Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp1839298pxu; Sat, 17 Oct 2020 02:58:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxi+b3DPcKhU2EHI3FaTyNXC+sgNmpjUeprgVCGLy8m4CPOAuRGBG3spC8+AtXEXHqeV6qa X-Received: by 2002:a05:6402:14cd:: with SMTP id f13mr8264754edx.75.1602928684806; Sat, 17 Oct 2020 02:58:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602928684; cv=none; d=google.com; s=arc-20160816; b=EqzLt0rawy8H/jknXOoEz25enIsJqhGvcZYRmk2o6WN4BnuGjxmgfesQ20U3m0oP01 /TEbYmWOfo1J0sXXx9Ne1P7hJPeVSpee5vnnuHhMDi1CQG1TycAfhidLHHFp7YkwjmGA 7WUW4BnnbVTPDYijltSZQtU6PRUrrULHCDiio5Cx6ZfN0rK1njF4bYEJEASD75Z5SoWF N4o08Voi2WNqf2hfrQkMOk71LGAq+FRvFvpOAOqDtNoB1814ZGm6Lrxlt0gK3TEBc9NO coCi3hjPM2LLw3ezJO0uxin6nOtOan4l+GHNyILvp+jCLxAqM3rj33LIsrFJiecDpAbA 1Y1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=wzkWOoKjInRI+O5FvJvA/t/AUj8a5RTpGl8TvIyMwpk=; b=ucNBBgVjACgprFu0zBnjgoDZBaoH4FsvPZvmaJrQD3aitb1e2JIQODNWQ1m+PY3iUz BRAGLJSOj6x1g01O76SsIs2w+sAXI600FH8URAT7TkJonUJrqWlGDnl317rAXrnMzmTw /e2rVKOvs3aT6xABJk7O6LX+ZOcFfyQSPmG7adf2dtDGs4E9RQrMH8ItmOaBjP0U5MGp CO5H+B1VdM+D0F61r1UT/IFnu6Ddr5IsMaSdGMp+hednCpaEjOi3LfvTovv0hZ2t6rKL vX74B03k4lYplPlSN6ecVJbnGjp3dysHv9mwHX3/zyPlMH0m+kY+tVDOkF2mWld/JsBt 2J9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=qT5tSTup; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o24si3205595ejc.754.2020.10.17.02.57.43; Sat, 17 Oct 2020 02:58:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=qT5tSTup; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2437252AbgJQG4E (ORCPT + 99 others); Sat, 17 Oct 2020 02:56:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37424 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2437243AbgJQG4D (ORCPT ); Sat, 17 Oct 2020 02:56:03 -0400 Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3D575C0613D3 for ; Fri, 16 Oct 2020 23:56:03 -0700 (PDT) Received: by mail-lj1-x243.google.com with SMTP id 23so815538ljv.7 for ; Fri, 16 Oct 2020 23:56:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wzkWOoKjInRI+O5FvJvA/t/AUj8a5RTpGl8TvIyMwpk=; b=qT5tSTupKtI9+LV08l4NhIywJjENbE/1819qMpMZ4wleQCC2UZcegHiJKzfH1HMZ3e VQ39ggQjsnoUsTrwcVQ97D1zQSE6mutGso5Q8ogf39SUNsMEKhaYEUFy/VRoirOjmt9b 37fnHoejXu8BkEr6+HM11CFBIeNasDURFIHxGHoIweZ8GffWeTWMHjs1yf08SJ9aElhz uVubdWIw6/aHW+WMsmF6jE1F+EA14IbVZRX4CbiaSO5HESQkyn+DtfxAcYY1TXnDXa3y L0xoXUEVvRAwv4QmP1JweP+0D8VJwUznxwhWGyWIOZuxwKsIs2yP+PPDqRQknJmj0Lnw LbIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wzkWOoKjInRI+O5FvJvA/t/AUj8a5RTpGl8TvIyMwpk=; b=Ng+RLXm2NJb94W91DfbptSjq0pImH8oZZTIg3KTchwwjuZkzEkLW2N8hooDiKmNA7L Bg+hl32/fGdWSXCev0bOrXEo4/xWccey/KqWtpaPeLuSb0Gil9bccjJr7QHYI0yrL0Wz cbVUTj7AtrxGCIzRWzYCH058gOfH8T5Ulwbo6UmTZah3XuhWQiaaZ0CNaS067pXCe2g2 9fa/LVh7XKNtGDREThklR2iZgmTkZ6arOxmHuqck0CCWozF6pBHx5cgpPjCT5jkqvBf+ anFJwVeaclNyFRSVldFkNStSEKd1Pml4tkiK3Wdy2gguyeMtK7vd3winBKSAPzIk/eaY E2pA== X-Gm-Message-State: AOAM530OygZEFMBDoM8RUxAQs33gclHD94sjfpviWb7sWYZzN39JsMqq SUkw8cXYYU83mvPoCF9tgjb0Cx/yia+yuUloUGQ52w== X-Received: by 2002:a2e:8816:: with SMTP id x22mr2697080ljh.377.1602917761335; Fri, 16 Oct 2020 23:56:01 -0700 (PDT) MIME-Version: 1.0 References: <788878CE-2578-4991-A5A6-669DCABAC2F2@amazon.com> <20201017033606.GA14014@1wt.eu> <6CC3DB03-27BA-4F5E-8ADA-BE605D83A85C@amazon.com> <20201017053712.GA14105@1wt.eu> <20201017064442.GA14117@1wt.eu> In-Reply-To: <20201017064442.GA14117@1wt.eu> From: Jann Horn Date: Sat, 17 Oct 2020 08:55:34 +0200 Message-ID: Subject: Re: [PATCH] drivers/virt: vmgenid: add vm generation id driver To: Willy Tarreau Cc: Colm MacCarthaigh , "Catangiu, Adrian Costin" , Andy Lutomirski , Jason Donenfeld , "Theodore Y. Ts'o" , Eric Biggers , "open list:DOCUMENTATION" , kernel list , "open list:VIRTIO GPU DRIVER" , "Graf (AWS), Alexander" , "Woodhouse, David" , bonzini@gnu.org, "Singh, Balbir" , "Weiss, Radu" , oridgar@gmail.com, ghammer@redhat.com, Jonathan Corbet , Greg Kroah-Hartman , "Michael S. Tsirkin" , Qemu Developers , KVM list , Michal Hocko , "Rafael J. Wysocki" , Pavel Machek , Linux API Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Oct 17, 2020 at 8:44 AM Willy Tarreau wrote: > On Sat, Oct 17, 2020 at 07:52:48AM +0200, Jann Horn wrote: > > On Sat, Oct 17, 2020 at 7:37 AM Willy Tarreau wrote: > > > On Sat, Oct 17, 2020 at 07:01:31AM +0200, Jann Horn wrote: > > > > Microsoft's documentation > > > > (http://go.microsoft.com/fwlink/?LinkId=260709) says that the VM > > > > Generation ID that we get after a fork "is a 128-bit, > > > > cryptographically random integer value". If multiple people use the > > > > same image, it guarantees that each use of the image gets its own, > > > > fresh ID: > > > > > > No. It cannot be more unique than the source that feeds that cryptographic > > > transformation. All it guarantees is that the entropy source is protected > > > from being guessed based on the output. Applying cryptography on a simple > > > counter provides apparently random numbers that will be unique for a long > > > period for the same source, but as soon as you duplicate that code between > > > users and they start from the same counter they'll get the same IDs. > > > > > > This is why I think that using a counter is better if you really need something > > > unique. Randoms only reduce predictability which helps avoiding collisions. > > > > Microsoft's spec tells us that they're giving us cryptographically > > random numbers. Where they're getting those from is not our problem. > > (And if even the hypervisor is not able to collect enough entropy to > > securely generate random numbers, worrying about RNG reseeding in the > > guest would be kinda pointless, we'd be fairly screwed anyway.) > > Sorry if I sound annoying, but it's a matter of terminology and needs. > > Cryptograhically random means safe for use with cryptography in that it > is unguessable enough so that you can use it for encryption keys that > nobody will be able to guess. It in no ways guarantees uniqueness, just > like you don't really care if the symmetric crypto key of you VPN has > already been used once somewhere else as long as there's no way to know. > However with the good enough distribution that a CSPRNG provides, > collisions within a *same* generator are bound to a very low, predictable > rate which is by generally considered as acceptable for all use cases. Yes. > Something random (cryptographically or not) *cannot* be unique by > definition, otherwise it's not random anymore, since each draw has an > influence on the remaining list of possible draws, which is contrary to > randomness. And conversely something unique cannot be completely random > because if you know it's unique, you can already rule out all other known > values from the candidates, thus it's more predictable than random. Yes. > With this in mind, picking randoms from a same RNG is often highly > sufficient to consider they're highly likely unique within a long > period. But it's not a guarantee. And it's even less one between two > RNGs (e.g. if uniqueness is required between multiple hypervisors in > case VMs are migrated or centrally managed, which I don't know). > > If what is sought here is a strong guarantee of uniqueness, using a > counter as you first suggested is better. My suggestion is to use a counter *in the UAPI*, not in the hypervisor protocol. (And as long as that counter can only miss increments in a cryptographically negligible fraction of cases, everything's fine.) > If what is sought is pure > randomness (in the sense that it's unpredictable, which I don't think > is needed here), then randoms are better. And this is what *the hypervisor protocol* gives us (which could be very useful for reseeding the kernel RNG). > If both are required, just > concatenate a counter and a random. And if you need them to be spatially > unique, just include a node identifier. > > Now the initial needs in the forwarded message are not entirely clear > to me but I wanted to rule out the apparent mismatch between the expressed > needs for uniqueness and the proposed solutions solely based on randomness. Sure, from a theoretical standpoint, it would be a little bit nicer if the hypervisor protocol included a generation number along with the 128-bit random value. But AFAIU it doesn't, so if we want this to just work under Microsoft's existing hypervisor, we'll have to make do with checking whether the random value changed. :P