| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Feb 2022 16:11:16 +0100
From: Dominik Brodowski <linux@...inikbrodowski.net>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
bigeasy@...utronix.de, Sultan Alsawaf <sultan@...neltoast.com>,
Thomas Gleixner <tglx@...utronix.de>,
Peter Zijlstra <peterz@...radead.org>,
Theodore Ts'o <tytso@....edu>
Subject: Re: [PATCH] random: do crng pre-init loading in worker rather than
irq
Am Thu, Feb 24, 2022 at 10:49:12AM +0100 schrieb Jason A. Donenfeld:
> On 2/24/22, Dominik Brodowski <linux@...inikbrodowski.net> wrote:
> > Am Wed, Feb 23, 2022 at 07:55:11PM +0100 schrieb Jason A. Donenfeld:
> >> Taking spinlocks from IRQ context is problematic for PREEMPT_RT. That
> >> is, in part, why we take trylocks instead. But apparently this still
> >> trips up various lock dependency analyzers. That seems like a bug in the
> >> analyzers that should be fixed, rather than having to change things
> >> here.
> >>
> >> But maybe there's another reason to change things up: by deferring the
> >> crng pre-init loading to the worker, we can use the cryptographic hash
> >> function rather than xor, which is perhaps a meaningful difference when
> >> considering this data has only been through the relatively weak
> >> fast_mix() function.
> >>
> >> The biggest downside of this approach is that the pre-init loading is
> >> now deferred until later, which means things that need random numbers
> >> after interrupts are enabled, but before workqueues are running -- or
> >> before this particular worker manages to run -- are going to get into
> >> trouble. Hopefully in the real world, this window is rather small,
> >> especially since this code won't run until 64 interrupts had occurred.
> >>
> >> Cc: Dominik Brodowski <linux@...inikbrodowski.net>
> >> Cc: Sebastian Andrzej Siewior <bigeasy@...utronix.de>
> >> Cc: Sultan Alsawaf <sultan@...neltoast.com>
> >> Cc: Thomas Gleixner <tglx@...utronix.de>
> >> Cc: Peter Zijlstra <peterz@...radead.org>
> >> Cc: Theodore Ts'o <tytso@....edu>
> >> Signed-off-by: Jason A. Donenfeld <Jason@...c4.com>
> >> ---
> >> drivers/char/random.c | 62 ++++++++++++-------------------------------
> >> 1 file changed, 17 insertions(+), 45 deletions(-)
> >>
> >> diff --git a/drivers/char/random.c b/drivers/char/random.c
> >> index 536237a0f073..9fb06fc298d3 100644
> >> --- a/drivers/char/random.c
> >> +++ b/drivers/char/random.c
> >> @@ -1298,7 +1278,12 @@ static void mix_interrupt_randomness(struct
> >> work_struct *work)
> >> local_irq_enable();
> >>
> >> mix_pool_bytes(pool, sizeof(pool));
> >> - credit_entropy_bits(1);
> >> +
> >> + if (unlikely(crng_init == 0))
> >> + crng_pre_init_inject(pool, sizeof(pool), true);
> >> + else
> >> + credit_entropy_bits(1);
> >> +
> >> memzero_explicit(pool, sizeof(pool));
> >> }
> >
> > Might it make sense to call crng_pre_init_inject() before mix_pool_bytes?
>
> What exactly is the difference you see mattering in the order? I keep
> chasing my tail trying to think about it.
We had that order beforehand -- and even if it probably doesn't matter, this
means crng_pre_init_inject() gets called a tiny bit earlier. That means
there's a chance to progres to crng_init=1 a tiny bit earlier as well.
Thanks,
Dominik
Powered by blists - more mailing lists