Received: by 2002:a25:b323:0:0:0:0:0 with SMTP id l35csp1799205ybj; Sun, 22 Sep 2019 12:10:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqze+gZglxj/Ef77f3WgkU0Er6HrfjO+ZG6I0MpM/SDfbujCAubIokPPHs/xPhfz3eI/skLw X-Received: by 2002:a50:908c:: with SMTP id c12mr33915989eda.45.1569179448186; Sun, 22 Sep 2019 12:10:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569179448; cv=none; d=google.com; s=arc-20160816; b=PMoXNhX2PIUo2TAqpX/oGOu4i+jRQ6mS82C6kpNeHXeCv3voYY/z6lAfLeXfGknf5L uhGJ4tjraaFc9phHr0W3aO5ECPTwTCJn48Unlczd3pLnBmulSF/PzlFiPFqVZE2Tlut8 dSSeBe+iM7vEYCGBGl6y93kSpVzYITMkYUesgGQHNvUiOiOoiy7GR68MrCmanFQmc7Zv lsk6v9A3VbeEuTCIs9CVdozpxrW6PPS7/ipW3Jr82x8qn+uiP4LrIGQzrymvOkIb1Pvb ceit0gRPo7TZho59brj7tIhv9mPZPKBc3xIF5DjeE5oKq8OCW8B9WMvzP8WRyK9j9xFN SwSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=AzSGPVWzSHQsR8TKoHooeDPStzifC1wpIdedkb1tQ0g=; b=iPLtXImrX/6yjlScAsmfNnBe7PKzAC+mIXNjHPEkeYwidsG/CcoOw+YlqTHsofnUFf FdPFu5Fe7GOvo9gF/XAVHZdvG6OaYTbyNzBiMX8muuGDuX9HxIYeteCTC47E+86Ifycq M9itKir/v/aUOD0m65D5OepwRE9oO0fcSW0qZWZ4YyeQT+e6yfn2sQZV/ia/DLG2JmPW WowywBybuCjOogx6uoS7dN+To5TLATi0ZhVNsjiEch52cD39Mdqp8sWcq2ioLaLDOB8b q2HrHNYQe1KwdYMswDcUIhViiD30PCBBT/+eRvnHTpHiaE+w1dD3sw2AcJG5WjLlmRz5 +6Yw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MDD97AOK; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f57si5214127ede.78.2019.09.22.12.10.23; Sun, 22 Sep 2019 12:10:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MDD97AOK; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404787AbfITXaf (ORCPT + 99 others); Fri, 20 Sep 2019 19:30:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:46518 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404967AbfITXaf (ORCPT ); Fri, 20 Sep 2019 19:30:35 -0400 Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DB1B221882 for ; Fri, 20 Sep 2019 23:30:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569022234; bh=WnMayVa2/XDvHL1e+7jmVvQ/LflCEEfThR3A/O6WAe0=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=MDD97AOK7h1yXKTkH80poLtBNE96X2T5kJ98AMCn2EJoMnuaKS+R8hY1QSnwRhIw6 n8/ucSaPzuQvrsD9Uz3Oo9KrMF4/WwiIGoBzcPKEcrHGmFD/tw6nOOADNtLx9N982o YldrD65lYj0eN1ent3+i64cVSojAaqSDLXJqAZaU= Received: by mail-wr1-f53.google.com with SMTP id i1so8333378wro.4 for ; Fri, 20 Sep 2019 16:30:33 -0700 (PDT) X-Gm-Message-State: APjAAAWfPr/mB1FslgoeZruUBekGYz5GpaeY3T+PuD5cd+IAmtv520pk 7Zf2QaO9/NGycWzmNMGR206Cj4TYErpzwX/ls+DktQ== X-Received: by 2002:a5d:4c92:: with SMTP id z18mr12974870wrs.111.1569022232290; Fri, 20 Sep 2019 16:30:32 -0700 (PDT) MIME-Version: 1.0 References: <20190912034421.GA2085@darwi-home-pc> <20190912082530.GA27365@mit.edu> <20190914122500.GA1425@darwi-home-pc> <008f17bc-102b-e762-a17c-e2766d48f515@gmail.com> <20190915052242.GG19710@mit.edu> <20190918211503.GA1808@darwi-home-pc> <20190918211713.GA2225@darwi-home-pc> <20190920134609.GA2113@pc> In-Reply-To: From: Andy Lutomirski Date: Fri, 20 Sep 2019 16:30:20 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH RFC v4 1/1] random: WARN on large getrandom() waits and introduce getrandom2() To: Linus Torvalds Cc: Andy Lutomirski , "Ahmed S. Darwish" , Lennart Poettering , "Theodore Y. Ts'o" , "Eric W. Biederman" , "Alexander E. Patrakov" , Michael Kerrisk , Willy Tarreau , Matthew Garrett , lkml , Ext4 Developers List , Linux API , linux-man Content-Type: text/plain; charset="UTF-8" Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Fri, Sep 20, 2019 at 3:44 PM Linus Torvalds wrote: > > On Fri, Sep 20, 2019 at 1:51 PM Andy Lutomirski wrote: > > > > To be clear, when I say "blocking", I mean "blocks until we're ready, > > but we make sure we're ready in a moderately timely manner". > > .. an I want a pony. > > The problem is that you start from an assumption that we simply can't > seem to do. Eh, fair enough, I wasn't thinking about platforms without fast clocks. I'm very nervous about allowing getrandom(..., 0) to fail with -EAGAIN, though. On a very, very brief search, I didn't find any programs that would incorrectly assume it worked, but I can easily imagine programs crashing, and that might be bad, too. At the end of the day, most user programmers who call getrandom() really did notice that we flubbed the ABI, and either they were too lazy to fall back to /dev/urandom, or they didn't want to for some reason, or they genuinely want the blocking behavior. And people who work with little embedded systems without good clocks that basically can't generate random numbers already know this, and they have little scripts to help out. So I think that just improving the getrandom()-is-blocking-on-x86-and-arm behavior, adding GRND_INSECURE and GRND_SECURE_BLOCKING, and adding the warning if 0 is passed is good enough. I suppose we could also have separate GRND_SECURE_BLOCKING and GRND_SECURE_BLOCK_FOREVER. We could also say that, if you want to block forever, you should poll() on /dev/random (with my patches applied, where this actually does what users would want). --Andy