lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2236FBA76BA1254E88B949DDB74E612BA4C66AA0@IRSMSX102.ger.corp.intel.com>
Date:   Mon, 29 Apr 2019 07:49:36 +0000
From:   "Reshetova, Elena" <elena.reshetova@...el.com>
To:     Theodore Ts'o <tytso@....edu>
CC:     Eric Biggers <ebiggers3@...il.com>,
        "ebiggers@...gle.com" <ebiggers@...gle.com>,
        "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>,
        David Laight <David.Laight@...LAB.COM>,
        "Ingo Molnar" <mingo@...nel.org>,
        'Peter Zijlstra' <peterz@...radead.org>,
        "keescook@...omium.org" <keescook@...omium.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        "luto@...nel.org" <luto@...nel.org>,
        "luto@...capital.net" <luto@...capital.net>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "jpoimboe@...hat.com" <jpoimboe@...hat.com>,
        "jannh@...gle.com" <jannh@...gle.com>,
        "Perla, Enrico" <enrico.perla@...el.com>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "bp@...en8.de" <bp@...en8.de>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
Subject: RE: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall


> On Fri, Apr 26, 2019 at 11:33:09AM +0000, Reshetova, Elena wrote:
> > Adding Eric and Herbert to continue discussion for the chacha part.
> > So, as a short summary I am trying to find out a fast (fast enough to be used per
> syscall
> > invocation) source of random bits with good enough security properties.
> > I started to look into chacha kernel implementation and while it seems that it is
> designed to
> > work with any number of rounds, it does not expose less than 12 rounds primitive.
> > I guess this is done for security sake, since 12 is probably the lowest bound we
> want people
> > to use for the purpose of encryption/decryption, but if we are to build an efficient
> RNG,
> > chacha8 probably is a good tradeoff between security and speed.
> >
> > What are people's opinions/perceptions on this? Has it been considered before to
> create a
> > kernel RNG based on chacha?
> 
> Well, sure.  The get_random_bytes() kernel interface and the
> getrandom(2) system call uses a CRNG based on chacha20.  See
> extract_crng() and crng_reseed() in drivers/char/random.c.

Oh, indeed, I missed this link fully when was trying to trace chacha
usages in kernel. I am not familiar with crypto kernel API and looks like
my source code cross referencing failed here miserably. 

Only question left is how fast/slow is this... 

Best Regards,
Elena.

Powered by blists - more mailing lists