
Help users of Tails in a VM from ISO get good randomness

One of the outcomes of #11898 (closed) is that many VMs get poor randomness, which impacts all kinds of security operations. #11897 will mostly fix that for users who start Tails in a VM from a virtual USB drive created from a USB image. But users who use the ISO as a virtual DVD will still be exposed to this problem.

We should communicate to users that for safe Tails usage from ISO in a virtual machine, one needs to provide randomness from the host system to the guest Tails virtual machine, for example using the Virtio RNG feature in QEMU and libvirt.

Open questions:

  • Is RNG passthrough good enough in itself?
  • Is there a similar feature in VirtualBox?

Regarding how to help these users:

  • We should probably add specific recommendations in our doc about running Tails in VMs.
  • Ideally, when started from DVD and our “running in a VM” detection system does not detect a “hardware” RNG, it could warn the user and point them to the aforementioned doc.

Blueprint: https://tails.boum.org/blueprint/randomness_seeding/

Original created by @intrigeri on 16971 (Redmine)
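The following is an added example, not part of the original issue and not Tails code: a sketch of the "no hardware RNG detected" half of the warning proposed above, using the Linux `hw_random` sysfs interface. The function names and the `--check` argument are hypothetical, and the "started from DVD" and "running in a VM" conditions are assumed to be handled elsewhere.

```shell
#!/bin/sh
# Added example (not Tails code): classify the hardware RNG the guest
# kernel is using, based on the Linux hw_random sysfs interface.

# Prints one of: virtio | other | missing
# $1: hw_random sysfs directory (overridable so it can be tested
#     against a constructed directory).
hwrng_status() {
    dir="${1:-/sys/class/misc/hw_random}"
    if [ ! -r "$dir/rng_current" ]; then
        echo missing      # hwrng core absent or unreadable
        return 0
    fi
    current=$(tr -d '[:space:]' < "$dir/rng_current")
    case "$current" in
        ""|none)      echo missing ;;  # no device bound
        virtio_rng*)  echo virtio ;;   # host randomness passed through
        *)            echo other ;;    # some other hardware RNG driver
    esac
}

# Returns 0 if a hardware RNG is in use, 1 (with a warning on stderr) if not.
warn_if_no_hwrng() {
    status=$(hwrng_status "${1:-}")
    if [ "$status" = missing ]; then
        echo "WARNING: no hardware RNG visible in this guest;" \
             "enable Virtio RNG on the host (see the VM documentation)." >&2
        return 1
    fi
    echo "hardware RNG in use: $status"
    return 0
}

# Hypothetical entry point: run the check only when asked to.
if [ "${1:-}" = "--check" ]; then
    warn_if_no_hwrng "${2:-}"
fi
```

A result of `missing` inside a VM means the guest has no host-provided RNG device attached, which is the situation the warning is meant to catch.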
