| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 8 Aug 2020 10:07:51 -0700
From: Andy Lutomirski <luto@...capital.net>
To: George Spelvin <lkml@....org>
Cc: netdev@...r.kernel.org, w@....eu, aksecurity@...il.com,
torvalds@...ux-foundation.org, edumazet@...gle.com,
Jason@...c4.com, luto@...nel.org, keescook@...omium.org,
tglx@...utronix.de, peterz@...radead.org, tytso@....edu,
lkml.mplumb@...il.com, stephen@...workplumber.org
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"
> On Aug 8, 2020, at 8:29 AM, George Spelvin <lkml@....org> wrote:
>
> And apparently switching to the fastest secure PRNG currently
> in the kernel (get_random_u32() using ChaCha + per-CPU buffers)
> would cause too much performance penalty.
Can someone explain *why* the slow path latency is particularly relevant here? What workload has the net code generating random numbers in a place where even a whole microsecond is a problem as long as the amortized cost is low? (I’m not saying I won’t believe this matters, but it’s not obvious to me that it matters.)
> - Cryptographically strong ChaCha, batched
> - Cryptographically strong ChaCha, with anti-backtracking.
I think we should just anti-backtrack everything. With the “fast key erasure” construction, already implemented in my patchset for the buffered bytes, this is extremely fast.
Powered by blists - more mailing lists