Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp5575121ybn; Sun, 29 Sep 2019 01:08:31 -0700 (PDT) X-Google-Smtp-Source: APXvYqw0THPg8L5j/IOVtF/8fXcG79vfVY57aEyX2UCK+WlyTVN2WmSdRcXZnBisDx13CHp8XKHL X-Received: by 2002:a17:906:cec3:: with SMTP id si3mr14448361ejb.145.1569744511575; Sun, 29 Sep 2019 01:08:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569744511; cv=none; d=google.com; s=arc-20160816; b=xQD/OlhWwQY/fheaLuHMy1ELCDfNaMnTny4NfgmPR3O+ICIXjcExWQRa8dWzZjfWA9 OCPtgQAvUtPnqE0JFfAQaCRprZVvMFIx/LhZbUtlBv3CFq/2coqsM6iMiLPbc8dJBqt1 YJ150lMQY3D6BRseMeQ8nqpQSQwwr4G7P9BXs8MUwwKBmc4yUqNQn/hg4KL9bUChIqXu zlbwSULpd5zGqCwUp6ghSgyl4U1VuagNAZSMsj7MSUC/Jzu70esK9X0SZzR79pt7zJwU 2jkh4iM8vR5zPs8Sd4fgpEMmYrWRxOK5xeWFTsBk/DljP47ufdgtKOel46O5oM9/pPjW /Ufw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=0Kup/WuM5USev7LE9gSO4eOzCdji3byaAj/3kHQx28s=; b=Tqwo+Jum+NJxF1nO6U14LqvoxAWWQVpLMsbkRffDbjwCmeJaKYz08BFSPSIhPbLFdl doa+QgMaYmsz99PFIYAZTV2XHBILZyg7nGT/HhFyKGdIfaDe0rWNHYOyOAamLKiMKmmn hU0xYGdaUr5HNmTOT6k/Ez794P4SoQPWN6gUnf9Xia5Yj2gAwTHtU1YMbkvf2w17M4Hd NuGHZeAMfxxSQEiwe+Racgyh/SuG4dsiHMHRgmrddvmNwgn/eiH4rMjIBys4YBWc8+To 7k9/xoFrWwvfTjPEsweTxa/qq9x9RuHBgJUFliiR5UKHCSB48XvUh1wZmtoE0DeWADmB N9xg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=h2pwvASX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x19si5473275eju.15.2019.09.29.01.08.06; Sun, 29 Sep 2019 01:08:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=h2pwvASX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728965AbfI2IFW (ORCPT + 99 others); Sun, 29 Sep 2019 04:05:22 -0400 Received: from mail-lf1-f66.google.com ([209.85.167.66]:45919 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726889AbfI2IFV (ORCPT ); Sun, 29 Sep 2019 04:05:21 -0400 Received: by mail-lf1-f66.google.com with SMTP id r134so4760487lff.12 for ; Sun, 29 Sep 2019 01:05:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=0Kup/WuM5USev7LE9gSO4eOzCdji3byaAj/3kHQx28s=; b=h2pwvASX7WQiv/rG/0XYDhLUx3u00mBa+Jz8rIT6Pw+WoeadNb+O6ie2l7YKC5Rf8J 5stOLp7KSQ4PIqko2eAhgEJHMyn7GKhuS7LudsvEaV80s0BKLUl7VclZjKIBvdIQsfMO PZRVepNvb3vht+suAXOPFWzPbi07gGt2OPjnRLRDi1x0XrB64PgxCOJ005atFdPXEoPj 2aKrVzHgih52hT+GRID9d7Hk/593LA0slzUtT1NjK5rSX2i8FHW3OMU7eUQo2HGeFz5W tm2XBHctTStlpYlUPd6M8oG91MjnMPRWv68lvgfkc2fuVEQ49bEhT2SmQiQScJiusP0H ZkAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=0Kup/WuM5USev7LE9gSO4eOzCdji3byaAj/3kHQx28s=; b=EsUWAZ7lJ2uyd5npKxT3C68Lgfd1qNSnRU+9EkcrrHlrJZxgJKRu2Urcjo92zkrVRg ml0aoIAxVnna7PvgVHTOrwwjpVzLuz5oTMhdjMK505OE61Hlx++xQiUOI0xToUAYfcWu YuuFPE3oYZYJYUGzT3qwG4B9Nn2zuHy1RXS/2TYI5R5qYe/SarrzTxzKes+mfKNPqvDM T1+PmayR5J/E6Bcne9uSz7XGF0qjMlcvq+OqlTMvc/2ayqL+S7RH7hBcT731YNdOktFX q7z28LtBv0jxOATig/o9b5GUXYeS/zGocqf7DeCPsjhEIi17vFxez5WmeVw65NFb1ktl AR3Q== X-Gm-Message-State: APjAAAUOviR0i+Rm/Y+iujnWAmxTpUw2dB9yQEpe/ATIGTf+50yeoOpj TuDDArSq2b7+hVZWz4kL9sY= X-Received: by 2002:a19:dc10:: with SMTP id t16mr7774621lfg.85.1569744319667; Sun, 29 Sep 2019 01:05:19 -0700 (PDT) Received: from ?IPv6:2a02:17d0:4a6:5700:d63d:7eff:fed9:a39? ([2a02:17d0:4a6:5700:d63d:7eff:fed9:a39]) by smtp.googlemail.com with ESMTPSA id q3sm1985677ljq.4.2019.09.29.01.05.16 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 29 Sep 2019 01:05:17 -0700 (PDT) Subject: Re: x86/random: Speculation to the rescue To: Linus Torvalds , Thomas Gleixner , "Ahmed S. Darwish" Cc: LKML , Theodore Ts'o , Nicholas Mc Guire , the arch/x86 maintainers , Andy Lutomirski , Kees Cook , Stephan Mueller References: From: "Alexander E. Patrakov" Message-ID: Date: Sun, 29 Sep 2019 13:05:15 +0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-PH Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 29.09.2019 04:53, Linus Torvalds пишет: > On Sat, Sep 28, 2019 at 3:24 PM Thomas Gleixner wrote: >> >> Nicholas presented the idea to (ab)use speculative execution for random >> number generation years ago at the Real-Time Linux Workshop: > > What you describe is just a particularly simple version of the jitter > entropy. Not very reliable. > > But hey, here's a made-up patch. It basically does jitter entropy, but > it uses a more complex load than the fibonacci LFSR folding: it calls > "schedule()" in a loop, and it sets up a timer to fire. > > And then it mixes in the TSC in that loop. > > And to be fairly conservative, it then credits one bit of entropy for > every timer tick. Not because the timer itself would be all that > unpredictable, but because the interaction between the timer and the > loop is going to be pretty damn unpredictable. This looks quite similar to the refactoring proposed earlier by Stephan Müller in his paper: https://www.chronox.de/lrng/doc/lrng.pdf . Indeed, he makes a good argument that the timing of device interrupts is right now the main actual source of entropy in Linux, at the end of Section 1.1: """ The discussion shows that the noise sources of block devices and HIDs are a derivative of the interrupt noise source. All events used as entropy source recorded by the block device and HID noise source are delivered to the Linux kernel via interrupts. """ Now your patch adds the timer interrupt (while the schedule() loop is running) to the mix, essentially in the same setup as proposed. > > Ok, I'm handwaving. But I do claim it really is fairly conservative to > think that a cycle counter would give one bit of entropy when you time > over a timer actually happening. The way that loop is written, we do > guarantee that we'll mix in the TSC value both before and after the > timer actually happened. We never look at the difference of TSC > values, because the mixing makes that uninteresting, but the code does > start out with verifying that "yes, the TSC really is changing rapidly > enough to be meaningful". > > So if we want to do jitter entropy, I'd much rather do something like > this that actually has a known fairly complex load with timers and > scheduling. > > And even if absolutely no actual other process is running, the timer > itself is still going to cause perturbations. And the "schedule()" > call is more complicated than the LFSR is anyway. > > It does wait for one second the old way before it starts doing this. > > Whatever. I'm entirely convinced this won't make everybody happy > anyway, but it's _one_ approach to handle the issue. > > Ahmed - would you be willing to test this on your problem case (with > the ext4 optimization re-enabled, of course)? > > And Thomas - mind double-checking that I didn't do anything > questionable with the timer code.. > > And this goes without saying - this patch is ENTIRELY untested. Apart > from making people upset for the lack of rigor, it might do > unspeakable crimes against your pets. You have been warned. > > Linus > -- Alexander E. Patrakov