Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp6901834iob; Wed, 11 May 2022 07:44:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx1NnZTmbm0XQAX1rIf7pM9i/cJmQtog0EKlsHbtYVrRy2zmOPLsenq9sNqgbb1pnjNL+7z X-Received: by 2002:a17:907:6d9e:b0:6f9:b861:828e with SMTP id sb30-20020a1709076d9e00b006f9b861828emr16970085ejc.427.1652280268688; Wed, 11 May 2022 07:44:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652280268; cv=none; d=google.com; s=arc-20160816; b=yEC1vyOJIh5RJ7TAyYmuZ26sJqZdGVyjC8w+O5x7cTzjYipGaVsNxuurXDdjFDmgxg nB/AEAVlawmrTEjncc1KPkY9mAuZ+tTiQK0erQ8Nc0hFOAdEK8DN8mLmp+No7JdeLI45 XvBmvC8l3dDDiVbsxoaKmQ88L7Ext9xv0kAiPUnHQxMlNU3kgeRLjYptzajrLVfELwWO G7k7o3/ApFegjOkZZ70T3f0XB+USA7TxOx6Ifa5x3FxCMNHMJYqNiinm5FTvaY3ptWTf QlTF8UXX4MsaaoIZe1A37aUTHgj5PokN9/y7cZrngMpYMmUWX/b1yiN7RPxXYYWZy/pJ cjYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:organization:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=P3pmuNFV/ptflpHqQQDwwf4tEA/mscwqGqx/YTI6DC4=; b=A/hPKksbIqc+HjVCqDc9IEsRi8LwqZLGWIyztBcyvpog0yQFYRIBt5YKnj+OE8i9Y+ wzD0lG+hHZ2GbMb/stz1pJsBVDfD6OCeoFsdxy3tRunkB0Vq6YXg5lJcbqpHbwo27X0V j+42VKvOz1JpKHJ+UFdFryZdELcP33PZZAx/SKduEJIx9XJHagTlAagNJf/bLogKVJb7 70/swbbv6BUlNRCZQb/nhOp9TRIRAqJ9rEHBzSPMlbtIvFaWDXizpacwUswxK43SnVju gyXCXwYIqwKEcpj5rk5FeINgCRTonNq5xKCVbsiUlihk8VH+njTw7DE5zwxEK8J/db1L oPJA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=S6BT2UOo; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ne36-20020a1709077ba400b006e87643da69si2616451ejc.746.2022.05.11.07.44.03; Wed, 11 May 2022 07:44:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=S6BT2UOo; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242907AbiEKM7Q (ORCPT + 99 others); Wed, 11 May 2022 08:59:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59836 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242909AbiEKM7O (ORCPT ); Wed, 11 May 2022 08:59:14 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C50C195DE9 for ; Wed, 11 May 2022 05:59:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1652273952; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=P3pmuNFV/ptflpHqQQDwwf4tEA/mscwqGqx/YTI6DC4=; b=S6BT2UOos8aiCNb9QyWzgryLSMuFe+bATzKNCvYQuSMsbHiqGNQWawV0nDRSy1lzoWL5Ns ws72iv+w+lfquOITGSAYPCgbfr8/UpMf9RRpUwQP6PiATxiRQzMlKOHABdLmtfvismERuE L6hOSGArAdmWBO6pgumV3bHsITSPCMI= Received: from mail-qt1-f199.google.com (mail-qt1-f199.google.com [209.85.160.199]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-400-3Ohi9LKrMfK808LuASAVAA-1; Wed, 11 May 2022 08:59:09 -0400 X-MC-Unique: 3Ohi9LKrMfK808LuASAVAA-1 Received: by mail-qt1-f199.google.com with SMTP id a24-20020ac81098000000b002e1e06a72aeso1523134qtj.6 for ; Wed, 11 May 2022 05:59:09 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:organization:user-agent:mime-version :content-transfer-encoding; bh=P3pmuNFV/ptflpHqQQDwwf4tEA/mscwqGqx/YTI6DC4=; b=iI0EJmNP5MlBY8H9Hi+bE9mQx9gGn/9Bgood8gIkyCJAUptOFukidpJBlh61ViMfHg H8GYfJPNUpoq0IlMcAGohgiMyJpjvVezd+BDlvNX2Hmzdi5MKUM/WAZapWRSuBE1+7Ah 5jPE265rT9tthtXb7a/bw9RprHIjzIZbD0RN0N6pxDfSJVEpVktggWP3WLX5gtUCxn1G Hll+tmedw0vtBA7zLs/J+Bum4QplzNGU1Gz7ObLWpE14nIT2qM8UWiTx/3I+/ukCGrc7 fIBLxfMghoHXPmcQrbvG8cqjfUzv1ER2P+9iW2s7qjDoGFCXsHDVwtOesCpzWOeq8CGy rEDQ== X-Gm-Message-State: AOAM533rdRGf4ze5UMuo/uGyHiJgpyl+TNcKtRcuUxD0M86h0xXa+wOV xdfNMlorC+DzXNvdhoBHnNbhl7WduC5ZvIEwXID+BOZuZ9ysAIO8H6T5wqmt1ua4OvAI4cJ817C ekFcLAGwd24rQNPej2AM4kVLu X-Received: by 2002:a05:620a:2412:b0:6a0:5f8e:c050 with SMTP id d18-20020a05620a241200b006a05f8ec050mr13739695qkn.462.1652273949358; Wed, 11 May 2022 05:59:09 -0700 (PDT) X-Received: by 2002:a05:620a:2412:b0:6a0:5f8e:c050 with SMTP id d18-20020a05620a241200b006a05f8ec050mr13739677qkn.462.1652273949082; Wed, 11 May 2022 05:59:09 -0700 (PDT) Received: from m8.users.ipa.redhat.com (cpe-158-222-141-151.nyc.res.rr.com. [158.222.141.151]) by smtp.gmail.com with ESMTPSA id bk29-20020a05620a1a1d00b0069fca79fa3asm1244537qkb.62.2022.05.11.05.59.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 May 2022 05:59:08 -0700 (PDT) Message-ID: Subject: Re: [PATCH 2/2] random: add fork_event sysctl for polling VM forks From: Simo Sorce To: "Jason A. Donenfeld" Cc: linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, Dominik Brodowski , Greg Kroah-Hartman , Theodore Ts'o , Alexander Graf , Colm MacCarthaigh , Torben Hansen , Jann Horn Date: Wed, 11 May 2022 08:59:07 -0400 In-Reply-To: References: <20220502140602.130373-1-Jason@zx2c4.com> <20220502140602.130373-2-Jason@zx2c4.com> <8f305036248cae1d158c4e567191a957a1965ad1.camel@redhat.com> Organization: Red Hat Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.42.4 (3.42.4-2.fc35) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Jason, On Wed, 2022-05-11 at 03:18 +0200, Jason A. Donenfeld wrote: > My proposal here is made with nonce reuse in mind, for things like > session keys that use sequential nonces. Although this makes sense the problem is that changing applications to do the right thing based on which situation they are in will never be done right or soon enough. So I would focus on a solution that makes the CSPRNGs in crypto libraries safe. > A different issue is random nonces. For these, it seems like a call to > getrandom() for each nonce is probably the best bet. But it sounds like > you're interested in a userspace RNG, akin to OpenBSD's arc4random(3). I > hope you saw these threads: > > - https://lore.kernel.org/lkml/YnA5CUJKvqmXJxf2@zx2c4.com/ > - https://lore.kernel.org/lkml/Yh4+9+UpanJWAIyZ@zx2c4.com/ > - https://lore.kernel.org/lkml/CAHmME9qHGSF8w3DoyCP+ud_N0MAJ5_8zsUWx=rxQB1mFnGcu9w@mail.gmail.com/ 4c does sound like a decent solution, it is semantically identical to an epoch vmgenid, all the library needs to do is to create such a mmap region, stick a value on it, verify it is not zero after computing the next random value but before returning it to the caller. This reduces the race to a very small window when the machine is frozen right after the random value is returned to the caller but before it is used, but hopefully this just means that the two machines will just make parallel computations that yield the exact same value, so no catastrophic consequence will arise (there is the odd case where two random values are sought and the split happens between the two are retrieved and this has bad consequences, I think we can ignore that). > Each one of those touches on vDSO things quite a bit. Basically, the > motivation for doing that is for making userspace RNGs safe and > promoting their use with a variety of kernel enhancements to make that > easy. And IF we are to ship a vDSO RNG, then certainly this vmgenid > business should be exposed that way, over and above other mechanisms. > It'd make the most sense...IF we're going to ship a vDSO RNG. > > So the question really is: should we ship a vDSO RNG? I could work on > designing that right. But I'm a little bit skeptical generally of the > whole userspace RNG concept. By and large they always turn out to be > less safe and more complex than the kernel one. So if we're to go that > way, I'd like to understand what the strongest arguments for it are. I am not entirely sure how a vDSO RNG would work, I think exposing the epoch(or whatever indicator) is enough, crypto libraries have pretty good PRNGs, what they require is simply a good source of entropy for the initial seeding and this safety mechanism to avoid state duplication on machine cloning. All the decent libraries already support detecting process forks. Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc