| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251026055032.1413733-14-ebiggers@kernel.org>
Date: Sat, 25 Oct 2025 22:50:30 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: linux-crypto@...r.kernel.org
Cc: David Howells <dhowells@...hat.com>,
Ard Biesheuvel <ardb@...nel.org>,
"Jason A . Donenfeld" <Jason@...c4.com>,
Eric Biggers <ebiggers@...nel.org>,
Holger Dengler <dengler@...ux.ibm.com>,
Harald Freudenberger <freude@...ux.ibm.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
linux-arm-kernel@...ts.infradead.org,
linux-s390@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH v2 13/15] crypto: jitterentropy - Use default sha3 implementation
Make jitterentropy use "sha3-256" instead of "sha3-256-generic", as the
ability to explicitly request the generic code is going away. It's not
worth providing a special generic API just for jitterentropy. There are
many other solutions available to it, such as doing more iterations or
using a more effective jitter collection method.
Moreover, the status quo is that SHA-3 is quite slow anyway. Currently
only arm64 and s390 have architecture-optimized SHA-3 code. I'm not
familiar with the performance of the s390 one, but the arm64 one isn't
actually that much faster than the generic code anyway.
Note that jitterentropy should just use the library API instead of
crypto_shash. But that belongs in a separate change later.
Reviewed-by: Ard Biesheuvel <ardb@...nel.org>
Signed-off-by: Eric Biggers <ebiggers@...nel.org>
---
crypto/jitterentropy-kcapi.c | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index a53de7affe8d1..7c880cf34c523 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -46,11 +46,11 @@
#include <linux/time.h>
#include <crypto/internal/rng.h>
#include "jitterentropy.h"
-#define JENT_CONDITIONING_HASH "sha3-256-generic"
+#define JENT_CONDITIONING_HASH "sha3-256"
/***************************************************************************
* Helper function
***************************************************************************/
@@ -228,19 +228,11 @@ static int jent_kcapi_init(struct crypto_tfm *tfm)
struct shash_desc *sdesc;
int size, ret = 0;
spin_lock_init(&rng->jent_lock);
- /*
- * Use SHA3-256 as conditioner. We allocate only the generic
- * implementation as we are not interested in high-performance. The
- * execution time of the SHA3 operation is measured and adds to the
- * Jitter RNG's unpredictable behavior. If we have a slower hash
- * implementation, the execution timing variations are larger. When
- * using a fast implementation, we would need to call it more often
- * as its variations are lower.
- */
+ /* Use SHA3-256 as conditioner */
hash = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0);
if (IS_ERR(hash)) {
pr_err("Cannot allocate conditioning digest\n");
return PTR_ERR(hash);
}
--
2.51.1.dirty
Powered by blists - more mailing lists