| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130922205334.GC4584@logfs.org> Date: Sun, 22 Sep 2013 16:53:34 -0400 From: Jörn Engel <joern@...fs.org> To: Theodore Ts'o <tytso@....edu> Cc: Jörg-Volker Peetz <jvpeetz@....de>, John Stultz <john.stultz@...aro.org>, Stephan Mueller <smueller@...onox.de>, LKML <linux-kernel@...r.kernel.org>, dave.taht@...ferbloat.net, Frederic Weisbecker <fweisbec@...il.com>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [PATCH,RFC] random: make fast_mix() honor its name On Sun, 22 September 2013 17:27:52 -0400, Theodore Ts'o wrote: > > The structure of the mixing functions in /dev/random has been well > studied, and validatetd in a number of different academic papers. So > I prefer to stick with the basic architecture, even as it is scaled > down for speed reasons and beause the pool is smaller. And I want to keep that function. Essentially the point of fast_mix() is to ratelimit _mix_pool_bytes(). Naïve ratelimiting would simply discard the input once the ratelimit has been reached. My proposal is to still use the input bits, but use a really cheap mixing function. Your version of fast_mix() failed in the "really cheap" department. As a result, it showed up in profiles and at least one idiot (me) reverted to naïve ratelimiting. It could have been worse, I was explicitly asked twice to just remove the call to add_interrupt_randomness(). So don't think of my patch as weakening the mixing, but as strengthening the ratelimited mixing. If we have few interrupts, _mix_pool_bytes() will be run once a second, if we have many it will be run once every 64 interrupts. And in the latter case, the input for _mix_pool_bytes() is much better than with naïve ratelimiting. And you should do the same for add_timer_randomness(), where again you have ratelimiting. Once trickle_thresh is reached your code simply discards most randomness. Only once in 4096 call do you use all the bits you get - most of which will be predictable. Why not use a cheap mixing function for the other 4095 calls and ensure we have many good bits on call 4096? Jörn -- You can't tell where a program is going to spend its time. Bottlenecks occur in surprising places, so don't try to second guess and put in a speed hack until you've proven that's where the bottleneck is. -- Rob Pike -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists