From: Andy Lutomirski
Subject: Re: [RFC PATCH 0/4] random: a simple vDSO mechanism for reseeding userspace CSPRNGs
Date: Mon, 16 Jan 2023 11:49:42 -0800
Message-Id: <15F7D57C-8CC6-4CAE-8B7E-6F480B5F4133@amacapital.net>
References: <585ddb35-adc5-f5cf-4db3-27571f394108@zytor.com>
In-Reply-To: <585ddb35-adc5-f5cf-4db3-27571f394108@zytor.com>
To: "H. Peter Anvin"
Cc: Yann Droneaud, "Jason A. Donenfeld", Theodore Ts'o, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, Vincenzo Frascino, x86@kernel.org, linux-crypto@vger.kernel.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, Florian Weimer, Adhemerval Zanella Netto, Carlos O'Donell
X-Mailing-List: linux-crypto@vger.kernel.org

> On Jan 13, 2023, at 7:16 PM, H. Peter Anvin wrote:
>
> On 1/12/23 11:55, Yann Droneaud wrote:
>> Hi
>> On 12 January 2023 at 18:07, "Jason A. Donenfeld" wrote:
>>
>>> Sorry Yann, but I'm not interested in this approach, and I don't think
>>> reviewing the details of it is a good allocation of time. I don't
>>> want to lock the kernel into having specific reseeding semantics that
>>> are a contract with userspace, which is what this approach does.
>>
>> This patch adds a means for the kernel to tell userspace: between the
>> last time you called us with getrandom(timestamp,, GRND_TIMESTAMP),
>> something happened that triggered an update to the opaque cookie given
>> to getrandom(timestamp, GRND_TIMESTAMP). When such an update happens,
>> userspace is advised to discard buffered random data and retry.
>>
>> The meaning of the timestamp cookie is up to the kernel, and can be
>> changed anytime. Userspace is not expected to read the content of this
>> blob. Userspace only acts on the length returned by getrandom(,, GRND_TIMESTAMP):
>>
>> -1 : not supported
>> 0 : cookie not updated, no need to discard buffered data
>> >0 : cookie updated, userspace should discard buffered data
>>
>> For the cookie, I've used a single u64, but two u64 could be a better start,
>> providing room for implementing improved behavior in future kernel versions.
>>
>>> Please just let me iterate on my original patchset for a little bit,
>>> without adding more junk to the already overly large conversation.
>>
>> I like the simplicity of my so-called "junk". It's streamlined, doesn't
>> require a new syscall, doesn't require a new copy of ChaCha20 code.
>> I'm sorry it doesn't fit your expectations.
>
> Why would anything more than a 64-bit counter be ever necessary? It only needs to be incremented.

This is completely broken with CRIU or, for that matter, with VM forking.

>
> Let user space manage keeping track of the cookie matching its own buffers. You do NOT want this to be stateful, because that's just begging for multiple libraries to step on each other.
>
> Export the cookie from the vdso and voilà, a very cheap check around any user space randomness buffer will work:
>
> static clone_cookie_t last_cookie;
> clone_cookie_t this_cookie;
>
> this_cookie = get_clone_cookie();
> do {
>     while (this_cookie != last_cookie) {
>         last_cookie = this_cookie;
>         reinit_randomness();
>         this_cookie = get_clone_cookie();
>     }
>
>     extract_randomness_from_buffer();
>     this_cookie = get_clone_cookie();
> } while (this_cookie != last_cookie);
>
> last_cookie = this_cookie;
>
> -hpa
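
Added example (not part of the thread, and not code from any of its participants): the cookie check quoted above, made self-contained in C with one cookie copy per buffer so that two independent users do not share state. `get_clone_cookie()` is simulated by a process-local variable because the vDSO export is only a proposal here; `sim_kernel_cookie`, `bump_during_extract`, `struct rng_buf`, `lib_a`, `lib_b` and `rng_get_byte()` are hypothetical names, and the sketch does not model the CRIU or VM-fork cases raised in the reply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t clone_cookie_t;

/* Constructed stand-in for the cookie export proposed in the thread; no such
 * kernel interface is assumed to exist. 0 is reserved here as "never seen". */
static volatile clone_cookie_t sim_kernel_cookie = 1;
static int bump_during_extract;      /* simulate a clone event mid-extraction */
static clone_cookie_t get_clone_cookie(void) { return sim_kernel_cookie; }

/* Each buffer owner keeps its own copy of the cookie: no shared state. */
struct rng_buf { clone_cookie_t cookie; uint8_t pool[64]; size_t pos; unsigned reinits; };
static struct rng_buf lib_a, lib_b;  /* two independent "libraries" */

static void reinit_randomness(struct rng_buf *b) {
    /* Real code would refill from getrandom(); a counter pattern keeps this deterministic. */
    b->reinits++;
    memset(b->pool, (int)b->reinits, sizeof b->pool);
    b->pos = 0;
}

static uint8_t extract_randomness_from_buffer(struct rng_buf *b) {
    if (b->pos == sizeof b->pool)
        reinit_randomness(b);
    uint8_t v = b->pool[b->pos++];
    if (bump_during_extract > 0) { bump_during_extract--; sim_kernel_cookie++; }
    return v;
}

uint8_t rng_get_byte(struct rng_buf *b) {
    clone_cookie_t now = get_clone_cookie();
    uint8_t out;
    do {
        while (now != b->cookie) {   /* stale buffer: discard and refill */
            b->cookie = now;
            reinit_randomness(b);
            now = get_clone_cookie();
        }
        out = extract_randomness_from_buffer(b);
        now = get_clone_cookie();    /* re-check: did the cookie move meanwhile? */
    } while (now != b->cookie);
    return out;
}

int main(void) {
    rng_get_byte(&lib_a);
    sim_kernel_cookie++;             /* simulated clone event */
    rng_get_byte(&lib_a);
    printf("lib_a reinits after one clone event: %u\n", lib_a.reinits);
    return 0;
}
```

The second cookie read after extraction is what rejects a byte taken from a buffer that went stale while it was being read; without it only events that happen before the call are caught.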