From: "Jason A. Donenfeld"
Date: Wed, 2 Feb 2022 13:23:21 +0100
Subject: Re: [PATCH] random: use computational hash for entropy extraction
To: Stephan Mueller
Cc: LKML, Linux Crypto Mailing List, "Theodore Ts'o", Greg Kroah-Hartman, Dominik Brodowski, Jean-Philippe Aumasson
References: <20220201161342.154666-1-Jason@zx2c4.com> <1920812.EuvsCRJjSr@tauon.chronox.de>
In-Reply-To: <1920812.EuvsCRJjSr@tauon.chronox.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Stephan,

It's like this for a few reasons:

- Primarily, we want to feed 32 bytes back in after finalization (in this case as a PRF key), just as the code does before this patch, and return 32 bytes to the caller, and we don't want those to be relatable to each other after the seed is erased from the stack.

- Actually, your statement isn't correct: _extract_entropy is called for 48 bytes at ~boot time, with the extra 16 bytes affecting the block and nonce positions of the chacha state. I'm not sure this is very sensible to do -- it really is not adding anything -- but I'd like to avoid changing multiple things at once, when these are better discussed and done separately. (I have a separate patch for something along those lines.)

- Similarly, I'd like to avoid changing the general idea of what _extract_entropy does (the underscore version has never accounted for entropy counts), deferring anything like that, should it become necessary, to an additional patch, where again it can be discussed separately.

- By deferring the RDRAND addition to the second phase, we avoid a potential compression call while the input pool lock is held, reducing our critical section.

- HKDF-like constructions are well studied and understood in the model we're working in, so it forms a natural and somewhat boring fit for doing what we want to do.

Regards,
Jason
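The two-phase, HKDF-like shape Jason describes above (finalize the pool hash into a seed under the lock, then derive both the 32-byte key fed back into the pool and the bytes handed to the caller from that seed, with RDRAND mixed in only during the second phase) can be modelled outside the kernel. The following is an added example written for this page, not the patch's code: it uses keyed BLAKE2s from Python's hashlib as the PRF, assumes the block layout "rdrand || 8-byte little-endian counter" and the counter values 0 for the next key and 1, 2, ... for output blocks (these details are the example's own choices), and uses constructed pool and RDRAND inputs.

```python
import hashlib

HASH_SIZE = 32  # BLAKE2s digest size; the pool key and every derived block are 32 bytes


def hash_prf(key: bytes, data: bytes, outlen: int = HASH_SIZE) -> bytes:
    """HASHPRF(key, data): keyed BLAKE2s truncated to outlen bytes."""
    return hashlib.blake2s(data, key=key, digest_size=outlen).digest()


def block_input(rdrand: bytes, counter: int) -> bytes:
    """Second-phase PRF input: RDRAND material followed by a counter (assumed layout)."""
    return rdrand + counter.to_bytes(8, "little")


def extract_entropy(pool_key: bytes, pool_input: bytes, nbytes: int,
                    rdrand: bytes = bytes(HASH_SIZE)) -> tuple[bytes, bytes]:
    """
    Model of a two-phase extraction (assumption about the construction, not kernel code).

    Phase 1 (conceptually under the input pool lock, no RDRAND involved):
        seed     = HASHPRF(pool_key, pool_input)        # finalize the pool hash
        next_key = HASHPRF(seed, rdrand || counter=0)   # 32 bytes fed back as the new pool key
    Phase 2 (lock released):
        out_i    = HASHPRF(seed, rdrand || counter=i)   # i = 1, 2, ... until nbytes are produced

    Returns (next_key, output). next_key and output are independent PRF outputs under
    the same seed, so once the seed is wiped neither can be derived from the other.
    """
    # Phase 1: finalize the keyed pool state into the seed.
    seed = hash_prf(pool_key, pool_input)
    next_key = hash_prf(seed, block_input(rdrand, 0))

    # Phase 2: expand the seed into as many 32-byte blocks as the caller asked for.
    # A 48-byte request (the boot-time case mentioned in the email) needs two blocks,
    # the second of which is truncated to 16 bytes.
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        counter += 1
        take = min(HASH_SIZE, nbytes - len(out))
        out += hash_prf(seed, block_input(rdrand, counter), take)

    # The kernel would memzero_explicit() seed and next_key here; Python bytes are
    # immutable, so the erasure step has no faithful equivalent in this model.
    return next_key, bytes(out)


def simulate_reseed_cycle(rounds: int, nbytes: int = 48) -> list[bytes]:
    """Run several extractions, feeding next_key back as the pool key each time."""
    pool_key = b"\x00" * HASH_SIZE                  # constructed initial pool key
    outputs = []
    for i in range(rounds):
        pool_input = f"constructed entropy event {i}".encode()
        rdrand = hashlib.blake2s(f"constructed rdrand {i}".encode()).digest()
        pool_key, out = extract_entropy(pool_key, pool_input, nbytes, rdrand)
        outputs.append(out)
    return outputs


if __name__ == "__main__":
    key, out = extract_entropy(b"\x11" * HASH_SIZE, b"constructed pool input", 48)
    print("next_key:", key.hex())
    print("output  :", out.hex())
```

The point worth checking against the model is structural: the pool lock only has to cover a single finalize and one PRF call, RDRAND never enters the locked phase, and the key returned to the pool and the bytes returned to the caller are separate PRF evaluations under a seed that exists only for the duration of the call.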