Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp5818940pxb; Wed, 26 Jan 2022 23:28:41 -0800 (PST) X-Google-Smtp-Source: ABdhPJynOxIoDM888jRLCrmu9TawJJdSJ8IPqk3dNHsqGoiPfFQH6PuQZ8qNNNJcwbua1rULEcq2 X-Received: by 2002:a05:6a00:2493:: with SMTP id c19mr2020047pfv.29.1643268521336; Wed, 26 Jan 2022 23:28:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643268521; cv=none; d=google.com; s=arc-20160816; b=Jxnscl9T3wzWvFXQKC/zhuqJ6mcu1PTqqQGMZfqsFpSQzWo95KjKEh+CyOuKfCZd1/ 2Qfoc+TM2U7kumZa/IQutBZB/5KCvsR1Re3eFo5UIw7r873dom6OCecnAkcgIibETSZO LRRxdx/1f6onpii1lbDuCUeiZLDA4kN3iWEOZ5zBW42KAyQYREQ7g1pnVB1t9/p0Vq6f O2aPrf6t57Cd3NSUzMv4sWp5FLz1BSgPkAnm0tu78jbYIKQBpwA1jajiqiY04wjNPEP/ 002ECulVxcsYBxNwtLDHc2Cf4PkrAgRv1LJXR1P6WlP173wqWviRPEbhOxoq11XZc5Po FgNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=X0Usarwu6KVRkGvtR6V1/OIm5/VM3r1k//rGHvbz25Y=; b=RFq/xdE790PDu8eEtwypwYsnwxV9A+rsSkfr8okvy7MEraRPLYd13jsdRVLfGD48k/ MIjfKeelCdbsBC90z/kltgWAjMfWa7qSB3pOg7bYd3mnoHTsAca816y5bTmGZP6d88Rr vkYCFTeRl033nuw0+iwwO0M2UmyHZ2dakHhkEOr9AgQ0AzRueeEyswlDWg/d3Xciuhlv s+ne62L884SvS0pO8DwQbuGFYOPtXe06Q/8Z5lTDG3MEGFFmCX8uhNMbDekiGNPnRtI7 uNmQUDdAT0awHXR5nXXfBq+yYkRA/idAUBoJvdn5OjPjEDuiRHcoEGLz7cPTyaTBR2mT MOnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=R5Qj0O+s; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 8si4665796pju.162.2022.01.26.23.28.15; Wed, 26 Jan 2022 23:28:41 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=R5Qj0O+s; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230054AbiA0AgK (ORCPT + 99 others); Wed, 26 Jan 2022 19:36:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58458 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229724AbiA0AgK (ORCPT ); Wed, 26 Jan 2022 19:36:10 -0500 Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E80FC06161C for ; Wed, 26 Jan 2022 16:36:10 -0800 (PST) Received: by mail-ej1-x636.google.com with SMTP id o12so2030695eju.13 for ; Wed, 26 Jan 2022 16:36:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=X0Usarwu6KVRkGvtR6V1/OIm5/VM3r1k//rGHvbz25Y=; b=R5Qj0O+sETCdnxm9hPW2uISZBZlRVg37XJ3qtcaQVwhe/6CcL/1aRcasnfVO+p6deZ Jh/jInMG9hsw/Bl9ythl1icc9Q4Qg70+Xw4LUsuq/NFieC5tqp1ICcaVpu47fiJZWAPU qc/z0f4nyIiHnKe0uaEQgn9A6U+zvJLcP9F1gI/ttLspnJkhahqHDAJyZj1H5UxvFOLX bZw+v0kUK2/qffMrKOJx++RmGI/CpMyv7TOB6B2MVpMu9JikmIPDte/7p3z704gZDjAM /htQVoh1xDfu1MkYLgl2/UusDIy4oOc2EYACbp5Z6Av0j0FOuZJMtp94SJD17CLcLT7n 4rpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=X0Usarwu6KVRkGvtR6V1/OIm5/VM3r1k//rGHvbz25Y=; b=dz2zt7IJ8+OrnNgDxzM6Q+Dn7Q7xnxd2dC1XCltRcYih9QkYjy58LDGIcgToaOvTzT KiiFV6mxYwyqfd8kOrfazyt2t7siNEqmcFtP+5gIB+KwitVXZd/deXJsh9m6i/Tn6o2U Tg0ZE6Ymgt9S+yv3e5T5GC5iJgXaGTnIsVaN1ZnDQ728cBdl+YnFHMEMb7IusAkuamZk pGAkxzXfzYGE1+gYzZmQhOIa4bhoZkOZTyQm3u8dOuH+sSZuW5CTXUckdTZsVpOqdlqq OjWuh7NT2JhLhXgRZ/qXNfk3feyTq2Cve+Z03dt+t4wNFinHG44Iwq4DCD5YL29n8T0p 9ZBw== X-Gm-Message-State: AOAM531fS4RLTnXzYovHJBbjN+86dTHmtZrYhdcbHaZ4FPrPen7ISJ0L /QLBFUG3CBxcdq+IEMMIjZfGRrIDtnAFci8orxnadxexFaU= X-Received: by 2002:a17:907:1c19:: with SMTP id nc25mr1090294ejc.354.1643243768550; Wed, 26 Jan 2022 16:36:08 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Sandy Harris Date: Thu, 27 Jan 2022 08:35:54 +0800 Message-ID: Subject: Re: Lockless /dev/random - Performance/Security/Stability improvement To: "Theodore Ts'o" , "Jason A. Donenfeld" Cc: Linux Crypto Mailing List , Stephan Mueller , John Denker , m@ib.tc Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, Aug 16, 2021 at 10:25 PM Theodore Ts'o wrote: > On Mon, Aug 16, 2021 at 06:59:50PM +0800, Sandy Harris wrote: > > I am by no means convinced that Mike's idea of a lockless driver is a > > good one. Without some locks, if two or more parts of the code write > > to the same data structure, then there's a danger one will overwrite > > the other's contribution & we'll lose entropy. > > > > However, I cannot see why any data structure should be locked when it > > is only being read. There's no reason to care if others read it as > > well. If someone writes to it, then the result of reading becomes > > indeterminate. In most applications, that would be a very Bad Thing. > > In this contact, though, it is at worst harmless & possibly a Good > > Thing because it would make some attacks harder. > > > > For example, looking at the 5.8.9 kernel Ubuntu gives me, I find this > > in xtract_buf() > > > > /* Generate a hash across the pool, 16 words (512 bits) at a time */ > > spin_lock_irqsave(&r->lock, flags); > > for (i = 0; i < r->poolinfo->poolwords; i += 16) > > sha1_transform(hash.w, (__u8 *)(r->pool + i), workspace); > > > > /* > > * We mix the hash back into the pool ... > > */ > > __mix_pool_bytes(r, hash.w, sizeof(hash.w)); > > spin_unlock_irqrestore(&r->lock, flags); > > > > The lock is held throughout the fairly expensive hash operation & I > > see no reason why it should be. > > The reason why this is there is because otherwise, there can be two > processes both trying to extract entry from the pool, and getting the > same result, and returning the identical "randomness" to two different > userspace processes. Which would be sad.... (unless you are a > nation-state attacker, I suppose :-) So lock the chacha context, the data structure it writes, instead. Since the write back to the pool is inside that lock, two threads extracting entropy will get different results. Call mix_pool_bytes() instead of __mix_pool_bytes() and it will do the necessary locking when the input pool is written. I think this deals with Mike's main objection: " It is highly unusual that /dev/random is allowed to degrade the " performance of all other subsystems - and even bring the " system to a halt when it runs dry. At any rate, it reduces the chance of other code that writes to the input pool being blocked by random(4).