Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp1442293pxb; Thu, 14 Apr 2022 06:23:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwy4eb5+L/BkCQjtVW6RUXu1n8XarQlj8ccA9m+2AgJWq82HKK3VHVAqIFIMTazobxNOibd X-Received: by 2002:a17:90a:d083:b0:1c9:94bb:732d with SMTP id k3-20020a17090ad08300b001c994bb732dmr3752795pju.106.1649942607369; Thu, 14 Apr 2022 06:23:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649942607; cv=none; d=google.com; s=arc-20160816; b=c+H7vET3mS1eo5S9aLS/DG5MLiZf5HgGOXCsgkb1Q44aiD5Uj91tD9zyKrLGab4HQ1 rZK9cHEin1INzXLhB4/KVndT5JK634iA0d0QUnD0wgxKJ9PuwWxAwrG7W7gl50/krepa /0C3evXaTcTJ+57zGyVlZG+Itf5lrlXxIvhG/KHwho2eq1nDeiewP6RLTJp+jXRLVBd/ fHtPHxRWotyHfOOWOP9H0DvRGENBjnCL+CQIXF8nyMf33QMdGaiYYuZ+wGRaUV9M7/nZ H8DzkN2FuOu7Fn0o4t113tK31TZqEJG5gHkyYoecs90epPbrEHGUIKEWzrKkm57k+M5j Snmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=jitaCCQ2e/PpJGSBhLHWsevtZEgEekS1b3Wk73klyKA=; b=rwh/6DhKK3l3FYmecMNELzT0D+LtA3WIMfIhlRWaKKmcz1K3jwJ2KlNWxFzGsnVmh1 Dnun+3OMdjwUvaUcJ7aqmrsN9rVtD14nOOizDgVYk7UzRMmc/IXJfGxTM9iiaiGpzRXU Lc04viWUtHNP58raGreJuqxg5j+pY3vmwghCA6UOyF0YoZ3KkPI6UowTz7Ix87UjF5QI 823+x4gxtHALBmLL1BLG7bjfcVcgitpvklRmP34zrsNtFOHmUYTAYy7iMP0E54LpJzFr Jv/8RU6AvwybnZ3TpRye7hpMaWsiGdA7n0iY5NFbjZFPpHdAZVMYgjdRIobwRWY9tnwR jj1g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=iCKw8U+B; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h124-20020a636c82000000b003816043f0fcsi8065737pgc.753.2022.04.14.06.23.11; Thu, 14 Apr 2022 06:23:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=iCKw8U+B; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240665AbiDNJaB (ORCPT + 99 others); Thu, 14 Apr 2022 05:30:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55916 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229733AbiDNJ37 (ORCPT ); Thu, 14 Apr 2022 05:29:59 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94EAD50E2A; Thu, 14 Apr 2022 02:27:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8F56861CB7; Thu, 14 Apr 2022 09:27:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F941C385A1; Thu, 14 Apr 2022 09:27:29 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="iCKw8U+B" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1649928448; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=jitaCCQ2e/PpJGSBhLHWsevtZEgEekS1b3Wk73klyKA=; b=iCKw8U+BX0unZDHdCqu1WEQPpDnLVael4IDVYgWvfW7w0XcoPFz96Q+X7Oh/HXcBDfoQgf relkkKJiqLUs0hWWbJBeLDEdKmFO5iYlsrmp12SxDsveaByJUqA4gI9QfV6k/NrhryczGl YX1t4UDjk8/egPtL7ZCNgWMOfE4aDFg= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id ff3c9dc5 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Thu, 14 Apr 2022 09:27:27 +0000 (UTC) Date: Thu, 14 Apr 2022 11:27:22 +0200 From: "Jason A. Donenfeld" To: "Maciej W. Rozycki" Cc: Thomas Bogendoerfer , LKML , Linux Crypto Mailing List , Thomas Gleixner , Arnd Bergmann , Theodore Ts'o , Dominik Brodowski , Russell King , Catalin Marinas , Will Deacon , Geert Uytterhoeven , Paul Walmsley , Palmer Dabbelt , Albert Ou , "David S . Miller" , Richard Weinberger , Anton Ivanov , Johannes Berg , Ingo Molnar , Borislav Petkov , Dave Hansen , "H . Peter Anvin" , Chris Zankel , Max Filippov , John Stultz , Stephen Boyd , Dinh Nguyen , linux-arm-kernel , linux-m68k , "open list:BROADCOM NVRAM DRIVER" , linux-riscv , sparclinux@vger.kernel.org, linux-um@lists.infradead.org, X86 ML , linux-xtensa@linux-xtensa.org Subject: Re: [PATCH v4 04/11] mips: use fallback for random_get_entropy() instead of zero Message-ID: References: <20220413115411.21489-1-Jason@zx2c4.com> <20220413115411.21489-5-Jason@zx2c4.com> <20220413122546.GA11860@alpha.franken.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Maciej, On Thu, Apr 14, 2022 at 02:16:18AM +0100, Maciej W. Rozycki wrote: > Yes, for the relevant CPUs the range is 63-8 << 8 for R3k machines and > 47-0 (the lower bound can be higher if wired entries are used, which I > think we occasionally do) for R4k machines with a buggy CP0 counter. So > there are either 56 or up to 48 distinct CP0 Random register values. Ahh interesting, so it varies a bit, but it remains rather small. > It depends on the exact system. Some have a 32-bit high-resolution > counter in the chipset (arch/mips/kernel/csrc-ioasic.c) giving like 25MHz > resolution, some have nothing but jiffies. Alright, so there _are_ machines with no c0 cycles but with a good clock. Yet, 25MHz is still less than the cpu cycle, so this c0 random ORing trick remains useful perhaps. > It seems like a reasonable idea to me, but the details would have to be > sorted out, because where a chipset high-resolution counter is available > we want to factor it in, and otherwise we need to extract the right bits > from the CP0 Random register, either 13:8 for the R3k or 5:0 for the R4k. One thing we could do here that would seemingly cover all the cases without losing _that_ much would be: return (random_get_entropy_fallback() << 13) | ((1<<13) - read_c0_random()); Or in case the 13 turns out to be wrong on some hardware, we could mitigate the effect with: return (random_get_entropy_fallback() << 13) ^ ((1<<13) - read_c0_random()); As mentioned in the 1/xx patch of this series, random_get_entropy_fallback() should call the highest resolution thing. We then shave off the least-changing bits and stuff in the faster-changing bits from read_c0_random(). Then, in order to keep it counting up instead of down, we do the subtraction there. What do you think of this plan? Jason