Date: Thu, 12 May 2022 21:12:57 -0400
From: "Theodore Ts'o"
To: "Jason A. Donenfeld"
Cc: linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, netdev@vger.kernel.org, Jakub Kicinski
Subject: Re: [PATCH] random32: use real rng for non-deterministic randomness
References: <20220511143257.88442-1-Jason@zx2c4.com>
In-Reply-To: <20220511143257.88442-1-Jason@zx2c4.com>
X-Mailing-List: linux-crypto@vger.kernel.org

On Wed, May 11, 2022 at 04:32:57PM +0200, Jason A. Donenfeld wrote:
> random32.c has two RNGs in it: one that is meant to be used
> deterministically, with some predefined seed, and one that does the same
> exact thing as random.c, except does it poorly. The first one has some
> use cases. The second one no longer does and can be replaced with calls
> to random.c's proper random number generator.
>
> The relatively recent siphash-based bad random32.c code was added in
> response to concerns that the prior random32.c was too deterministic.
> Out of fears that random.c was (at the time) too slow, this code was
> anonymously contributed by somebody who was likely reusing the alias of
> long-time anonymous contributor George Spelvin. Then out of that emerged
> a kind of shadow entropy gathering system, with its own tentacles
> throughout various net code, added willy-nilly.
>
> Stop making crappy bespoke random number generators.
>
> Fortunately, recent advances in random.c mean that we can stop playing
> with this sketchiness, and just use get_random_u32(), which is now fast
> enough. In micro benchmarks using RDPMC, I'm seeing the same median
> cycle count between the two functions, with the mean being _slightly_
> higher due to batches refilling (which we can optimize further if need be).
> However, when doing *real* benchmarks of the net functions that actually
> use these random numbers, the mean cycles actually *decreased* slightly
> (with the median still staying the same), likely because the additional
> prandom code means icache misses and complexity, whereas random.c is
> generally already being used by something else nearby.
>
> The biggest benefit of this is that there are many users of prandom who
> probably should be using cryptographically secure random numbers. This
> makes all of those accidental cases become secure by just flipping a
> switch. Later on, we can do a tree-wide cleanup to remove the static
> inline wrapper functions that this commit adds.
>
> Cc: Jakub Kicinski
> Cc: Theodore Ts'o
> Signed-off-by: Jason A. Donenfeld

Yay!

Acked-by: Theodore Ts'o