From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: George Spelvin <lkml@SDF.ORG>
Cc: David Laight <David.Laight@ACULAB.COM>,
Dan Williams <dan.j.williams@intel.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Qian Cai <cai@lca.pw>, Kees Cook <keescook@chromium.org>,
Michal Hocko <mhocko@suse.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linux MM <linux-mm@kvack.org>
Subject: Re: [RFC PATCH v1 00/52] Audit kernel random number use
Date: Sun, 29 Mar 2020 17:42:14 -0400 [thread overview]
Message-ID: <20200329214214.GB768293@mit.edu> (raw)
In-Reply-To: <20200329174122.GD4675@SDF.ORG>
On Sun, Mar 29, 2020 at 05:41:22PM +0000, George Spelvin wrote:
> > Using xor was particularly stupid.
> > The whole generator was then linear and trivially reversable.
> > Just using addition would have made it much stronger.
>
> I considered changing it to addition (actually, add pairs and XOR the
> sums), but that would break its self-test. And once I'd done that,
> there are much better possibilities.
>
> Actually, addition doesn't make it *much* stronger. To start
> with, addition and xor are the same thing at the lsbit, so
> observing 113 lsbits gives you a linear decoding problem.
David,
If anyone is trying to rely on prandom_u32() as being "strong" in any
sense of the word in terms of being reversable by attacker --- they
shouldn't be using prandom_u32(). That's going to be true no matter
*what* algorithm we use.
Better distribution? Sure. Making prandom_u32() faster? Absolutely;
that's its primary Raison d'Etre.
George,
Did you send the full set of patches to a single mailing list? Or can
you make it available on a git tree somewhere? I've y seen this
message plus the ext4 related change, and I can't find the full patch
series anywhere. If you can send the next version such that it's
fully cc'ed to linux-kernel, that would be really helpful.
Thanks!!
- Ted
next prev parent reply other threads:[~2020-03-29 21:42 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-03 9:51 [RFC PATCH v1 46/50] mm/shuffle.c: use get_random_max() George Spelvin
2020-03-28 18:23 ` Dan Williams
2020-03-28 18:28 ` [RFC PATCH v1 00/52] Audit kernel random number use George Spelvin
2020-03-29 12:21 ` David Laight
2020-03-29 17:41 ` George Spelvin
2020-03-29 21:42 ` Theodore Y. Ts'o [this message]
2020-03-30 2:45 ` Another batched entropy idea George Spelvin
2020-03-30 5:54 ` [PATCH] random: reduce temporary buffers George Spelvin
2020-03-30 9:27 ` [RFC PATCH v1 00/52] Audit kernel random number use David Laight
2020-04-01 5:17 ` lib/random32.c security George Spelvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200329214214.GB768293@mit.edu \
--to=tytso@mit.edu \
--cc=David.Laight@ACULAB.COM \
--cc=akpm@linux-foundation.org \
--cc=cai@lca.pw \
--cc=dan.j.williams@intel.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lkml@SDF.ORG \
--cc=mhocko@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.