Received: by 2002:ac0:f2c4:0:0:0:0:0 with SMTP id f4csp2182651imp; Mon, 25 Jul 2022 08:13:12 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uPAZotC1DFaUQkc/7KZ4kyW7vwqwg0sbCBdS4APJu6g8lbWEithxcz2mCx7IpSRkheo9Vh X-Received: by 2002:a54:488d:0:b0:33a:87b3:31a with SMTP id r13-20020a54488d000000b0033a87b3031amr13206079oic.153.1658761991849; Mon, 25 Jul 2022 08:13:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658761991; cv=none; d=google.com; s=arc-20160816; b=EMbR5hXYha5r62VMIEJBERK7GAx85P7OTHUKxX8BBRjk8PODTlUi5DmP2zb7WRfSiN kqIXOct6DcvySU0rUOUwv96+1CkHc6J6n2jHWYpHVhatbXlOrC6Y/nGXg6IUyeqyzOgQ fxkSHvRFghgFmeaF+79yCzpYuUbnOB+2ORBSNFxCz7v8q+lovIdORPFfJ3N7P1aYyts8 KsbKf/mpO2MsUUVUZxCLUVDqhhxeVmGo66TKcBB5F6f7SirDHnozYUYwJ0XYih/hQRht sjcWNawE/BQ7CvRh3YQI4O5NlWNLmjfcz5OrXDzALs5um9RFx6WiVN6vCGOqLVrtm9BP rFVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=2G53n7Ktyz6kfbdkBKhDUYHtHX7Slv7amsXeN/sQtH0=; b=DtYtaBUwrsRdUMmTXA/GtrnkKhXu6nYrk39km39+b6YpkPDMjjOV+XsgJKA/qLRTkh oeHptzwo3z08YS67hu3aj31B2rVw+eIe1QGSjS197HjOthNEX2rFlhWVrMhOQLVMsAZt eRPsiQnGjeVlv21HWur1RibrZu+WiQnAyTaoe181yqI/eqoEGoBuVMK/DESyFi+q32mP ZjueFv7iGndL3c1isU57hO/LqxUIRBd2j7lDpxJxCKGm5XT6/Nov4AkwmAADbE2D9XkN 1blnBZYJkHTtqLiq3jnxtQf1x1rmiRxHDbIOWhDfGey+6mG2Me5yFdUUQR+qLHg/0/z9 nh7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=temperror (no key for signature) header.i=@libc.org header.s=20210105 header.b=g3Wc9Oro; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id k26-20020a056808069a00b0033a1ddd4c1dsi947817oig.241.2022.07.25.08.12.44; Mon, 25 Jul 2022 08:13:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@libc.org header.s=20210105 header.b=g3Wc9Oro; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233019AbiGYPJu (ORCPT + 99 others); Mon, 25 Jul 2022 11:09:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53782 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232406AbiGYPJt (ORCPT ); Mon, 25 Jul 2022 11:09:49 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 37F3F12D16 for ; Mon, 25 Jul 2022 08:09:48 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id EA13DB80DD9 for ; Mon, 25 Jul 2022 15:09:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 49F6FC341C6 for ; Mon, 25 Jul 2022 15:09:45 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=fail reason="key not found in DNS" (0-bit key) header.d=libc.org header.i=@libc.org header.b="g3Wc9Oro" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=libc.org; s=20210105; t=1658761783; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2G53n7Ktyz6kfbdkBKhDUYHtHX7Slv7amsXeN/sQtH0=; b=g3Wc9OroUarJIBAYUc0ueLkeBTdoroNZ5UKTTpyxqxmNFbQOu/QjNJd09ZSq0lZFEOpXt+ nLHRGHyzQ40sQ7BYOjphH0S2gPMevyzlWM51wQGnbXlCCXtEAypUmhbwxgSWTDk5EO6oJy OZ2XUCyYBfmGtfSjc0xMxhq4tG5Mo30= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 443b10df (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) for ; Mon, 25 Jul 2022 15:09:43 +0000 (UTC) Date: Mon, 25 Jul 2022 10:56:32 -0400 From: Rich Felker To: Florian Weimer Cc: "Jason A. Donenfeld via Libc-alpha" , Yann Droneaud , jann@thejh.net, "Jason A. Donenfeld" , Michael@phoronix.com, linux-crypto@vger.kernel.org Subject: Re: arc4random - are you sure we want these? Message-ID: <20220725145628.GE7074@brightrain.aerifal.cx> References: <87bktdsdrk.fsf@oldenburg.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87bktdsdrk.fsf@oldenburg.str.redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Status: No, score=-6.5 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, Jul 25, 2022 at 12:11:27PM +0200, Florian Weimer via Libc-alpha wrote: > * Jason A. Donenfeld via Libc-alpha: > > > I really wonder whether this is a good idea, whether this is something > > that glibc wants, and whether it's a design worth committing to in the > > long term. > > Do you object to the interface, or the implementation? That was *exactly* my first question too. > The implementation can be improved easily enough at a later date. > > > Firstly, for what use cases does this actually help? As of recent > > changes to the Linux kernels -- now backported all the way to 4.9! -- > > getrandom() and /dev/urandom are extremely fast and operate over per-cpu > > states locklessly. Sure you avoid a syscall by doing that in userspace, > > but does it really matter? Who exactly benefits from this? > > getrandom may be fast for bulk generation. It's not that great for > generating a few bits here and there. For example, shuffling a > 1,000-element array takes 18 microseconds with arc4random_uniform in > glibc, and 255 microseconds with the naïve getrandom-based > implementation (with slightly biased results; measured on an Intel > i9-10900T, Fedora's kernel-5.18.11-100.fc35.x86_64). > > > You miss out on this with arc4random, and if that information _is_ to be > > exported to userspace somehow in the future, it would be awfully nice to > > design the userspace interface alongside the kernel one. > > What is the kernel interface you are talking about? From an interface > standpoint, arc4random_buf and getrandom are very similar, with the main > difference is that arc4random_buf cannot report failure (except by > terminating the process). > > > Seen from this perspective, going with OpenBSD's older paradigm might be > > rather limiting. Why not work together, between the kernel and libc, to > > see if we can come up with something better, before settling on an > > interface with semantics that are hard to walk back later? > > Historically, kernel developers were not interested in solving some of > the hard problems (especially early seeding) that prevent the use of > getrandom during early userspace stages. > > > As-is, it's hard to recommend that anybody really use these functions. > > Just keep using getrandom(2), which has mostly favorable semantics. > > Some applications still need to run in configurations where getrandom is > not available (either because the kernel is too old, or because it has > been disabled via seccomp). > > > Yes, I get it: it's fun to make a random number generator, and so lots > > of projects figure out some way to make yet another one somewhere > > somehow. But the tendency to do so feels like a weird computer tinkerer > > disease rather something that has ever helped the overall ecosystem. > > The performance numbers suggest that we benefit from buffering in user > space. It might not be necessary to implement expansion in userspace. > getrandom (or /dev/urandom) with a moderately-sized buffer could be > sufficient. FWIW I'd rather have a few kB of shareable entropy-expansion .text in userspace than a few kB per process (or even per thread? >_<) of nonshareable data any day. > But that's an implementation detail, and something we can revisit later. > If we vDSO acceleration for getrandom (maybe using the userspace > thread-specific data donation we discussed for rseq), we might > eventually do way with the buffering in glibc. Again this is an > implementation detail we can change easily enough. Exactly. FWIW I've been kinda waiting to see what glibc would do on this after the posix_random proposal failed, before considering much what we should do in musl, but the value I see in either is not as an optimization but as honoring a well-known interface so we have fewer applications doing their own stupid YOLO stuff trying to get secure entropy and botching it. So far the best we have is getentropy but it fails on old kernels. At some point musl will probably implement both arc4random and getentropy with secure fallback process for old kernels -- certainly the fallback is needed for meeting the arc4random contract and I'd like it on both places. Rich