Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp216776pxb; Mon, 16 Aug 2021 04:00:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw5U/R9jlcylR7zqhKW8mJ8bfu3KcTd6IfE7EI4FLp5Njf5hhND0DBAU7/RwwxuH8yLuNwt X-Received: by 2002:aa7:c45a:: with SMTP id n26mr19771377edr.218.1629111650346; Mon, 16 Aug 2021 04:00:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629111650; cv=none; d=google.com; s=arc-20160816; b=pWV/Mg1tu5QQtq0o5VqcG+EUs4zr276PGPZpIwR0749qHP9KMhnIxRH5yf1CrbscNk MOOMGDZ8+fMAdm9sALu0YzJHGDhmA0SrWmrZRuoUnOhMsNe2kzVGDf3hsptnt9ZZhmmU jytr84Feqg3rloYpTfJAmj5YF78Zut3FKLZJXH+VqWOrMfsYr5uLvN5vRTKwgfpupeYa xqSUfmqHYhRYHLoAG0qB1KhT5zOpaBJkHj42P1xIDutc3W5oYctLkQefeNalkCGOWOFA Arb2x9Mv4us5gN+8wBgDjnDcYzPdgPBUUY3LduPcTn4W6Q+KKcOlN6sPdgc+CeP/gdGD k+5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Gl27ctEl0OvMeLBpmbnTOkT2KQz+Xemn+56DrD+juXI=; b=00Hzc+uftjm1g23WOTgHtAKtb5SUqIfT9yJx4BoJUhhkg7Vz/dTeLxCS8mjlkjTBUx mRQLJ4GI3fp9R55ysCForw4Sme8UTAM7h/oYFPhraUCJxg6mZ33FCM92TWDebAFUBDy0 QXAOK60aEXB3qzN8cY1DJ2hHux0qeNYQ7NH1N+Z8pA6uZoAR6iox4EWsDklEINIqjukL f5RpgevA9puQLBaQsRZlyuI2tIc9+niq0ulUQwgdgekZYd09JM1t7nl166hk6ggHZ0Pq QMVkf+EhHFvZPzfWmcTx0dYuvxuQwEICZMGvshZyTvb0OHl20eU7K/ZoopaIr8MR+gZY G9+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=t+ydQo3H; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u9si9865463edf.583.2021.08.16.04.00.16; Mon, 16 Aug 2021 04:00:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=t+ydQo3H; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235901AbhHPLAl (ORCPT + 99 others); Mon, 16 Aug 2021 07:00:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44284 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233320AbhHPLAf (ORCPT ); Mon, 16 Aug 2021 07:00:35 -0400 Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7EEBDC0613C1 for ; Mon, 16 Aug 2021 04:00:04 -0700 (PDT) Received: by mail-wr1-x42c.google.com with SMTP id q6so11456712wrv.6 for ; Mon, 16 Aug 2021 04:00:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=Gl27ctEl0OvMeLBpmbnTOkT2KQz+Xemn+56DrD+juXI=; b=t+ydQo3H4rp2Ylgpm31fOeayrfUe8B7fNtlF8/3E6hKrvdRSSkz2Hgp8IDH67sjOR/ 0zV39bYslRN+robC75uEie3AEk//WqogM+zTK67g92ZiTTLJXf0FVl3DbAPzimJftez+ xcANMADQguxtAi3T//RyAH/HMN1YtGqTfkFix1YenydoIu0z2gYlMPWReoFuJM1OrwwO a3G1wbK4SwX8tWnIwebpi6eki9pHNJz9R38CnPt64vdQKVUi9QzqL5xTsB+zxs5wvmCW YFkTstyN8YfTl9xXoXg/PVzdAgM8hN/teaj1oeV4nKsHwvGTQnNlZRD99hejg9JLt2Ml B3aQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=Gl27ctEl0OvMeLBpmbnTOkT2KQz+Xemn+56DrD+juXI=; b=V2k70ey3JNv2j3zRAF2Q7Kvr919PoqXebJiEwhBQszvJwK7aCpFXrxeZ2OGRsvz4XF 3jAUn2rmwaJf5Tn4OW8KV4Hi/+XdQuLLuGv9UxjHJXbUFtgsAqv10BlaRlYBa3FQeJzb KGfHaeC9ewitzQkarm76iW4/B7WT/1ng48bk5b+tpEX53d2mAzcJ+0j1ykZ0HxOjVrEO lb5iwA50xTtAWo26dy8xQZ3LDMjDSYnrWyzFSKb/JVUTFrwuyNWQrkkZfPutOGMTiZ5L sgjN1PJJX1Ku9mzzRaO/bts7+F90BrCw2HtOKX+Vnsd/ApqdAT3treElhqpS1HZ98KP7 0GYw== X-Gm-Message-State: AOAM532Xc8mXqd8t7fSCqXD9BRi3XzfLG2jEfuQqdb0THnjA7aZXUvgG rZjBeo/fgrI2Qj/UvmnscQmLofV9imKllRP9xjysqRYdBiU= X-Received: by 2002:a5d:60cd:: with SMTP id x13mr17580192wrt.375.1629111602983; Mon, 16 Aug 2021 04:00:02 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Sandy Harris Date: Mon, 16 Aug 2021 18:59:50 +0800 Message-ID: Subject: Re: Lockless /dev/random - Performance/Security/Stability improvement To: Linux Crypto Mailing List , "Ted Ts'o" , Stephan Mueller , John Denker , m@ib.tc Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org I wrote: > > The basic ideas here look good to me; I will look at details later. > > Looking now, finding some things questionable. > ... I'm still looking & finding things that seem worth wondering about, & asking about here. I am by no means convinced that Mike's idea of a lockless driver is a good one. Without some locks, if two or more parts of the code write to the same data structure, then there's a danger one will overwrite the other's contribution & we'll lose entropy. However, I cannot see why any data structure should be locked when it is only being read. There's no reason to care if others read it as well. If someone writes to it, then the result of reading becomes indeterminate. In most applications, that would be a very Bad Thing. In this contact, though, it is at worst harmless & possibly a Good Thing because it would make some attacks harder. For example, looking at the 5.8.9 kernel Ubuntu gives me, I find this in xtract_buf() /* Generate a hash across the pool, 16 words (512 bits) at a time */ spin_lock_irqsave(&r->lock, flags); for (i = 0; i < r->poolinfo->poolwords; i += 16) sha1_transform(hash.w, (__u8 *)(r->pool + i), workspace); /* * We mix the hash back into the pool ... */ __mix_pool_bytes(r, hash.w, sizeof(hash.w)); spin_unlock_irqrestore(&r->lock, flags); The lock is held throughout the fairly expensive hash operation & I see no reason why it should be. I'd have: /* Generate a hash across the pool, 16 words (512 bits) at a time */ for (i = 0; i < r->poolinfo->poolwords; i += 16) sha1_transform(hash.w, (__u8 *)(r->pool + i), workspace); /* * We mix the hash back into the pool ... */ spin_lock_irqsave(&r->lock, flags); __mix_pool_bytes(r, hash.w, sizeof(hash.w)); spin_unlock_irqrestore(&r->lock, flags);