From: "Theodore Ts'o" <tytso@mit.edu>
To: George Spelvin <linux@horizon.com>
Cc: ahferroin7@gmail.com, andi@firstfloor.org, jepler@unpythonic.net,
linux-kernel@vger.kernel.org, linux@rasmusvillemoes.dk
Subject: Re: Updated scalable urandom patchkit
Date: Sun, 11 Oct 2015 18:25:22 -0400 [thread overview]
Message-ID: <20151011222522.GC5341@thunk.org> (raw)
In-Reply-To: <20151011043546.19633.qmail@ns.horizon.com>
On Sun, Oct 11, 2015 at 12:35:46AM -0400, George Spelvin wrote:
>
> One is the final write back of add_ptr on the last line of
> _mix_pool_bytes. It actually writes i, which includes the per-cpu nonce,
> and will have it jumping all over without the steady progression that
> the mixing polynomial assumes.
Yep, good catch; I need to subtract that off.
> (There's a similar, lesser problem with input_rotate.)
I didn't bother messing with input_rotate at all, and I don't think
that will be a problem.
> The second, less obvious, problem is that by calling _mix_pool_bytes
> completely lockless, there's the risk that it will race with and overwrite
> the addition of new seed material to the pool.
>
> The add-back is not critical, and races between two writers don't really
> do any harm. But seed entropy is valuable.
That's true, but I've been going back and forth about how much it's
worth to fix this. After all, the the non-blocking pool is guaranteed
to have cryptographic randomness, and so it's a question of how much
effort we want to avoid the possibility of losing some seed entropy.
One approach might be to use take a reader lock when mixing back
entropy, but take an exclusive lock in the case when seeding the
non-random pool.
Another approach is to have an alternate mechanism for the
non-blocking pool which uses the LOCK prefix when XOR'ing into the
pool. This would mean that we would have to drop the twisted LFSR and
replace it with something simpler but so long as the mixing algothm
eventually involves all of the bits in the pool, that will probably be
OK.
Of course, using the LOCK prefix is CPU architecture specific, and in
particular, there is no equivalent on the ARM architecture.
The final thing we could do is to just throw in a smp_mb() before the
write into the pool, and just call it day, and accept that while we
might lose a small amount of entropy due to a race, it will only a
byte's worth each time we lose a race (instead of the whole 32 byte
cache line).
None of the alternatives are all that satisfying, and they will all be
a bit more expensive than the first patch. The question is how to
weigh these problems against just simply using a separate pool for
each NUMA node, and how much scalability are we really need for
"realistic" workloads?
- Ted
next prev parent reply other threads:[~2015-10-11 22:25 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-10 18:45 Updated scalable urandom patchkit George Spelvin
2015-10-11 2:31 ` Theodore Ts'o
2015-10-11 2:53 ` Theodore Ts'o
2015-10-11 4:35 ` George Spelvin
2015-10-11 22:25 ` Theodore Ts'o [this message]
2015-10-12 0:16 ` George Spelvin
2015-10-12 4:05 ` Theodore Ts'o
2015-10-12 7:49 ` George Spelvin
2015-10-12 13:54 ` Theodore Ts'o
2015-10-12 20:30 ` George Spelvin
2015-10-12 20:34 ` George Spelvin
2015-10-13 2:46 ` Theodore Ts'o
2015-10-13 3:50 ` Raymond Jennings
2015-10-13 7:50 ` George Spelvin
2015-10-13 6:24 ` George Spelvin
2015-10-13 16:20 ` Andi Kleen
2015-10-13 21:10 ` George Spelvin
2015-10-14 2:15 ` Andi Kleen
2015-10-16 5:28 ` [RFC PATCH 0/4] Alternate sclable urandom patchset George Spelvin
2015-10-16 5:29 ` [RFC PATCH 1/4] random: Reduce stack usage in _xfer_secondary_pool George Spelvin
2015-10-16 5:30 ` [RFC PATCH 2/4] random: Remove two unused arguments from extract_entropy() George Spelvin
2015-10-16 5:33 ` [RFC PATCH 3/4] random: Only do mixback once per read George Spelvin
2015-10-16 6:12 ` kbuild test robot
2015-10-16 8:11 ` George Spelvin
2015-10-16 6:23 ` kbuild test robot
2015-10-16 5:34 ` [RFC PATCH 4/4] random: Make non-blocking mixback non-blocking George Spelvin
2015-10-21 8:27 ` Updated scalable urandom patchkit George Spelvin
2015-10-21 11:47 ` Andi Kleen
2015-10-21 18:10 ` George Spelvin
-- strict thread matches above, loose matches on Subject: below --
2015-09-24 17:19 Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151011222522.GC5341@thunk.org \
--to=tytso@mit.edu \
--cc=ahferroin7@gmail.com \
--cc=andi@firstfloor.org \
--cc=jepler@unpythonic.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@horizon.com \
--cc=linux@rasmusvillemoes.dk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.