References: <20230416172323.13278-1-david.keisarschm@mail.huji.ac.il>
From: David Keisar Schm
Date: Sun, 23 Apr 2023 10:30:24 +0300
Subject: Re: [PATCH v6 3/3] arch/x86/mm/kaslr: use siphash instead of prandom_bytes_state
To: "Jason A. Donenfeld"
Cc: linux-kernel@vger.kernel.org, Dave Hansen, Andy Lutomirski, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org, "H. Peter Anvin", keescook@chromium.org, ilay.bahat1@gmail.com, aksecurity@gmail.com

On Sun, Apr 16, 2023 at 8:26 PM Jason A. Donenfeld wrote:
>
> On 4/16/23, david.keisarschm@mail.huji.ac.il wrote:
> > From: David Keisar Schmidt
> >
> > However, the seeding here is done by calling prandom_seed_state,
> > which effectively uses only 32bits of the seed, which means that
> > observing ONE region's offset (say 30 bits) can provide the attacker
> > with 2 possible seeds (from which the attacker can calculate the
> > remaining two regions)
> >
> > In order to fix it, we have replaced the two invocations of
> > prandom_bytes_state and prandom_seed_state
> > with siphash, which is considered more secure.
> > Besides, the original code used the same pseudo-random number in
> > every iteration, so to add some additional randomization
> > we call siphash every iteration, hashing the iteration index with the
> > described key.
> >
> >
>
> Nack. Please don't add bespoke new RNG constructions willy nilly. I
> just spent a while cleaning this kind of thing up.

Hi Jason,

Thank you for reviewing our revised patch. We appreciate your concern regarding the use of custom RNG constructions, and we understand the potential issues that could arise from doing so.

However, we wanted to clarify that our intention was to use a deterministic PRNG that meets Kees Cook's requirements for debugging and performance analysis purposes.

We also acknowledge that using a custom RNG could introduce additional risks, and we're open to exploring alternative solutions that meet our requirements. If you have any suggestions for a more secure and deterministic RNG, we'd be happy to hear them and implement them.
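
Added example, not part of the original message or of the kernel tree: a user-space C model of the seeding behaviour the quoted commit message describes, where a 64-bit seed is folded to 32 bits so that distinct seeds produce identical output streams. The fold and the Tausworthe step are modelled on the kernel's prandom_seed_state and prandom_u32_state; the names fold_seed, seed_min, model_seed_state, model_u32_state, colliding_seed and same_stream, and the sample seed, are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model; struct and function names here are hypothetical. */
struct rnd_state { uint32_t s1, s2, s3, s4; };
#define TAUSWORTHE(s, a, b, c, d) ((((s) & (c)) << (d)) ^ ((((s) << (a)) ^ (s)) >> (b)))

/* The 64-bit seed is folded to 32 bits, modelled on prandom_seed_state(). */
static uint32_t fold_seed(uint64_t seed) { return (uint32_t)((seed >> 32) ^ (seed << 10) ^ seed); }
static uint32_t seed_min(uint32_t x, uint32_t m) { return x < m ? x + m : x; }
static void model_seed_state(struct rnd_state *st, uint64_t seed)
{
    uint32_t i = fold_seed(seed); /* all four state words come from these 32 bits */
    st->s1 = seed_min(i, 2U);
    st->s2 = seed_min(i, 8U);
    st->s3 = seed_min(i, 16U);
    st->s4 = seed_min(i, 128U);
}

/* One Tausworthe step, modelled on prandom_u32_state(). */
static uint32_t model_u32_state(struct rnd_state *st)
{
    st->s1 = TAUSWORTHE(st->s1, 6U, 13U, 4294967294U, 18U);
    st->s2 = TAUSWORTHE(st->s2, 2U, 27U, 4294967288U, 2U);
    st->s3 = TAUSWORTHE(st->s3, 13U, 21U, 4294967280U, 7U);
    st->s4 = TAUSWORTHE(st->s4, 3U, 12U, 4294967168U, 13U);
    return st->s1 ^ st->s2 ^ st->s3 ^ st->s4;
}

/* A different 64-bit seed with the same fold: high word = fold, low word = 0. */
static uint64_t colliding_seed(uint64_t seed) { return (uint64_t)fold_seed(seed) << 32; }
/* Returns 1 if seeds a and b give the same first n outputs, else 0. */
static int same_stream(uint64_t a, uint64_t b, int n)
{
    struct rnd_state x, y;
    model_seed_state(&x, a);
    model_seed_state(&y, b);
    for (int k = 0; k < n; k++)
        if (model_u32_state(&x) != model_u32_state(&y))
            return 0;
    return 1;
}

int main(void)
{
    uint64_t a = 0x0123456789abcdefULL, b = colliding_seed(a); /* constructed sample seed */
    printf("same stream: %d\n", same_stream(a, b, 64));
    return 0;
}
```

Because the whole generator state is a function of the 32-bit fold, the number of distinct streams is bounded by 2^32 regardless of how much entropy the 64-bit seed carried.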