Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp5556482ybn; Sun, 29 Sep 2019 00:42:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqwOeSkdQrtdkXEmXvrzHEeEMaLofGcBnPSjQvoxcemtlmlEI3n8KRS/KFrvqkb8tLygj5/h X-Received: by 2002:a50:a57d:: with SMTP id z58mr13408691edb.115.1569742930159; Sun, 29 Sep 2019 00:42:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569742930; cv=none; d=google.com; s=arc-20160816; b=rSvVnKCCPsEuAe2FEfk/ObSN/NgxsuTy4PWT6DdyTiTiSf0mKEqfT6pYd+oT1FSj8s S2Gdh/cRnvPcjywk0mG1+Bii+vapNa2Ak6AEUSF8JatX5w37i3k/ZSknfg/G28rGVGqs FiUlnXi1URu0GUrL+AKqVSYcJzhL+YQlWkKaNhSqrLaDGjnd+8bR9rdjCwy7SZNpfiUm QzkJZtqrkMA7bLqjUXuDQaO/ELTWdDvWV2nd2rF28suZJyW7CHiBTNv6IhIHg5xKfBCI dUYG27+woI/TQogd8khMHByjkC8kEaYmI0fMBuNkpwH1imnGw0JnfHug9bj1pHvbP7KW jzqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=OAeldDQ9mBMFWx6R0FbfJMpLNQW9lK6YtAXU3nHVZGI=; b=ONpxZYriqOMkdVDoojT68RpMvrEpyKaM6EKvrBv12tFUeTu2kKNjh60wtHDPb56YVe y2XPMTeHxgMvCUL78f8GZoV0aIwN8Oz90VkJ8gvAazARauI3Q812rpkvQcLh5Ha7pkep 4pK39yPHxEUYzeRAmJb/D3bC8T1VRt/ju0l1hWGdq4m+uYMwS6JCJmZfwZNIdUPteGxp Wv3wn8HXLlH28S62V3VdkPzOhJM3LjVFJoWdWh72eDYkRuQ4Bztdd1Z3VsVmNGwjvHC7 eN3HwQYY2tBztpxiyDPpx4MfzZe5Clg5DTiDkshohWw7np9x0Wc1swYPSV/xb3JsvdKc cWQA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w21si4858554edc.93.2019.09.29.00.41.45; Sun, 29 Sep 2019 00:42:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728937AbfI2HkS (ORCPT + 99 others); Sun, 29 Sep 2019 03:40:18 -0400 Received: from Galois.linutronix.de ([193.142.43.55]:49507 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725906AbfI2HkS (ORCPT ); Sun, 29 Sep 2019 03:40:18 -0400 Received: from pd9ef19d4.dip0.t-ipconnect.de ([217.239.25.212] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1iEToU-0007By-5W; Sun, 29 Sep 2019 09:40:14 +0200 Date: Sun, 29 Sep 2019 09:40:13 +0200 (CEST) From: Thomas Gleixner To: Linus Torvalds cc: "Ahmed S. Darwish" , LKML , Theodore Ts'o , Nicholas Mc Guire , the arch/x86 maintainers , Andy Lutomirski , Kees Cook Subject: Re: x86/random: Speculation to the rescue In-Reply-To: Message-ID: References: User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 28 Sep 2019, Linus Torvalds wrote: > On Sat, Sep 28, 2019 at 3:24 PM Thomas Gleixner wrote: > > > > Nicholas presented the idea to (ab)use speculative execution for random > > number generation years ago at the Real-Time Linux Workshop: > > What you describe is just a particularly simple version of the jitter > entropy. Not very reliable. I know that jitter entropy is not the most reliable source. Though its for one better than no entropy and on the other hand the results are interesting. I just looked at the test I ran overnight on one of my machines which did an aggregate test over 1024 runs both on the hacked up thing and the veritable /dev/random. The overall difference is within the noise. So I'm not trying to say that we should rely solely on that, but I think it's something we should not dismiss upfront just because paranoid theory says that jitter entropy is not reliable enough. The point is that jitter entropy relies as any other entropy source on the quality of the observed data. The non-deterministic behaviour of speculative execution seems to yield quite good input. There is another fun thing which I found while analyzing the crappy runtime behaviour of a customer application: static volatile unsigned int foo; t0 = rdtscp(); for (i = 0; i < 10000; i++) foo++; /* rdtscp() or the fenced rdtsc() gives better results */ t1 = rdtscp(); Even with interrupts disabled and no NMI disturbing the loop, the resulting execution time varies depending on the microarchitecture: tmin < t < N * tmin where N is >= 2 on all Intel machines which I tested. Feeding bit 0 of t1 mixed with t0 into the LSFR gives equally good results as the hacky loop I used in the patch. Fun isn't it? > Whatever. I'm entirely convinced this won't make everybody happy > anyway, but it's _one_ approach to handle the issue. > > Ahmed - would you be willing to test this on your problem case (with > the ext4 optimization re-enabled, of course)? > > And Thomas - mind double-checking that I didn't do anything > questionable with the timer code.. Looks about right. > And this goes without saying - this patch is ENTIRELY untested. Apart > from making people upset for the lack of rigor, it might do > unspeakable crimes against your pets. You have been warned. As I'm about to vanish for a 2 weeks vacation, I'm going to shut up now and hope that experiment gave at least food for thought. Thanks, tglx