[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3094055.QNPB7aoccF@tauon.chronox.de>
Date: Mon, 06 Nov 2023 16:25:51 +0100
From: Stephan Mueller <smueller@...onox.de>
To: Linus Torvalds <torvalds@...ux-foundation.org>,
Herbert Xu <herbert@...dor.apana.org.au>
Cc: "David S. Miller" <davem@...emloft.net>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
Steffen Klassert <steffen.klassert@...unet.com>
Subject: Re: [PATCH] crypto: jitterentropy - Hide esoteric Kconfig options under FIPS
and EXPERT
Am Montag, 6. November 2023, 11:00:08 CET schrieb Herbert Xu:
Hi Herbert,
> On Thu, Nov 02, 2023 at 08:32:36PM -1000, Linus Torvalds wrote:
> > I think that would help the situation, but I assume the sizing for the
> > jitter buffer is at least partly due to trying to account for cache
> > sizing or similar issues?
> >
> > Which really means that I assume any static compile-time answer to
> > that question is always wrong - whether you are an expert or not.
> > Unless you are just building the thing for one particular machine.
> >
> > So I do think the problem is deeper than "this is a question only for
> > experts". I definitely don't think you should ask a regular user (or
> > even a distro kernel package manager). I suspect it's likely that the
> > question is just wrong in general - because any particular one buffer
> > size for any number of machines simply cannot be the right answer.
> >
> > I realize that the commit says "*allow* for configuration of memory
> > size", but I really question the whole approach.
>
> Yes I think these are all valid points. I just noticed that I
> forgot to cc the author so let's see if Stephan has anything to
> add.
I concur that these questions are more for experts.
>
> > But yes - hiding these questions from any reasonable normal user is at
> > least a good first step.
>
> OK here's the patch:
>
> ---8<---
> As JITTERENTROPY is selected by default if you enable the CRYPTO
> API, any Kconfig options added there will show up for every single
> user. Hide the esoteric options under EXPERT as well as FIPS so
> that only distro makers will see them.
>
> Reported-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au>
>
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index bbf51d55724e..70661f58ee41 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -1297,10 +1297,12 @@ config CRYPTO_JITTERENTROPY
>
> See https://www.chronox.de/jent.html
>
> +if CRYPTO_JITTERENTROPY
> +if CRYPTO_FIPS && EXPERT
> +
> choice
> prompt "CPU Jitter RNG Memory Size"
> default CRYPTO_JITTERENTROPY_MEMSIZE_2
> - depends on CRYPTO_JITTERENTROPY
> help
> The Jitter RNG measures the execution time of memory accesses.
> Multiple consecutive memory accesses are performed. If the memory
> @@ -1344,7 +1346,6 @@ config CRYPTO_JITTERENTROPY_OSR
> int "CPU Jitter RNG Oversampling Rate"
> range 1 15
> default 1
> - depends on CRYPTO_JITTERENTROPY
> help
> The Jitter RNG allows the specification of an oversampling rate (OSR).
> The Jitter RNG operation requires a fixed amount of timing
> @@ -1359,7 +1360,6 @@ config CRYPTO_JITTERENTROPY_OSR
>
> config CRYPTO_JITTERENTROPY_TESTINTERFACE
> bool "CPU Jitter RNG Test Interface"
> - depends on CRYPTO_JITTERENTROPY
> help
> The test interface allows a privileged process to capture
> the raw unconditioned high resolution time stamp noise that
> @@ -1377,6 +1377,28 @@ config CRYPTO_JITTERENTROPY_TESTINTERFACE
>
> If unsure, select N.
>
> +endif # if CRYPTO_FIPS && EXPERT
> +
> +if !(CRYPTO_FIPS && EXPERT)
> +
> +config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
> + int
> + default 64
> +
> +config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
> + int
> + default 32
> +
> +config CRYPTO_JITTERENTROPY_OSR
> + int
> + default 1
> +
> +config CRYPTO_JITTERENTROPY_TESTINTERFACE
> + bool
> +
> +endif # if !(CRYPTO_FIPS && EXPERT)
> +endif # if CRYPTO_JITTERENTROPY
> +
> config CRYPTO_KDF800108_CTR
> tristate
> select CRYPTO_HMAC
Reviewed-by: Stephan Mueller <smueller@...onox.de>
Ciao
Stephan
Powered by blists - more mailing lists