Received: by 2002:a05:7412:bbc7:b0:fc:a2b0:25d7 with SMTP id kh7csp379955rdb; Thu, 1 Feb 2024 11:04:02 -0800 (PST) X-Google-Smtp-Source: AGHT+IGiFZxhGK/lcjI4Ysd4VRDDkobJXruqmE1uUZ0l+B0kxb7jYOhcGxGntDHZX5i/TQP/ToPn X-Received: by 2002:a05:6a00:2e93:b0:6de:1d0b:ae29 with SMTP id fd19-20020a056a002e9300b006de1d0bae29mr6778130pfb.0.1706814242058; Thu, 01 Feb 2024 11:04:02 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706814242; cv=pass; d=google.com; s=arc-20160816; b=MbLLC8VpzS6QwQIby7MPY989500SVkWPnT3VLlttz14qYu/mu8jUw9tqIhpFZtwhkR T2afynnUtZT/smDLd28mjoxqK551ux0gokwrjlKXL7Fdlu7A+EUr6c0/1foedespF92N s/S9i7i/yI91zl+pCxEc3qbHjdOk2VS9sQVE0qsPtWW06uhEU4CeKTiKFQ+wEAod3Eny Umzm1vvO6RI+ubxlngowOo6Q6JAzJ4ukv/oGVPnbg/JByuShV0MfLBRg+gDdtF87HSwE cgH2F/a4Giuihf2exRF3epQA0BaNM3bQR75hvM/aDdqlVX4bfFLG4wYWf20tjLEdxLoa 1ihA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:references:in-reply-to :user-agent:subject:cc:to:from:date:dkim-signature:dkim-filter; bh=kTXZyCcIqsNzCBXtIsoCaFjWy3OW00U35UzSwYcLSMo=; fh=Iew7X/fv2CnqNLwlnY06xJBsdpfPnXhiRFNkkvb4ZFo=; b=PBVYV+oJ6vmH1KFXhapg3+Z/MzxFeS0rFmOBCKKL83Mzn+J164dn6+Pep6dY8SQ2Hy /UY4Youx6+ltawjTIaIdrU/Qbn8Vg19QnFa9iOhLAUob6E91Fbzl2h8CEmGC3Coq2jUT AqD5DqKF7AMqpzbDJM+l8AAYTaJPfcwU2fDDM0QtxagWk3LAbDhuxqFvDZ+HMefkDvYh mtWhszXi/UpRFp6i0xel55N+eCy1hjmNLlJsz4FxXqi+z2Nk2I188VCGI4BlxGxN0lYM 5Q4K/HqJd3qbweU79bvzhaWkVFuy2/n3m1jWhhpoxu/rJcvPEZclFPGoUEzQidyhCLuc +wKg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=fail header.i=@zytor.com header.s=2024011201 header.b=lQuIo6xO; arc=pass (i=1 spf=pass spfdomain=zytor.com dmarc=pass fromdomain=zytor.com); spf=pass (google.com: domain of linux-kernel+bounces-48743-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-48743-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=zytor.com X-Forwarded-Encrypted: i=1; AJvYcCUCc/x6tcJJix7Av+KRv6QZeKLy7ju639QcdXxWbuz80ejF9a5WyH5xK8zl9Kl1g3sa57Phwg2a/ab5dg42O0j7QfZ0hDxBKz0whsKTew== Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id a20-20020a056a000c9400b006dff2e845d7si136721pfv.78.2024.02.01.11.04.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 01 Feb 2024 11:04:02 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-48743-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=fail header.i=@zytor.com header.s=2024011201 header.b=lQuIo6xO; arc=pass (i=1 spf=pass spfdomain=zytor.com dmarc=pass fromdomain=zytor.com); spf=pass (google.com: domain of linux-kernel+bounces-48743-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-48743-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=zytor.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id A32E528E469 for ; Thu, 1 Feb 2024 19:03:19 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 78EFF85265; Thu, 1 Feb 2024 19:03:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=zytor.com header.i=@zytor.com header.b="lQuIo6xO" Received: from mail.zytor.com (terminus.zytor.com [198.137.202.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 045EF84FBF for ; Thu, 1 Feb 2024 19:03:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.137.202.136 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706814196; cv=none; b=SW66uAIuZQf09Gl20NqiR7NdAIWVobJ856Y/kreTLRI9+NMr7lkCjS2pcaxenRNs+mDZ272q5f5k948bEB3Zw2w4XAl80ln1bdUH1oATYNdJxbFb8slDCPPSbmDQ7U91g/RLrSVL26FOHB2SyzNHhNCWH91B/ye5vqtIhBAf1rQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706814196; c=relaxed/simple; bh=/k+B1mAjGbVHW0u2oSbT1r0tPCzVnEoOzFJ/awMko9E=; h=Date:From:To:CC:Subject:In-Reply-To:References:Message-ID: MIME-Version:Content-Type; b=pSYmJri4DJIkmVM43s0PfegqUc0k8r55TsNcnGQLTa3xE/R99fZBk9xzPiqioZDeVD1j+e4A7q2X9TSAlNTjVswa2Q9fCrqAvt12vb8ZEF1kRUykV4PnT0fU28ZaCDDPHNid97SymxbjPAM7NO+JErS+M1BTsbzM5I7GhT6EbGo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=zytor.com; spf=pass smtp.mailfrom=zytor.com; dkim=fail (2048-bit key) header.d=zytor.com header.i=@zytor.com header.b=lQuIo6xO reason="signature verification failed"; arc=none smtp.client-ip=198.137.202.136 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=zytor.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=zytor.com Received: from [127.0.0.1] ([76.133.66.138]) (authenticated bits=0) by mail.zytor.com (8.17.2/8.17.1) with ESMTPSA id 411J2YGs4164724 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Thu, 1 Feb 2024 11:02:35 -0800 DKIM-Filter: OpenDKIM Filter v2.11.0 mail.zytor.com 411J2YGs4164724 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zytor.com; s=2024011201; t=1706814155; bh=kTXZyCcIqsNzCBXtIsoCaFjWy3OW00U35UzSwYcLSMo=; h=Date:From:To:CC:Subject:In-Reply-To:References:From; b=lQuIo6xOi7oNx4tIHkF1PGZbqvLVDtNXhxS0pj5tZMDm2pJ+X+bmBJjabf5/ual1Y WYSqI2jN7dJEyv0ajkY8IwhSEMiJ+r5412GDFUObznHTY9ZTwvpSbBQHOBnmHAAWO8 HiSJf3oFwOkbinYlQ/PqvC/jZfme4xNyeBjQYDGenDBaVJtCMX2+3HAPjmN5oQuRod UJ8V8BCKAnUaQJdw3zUI7KpOMRyw8v9ZgcFvHI6mbARp/7/5QpreEMJUz3t3dxB80p tQf9OE6h8n/dItJvhSYw0MyjmtIePa6aP+EYzLzGVUpghdQ/ywI9+l0xphDlFGpCh0 w+ZhbevD4A9eQ== Date: Thu, 01 Feb 2024 11:02:32 -0800 From: "H. Peter Anvin" To: Dave Hansen , "Jason A. Donenfeld" , "Theodore Ts'o" , "Reshetova, Elena" , Dave Hansen CC: "Kirill A. Shutemov" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "x86@kernel.org" , Kuppuswamy Sathyanarayanan , "Nakajima, Jun" , Tom Lendacky , "Kalra, Ashish" , Sean Christopherson , "linux-coco@lists.linux.dev" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH 1/2] x86/random: Retry on RDSEED failure User-Agent: K-9 Mail for Android In-Reply-To: References: <20240131140756.GB2356784@mit.edu> <20240131171042.GA2371371@mit.edu> <20240201045710.GD2356784@mit.edu> Message-ID: <52A2842D-AC23-4321-B06B-CDA082183862@zytor.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On February 1, 2024 10:46:06 AM PST, Dave Hansen wrote: >On 2/1/24 10:09, Jason A=2E Donenfeld wrote: >> Question ii) Just how DoS-able is RDRAND? From host to guest, where >> the host controls scheduling, that seems easier, but how much so, and >> what's the granularity of these operations, and could retries still >> help, or not at all? What about from guest to guest, where the >> scheduling is out of control; in that case is there a value of N for >> which N retries makes it actually impossible to DoS? What about from >> userspace to kernelspace; good value of N? > >So far, in practice, I haven't seen a single failure of RDRAND=2E It's >been limited to RDSEED=2E In a perfect world, I'd change the architectur= e >docs to say, "RDRAND only fails when the hardware breaks" and leave >RDSEED defined to be the one that fails easily=2E > >Dealing with a fragile RDSEED seems like a much easier problem than >dealing with a fragile RDRAND since RDSEED is used _much_ more sparingly >in the kernel today=2E > >But I'm not sure if the hardware implementations fit into this perfect >world I've conjured up=2E We're going to wrangle up the folks at Intel >who can hopefully tell me if I'm totally deluded=2E > >Has anyone seen RDRAND failures in practice? Or just RDSEED? > >> Question iii) How likely is Intel to actually fix this in a >> satisfactory way (see "specifying this is an interesting question" in >> [1])? And if they would, what would the timeline even be? > >If the fix is pure documentation, it's on the order of months=2E I'm >holding out hope that some kind of anti-DoS claims like you mentioned: > >> Specifying this is an interesting question=2E What exactly might our >> requirements be for a "non-broken" RDRAND? It seems like we have two >> basic ones: >>=20 >> - One VMX (or host) context can't DoS another one=2E >> - Ring 3 can't DoS ring 0=2E > >are still possible on existing hardware, at least for RDRAND=2E The real question is: what do we actually need? During startup, we could afford a *lot* of looping to collect enough entro= py before giving up=2E After that, even if RDSEED fails 99% of the time, it= will still produce far more entropy than a typical external randomness sou= rce=2E We don't want to loop that long, obviously (*), but instead try peri= odically and let the entropy accumulate=2E (*) We *could* of course choose to aggressively loop in task context if th= ere task would otherwise block on /dev/random=2E