Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp627959ybi; Thu, 30 May 2019 04:17:41 -0700 (PDT) X-Google-Smtp-Source: APXvYqxU5xS42tQr0PGjDQWIPte33h+3ZfjE4PGl6UzmrlJMV4wUt4xK8z4R+1V2mmvTvytRHb7Q X-Received: by 2002:a17:902:2e81:: with SMTP id r1mr3310611plb.0.1559215061102; Thu, 30 May 2019 04:17:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559215061; cv=none; d=google.com; s=arc-20160816; b=Qijc9mqtILFpperWAQ4E4iYZxpaZPxTPMnnlzmSF0UJ0uux5N889S/qoIYUCw0lYab 3mEhli7cASu9nifIxPKITkBj2+AGL0v4sAqHRCmi81XlzXuj+8ouxsDa8zBQVY1Yl0FR FlNNCrnIBSadkIhykfuUN6dv7Eflr+BbwVnH+tGT9ydE7orpgNSdIlIci1k+88bv1TR3 5mcV9w3EuvOkdoSuKPmYse2MN0rw7A4U082oEkch/iHuuQaSX7NC0KYZuE2/P8vs92ZN v6gAXfke+3Lhtn7h8JtokXpY6cB8L0/v4P9lDZs+pE9LLHOsFFaoPM7s8T9uJjeMg2e9 cZtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:to :from:date; bh=aATMK5ShB8+gJZ8xxXigRtUC02swPCSvUf6sgs24hc4=; b=JsCYiXnNSnorW5lWhTg64jRSeeOZz+UKK+/W6aeSI6JO3opSNPIpGd0NH0E0KVIaHc w9N5Cj2JEkrqQ86mGtjQ+6vsJ5XG4rAGkZBuE81OzTiF4Zv7C+ZMmSllrD2GJhhYQRAV MkNo9xQHuk4mu3bGTp9Cj66k8QbsU9PFqfLEE1AFf0ZTn6O6lb/aNH7xBuxO7z2//6fQ Myrjt8XGjxaFvTsWcQxXtn4JxErIQQMk+2gEh2bNLUM+6FkCZlGhwMiASgCGtvM/cgzd v29o8s4k7dtRbZ2I4q6YLIoKIRPkS+jUEkkRS6T27ywU8sfthaN1EstCJ0NVtSa2WCKu 4EoQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u13si2901426pgp.478.2019.05.30.04.17.23; Thu, 30 May 2019 04:17:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726800AbfE3LPE (ORCPT + 99 others); Thu, 30 May 2019 07:15:04 -0400 Received: from charlotte.tuxdriver.com ([70.61.120.58]:36458 "EHLO smtp.tuxdriver.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725440AbfE3LPE (ORCPT ); Thu, 30 May 2019 07:15:04 -0400 Received: from cpe-2606-a000-111b-405a-0-0-0-162e.dyn6.twc.com ([2606:a000:111b:405a::162e] helo=localhost) by smtp.tuxdriver.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from ) id 1hWJ1K-0006Uv-O0; Thu, 30 May 2019 07:15:01 -0400 Date: Thu, 30 May 2019 07:14:27 -0400 From: Neil Horman To: Theodore Ts'o , linux-kernel@vger.kernel.org, Steve Grubb , Arnd Bergmann , Greg Kroah-Hartman Subject: Re: [PATCH] Fix xoring of arch_get_random_long into crng->state array Message-ID: <20190530111427.GA1966@hmswarspite.think-freely.org> References: <20190402220025.14499-1-nhorman@tuxdriver.com> <20190530031201.GA2751@mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190530031201.GA2751@mit.edu> User-Agent: Mutt/1.11.3 (2019-02-01) X-Spam-Score: -2.9 (--) X-Spam-Status: No Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 29, 2019 at 11:12:01PM -0400, Theodore Ts'o wrote: > On Tue, Apr 02, 2019 at 06:00:25PM -0400, Neil Horman wrote: > > When _crng_extract is called, any arch that has a registered > > arch_get_random_long method, attempts to mix an unsigned long value into > > the crng->state buffer, it only mixes in 32 of the 64 bits available, > > because the state buffer is an array of u32 values, even though 2 u32 > > are expected to be filled (owing to the fact that it expects indexes 14 > > and 15 to be filled). > > Index 15 does get initialized; in fact, it's changed each time > crng_reseed() is called. > > The way things currently work is that we use state[12] and state[13] > as 64-bit counter (it gets incremented each time we call > _extract_crng), and state[14] and state[15] are nonce values. After > crng->state has been in use for five minutes, we reseed the crng by > grabbing randomness from the input pool, and using that to initialize > state[4..15]. (State[0..3] are always set to the ChaCha20 constant of > "expand 32-byte k".) > > If the CPU provides and RDRAND-like instruction (which can be the case > for x86, PPC, and S390), we xor it into state[14]. Whether we xor any > extra entropy into state[15] to be honest, really doesn't matter much. > I think I was trying to keep things simple, and it wasn't worth it to > call RDRAND twice on a 32-bit x86. (And there isn't an > arch_get_random_long_long. :-) > > Why do we do this at all? Well, the goal was to feed in some > contributing randomness from RDRAND when we turn the CRNG crank. (The > reason why we don't just XOR in the RDRAND into the output ohf the > CRNG is mainly to assuage critics that hypothetical RDRAND backdoor > has access to the CPU registers. So we perturb the inputs to the > CRNG, on the theory that if malicious firmware can reverse > CHACHA20... we've got bigger problems. :-) We get up to 20 bytes out > of a single turn of the CRNG crank, so whether we mix in 4 bytes or 8 > bytes from RDRAND, we're never going to be depending on RDRAND > completely in any case. > > The bottom line is that I'm not at all convinced it worth the effort > to mix in 8 bytes versus 4 bytes from RDRAND. This is really a CRNG, > and the RDRAND inputs really don't change that. > Ok, so what I'm getting is that the exclusion of the second 32 bit word here from &crng->state[15], isn't an oversight, its just skipped because its not worth taking the time for the extra write there, and this is not a bug. I'm ok with that. Thanks for the explination Neil > - Ted >