Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1635302ybb; Sun, 29 Mar 2020 09:33:16 -0700 (PDT) X-Google-Smtp-Source: ADFU+vvPvO1hw0f7Qh++gApTB8wtZF1YpetgKEj6z78ra8HaXiHkJpkZ4IVpzb0b4tu7no9x9R4p X-Received: by 2002:a05:6830:1e79:: with SMTP id m25mr6124777otr.36.1585499596794; Sun, 29 Mar 2020 09:33:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585499596; cv=none; d=google.com; s=arc-20160816; b=YIZdicSO+rxs3lv5FTd1i7//OpL5OyRO1uI27+C1BUfaSUj6rrs1+D/XAuD/9n+Tpk gsYmxMEx/7i3+LszuHaUu85UzjmZfQNpMk/NM4ovxZuTVHxt+XFuynD8K6qY4ji5fzjG Ni2h+QgfER6foaTAQanC0oN1X9nfwjW6Axd7xpA0hQtgA8gGvNOZ/GUjJNLAim71l+iY HrThRFRGRQmGLyqtNVocaLFZpPO+iZPkmk2GSVBXjT+ulYSXfomC1Q91E8+9ASWWq3Z4 gqQtady11zmNB/CuffIwczkR/j+rgrCuhw+HYydht3GG3MFOHxx5DjcXyQ9fXebKt37y anZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=48ofsBJV+xVg0A4vaIzjAHAy/ApBgqBkryeSP5nBJKo=; b=kdDHGPaSbp9Oz8+KytZ3kzyDQH5XkEe8SpSu92ku2pfqt6sL2QZZMFJAs7m6Afg8mF k7JvmrvbdyDyfN+M1VXiw8Zq7YEtY7L40gdYcIRudjNeizbrrIFv0b4P0Oz38mU5WJjB 6wReYcdFEbrDNYyOjapyC7bKwioICTPLJ0XiYzl6HXvztrKIrOI7QRyseA+gGg0WeDFK bhIE1cJjQJiTSwn1syBHbo+2hYnFLb3fMYQqYqHXyOdP9lnPZrKOe8JprtfrjR19wHXf zDhC/bok8O4IrK7CtniNN6NsSmZACKfwDBlvrgs46Cu7RFPe002FB3vtmRgq5dYWRciU dyFg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h3si4343322otg.9.2020.03.29.09.33.03; Sun, 29 Mar 2020 09:33:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728320AbgC2QcQ (ORCPT + 99 others); Sun, 29 Mar 2020 12:32:16 -0400 Received: from mx.sdf.org ([205.166.94.20]:63508 "EHLO mx.sdf.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727903AbgC2QcP (ORCPT ); Sun, 29 Mar 2020 12:32:15 -0400 Received: from sdf.org (IDENT:lkml@sdf.lonestar.org [205.166.94.16]) by mx.sdf.org (8.15.2/8.14.5) with ESMTPS id 02TGVvPV009144 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits) verified NO); Sun, 29 Mar 2020 16:31:57 GMT Received: (from lkml@localhost) by sdf.org (8.15.2/8.12.8/Submit) id 02TGVuVO017489; Sun, 29 Mar 2020 16:31:56 GMT Date: Sun, 29 Mar 2020 16:31:56 +0000 From: George Spelvin To: Jason Gunthorpe , tytso@mit.edu Cc: linux-kernel@vger.kernel.org, Doug Ledford , linux-rdma@vger.kernel.org, Faisal Latif , Shiraz Saleem , Bart Van Assche , Bernard Metzler , lkml@sdf.org Subject: Re: [RFC PATCH v1 42/50] drivers/ininiband: Use get_random_u32() Message-ID: <20200329163156.GB4675@SDF.ORG> References: <202003281643.02SGhN9T020186@sdf.org> <20200329143621.GF20941@ziepe.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200329143621.GF20941@ziepe.ca> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Mar 29, 2020 at 11:36:21AM -0300, Jason Gunthorpe wrote: > On Wed, Aug 21, 2019 at 08:21:45PM -0400, George Spelvin wrote: >> There's no need to get_random_bytes() into a temporary buffer. >> >> This is not a no-brainer change; get_random_u32() has slightly weaker >> security guarantees, but code like this is the classic example of when >> it's appropriate: the random value is stored in the kernel for as long >> as it's valuable. > > The mechanical transformation looks OK, but can someone who knows the > RNG confirm this statement? You might find commit 92e507d21613 ("random: document get_random_int() family") informative. > Many of these places are being used in network related contexts, I > suspect the value here is often less about secrecy, more about > unguessability. The significant difference is backtrackability. Each get_random_bytes() call has a final anti-backtracking step, to ensure that the random number just generated cannot be recovered from the subsequent kernel state. This is appropriate for encryption keys or asymmetric keys. The get_random_{int,long,u32,u64} functions omit this step, which means they only need one ChaCha20 crypto operation per 64 bytes of output, not a minimum of one per call. One good way of distinguishing the cases is to look for calls to memzero_explicit(). If you need to ensure the random bytes are securely destroyed, you need antibacktracking. If your application doesn't care if anyone learns your session authentication keys after the session has been closed, you don't need it.