Date: Sun, 6 Oct 2019 13:41:29 +0200
From: Pavel Machek
To: Linus Torvalds
Cc: Thomas Gleixner, "Ahmed S. Darwish", LKML, Theodore Ts'o, Nicholas Mc Guire, the arch/x86 maintainers, Andy Lutomirski, Kees Cook
Subject: Re: x86/random: Speculation to the rescue
Message-ID: <20191006114129.GD24605@amd>

Hi!

On Sat 2019-09-28 16:53:52, Linus Torvalds wrote:
> On Sat, Sep 28, 2019 at 3:24 PM Thomas Gleixner wrote:
> >
> > Nicholas presented the idea to (ab)use speculative execution for random
> > number generation years ago at the Real-Time Linux Workshop:
>
> What you describe is just a particularly simple version of the jitter
> entropy. Not very reliable.
>
> But hey, here's a made-up patch. It basically does jitter entropy, but
> it uses a more complex load than the fibonacci LFSR folding: it calls
> "schedule()" in a loop, and it sets up a timer to fire.
>
> And then it mixes in the TSC in that loop.
>
> And to be fairly conservative, it then credits one bit of entropy for
> every timer tick. Not because the timer itself would be all that
> unpredictable, but because the interaction between the timer and the
> loop is going to be pretty damn unpredictable.
>
> Ok, I'm handwaving. But I do claim it really is fairly conservative to
> think that a cycle counter would give one bit of entropy when you time
> over a timer actually happening. The way that loop is written, we do
> guarantee that we'll mix in the TSC value both before and after the
> timer actually happened. We never look at the difference of TSC
> values, because the mixing makes that uninteresting, but the code does
> start out with verifying that "yes, the TSC really is changing rapidly
> enough to be meaningful".
>
> So if we want to do jitter entropy, I'd much rather do something like
> this that actually has a known fairly complex load with timers and
> scheduling.
> +/*
> + * If we have an actual cycle counter, see if we can
> + * generate enough entropy with timing noise
> + */
> +static void try_to_generate_entropy(void)
> +{
> + struct {
> + unsigned long now;
> + struct timer_list timer;
> + } stack;

Should we have some kind of notifier chain, so that we could utilize
better random sources (spinning rust) if we had them?

Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
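
Review bot: `struct timer_list timer` in the local `stack` struct of try_to_generate_entropy() lives in the function's stack frame, so the timer has to be set up with timer_setup_on_stack() and, on every return path, stopped with del_timer_sync() and released with destroy_timer_on_stack(); otherwise a still-pending timer fires into a dead frame. The quoted fragment ends at the declaration, so it is worth confirming that the rest of the function does this. The comment above the function would also be more useful if it stated the crediting rule from the patch description (one bit of entropy per timer tick) and that the function gives up when the cycle counter is not changing.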
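
The loop described in the quoted patch description, sketched in userspace C as an added example; it is not the kernel patch and not code from anyone in the thread. Assumptions: `clock_gettime(CLOCK_MONOTONIC)` stands in for the TSC, `sched_yield()` for `schedule()`, a 1 ms `setitimer()`/`SIGALRM` timer for the kernel timer, and `mix()` is a toy placeholder for the pool mixing; all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#include <time.h>

static volatile sig_atomic_t ticks;              /* timer expirations so far */
static void on_tick(int sig) { (void)sig; ticks++; }
static uint64_t counter(void)                    /* assumed stand-in for the TSC */
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static uint64_t mix(uint64_t pool, uint64_t v)   /* toy mixer, not a crypto pool */
{
    pool = (pool ^ v) * 0x9E3779B97F4A7C15ull;
    return (pool << 13) | (pool >> 51);
}

/* Returns the bits credited: want_bits, or 0 if the counter is too coarse. */
static int gather_jitter(uint64_t *pool, int want_bits)
{
    struct sigaction sa = { .sa_handler = on_tick }, old;
    struct itimerval it = { {0, 1000}, {0, 1000} }, off = { {0, 0}, {0, 0} };
    uint64_t first = counter();
    int credited = 0, seen = ticks;
    sched_yield();
    if (counter() == first) return 0;            /* no movement across one yield */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, &old);
    setitimer(ITIMER_REAL, &it, NULL);           /* 1 ms periodic timer */
    while (credited < want_bits) {
        *pool = mix(*pool, counter());           /* mixed before and after each tick */
        if (ticks != seen) { seen = ticks; credited++; }   /* one bit per tick seen */
        sched_yield();
    }
    setitimer(ITIMER_REAL, &off, NULL);          /* stop the timer, then unhook */
    sigaction(SIGALRM, &old, NULL);
    return credited;
}

int main(void)
{
    uint64_t pool = 0;
    printf("credited %d bits\n", gather_jitter(&pool, 64));
    return 0;
}
```

Several ticks that land between two loop iterations are credited as one bit, which keeps the accounting on the conservative side of the one-bit-per-tick rule.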