Received-SPF: pass (google.com: domain of linux-kernel+bounces-65895-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Message-ID: <696a5d98-b6a2-43aa-b259-fd85f68a5707@amd.com>
Date: Wed, 14 Feb 2024 13:46:07 -0600
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH 1/2] x86/random: Retry on RDSEED failure
Content-Language: en-US
To: "Jason A. Donenfeld" <Jason@zx2c4.com>,
 "Reshetova, Elena" <elena.reshetova@intel.com>
Cc: Theodore Ts'o <tytso@mit.edu>, Dave Hansen <dave.hansen@linux.intel.com>,
 "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
 Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>,
 Borislav Petkov <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>,
 "x86@kernel.org" <x86@kernel.org>,
 Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>,
 "Nakajima, Jun" <jun.nakajima@intel.com>,
 "Kalra, Ashish" <ashish.kalra@amd.com>,
 Sean Christopherson <seanjc@google.com>,
 "linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
 "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
References: <CAHmME9oJvbZgT4yT9Vydc2ZQVSo3Ea65G5aVK7gFxphkV00BnQ@mail.gmail.com>
 <20240131140756.GB2356784@mit.edu> <Zbpc8tppxuKr-hnN@zx2c4.com>
 <20240131171042.GA2371371@mit.edu>
 <DM8PR11MB5750C7D16DC566CD1329D5A5E77C2@DM8PR11MB5750.namprd11.prod.outlook.com>
 <CAHmME9q-eUXnXnpaDu0VOQemOYysst7SaJ-=b8-vCFP9h50Szg@mail.gmail.com>
 <20240201045710.GD2356784@mit.edu>
 <CAHmME9oqM2a766dBK22-yKr8=2-icg=UkQzmBOF8G5Zh_Y9E9w@mail.gmail.com>
 <DM8PR11MB57505F657A8F08E15DC34673E7422@DM8PR11MB5750.namprd11.prod.outlook.com>
 <DM8PR11MB57503A2BB6F74618D64CC44AE74E2@DM8PR11MB5750.namprd11.prod.outlook.com>
 <Zcz2r51Tbb44ywjl@zx2c4.com>
From: Tom Lendacky <thomas.lendacky@amd.com>
Autocrypt: addr=thomas.lendacky@amd.com; keydata=
 xsFNBFaNZYkBEADxg5OW/ajpUG7zgnUQPsMqWPjeAxtu4YH3lCUjWWcbUgc2qDGAijsLTFv1
 kEbaJdblwYs28z3chM7QkfCGMSM29JWR1fSwPH18WyAA84YtxfPD8bfb1Exwo0CRw1RLRScn
 6aJhsZJFLKyVeaPO1eequEsFQurRhLyAfgaH9iazmOVZZmxsGiNRJkQv4YnM2rZYi+4vWnxN
 1ebHf4S1puN0xzQsULhG3rUyV2uIsqBFtlxZ8/r9MwOJ2mvyTXHzHdJBViOalZAUo7VFt3Fb
 aNkR5OR65eTL0ViQiRgFfPDBgkFCSlaxZvc7qSOcrhol160bK87qn0SbYLfplwiXZY/b/+ez
 0zBtIt+uhZJ38HnOLWdda/8kuLX3qhGL5aNz1AeqcE5TW4D8v9ndYeAXFhQI7kbOhr0ruUpA
 udREH98EmVJsADuq0RBcIEkojnme4wVDoFt1EG93YOnqMuif76YGEl3iv9tYcESEeLNruDN6
 LDbE8blkR3151tdg8IkgREJ+dK+q0p9UsGfdd+H7pni6Jjcxz8mjKCx6wAuzvArA0Ciq+Scg
 hfIgoiYQegZjh2vF2lCUzWWatXJoy7IzeAB5LDl/E9vz72cVD8CwQZoEx4PCsHslVpW6A/6U
 NRAz6ShU77jkoYoI4hoGC7qZcwy84mmJqRygFnb8dOjHI1KxqQARAQABzSZUb20gTGVuZGFj
 a3kgPHRob21hcy5sZW5kYWNreUBhbWQuY29tPsLBmQQTAQoAQwIbIwcLCQgHAwIBBhUIAgkK
 CwQWAgMBAh4BAheAAhkBFiEE3Vil58OMFCw3iBv13v+a5E8wTVMFAmWDAegFCRKq1F8ACgkQ
 3v+a5E8wTVOG3xAAlLuT7f6oj+Wud8dbYCeZhEX6OLfyXpZgvFoxDu62OLGxwVGX3j5SMk0w
 IXiJRjde3pW+Rf1QWi/rbHoaIjbjmSGXvwGw3Gikj/FWb02cqTIOxSdqf7fYJGVzl2dfsAuj
 aW1Aqt61VhuKEoHzIj8hAanlwg2PW+MpB2iQ9F8Z6UShjx1PZ1rVsDAZ6JdJiG1G/UBJGHmV
 kS1G70ZqrqhA/HZ+nHgDoUXNqtZEBc9cZA9OGNWGuP9ao9b+bkyBqnn5Nj+n4jizT0gNMwVQ
 h5ZYwW/T6MjA9cchOEWXxYlcsaBstW7H7RZCjz4vlH4HgGRRIpmgz29Ezg78ffBj2q+eBe01
 7AuNwla7igb0mk2GdwbygunAH1lGA6CTPBlvt4JMBrtretK1a4guruUL9EiFV2xt6ls7/YXP
 3/LJl9iPk8eP44RlNHudPS9sp7BiqdrzkrG1CCMBE67mf1QWaRFTUDPiIIhrazpmEtEjFLqP
 r0P7OC7mH/yWQHvBc1S8n+WoiPjM/HPKRQ4qGX1T2IKW6VJ/f+cccDTzjsrIXTUdW5OSKvCG
 6p1EFFxSHqxTuk3CQ8TSzs0ShaSZnqO1LBU7bMMB1blHy9msrzx7QCLTw6zBfP+TpPANmfVJ
 mHJcT3FRPk+9MrnvCMYmlJ95/5EIuA1nlqezimrwCdc5Y5qGBbbOwU0EVo1liQEQAL7ybY01
 hvEg6pOh2G1Q+/ZWmyii8xhQ0sPjvEXWb5MWvIh7RxD9V5Zv144EtbIABtR0Tws7xDObe7bb
 r9nlSxZPur+JDsFmtywgkd778G0nDt3i7szqzcQPOcR03U7XPDTBJXDpNwVV+L8xvx5gsr2I
 bhiBQd9iX8kap5k3I6wfBSZm1ZgWGQb2mbiuqODPzfzNdKr/MCtxWEsWOAf/ClFcyr+c/Eh2
 +gXgC5Keh2ZIb/xO+1CrTC3Sg9l9Hs5DG3CplCbVKWmaL1y7mdCiSt2b/dXE0K1nJR9ZyRGO
 lfwZw1aFPHT+Ay5p6rZGzadvu7ypBoTwp62R1o456js7CyIg81O61ojiDXLUGxZN/BEYNDC9
 n9q1PyfMrD42LtvOP6ZRtBeSPEH5G/5pIt4FVit0Y4wTrpG7mjBM06kHd6V+pflB8GRxTq5M
 7mzLFjILUl9/BJjzYBzesspbeoT/G7e5JqbiLWXFYOeg6XJ/iOCMLdd9RL46JXYJsBZnjZD8
 Rn6KVO7pqs5J9K/nJDVyCdf8JnYD5Rq6OOmgP/zDnbSUSOZWrHQWQ8v3Ef665jpoXNq+Zyob
 pfbeihuWfBhprWUk0P/m+cnR2qeE4yXYl4qCcWAkRyGRu2zgIwXAOXCHTqy9TW10LGq1+04+
 LmJHwpAABSLtr7Jgh4erWXi9mFoRABEBAAHCwXwEGAEKACYCGwwWIQTdWKXnw4wULDeIG/Xe
 /5rkTzBNUwUCZYMCBQUJEqrUfAAKCRDe/5rkTzBNU7pAD/9MUrEGaaiZkyPSs/5Ax6PNmolD
 h0+Q8Sl4Hwve42Kjky2GYXTjxW8vP9pxtk+OAN5wrbktZb3HE61TyyniPQ5V37jto8mgdslC
 zZsMMm2WIm9hvNEvTk/GW+hEvKmgUS5J6z+R5mXOeP/vX8IJNpiWsc7X1NlJghFq3A6Qas49
 CT81ua7/EujW17odx5XPXyTfpPs+/dq/3eR3tJ06DNxnQfh7FdyveWWpxb/S2IhWRTI+eGVD
 ah54YVJcD6lUdyYB/D4Byu4HVrDtvVGUS1diRUOtDP2dBJybc7sZWaIXotfkUkZDzIM2m95K
 oczeBoBdOQtoHTJsFRqOfC9x4S+zd0hXklViBNQb97ZXoHtOyrGSiUCNXTHmG+4Rs7Oo0Dh1
 UUlukWFxh5vFKSjr4uVuYk7mcx80rAheB9sz7zRWyBfTqCinTrgqG6HndNa0oTcqNI9mDjJr
 NdQdtvYxECabwtPaShqnRIE7HhQPu8Xr9adirnDw1Wruafmyxnn5W3rhJy06etmP0pzL6frN
 y46PmDPicLjX/srgemvLtHoeVRplL9ATAkmQ7yxXc6wBSwf1BYs9gAiwXbU1vMod0AXXRBym
 0qhojoaSdRP5XTShfvOYdDozraaKx5Wx8X+oZvvjbbHhHGPL2seq97fp3nZ9h8TIQXRhO+aY
 vFkWitqCJg==
In-Reply-To: <Zcz2r51Tbb44ywjl@zx2c4.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Precedence: bulk
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
	=?utf-8?B?dTVkVFhIekdUUjVUZXgvVnZaWENSVDFwemZ0dGFzMjZPUHdOQ1VPQlhWSXZi?=
 =?utf-8?B?RVVBSDIyTldWODRyeW9yRkZLRmQ2a3B5YXdoMDkvNUR4dE9Yc1RnTzVWaXdQ?=
 =?utf-8?B?YmNkb09RckJacGRPaFhZQnJ3MjNvRDN0Yzl6NUFhNnpNMEw2WnhFWGFaOUF5?=
 =?utf-8?B?LzVaTjlEUTBRcFJxTUE1NitNMW84M2Nxa3BEWm5aUGczNW9VRWcvclc4VjVr?=
 =?utf-8?B?K205UGNDcy9DZk5LY0RzTzRPelpoYWJZQURhL3BYZFRWRGV2Rys3VmpSK05H?=
 =?utf-8?B?YVYzaWJIdlFld3NYdjJJckxITEo4QmlkOVZINGJUYzRLbkxGOEdUNjh4VXA1?=
 =?utf-8?B?d2t4M3lxY00wMm0yWTZ2MWtCaG1qeHBhZDhWUzI0UjVrWVMwREhFKzc4dkd2?=
 =?utf-8?B?em5paXYzbzdEZCtRV1JUSjN5Zkdjb2JlYlVEaVkvNUlsWXFOTmlUeWtkaWFo?=
 =?utf-8?B?Rk9ZT2I3M2F0TGlENlZWaTVmZkFBUzg0K2tqb1ZmRDI0cC8rbEtUeGY5Mzda?=
 =?utf-8?B?cU8xeEx4b0gwa2U5dHVqQ2JhKzFYaG9YYkdHSnVwZVZLMXRNUDdCU002T0Rk?=
 =?utf-8?B?ZVBHYnZESlgvcWNLaXRCMmJwTjlKTFQvZlF2bUs4cE1GM1pMVzFoOXRxY0sz?=
 =?utf-8?B?UngxMXNWdXdWc2FKc0FBc2NYWXpOVHI0THNGaVlLcVE3TlU1WXZmRFJVOFo0?=
 =?utf-8?B?NmF6d1Jmb20rREx0WFFEcm1RNHNVeElqZDRkUFA1a3VqVVpreTJkbkJ0Smxq?=
 =?utf-8?B?RDVvRXFiQkJRM09RdThnYXQ1Z3dMaE5KRDRZRzA5YjRaNVl3QVlQNzZTVlM0?=
 =?utf-8?B?REZGbFYxeDNGWEE5ZEwzSlRtZ2NCNVBoekRSWlRSK1IzYWIvNU4wNEsxTHhK?=
 =?utf-8?B?MXk2NXZ6UHVLTmxET1JTbGJBUVhUS2hUOEplbU5MR0FtZ2wvbExHbnZRSDdQ?=
 =?utf-8?B?NHdha3JJVUU0Y2tIS2pLY0lMMWQ1M09sa1RKMmZvWmFzRWVjK09Kd3lPWUs2?=
 =?utf-8?B?aHh2bVVCMWZuMjRKaEl6Q05RNERiTGlKTHZ3L2FNaTRjK1RtN2pTZEZTM2hj?=
 =?utf-8?B?UVNaMjBFbDhmZ1pBZm5rUkhneEFNRE1zS09SaXdPQjBvTDkzbGNVUy9jTUps?=
 =?utf-8?B?cWNOZnorNmN4T3lmcTdjVDhGNnpkK1UxYXZKL1E1QXIrQWNtYnNjbTFWOGhP?=
 =?utf-8?B?VEUxSy9QQmR6WHg2NWV6VEhpN1hRYmJ3NG9hWXRRdjgweWIzSXRVUmNXN1Js?=
 =?utf-8?B?bXJDbGtWenE4TVhPOTBqY1lGcmx3ZHJxT2VKVC9vdEZpSWdqZGN1cHR3ZVNF?=
 =?utf-8?B?Q3VKa0xMRS9KVzVvNkFkZkFBTVk0NFRsdUlZUURiUlZkS1Z6QklWVUQ0M0J4?=
 =?utf-8?B?MGFFdm5PQkM5UEpKY2JOZWVVYUlsQjkzaVFTMmZ1cW5LUGxibUdjbUJ6UDc2?=
 =?utf-8?B?dnFEYWlLeVpaVFlJZXFvYnJEWUZ3Ny9VSlU5azlTcm1Bblk0V21lb3NqMW9E?=
 =?utf-8?B?NnJJRXlXbHhKUitOMUg1NmVpSkZPRmhPRkE2TDdyV0dZWXNiSzlVOUFyWWp2?=
 =?utf-8?B?SFZaTUY0V2hscmZwMTZJdUJDZ09kZ09HNU1RNjgxTmV0VHFySXozeHRsN2Zv?=
 =?utf-8?B?U0drS2pYaEI1Qy9NK1JBWWE4bDdSZ2xlRXlXNmxsZEhIS1pTclJZNEtoWkox?=
 =?utf-8?B?RmhscmxudUV6TityMjBRM2hMM0VBTC9SZFlIZEdmaG5XVTRCNC94MXRtWHdG?=
 =?utf-8?B?RUl0OEE1MmQ2Sy96OHhKS0hjaEdsemt6SkJJVmxDQWhNVXpRSGhHRU90bzdt?=
 =?utf-8?B?SWxwbk9BcHdNbEF2bUlJYm5WaHBYUldYWElobzQyMnNwbTluMmJ3dlU0Z3l5?=
 =?utf-8?B?MmdaMDV3ZUQxQjJoMFI4WmNIZ2RIYmNNdTZlVUxNbzZQYStkdWZLTGRQbTRC?=
 =?utf-8?B?c1NYZ25hQXNFbW5oY1pmR1dieWtvT2dIY255bXE2WDU1REFPd1djTS9VQTJJ?=
 =?utf-8?B?dUFXSDhNNkY3Z1pPWTRURE8zNDVVNSs0NUx1VHlGSTdadk1uMGMraHlYV05C?=
 =?utf-8?B?Z3g2WDRLcWJpWm03b3dabmtNcEtiUEJVVE03ZzlDajFnK1IzaWNQQWZ5Qld0?=
 =?utf-8?Q?20AiKRy+ukt/RKCCxd1xeBbQx?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3e52d0f1-42c3-4070-6da3-08dc2d9597e4
X-MS-Exchange-CrossTenant-AuthSource: BL1PR12MB5732.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Feb 2024 19:46:10.2780
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 3U1n58aB8T8yrgwh+C2emBOuoKqO8eO3NNtXE1vcmwYLkhWnDO5S2bfIZnRm8M0XiagFPUUe4xOA84E667gQzg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN9PR12MB5338

On 2/14/24 11:21, Jason A. Donenfeld wrote:
> Hi Elena,
> 
> On Wed, Feb 14, 2024 at 4:18 PM Reshetova, Elena <elena.reshetova@intel.com> wrote:
>> "The RdRand in a non-defective device is designed to be faster than the bus,
>> so when a core accesses the output from the DRNG, it will always get a
>> random number.
>> As a result, it is hard to envision a scenario where the RdRand, on a fully
>> functional device, will underflow.
>> The carry flag after RdRand signals an underflow so in the case of a defective chip,
>> this will prevent the code thinking it has a random number when it does not.
> 
> That's really great news, especially combined with a very similar
> statement from Borislav about AMD chips:
> 
> On Fri, Feb 9, 2024 at 10:45 PM Borislav Petkov <bp@alien8.de> wrote:
>> Yeah, I know exactly what you mean and I won't go into details for
>> obvious reasons. Two things:
>>
>> * Starting with Zen3, provided properly configured hw RDRAND will never
>> fail. It is also fair when feeding the different contexts.
> 
> I assume that this faster-than-the-bus-ness also takes into account the
> various accesses required to even switch contexts when scheduling VMs,
> so your proposed host-guest scheduling attack can't really happen
> either. Correct?
> 
> One clarifying question in all of this: what is the point of the "try 10
> times" advice? Is the "faster than the bus" statement actually "faster
> than the bus if you try 10 times"? Or is the "10 times" advice just old
> and not relevant.
> 
> In other words, is the following a reasonable patch?
> 
> diff --git a/arch/x86/include/asm/archrandom.h b/arch/x86/include/asm/archrandom.h
> index 02bae8e0758b..2d5bf5aa9774 100644
> --- a/arch/x86/include/asm/archrandom.h
> +++ b/arch/x86/include/asm/archrandom.h
> @@ -13,22 +13,16 @@
>   #include <asm/processor.h>
>   #include <asm/cpufeature.h>
>   
> -#define RDRAND_RETRY_LOOPS	10
> -
>   /* Unconditional execution of RDRAND and RDSEED */
>   
>   static inline bool __must_check rdrand_long(unsigned long *v)
>   {
>   	bool ok;
> -	unsigned int retry = RDRAND_RETRY_LOOPS;
> -	do {
> -		asm volatile("rdrand %[out]"
> -			     CC_SET(c)
> -			     : CC_OUT(c) (ok), [out] "=r" (*v));
> -		if (ok)
> -			return true;
> -	} while (--retry);
> -	return false;
> +	asm volatile("rdrand %[out]"
> +		     CC_SET(c)
> +		     : CC_OUT(c) (ok), [out] "=r" (*v));
> +	WARN_ON(!ok);
> +	return ok;

Don't forget that Linux will run on older hardware as well, so the 10 
retries might be valid for that. Or do you intend this change purely for CVMs?

Thanks,
Tom

>   }
>   
>   static inline bool __must_check rdseed_long(unsigned long *v)
> 
> (As for the RDSEED clarification, that also matches Borislav's reply, is
> what we expected and knew experimentally, and doesn't really have any
> bearing on Linux's RNG or this discussion, since RDRAND is all we need
> anyway.)
> 
> Regards,
> Jason