Date: Wed, 14 Feb 2024 18:21:51 +0100
From: "Jason A. Donenfeld"
To: "Reshetova, Elena"
Cc: Theodore Ts'o, Dave Hansen, "Kirill A. Shutemov", Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", "x86@kernel.org", Kuppuswamy Sathyanarayanan, "Nakajima, Jun", Tom Lendacky, "Kalra, Ashish", Sean Christopherson, "linux-coco@lists.linux.dev", "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH 1/2] x86/random: Retry on RDSEED failure

Hi Elena,

On Wed, Feb 14, 2024 at 4:18 PM Reshetova, Elena wrote:
> "The RdRand in a non-defective device is designed to be faster than the bus,
> so when a core accesses the output from the DRNG, it will always get a
> random number.
> As a result, it is hard to envision a scenario where the RdRand, on a fully
> functional device, will underflow.
> The carry flag after RdRand signals an underflow so in the case of a defective chip,
> this will prevent the code thinking it has a random number when it does not.

That's really great news, especially combined with a very similar
statement from Borislav about AMD chips:

On Fri, Feb 9, 2024 at 10:45 PM Borislav Petkov wrote:
> Yeah, I know exactly what you mean and I won't go into details for
> obvious reasons. Two things:
>
> * Starting with Zen3, provided properly configured hw RDRAND will never
> fail. It is also fair when feeding the different contexts.

I assume that this faster-than-the-bus-ness also takes into account the
various accesses required to even switch contexts when scheduling VMs,
so your proposed host-guest scheduling attack can't really happen
either. Correct?

One clarifying question in all of this: what is the point of the "try 10
times" advice? Is the "faster than the bus" statement actually "faster
than the bus if you try 10 times"? Or is the "10 times" advice just old
and not relevant?

In other words, is the following a reasonable patch?

diff --git a/arch/x86/include/asm/archrandom.h b/arch/x86/include/asm/archrandom.h index 02bae8e0758b..2d5bf5aa9774 100644 --- a/arch/x86/include/asm/archrandom.h +++ b/arch/x86/include/asm/archrandom.h @@ -13,22 +13,16 @@ #include #include -#define RDRAND_RETRY_LOOPS 10 - /* Unconditional execution of RDRAND and RDSEED */ static inline bool __must_check rdrand_long(unsigned long *v) { bool ok; - unsigned int retry = RDRAND_RETRY_LOOPS; - do { - asm volatile("rdrand %[out]" - CC_SET(c) - : CC_OUT(c) (ok), [out] "=r" (*v)); - if (ok) - return true; - } while (--retry); - return false; + asm volatile("rdrand %[out]" + CC_SET(c) + : CC_OUT(c) (ok), [out] "=r" (*v)); + WARN_ON(!ok); + return ok; } static inline bool __must_check rdseed_long(unsigned long *v)

(As for the RDSEED clarification, that also matches Borislav's reply, is
what we expected and knew experimentally, and doesn't really have any
bearing on Linux's RNG or this discussion, since RDRAND is all we need
anyway.)

Regards,
Jason
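
Review bot: WARN_ON(!ok) in rdrand_long() fires on every call that comes back with the carry flag clear, so a part that does underflow would flood the log with backtraces, and on a system booted with panic_on_warn the first failure panics the machine instead of returning false to the __must_check callers that already handle it. Consider WARN_ON_ONCE(!ok), and state in the commit message that removing RDRAND_RETRY_LOOPS rests on the vendors confirming the "try 10 times" guidance is obsolete, since any caller that relied on the retries now gets a single attempt.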