Message-ID: <20190426140102.GA4922@mit.edu>
Date:   Fri, 26 Apr 2019 10:01:02 -0400
From:   "Theodore Ts'o" <tytso@....edu>
To:     "Reshetova, Elena" <elena.reshetova@...el.com>
Cc:     Eric Biggers <ebiggers3@...il.com>,
        "ebiggers@...gle.com" <ebiggers@...gle.com>,
        "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>,
        David Laight <David.Laight@...LAB.COM>,
        Ingo Molnar <mingo@...nel.org>,
        "'Peter Zijlstra'" <peterz@...radead.org>,
        "keescook@...omium.org" <keescook@...omium.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        "luto@...nel.org" <luto@...nel.org>,
        "luto@...capital.net" <luto@...capital.net>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "jpoimboe@...hat.com" <jpoimboe@...hat.com>,
        "jannh@...gle.com" <jannh@...gle.com>,
        "Perla, Enrico" <enrico.perla@...el.com>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "bp@...en8.de" <bp@...en8.de>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
Subject: Re: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall

On Fri, Apr 26, 2019 at 11:33:09AM +0000, Reshetova, Elena wrote:
> Adding Eric and Herbert to continue discussion for the chacha part. 
> So, as a short summary I am trying to find out a fast (fast enough to be used per syscall
> invocation) source of random bits with good enough security properties. 
> I started to look into chacha kernel implementation and while it seems that it is designed to 
> work with any number of rounds, it does not expose less than 12 rounds primitive. 
> I guess this is done for security sake, since 12 is probably the lowest bound we want people
> to use for the purpose of encryption/decryption, but if we are to build an efficient RNG,
> chacha8 probably is a good tradeoff between security and speed. 
> 
> What are people's opinions/perceptions on this? Has it been considered before to create a
> kernel RNG based on chacha?

Well, sure.  The get_random_bytes() kernel interface and the
getrandom(2) system call use a CRNG based on chacha20.  See
extract_crng() and crng_reseed() in drivers/char/random.c.

It *is* possible to use an arbitrary number of rounds if you use the
low level interface exposed as chacha_block(), which is an
EXPORT_SYMBOL interface so even modules can use it.  "Does not expose
less than 12 rounds" applies only if you are using the high-level
crypto interface.

We have used cut down crypto algorithms for performance critical
applications before; at one point, we were using a cut down MD4(!) for
initial TCP sequence number generation.  But that was getting rekeyed
every five minutes, and the goal was to make it just hard enough that
there were other easier ways of DOS attacking a server.

I'm not a cryptographer, so I'd really like us to hear from multiple
experts about the security level of, say, ChaCha8 so we understand
exactly what kind of security we'd be offering.  And I'd want that interface
to be named so that it's clear it's only intended for a very specific
use case, since it will be tempting for other kernel developers to use
it in other contexts, with undue consideration.

      	    	      	   	 - Ted
