Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp10088823rwl; Wed, 11 Jan 2023 14:25:36 -0800 (PST) X-Google-Smtp-Source: AMrXdXtTIDAGwEba6/qFnM+OovkCvDjqHgUQGLvPC/RdwGdWLFAeFY7qCPtCvF5XSD9Jz/QdWnQx X-Received: by 2002:a17:906:9141:b0:7b2:757a:1411 with SMTP id y1-20020a170906914100b007b2757a1411mr71060520ejw.9.1673475936576; Wed, 11 Jan 2023 14:25:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673475936; cv=none; d=google.com; s=arc-20160816; b=Wv08KzsaL+o0GV7mhapqLmLQzosJnvsGGSII9MEMYEVTEqRk+BmoXQqyxhy6Isi6sv 1pauwyzD0NXRqIij3AXujLthH4dA6tjFsOnppgFTalOesmy8GsuCkywg/is1BnndLYgT 8ws4D4YSUWcfUfHC5qj94ABnsPtZ6nU0g1i+ztj7b4IMxF7vImztR1rNE33BtZz6pcuR aUHVHRzyNYkMEzR8PJjkL3XQiywB5KfeYTHrgbFvbmHPRyXTg8VzARkdhXRDdvMNnzw5 sPK8BNFxOuUzj4MiL1IsAfZ4H99xalZd1nbqV/SVbiL6fOJ9oPtBV4DxyRweWt5ia+Ga 8PqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=gU8SaOMOcRayw7QmSx4x+PEyBmmpEirqYrPt3JM+BBA=; b=Gr6kQKVh8ARZc+o4Npp4kQoBSBqBKA1qhLBr6oW2lcEjB+0TkXeb3ObzbyFQaw+e6k 2enkdHkOq+rB6YCAtI+PNmYtaOvHBhTy5JJm3xU0mT2n1L1qVpW/n1PZ2nHS1f2QWgj4 l8ozGjGVg5taRypWKRS853cZbaktgcEu3daUZCss0R+eRV5Nngru/xs5Amhjagrff8Ik +YjUqWTpYNk7uKb6rfDIHI3LGwvIZADN3nDUqn1XiDGz6gWTnlSHPdAv/0MimV/h6QHc dQE0qgt/f8EJlinBK3VfoozSTcYNCunTT2GFLbTlvrTbll0p+UJCJwrL/4idpnsv4iTt kcPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@efficios.com header.s=smtpout1 header.b=ahLgkiB5; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g25-20020a170906595900b0084c4942ea8esi12311032ejr.268.2023.01.11.14.25.02; Wed, 11 Jan 2023 14:25:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@efficios.com header.s=smtpout1 header.b=ahLgkiB5; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236111AbjAKWXf (ORCPT + 99 others); Wed, 11 Jan 2023 17:23:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37196 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236068AbjAKWX1 (ORCPT ); Wed, 11 Jan 2023 17:23:27 -0500 Received: from smtpout.efficios.com (smtpout.efficios.com [167.114.26.122]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0031D431A6; Wed, 11 Jan 2023 14:23:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=efficios.com; s=smtpout1; t=1673475805; bh=1Oxpyw0xOs6/7W8Tuvd1QWxZNFxc0oTmNh4yGrJ47L0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=ahLgkiB5IQ5QRVqLfHoeZAVd/D9rkVuFxvdtTNVcpj+nX3+Rzvw9sNQfLAFLHAfuC fx2epI4w+DJKuXv6m4KR7SNDMY4qMZkhSzNmwfHDp9UqNnqPC07Z+ESFd62ySxl27x 1wDae6L32WANYrSWVuQ5r5f0bvZJC1zbqZBt+qAO6TYRifgM/TovLMfKe8NlW3HsLj fGxSA7BZCmBpd8/UoA5TukoL0tLQap1kgsp3nWKpTHdr1PKfLtKXSds8I04INn6pf9 2Ku8+BOZMXNrPpCwYL7CdG4HKbEZoiMxoIHB2d2PRE0F6GcbbuI2DJ91Zc50i/9/Ua ZUhqiJZIJYa4A== Received: from localhost (192-222-180-24.qc.cable.ebox.net [192.222.180.24]) by smtpout.efficios.com (Postfix) with ESMTPSA id 4Nshz073rzzgWG; Wed, 11 Jan 2023 17:23:24 -0500 (EST) Date: Wed, 11 Jan 2023 17:23:56 -0500 From: Mathieu Desnoyers To: "Jason A. Donenfeld" Cc: linux-kernel@vger.kernel.org, patches@lists.linux.dev, tglx@linutronix.de, linux-crypto@vger.kernel.org, linux-api@vger.kernel.org, x86@kernel.org, Greg Kroah-Hartman , Adhemerval Zanella Netto , Carlos O'Donell , Florian Weimer , Arnd Bergmann , Jann Horn , Christian Brauner , Peter Zijlstra Subject: Re: [PATCH v14 0/7] implement getrandom() in vDSO Message-ID: References: <20230101162910.710293-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230101162910.710293-1-Jason@zx2c4.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 01-Jan-2023 05:29:03 PM, Jason A. Donenfeld wrote: [...] > Two statements: > > 1) Userspace wants faster cryptographically secure random numbers of > arbitrary size, big or small. > > 2) Userspace is currently unable to safely roll its own RNG with the > same security profile as getrandom(). > [...] > API-wise, the vDSO gains this function: > > ssize_t vgetrandom(void *buffer, size_t len, unsigned int flags, void *opaque_state); > > The return value and the first 3 arguments are the same as ordinary > getrandom(), while the last argument is a pointer to some state > allocated with vgetrandom_alloc(), explained below. Were all four > arguments passed to the getrandom syscall, nothing different would > happen, and the functions would have the exact same behavior. > > Then, we introduce a new syscall: > > void *vgetrandom_alloc(unsigned int *num, unsigned int *size_per_each, > unsigned long addr, unsigned int flags); > > This takes a hinted number of opaque states in `num`, and returns a > pointer to an array of opaque states, the number actually allocated back > in `num`, and the size in bytes of each one in `size_per_each`, enabling > a libc to slice up the returned array into a state per each thread. (The > `flags` and `addr` arguments, as well as the `*size_per_each` input > value, are reserved for the future and are forced to be zero for now.) > > Libc is expected to allocate a chunk of these on first use, and then > dole them out to threads as they're created, allocating more when > needed. The returned address of the first state may be passed to > munmap(2) with a length of `num * size_per_each`, in order to deallocate > the memory. > > We very intentionally do *not* leave state allocation up to the caller > of vgetrandom, but provide vgetrandom_alloc for that allocation. There > are too many weird things that can go wrong, and it's important that > vDSO does not provide too generic of a mechanism. It's not going to > store its state in just any old memory address. It'll do it only in ones > it allocates. [...] Have you considered extending rseq(2) per-thread "struct rseq" with an additional "prng_seed" pointer field, which would point to a per-thread memory area accessible both from userspace (at address __builtin_thread_pointer() + __rseq_offset) and from kernel's return-to-userspace rseq notification code (which can handle page faults) ? This way, the kernel can update its content when returning to userspace if an update is needed since the last update. Would that be sufficient as prng seed for your security requirements ? Implementation-wise, the semantic of the prng_seed could be entirely internal to a vgetrandom vDSO implementation, but the allocation of the memory holding this seed would be the responsibility of libc. libc could query the size required by the kernel for this prng seed with a new getauxval(3) entry, e.g. AT_RSEQ_PRNG_SIZE. By doing so, libc would only allocate as much memory as needed by the kernel vDSO implementation. This would remove the need for any kind of vgetrandom_alloc system call and all its associated complexity. Thoughts ? Thanks, Mathieu -- Mathieu Desnoyers EfficiOS Inc. http://www.efficios.com