Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C05BDC433EF for ; Tue, 4 Jan 2022 05:03:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229543AbiADFD6 (ORCPT ); Tue, 4 Jan 2022 00:03:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38134 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229452AbiADFD5 (ORCPT ); Tue, 4 Jan 2022 00:03:57 -0500 Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3ACDAC061761; Mon, 3 Jan 2022 21:03:57 -0800 (PST) Received: by mail-wm1-x32d.google.com with SMTP id a203-20020a1c7fd4000000b003457874263aso22050541wmd.2; Mon, 03 Jan 2022 21:03:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bX3txH8dDchVX0wVCbxbqybQRQkhYo9my0ZLDA1n4oE=; b=CV0S3MjYHGNdJsMzCoW1Ofj5SlNfSsTCDaf7bKHX39q0opZrkeY/o3vFxPMVMGJrC6 58kP6NQZgwJgT48g23rGuyMIqc+LCdBkf10tqUPF6vMFpznQMEShveWdQOrEIV407jUY EFfbhZuTYPTA3hUZevN/RLpWsEL+C4zKvRHrP07XK9zaHFeW2Gg2Y9ADLqaZHa04SByu 8iXeKosc+sR+qiFyr6nzgQqfNkUBoMGSp7F9ayslzRlixUFFo2Tlqye9WSup/DeFyAoE piFo58n++X07Nek1/zU90AR1KzdyA27r02GqTxFgqGd6tAjBBt234Z8YrCYxosF1RAD4 Ztig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bX3txH8dDchVX0wVCbxbqybQRQkhYo9my0ZLDA1n4oE=; b=vipufBkx5HDoEgtSQ3R25FQoP7nrcbqVKozz67PPUVmyIkPfXFyTQiDJoVepkQ2YDX TlnWtW1fxNVFIzN1E0NJOG6SkE0ZeTETtew7FKso6OQ1JsDO1CWSyfdR9F3xJZit88Pj SsokTZraGo6nAjCSmd0fsulvuqak8yCyyGCyXtyqp67P2N+qRdtYA9kkM/HJyW1A6TkU uZ8JjKC2d4+ZoSFVWqaQyEaa6T9dTud+rb+3+chB6+dY8YCXk1Xz6mq0XaCAiRE1/tPp OZSataPB+tAtEeTPFebY1L2NhKawTSxIF5oqjGXWtBKL3++bcBARnAYMbbaR4p1g9NTQ IsYQ== X-Gm-Message-State: AOAM531JuJMLgLM7rJ71YgJ6KFL5bXXXJh/hpT01hb1+Yp11bF1cly/P 8KQdtGkDlFGVhpPpL320dP+cnrRKylqwNuNpNpaqUK3/6wo= X-Google-Smtp-Source: ABdhPJwNB3Qvdq7axxA4E5eUQlzMMRCT1l0vcXYnVkl/wKpNoxh1CDFHqrOWJnDr7bZ2w3fKP43UxlRbq/S+YklMZ+M= X-Received: by 2002:a7b:c087:: with SMTP id r7mr41264307wmh.17.1641272635864; Mon, 03 Jan 2022 21:03:55 -0800 (PST) MIME-Version: 1.0 References: <20211231114903.60882-1-Jason@zx2c4.com> In-Reply-To: From: Sandy Harris Date: Tue, 4 Jan 2022 13:03:43 +0800 Message-ID: Subject: Re: [PATCH v2] random: avoid superfluous call to RDRAND in CRNG extraction To: "Theodore Ts'o" Cc: "Jason A. Donenfeld" , LKML , Linux Crypto Mailing List Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org If we are removing RDRAND, what about adding some cheaper mixing? Something along these lines? The current code's mixing is triggered only once in 2^32 iterations, depends only on crng->state[], always changes the same state word, and introduces no new entropy. Make it happen more often, depend on a randomly initialised counter as well as state[], make a data-dependent choice of word to change, and use random_get_entropy(). --- drivers/char/random.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 605969ed0f96..d2be079f004d 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -985,6 +985,10 @@ static void crng_reseed(struct crng_state *crng, struct entropy_store *r) } } +#define CC_SHIFT 8 +#define CC_MASK ((1<state[14] ^= v; chacha20_block(&crng->state[0], out); - if (crng->state[12] == 0) - crng->state[13]++; + if (cc_count == 0) + cc_count = crng->state[9] ^ random_get_entropy() ; + switch ((crng->state[12] ^ cc_count) & CC_MASK) { + case 0: + cc_count = crng->state[10] ^ (cc_count>>CC_SHIFT); + break ; + case 31: case 97: case 253: + crng->state[crng->state[13]&7]++; + break ; + case 61: case 127: + crng->state[crng->state[11]&7] += random_get_entropy(); + break ; + default: + break ; + } + cc_count++ ; spin_unlock_irqrestore(&crng->lock, flags); } -- Signed-off-by: Sandy Harris