From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: tytso@mit.edu, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] random: always use batched entropy for get_random_u{32,64}
Date: Sun, 16 Feb 2020 19:23:19 +0100 [thread overview]
Message-ID: <20200216182319.GA54139@kroah.com> (raw)
In-Reply-To: <20200216161836.1976-1-Jason@zx2c4.com>
On Sun, Feb 16, 2020 at 05:18:36PM +0100, Jason A. Donenfeld wrote:
> It turns out that RDRAND is pretty slow. Comparing these two
> constructions:
>
> for (i = 0; i < CHACHA_BLOCK_SIZE; i += sizeof(ret))
> arch_get_random_long(&ret);
>
> and
>
> long buf[CHACHA_BLOCK_SIZE / sizeof(long)];
> extract_crng((u8 *)buf);
>
> it amortizes out to 352 cycles per long for the top one and 107 cycles
> per long for the bottom one, on Coffee Lake Refresh, Intel Core i9-9880H.
>
> And importantly, the top one has the drawback of not benefiting from the
> real rng, whereas the bottom one has all the nice benefits of using our
> own chacha rng. As get_random_u{32,64} gets used in more places (perhaps
> beyond what it was originally intended for when it was introduced as
> get_random_{int,long} back in the md5 monstrosity era), it seems like it
> might be a good thing to strengthen its posture a tiny bit. Doing this
> should only be stronger and not any weaker because that pool is already
> initialized with a bunch of rdrand data (when available). This way, we
> get the benefits of the hardware rng as well as our own rng.
>
> Another benefit of this is that we no longer hit pitfalls of the recent
> stream of AMD bugs in RDRAND. One often used code pattern for various
> things is:
>
> do {
> val = get_random_u32();
> } while (hash_table_contains_key(val));
>
> That recent AMD bug rendered that pattern useless, whereas we're really
> very certain that chacha20 output will give pretty distributed numbers,
> no matter what.
>
> So, this simplification seems better both from a security perspective
> and from a performance perspective.
>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> drivers/char/random.c | 12 ------------
> 1 file changed, 12 deletions(-)
Looks good to me, thank for doing this:
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
next prev parent reply other threads:[~2020-02-16 18:23 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-16 16:18 [PATCH] random: always use batched entropy for get_random_u{32,64} Jason A. Donenfeld
2020-02-16 18:23 ` Greg Kroah-Hartman [this message]
2020-02-20 22:20 ` Tony Luck
2020-02-20 22:29 ` Tony Luck
2020-02-21 20:08 ` Jason A. Donenfeld
2020-02-22 0:41 ` Theodore Y. Ts'o
2020-02-22 9:59 ` Jason A. Donenfeld
2020-02-24 20:41 ` Luck, Tony
2020-02-21 20:07 ` Jason A. Donenfeld
2020-02-21 20:10 ` [PATCH v2] " Jason A. Donenfeld
2020-02-28 4:09 ` Theodore Y. Ts'o
2020-04-01 13:08 ` Nicolai Stange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200216182319.GA54139@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=Jason@zx2c4.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.