Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp240029ybf;
        Thu, 27 Feb 2020 20:10:48 -0800 (PST)
X-Google-Smtp-Source: APXvYqzikrkaSYXy2YnmLDYDLG0naZ01XL8Lkuo4jGO2clbYdgi8W2BrAkJZ6BtPJ8Srv7NoJSNM
X-Received: by 2002:aca:d0a:: with SMTP id 10mr1738458oin.50.1582863048585;
        Thu, 27 Feb 2020 20:10:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1582863048; cv=none;
        d=google.com; s=arc-20160816;
        b=dK5pfrzAck4ORao3d1Z/5iF8u/3De9nPaeEAyVxjZ4dvVKHyGUkAWPeN4NIE2SwI3d
         AUfMtPQSFwWmbixFtqoQiGpsABETsYxzAmsqnOO4BF6Lj8x32qaHoXkYVAL7Faf88rmN
         oIZ6tzqH6/XZhVgOgSxDUnS88uC4W29ztGDP84E+ULTVhgcATzA56HixqH1cqLbM0dI3
         o3SlaAgeVfLf1O40xs3smpAh/Gzop3OjJMkuYzSod8xiSNfPSn7JC2WsCSWf8BbHCYcQ
         tLilYHBySosuJNLs/LNfUD2T/Jh0NRlEmA8/yL+P+AGFHhG/VboiYUtPYyJgVT04Ak2W
         vWYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=X/6FtVwfO4dcotqOYPu4k26+AAaTjZPu8DhluLBQb0E=;
        b=eYS7aAvSrC+ovRWieUpbhJyyeo8OWIX1CYozBp86JYPMmDheFNzTy+6L9FGcrdC+J5
         Uo+K4Kza/2q7j5BR7ygBTN4XBEapnXaMGcOOUcJmSR05YFZgqSpYeZdo3ckZkhxMDEmY
         uJkqkNY6oh+pOOUsUaUgl/nW47izIFfGVczsMno3Z/5z1Go8oI7CqvtdExAAsb3E2Fdn
         GoF7eWv0r3MfECe3bXMUcAddpQ0vXQe4ENzhzSTfCZOOQvJUndUf9NU3/4hoFqfBpv3Q
         q8i0Tz74JCzPVjr0bzwYqqcYgqhh40ZCtUOD3KsEAcA7VQeLmTwOQPoKNDTyjKoYqpKr
         5ybg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y144si992511oia.67.2020.02.27.20.10.37;
        Thu, 27 Feb 2020 20:10:48 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730896AbgB1EJh (ORCPT <rfc822;busarih159@gmail.com>
        + 99 others); Thu, 27 Feb 2020 23:09:37 -0500
Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:53921 "EHLO
        outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S1730885AbgB1EJg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 27 Feb 2020 23:09:36 -0500
Received: from callcc.thunk.org (guestnat-104-133-8-109.corp.google.com [104.133.8.109] (may be forged))
        (authenticated bits=0)
        (User authenticated as tytso@ATHENA.MIT.EDU)
        by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 01S49UB5027674
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Thu, 27 Feb 2020 23:09:32 -0500
Received: by callcc.thunk.org (Postfix, from userid 15806)
        id 46D5B421A71; Thu, 27 Feb 2020 23:09:30 -0500 (EST)
Date:   Thu, 27 Feb 2020 23:09:30 -0500
From:   "Theodore Y. Ts'o" <tytso@mit.edu>
To:     "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc:     linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org
Subject: Re: [PATCH v2] random: always use batched entropy for
 get_random_u{32,64}
Message-ID: <20200228040930.GB101220@mit.edu>
References: <CAHmME9o+Nh0=0QBimOJLXpLitQ9p6rsAut+Zvb4A1-iEjGn3jw@mail.gmail.com>
 <20200221201037.30231-1-Jason@zx2c4.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200221201037.30231-1-Jason@zx2c4.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 21, 2020 at 09:10:37PM +0100, Jason A. Donenfeld wrote:
> It turns out that RDRAND is pretty slow. Comparing these two
> constructions:
> 
>   for (i = 0; i < CHACHA_BLOCK_SIZE; i += sizeof(ret))
>     arch_get_random_long(&ret);
> 
> and
> 
>   long buf[CHACHA_BLOCK_SIZE / sizeof(long)];
>   extract_crng((u8 *)buf);
> 
> it amortizes out to 352 cycles per long for the top one and 107 cycles
> per long for the bottom one, on Coffee Lake Refresh, Intel Core i9-9880H.
> 
> And importantly, the top one has the drawback of not benefiting from the
> real rng, whereas the bottom one has all the nice benefits of using our
> own chacha rng. As get_random_u{32,64} gets used in more places (perhaps
> beyond what it was originally intended for when it was introduced as
> get_random_{int,long} back in the md5 monstrosity era), it seems like it
> might be a good thing to strengthen its posture a tiny bit. Doing this
> should only be stronger and not any weaker because that pool is already
> initialized with a bunch of rdrand data (when available). This way, we
> get the benefits of the hardware rng as well as our own rng.
> 
> Another benefit of this is that we no longer hit pitfalls of the recent
> stream of AMD bugs in RDRAND. One often used code pattern for various
> things is:
> 
>   do {
>   	val = get_random_u32();
>   } while (hash_table_contains_key(val));
> 
> That recent AMD bug rendered that pattern useless, whereas we're really
> very certain that chacha20 output will give pretty distributed numbers,
> no matter what.
> 
> So, this simplification seems better both from a security perspective
> and from a performance perspective.
> 
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thanks, applied.

						- Ted