Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp3715860rwb;
        Mon, 16 Jan 2023 11:53:16 -0800 (PST)
X-Google-Smtp-Source: AMrXdXt7Ptx2JfNqXkMd822JWU6wF90vkxvUwwNZyc/UU3lxNx1cizzY9KUcVcXO5b+sfq3eX06Q
X-Received: by 2002:a17:907:8dca:b0:85f:5d72:1841 with SMTP id tg10-20020a1709078dca00b0085f5d721841mr197500ejc.39.1673898796288;
        Mon, 16 Jan 2023 11:53:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1673898796; cv=none;
        d=google.com; s=arc-20160816;
        b=FtpTe/aDmrSHDIsTiu3aS9XyR2LW0V9Zb2ebhtqdkB7yPjKlVEEsDHqK2D/Fz3yjFU
         Z+HlQS8qubHPwbzV+ciJmwNTh7217CSOkDVxCAeH0k+RWt261h5pgRRMyiS6o7f4Qtal
         6CK48K1KxKUC/uJ85M/qkDXf3FF+TPyJwk24TY/dsFR/75H6f202Yx4f4X8KCA0T96l0
         vMY7bGl77PzQLjYduKefO9rLUfM61AZLFZx7hp5jPuoTpjMzVvUzYLp1t6KkfdK+E6QM
         zvj1bK4UCvNLoxs6/XWYWgA/0HJjS5RSSLbMMKY/bLO8zwxWuo0Y984X/kcfb7wTxN5o
         2aLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:to:in-reply-to:cc:references:message-id:date
         :subject:mime-version:from:content-transfer-encoding:dkim-signature;
        bh=8wZvvACyBelhwyC9g77by0DEIkBqZpn0ZmXIgfmKr4s=;
        b=Kn3r9O/DTrFLaIKNEUypumIlxYEDDqoF3a1bD/aO32DItxyZBcEZ5g/JMHWBeuQp57
         Aa1piUzsVfWgc0/zONI5cOyziCyVg+d60DfuV2EdaAj0kiXOn+skRG/UXrJMKrvyX2FP
         1UCPaRuK5ZaAjKIfRzd4QrMsaL1LmCJifl/ZED03BJh4/Go/AAu18bgPUmzJ89ELElbn
         dzWU4MaNb/TMVvtiL3GJKbGk6FESuIG/84aTEkJKVrAnkOV7FNmjBiehV6AbOgZTN+HE
         iwxPWeQKUGGZ/HjB+6qPy7hwSJwRok/IiXb46rpyBTPM3KVGeFR6muMO8vcKTaSVmvdz
         VLMw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amacapital-net.20210112.gappssmtp.com header.s=20210112 header.b=0oC65SyR;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id dp16-20020a170906c15000b00870c5d344e3si4532624ejc.139.2023.01.16.11.52.45;
        Mon, 16 Jan 2023 11:53:16 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amacapital-net.20210112.gappssmtp.com header.s=20210112 header.b=0oC65SyR;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232717AbjAPTuA (ORCPT <rfc822;vik.reck@gmail.com> + 99 others);
        Mon, 16 Jan 2023 14:50:00 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53352 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231161AbjAPTt5 (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 16 Jan 2023 14:49:57 -0500
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90C6A2C67C
        for <linux-crypto@vger.kernel.org>; Mon, 16 Jan 2023 11:49:56 -0800 (PST)
Received: by mail-pl1-x630.google.com with SMTP id z13so3516815plg.6
        for <linux-crypto@vger.kernel.org>; Mon, 16 Jan 2023 11:49:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amacapital-net.20210112.gappssmtp.com; s=20210112;
        h=to:in-reply-to:cc:references:message-id:date:subject:mime-version
         :from:content-transfer-encoding:from:to:cc:subject:date:message-id
         :reply-to;
        bh=8wZvvACyBelhwyC9g77by0DEIkBqZpn0ZmXIgfmKr4s=;
        b=0oC65SyRHbWDjj7xp6Z5i5H7PKj9V2uYPsPQ3OqlQp+3vN9gFAdP/sq3xkLwsvLRVS
         McB8d3MpJc4v96EUA9wf/iM2TqR0GJ15g374T+k2oOetyyQWWe5sV0KcuuaI0T3DQ1mO
         aPo1gjrVrlEsQNgjfwYbOonw+vgLoONw5oTLv4ZFnSeIM3jDuEFozpyQ+5pp9VxbxTEU
         dIzgulr11qkfeUnYqXz7AVpJZ1KN2zDbCism7+gww5+ygd5mNP3cDh4X7duKjhUMeg4A
         9+k+ruW9Y/N4jDkPQkNzvGey+mDbzzVDdaQJV7geBcMly8kcUZWwPTWhv8f4ZnhHKrtJ
         2IIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=to:in-reply-to:cc:references:message-id:date:subject:mime-version
         :from:content-transfer-encoding:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=8wZvvACyBelhwyC9g77by0DEIkBqZpn0ZmXIgfmKr4s=;
        b=ws0ZFpdkPdGPNLPTLt8z0lHDZQl0EDvx8qrLg1xgSHdSauPEsowx7A1qBxSQEnVHVP
         4xehCI09vyoj24fuTV79hHRYYQUUobGIW2rP4eQRjH5cQBezufLB+9pxTVilEnvQeeUQ
         URTLx0luNhVz1oFZamKn9FEnkt0gae2/Pl6PpSVx/Wwj7G5zI4YD9ts5yAf37k3IkK6L
         ZEAOeGTssVaK+ls8XQIKWnRGHON81quaqugL40Q/0PzuTjhmKHQVQr4chdjH8sAkohit
         uXCPFEMFNLbqQEHQwTg/3m6roLwS3sKDU14/r+54kP7EXxyq/jUqnuzhDSu14f5KDIXR
         YrFQ==
X-Gm-Message-State: AFqh2kqypQfR/+tyg586WZxXNcaYOocyB130oo5bG7OTfh7pD0UQBpuQ
        xcwjQf6zFqUWBop8Zw3buQweWQ==
X-Received: by 2002:a05:6a20:1710:b0:b8:499d:7c99 with SMTP id bn16-20020a056a20171000b000b8499d7c99mr180334pzb.0.1673898596098;
        Mon, 16 Jan 2023 11:49:56 -0800 (PST)
Received: from smtpclient.apple ([2601:646:c200:522:b469:4533:dab3:1cd4])
        by smtp.gmail.com with ESMTPSA id p5-20020a170902bd0500b0019248880f75sm19686244pls.77.2023.01.16.11.49.54
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 16 Jan 2023 11:49:54 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From:   Andy Lutomirski <luto@amacapital.net>
Mime-Version: 1.0 (1.0)
Subject: Re: [RFC PATCH 0/4] random: a simple vDSO mechanism for reseeding userspace CSPRNGs
Date:   Mon, 16 Jan 2023 11:49:42 -0800
Message-Id: <15F7D57C-8CC6-4CAE-8B7E-6F480B5F4133@amacapital.net>
References: <585ddb35-adc5-f5cf-4db3-27571f394108@zytor.com>
Cc:     Yann Droneaud <ydroneaud@opteya.com>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>,
        Theodore Ts'o <tytso@mit.edu>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Andy Lutomirski <luto@kernel.org>,
        Vincenzo Frascino <vincenzo.frascino@arm.com>, x86@kernel.org,
        linux-crypto@vger.kernel.org, linux-api@vger.kernel.org,
        linux-kernel@vger.kernel.org, Florian Weimer <fweimer@redhat.com>,
        Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>,
        Carlos O'Donell <carlos@redhat.com>
In-Reply-To: <585ddb35-adc5-f5cf-4db3-27571f394108@zytor.com>
To:     "H. Peter Anvin" <hpa@zytor.com>
X-Mailer: iPhone Mail (20C65)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org



> On Jan 13, 2023, at 7:16 PM, H. Peter Anvin <hpa@zytor.com> wrote:
>=20
> =EF=BB=BFOn 1/12/23 11:55, Yann Droneaud wrote:
>> Hi
>> 12 janvier 2023 =C3=A0 18:07 "Jason A. Donenfeld" <Jason@zx2c4.com> a =C3=
=A9crit:
>> =20
>>> Sorry Yann, but I'm not interested in this approach, and I don't think
>>> reviewing the details of it are a good allocation of time. I don't
>>> want to lock the kernel into having specific reseeding semantics that
>>> are a contract with userspace, which is what this approach does.
>> This patch adds a mean for the kernel to tell userspace: between the
>> last time you call us with getrandom(timestamp,, GRND_TIMESTAMP),
>> something happened that trigger an update to the opaque cookie given
>> to getrandom(timestamp, GRND_TIMESTAMP). When such update happen,
>> userspace is advised to discard buffered random data and retry.
>> The meaning of the timestamp cookie is up to the kernel, and can be
>> changed anytime. Userspace is not expected to read the content of this
>> blob. Userspace only acts on the length returned by getrandom(,, GRND_TIM=
ESTAMP):
>>  -1 : not supported
>>   0 : cookie not updated, no need to discard buffered data
>>  >0 : cookie updated, userspace should discard buffered data
>> For the cookie, I've used a single u64, but two u64 could be a better sta=
rt,
>> providing room for implementing improved behavior in future kernel versio=
ns.
>>> Please just let me iterate on my original patchset for a little bit,
>>> without adding more junk to the already overly large conversation.
>> I like the simplicity of my so called "junk". It's streamlined, doesn't
>> require a new syscall, doesn't require a new copy of ChaCha20 code.
>> I'm sorry it doesn't fit your expectations.
>=20
> Why would anything more than a 64-bit counter be ever necessary? It only n=
eeds to be incremented.

This is completely broken with CRIU or, for that matter, with VM forking.

>=20
> Let user space manage keeping track of the cookie matching its own buffers=
. You do NOT want this to be stateful, because that's just begging for multi=
ple libraries to step on each other.
>=20
> Export the cookie from the vdso and voli=C3=A0, a very cheap check around a=
ny user space randomness buffer will work:
>=20
>    static clone_cookie_t last_cookie;
>    clone_cookie_t this_cookie;
>=20
>    this_cookie =3D get_clone_cookie();
>    do {
>        while (this_cookie !=3D last_cookie) {
>            last_cookie =3D this_cookie;
>            reinit_randomness();
>            this_cookie =3D get_clone_cookie();
>        }
>=20
>        extract_randomness_from_buffer();
>        this_cookie =3D get_clone_cookie();
>    } while (this_cookie !=3D last_cookie);
>=20
>    last_cookie =3D this_cookie;
>=20
>    -hpa