| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Oct 2013 22:05:15 -0400 From: Theodore Ts'o <tytso@....edu> To: Linux Kernel Developers List <linux-kernel@...r.kernel.org> Cc: cryptography@...zdowd.com, Theodore Ts'o <tytso@....edu> Subject: [PATCH] random: drop trickle mode The add_timer_randomness() used to drop into trickle mode when entropy pool was estimated to be 87.5% full. This was important when add_timer_randomness() was used to sample interrupts. It's not used for this any more --- add_interrupt_randomness() now uses fast_mix() instead. By elimitating trickle mode, it allows us to fully utilize entropy provided by add_input_randomness() and add_disk_randomness() even when the input pool is above the old trickle threshold of 87.5%. This helps to answer the criticism in [1] in their hypothetical scenario where our entropy estimator was inaccurate, even though the measurements in [2] seem to indicate that our entropy estimator given real-life entropy collection is actually pretty good, albeit on the conservative side (which was as it was designed). [1] http://eprint.iacr.org/2013/338.pdf [2] http://eprint.iacr.org/2012/251.pdf Signed-off-by: "Theodore Ts'o" <tytso@....edu> --- drivers/char/random.c | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 790ce8d..8661c5c 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -282,10 +282,8 @@ #define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long)) /* - * To allow fractional bits to be tracked, the following fields contain - * this many fractional bits: - * - * entropy_count, trickle_thresh + * To allow fractional bits to be tracked, the entropy_count field is + * denominated in units of 1/8th bits. * * 2*(ENTROPY_SHIFT + log2(poolbits)) must <= 31, or the multiply in * credit_entropy_bits() needs to be 64 bits wide. @@ -314,14 +312,6 @@ static int random_write_wakeup_thresh = 128; static int random_min_urandom_seed = 60; /* - * When the input pool goes over trickle_thresh, start dropping most - * samples to avoid wasting CPU time and reduce lock contention. - */ -static const int trickle_thresh = (INPUT_POOL_WORDS * 28) << ENTROPY_SHIFT; - -static DEFINE_PER_CPU(int, trickle_count); - -/* * Originally, we used a primitive polynomial of degree .poolwords * over GF(2). The taps for various sizes are defined below. They * were chosen to be evenly spaced except for the last tap, which is 1 @@ -755,10 +745,6 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) long delta, delta2, delta3; preempt_disable(); - /* if over the trickle threshold, use only 1 in 4096 samples */ - if (ENTROPY_BITS(&input_pool) > trickle_thresh && - ((__this_cpu_inc_return(trickle_count) - 1) & 0xfff)) - goto out; sample.jiffies = jiffies; sample.cycles = random_get_entropy(); -- 1.7.12.rc0.22.gcdd159b -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists