lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1341514078.4020.1213.camel@calx>
Date:	Thu, 05 Jul 2012 13:47:58 -0500
From:	Matt Mackall <mpm@...enic.com>
To:	Theodore Ts'o <tytso@....edu>
Cc:	Linux Kernel Developers List <linux-kernel@...r.kernel.org>,
	torvalds@...ux-foundation.org, w@....eu, ewust@...ch.edu,
	zakir@...ch.edu, greg@...ah.com, nadiah@...ucsd.edu,
	jhalderm@...ch.edu, tglx@...utronix.de, davem@...emloft.net,
	stable@...nel.org
Subject: Re: [PATCH 01/10] random: make 'add_interrupt_randomness()' do
 something sane

On Thu, 2012-07-05 at 14:12 -0400, Theodore Ts'o wrote:
> We've been moving away from add_interrupt_randomness() for various
> reasons: it's too expensive to do on every interrupt, and flooding the
> CPU with interrupts could theoretically cause bogus floods of entropy
> from a somewhat externally controllable source.
> 
> This solves both problems by limiting the actual randomness addition
> to just once a second or after 128 interrupts, whicever comes first.
> During that time, the interrupt cycle data is buffered up in a per-cpu
> pool.  Also, we make sure the the nonblocking pool used by urandom is
> initialized before we start feeding the normal input pool.  This
> assures that /dev/urandom is returning unpredictable data as soon as
> possible.
> 
> (Based on an original patch by Linus, but significantly modified by
> tytso.)

This series generally looks good to me, thanks for working on this. Some
notes:

a) now that you have a lockless collection path, you can drop the
trickle logic that protects against thrashing the lock
b) you can drop the last of the IRQF_SAMPLE_RANDOM users (and the
corresponding deprecation notice)
c) this code looks like it might credit timer interrupts with entropy on
a system otherwise sitting in the idle loop:

> -	if (state == NULL)
> +	if ((fast_pool->count & 255) &&
> +	    !time_after(now, fast_pool->last + HZ))
>  		return;
>  
> -	DEBUG_ENT("irq event %d\n", irq);
> -	add_timer_randomness(state, 0x100 + irq);
> +	fast_pool->last = now;
> +
> +	r = nonblocking_pool.initialized ? &input_pool : &nonblocking_pool;
> +	mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool));
> +	credit_entropy_bits(r, 1);

I think you should demand a minimum number of events > HZ to actually
credit any valid entropy.

But I also still think the whole entropy counting/blocking scheme ought
to be dropped and /dev/random should become identical to /dev/urandom.
This series gets very close to the point where that's feasible.

-- 
Mathematics is the supreme nostalgia of our time.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ