Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp27793rdb; Wed, 14 Feb 2024 11:32:58 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXnBh7JZWr4hqsoc03QcJmGyajZ2V4P+vhmkm8kfeOa91CHF8YdorlFso/OFMh5F1EMddXiNaPpAqbsk1uaxyPyvERc07nrPm5UrN/V4w== X-Google-Smtp-Source: AGHT+IHF2sSTASp5LpHwdONre+/U9GHfAjv753noVhI4Yfn9ruaoc6MRNSBu0JsanqLu6Bzbdd36 X-Received: by 2002:a05:6808:3c47:b0:3c0:38d4:cd81 with SMTP id gl7-20020a0568083c4700b003c038d4cd81mr5201403oib.41.1707939177664; Wed, 14 Feb 2024 11:32:57 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1707939177; cv=pass; d=google.com; s=arc-20160816; b=Gds+vYd9hOUTttLRO8JMNzJSN8hdDQMnuIREPF8UWkhpRHWBD+xqKihWJU6R5G8VKH BNtKOgSvmDHZveaP8BtG2awc7YZEe+ABNU9ikenxTwxSWOCcJXEVfSvAdqwIK3mEPz+a yptKRMSbGlHXc9dGQg+cIRLE/Rx6ecLYYAsuAxsyDQz9/UqQ+sZ70HtsP4RR8gzCiAxq f5z+xcHVk/7Lf89Z//UO4rhfioA4LYW70BZD/UYTECbliKD5FajIqAALvVeNLofLNO5z c9FnJY61lc2+e/SJBQoLGzJKydBProN28VylnnRcbbiUsJaVE75Tl+GdBfy/xmxXjOrK 4LEg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=rwgrX1+QxYG9gCbE66T01ZHvAMhNVdg0g1e0DyMk9OY=; fh=qcNxzG3vTAwNkW5fkqKB12qa0AUPoVW7hnRSVfSnIuA=; b=P5Y956OO6D38KwKI6/VPzMa0kRwfXCOuwFGliSApCOD3NDloosLtLsRce373IHwbF2 cqJxFyYsQ8Y6NP7Hf/KKuRd8wB8k6g0cYZW//rOojvZmxbUO5Ltj/KWau1aZW6jR9o2Z S9uL7Gcx+4vs+6Oh8EndDsPwQArPxgtMV73OTEP1HTpeSuCQKly2uLNn56mgOE6G16N0 XixeAFZjr6ZCWwvStfUDzPR/nqSp6OIamsxoJ18HgiNdposTJOgb4LIq6H4VFWzLGgqY ZpiS9lErxo85xcnL3UkV9OI+thcuwnpryh+qKpiCD3IR3wNMWVDHYpWxjhi5tUnBGNwG z4KA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=gsNuB3Ux; arc=pass (i=1 dkim=pass dkdomain=zx2c4.com); spf=pass (google.com: domain of linux-kernel+bounces-65882-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-65882-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com X-Forwarded-Encrypted: i=2; AJvYcCVmwv5MHuCwTnBcOGv1M9gaPW+lSEQ6x/kVOuZ4AI7saFGYPybuUkaXYDzJOU6rrKrQ9cZ9c3hGYoowmYJquO/3eudm7KEbgebJhe7Qpg== Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id 10-20020a056214202a00b0068c7a7ed57csi6219950qvf.540.2024.02.14.11.32.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Feb 2024 11:32:57 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-65882-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=gsNuB3Ux; arc=pass (i=1 dkim=pass dkdomain=zx2c4.com); spf=pass (google.com: domain of linux-kernel+bounces-65882-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-65882-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 68BE61C226DD for ; Wed, 14 Feb 2024 19:32:57 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8E40113B793; Wed, 14 Feb 2024 19:32:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="gsNuB3Ux" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 557011E4B7; Wed, 14 Feb 2024 19:32:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707939169; cv=none; b=nMF6/sK4d7+9tFC+D3JdQoxtuhMUVg7PCSbn/JOMAgGGBkGpX8jTdi0TY/75LKjHZxPYg5KFrl0i4wT6K7v18vYhRLMErfZ8ZDvuTeFaTpnso13BiP1W0vd/TxuXOVs21SiUSYUAdOuW6S89ZyUlXkLYXip9cblb/DsCr2yKg1c= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707939169; c=relaxed/simple; bh=g7FzNbsA7kaLt5NE4kJFxAnSgJBqlSpYvd11O517SGQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=i1t0NDDoo7kDHHqeSMK4fNLZ/epB9+ff5QvRbyuufXo1MfoZ1x2jtGSYPE8IKTV9aN9KvCNh5ztvtV6COfpFpOsDs54rle3OT7EvlKb0gGiwZsKmN+wYTSTpjaOgI0uQQ1dwKh8pgmtg+AAOuhCjg+NUyZt2IoIlUM8/n8W4Wyo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b=gsNuB3Ux; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3B3D9C433F1; Wed, 14 Feb 2024 19:32:47 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="gsNuB3Ux" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1707939165; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rwgrX1+QxYG9gCbE66T01ZHvAMhNVdg0g1e0DyMk9OY=; b=gsNuB3Uxyj/QmmpzZFlyW+ETrhX7nkRGAS+QN7k2uqd2o8wxP+Jtn40lfWYkcmoPE8YNb5 CIT7+Sw/xspMUNUN/ZZy11ej4EFHmFvFYIM6md2H5rhoQdPSFhzCBQ/TvNnjFiQAK657ZS 2lqGzzII36M7lMZfBxqzk6T75+Q1XNE= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id d00ca391 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Wed, 14 Feb 2024 19:32:44 +0000 (UTC) Date: Wed, 14 Feb 2024 20:32:43 +0100 From: "Jason A. Donenfeld" To: "Reshetova, Elena" Cc: Theodore Ts'o , Dave Hansen , "Kirill A. Shutemov" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , "x86@kernel.org" , Kuppuswamy Sathyanarayanan , "Nakajima, Jun" , Tom Lendacky , "Kalra, Ashish" , Sean Christopherson , "linux-coco@lists.linux.dev" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH 1/2] x86/random: Retry on RDSEED failure Message-ID: References: <20240131171042.GA2371371@mit.edu> <20240201045710.GD2356784@mit.edu> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Hi Elena, On Wed, Feb 14, 2024 at 05:59:48PM +0000, Reshetova, Elena wrote: > > > > In other words, is the following a reasonable patch? > > > > diff --git a/arch/x86/include/asm/archrandom.h > > b/arch/x86/include/asm/archrandom.h > > index 02bae8e0758b..2d5bf5aa9774 100644 > > --- a/arch/x86/include/asm/archrandom.h > > +++ b/arch/x86/include/asm/archrandom.h > > @@ -13,22 +13,16 @@ > > #include > > #include > > > > -#define RDRAND_RETRY_LOOPS 10 > > - > > /* Unconditional execution of RDRAND and RDSEED */ > > > > static inline bool __must_check rdrand_long(unsigned long *v) > > { > > bool ok; > > - unsigned int retry = RDRAND_RETRY_LOOPS; > > - do { > > - asm volatile("rdrand %[out]" > > - CC_SET(c) > > - : CC_OUT(c) (ok), [out] "=r" (*v)); > > - if (ok) > > - return true; > > - } while (--retry); > > - return false; > > + asm volatile("rdrand %[out]" > > + CC_SET(c) > > + : CC_OUT(c) (ok), [out] "=r" (*v)); > > + WARN_ON(!ok); > > + return ok; > > } > > Do you intend this as a generic rdrand change or also a fix for CoCo > case problem? I was thinking generic, since in all cases, RDRAND failing points to a hardware bug in the CPU ITSELF (!), which is solid grounds for a WARN(). > I personally don’t like WARN_ON from security > pov, but I know I am in minority with this. I share the same opinion as you, that WARN_ON() is a little weak and we should BUG_ON() or panic() or whatever, but I also know that this ship has really sailed long ago, that in lots of ways Linus is also right that BUG() is bad and shouldn't be used for much, and this just isn't a hill to die on. And the "panic_on_warn" flag exists and "security guides" sometimes say to turn this on, etc, so I think WARN_ON() remains the practical compromise that won't get everyone's feathers ruffelled up. By the way, there is still one question lingering in the back of my mind, but I don't know if answering it would divulge confidential implementation details. You said that RDRAND is faster than the bus, so failures won't be observable, while RDSEED is not because it requires collecting entropy from the ether which is slow. That makes intuitive sense on a certain dumb simplistic level: AES is just an algorithm so is fast, while entropy collection is a more physical thing so is slow. But if you read the implementation details, RDRAND is supposed to reseed after 511 calls. So what's to stop you from exhausting RDSEED in one place, while also getting RDRAND to the end of its 511 calls, and *then* having your victim make the subsequent RDRAND call, which tries to reseed (or is in progress of doing so), finds that RDSEED is out of batteries, and underflows? What's the magic detail that makes this scenario not possible? Jason