| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Apr 2022 11:27:22 +0200
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: "Maciej W. Rozycki" <macro@...am.me.uk>
Cc: Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
LKML <linux-kernel@...r.kernel.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Arnd Bergmann <arnd@...db.de>, Theodore Ts'o <tytso@....edu>,
Dominik Brodowski <linux@...inikbrodowski.net>,
Russell King <linux@...linux.org.uk>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
Geert Uytterhoeven <geert@...ux-m68k.org>,
Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
"David S . Miller" <davem@...emloft.net>,
Richard Weinberger <richard@....at>,
Anton Ivanov <anton.ivanov@...bridgegreys.com>,
Johannes Berg <johannes@...solutions.net>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"H . Peter Anvin" <hpa@...or.com>, Chris Zankel <chris@...kel.net>,
Max Filippov <jcmvbkbc@...il.com>,
John Stultz <john.stultz@...aro.org>,
Stephen Boyd <sboyd@...nel.org>,
Dinh Nguyen <dinguyen@...nel.org>,
linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>,
linux-m68k <linux-m68k@...ts.linux-m68k.org>,
"open list:BROADCOM NVRAM DRIVER" <linux-mips@...r.kernel.org>,
linux-riscv <linux-riscv@...ts.infradead.org>,
sparclinux@...r.kernel.org, linux-um@...ts.infradead.org,
X86 ML <x86@...nel.org>, linux-xtensa@...ux-xtensa.org
Subject: Re: [PATCH v4 04/11] mips: use fallback for random_get_entropy()
instead of zero
Hi Maciej,
On Thu, Apr 14, 2022 at 02:16:18AM +0100, Maciej W. Rozycki wrote:
> Yes, for the relevant CPUs the range is 63-8 << 8 for R3k machines and
> 47-0 (the lower bound can be higher if wired entries are used, which I
> think we occasionally do) for R4k machines with a buggy CP0 counter. So
> there are either 56 or up to 48 distinct CP0 Random register values.
Ahh interesting, so it varies a bit, but it remains rather small.
> It depends on the exact system. Some have a 32-bit high-resolution
> counter in the chipset (arch/mips/kernel/csrc-ioasic.c) giving like 25MHz
> resolution, some have nothing but jiffies.
Alright, so there _are_ machines with no c0 cycles but with a good
clock. Yet, 25MHz is still less than the cpu cycle, so this c0 random
ORing trick remains useful perhaps.
> It seems like a reasonable idea to me, but the details would have to be
> sorted out, because where a chipset high-resolution counter is available
> we want to factor it in, and otherwise we need to extract the right bits
> from the CP0 Random register, either 13:8 for the R3k or 5:0 for the R4k.
One thing we could do here that would seemingly cover all the cases
without losing _that_ much would be:
return (random_get_entropy_fallback() << 13) | ((1<<13) - read_c0_random());
Or in case the 13 turns out to be wrong on some hardware, we could
mitigate the effect with:
return (random_get_entropy_fallback() << 13) ^ ((1<<13) - read_c0_random());
As mentioned in the 1/xx patch of this series,
random_get_entropy_fallback() should call the highest resolution thing.
We then shave off the least-changing bits and stuff in the
faster-changing bits from read_c0_random(). Then, in order to keep it
counting up instead of down, we do the subtraction there.
What do you think of this plan?
Jason
Powered by blists - more mailing lists