From: "H. Peter Anvin" <hpa@zytor.com>
To: Torsten Duwe <duwe@lst.de>, Torsten Duwe <duwe@lst.de>
Cc: tytso@mit.edu, ingo.tuchscherer@de.ibm.com,
linux-kernel@vger.kernel.org,
Hans-Georg Markgraf <MGRF@de.ibm.com>,
Gerald Schaefer <gerald.schaefer@de.ibm.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Joe Perches <joe@perches.com>
Subject: Re: [Resend PATCH 2/2] s390: provide hardware randomness from zcrypt card to /dev/random
Date: Thu, 19 Sep 2013 08:05:32 -0500
Message-ID: <33dd164b-00a7-4cbd-9d62-66000ed4abbf@email.android.com>
In-Reply-To: <alpine.LNX.2.00.1309191030180.3014@linux.site>

As I said, the option of doing feed from hwrng directly via a kernel thread seems the most logical thing to me, assuming you can convince Ted & co. rngd doesn't really add much value for a whitened source.

Torsten Duwe <duwe@lst.de> wrote:
>
>
>On Thu, 12 Sep 2013, H. Peter Anvin wrote:
>
>> From what I can gather from the patch this is too heavyweight (need
>> locks and so on) to use as arch_get_random*(). There has been a lot of
>
>Alas, I can see there's only x86 that currently has this implemented?
>
>> discussion about the pros and cons of allowing the kernel to bypass
>> rngd, but I would think that any such plumbing -- once it gets past the
>> fully synchronous low latency properties of arch_get_random*() -- really
>> should be implemented as an option in the existing hwrng device
>> infrastructure.
>
>As I wrote in the intro, the problem to solve is slow startup when ASLR is
>in effect; in that case: until rngd or haveged is finally running.
>
>> In other words, start by implementing a hwrng device. That will work
>> right now with rngd running. Then we can consider if we want to allow
>
>That's already there, thanks to the IBM guys :)
>
>> bypass of rngd for certain hwrng devices -- which may include zcrypt,
>> virtio_rng and so on.
>
>I'm currently thinking about some kind of buffer in zcrypt, where
>arch_get_random can get a long or int quickly, as "designed" after x86.
>Device init or low water would trigger a work item to refill the buffer.
>It might turn out though, that every device on every architecture that does
>not quite match the x86 approach implements its own buffer.
>
>What do you think?
>
>Besides that, as you wrote, a generic mechanism to mix hwrngs into the
>input pool would be nice, triggered by user space policy. As far as I can
>see, some mixing of arch_get_random is done, but no entropy credited?
>
> Torsten
--
Sent from my mobile phone. Please pardon brevity and lack of formatting.
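
A single-threaded userspace model of the buffering scheme discussed in the quoted text (a small cache drained by a fast, non-blocking getter, with device init or a low-water mark requesting a refill), added here as an illustration; it is not code from the patch or from either participant. All names (`rng_cache`, `cache_get_long`, `cache_refill`, `fake_hw_word`), the buffer size and the threshold are assumptions, and the counter standing in for the device is not random.

```c
#include <stdbool.h>
#include <stdio.h>

#define POOL_WORDS 8 /* assumed buffer size */
#define LOW_WATER  2 /* assumed refill threshold */

/* Hypothetical model; a kernel version would also need locking or per-CPU state. */
struct rng_cache {
    unsigned long words[POOL_WORDS];
    size_t avail;        /* unread words left */
    bool refill_pending; /* stands in for a queued work item */
};

/* Stand-in for the slow device read. A counter, NOT random. */
static unsigned long fake_hw_word(void) { static unsigned long n = 0x1000; return n++; }

/* Slow path: what the refill work item would do. Returns words added. */
static size_t cache_refill(struct rng_cache *c)
{
    size_t added = 0;
    for (; c->avail < POOL_WORDS; added++)
        c->words[c->avail++] = fake_hw_word();
    c->refill_pending = false;
    return added;
}

/* Fast path: never waits. false means "empty, caller must fall back". */
static bool cache_get_long(struct rng_cache *c, unsigned long *out)
{
    if (c->avail == 0) {
        c->refill_pending = true;
        return false;
    }
    *out = c->words[--c->avail];
    c->words[c->avail] = 0; /* a word is handed out once, then wiped */
    if (c->avail <= LOW_WATER)
        c->refill_pending = true;
    return true;
}

int main(void)
{
    struct rng_cache c = {0};
    unsigned long v = 0;
    bool early = cache_get_long(&c, &v); /* false: nothing buffered yet */
    cache_refill(&c);
    printf("early=%d after_refill=%d\n", early, cache_get_long(&c, &v));
    return 0;
}
```

The early-boot case the thread is concerned with shows up as the first call failing: until the first refill has run, the fast path has nothing to give and the caller is back to whatever entropy it had before.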

Thread overview: 7+ messages
2013-09-12 9:41 [Resend PATCH 2/2] s390: provide hardware randomness from zcrypt card to /dev/random Torsten Duwe
2013-09-12 20:37 ` H. Peter Anvin
2013-09-19 8:47 ` Torsten Duwe
2013-09-19 13:03 ` H. Peter Anvin
2013-09-19 13:05 ` H. Peter Anvin [this message]
2014-03-17 16:48 ` [PATCH 00/03]: khwrngd (Was: s390: provide hardware randomness from zcrypt card to /dev/random) Torsten Duwe
2014-03-17 16:50 ` [Patch 01/03]: provide an injection point for pure hardware randomness Torsten Duwe