Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp63528rwb; Fri, 13 Jan 2023 19:09:49 -0800 (PST) X-Google-Smtp-Source: AMrXdXstKCG1uRGR24qj83Erem0vZTWC0owQwWVMln8tZexGqZZ1BL8ehWnyJGbaiKa9n1RIDaCZ X-Received: by 2002:a17:90a:9f94:b0:228:eeee:a42 with SMTP id o20-20020a17090a9f9400b00228eeee0a42mr11487460pjp.34.1673665788897; Fri, 13 Jan 2023 19:09:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673665788; cv=none; d=google.com; s=arc-20160816; b=gWODFI9mFY42JAv6ZpuOZPQeCWUe8W9iimhYlmTWQFPCR46sM7VBGOOSyY2Xd8OTmd r8toM5EmfcW60BMZzIPqDVr2Xc+Vnk26h1XIetkrNs+xm+eo6oI7Ij5R80Z4ocmhtlsW 18sbvxftodYOz3EH4PmVzesuIy1GjovQyUUWcJpmJSA9NYT/mzfez1rsXnEMSWz62qVs nMLt9YV2y7JsG80mkuHvAzb8VfvMMeZqxsKZRUXJSDTlV9Jxb4Y8MgZ+pSj2jgUwwcmB sa17PWJEttAPhkTXVn3SfU9IYWgp7Eb1sHmxi8DYmN1Co9qNp95RPlfHlZICxUdKsmtY YgXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature:dkim-filter; bh=GqQouhlORIoyM6JNxn/mN7mkG20++JcJpilzWzqGmow=; b=ThJ7eimWGeQoLOEzpfm32KpS5gQbuRaS7k8f/yTwF0/b+wSoqlos+TpfkQd8eTv8IX MZwBwYpBYV7zTcKSIc9mm7c6b4rq9pHATu8+ftk5fHVnYC/GwpXxzVRddAehwi/PD2vX rC2DCo6D1hf4hpF2DiTZLKRXgv3JmeHjg7k4rPoBvKmvuSFD8lvlrTWmd+NTd4KVvOko PEWfYY4F93lnjX6fjPuZLnvDhn75Kot6y6UMnu3r8UhvPhVgRkRMRWvogtkUXLk0DnxD mbl+j0BpUcCB0+DDOWf8cMPtTbZeBWIv5aWvtsTP9MZcF8HBzyTrnLAnUItVFusvprIq R7gw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zytor.com header.s=2023010601 header.b=S43FZltO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zytor.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id pf7-20020a17090b1d8700b0022901282df8si7352629pjb.129.2023.01.13.19.09.42; Fri, 13 Jan 2023 19:09:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@zytor.com header.s=2023010601 header.b=S43FZltO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zytor.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231166AbjANCKx (ORCPT + 53 others); Fri, 13 Jan 2023 21:10:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43394 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229570AbjANCKu (ORCPT ); Fri, 13 Jan 2023 21:10:50 -0500 Received: from mail.zytor.com (unknown [IPv6:2607:7c80:54:3::138]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 062948B769 for ; Fri, 13 Jan 2023 18:10:49 -0800 (PST) Received: from [IPV6:2601:646:8600:40c1:5967:deb4:a714:2940] ([IPv6:2601:646:8600:40c1:5967:deb4:a714:2940]) (authenticated bits=0) by mail.zytor.com (8.17.1/8.17.1) with ESMTPSA id 30E2AEij2810940 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Fri, 13 Jan 2023 18:10:15 -0800 DKIM-Filter: OpenDKIM Filter v2.11.0 mail.zytor.com 30E2AEij2810940 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zytor.com; s=2023010601; t=1673662217; bh=GqQouhlORIoyM6JNxn/mN7mkG20++JcJpilzWzqGmow=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=S43FZltOLHSxFBy5O44fVMS2oNCKSGKsbGYnaN+U3str1tOvDcStm0HwpiEAK4OTd sMwvReeJDRR7/8fTKraPZy5KGOeX9ayYp8RDObRvyAfLd0lHKlozC5ijdjflJByYIL aWuY1ksgv+TvEuJs9tUKszRzYUgvmRhLnLSQXSErkGFpcOE6QA/GtA5CbBFOupjokX azI1+wm7hHyl8h87Rdt2MiB2uNULKcjrXBKevbq4U2SrHghbAlct3FdE5Ft6mvulN/ FljJgEZGZ74YoZEXDN93I1ktGEZ8Bf4bJbcqRa2m6t4hjIWLemSMtoYD3gqIoG4ifD p3kDNr1YS/HGw== Message-ID: <9fc36447-5534-b93a-98d2-0999820c0def@zytor.com> Date: Fri, 13 Jan 2023 18:10:09 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0 Subject: Re: [PATCH v4 3/3] x86 mm, x86 architecture (32-bit and 64-bit): arch/x86/mm/kaslr.c: Adds 64bits version of prandom_seed_state Content-Language: en-US To: david.keisarschm@mail.huji.ac.il, linux-kernel@vger.kernel.org, Dave Hansen , Andy Lutomirski , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org Cc: Jason@zx2c4.com, keescook@chromium.org, aksecurity@gmail.com, ilay.bahat1@gmail.com References: <295dceed7bef2391f86e751b9bfc9a34347062e4.1673470326.git.david.keisarschm@mail.huji.ac.il> From: "H. Peter Anvin" In-Reply-To: <295dceed7bef2391f86e751b9bfc9a34347062e4.1673470326.git.david.keisarschm@mail.huji.ac.il> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,SPF_HELO_PASS, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/13/23 13:39, david.keisarschm@mail.huji.ac.il wrote: > +{ > + u32 i = ((seed >> 32) ^ (seed << 10) ^ seed) & 0xffffffffUL; > + // To take advantage of all 64 bits of the seed > + u32 j = ((seed>>32) ^ (seed<<10)) & 0xffffffffUL; The and operation here is pointless. You are implicitly casting to u32. Even if you had to mask explicitly, (u32) would be a lot more clear than a hard-to-read constant. > + state->s1 = __seed(i, 2U); > + state->s2 = __seed(j, 8U); > + /* Ensure no obvious linear relation with the previous states */ > + state->s3 = __seed(next_pseudo_random32(i+j), 16U); > + state->s4 = __seed(next_pseudo_random32(j-((i>>16)^(i<<16))), 128U); > + > + /* Calling RNG ten times to satisfy recurrence condition */ > + prandom_u32_state(state); > + prandom_u32_state(state); > + prandom_u32_state(state); > + prandom_u32_state(state); > + prandom_u32_state(state); > + prandom_u32_state(state); > + prandom_u32_state(state); > + prandom_u32_state(state); > + prandom_u32_state(state); > + prandom_u32_state(state); > +} What recurrence relation is that? This looks like you are just trying to re-invoke prandom_warmup(), but for heaven's sake, don't open-code it! In fact, it seems you are just hacking an alternate version of prandom_seed_full_state(). Why not just change prandom_seed_full_state() if that is motivated? (You may need to factor out the iteration over all CPUs.) Honestly, I'm not a super expert in PRNGs, but this seems both slow (the *only* motivation for prandom_u32() is to be fast) and pointless. If we are relying on this for security, we should be using something that is actually cryptographic; especially since this is only invoked on boot, which is where entropy is maximally scarce and PRNGs maximally vulnerable due to being close to their seed state. Additionally, in terms of creating performant mixing functions, one thing that comes to mind is the circular multiply: static inline u32 circular_multiply(u32 a, u32 b) { u64 m = (u64)a * b; return m + (m >> 32); } On x86, this is two instructions, even on 32 bits. One can use ^ instead of + to make it a bit less algebraic, but I don't know for sure that that is a net improvement. -hpa