Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp375239pxb;
        Mon, 16 Aug 2021 07:26:56 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyAja3RCbCGtc+pCBFacTLXJuduwonZYj40yajNSv9m14okE7avxz7PbXWSBayuwmYmWKtf
X-Received: by 2002:a05:6e02:1d96:: with SMTP id h22mr11805894ila.294.1629124016251;
        Mon, 16 Aug 2021 07:26:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1629124016; cv=none;
        d=google.com; s=arc-20160816;
        b=OuhGgv1TL2ZgSIlC5OZVqlMDnfKK02jxU991WcIFLNzWaNxlv4bbMlxzePXfACDIYy
         nj2yVXXuE/8kPTIPHS4huaM4s+0t79FG1d82JLdN190Bt8xPEzFfl0PaZBAQil/jVRYK
         zak+dIAEcItYjo3fzs36v6zYG35SerSv1uq7DoP8kgJiNNZ9vluOlScMXDABUhQKDyVv
         28UOFSf8LrDH5ozl34QhdTMSnti8cxdD4DYOQhAlbwTCHZTMC56L/px5ARaNzlf5TjqS
         8eBCVLSDsw0YN1xpMntryQl+9B99Gs6IP06x90XdO6xMSM46gUUCMk4NtbK6QULFm0ZV
         ZZWg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=h9+1qVFyGs3V8CknGdFsPPOV7Vj2pAWUjE51axk53mI=;
        b=0tOvZvEs+I4YWvdNKdpSGbNSE3rhTFQ3fRVAWwtx9yOZEXuNEGWUH2TrmxocRU6ZcI
         oFlr28BP4HqfC54WSuEuRDopITdQ1oJvsCzT5VObME5sq5TSjrKDs/zX85vWPE4e8Rm3
         KXaLsioWwIj7iRfiy0QJcnMDmh+Nfi7P3SZSyK2/GEack/gQQUki2BR3qcCgiG3JV7BG
         RYiM/FCFYXses70paaJr8hCFFLwFaSkCAedP1jqS7keJnYaSr3ZVBVRGUP0L3eORS+GP
         Q2FIMCw11iuJx6/cQL09Y4d6n1gQOx7i/gRNkG1Esttn3c0eip4BS0huA8vGAORZIp7R
         UpQw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id e9si11795722ios.63.2021.08.16.07.26.35;
        Mon, 16 Aug 2021 07:26:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232202AbhHPO0a (ORCPT <rfc822;will.sands.v@gmail.com>
        + 99 others); Mon, 16 Aug 2021 10:26:30 -0400
Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:41480 "EHLO
        outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S232234AbhHPO0a (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 16 Aug 2021 10:26:30 -0400
Received: from cwcc.thunk.org (pool-72-74-133-215.bstnma.fios.verizon.net [72.74.133.215])
        (authenticated bits=0)
        (User authenticated as tytso@ATHENA.MIT.EDU)
        by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 17GEPbSw009058
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 16 Aug 2021 10:25:38 -0400
Received: by cwcc.thunk.org (Postfix, from userid 15806)
        id 9060C15C3DB9; Mon, 16 Aug 2021 10:25:37 -0400 (EDT)
Date:   Mon, 16 Aug 2021 10:25:37 -0400
From:   "Theodore Ts'o" <tytso@mit.edu>
To:     Sandy Harris <sandyinchina@gmail.com>
Cc:     Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        Stephan Mueller <smueller@chronox.de>,
        John Denker <jsd@av8n.com>, m@ib.tc
Subject: Re: Lockless /dev/random - Performance/Security/Stability improvement
Message-ID: <YRp1YbpFdNG0IJMI@mit.edu>
References: <CALFqKjSnOWyFjp7NQZKMXQ+TfzXMCBS=y8xnv5GE56SHVr5tCg@mail.gmail.com>
 <CACXcFmnRAkrj0Q3uFjyLu7RaWQh0VPbmErkj+cUaxZMb=YiGCw@mail.gmail.com>
 <CACXcFmmW+tCUf8JS=a=wJEnBY2JojP8VwEGLncYcGLZqiU+5Jw@mail.gmail.com>
 <CACXcFmmosvNMxwjOFZ9SDadqJE11w6Vva+i9AV1zYQxbwoB9sA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACXcFmmosvNMxwjOFZ9SDadqJE11w6Vva+i9AV1zYQxbwoB9sA@mail.gmail.com>
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Mon, Aug 16, 2021 at 06:59:50PM +0800, Sandy Harris wrote:
> I am by no means convinced that Mike's idea of a lockless driver is a
> good one. Without some locks, if two or more parts of the code write
> to the same data structure, then there's a danger one will overwrite
> the other's contribution & we'll lose entropy.
> 
> However, I cannot see why any data structure should be locked when it
> is only being read. There's no reason to care if others read it as
> well. If someone writes to it, then the result of reading becomes
> indeterminate. In most applications, that would be a very Bad Thing.
> In this contact, though, it is at worst harmless & possibly a Good
> Thing because it would make some attacks harder.
> 
> For example, looking at the 5.8.9 kernel Ubuntu gives me, I find this
> in xtract_buf()
> 
> /* Generate a hash across the pool, 16 words (512 bits) at a time */
>     spin_lock_irqsave(&r->lock, flags);
>     for (i = 0; i < r->poolinfo->poolwords; i += 16)
>         sha1_transform(hash.w, (__u8 *)(r->pool + i), workspace);
> 
>     /*
>      * We mix the hash back into the pool ...
>      */
>     __mix_pool_bytes(r, hash.w, sizeof(hash.w));
>     spin_unlock_irqrestore(&r->lock, flags);
> 
> The lock is held throughout the fairly expensive hash operation & I
> see no reason why it should be.

The reason why this is there is because otherwise, there can be two
processes both trying to extract entry from the pool, and getting the
same result, and returning the identical "randomness" to two different
userspace processes.  Which would be sad....  (unless you are a
nation-state attacker, I suppose :-)

Cheers,

					- Ted