lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.DEB.2.21.2301121100120.65308@angie.orcam.me.uk>
Date:   Mon, 30 Jan 2023 20:43:28 +0000 (GMT)
From:   "Maciej W. Rozycki" <macro@...am.me.uk>
To:     "H. Peter Anvin" <hpa@...or.com>
cc:     "Jason A. Donenfeld" <Jason@...c4.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] x86: Disable kernel stack offset randomization for
 !TSC

On Wed, 11 Jan 2023, H. Peter Anvin wrote:

> RDTSC isn't a super fast instruction either,

 As someone recently mostly involved with RISC architectures I find it 
interesting indeed, given that the TSC is just some kind of an integer 
register (or data latch).

 E.g. with the MIPS $c0_count register, which is a free-running counter 
similar to the TSC, the "MFC0 reg, $c0_count" instruction executes just 
about as any ordinary ALU operation, such as say ADD (there is no plain 
GPR move instruction in the MIPS ISA to compare this special register move 
to).  Yes, the latency may be two clocks rather than one, but that's still 
pretty damn fast and the extra latency can be dealt with even on scalar 
microarchitectures by reordering the data consumer farther away from the 
producer.

> but what is *way* more 
> significant is that this use of RDTSC is NOT safe: in certain power 
> states it may very well be that stone number of lower bits of TSC 
> contain no entropy at all.

 I wasn't aware of this limitation; certainly at its introduction TSC was 
just a free-running counter with no special states.

 I went after Jason's suggestion to use `get_random_u8' then, which is 
both portable and the single place to make sure proper entropy is 
maintained in.  Thank you for your input.

  Maciej

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ