From: Linus Torvalds
Date: Tue, 1 Oct 2019 10:25:08 -0700
Subject: Re: x86/random: Speculation to the rescue
To: "Ahmed S. Darwish"
Cc: Thomas Gleixner, a.darwish@linutronix.de, LKML, "Theodore Ts'o", Nicholas Mc Guire, "the arch/x86 maintainers", Andy Lutomirski, Kees Cook
In-Reply-To: <20191001161448.GA1918@darwi-home-pc>

On Tue, Oct 1, 2019 at 9:15 AM Ahmed S. Darwish wrote:
>
> To test the quality of the new jitter code, I added a small patch on
> top to disable all other sources of randomness except the new jitter
> entropy code, [1] and made quick tests on the quality of getrandom(0).

You also need to make sure to disable rdrand. Even if we don't trust
it, we always mix it in.

> Using the "ent" tool, [2] also used to test randomness in the Stephen
> Müller LRNG paper, on a 500000-byte file, produced the following
> results:

Entropy is hard to estimate, for roughly the same reasons it's hard to
generate.

The entropy estimation is entirely broken by the whitening we do:
first we do the LFSR to mix things into the pools, then we whiten it
when we mix it between the input pool and the final pool, and then we
whiten it once more when we extract it when reading.

So the end result of urandom will look random to all the entropy tools
regardless of what the starting point is. Because we use good hashes
for whitening, and do all the updating of the pools while extracting,
the end result had better look perfect.

The only way to even make an educated estimate of actual entropy would
be to print out the raw state of the input pool when we do that "crng
init done".

And then you would have to automate some "reboot machine thousands of
times" and start looking for patterns.

And even then you'd only have a few thousand starting points that we
_claim_ have at least 128 bits of entropy in, and you'd have a really
hard time to prove that is the case.

You might prove that we are doing something very very wrong and don't
have even remotely close to 128 bits of randomness, but just 5 bits of
actual entropy or whatever - _that_ kind of pattern is easy to see.

But even then /dev/urandom as a _stream_ should look fine. Only the
(multiple, repeated) initial states in the input pool would show the
lack of entropy.

And you'd really have to reboot things for real. And not in a VM
either. Just repeating the entropy initialization wouldn't show the
pattern (unless it's even more broken) because the base TSC values
would be changing.

Entropy really is hard. It's hard to generate, and it's hard to measure.

             Linus
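
The argument in the message above, as an added example that is not part of the original e-mail and is not kernel code: a hash-whitened stream from a pool holding only 5 bits scores near 8 bits per byte on an "ent"-style byte test, while the raw initial states collected over many simulated boots expose the shortfall. Assumptions: SHA-256 in counter mode stands in for the kernel's extraction step, the 5-bit pool and the 4000 boots are constructed, and `whitened_stream`, `shannon_bits` and `simulate_boots` are hypothetical names.

```python
import hashlib
import math
import random
from collections import Counter

WEAK_BITS = 5          # constructed: the pool really holds only 5 bits
STREAM_LEN = 500_000   # same file size the quoted test fed to "ent"


def whitened_stream(raw_state: int, length: int) -> bytes:
    """Stand-in for extraction: SHA-256 over the raw state plus a counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = raw_state.to_bytes(8, "little") + counter.to_bytes(8, "little")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def shannon_bits(symbols) -> float:
    """Empirical Shannon entropy in bits per symbol (per byte for a stream)."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def simulate_boots(n_boots: int, rng: random.Random) -> list:
    """Raw input-pool state as it would be dumped at each simulated boot."""
    return [rng.getrandbits(WEAK_BITS) for _ in range(n_boots)]


def run_demo() -> dict:
    rng = random.Random(2019)  # fixed seed so the demo is repeatable
    boots = simulate_boots(4000, rng)
    stream = whitened_stream(boots[0], STREAM_LEN)
    return {
        # What a byte-frequency tool sees on the output stream of one boot.
        "stream_bits_per_byte": shannon_bits(stream),
        # What the repeated raw starting points reveal across boots.
        "distinct_initial_states": len(set(boots)),
        "initial_state_bits": shannon_bits(boots),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, round(value, 4))
```

The stream statistic says nothing about the seed; only the count and distribution of raw starting states across boots does, and the simulation skips the hard part the message insists on, which is collecting those states from real reboots on real hardware.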