Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2479400pxu; Mon, 7 Dec 2020 07:38:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJy3gngcocpk71E8o9pH/5+Ne8ENeSO4MQ34cr+hKvjIbu5WLVGUB2y5KUk6+KsGI3aMHsQm X-Received: by 2002:a17:906:ae55:: with SMTP id lf21mr19332246ejb.101.1607355536483; Mon, 07 Dec 2020 07:38:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607355536; cv=none; d=google.com; s=arc-20160816; b=Tb4FDpKUa6ksXNtL5Fhb4ovjd0quB7hVnXJx4B4+7TTiJxA7PgAkq2OApXqRyBJH+8 pMMyKca0eS7tkbuEHEMPDWOsljRpJZy2dr3elor07FSGsUBZn/g/tV+C9yv/8R5OmNus aRXt5eus1Wq7owSuxN1Hnbo23GoNhjPcm8unTYxcDV3yWrMyX8ATQI+KOdN4Ma2iJK0f 7K6+OBrAMUrAGeTUmpAdJdSLWA+E2Xm0Gnv0cUTLH6ONX7JojUfRX2S1dD0xLDZbeV7r VbCABsWbY/ADfAh/dV8oEnfgzhW66uhGjmop96ugjdOfETaT4n3b2afDTmdb2OOT9okj 4XCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=872LZLRA/jW9vxi15anlCqMMjRBZpeIFkNIHv5aF110=; b=ee9MFwb3cGcwrslRjm02PWBqz7RODo2Yf8HO2SVfrxFj40xz7CNf/wCvnWH+OY7if0 LXf4Ym+bYxErHCJqblYrLcRuh6FmBQZRPipHi7qIG7ruWsNRQXBfLA9GoijL6pOpoGdz 1BCf/vcrJ1pJVvezsUUB9cez1zbRFYzsZNewDlqjewbIeOVxcyze8JooW8r87zhCBWji m2PSX7nnPa9e9iO/VhlZ79SZTMAJPkdDwbMK9VK5YuO01ubHZoRs/SOaQZ3blBW21Sk1 jEVwCZIiPPPOzAZ6OeksJ1XF+3mhJ3f69MhbtD3Upb339CK4tdziArmwgVlz8Rt1IKT4 hvJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=i6Wk5N45; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j10si8321982edt.142.2020.12.07.07.38.25; Mon, 07 Dec 2020 07:38:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=i6Wk5N45; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726938AbgLGPfy (ORCPT + 99 others); Mon, 7 Dec 2020 10:35:54 -0500 Received: from mail.kernel.org ([198.145.29.99]:37812 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726239AbgLGPfy (ORCPT ); Mon, 7 Dec 2020 10:35:54 -0500 X-Gm-Message-State: AOAM533XrIsmn8n5miQ06Q+LNPDvQb6p5cehNplzxGU/wXfli1WgUiWx qBQgHNFRBxMwyc4URezRiIHEytp3S7aBeITmRIM= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1607355313; bh=872LZLRA/jW9vxi15anlCqMMjRBZpeIFkNIHv5aF110=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=i6Wk5N45uFz63/jC4GgUpMw4tYNUh6lvjcK5Te+jls87zxUiDZufZ/2EoCEC1yj91 57mHVUVLYJogKSTRW0O689S6iUNI2wCs2zVXqwHf9gS8z6z5ipW4oAVkFkYn6/jtaq yL50ciMXnSMcRgKkqrFs2++nLiAZIUkIc0XgvfbqcCBuvuoqrYI4kOJGyWBwtZQls7 cUKkixOtaGHdd/hMTfkMZlh4H9NsqnIAicKgyGszPtPoVVtiCy64WCTaAtA0pifDCX DmBj9HssHlUd5xj/UIrNLSwKlE7S7yVEiHjuZq3+Ey+03zWviNLHsNU1i1Wej0ljaj yK8gqO1VVFmyQ== X-Received: by 2002:a9d:4042:: with SMTP id o2mr4287710oti.90.1607355312617; Mon, 07 Dec 2020 07:35:12 -0800 (PST) MIME-Version: 1.0 References: <20201105152944.16953-1-ardb@kernel.org> In-Reply-To: From: Ard Biesheuvel Date: Mon, 7 Dec 2020 16:35:01 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] random: avoid arch_get_random_seed_long() when collecting IRQ randomness To: "Jason A. Donenfeld" Cc: Eric Biggers , "Theodore Y. Ts'o" , Linux Kernel Mailing List , Linux ARM , Marc Zyngier , Mark Rutland , Mark Brown , Andre Przywara Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 7 Dec 2020 at 15:28, Jason A. Donenfeld wrote: > > Hi Ard, > > On Tue, Dec 1, 2020 at 1:24 PM Ard Biesheuvel wrote: > > > > > is implemented. In most cases, these are special instructions, but in > > > > > some cases, such as on ARM, we may want to back this using firmware > > > > > calls, which are considerably more expensive. > > This seems fine. But I suppose I'm curious to learn more about what > you have in mind for ARM. We've been assuming that arch_get_random is > not horribly expensive. Usually external RNGs that are horribly > expensive separate hardware take a different route and aren't hooked > into arch_get_random. When you say "we may want to back this using > firmware", does that mean it hasn't happened yet, and you're in a > position to direct the design otherwise? If so, would it be reasonable > to take a different route with that hardware, and keep arch_get_random > for when it's actually implemented by the hardware? Or are there > actually good reasons for keeping it one and the same? > Many older generation ARM SoCs have IP blocks that expose an entropy source of some kind, and map it in the normal world, which is accessible by the OS directly. These are driven as hwrngs via the driver stack, which models them as actual devices, with clock and regulator handling, power management hooks, etc etc. There are multiple examples where such a SoC is being revved up with newer cores etc, and now, the IP block is in the secure world, which means the OS cannot access it directly, and needs to issue an SMC instruction to perform a firmware call to access it. The secure world firmware is now entirely in charge of the hardware, and so this SMC call is really the only thing that goes on in this driver (no clocks, regulators, etc) So to prevent fragmentation, as well as make the entropy source available much earlier in the boot, ARM has issued a firmware spec that unifies these SMC calls, and defines them as non-blocking, i.e., return the requested number of entropy bits, or fail immediately. Therefore, this should not be super expensive, given that the only overhead is the CPU cycles spent on calling into the firmware (and a bit of overhead perhaps from poking some MMIO registers in the IP block). But it is definitely not suitable for being called hundreds of times per second, hence this patch. (Note that we are talking about arch_get_random_seed_long() here, not arch_get_random_long()) > On the other hand, rdrand on intel is getting slower and slower, to > the point where we've removed it from a few places that used to use > it. And I don't see anything terribly wrong with removing the extra > call in this path here. So need be, I'll offer my Reviewed-by. But I > wanted to get an understanding of the fuller story first. > Given that we already have both arch_get_random_seed_long() and arch_get_random_long(), I think it is reasonable for the former to be allowed to be slightly more expensive, and we should only invoke it for the purpose of reseeding a pseudo-RNG. If this occurs on a hot path, there is something terribly wrong already, so I don't think RDRAND/RDSEED performance should be a huge concern here. Note that once this patch lands, we also intend to change the current way the arm64 RNDR and RNDRRS instructions are mapped to arch_get_random_seed_long() and arch_get_random_long(). (RNDR returns 64-bit from a DRBG that reseeds an an implementation defined rate, and RNDRRS does the same but forces a reseed to occur first) Thanks, Ard.