Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp246345ybb;
        Tue, 31 Mar 2020 22:25:00 -0700 (PDT)
X-Google-Smtp-Source: APiQypLxzxrn/I+9y4G+RnARbuq6GswFGPqz8cX8CuNcxuAhziPZYpf+xOFVmMfguL/TeU2ZP4J2
X-Received: by 2002:aca:c3d1:: with SMTP id t200mr1686894oif.24.1585718700043;
        Tue, 31 Mar 2020 22:25:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585718700; cv=none;
        d=google.com; s=arc-20160816;
        b=XxzroNabjVEyh1i4BLKt0bKft2y55WARMIiFh4IPrLAsIETU6qwWX3szd4cym69YIx
         V1hnvbgmnT961xICO7/+Tg1cMMFKn9R1Y8t6o6oODkYj2Y5bvhJhyE/Yl91DCwDhPkpx
         NoXdGJFXmYNKmzHN3ybqzSPE9ir7+WP9Gql+hLfwlyQgO+RBfpjQDH1dZo7dFumKuM1/
         MkJ3Ovbew3JNfEWUwTmPCpfAGztKUbr9joirgo8xKU5xt8YSix24re+7DGMwN3KEN0is
         Ff21wwgQv7a2g0qpgYboW5SH4yMrTO4pAuIMTmDR/RB3gbSGi1XDDJNMu+SELBtYfhSs
         6Mkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=aG23JSkZnQQdOTXuItUy2ordOjPPbrtyfRDrMkBgE5I=;
        b=aKRWE3b4QMMMVCtdpAk1LaBgNC3UxTjvx7qX+0FCugf4dLoKpkTvO0COGmAS17LxWU
         e1aZHpoPixIYN8lAq5xiUc0ZATY+OBTxT3FeIUfcBiKNe4VDGtavdhRqSpo1PGWF4LFy
         aMkpAg2lHCauljVWk8ROMZk5SJUng+TpYagiG0E4QHhYSePf7zpcstdsk7NwBqm6awKI
         do7p/0EtPN5HZIU3JvQz46vki63eK2QQGvKXpYJwDoNohNvxuHObNC8HExRcDRUm9yhQ
         fCIGftkdNmiOpFpZA4wA08yPG2hCSQUqlOI1WdxGuxiu3i5hIs1mIPeNPSkI/4RD8H8s
         5AHQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w18si353906otp.73.2020.03.31.22.24.46;
        Tue, 31 Mar 2020 22:25:00 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731795AbgDAFXB (ORCPT <rfc822;rruigrok1@gmail.com> + 99 others);
        Wed, 1 Apr 2020 01:23:01 -0400
Received: from mx.sdf.org ([205.166.94.20]:64868 "EHLO mx.sdf.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726125AbgDAFXA (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Apr 2020 01:23:00 -0400
Received: from sdf.org (IDENT:lkml@faeroes.freeshell.org [205.166.94.9])
        by mx.sdf.org (8.15.2/8.14.5) with ESMTPS id 0315I32g012695
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits) verified NO);
        Wed, 1 Apr 2020 05:18:03 GMT
Received: (from lkml@localhost)
        by sdf.org (8.15.2/8.12.8/Submit) id 0315Hxjv027273;
        Wed, 1 Apr 2020 05:17:59 GMT
Date:   Wed, 1 Apr 2020 05:17:59 +0000
From:   George Spelvin <lkml@SDF.ORG>
To:     "Theodore Y. Ts'o" <tytso@mit.edu>
Cc:     David Laight <David.Laight@ACULAB.COM>,
        Dan Williams <dan.j.williams@intel.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Qian Cai <cai@lca.pw>, Kees Cook <keescook@chromium.org>,
        Michal Hocko <mhocko@suse.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Linux MM <linux-mm@kvack.org>,
        Thomas Garnier <thgarnie@google.com>, lkml@sdf.org
Subject: lib/random32.c security
Message-ID: <20200401051759.GA9616@SDF.ORG>
References: <202003281643.02SGhPmY017434@sdf.org>
 <CAPcyv4iagZy5m3FpMrQqyOi=_uCzqh5MjbW+J_xiHU1Z1BmF=g@mail.gmail.com>
 <20200328182817.GE5859@SDF.ORG>
 <98bd30f23b374ccbb61dd46125dc9669@AcuMS.aculab.com>
 <20200329174122.GD4675@SDF.ORG>
 <20200329214214.GB768293@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200329214214.GB768293@mit.edu>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Mar 29, 2020 at 05:42:14PM -0400, Theodore Y. Ts'o wrote:
> If anyone is trying to rely on prandom_u32() as being "strong" in any
> sense of the word in terms of being reversable by attacker --- they
> shouldn't be using prandom_u32().  That's going to be true no matter
> *what* algorithm we use.
> 
> Better distribution?  Sure.  Making prandom_u32() faster?  Absolutely;
> that's its primary Raison d'Etre.

I'd like your comments on an idea I had to add a second PRNG state
for security-interesting applications.

There are some ASLR tasks, notably slab freelist shuffling and
per-syscall stack offset randomization, which need a Very Fast
source of random numbers.  No crypto-grade generator qualifies,
and both currently use very bad ad-hoc generators.

The per-syscall stack offset code currently uses the lsbits of the
TSC, which is obviously bad as they're observable by the (presumed
malicious) userspace immediately before the call and thus highly
predictable.

Likewise, the slab shuffling currently precomputes a permutation and
just picks a random starting position for every slab.

Both are saved by the fact that their PRNG outputs are mostly
unobservable, so an attacker can't start to predict them.

I was thinking that a second PRNG, identical to the prandom_u32()
one but seeded speartely, could be used for this purpose.  The good
distribution would preclude trivial patterns in their output, which
is about all we can hope for.

The difference is that it would only be used for applications which
both require high speed and are (mostly) unobservable to an attacker.


Any opinions, anyone?