[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191018204220.GD31027@cork>
Date: Fri, 18 Oct 2019 13:42:20 -0700
From: Jörn Engel <joern@...estorage.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org
Subject: Re: [PATCH] random: make try_to_generate_entropy() more robust
On Fri, Oct 18, 2019 at 01:37:04PM -0700, Jörn Engel wrote:
> Sorry for coming late to the discussion. I generally like the approach
> in try_to_generate_entropy(), but I think we can do a little better
> still. Would something like this work?
Fixed lkml address.
> From 90078333edb6e720f13f6668376a69c0f9c570f5 Mon Sep 17 00:00:00 2001
> From: Joern Engel <joern@...estorage.com>
> Date: Fri, 18 Oct 2019 13:25:52 -0700
> Subject: [PATCH] random: make try_to_generate_entropy() more robust
>
> We can generate entropy on almost any CPU, even if it doesn't provide a
> high-resolution timer for random_get_entropy(). As long as the CPU is
> not idle, it changed the register file every few cycles. As long as the
> ALU isn't fully synchronized with the timer, the drift between the
> register file and the timer is enough to generate entropy from.
>
> Also print a warning on systems where entropy collection might be a
> problem. I have good confidence in two unsynchronized timers generating
> entropy. But I cannot tell whether timer and ALU are synchronized and
> we ought to warn users if all their crypto is likely to be broken.
>
> Signed-off-by: Joern Engel <joern@...estorage.com>
> ---
> drivers/char/random.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index de434feb873a..00a04efd0686 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -1748,6 +1748,16 @@ EXPORT_SYMBOL(get_random_bytes);
> */
> static void entropy_timer(struct timer_list *t)
> {
> + struct pt_regs *regs = get_irq_regs();
> +
> + /*
> + * Even if we don't have a high-resolution timer in our system,
> + * the register file itself is a high-resolution timer. It
> + * isn't monotonic or particularly useful to read the current
> + * time. But it changes with every retired instruction, which
> + * is enough to generate entropy from.
> + */
> + mix_pool_bytes(&input_pool, regs, sizeof(*regs));
> credit_entropy_bits(&input_pool, 1);
> }
>
> @@ -1764,9 +1774,8 @@ static void try_to_generate_entropy(void)
>
> stack.now = random_get_entropy();
>
> - /* Slow counter - or none. Don't even bother */
> - if (stack.now == random_get_entropy())
> - return;
> + /* Slow counter - or none. Warn user */
> + WARN_ON(stack.now == random_get_entropy());
>
> timer_setup_on_stack(&stack.timer, entropy_timer, 0);
> while (!crng_ready()) {
> --
> 2.20.1
>
Jörn
--
...one more straw can't possibly matter...
-- Kirby Bakken
Powered by blists - more mailing lists