From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, Ard Biesheuvel, "Jason A. Donenfeld"
Subject: [PATCH 5.4 047/240] random: avoid superfluous call to RDRAND in CRNG extraction
Date: Mon, 20 Jun 2022 14:49:08 +0200
Message-Id: <20220620124739.458601247@linuxfoundation.org>
In-Reply-To: <20220620124737.799371052@linuxfoundation.org>

From: "Jason A. Donenfeld"

commit 2ee25b6968b1b3c66ffa408de23d023c1bce81cf upstream.

RDRAND is not fast. RDRAND is actually quite slow. We've known this for a while, which is why functions like get_random_u{32,64} were converted to use batching of our ChaCha-based CRNG instead.

Yet CRNG extraction still includes a call to RDRAND, in the hot path of every call to get_random_bytes(), /dev/urandom, and getrandom(2).

This call to RDRAND here seems quite superfluous. CRNG is already extracting things based on a 256-bit key, based on good entropy, which is then reseeded periodically, updated, backtrack-mutated, and so forth. The CRNG extraction construction is something that we're already relying on to be secure and solid. If it's not, that's a serious problem, and it's unlikely that mixing in a measly 32 bits from RDRAND is going to alleviate things.

And in the case where the CRNG doesn't have enough entropy yet, we're already initializing the ChaCha key row with RDRAND in crng_init_try_arch_early().

Removing the call to RDRAND improves performance on an i7-11850H by 370%. In other words, the vast majority of the work done by extract_crng() prior to this commit was devoted to fetching 32 bits of RDRAND.

Reviewed-by: Theodore Ts'o
Acked-by: Ard Biesheuvel
Signed-off-by: Jason A. Donenfeld
Signed-off-by: Greg Kroah-Hartman
--- drivers/char/random.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1024,7 +1024,7 @@ static void crng_reseed(struct crng_stat static void _extract_crng(struct crng_state *crng, __u8 out[CHACHA_BLOCK_SIZE]) { - unsigned long v, flags, init_time; + unsigned long flags, init_time; if (crng_ready()) { init_time = READ_ONCE(crng->init_time); 
@@ -1034,8 +1034,6 @@ static void _extract_crng(struct crng_st &input_pool : NULL); } spin_lock_irqsave(&crng->lock, flags); - if (arch_get_random_long(&v)) - crng->state[14] ^= v; chacha20_block(&crng->state[0], out); if (crng->state[12] == 0) crng->state[13]++;
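Review bot: In the second hunk, once the `arch_get_random_long(&v)` XOR into `crng->state[14]` is dropped, the only per-call state update left in the visible context is the `state[12]`/`state[13]` counter handling after `chacha20_block()`, so the safety argument depends on the commit message's statement that `crng_init_try_arch_early()` already seeds the ChaCha key row with RDRAND. That function does not appear in this diff; for the 5.4 backport, confirm it exists in the tree this patch applies to (or lands earlier in this series) before this change goes in. A short comment above `spin_lock_irqsave(&crng->lock, flags);` stating that architectural randomness is mixed in at init rather than on every extraction would keep a later reader from re-adding the call. The removal of `v` from the declaration in the first hunk is the matching cleanup and needs no change.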