Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp2138495rwb;
        Wed, 30 Nov 2022 02:55:56 -0800 (PST)
X-Google-Smtp-Source: AA0mqf46/SqyvPf7+pppb0saj6PGemJ4QmquZ0Be/81BA8yimHrb83ddahZ+mfQiERp8JyB3Kdct
X-Received: by 2002:a17:906:945a:b0:7a8:3597:34a8 with SMTP id z26-20020a170906945a00b007a8359734a8mr34678357ejx.628.1669805756569;
        Wed, 30 Nov 2022 02:55:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669805756; cv=none;
        d=google.com; s=arc-20160816;
        b=uqkhukXijsxszKuFt9xry+2XrEqhVw5DYp7ykOu0EBBO7Q5d2gSu2yrInRjUp6J+u0
         hF+mHohlN9naZBHyz4avd1HCc1WE683o5gApfXA97owbQ5+uqIcP8SOlnshIs88lDOPn
         7r6ascXLm4TtpD+ExKbWCw6vNnT+/y5inJ3685Om8U+a8o7tGyGbRkmXkvxtoH96/1d8
         i62jrgOSG6KIIAC0RngqVvrt+sZbmVbTDKsEfyLvBAfJTMC9D1JJPhTjGpYjI/oz/pyo
         qykxo8XLSC9XyAwXqoE1puatzITpBE88iZji0S5nWEOANjn76QrpShetZnQo3XP5wHAb
         M4AQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to
         :date:references:subject:cc:to:from:dkim-signature;
        bh=pvh0cCJDgAci2aX0Jdydv7b4QnzuovzLy7wn9SQOJdE=;
        b=Mid6G6XCVDbxcJXshSqRCKrtnABP6rwjXE/QY+5AmeLbC5cCMampbAiuo1hDhZWwwr
         h3SyInxUsSM91m+Oa3u/ENNctz1G5B4D1pKxHgB2rOs+zGY5SHVPPvLc+iEMcjPZzpvH
         bIv6no64PdofKNBgZU7rCnIptpIKgn9ytpJPAwVvcnYUne6N8wDqBJHGjHkiQyrFfVIX
         t2lcWf3P0HE0oUtgRFDKenssOY1aTUXOnoblQC8K62WMG32kyAUKi+hFnhknzZH2+uGT
         W4yD6vI9HVYVz3FW5L8d8kAokkag/P56aerBWt1QrbErEJy8Yomi6pfDs8g78D9eGQ+R
         jEUA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="g/eq1IF6";
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id sa39-20020a1709076d2700b007c08bfea555si998267ejc.121.2022.11.30.02.55.32;
        Wed, 30 Nov 2022 02:55:56 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="g/eq1IF6";
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232720AbiK3KxH (ORCPT <rfc822;logchen2009@gmail.com>
        + 99 others); Wed, 30 Nov 2022 05:53:07 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48172 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232641AbiK3KxG (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Wed, 30 Nov 2022 05:53:06 -0500
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8320473BBE
        for <linux-crypto@vger.kernel.org>; Wed, 30 Nov 2022 02:52:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1669805530;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=pvh0cCJDgAci2aX0Jdydv7b4QnzuovzLy7wn9SQOJdE=;
        b=g/eq1IF6iODDPOq7QElvZ5ZFWuQpygKgzpvJ2yv22vg1QmVb7otSt2wmLJnmyYUC+wKtLt
        eHfAzXQ/sNH5YdTXIBUAxMzFljh2InHWD3G5wwCqd1JCfVYdf8aZUfZbgBgnay89r1BeA1
        Au8gYBOVJsr8wu0ajsIzVh66tjnrfII=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-474-CWBn_NusP6CRRW80MXlqxw-1; Wed, 30 Nov 2022 05:52:06 -0500
X-MC-Unique: CWBn_NusP6CRRW80MXlqxw-1
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E88E185A588;
        Wed, 30 Nov 2022 10:52:05 +0000 (UTC)
Received: from oldenburg.str.redhat.com (unknown [10.2.16.98])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 411362024CBE;
        Wed, 30 Nov 2022 10:52:03 +0000 (UTC)
From:   Florian Weimer <fweimer@redhat.com>
To:     "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc:     linux-kernel@vger.kernel.org, patches@lists.linux.dev,
        tglx@linutronix.de, linux-crypto@vger.kernel.org,
        linux-api@vger.kernel.org, x86@kernel.org,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>,
        Carlos O'Donell <carlos@redhat.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Christian Brauner <brauner@kernel.org>
Subject: Re: [PATCH v10 1/4] random: add vgetrandom_alloc() syscall
References: <20221129210639.42233-1-Jason@zx2c4.com>
        <20221129210639.42233-2-Jason@zx2c4.com>
Date:   Wed, 30 Nov 2022 11:51:59 +0100
In-Reply-To: <20221129210639.42233-2-Jason@zx2c4.com> (Jason A. Donenfeld's
        message of "Tue, 29 Nov 2022 22:06:36 +0100")
Message-ID: <877czc7m0g.fsf@oldenburg.str.redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.4
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

* Jason A. Donenfeld:

> +#ifdef CONFIG_VGETRANDOM_ALLOC_SYSCALL
> +/**
> + * vgetrandom_alloc - allocate opaque states for use with vDSO getrandom().
> + *
> + * @num: on input, a pointer to a suggested hint of how many states to
> + * allocate, and on output the number of states actually allocated.

Should userspace call this system call again if it needs more states?
The interface description doesn't make this clear.

> + * @size_per_each: the size of each state allocated, so that the caller can
> + * split up the returned allocation into individual states.
> + *
> + * @flags: currently always zero.
> + *
> + * The getrandom() vDSO function in userspace requires an opaque state, which
> + * this function allocates by mapping a certain number of special pages into
> + * the calling process. It takes a hint as to the number of opaque states
> + * desired, and provides the caller with the number of opaque states actually
> + * allocated, the size of each one in bytes, and the address of the first
> + * state.
> +
> + * Returns a pointer to the first state in the allocation.
> + *
> + */

How do we deallocate this memory?  Must it remain permanently allocated?

Can userspace use the memory for something else if it's not passed to
getrandom?  The separate system call strongly suggests that the
allocation is completely owned by the kernel, but there isn't
documentation here how the allocation life-cycle is supposed to look
like.  In particular, it is not clear if vgetrandom_alloc or getrandom
could retain a reference to the allocation in a future implementation of
these interfaces.

Some users might want to zap the memory for extra hardening after use,
and it's not clear if that's allowed, either.

> +SYSCALL_DEFINE3(vgetrandom_alloc, unsigned int __user *, num,
> +		unsigned int __user *, size_per_each, unsigned int, flags)
> +{

ABI-wise, that should work.

> +	const size_t state_size = sizeof(struct vgetrandom_state);
> +	size_t alloc_size, num_states;
> +	unsigned long pages_addr;
> +	unsigned int num_hint;
> +	int ret;
> +
> +	if (flags)
> +		return -EINVAL;
> +
> +	if (get_user(num_hint, num))
> +		return -EFAULT;
> +
> +	num_states = clamp_t(size_t, num_hint, 1, (SIZE_MAX & PAGE_MASK) / state_size);
> +	alloc_size = PAGE_ALIGN(num_states * state_size);

Doesn't this waste space for one state if state_size happens to be a
power of 2?  Why do this SIZE_MAX & PAGE_MASK thing at all?  Shouldn't
it be PAGE_SIZE / state_size?

> +	if (put_user(alloc_size / state_size, num) || put_user(state_size, size_per_each))
> +		return -EFAULT;
> +
> +	pages_addr = vm_mmap(NULL, 0, alloc_size, PROT_READ | PROT_WRITE,
> +			     MAP_PRIVATE | MAP_ANONYMOUS | MAP_LOCKED, 0);

I think Rasmus has already raised questions about MAP_LOCKED.

I think the kernel cannot rely on it because userspace could call
munlock on the allocation.

> +	if (IS_ERR_VALUE(pages_addr))
> +		return pages_addr;
> +
> +	ret = do_madvise(current->mm, pages_addr, alloc_size, MADV_WIPEONFORK);
> +	if (ret < 0)
> +		goto err_unmap;
> +
> +	return pages_addr;
> +
> +err_unmap:
> +	vm_munmap(pages_addr, alloc_size);
> +	return ret;
> +}
> +#endif

If there's no registration of the allocation, it's not clear why we need
a separate system call for this.  From a documentation perspective, it
may be easier to describe proper use of the getrandom vDSO call if
ownership resides with userspace.  But it will constrain future
evolution of the implementation because you can't add registration
(retaining a reference to the passed-in area in getrandom) after the
fact.  But I'm not sure if this is possible with the current interface,
either.  Userspace has to make some assumptions about the life-cycle to
avoid a memory leak on thread exit.

Thanks,
Florian