From: Florian Weimer <fweimer@redhat.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
x86@kernel.org, Nadia Heninger <nadiah@cs.ucsd.edu>,
Thomas Ristenpart <ristenpart@cornell.edu>,
Theodore Ts'o <tytso@mit.edu>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
Subject: Re: [PATCH RFC v1] random: implement getrandom() in vDSO
Date: Fri, 05 Aug 2022 10:36:16 +0200 [thread overview]
Message-ID: <87v8r713zz.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <878ro6smmm.ffs@tglx> (Thomas Gleixner's message of "Tue, 02 Aug 2022 17:14:57 +0200")
* Thomas Gleixner:
> On Tue, Aug 02 2022 at 15:59, Jason A. Donenfeld wrote:
>> On Tue, Aug 02, 2022 at 03:46:27PM +0200, Thomas Gleixner wrote:
>>> Right now the Linux VDSO functions are 1:1 replacements for system calls
>>> and not adding a magic pile of functionality which is otherwise not
>>> available.
>>>
>>> What you are proposing is to have an implementation which is not
>>> available via a regular syscall. Which means you are creating a VDSO
>>> only syscall which still has the same problem as any other syscall in
>>> terms of API design and functionality which needs to be supported
>>> forever.
>>
>> Wait, what? That's not correct. The WHOLE point is that vdso getrandom()
>> will generate bytes in the same way as the ordinary syscall, without
>> differences. Same function name, same algorithm. But just faster,
>> because vDSO. I explicitly don't want to dip into introducing something
>> different. That's the big selling point: that vDSO getrandom() and
>> syscall getrandom() are the same thing. If you trust one, you can trust
>> the other. If you expect properties of one, you get that from the other.
>> If you know the API of one, you can use the other.
>
> Seriously no. All existing VDSO functions have exactly the same function
> signature and semantics as their syscall counterparts. So they are drop
> in equivalent.
>
> But:
>
> ssize_t getrandom(void *, void *, size_t, unsigned int);
>
> is very much different than
>
> ssize_t getrandom(void *, size_t, unsigned int);
>
> Different signature and different semantics.
Just use
ssize_t getrandom(size_t, unsigned int, void *);
then and have the system call ignore the argument. There is recent
precedent for adding additional arguments to system calls, see
membarrier. If we want to be super-conservative, we could add a new
flag and have the vDSO version always call into the kernel if the flag
isn't set.
*This* part is far less problematic compared to the approach to
per-thread memory allocation.
We now have:
* Explicit donation of memory areas to the kernel (set_robust_list,
rseq).
* This getrandom_alloc vDSO call which does something unspecified and
may return pointers which are or are not abstract. (How is CRIU
expected to handle this?)
* There's also userspace shadow stack coming. I think the kernel moved
away from implicit allocation, to something mmap-based. It's not
clear to me why that would be okay here, but not for shadow stacks.
Does io_uring have to handle a similar problem, too?
As long as the vDSO doesn't use private system calls, I don't expect any
practical problems, but this optimization doesn't really look to me like
something that intrinsically benefits from a completely new way of
allocating userspace memory for use by the kernel.
Thanks,
Florian
prev parent reply other threads:[~2022-08-05 8:36 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-29 14:55 [PATCH RFC v1] random: implement getrandom() in vDSO Jason A. Donenfeld
2022-07-29 20:19 ` Florian Weimer
2022-07-29 22:06 ` Jason A. Donenfeld
2022-07-30 15:48 ` Linus Torvalds
2022-07-30 23:45 ` Jason A. Donenfeld
2022-07-31 0:23 ` Jason A. Donenfeld
2022-07-31 1:31 ` [PATCH RFC v2] " Jason A. Donenfeld
2022-08-01 8:48 ` Florian Weimer
2022-08-01 12:49 ` Jason A. Donenfeld
2022-08-01 13:29 ` Jason A. Donenfeld
2022-08-01 13:00 ` Jason A. Donenfeld
2022-08-01 20:48 ` Thomas Gleixner
2022-08-01 23:41 ` Jason A. Donenfeld
2022-08-02 0:12 ` Jason A. Donenfeld
2022-08-01 19:30 ` [PATCH RFC v1] " Thomas Gleixner
2022-08-01 23:16 ` Jason A. Donenfeld
2022-08-02 13:46 ` Thomas Gleixner
2022-08-02 13:59 ` Jason A. Donenfeld
2022-08-02 15:14 ` Thomas Gleixner
2022-08-02 15:26 ` Jason A. Donenfeld
2022-08-02 22:27 ` Thomas Gleixner
2022-08-04 15:23 ` Jason A. Donenfeld
2022-08-04 16:08 ` Jeffrey Walton
2022-08-04 23:11 ` Thomas Gleixner
2022-08-17 8:20 ` Peter Zijlstra
2022-08-05 8:36 ` Florian Weimer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87v8r713zz.fsf@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=Jason@zx2c4.com \
--cc=adhemerval.zanella@linaro.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nadiah@cs.ucsd.edu \
--cc=ristenpart@cornell.edu \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=vincenzo.frascino@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.