Date: Sun, 29 Apr 2018 21:34:45 -0700
From: Sultan Alsawaf
To: "Theodore Y. Ts'o", "Jason A. Donenfeld", Pavel Machek, LKML, Jann Horn
Subject: Re: Linux messages full of `random: get_random_u32 called from`
Message-ID: <20180430043445.t7wkykxzkhex2isi@sultan-box>
In-Reply-To: <20180430001106.GS5965@thunk.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Apr 29, 2018 at 08:11:07PM -0400, Theodore Y. Ts'o wrote:
>
> What your patch does is assume that there is a full bit of uncertainty
> that can be obtained from the information gathered from each
> interrupt. I *might* be willing to assume that to be valid on x86
> systems that have a high resolution cycle counter. But on ARM
> platforms, especially during system bootup when the user isn't typing
> anything and SSD's and flash storage tend to have very predictable
> timing patterns? Not a bet I'd be willing to take. Even with a cycle
> counter, there's a reason why we assumed that we need to mix in timing
> results from 64 interrupts or one second's worth before we would give
> a single bit's worth of entropy credit.
>
> - Ted

What about abusing high-resolution timers to get entropy? Since hrtimers can't
make guarantees down to the nanosecond, there's always a skew between the
requested expiry time and the actual expiry time.

Please see the attached patch and let me know just how horrible it is.

Sultan

From b0d21c38558c661531d4cb46816fbb36b874a169 Mon Sep 17 00:00:00 2001
From: Sultan Alsawaf Date: Sun, 29 Apr 2018 21:28:08 -0700 Subject: [PATCH] random: use high-res timers to generate entropy until crng init is done --- drivers/char/random.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/drivers/char/random.c b/drivers/char/random.c index d9e38523b383..af2d60bbcec3 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -286,6 +286,7 @@ #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) #define SEC_XFER_SIZE 512 #define EXTRACT_SIZE 10 +#define ENTROPY_GEN_INTVL_NS (1 * NSEC_PER_MSEC) #define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long)) @@ -408,6 +409,8 @@ static struct fasync_struct *fasync; static DEFINE_SPINLOCK(random_ready_list_lock); static LIST_HEAD(random_ready_list); +static struct hrtimer entropy_gen_hrtimer; + struct crng_state { __u32 state[16]; unsigned long init_time; 
@@ -2287,3 +2290,47 @@ void add_hwgenerator_randomness(const char *buffer, size_t count, credit_entropy_bits(poolp, entropy); } EXPORT_SYMBOL_GPL(add_hwgenerator_randomness); + +/* + * Generate entropy on init using high-res timers. Although high-res timers + * provide nanosecond precision, they don't actually honor requests to the + * nanosecond. The skew between the expected time difference in nanoseconds and + * the actual time difference can be used as a way to generate entropy on boot + * for machines that lack sufficient boot-time entropy. + */ +static enum hrtimer_restart entropy_timer_cb(struct hrtimer *timer) +{ + static u64 prev_ns; + u64 curr_ns, delta; + + if (crng_ready()) + return HRTIMER_NORESTART; + + curr_ns = ktime_get_mono_fast_ns(); + delta = curr_ns - prev_ns; + + add_interrupt_randomness(delta); + + /* Use the hrtimer skew to make the next interval more unpredictable */ + if (likely(prev_ns)) + hrtimer_add_expires_ns(timer, delta); + else + hrtimer_add_expires_ns(timer, ENTROPY_GEN_INTVL_NS); + + prev_ns = curr_ns; + return HRTIMER_RESTART; +} + +static int entropy_gen_hrtimer_init(void) +{ + if (!IS_ENABLED(CONFIG_HIGH_RES_TIMERS)) + return 0; + + hrtimer_init(&entropy_gen_hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); + + entropy_gen_hrtimer.function = entropy_timer_cb; + hrtimer_start(&entropy_gen_hrtimer, ns_to_ktime(ENTROPY_GEN_INTVL_NS), + HRTIMER_MODE_REL); + return 0; +} +core_initcall(entropy_gen_hrtimer_init); -- 2.14.1
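
Review bot: ENTROPY_GEN_INTVL_NS, added in the @@ -286,6 +286,7 @@ hunk, has no comment, and nothing in the patch says why 1 ms was chosen or how many extra timer interrupts that means before crng_ready() becomes true. A short comment next to the define would help, noting that it is only the initial period: entropy_timer_cb() uses it for hrtimer_start() and for the first re-arm, and every later re-arm uses delta instead.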
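
Review bot: In the @@ -2287,3 +2290,47 @@ hunk, entropy_timer_cb() mixes in the whole gap between callbacks (delta = curr_ns - prev_ns), not the skew that the comment above the function describes. Most of that value is the requested interval, and on the first callback prev_ns is still 0, so delta is just the raw ktime_get_mono_fast_ns() timestamp. Consider subtracting the programmed interval before mixing and skipping the sample while prev_ns is 0. The same delta is then used as the next period through hrtimer_add_expires_ns(timer, delta), so the timer's schedule is derived from the quantity being sampled; the commit message should state what entropy credit each callback is expected to earn, given the quoted objection that a single interrupt is not worth a full bit. add_interrupt_randomness() is called with delta as its only argument, which should be checked against the function's prototype in this tree. The IS_ENABLED(CONFIG_HIGH_RES_TIMERS) test in entropy_gen_hrtimer_init() is a build-time check only, so it does not tell you whether high-resolution mode is actually in use at boot.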
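
An added illustration of the entropy-credit question raised in this message (not code from the patch or the kernel): a most-common-value estimate of bits per sample over inter-callback deltas, showing that the size of a delta says nothing and only its spread at the clock's real resolution counts. The sample arrays, the function name `delta_min_entropy_bits` and the `shift` clock model are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples (not measurements): gaps in ns between callbacks of a
 * timer re-armed every 1,000,000 ns, as with the patch's ENTROPY_GEN_INTVL_NS. */
static const uint64_t jittery[16] = {
	1000137, 1000052, 1000911, 1000404, 1000268, 1000733, 1000015, 1000640,
	1000389, 1000826, 1000095, 1000571, 1000302, 1000958, 1000447, 1000214,
};
static const uint64_t regular[16] = {
	1000003, 1000003, 1000004, 1000003, 1000003, 1000003, 1000004, 1000003,
	1000003, 1000004, 1000003, 1000003, 1000003, 1000004, 1000003, 1000003,
};

/*
 * floor(log2(n / max_count)), where max_count is how often the most common
 * delta occurs once the low `shift` bits are dropped (hypothetical model of
 * a clock that only advances every 2^shift ns). A rough empirical estimate,
 * not proof: distinct values can still be predictable to someone who can
 * model the timer. O(n^2) is fine for small sample sets.
 */
unsigned int delta_min_entropy_bits(const uint64_t *delta_ns, size_t n,
				    unsigned int shift)
{
	size_t i, j, max_count = 0;
	unsigned int bits = 0;

	for (i = 0; i < n; i++) {
		size_t count = 0;

		for (j = 0; j < n; j++)
			if ((delta_ns[j] >> shift) == (delta_ns[i] >> shift))
				count++;
		if (count > max_count)
			max_count = count;
	}
	while (max_count && (max_count << (bits + 1)) <= n)
		bits++;
	return bits;
}

int main(void)
{
	printf("jittery, 1 ns clock:    %u bits\n", delta_min_entropy_bits(jittery, 16, 0));
	printf("jittery, 1024 ns clock: %u bits\n", delta_min_entropy_bits(jittery, 16, 10));
	printf("regular, 1 ns clock:    %u bits\n", delta_min_entropy_bits(regular, 16, 0));
	return 0;
}
```

The same 16 deltas drop from 4 bits to 0 when the clock is modelled as ticking every 1024 ns, and the regular set yields 0 bits even at 1 ns resolution.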