| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Apr 2022 02:16:18 +0100 (BST)
From: "Maciej W. Rozycki" <macro@...am.me.uk>
To: "Jason A. Donenfeld" <Jason@...c4.com>
cc: Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
LKML <linux-kernel@...r.kernel.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Arnd Bergmann <arnd@...db.de>, Theodore Ts'o <tytso@....edu>,
Dominik Brodowski <linux@...inikbrodowski.net>,
Russell King <linux@...linux.org.uk>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
Geert Uytterhoeven <geert@...ux-m68k.org>,
Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
"David S . Miller" <davem@...emloft.net>,
Richard Weinberger <richard@....at>,
Anton Ivanov <anton.ivanov@...bridgegreys.com>,
Johannes Berg <johannes@...solutions.net>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"H . Peter Anvin" <hpa@...or.com>, Chris Zankel <chris@...kel.net>,
Max Filippov <jcmvbkbc@...il.com>,
John Stultz <john.stultz@...aro.org>,
Stephen Boyd <sboyd@...nel.org>,
Dinh Nguyen <dinguyen@...nel.org>,
linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>,
linux-m68k <linux-m68k@...ts.linux-m68k.org>,
"open list:BROADCOM NVRAM DRIVER" <linux-mips@...r.kernel.org>,
linux-riscv <linux-riscv@...ts.infradead.org>,
sparclinux@...r.kernel.org, linux-um@...ts.infradead.org,
X86 ML <x86@...nel.org>, linux-xtensa@...ux-xtensa.org
Subject: Re: [PATCH v4 04/11] mips: use fallback for random_get_entropy()
instead of zero
Hi Jason,
> However, one thing that I've been thinking about is that the c0 random
> register is actually kind of garbage. In my fuzzy decade-old memory of
> MIPS, I believe the c0 random register starts at the maximum number of
> TLB entries (16?), and then counts down cyclically, decrementing once
> per CPU cycle. Is that right?
Yes, for the relevant CPUs the range is 63-8 << 8 for R3k machines and
47-0 (the lower bound can be higher if wired entries are used, which I
think we occasionally do) for R4k machines with a buggy CP0 counter. So
there are either 56 or up to 48 distinct CP0 Random register values.
> If it is, there are some real pros and cons here to consider:
> - Pro: decrementing each CPU cycle means pretty good granularity
> - Con: wrapping at, like, 16 or something really is very limited, to
> the point of being almost bad
>
> Meanwhile, on systems without the c0 cycles counter, what is the
> actual resolution of random_get_entropy_fallback()? Is this just
> falling back to jiffies?
It depends on the exact system. Some have a 32-bit high-resolution
counter in the chipset (arch/mips/kernel/csrc-ioasic.c) giving like 25MHz
resolution, some have nothing but jiffies.
> IF (a) the fallback is jiffies AND (b) c0 wraps at 16, then actually,
> what would be really nice would be something like:
>
> return (jiffies << 4) | read_c0_random();
>
> It seems like that would give us something somewhat more ideal than
> the status quo. Still crap, of course, but undoubtedly better.
It seems like a reasonable idea to me, but the details would have to be
sorted out, because where a chipset high-resolution counter is available
we want to factor it in, and otherwise we need to extract the right bits
from the CP0 Random register, either 13:8 for the R3k or 5:0 for the R4k.
Maciej
Powered by blists - more mailing lists