From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jann Horn <jannh@google.com>, tcharding <me@tobin.cc>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Eric Biggers <ebiggers@google.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] random: fix rdrand mix-in
Date: Tue, 17 Jul 2018 16:26:35 -0400 [thread overview]
Message-ID: <20180717202635.GA3489@thunk.org> (raw)
In-Reply-To: <CA+55aFxjx+naf3vQ++kqxBNS=dvevPebcKOzA=OYWfMJZ2CrzA@mail.gmail.com>
On Tue, Jul 17, 2018 at 09:26:00AM -0700, Linus Torvalds wrote:
> On Tue, Jul 17, 2018 at 6:54 AM Arnd Bergmann <arnd@arndb.de> wrote:
> >
> > The newly added arch_get_random_int() call was done incorrectly,
> > using the output only if rdrand hardware was /not/ available. The
> > compiler points out that the data is uninitialized in this case:
Yeah, oops. I had sent it for review to linux-crypto two days ago,
and no one had caught it there --- so thanks so much for catching it,
Arnd! I'm going to fold this into the existing patch so it's easier
to get this sent to stable.
> > for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) {
> > - if (arch_get_random_int(&t))
> > + if (!arch_get_random_int(&t))
> > continue;
> > buf[i] ^= t;
> > }
>
> Why not just make that "continue" be a "break"? If you fail once, you
> will fail the next time too (whether the arch just doesn't support it
> at all, or whether the HW entropy is just temporarily exhausted).
I wasn't sure how quickly the HW entropy would replenish itself; I
know that on first RDRAND platforms it would effectively never fail
(as in if six of the eight cores were calling RDRAND in a tight loop
_maybe_ you could exhaust the HW entropy). But on more modern systems
with a huge number of cores (say, a 96 core Xeon) HW entropy running
out was much more of a thing. My impression was it could replenish
itself fairly quickly, so my thinking was continue was better than
break.
The other thing that was a factor in my thinking was this was getting
called from process context, and the process would be burning CPU time
running "Jitterentropy", so it didn't seem like we would be wasting
*that* much CPU time.
It's big deal either way, so I can make it be a break if you think
that's better.
- Ted
next prev parent reply other threads:[~2018-07-17 21:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-17 13:53 [PATCH] random: fix rdrand mix-in Arnd Bergmann
2018-07-17 16:26 ` Linus Torvalds
2018-07-17 20:26 ` Theodore Y. Ts'o [this message]
2018-07-18 0:01 ` Linus Torvalds
2018-07-17 20:37 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180717202635.GA3489@thunk.org \
--to=tytso@mit.edu \
--cc=arnd@arndb.de \
--cc=ebiggers@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=me@tobin.cc \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.