Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2168895yba; Mon, 6 May 2019 00:33:39 -0700 (PDT) X-Google-Smtp-Source: APXvYqzGLwH4QhjWxyMLTdd8C8F3iP70zPk5RQ0riZb9hG8eOK1LuHUAWlstuCa6QQFKegxTrHxa X-Received: by 2002:a17:902:8349:: with SMTP id z9mr30089259pln.144.1557128019366; Mon, 06 May 2019 00:33:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557128019; cv=none; d=google.com; s=arc-20160816; b=VU+GylW5rRvwXMYWqs746v1P8gsI1LsSaNCbrFk/i1GbKp2AUxe8p1/pHwux+IfLhF LywwIKrHKyLEeVl32tNbhk8ugd8KbMjiAJiZ88ic9mFXu5mbRzQJX3HaZBh2BIIz+iJU CazKgXrGiUmzL6PMFnwYrIGH2v0NHQLWvzx34mV5zAQW8904LDJcoOCuZ9HofC0o6pQQ aeMairO0Iv534EDItQNQrVbisRKIuKPLSsQNDRbwA4VHKUE0srhFPwdg4gqIz/a/1dme KAdpaGajidZ5b8Pj94uoMG7FfCzHc7P28Vby1HzAhePB56qgnWm+P8CsTcWuEbLB/R6B DDrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from; bh=EVlGfWLmEYRmREhgJC9RBEZqJqDuzmnB16aRWXV2824=; b=Iirlb4n6JfhkvJmhf873Z+yIbv6DqnWldbr+fGgBCYlBsB5SiFb2ehaZp2L6b4mBzq EBfQ0cneS1teWmxlMweVHTBsYopx9W6rWRRq1PVg2bVsHLLNkc+Bp//XZFqF9VulrYdj 9CtlFa/p5nthE0x86TulcZJHQr2OTtN7gVaddCoPGaI3gg2m9FsDkv92IR8J98iPuepW 34KyyjCrPcnQhSRj7CC2wr9TCZcZ4faW1Y38Bcayli/WKOWUAQaa8prWK8Se8bvue/BJ wkllg1JikMUx9ncEsT7f8WNuWIT7HVbLSntyVQozRjZ3nfR97KPVC39aGPqKw4Djid4u n70w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 36si13274320pla.235.2019.05.06.00.33.23; Mon, 06 May 2019 00:33:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725994AbfEFHc1 convert rfc822-to-8bit (ORCPT + 99 others); Mon, 6 May 2019 03:32:27 -0400 Received: from mga12.intel.com ([192.55.52.136]:27841 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725710AbfEFHc1 (ORCPT ); Mon, 6 May 2019 03:32:27 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 May 2019 00:32:27 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,437,1549958400"; d="scan'208";a="344117474" Received: from irsmsx153.ger.corp.intel.com ([163.33.192.75]) by fmsmga006.fm.intel.com with ESMTP; 06 May 2019 00:32:23 -0700 Received: from irsmsx111.ger.corp.intel.com (10.108.20.4) by IRSMSX153.ger.corp.intel.com (163.33.192.75) with Microsoft SMTP Server (TLS) id 14.3.408.0; Mon, 6 May 2019 08:32:15 +0100 Received: from irsmsx102.ger.corp.intel.com ([169.254.2.21]) by irsmsx111.ger.corp.intel.com ([169.254.2.85]) with mapi id 14.03.0415.000; Mon, 6 May 2019 08:32:14 +0100 From: "Reshetova, Elena" To: Ingo Molnar , Andy Lutomirski CC: David Laight , Theodore Ts'o , Eric Biggers , "ebiggers@google.com" , "herbert@gondor.apana.org.au" , Peter Zijlstra , "keescook@chromium.org" , Daniel Borkmann , "linux-kernel@vger.kernel.org" , "jpoimboe@redhat.com" , "jannh@google.com" , "Perla, Enrico" , "mingo@redhat.com" , "bp@alien8.de" , "tglx@linutronix.de" , "gregkh@linuxfoundation.org" , "Edgecombe, Rick P" , Linus Torvalds , Peter Zijlstra Subject: RE: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall Thread-Topic: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall Thread-Index: AQHU81HQwzT9MH4dM0y/JZXnSwiYT6Y8wW2AgAAdM1CAAXexAIAANZ3ggAAW1gCAAApRgIAAMeKAgAAd+PCAAQuGgIAAYQuAgAAKhwCACsPi4IADJTwAgAAcagCAAExngIAEBbGAgACIbACAAbyQ8IAA626AgAGZfXCAAARpgIAAWpuAgAAF74CABdWt4A== Date: Mon, 6 May 2019 07:32:14 +0000 Message-ID: <2236FBA76BA1254E88B949DDB74E612BA4C712F7@IRSMSX102.ger.corp.intel.com> References: <2236FBA76BA1254E88B949DDB74E612BA4C63E24@IRSMSX102.ger.corp.intel.com> <20190426140102.GA4922@mit.edu> <57357E35-3D9B-4CA7-BAB9-0BE89E0094D2@amacapital.net> <2236FBA76BA1254E88B949DDB74E612BA4C66A8A@IRSMSX102.ger.corp.intel.com> <6860856C-6A92-4569-9CD8-FF6C5C441F30@amacapital.net> <2236FBA76BA1254E88B949DDB74E612BA4C6A4D7@IRSMSX102.ger.corp.intel.com> <303fc4ee5ac04e4fac104df1188952e8@AcuMS.aculab.com> <2236FBA76BA1254E88B949DDB74E612BA4C6C2C3@IRSMSX102.ger.corp.intel.com> <2e55aeb3b39440c0bebf47f0f9522dd8@AcuMS.aculab.com> <20190502150853.GA16779@gmail.com> In-Reply-To: <20190502150853.GA16779@gmail.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.0.600.7 dlp-reaction: no-action x-ctpclassification: CTP_NT x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYTRmNDFjMWEtYjg0OS00OWUzLWEwNjAtY2U5MTYwNjQ3ZjUyIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoick5hUktJayswZTc4VGFLSGtcL2tIWFoyREhucmxJN2cwV3NRMWZwM0RDaXdFMHMza0ZBNXhFN3FTZjVpR0JYNlgifQ== x-originating-ip: [163.33.239.180] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > * Andy Lutomirski wrote: > > > Or we decide that calling get_random_bytes() is okay with IRQs off and > > this all gets a bit simpler. > > BTW., before we go down this path any further, is the plan to bind this > feature to a real CPU-RNG capability, i.e. to the RDRAND instruction, > which excludes a significant group of x86 of CPUs? I would not like to bind this to only CPUs that have RDRAND. That's why I was looking into using kernel's CSRNG (we can also use it as backup when rdrand is not available). > Because calling tens of millions of system calls per second will deplete > any non-CPU-RNG sources of entropy and will also starve all other users > of random numbers, which might have a more legitimate need for > randomness, such as the networking stack ... This should not apply to the proper CSRNG. They of course also have a limitation on the amount of bits they can produce safely (as any crypto primitive), but this period is very big and within that it does not affect any other user of this CSPRNG, otherwise all guarantees are broken. > I.e. I'm really *super sceptical* of this whole plan, as currently > formulated. > > If we bind it to RDRAND then we shouldn't be using the generic > drivers/char/random.c pool *at all*, but just call the darn instruction > directly. This is an x86 patch-set after all, right? Yes, but my main issues with RDRAND (even if we focus strictly onx86) are: - it is not available on older PCs - its performance varies across CPUs that support it (and as I understood varies quite some) The last one can actually give unpleasant surprises... > Furthermore the following post suggests that RDRAND isn't a per CPU > capability, but a core or socket level facility, depending on CPU make: > > https://stackoverflow.com/questions/10484164/what-is-the-latency-and- > throughput-of-the-rdrand-instruction-on-ivy-bridge > > 8 gigabits/sec sounds good throughput in principle, if there's no > scalability pathologies with that. > > It would also be nice to know whether RDRAND does buffering *internally*, > in which case it might be better to buffer as little at the system call > level as possible, to allow the hardware RNG buffer to rebuild between > system calls. I will try asking around about concrete details on RDRAND behavior. I have various bits and pieces I have been told plus measurements I did, but things don't quite add up.. > > I.e. I'd suggest to retrieve randomness via a fixed number of RDRAND-r64 > calls (where '1' is a perfectly valid block size - it should be > measured), which random bits are then used as-is for the ~6 bits of > system call stack offset. (I'd even suggest 7 bits: that skips a full > cache line almost for free and makes the fuzz actually meaningful: no > spear attacker will take a 1/128, 0.8% chance to successfully attack a > critical system.) > > Then those 64*N random bits get buffered and consumed in 5-7 bit chunk, > in a super efficient fashion, possibly inlining the fast path, totally > outside the flow of the drivers/char/random.c I will ask around on what is the best way to use RDRAND for our purpose. > > Any non-CPU source of randomness for system calls and plans to add > several extra function calls to every x86 system call is crazy talk I > believe... So, if we go the CPU randomness path, then what do we fall back to when RNRAND is not available? Skip randomization altogether or backup to CSRNG? Best Regards, Elena.