Date: Tue, 11 Aug 2020 05:26:49 +0000
From: George Spelvin
To: Willy Tarreau
Cc: Linus Torvalds, Florian Westphal, Netdev, Amit Klein, Eric Dumazet, "Jason A. Donenfeld", Andrew Lutomirski, Kees Cook, Thomas Gleixner, Peter Zijlstra, "Theodore Ts'o", Marc Plumb, Stephen Hemminger, George Spelvin
Subject: Re: [DRAFT PATCH] random32: make prandom_u32() output unpredictable
Message-ID: <20200811052649.GG25124@SDF.ORG>
In-Reply-To: <20200810210455.GA9194@1wt.eu>
References: <20200809065744.GA17668@SDF.ORG> <20200809093805.GA7928@1wt.eu> <20200809170639.GB25124@SDF.ORG> <20200809173302.GA8027@1wt.eu> <20200809183017.GC25124@SDF.ORG> <20200810114700.GB8474@1wt.eu> <20200810165859.GD9060@1wt.eu> <20200810210455.GA9194@1wt.eu>
X-Mailing-List: netdev@vger.kernel.org

On Mon, Aug 10, 2020 at 11:04:55PM +0200, Willy Tarreau wrote:
> What could be improved is the way the input values are mixed (just
> added hence commutative for now). I didn't want to call a siphash
> round on the hot paths, but just shifting the previous noise value
> before adding would work, such as the following for example:
>
> void prandom_u32_add_noise(a, b, c, d)
> {
> 	unsigned long *noise = get_cpu_ptr(&net_rand_noise);
>
> #if BITS_PER_LONG == 64
> 	*noise = rol64(*noise, 7) + a + b + c + d;
> #else
> 	*noise = rol32(*noise, 7) + a + b + c + d;
> #endif
> 	put_cpu_ptr(&net_rand_noise);
>
> }

If you think this is enough seed material, I'm fine with it.

I don't hugely like the fact that you sum all the inputs, since entropy
tends to be concentrated in the low-order words, and summing risks
cancellation.

You can't afford even one SIPROUND as a non-cryptographic hash?  E.g.

DEFINE_PER_CPU(unsigned long[4], net_rand_noise);
EXPORT_SYMBOL(net_rand_noise);

void prandom_u32_add_noise(a, b, c, d)
{
	unsigned long *noise = get_cpu_ptr(&net_rand_noise);

	a ^= noise[0];
	b ^= noise[1];
	c ^= noise[2];
	d ^= noise[3];
	/*
	 * This is not used cryptographically; it's just
	 * a convenient 4-word hash function.
	 */
	SIPROUND(a, b, c, d);
	noise[0] = a;
	noise[1] = b;
	noise[2] = c;
	noise[3] = d;	/* keep all four words of state */
	put_cpu_ptr(&net_rand_noise);
}

(And then you mix in net_rand_noise[0].)

Other options are HASH_MIX() from fs/namei.c, but that's more
sequential.  There's also a simple Xorshift generator.
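The cancellation point above, worked through as an added example that is not code from this thread or from the kernel tree: a userspace C model of the two candidate mixers, the rotate-and-add sketch and the SIPROUND sketch, fed four distinct input tuples that all have the same sum (same words reordered, a +1/-1 pair that cancels, all the entropy in one word). The SIPROUND macro is written here to the public SipHash round structure; that the mail's SIPROUND(a, b, c, d) denotes that round is an assumption, and the input tuples and the initial state words are constructed values. Only the 64-bit case is modelled.

```c
/*
 * Added example (not from the thread or the kernel tree): userspace
 * model of the two candidate noise mixers discussed above, 64-bit only.
 * SIPROUND below is written to the public SipHash round structure; that
 * the mail's SIPROUND(a, b, c, d) denotes that round is an assumption.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static inline uint64_t rol64(uint64_t w, unsigned s)
{
	return (w << s) | (w >> (64 - s));
}

/* One SipHash ARX round on four 64-bit words; every step is invertible,
 * so the round is a bijection on the 256-bit state. */
#define SIPROUND(v0, v1, v2, v3) do {					\
	v0 += v1; v1 = rol64(v1, 13); v1 ^= v0; v0 = rol64(v0, 32);	\
	v2 += v3; v3 = rol64(v3, 16); v3 ^= v2;				\
	v0 += v3; v3 = rol64(v3, 21); v3 ^= v0;				\
	v2 += v1; v1 = rol64(v1, 17); v1 ^= v2; v2 = rol64(v2, 32);	\
} while (0)

/* Rotate-and-add mixer (one word of state), as in the quoted sketch. */
static uint64_t mix_rotadd(uint64_t noise, uint64_t a, uint64_t b,
			   uint64_t c, uint64_t d)
{
	return rol64(noise, 7) + a + b + c + d;
}

/* SIPROUND mixer (four words of state), as in the reply's sketch. */
struct noise4 { uint64_t w[4]; };

static void mix_sipround(struct noise4 *n, uint64_t a, uint64_t b,
			 uint64_t c, uint64_t d)
{
	a ^= n->w[0]; b ^= n->w[1]; c ^= n->w[2]; d ^= n->w[3];
	SIPROUND(a, b, c, d);
	n->w[0] = a; n->w[1] = b; n->w[2] = c; n->w[3] = d;
}

/* Constructed inputs: four distinct tuples, all with a+b+c+d == 0xa000. */
struct tuple { uint64_t a, b, c, d; };
static const struct tuple SAME_SUM[4] = {
	{ 0x1000, 0x2000, 0x3000, 0x4000 },
	{ 0x2000, 0x1000, 0x3000, 0x4000 },	/* same words, reordered */
	{ 0x1001, 0x1fff, 0x3000, 0x4000 },	/* +1 in a cancels -1 in b */
	{ 0x0000, 0x0000, 0x0000, 0xa000 },	/* everything in one word */
};

/* Constructed, arbitrary nonzero initial state used by both mixers. */
static const uint64_t INIT[4] = {
	0x243f6a8885a308d3ULL, 0x13198a2e03707344ULL,
	0xa4093822299f31d0ULL, 0x082efa98ec4e6c89ULL,
};

/* Number of distinct items among n fixed-size blobs (quadratic; n is tiny). */
static size_t count_distinct(const void *items, size_t n, size_t size)
{
	const unsigned char *p = items;
	size_t distinct = 0;

	for (size_t i = 0; i < n; i++) {
		size_t j;
		for (j = 0; j < i; j++)
			if (memcmp(p + i * size, p + j * size, size) == 0)
				break;
		if (j == i)
			distinct++;
	}
	return distinct;
}

/* Distinct post-mix states over SAME_SUM: 1, the sum is all that survives. */
size_t rotadd_distinct_states(void)
{
	uint64_t out[4];

	for (size_t i = 0; i < 4; i++)
		out[i] = mix_rotadd(INIT[0], SAME_SUM[i].a, SAME_SUM[i].b,
				    SAME_SUM[i].c, SAME_SUM[i].d);
	return count_distinct(out, 4, sizeof out[0]);
}

/*
 * Distinct post-mix states over SAME_SUM: 4. XOR with the old state and
 * the round are both bijections, so distinct inputs cannot collide in the
 * full 256-bit state that the next call will fold its inputs into.
 */
size_t sipround_distinct_states(void)
{
	struct noise4 out[4];

	for (size_t i = 0; i < 4; i++) {
		memcpy(out[i].w, INIT, sizeof INIT);
		mix_sipround(&out[i], SAME_SUM[i].a, SAME_SUM[i].b,
			     SAME_SUM[i].c, SAME_SUM[i].d);
	}
	return count_distinct(out, 4, sizeof out[0]);
}

int main(void)
{
	printf("rotate-and-add: %zu distinct states from 4 inputs\n",
	       rotadd_distinct_states());
	printf("SIPROUND:       %zu distinct states from 4 inputs\n",
	       sipround_distinct_states());
	return 0;
}
```

The rotate in the first mixer only separates successive calls; within one call the four words are still folded by addition, so reordering them or moving a bit from one word to another leaves the new state unchanged, which is the cancellation the reply worries about. The SIPROUND mixer keeps the four words apart in the state, so the same four inputs yield four different states.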