Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp5659229rdb; Sun, 17 Sep 2023 06:48:11 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHGwumqiJhJJRGoIzBfvWNF8xcNu/VnJ2Uip8fH5ZO5xWrSJoW/51gJOGi0Axi2AhZ/WiIy X-Received: by 2002:a17:902:ce85:b0:1bc:5924:2da2 with SMTP id f5-20020a170902ce8500b001bc59242da2mr6146837plg.56.1694958491216; Sun, 17 Sep 2023 06:48:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694958491; cv=none; d=google.com; s=arc-20160816; b=Dg55Qt5RMVWo4cRy0Msq16Ct1FQp87HWH0/6KcbKWHBiX9kv9vDWORxnbJjBh6CVmd TCPa6U4X3AFvAageyueh94c610mN3d7fPjcN5rmMtq8z40gAAcwUKFz9OarUdGrewSH1 uYuQwgmV28ogFr8jLpFXC9kMD6j8z4DciY1dOqoU34SWL5Mxf8f93gMi4z90DIjFq9ju A2thOt0N8m7DM6CHRhAp1/L98t34DgqWva9papLQCRDdCf96D3Tosqrt/9aFDi2V2NTM VYiJjiK4T/KnGCVGUUdj+Li2eTadJKuuew9vOrqkz56XQ0G0QzKpyb0ko+QYGkl+egr9 FZag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id; bh=Pz/YbyTtHnQFJm27G4ExLFdTjuoSK5FER6kh8XHDYT8=; fh=zf2OjjsOMKmPjPbhJVX3JCWVFfRWnIf05AZsfSvuMfc=; b=U9EakBVhG8VGGAVJfhMswJWDJ51/NBiK4D/6oBf9CJb2NmcnCyPJLPYRT2LesqlmTi yIro2S4pcdS62XYw27yHts6Ab+1zrUMf0/4QRzGuOftdtlisHRaeYkPZtAd/1XXuheGp 5B4uYh2aybZihkmhvo4nNj8RL0g/NDxTlFebzJ9TewkDCFjCnntCbvzQ8B3KfscAwVTN FoJMjrc1MxMndtLiqiQkYpthXQGer5vbOAh//Op2Qf8B95P4kHjwqiB/owhGXusdytUS T5Ic0vqwtQ8jqGSMtASKFI6Krh1BRH/pBktNxaUH4kGmn+QeCRN66YcKNBCwTK/wOykq 1WoQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id f2-20020a170902ce8200b001b8a56b9895si6791290plg.616.2023.09.17.06.48.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 17 Sep 2023 06:48:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 29E3F8184E0D; Sun, 17 Sep 2023 06:48:10 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234683AbjIQNmt (ORCPT + 99 others); Sun, 17 Sep 2023 09:42:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52612 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234604AbjIQNm1 (ORCPT ); Sun, 17 Sep 2023 09:42:27 -0400 X-Greylist: delayed 482 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Sun, 17 Sep 2023 06:42:18 PDT Received: from smtp-out3.octopuce.fr (smtp-out3.octopuce.fr [91.194.60.164]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 49E5B131; Sun, 17 Sep 2023 06:42:18 -0700 (PDT) Received: from smtp.ouvaton.coop (smtp.ouvaton.coop [194.36.166.20]) by smtp-out3.octopuce.fr (Postfix) with ESMTPS id 75E804062E; Sun, 17 Sep 2023 15:34:12 +0200 (CEST) Received: from [192.168.0.30] (189.89.89.92.rev.sfr.net [92.89.89.189]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ouvalternc.octopuce.fr (Postfix) with ESMTPSA id EB3D53FDC8; Sun, 17 Sep 2023 15:34:10 +0200 (CEST) Message-ID: <564c9bb6-1e7d-43c3-8dfc-5282ea82305a@droneaud.fr> Date: Sun, 17 Sep 2023 15:34:09 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [RFC PATCH 0/2] Propagating reseed notifications to user space To: Babis Chalios , Olivia Mackall , Herbert Xu , Theodore Ts'o , "Jason A. Donenfeld" , "Michael S. Tsirkin" , Jason Wang , Xuan Zhuo , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org Cc: graf@amazon.de, xmarcalx@amazon.co.uk, aams@amazon.de, dwmw@amazon.co.uk, gregkh@linuxfoundation.org References: <20230823090107.65749-1-bchalios@amazon.es> Content-Language: fr-FR, en-US, en-GB From: Yann Droneaud In-Reply-To: <20230823090107.65749-1-bchalios@amazon.es> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Sun, 17 Sep 2023 06:48:10 -0700 (PDT) Hi, Le 23/08/2023 à 11:01, Babis Chalios a écrit : > User space often implements PRNGs that use /dev/random as entropy > source. We can not expect that this randomness sources stay completely > unknown forever. For various reasons, the originating PRNG seed may > become known at which point the PRNG becomes insecure for further random > number generation. Events that can lead to that are for example fast > computers reversing the PRNG function using a number of inputs or > Virtual Machine clones which carry seed values into their clones. > > During LPC 2022 Jason, Alex, Michael and me brainstormed on how to > atomically expose a notification to user space that it should reseed. > Atomicity is key for the VM clone case. This patchset implements a > potential path to do so. > > This patchset introduces an epoch value as the means of communicating to > the guest the need to reseed. The epoch is a 32bit value with the > following form: > > RNG epoch > *-------------*---------------------* > | notifier id | epoch counter value | > *-------------*---------------------* > 8 bits 24 bits > > Changes in this value signal moments in time that PRNGs need to be > re-seeded. As a result, the intended use of the epoch from user space > PRNGs is to cache the epoch value every time they reseed using kernel > entropy, then control that its value hasn't changed before giving out > random numbers. If the value has changed the PRNG needs to reseed before > producing any more random bits. > > The API for getting hold of this value is offered through > /dev/(u)random. We introduce a new ioctl for these devices, which > creates an anonymous file descriptor. User processes can call the > ioctl() to get the anon fd and then mmap it to a single page. That page > contains the value of the epoch at offset 0. > > Naturally, random.c is the component that maintains the RNG epoch. > During initialization it allocates a single global page which holds the > epoch value. Moreover, it exposes an API to kernel subsystems > (notifiers) which can report events that require PRNG reseeding. > Notifiers register with random.c and receive an 8-bit notifier id (up to > 256 subscribers should be enough) and a pointer to the epoch. Notifying, > then, is equivalent to writing in the epoch address a new epoch value. > > Notifiers write epoch values that include the notifier ID on the higher > 8 bits and increasing counter values on the 24 remaining bits. This > guarantees that two notifiers cannot ever write the same epoch value, > since notificator IDs are unique. > > The first patch of this series implements the epoch mechanism. It adds > the logic in the random.c to maintain the epoch page and expose the > user space facing API. It also adds the internal API that allows kernel > systems to register as notifiers. From userspace point of view, having to open /dev/random, ioctl, and mmap() is a no-go for a (CS)PRNG embedded in libc for arc4random(). I'm biased, as I proposed to expose such seed epoch value to userspace through getrandom() directly, relying on vDSO for reasonable performances, because current's glibc arc4random() is somewhat to slow to be a general replacement rand(). See https://lore.kernel.org/all/cover.1673539719.git.ydroneaud@opteya.com/ https://lore.kernel.org/all/ae35afa5b824dc76c5ded98efcabc117e6dd3d70@opteya.com/ Reards. -- Yann Droneaud