Received: by 10.192.165.148 with SMTP id m20csp3366429imm;
        Sun, 29 Apr 2018 21:35:27 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZq7Z0E4syM6OFaB+pM23Q2DyhrbLEFG2CAxxE1thOKbIHjjX2RNxq0nLHHdZZeezn7nzeiM
X-Received: by 2002:a17:902:680e:: with SMTP id h14-v6mr10806901plk.90.1525062927120;
        Sun, 29 Apr 2018 21:35:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525062927; cv=none;
        d=google.com; s=arc-20160816;
        b=hqoDMYmm7H18tQw3FOUoCFSssG8GpqHwyYZPgQj8q0tSRH4g7mGS6wltDhM9N1cAoE
         dI7ZK85el1PL3zTSbq6xgLvbps7W7i4JyBrdOeSwNfvXeUua38PrHpXsCcoGuusgopIf
         PHGOL5kE/wnd2nJYWx9Qt2kfXaPlXTBqTgtYia7HudFQGmOMfI0DiyNFcjxox7cNVcgR
         021moBnyZCGsxnaZicfJBTQnKEiDq/3E/b7PxUBaxyqFnlkVTxTgpiZ6WkPuJXARGzqj
         TZP+t7+PvQB1CP/bm85i9JRURERvRdx72THIcp/j3ryR2SokvcQbGa6FDZSTaq55WQ9A
         iQHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:to
         :from:date:dkim-signature:arc-authentication-results;
        bh=fyJisar+vWQ1uPRWEeZeVVk38+Z1s1WcR0sz/U2f/34=;
        b=vsug/jpms3T/zWlLBJs0JcrAHZaLP9manM+r5Lbx3rQTFqtsej5NQRTZGB0bZYPfht
         i557QTugfAyNf5GKPl0vpMaS5yV/sGKZ1cX15kzDE22J+7YgPYZv0ivwNnzQdAg6jmfE
         kB1BiJn0pkS14FxW7TKlMeQkVA3eiXu2SmA6Ra7EQ4wo3agUbNjR0uI/haJ+dlNVEOwD
         Eyx49gdUZd88B192laKoPnVOu/nft4BS8c8RjMm13fT1KtLCUouO73eC5H1GPidbq12g
         /+Wx/SVld+ySd97tD1Dj0q+Ksvqv7xjha+lhjIdIRpL+A7dOohyY5gZ2cQL4rIsKeaii
         +fbw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=FGwG9Swz;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o63-v6si5630027pga.584.2018.04.29.21.35.13;
        Sun, 29 Apr 2018 21:35:27 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=FGwG9Swz;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751592AbeD3Eew (ORCPT <rfc822;zcyberian@gmail.com> + 99 others);
        Mon, 30 Apr 2018 00:34:52 -0400
Received: from mail-ot0-f182.google.com ([74.125.82.182]:42642 "EHLO
        mail-ot0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751023AbeD3Eeu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 30 Apr 2018 00:34:50 -0400
Received: by mail-ot0-f182.google.com with SMTP id l13-v6so8172967otk.9
        for <linux-kernel@vger.kernel.org>; Sun, 29 Apr 2018 21:34:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=fyJisar+vWQ1uPRWEeZeVVk38+Z1s1WcR0sz/U2f/34=;
        b=FGwG9SwzW1+u+Mp5gNZ7rGvvj8jQSFKATaxTJ26uTASa4kf5cTnlZ1pi8gddIYwuUe
         m8rFmR4WkQjhHbYMZ8oDtbdRjc5GZmkjjz0J3mswPXMvcr3aGzbE7Ybnq0UYr892l71d
         e9HE2AoEKqin+9p297OE0uIdrLAAdN9v5FawI81BYzdtRPWY/56yzPXR/zuwf3NjVCXu
         1S8bnB9/a5PfyLFdr5xjzi7QHA17XceaFMHsDNBrADx3A+OJ07J7KRcOvjuug22hP2qO
         CaRbeG812Z5uiAFYnNhlguibb9TpCwIouo7XN3QZroXnZMYPFfO7v3KvZUQXcI8bRXy4
         9/oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=fyJisar+vWQ1uPRWEeZeVVk38+Z1s1WcR0sz/U2f/34=;
        b=iTuvogOaogSGpAzkRJZigRr845B+cutHI9OIQZkMrLzjrcqkH3/YBa28BDsjp8+206
         Y+IsC9M9MXE2tw1MGFLRl2PsKAyujDSZ3FfcJtJ2Fo+kGOsPvOFeyPz4WtMykwmLWHrS
         CcwNhiNG15ZeAheZM+ptITByo6gJocxDadWxopC1Qxg6llDSDaO9TwQp1t1TzHCGqKj2
         hdbA3Pn8Xt+46Uv8IF2Od9bByI8HdVrDGLP4ozLc6JfSSvTABo9HmwI9JGGGXEspXYrt
         M+gWzKClDjcbBLXs5R22+Mt1qnxAq1SlRzH7CDQoQ0PVP3oqWXmx4fGILtZ7Wf305uHp
         vxWQ==
X-Gm-Message-State: ALQs6tAfGn9cc3rIbTMRYVrAuHJfM+vm8WUimSfiptIalKKEDmO+c8df
        dNrlYd3vV/ohj5t3bsXSWP0=
X-Received: by 2002:a9d:220d:: with SMTP id o13-v6mr6890729ota.366.1525062889949;
        Sun, 29 Apr 2018 21:34:49 -0700 (PDT)
Received: from sultan-box ([107.193.118.89])
        by smtp.gmail.com with ESMTPSA id u65-v6sm3673085oig.56.2018.04.29.21.34.47
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sun, 29 Apr 2018 21:34:48 -0700 (PDT)
Date:   Sun, 29 Apr 2018 21:34:45 -0700
From:   Sultan Alsawaf <sultanxda@gmail.com>
To:     "Theodore Y. Ts'o" <tytso@mit.edu>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>,
        Pavel Machek <pavel@ucw.cz>,
        LKML <linux-kernel@vger.kernel.org>, Jann Horn <jannh@google.com>
Subject: Re: Linux messages full of `random: get_random_u32 called from`
Message-ID: <20180430043445.t7wkykxzkhex2isi@sultan-box>
References: <20180427201036.GL5965@thunk.org>
 <20180429143205.GD13475@amd>
 <20180429170541.lrzwyihrd6d75rql@sultan-box>
 <20180429184101.GA31156@amd>
 <20180429202033.ysmc42mj2rrk3h7p@sultan-box>
 <20180429220519.GQ5965@thunk.org>
 <20180429222625.35tedjzkizchudcm@sultan-box>
 <CAHmME9r5XNS_AU234vKbt9PoHGN3PooFSA8EqNfDRpBHREdQAQ@mail.gmail.com>
 <20180429224928.teg6zyfjxndbcnsn@sultan-box>
 <20180430001106.GS5965@thunk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180430001106.GS5965@thunk.org>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Apr 29, 2018 at 08:11:07PM -0400, Theodore Y. Ts'o wrote:
>
> What your patch does is assume that there is a full bit of uncertainty
> that can be obtained from the information gathered from each
> interrupt.  I *might* be willing to assume that to be valid on x86
> systems that have a high resolution cycle counter.  But on ARM
> platforms, especially during system bootup when the user isn't typing
> anything and SSD's and flash storage tend to have very predictable
> timing patterns?  Not a bet I'd be willing to take.  Even with a cycle
> counter, there's a reason why we assumed that we need to mix in timing
> results from 64 interrupts or one second's worth before we would give
> a single bit's worth of entropy credit.
> 
> 							- Ted

What about abusing high-resolution timers to get entropy? Since hrtimers can't
make guarantees down to the nanosecond, there's always a skew between the
requested expiry time and the actual expiry time.

Please see the attached patch and let me know just how horrible it is.

Sultan

From b0d21c38558c661531d4cb46816fbb36b874a169 Mon Sep 17 00:00:00 2001
From: Sultan Alsawaf <sultanxda@gmail.com>
Date: Sun, 29 Apr 2018 21:28:08 -0700
Subject: [PATCH] random: use high-res timers to generate entropy until crng
 init is done

---
 drivers/char/random.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index d9e38523b383..af2d60bbcec3 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -286,6 +286,7 @@
 #define OUTPUT_POOL_WORDS	(1 << (OUTPUT_POOL_SHIFT-5))
 #define SEC_XFER_SIZE		512
 #define EXTRACT_SIZE		10
+#define ENTROPY_GEN_INTVL_NS	(1 * NSEC_PER_MSEC)
 
 
 #define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
@@ -408,6 +409,8 @@ static struct fasync_struct *fasync;
 static DEFINE_SPINLOCK(random_ready_list_lock);
 static LIST_HEAD(random_ready_list);
 
+static struct hrtimer entropy_gen_hrtimer;
+
 struct crng_state {
 	__u32		state[16];
 	unsigned long	init_time;
@@ -2287,3 +2290,47 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
 	credit_entropy_bits(poolp, entropy);
 }
 EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
+
+/*
+ * Generate entropy on init using high-res timers. Although high-res timers
+ * provide nanosecond precision, they don't actually honor requests to the
+ * nanosecond. The skew between the expected time difference in nanoseconds and
+ * the actual time difference can be used as a way to generate entropy on boot
+ * for machines that lack sufficient boot-time entropy.
+ */
+static enum hrtimer_restart entropy_timer_cb(struct hrtimer *timer)
+{
+	static u64 prev_ns;
+	u64 curr_ns, delta;
+
+	if (crng_ready())
+		return HRTIMER_NORESTART;
+
+	curr_ns = ktime_get_mono_fast_ns();
+	delta = curr_ns - prev_ns;
+
+	add_interrupt_randomness(delta);
+
+	/* Use the hrtimer skew to make the next interval more unpredictable */
+	if (likely(prev_ns))
+		hrtimer_add_expires_ns(timer, delta);
+	else
+		hrtimer_add_expires_ns(timer, ENTROPY_GEN_INTVL_NS);
+
+	prev_ns = curr_ns;
+	return HRTIMER_RESTART;
+}
+
+static int entropy_gen_hrtimer_init(void)
+{
+	if (!IS_ENABLED(CONFIG_HIGH_RES_TIMERS))
+		return 0;
+
+	hrtimer_init(&entropy_gen_hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+
+	entropy_gen_hrtimer.function = entropy_timer_cb;
+	hrtimer_start(&entropy_gen_hrtimer, ns_to_ktime(ENTROPY_GEN_INTVL_NS),
+		HRTIMER_MODE_REL);
+	return 0;
+}
+core_initcall(entropy_gen_hrtimer_init);
-- 
2.14.1