Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CEFEDC05027 for ; Tue, 14 Feb 2023 04:54:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230127AbjBNEy6 (ORCPT ); Mon, 13 Feb 2023 23:54:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60742 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229597AbjBNEy5 (ORCPT ); Mon, 13 Feb 2023 23:54:57 -0500 Received: from angie.orcam.me.uk (angie.orcam.me.uk [IPv6:2001:4190:8020::34]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2F884B443 for ; Mon, 13 Feb 2023 20:54:56 -0800 (PST) Received: by angie.orcam.me.uk (Postfix, from userid 500) id 5E71392009C; Tue, 14 Feb 2023 05:54:53 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by angie.orcam.me.uk (Postfix) with ESMTP id 50C2B92009B; Tue, 14 Feb 2023 04:54:53 +0000 (GMT) Date: Tue, 14 Feb 2023 04:54:53 +0000 (GMT) From: "Maciej W. Rozycki" To: Thomas Gleixner cc: Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , "Jason A. Donenfeld" , Kees Cook , x86@kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PING][PATCH v3] x86: Use `get_random_u8' for kernel stack offset randomization In-Reply-To: <877cwltmno.ffs@tglx> Message-ID: References: <877cwltmno.ffs@tglx> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 13 Feb 2023, Thomas Gleixner wrote: > >> For x86 kernel stack offset randomization uses the RDTSC instruction, > >> which according to H. Peter Anvin is not a secure source of entropy: > >> > >> "RDTSC isn't a super fast instruction either, but what is *way* more > >> significant is that this use of RDTSC is NOT safe: in certain power states > >> it may very well be that stone number of lower bits of TSC contain no > >> entropy at all." > > > > Ping for: > > . > > I'm waiting for you to address Peter Anvins feedback. Do you mean this part: On Tue, 31 Jan 2023, H. Peter Anvin wrote: > Well, what I said was that masking out the low bits of TSC is not a valid use to > extract a random(-ish) number this way, because the lower bits may be affected > by quantization. Something like a circular multiply using a large prime with a > good 0:1 balance can be used to mitigate that. > > However, the second part is that subsequent RDTSCs will be highly correlated, > and so a CSPRNG is needed if you are actually trying to get reasonable security > this way – and, well, we already have one of those. ? Well, I inferred, perhaps incorrectly, from the second paragraph that Peter agrees with my approach (with the CSPRNG being what `get_random_u8' and friends get at). > You also cite him > w/o providing a link to the conversation, so any context is missing. Sorry about that. I put the change heading for the previous iterations in the change log, but I agree actual web links would've been better: , . Please let me know if you need anything else. Thank you for your review. Maciej