From: "Theodore Ts'o" <tytso@mit.edu>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH v2] random: avoid superfluous call to RDRAND in CRNG extraction
Date: Fri, 31 Dec 2021 12:13:48 -0500 [thread overview]
Message-ID: <Yc86TIah3w4waDEc@mit.edu> (raw)
In-Reply-To: <20211231114903.60882-1-Jason@zx2c4.com>
On Fri, Dec 31, 2021 at 12:49:03PM +0100, Jason A. Donenfeld wrote:
> RDRAND is not fast. RDRAND is actually quite slow. We've known this for
> a while, which is why functions like get_random_u{32,64} were converted
> to use batching of our ChaCha-based CRNG instead.
>
> Yet CRNG extraction still includes a call to RDRAND, in the hot path of
> every call to get_random_bytes(), /dev/urandom, and getrandom(2).
>
> This call to RDRAND here seems quite superfluous. CRNG is already
> extracting things based on a 256-bit key, based on good entropy, which
> is then reseeded periodically, updated, backtrack-mutated, and so
> forth. The CRNG extraction construction is something that we're already
> relying on to be secure and solid. If it's not, that's a serious
> problem, and it's unlikely that mixing in a measly 32 bits from RDRAND
> is going to alleviate things.
>
> And in the case where the CRNG doesn't have enough entropy yet, we're
> already initializing the ChaCha key row with RDRAND in
> crng_init_try_arch_early().
>
> Removing the call to RDRAND improves performance on an i7-11850H by
> 370%. In other words, the vast majority of the work done by
> extract_crng() prior to this commit was devoted to fetching 32 bits of
> RDRAND.
>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
next prev parent reply other threads:[~2021-12-31 17:13 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-30 16:50 [PATCH] random: avoid superfluous call to RDRAND in CRNG extraction Jason A. Donenfeld
2021-12-30 22:13 ` Theodore Ts'o
2021-12-30 22:58 ` Jason A. Donenfeld
2021-12-31 3:35 ` Theodore Ts'o
2021-12-31 11:49 ` [PATCH v2] " Jason A. Donenfeld
2021-12-31 17:13 ` Theodore Ts'o [this message]
2022-01-04 5:03 ` Sandy Harris
2022-01-04 5:55 ` Theodore Ts'o
2022-01-20 15:03 ` Jason A. Donenfeld
2022-01-20 15:07 ` [PATCH] random: use named fields for adjusting chacha state Jason A. Donenfeld
2022-01-20 17:50 ` Theodore Ts'o
2022-01-20 21:53 ` Jason A. Donenfeld
2022-01-05 15:28 ` [PATCH v2] random: avoid superfluous call to RDRAND in CRNG extraction Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yc86TIah3w4waDEc@mit.edu \
--to=tytso@mit.edu \
--cc=Jason@zx2c4.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.