Message-Id: <20220208155335.378318-1-Jason@zx2c4.com>
Date: Tue, 8 Feb 2022 16:53:28 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org
Cc: "Jason A. Donenfeld" <Jason@...c4.com>,
Theodore Ts'o <tytso@....edu>,
Dominik Brodowski <linux@...inikbrodowski.net>
Subject: [PATCH v1 0/7] random: cleanups around per-cpu crng & rdrand

This series tackles a few issues that are intermingled with each other:

- Using RDSEED when we can rather than using RDRAND.

- Making sure RDRAND/RDSEED input always goes through the mixer rather
  than being xor'd into our state directly, in part in order to prevent
  ridiculous hypothetical cpu backdoors, and in part because it makes it
  easier to model RDRAND/RDSEED as just another entropy input.

- Untangling the never ending headache that is kmalloc'd NUMA secondary
  CRNGs, and replacing these with leaner per-cpu ChaCha keys that don't
  have all the state troubles. There are other patches pending my review
  that take the current NUMA initialization code to yet another layer of
  complexity, sort of driving home the point to me that the current code
  is a can of worms. This patchset attempts a different direction there.

- Enforcing "fast key erasure" expansion always, and not relying on
  having a shared block counter that is bound to lead to troubles sooner
  or later.

- Nearly eliminating lock contention when several processes use the rng
  at the same time. WireGuard, for example, processes packets in
  parallel on all threads, and this packet processing requires frequent
  calls to get_random_bytes().

Because one design choice in here affects others, these issues are
tackled by this same patchset. It's roughly divided into "things with
RDSEED" and "things with struct crng", with the ordering of commits
being important.

Finally the series ends with a one-off patch removing an obsolete limit
on /dev/urandom.

Cc: Theodore Ts'o <tytso@....edu>
Cc: Dominik Brodowski <linux@...inikbrodowski.net>

Jason A. Donenfeld (7):
  random: use RDSEED instead of RDRAND in entropy extraction
  random: get rid of secondary crngs
  random: inline leaves of rand_initialize()
  random: ensure early RDSEED goes through mixer on init
  random: do not xor RDRAND when writing into /dev/random
  random: use simpler fast key erasure flow on per-cpu keys
  random: remove outdated INT_MAX >> 6 check in urandom_read()

 drivers/char/random.c | 566 +++++++++++++++++-------------------------
 1 file changed, 231 insertions(+), 335 deletions(-)

--
2.35.0
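Added example (not part of this series, and not code from drivers/char/random.c): a user-space C sketch of the "fast key erasure" expansion over a single ChaCha20 key, the flow the cover letter wants enforced on every per-cpu key instead of a shared block counter. The function names crng_fast_key_erasure and fke_get_random_bytes, the zero nonce/counter layout, and the 32-byte hand-off are this example's own assumptions about the scheme; the ChaCha20 block function is checked against the RFC 8439 section 2.3.2 test vector so the rest is built on something verifiable. A little-endian host is assumed.

```c
/* Added example, not code from this series or drivers/char/random.c: user-space
 * sketch of "fast key erasure" over a ChaCha20 key. Little-endian host assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CHACHA_KEY_SIZE   32
#define CHACHA_BLOCK_SIZE 64
static uint32_t rotl32(uint32_t v, int c) { return (v << c) | (v >> (32 - c)); }

#define QR(a, b, c, d) \
	a += b; d ^= a; d = rotl32(d, 16); c += d; b ^= c; b = rotl32(b, 12); \
	a += b; d ^= a; d = rotl32(d, 8);  c += d; b ^= c; b = rotl32(b, 7)

/* RFC 8439 state: 4 constants, 8 key words, 32-bit block counter, 3 nonce words. */
static void chacha_init(uint32_t s[16], const uint8_t key[32], uint32_t counter, const uint8_t nonce[12])
{
	s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574;
	memcpy(&s[4], key, CHACHA_KEY_SIZE);
	s[12] = counter; memcpy(&s[13], nonce, 12);
}

/* One 64-byte ChaCha20 block; advances the block counter in s[12]. */
static void chacha20_block(uint32_t s[16], uint8_t out[CHACHA_BLOCK_SIZE])
{
	uint32_t x[16]; int i;
	memcpy(x, s, sizeof(x));
	for (i = 0; i < 10; i++) {
		QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
		QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
		QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
		QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
	}
	for (i = 0; i < 16; i++) x[i] += s[i];
	memcpy(out, x, CHACHA_BLOCK_SIZE);
	s[12]++;
}

/* Stand-in for the kernel's memzero_explicit(). */
static void zeroize(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

/* Fast key erasure: expand the stored key (zero nonce, counter 0) into one block,
 * overwrite the stored key with that block's first 32 bytes, hand the caller up to
 * the other 32. The generating key is gone from persistent storage before any
 * output is returned; it survives only in the caller's stack copy of chacha_state
 * (counter now 1), which may stream more blocks and must be wiped afterwards. */
static void crng_fast_key_erasure(uint8_t key[CHACHA_KEY_SIZE], uint32_t chacha_state[16],
				  uint8_t *random_data, size_t random_data_len)
{
	static const uint8_t zero_nonce[12];
	uint8_t first_block[CHACHA_BLOCK_SIZE];
	if (random_data_len > CHACHA_BLOCK_SIZE - CHACHA_KEY_SIZE)
		random_data_len = CHACHA_BLOCK_SIZE - CHACHA_KEY_SIZE;
	chacha_init(chacha_state, key, 0, zero_nonce);
	chacha20_block(chacha_state, first_block);
	memcpy(key, first_block, CHACHA_KEY_SIZE);
	memcpy(random_data, first_block + CHACHA_KEY_SIZE, random_data_len);
	zeroize(first_block, sizeof(first_block));
}

/* get_random_bytes()-style consumer (the name is this example's own). */
static void fke_get_random_bytes(uint8_t key[CHACHA_KEY_SIZE], uint8_t *buf, size_t len)
{
	uint32_t chacha_state[16]; uint8_t tmp[CHACHA_BLOCK_SIZE];
	size_t n = len < CHACHA_BLOCK_SIZE - CHACHA_KEY_SIZE ? len : CHACHA_BLOCK_SIZE - CHACHA_KEY_SIZE;
	crng_fast_key_erasure(key, chacha_state, buf, n);
	for (buf += n, len -= n; len; buf += n, len -= n) {
		chacha20_block(chacha_state, tmp);
		n = len < CHACHA_BLOCK_SIZE ? len : CHACHA_BLOCK_SIZE;
		memcpy(buf, tmp, n);
	}
	zeroize(chacha_state, sizeof(chacha_state));
	zeroize(tmp, sizeof(tmp));
}

/* RFC 8439 section 2.3.2 block vector (key 00..1f, counter 1), first 16 output bytes. */
static int rfc8439_block_test(void)
{
	static const uint8_t expect[16] = { 0x10, 0xf1, 0xe7, 0xe4, 0xd1, 0x3b, 0x59, 0x15,
					    0x50, 0x0f, 0xdd, 0x1f, 0xa3, 0x20, 0x71, 0xc4 };
	static const uint8_t nonce[12] = { 0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0 };
	uint8_t key[CHACHA_KEY_SIZE], out[CHACHA_BLOCK_SIZE]; uint32_t s[16]; int i;
	for (i = 0; i < CHACHA_KEY_SIZE; i++) key[i] = i;
	chacha_init(s, key, 1, nonce); chacha20_block(s, out);
	return memcmp(out, expect, sizeof(expect)) == 0 && s[12] == 2;
}

/* Stored key replaced on every call, consecutive calls never repeat, same seed replays. */
static int fast_key_erasure_test(void)
{
	uint8_t seed[32] = { 0 }, key[32] = { 0 }, key2[32] = { 0 }, k1[32], a[100], b[100], c[100];
	fke_get_random_bytes(key, a, sizeof(a));   /* key: seed -> k1 */
	memcpy(k1, key, sizeof(k1));
	fke_get_random_bytes(key, b, sizeof(b));   /* key: k1 -> k2 */
	fke_get_random_bytes(key2, c, sizeof(c));  /* key2: seed -> k1 */
	return memcmp(k1, seed, 32) != 0 && memcmp(a, b, sizeof(a)) != 0 &&
	       memcmp(a, c, sizeof(a)) == 0 && memcmp(key2, k1, 32) == 0;
}
```

The property worth staring at is in crng_fast_key_erasure(): the persistent key is overwritten with block bytes 0-31 before bytes 32-63 are handed to the caller, so a later compromise of the stored key does not let anyone recompute output that was already handed out, and no shared block counter has to be kept consistent across callers because every call starts from counter 0 on a fresh key. rfc8439_block_test() and fast_key_erasure_test() each return 1 when those checks hold.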