From: Will Deacon <will.deacon@arm.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: "Theodore Ts'o" <tytso@mit.edu>, Borislav Petkov <bp@alien8.de>,
Ingo Molnar <mingo@kernel.org>, Willy Tarreau <w@1wt.eu>,
Linus Torvalds <torvalds@linux-foundation.org>,
x86-ml <x86@kernel.org>, "Jason A. Donenfeld" <Jason@zx2c4.com>,
lkml <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Nicholas Mc Guire <der.herr@hofr.at>,
paulmck@linux.vnet.ibm.com
Subject: Re: early x86 unseeded randomness
Date: Wed, 16 Aug 2017 10:56:38 +0100 [thread overview]
Message-ID: <20170816095637.GF12845@arm.com> (raw)
In-Reply-To: <alpine.DEB.2.20.1708160956140.1987@nanos>
On Wed, Aug 16, 2017 at 11:13:03AM +0200, Thomas Gleixner wrote:
> On Tue, 15 Aug 2017, Theodore Ts'o wrote:
> > If we really want to do this, I'd much rather *not* have code calling
> > tsc_early_random(). We're better off having the code call
> > get_random_bytes() and/or get_random_u32(), and having these systems
> > use RDRAND if available, and if not, falling back to
> > tsc_early_random() and then mixing it with whatever unpredictability
> > we may have been able to gather so far if the CRNG hasn't been
> > initialized yet.
>
> I agree. This is not about systems which have RDRAND. We want to support
> systems which do not have it and there the TSC magic comes handy.
>
> > That way something like tsc_early_random() can help, but it can't make
> > things worse than what we have today (excepting the performance delay
> > caused by adding whatever random shite that we hope is enough to
> > introduce unpredictability to the TSC --- for which I still remain
> > very skeptical).
>
> I just rerun tests in the early boot code (interrupts disabled, no NMIs
> ...) with the TSC/wbinvd voodoo on several generations of machines and
> stored 4M random values in a big static array. Reading it out after boot
> and running it through dieharder makes me pretty confident that we observe
> real random noise coming from the internals of the microarch/pipelines/bus
> interactions.
>
> > P.S. As I recall hpa@ has talked to some Intel architects internally
> > about how much unpredictability we could really get, and how much of
> > it is just because there's complex state that we can't see (which if
> > we could see, might make it much more predictable), and as I recall
>
> Right, there is complex state which is not completely synchronous even if
> all frequencies are derived from a single 24MHZ oscillator. The PWMs, the
> memory access characteristics and quite some other sources of
> asynchronousity allow us to utilize that and I'm pretty sure, that you
> can't find two systems which expose exactly the same behaviour.
>
> > they didn't say anyhing definitively; but they were nervous. I'm
>
> Sure, they are always nervous when you ask them questions about the
> internals of their chips especially when you expect authorative answers.
Right, especially as this is randomness as a side-effect of the design,
rather than something that was an actual design goal. You won't find CPU
designers committing to semantics of accidental behaviours :)
Another paper on this (which I think Paul pointed me to) is:
https://www.kernel.org/doc/ols/2014/ols2014-mueller.pdf
which seems to be what crypto/jitterentropy.c is based on.
On arm64, we currently rely on the bootloader for entropy (either an
explicit kaslr seed, or the EFI_RNG_PROTOCOL). Unfortunately, the former is
often zero and the latter unimplemented, but this seems to be improving
slowly.
Will
next prev parent reply other threads:[~2017-08-16 9:56 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-14 17:35 early x86 unseeded randomness Borislav Petkov
2017-08-14 17:47 ` Linus Torvalds
2017-08-14 18:00 ` Borislav Petkov
2017-08-14 18:17 ` Linus Torvalds
2017-08-14 19:00 ` Borislav Petkov
2017-08-15 1:31 ` Theodore Ts'o
2017-08-15 6:44 ` Willy Tarreau
2017-08-15 7:42 ` Ingo Molnar
2017-08-15 8:01 ` Willy Tarreau
2017-08-15 8:05 ` Ingo Molnar
2017-08-15 12:09 ` Theodore Ts'o
2017-08-15 13:26 ` Willy Tarreau
2017-08-15 10:47 ` Thomas Gleixner
2017-08-15 13:45 ` Borislav Petkov
2017-08-15 13:48 ` Thomas Gleixner
2017-08-15 14:25 ` Theodore Ts'o
2017-08-15 14:42 ` Thomas Gleixner
2017-08-15 15:26 ` Borislav Petkov
2017-08-15 17:37 ` Thomas Gleixner
2017-08-16 3:35 ` Theodore Ts'o
2017-08-16 9:13 ` Thomas Gleixner
2017-08-16 9:56 ` Will Deacon [this message]
2017-08-16 3:21 ` Theodore Ts'o
2017-08-15 15:24 ` Borislav Petkov
2017-08-15 12:48 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170816095637.GF12845@arm.com \
--to=will.deacon@arm.com \
--cc=Jason@zx2c4.com \
--cc=bp@alien8.de \
--cc=der.herr@hofr.at \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=paulmck@linux.vnet.ibm.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=w@1wt.eu \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.