Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3658971ybb; Tue, 31 Mar 2020 09:27:53 -0700 (PDT) X-Google-Smtp-Source: ADFU+vtttFshkGKW82n8BqdRJnN+y4kJw85gSqriBLoNJN8C23XJjzxiG64A9CU9vygULfz7nvHj X-Received: by 2002:a9d:19c8:: with SMTP id k66mr14115116otk.186.1585672073611; Tue, 31 Mar 2020 09:27:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585672073; cv=none; d=google.com; s=arc-20160816; b=PkwjMmCZS1NQNWOKye+6heN8m7We8rHbrlJizku8JWRonWueKCM/HnqZeR/P95EXHv XzYN5ZVVDS5vKHvbIoH3d5mBzw19Djq0BrbBRMhoV+e2HaIlo1KWUVT0lSVQGwQ9MZFH crfrLk3mi0R7wRxISWwBK28AI8wOGsFd1daR8O/qvDHENTP+v/Fb1b0QTOyHWX3tA20t 1Q8OX10meXFlp/KIlRTkCkuIMSrAXpmekgN6IuDOZVdyP9nkiSvwoUbo3nHF8Mrde/bm 0/l1ZOqSRcnFcUsrDOl5IjzOIRCPjaaT3hKS1e6Ui9DtwoQV1OXWykTfAF8zP6DAdIis r79A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=zWR4v1Y/PT9AoMNC7fg0rgrQ2zY2gV7PSXBqhFyk+kA=; b=s2CpJhVAcvwAi/E4AL1ooURllV/k/Tfab8QF5syUdIP9Q4+U+M4Qi3ClbU/Qkp0xQK fAoSeMSP+rjlOUDSbLK6tFRyEuULFHt46EsIR6RrrJawbhKf61cNimvCbsEK9aTKnMTP r1R+Vt0eILlOJenjM97U07hc4nQVC+zWi/FHKg2Z0+ve0pR4q3Q1Eo/nuNNZ8JAk8IK8 TeF2NyBiVOnxOhWfszSW+kFHeUfUxOWKYC7FBAbHn190uWbmL0A531aU7UBP5BjguVwm YqsOwDYZzSYqqmd6/DN0EixRoA/ih2TUpp1j5UeT4fL+k+7LHlhQ4U0S5C4gpXpDnaMv GGdg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w5si4793193ote.129.2020.03.31.09.27.39; Tue, 31 Mar 2020 09:27:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730391AbgCaQ0z (ORCPT + 99 others); Tue, 31 Mar 2020 12:26:55 -0400 Received: from foss.arm.com ([217.140.110.172]:57190 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729682AbgCaQ0y (ORCPT ); Tue, 31 Mar 2020 12:26:54 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2BAB330E; Tue, 31 Mar 2020 09:26:54 -0700 (PDT) Received: from C02TD0UTHF1T.local (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id E3F903F71E; Tue, 31 Mar 2020 09:26:52 -0700 (PDT) Date: Tue, 31 Mar 2020 17:26:50 +0100 From: Mark Rutland To: George Spelvin Cc: linux-kernel@vger.kernel.org, Catalin Marinas , Will Deacon , linux-arm-kernel@lists.infradead.org Subject: Re: [RFC PATCH v1 44/50] arm64: ptr auth: Use get_random_u64 instead of _bytes Message-ID: <20200331162650.GB4400@C02TD0UTHF1T.local> References: <202003281643.02SGhOi3016886@sdf.org> <20200330105745.GA1309@C02TD0UTHF1T.local> <20200330193237.GC9199@SDF.ORG> <20200331101412.GA1490@C02TD0UTHF1T.local> <20200331144915.GA4303@SDF.ORG> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200331144915.GA4303@SDF.ORG> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 31, 2020 at 02:49:15PM +0000, George Spelvin wrote: > On Tue, Mar 31, 2020 at 11:14:12AM +0100, Mark Rutland wrote: > > On Mon, Mar 30, 2020 at 07:32:37PM +0000, George Spelvin wrote: > >> On Mon, Mar 30, 2020 at 11:57:45AM +0100, Mark Rutland wrote: > >> Because get_random_bytes() implements anti-backtracking, it's a minimum > >> of one global lock and one ChaCha20 operation per call. Even though > >> chacha_block_generic() returns 64 bytes, for anti-backtracking we use > >> 32 of them to generate a new key and discard the remainder. > >> > >> get_random_u64() uses the exact same generator, but amortizes the cost by > >> storing the output in a per-CPU buffer which it only has to refill every > >> 64 bytes generated. 7/8 of the time, it's just a fetch from a per-CPU > >> data structure. > > > > I see; thanks for this explanation. It would be helpful to mention the > > backtracking distinction explicitly in the commit message, since it > > currently only alludes to it in the first sentence. > > Easily done, but I need to find a centralized place to say it, or > I'd be repeating myself a *lot* in the series. Sure, but in the interests of optimizing for review, it's worth doing a copy+paste of the key detail into each commit. That way, even if the reviewer only looks at the patch in isolation they have all the necessary context, and you don't have to reply to the same question on each patch. > > It's worth noting that the key values *can* be exposed to userspace when > > CONFIG_CHECKPOINT_RESTORE is selected. On such kernels, a user could > > regenerate and read the keys an arbitrary number of times on a CPU of > > their choice. From my limited understanding I presume backtracking may > > be a concern there? > > No. Backtracking is an issue if the keys must remain secret *after* > they are wiped from kernel memory. This applies to session > *encryption* keys (assuming the plaintext should remain secret > after the session is over), and to any long-lived keys which are > stored encrypted or otherwise inaccessible (e.g. in dedicated > hardware). The latter includes most asymmetric private keys. > Basically, do you need to wipe the key (with memzero_explicit) when > you are done with it? If that is important, you also want to > know that the key cannot be reconstructed from the CRNG state. I see, thanks for the explanation. I had misunderstood the what backtracking was in this context. > A modified patch will follow. Thanks for your patience. I've given that an Ack as it looked sound to me. Thanks, Mark.