lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140614045520.12333.qmail@ns.horizon.com>
Date:	14 Jun 2014 00:55:20 -0400
From:	"George Spelvin" <linux@...izon.com>
To:	linux@...izon.com, tytso@....edu
Cc:	hpa@...ux.intel.com, linux-kernel@...r.kernel.org,
	mingo@...nel.org, price@....edu
Subject: [RFC] random: is the IRQF_TIMER test working as intended?

I'm trying to understand the entropy credit computation in
add_interrupt_randomness.  A few things confuse me, and I'm
wondering if it's intended to be that way.

1) Since the number of samples between spills to the input pool is
   variable (with > 64 samples now possible due to the trylock), wouldn't
   it make more sense to accumulate an entropy estimate?
2) Why only deny entropy credit for back-to-back timer interrupts?
   If both both t2 - x and x - t1 are worth credit, why  not for t2 - t1?
   It seems a lot better (not to mention simpler) to not credit any
   timer interrupt, so x - t1 will get credit but not t2 - x.
3) Why only consider the status of the interrupts when spills occur?
   This is the most confusing. The whole __IRQF_TIMER and last_timer_intr
   logic simply skips over the intermediate samples, so it actually
   detects timer interrupts 64 interrupt (or 1 second) apart.
   Shouldn't that sort of thing actually be looking at *consecutive*
   calls to add_interrupt_randomness?
4) If the above logic denies credit, why deny credit for
   arch_get_random_seed_long as well?

For discussion, here's an example of a change that fixes all of the
above, in patch form.  (The credit_entropy_frac function is omitted but
hopefully obvious.)

The amount of entropy credit particularly needs thought.  I'm currently
using 1/8 of a bit per sample to keep the patch as simple as possible.
This is 8x the current credit if interrupts are frequent, but less if they
occur at less than 8 Hz.  That actually seems on the conservative side
of reasonable to me (1/8 of a bit is odds of 1 in 58.3817), particularly
if there's a cycle timer.


diff --git a/drivers/char/random.c b/drivers/char/random.c
index 03c385f5..c877cb65 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -548,9 +548,8 @@ static void mix_pool_bytes(struct entropy_store *r, const void *in,
 struct fast_pool {
 	__u32		pool[4];
 	unsigned long	last;
-	unsigned short	count;
+	unsigned short	entropy;	/* Entropy, in fractional bits */
 	unsigned char	rotate;
-	unsigned char	last_timer_intr;
 };
 
 /*
@@ -577,7 +576,6 @@ static void fast_mix(struct fast_pool *f, __u32 input[4])
 	input_rotate = (input_rotate + 7) & 31;
 
 	f->rotate = input_rotate;
-	f->count++;
 }
 
 /*
@@ -851,15 +849,33 @@ void add_interrupt_randomness(int irq, int irq_flags)
 
 	fast_mix(fast_pool, input);
 
-	if ((fast_pool->count & 63) && !time_after(now, fast_pool->last + HZ))
+	/*
+	 * If we don't have a vaid cycle counter, don't give credit for
+	 * timer interrupts.  Otherwise, credit 1/8 bit per interrupt.
+	 * (Should there be a difference if there's a cycle counter?)
+	 */
+	if (cycles || (irq_flags & IRQF_TIMER == 0))
+		credit = 1;	/* 1/8 bit */
+	else
+		credit = 0;
+
+	credit += fast_pool->entropy;
+
+	if (credit < 8 << ENTROPY_SHIFT &&
+	    !time_after(now, fast_pool->last + HZ)) {
+		fast_pool->entropy = credit;
 		return;
+	}
+
+	credit = min_t(int, credit, 32 << ENTROPY_SHIFT);
 
 	r = nonblocking_pool.initialized ? &input_pool : &nonblocking_pool;
 	if (!spin_trylock(&r->lock)) {
-		fast_pool->count--;
+		fast_pool->entropy = credit;
 		return;
 	}
 	fast_pool->last = now;
+	fast_pool->entropy = 0;
 	__mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool));
 
 	/*
@@ -867,28 +883,13 @@ void add_interrupt_randomness(int irq, int irq_flags)
 	 * add it to the pool.  For the sake of paranoia count it as
 	 * 50% entropic.
 	 */
-	credit = 1;
 	if (arch_get_random_seed_long(&seed)) {
 		__mix_pool_bytes(r, &seed, sizeof(seed));
-		credit += sizeof(seed) * 4;
+		credit += sizeof(seed) * 4 << entropy_shift;
 	}
 	spin_unlock(&r->lock);
 
-	/*
-	 * If we don't have a valid cycle counter, and we see
-	 * back-to-back timer interrupts, then skip giving credit for
-	 * any entropy, otherwise credit 1 bit.
-	 */
-	if (cycles == 0) {
-		if (irq_flags & __IRQF_TIMER) {
-			if (fast_pool->last_timer_intr)
-				credit = 0;
-			fast_pool->last_timer_intr = 1;
-		} else
-			fast_pool->last_timer_intr = 0;
-	}
-
-	credit_entropy_bits(r, credit);
+	credit_entropy_frac(r, credit);
 }
 
 #ifdef CONFIG_BLOCK
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ