From: "Tobin C. Harding" <me@tobin.cc>
To: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	"Ted Ts'o" <tytso@mit.edu>, Steven Rostedt <rostedt@goodmis.org>,
	Anna-Maria Gleixner <anna-maria@linutronix.de>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: Re: Hashed pointer issues
Date: Tue, 1 May 2018 07:23:05 +1000
Message-ID: <20180430212305.GD22100@eros>
In-Reply-To: <CAGXu5jKbagUs7cS5y6zRQkgiA0tnD7K0FajwA1Gt+ZCPrc2jfQ@mail.gmail.com>

On Mon, Apr 30, 2018 at 12:16:45PM -0700, Kees Cook wrote:
> On Mon, Apr 30, 2018 at 12:00 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> > On Mon, Apr 30, 2018 at 11:38 AM Kees Cook <keescook@chromium.org> wrote:
> >
> >> Something like this? (Untested.)
> >
> > Looks workable.
> >
> >> +       /* If we have hw RNG, start hashing immediately. */
> >> +       if (arch_has_random()) {
> >> +               get_random_bytes_arch(&ptr_key, sizeof(ptr_key));
> >> +               ptr_key_ready();
> >> +               return 0;
> >> +       }
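Review bot: the `+ get_random_bytes_arch(&ptr_key, sizeof(ptr_key));` line discards the call's result, and the reply below points out that this function cannot signal a short fill anyway, since it falls back to get_random_bytes() when the hardware RNG does not deliver; as the hunk stands, ptr_key_ready() runs even when the key was partly or wholly filled by the CRNG path the patch is trying to avoid. Suggest a variant that returns the number of bytes it filled, e.g. `if (get_hw_random_bytes(&ptr_key, sizeof(ptr_key)) == sizeof(ptr_key))`, and calling ptr_key_ready() only on a full fill, marking the new function __must_check so the result cannot be dropped again.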
> >
> > Small tweak: you should check the return value of get_random_bytes_arch(),
> > because in theory it can fail.
> >
> > Sadly, that's not actually how get_random_bytes_arch() really works - it
> > falls back on "get_random_bytes()" on failure instead, which is explicitly
> > against the whole point here.
> 
> I just noticed: there are _no_ users of get_random_bytes_arch() ...
> didn't we once use it to feed entropy to the CRNG?
> 
> > So I think it would need some tweaking, with a new function entirely
> > (get_random_bytes_arch() with a failure return for "cannot fill buffer").
> >
> > But that would be just a few more lines, because we could make the existing
> > get_random_bytes_arch() just use the failure-case thing.
> >
> > So add a "get_hw_random_bytes()" that does that same loop in
> > get_random_bytes_arch(), but returns the number of bytes it filled in.
> >
> > Then get_random_bytes_arch() turns into
> >
> >      got = get_hw_random_bytes(p, nbytes);
> >      if (got < nbytes)
> >          get_random_bytes(p+got, nbytes-got);
> >
> > and the initialize_ptr_random() use would be something like
> >
> >      if (get_hw_random_bytes(&ptr_key, sizeof(ptr_key)) == sizeof(ptr_key)) {
> >          ptr_key_ready();
> >          return 0;
> >      }
> >
> > Hmm?
> >
> > Maybe we could call the "get_hw_random_bytes()" something like
> > "get_early_random_bytes()" and the "use HW for it" is purely an
> > implementation detail?
> 
> Yeah, and if we add __must_check, I think this should be fine. Ted,
> any thoughts on this?
> 
> Tobin, is this something you've got time to implement and test?

Sure thing, thanks for the opportunity.

	Tobin
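A userspace model of the split Linus sketches above, as an added example that is not code from this thread or from the kernel: the arch RNG and the CRNG are simulated (sim_arch_get_random_long(), the hw_longs_left counter and the 0x5C marker fill are assumptions), so what it shows is the byte-count contract of get_hw_random_bytes(), the fallback in get_random_bytes_arch(), and a key setup that refuses to mark the key ready on a partial hardware fill.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed stand-in for arch_get_random_long(): succeeds hw_longs_left times. */
static int hw_longs_left;
static bool sim_arch_get_random_long(unsigned long *v)
{
	if (hw_longs_left <= 0)
		return false;
	hw_longs_left--;
	*v = ~0UL / 0xFF * 0xA5;	/* constructed fixed "hardware" value, 0xA5 per byte */
	return true;
}

/* Same loop shape as get_random_bytes_arch(), but it stops at the first
 * hardware failure and reports how many bytes were actually filled. */
static size_t get_hw_random_bytes(void *buf, size_t nbytes)
{
	size_t filled = 0;
	unsigned long v;
	while (filled < nbytes && sim_arch_get_random_long(&v)) {
		size_t chunk = nbytes - filled < sizeof(v) ? nbytes - filled : sizeof(v);
		memcpy((char *)buf + filled, &v, chunk);
		filled += chunk;
	}
	return filled;
}

/* get_random_bytes_arch() as sketched: hardware first, then the CRNG fallback
 * (simulated here by a 0x5C marker fill) for whatever is left. */
static void get_random_bytes_arch(void *p, size_t nbytes)
{
	size_t got = get_hw_random_bytes(p, nbytes);
	if (got < nbytes)
		memset((char *)p + got, 0x5C, nbytes - got);
}

static unsigned long ptr_key[2];
static bool ptr_key_is_ready;
/* Early key init: mark the key ready only on a full hardware fill, otherwise
 * return -1 so the caller defers until the CRNG is ready. */
static int initialize_ptr_random(void)
{
	if (get_hw_random_bytes(&ptr_key, sizeof(ptr_key)) == sizeof(ptr_key)) {
		ptr_key_is_ready = true;
		return 0;
	}
	return -1;
}
```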

Thread overview:
2018-04-30 15:50 Hashed pointer issues Anna-Maria Gleixner
2018-04-30 16:11 ` Kees Cook
2018-04-30 16:31   ` Linus Torvalds
2018-04-30 16:41     ` Steven Rostedt
2018-04-30 16:57       ` Linus Torvalds
2018-04-30 17:01         ` Linus Torvalds
2018-04-30 17:06           ` Randy Dunlap
2018-04-30 17:12             ` Linus Torvalds
2018-05-01  7:05               ` tcharding
2018-05-03  8:41             ` Geert Uytterhoeven
2018-04-30 18:38           ` Kees Cook
2018-04-30 19:00             ` Linus Torvalds
2018-04-30 19:16               ` Kees Cook
2018-04-30 20:01                 ` Linus Torvalds
2018-04-30 20:07                   ` Linus Torvalds
2018-04-30 21:23                 ` Tobin C. Harding [this message]