| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 06 Dec 2007 08:02:33 +0100 From: Eric Dumazet <dada1@...mosbay.com> To: Matt Mackall <mpm@...enic.com> CC: Alan Cox <alan@...rguk.ukuu.org.uk>, Adrian Bunk <bunk@...nel.org>, Marc Haber <mh+linux-kernel@...schlus.de>, linux-kernel@...r.kernel.org, "David S. Miller" <davem@...emloft.net> Subject: Re: Why does reading from /dev/urandom deplete entropy so much? Matt Mackall a écrit : > On Tue, Dec 04, 2007 at 07:17:58PM +0100, Eric Dumazet wrote: >> Alan Cox a ?crit : >>>> No matter what you consider as being better, changing a 12 years old and >>>> widely used userspace interface like /dev/urandom is simply not an >>>> option. >>>> >>> Fixing it to be more efficient in its use of entropy and also fixing the >>> fact its not actually a good random number source would be worth looking >>> at however. >>> >> Yes, since current behavior on network irq is very pessimistic. > > No, it's very optimistic. The network should not be trusted. You keep saying that. I am refering to your previous attempts last year to remove net drivers from sources of entropy. No real changes were done. If the network should not be trusted, then a patch should make sure network interrupts feed /dev/urandom but not /dev/random at all. (ie not calling credit_entropy_store() at all) > > The distinction between /dev/random and /dev/urandom boils down to one > word: paranoia. If you are not paranoid enough to mistrust your > network, then /dev/random IS NOT FOR YOU. Use /dev/urandom. Do not > send patches to make /dev/random less paranoid, kthxbye. I have many tg3 adapters on my servers, receiving thousand of interrupts per second, and calling add_timer_randomness(). I would like to either : - Make sure this stuff is doing usefull job. - Make improvements to reduce cpu time used. I do not use /dev/urandom or/and /dev/random, but I know David wont accept a patch to remove IRQF_SAMPLE_RANDOM from tg3.c Currently, I see that current implementation is suboptimal because it calls credit_entropy_store( nbits=0) forever. > >> If you have some trafic, (ie more than HZ/2 interrupts per second), >> then add_timer_randomness() feeds >> some entropy but gives no credit (calling credit_entropy_store() with >> nbits=0) >> >> This is because we take into account only the jiffies difference, and >> not the get_cycles() that should give >> us more entropy on most plaforms. > > If we cannot measure a difference, we should nonetheless assume there > is one? There is a big difference on get_cycles() and jiffies. You should try to measure it on a typical x86_64 platform. > >> In this patch, I suggest that we feed only one u32 word of entropy, >> combination of the previous distinct >> words (with some of them being constant or so), so that the nbits >> estimation is less pessimistic, but also to >> avoid injecting false entropy. > > Umm.. no, that's not how it works at all. > > Also, for future reference, patches for /dev/random go through me, not > through Dave. > Why ? David is the network maintainer, and he was the one who rejected your previous patches. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists