| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170120142852.lznr25go4pbdlwdt@thunk.org>
Date: Fri, 20 Jan 2017 09:28:52 -0500
From: Theodore Ts'o <tytso@....edu>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
Hannes Frederic Sowa <hannes@...essinduktion.org>,
Andy Lutomirski <luto@...capital.net>
Subject: Re: [PATCH 1/2] random: use chacha20 for get_random_int/long
On Fri, Jan 20, 2017 at 06:27:19AM +0100, Jason A. Donenfeld wrote:
> This is most certainly not the case. Read closely.
>
> I use a different variable for each function. get_random_u32 only
> touches batched_entropy_u32, and get_random_u64 only touches
> bached_entropy_u64. Under no circumstances will one function use the
> other's batched entropy.
>
> I use a union so that only one struct must be declared. If you think
> that's unclear, I can declare two separate structs instead. Let me
> know which strategy you prefer -- what I have now, or splitting it
> into two structs.
What I would probably do is just use one array and one array index,
denominated in 32-bit words, and just grab two 32-bit words for the
64-bit case. Optimizing away the overhead of assembling two 32-bit
words for a 64-bit word, and the possibility that we might have to
touch two cache lines instead of one --- is it really worth it?
Compare that to the fact that you're wasting up to 66% of the
generated words in the batched entropy array, and certainly on average
you're wasting CPU cycles, even if you are reducing the cost of
calling get_random_u{32,64} by a handful of cycles....
- Ted
Powered by blists - more mailing lists