Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp1795073rdb; Wed, 31 Jan 2024 09:12:58 -0800 (PST) X-Google-Smtp-Source: AGHT+IEheYqQN2WstIczWYRD3/Q0GQPb46V1bDktD0EhmoccfY+/mGNVXEjHL56bRzuZGUwYgIZh X-Received: by 2002:a05:622a:302:b0:42b:edf6:cf17 with SMTP id q2-20020a05622a030200b0042bedf6cf17mr1728244qtw.42.1706721178014; Wed, 31 Jan 2024 09:12:58 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706721178; cv=pass; d=google.com; s=arc-20160816; b=CYJABmufYq/NLW9ccgGK8bEQljYTQUZTAidXL+LmEh2YucGOW+e6a6+xLyXdxVRJeW MApReyFU7B4Rll1OVgiDsNC8HoFVzW/9l4/f/yPWxr0oI/SVCCEvPI/6gHViORxMpF56 hnSx7B69R/ruWunQbDgGcYU7hLFd8ElYVkeG003Y2RdZZDdv+5ugekHgvV9U/HFa9nVa ldnc0lIJGhver2uoVRnYK4u9V2DKgU6PESR3Uwl4urAaiig8sYqOC1rl164adDD4grnt r5MP9ZAuSLQ1DMQiYkBCBEC6DM5HRUEQXmZVM31rMWHtDdCjo/eokRxHIssWeiVptAoj vZ0g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=c1wII69E6ZxWvvPsnKwrgulp70ifnQl9OU32+K8hAVk=; fh=JhELOedBg3s6kg9/X9l2SvmXWhBzOHMXovg2OlpMpp0=; b=fx1fULKXMUkyePonGfG1E5ZOdIsPj/mkDObaZhgEqmLOhc+qLiDgcjddQKmRiPj+/2 n8luV6Tz3wZiyawKvdHaU4XC05FxTOPFJfvfmrafa99C6BoazWHGORTAbW33s8L/MwRO eA+kApDc/kMBUvw+IF3uV4ssP/PY9GKUrRX6GIK6uQBkkW1++tNdCKCqCQb4B3sCeKyd 9vm16DLOYtle05jfEt6VvggJIFAebHyejkQtbqsRGW1l97oPxJU8M3T0DwhaenQQggEq cdlmuNs13Pjz+eW6IvgXX6b7F5NycfnN83Qax0F0JzHHkhtchWgK1+IUAtdlXcZaUfG1 hblw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@mit.edu header.s=outgoing header.b=giYx9HtT; arc=pass (i=1 spf=pass spfdomain=mit.edu dkim=pass dkdomain=mit.edu dmarc=pass fromdomain=mit.edu); spf=pass (google.com: domain of linux-kernel+bounces-46881-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-46881-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mit.edu X-Forwarded-Encrypted: i=1; AJvYcCUILuOskYKyRHaH5YJj8eEKyA9lr7EFVh0ZQhyH9pdhjWHrJdfsdr47LJA1weDSFhrKI8qUrOyZeJcrFi+9Hy6eLGKcRXFIm2ulxGMrVw== Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id j16-20020a05622a039000b0042977025f45si12433341qtx.551.2024.01.31.09.12.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Jan 2024 09:12:58 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-46881-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@mit.edu header.s=outgoing header.b=giYx9HtT; arc=pass (i=1 spf=pass spfdomain=mit.edu dkim=pass dkdomain=mit.edu dmarc=pass fromdomain=mit.edu); spf=pass (google.com: domain of linux-kernel+bounces-46881-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-46881-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id C00DD1C21635 for ; Wed, 31 Jan 2024 17:12:57 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8D48812DDBD; Wed, 31 Jan 2024 17:11:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=mit.edu header.i=@mit.edu header.b="giYx9HtT" Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C484C12DD99 for ; Wed, 31 Jan 2024 17:11:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=18.9.28.11 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706721087; cv=none; b=l3WsmIx3lYGkFSYd/uaeDe103gh1+F+pG0flcTEjW8oCkhzlBGdWEJ2fmbzZu44yjT2noW0ynISnc/Z7rcGaISr5YeoDEDlJoODHI1S7SGHjpYZyS0sXeLX2pBwCSjAAlKVSAE49XhQELz12vXfYNnMelbSAd/PwGyM60WweYtA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706721087; c=relaxed/simple; bh=tozDlWWoHJlBWRSsavVjeW3OOgiv9gnUfCqGWWzjZro=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=MYFui5Ax4MxDJnOq+2Z7yJnuTpH/QET7XF/EOy9tSnqUNj3Bi02nNU6BJRZgohB4p2Xhbvk9b8zFsLyP/XimAHwOjlo0SyLmRQRFprLiKPG1UeF9vykF9XoTz7yNSRKajL/r0xe9YRyxsaxopqkO0jGuBZSOYRX5bahb+S7caCE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mit.edu; spf=pass smtp.mailfrom=mit.edu; dkim=pass (2048-bit key) header.d=mit.edu header.i=@mit.edu header.b=giYx9HtT; arc=none smtp.client-ip=18.9.28.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mit.edu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mit.edu Received: from cwcc.thunk.org (pool-173-48-116-252.bstnma.fios.verizon.net [173.48.116.252]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 40VHAgLW030230 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 31 Jan 2024 12:10:43 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1706721048; bh=c1wII69E6ZxWvvPsnKwrgulp70ifnQl9OU32+K8hAVk=; h=Date:From:Subject:Message-ID:MIME-Version:Content-Type; b=giYx9HtT83tHpzmgsba5unHIRE0RvVcYbR2/jWs5DgCz3JJ4tl/Q+9vjp3vcO0rcH fVqZvhx0TzkguaoAhZt7Oi4EDw19LBSYEgrCKrRXSMxj+1C3qnjdqYAJmjh7ek83P4 ctMvyfUM8hS32E5UK1jxOowr3Io9+jH9qtVj3142mDoUtapfv2wVuFaz2a4w4qHuJE SA+NRtIiLDaYiCQ8bHL2krvVJcdWWaIezNb9xpshoS12IRUbdv0tS2EusU9wDbBS4x noS/DRV0pkKaEvgxv4BarmWz8+0te1TF2nSQ2g/dHN3h7bBMJI6N6iOzhS1Vd1nlou iIQDb4rG3W4bQ== Received: by cwcc.thunk.org (Postfix, from userid 15806) id 0C01215C0667; Wed, 31 Jan 2024 12:10:42 -0500 (EST) Date: Wed, 31 Jan 2024 12:10:42 -0500 From: "Theodore Ts'o" To: "Jason A. Donenfeld" Cc: "Reshetova, Elena" , "Kirill A. Shutemov" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , "x86@kernel.org" , Kuppuswamy Sathyanarayanan , "Nakajima, Jun" , Tom Lendacky , "Kalra, Ashish" , Sean Christopherson , "linux-coco@lists.linux.dev" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH 1/2] x86/random: Retry on RDSEED failure Message-ID: <20240131171042.GA2371371@mit.edu> References: <20240131140756.GB2356784@mit.edu> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Wed, Jan 31, 2024 at 03:45:06PM +0100, Jason A. Donenfeld wrote: > On Wed, Jan 31, 2024 at 09:07:56AM -0500, Theodore Ts'o wrote: > > What about simply treating boot-time initialization of the /dev/random > > state as special. That is, on x86, if the hardware promises that > > RDSEED or RDRAND is available, we use them to initialization our RNG > > state at boot. On bare metal, there can't be anyone else trying to > > exhaust the on-chip RNG's entropy supply, so if RDSEED or RDRAND > > aren't working available --- panic, since the hardware is clearly > > busted. > > This is the first thing I suggested here: https://lore.kernel.org/all/CAHmME9qsfOdOEHHw_MOBmt6YAtncbbqP9LPK2dRjuOp1CrHzRA@mail.gmail.com/ > > But Elena found this dissatisfying because we still can't guarantee new > material later. Right, but this is good enough that modulo in-kernel RNG state compromise, or the ability to attack the underlying cryptographic primitives (in which case we have much bigger vulnerabilities than this largely theoretical one), even if we don't have new material later, the in-kernel RNG for the CC VM should be sufficiently trustworthy for government work. > Yea, maybe bubbling the RDRAND DoS up to another DoS in the CoCo case is > a good tradeoff that will produce the right pitchforkers without > breaking anything real. - Ted