lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2236FBA76BA1254E88B949DDB74E612BA4C66AA0@IRSMSX102.ger.corp.intel.com> Date: Mon, 29 Apr 2019 07:49:36 +0000 From: "Reshetova, Elena" <elena.reshetova@...el.com> To: Theodore Ts'o <tytso@....edu> CC: Eric Biggers <ebiggers3@...il.com>, "ebiggers@...gle.com" <ebiggers@...gle.com>, "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>, David Laight <David.Laight@...LAB.COM>, "Ingo Molnar" <mingo@...nel.org>, 'Peter Zijlstra' <peterz@...radead.org>, "keescook@...omium.org" <keescook@...omium.org>, Daniel Borkmann <daniel@...earbox.net>, "luto@...nel.org" <luto@...nel.org>, "luto@...capital.net" <luto@...capital.net>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "jpoimboe@...hat.com" <jpoimboe@...hat.com>, "jannh@...gle.com" <jannh@...gle.com>, "Perla, Enrico" <enrico.perla@...el.com>, "mingo@...hat.com" <mingo@...hat.com>, "bp@...en8.de" <bp@...en8.de>, "tglx@...utronix.de" <tglx@...utronix.de>, "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>, "Edgecombe, Rick P" <rick.p.edgecombe@...el.com> Subject: RE: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall > On Fri, Apr 26, 2019 at 11:33:09AM +0000, Reshetova, Elena wrote: > > Adding Eric and Herbert to continue discussion for the chacha part. > > So, as a short summary I am trying to find out a fast (fast enough to be used per > syscall > > invocation) source of random bits with good enough security properties. > > I started to look into chacha kernel implementation and while it seems that it is > designed to > > work with any number of rounds, it does not expose less than 12 rounds primitive. > > I guess this is done for security sake, since 12 is probably the lowest bound we > want people > > to use for the purpose of encryption/decryption, but if we are to build an efficient > RNG, > > chacha8 probably is a good tradeoff between security and speed. > > > > What are people's opinions/perceptions on this? Has it been considered before to > create a > > kernel RNG based on chacha? > > Well, sure. The get_random_bytes() kernel interface and the > getrandom(2) system call uses a CRNG based on chacha20. See > extract_crng() and crng_reseed() in drivers/char/random.c. Oh, indeed, I missed this link fully when was trying to trace chacha usages in kernel. I am not familiar with crypto kernel API and looks like my source code cross referencing failed here miserably. Only question left is how fast/slow is this... Best Regards, Elena.
Powered by blists - more mailing lists