Help users of Tails in a VM from ISO get good randomness
Originally created by @intrigeri on #16971 (Redmine)
One of the outcomes of #11898 (closed) is that many VMs get poor randomness, which impacts all kinds of security operations. #11897 will mostly fix that for users who start Tails in a VM from a virtual USB drive created from a USB image. But users who use the ISO as a virtual DVD will still be exposed to this problem.
We should communicate to users that for safe Tails usage from ISO in a virtual machine, one needs to provide randomness from the host system to the guest Tails virtual machine, for example using the Virtio RNG feature in QEMU and libvirt.
Open questions:
- Is RNG passthrough good enough in itself?
- Is there a similar feature in VirtualBox?
Regarding how to help these users:
- We should probably add specific recommendations in our doc about running Tails in VMs.
- Ideally, when started from DVD and our “running in a VM” detection system does not detect a “hardware” RNG, it could warn the user and point them to the aforementioned doc.
Blueprint: https://tails.boum.org/blueprint/randomness_seeding/
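A guest-side sketch of the check proposed above (warn when started from DVD in a VM with no hardware RNG), as an added example that is not Tails code. The function names, the `dvd`/`usb` medium argument and the warning text are assumptions; the sysfs path and the host-side options in the comments are standard Linux, QEMU and libvirt.

```shell
#!/bin/sh
# Added example, not Tails code. Host side, for reference (standard syntax):
#   QEMU:    -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng-pci,rng=rng0
#   libvirt: <rng model='virtio'><backend model='random'>/dev/urandom</backend></rng>

# Linux exposes the active hardware RNG driver here ("none" when absent).
HWRNG_DIR_DEFAULT=/sys/class/misc/hw_random

# hwrng_status [DIR]: print "virtio", "other:<name>" or "none".
hwrng_status() {
    dir="${1:-$HWRNG_DIR_DEFAULT}"
    current=""
    if [ -r "$dir/rng_current" ]; then
        current=$(tr -d '[:space:]' < "$dir/rng_current")
    fi
    case "$current" in
        ""|none)      echo "none" ;;
        virtio_rng*)  echo "virtio" ;;
        *)            echo "other:$current" ;;
    esac
}

# should_warn MEDIUM VIRT [DIR]: exit 0 when the user should be warned.
# MEDIUM ("dvd" or "usb") and VIRT (empty or "none" on bare metal) come from
# the caller; how Tails determines them is outside this sketch (assumption).
should_warn() {
    medium="$1"; virt="$2"
    [ "$medium" = "dvd" ] || return 1
    case "$virt" in ""|none) return 1 ;; esac
    [ "$(hwrng_status "${3:-$HWRNG_DIR_DEFAULT}")" = "none" ]
}

# Stand-alone use: sh hwrng-check.sh --check dvd
if [ "${1:-}" = "--check" ]; then
    virt=$(systemd-detect-virt --vm 2>/dev/null || true)
    if should_warn "${2:-dvd}" "$virt"; then
        echo "Warning: VM started from DVD without a hardware RNG;" \
             "see the Tails documentation on virtualization." >&2
    fi
fi
```

Any driver listed in `rng_current` counts as a hardware RNG here, matching the wording of the proposal; whether passthrough alone is sufficient remains the open question listed above.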