From: Eric Biggers <ebiggers@kernel.org>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Theodore Ts'o <tytso@mit.edu>,
Dominik Brodowski <linux@dominikbrodowski.net>
Subject: Re: [PATCH v3] random: absorb fast pool into input pool after fast load
Date: Sun, 20 Feb 2022 18:47:28 -0800 [thread overview]
Message-ID: <YhL9QNsMSHZvuR0u@sol.localdomain> (raw)
In-Reply-To: <20220215211333.244383-1-Jason@zx2c4.com>
On Tue, Feb 15, 2022 at 10:13:33PM +0100, Jason A. Donenfeld wrote:
> During crng_init == 0, we never credit entropy in add_interrupt_
> randomness(), but instead dump it directly into the primary_crng. That's
> fine, except for the fact that we then wind up throwing away that
> entropy later when we switch to extracting from the input pool and
> overwriting the primary_crng key. The two other early init sites --
> add_hwgenerator_randomness()'s use crng_fast_load() and add_device_
> randomness()'s use of crng_slow_load() -- always additionally give their
> inputs to the input pool. But not add_interrupt_randomness().
>
> This commit fixes that shortcoming by calling mix_pool_bytes() after
> crng_fast_load() in add_interrupt_randomness(). That's partially
> verboten on PREEMPT_RT, where it implies taking spinlock_t from an IRQ
> handler. But this also only happens during early boot and then never
> again after that. Plus it's a trylock so it has the same considerations
> as calling crng_fast_load(), which we're already using.
>
> Cc: Theodore Ts'o <tytso@mit.edu>
> Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
> Suggested-by: Eric Biggers <ebiggers@google.com>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---
> v3 uses a trylock instead of a spinlock, just like all the other locks
> taken in hard irq. (Incidentally, we're now talking about moving this
> into the deferred stage, so that at can be a spinlock, but at least with
> what we have here, this really must be a trylock.)
This looks fine, though it's unfortunate that it has to be a trylock so this
isn't guaranteed. Also, the commit message is a bit misleading because it talks
about "overwriting" the primary_crng key, but at this point in the series the
extracted entropy is still being XOR'd with the primary_crng key. It's not
until the next patch that the key is simply overwritten.
- Eric
next prev parent reply other threads:[~2022-02-21 2:47 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-09 1:19 [PATCH v2 0/9] random: cleanups around per-cpu crng & rdrand Jason A. Donenfeld
2022-02-09 1:19 ` [PATCH v2 1/9] random: use RDSEED instead of RDRAND in entropy extraction Jason A. Donenfeld
2022-02-09 6:18 ` Dominik Brodowski
2022-02-09 1:19 ` [PATCH v2 2/9] random: get rid of secondary crngs Jason A. Donenfeld
2022-02-09 8:22 ` Dominik Brodowski
2022-02-09 10:26 ` Jason A. Donenfeld
2022-02-21 2:38 ` Eric Biggers
2022-02-09 1:19 ` [PATCH v2 3/9] random: inline leaves of rand_initialize() Jason A. Donenfeld
2022-02-09 8:22 ` Dominik Brodowski
2022-02-09 10:27 ` Jason A. Donenfeld
2022-02-09 1:19 ` [PATCH v2 4/9] random: ensure early RDSEED goes through mixer on init Jason A. Donenfeld
2022-02-09 8:23 ` Dominik Brodowski
2022-02-09 10:37 ` Jason A. Donenfeld
2022-02-09 1:19 ` [PATCH v2 5/9] random: do not xor RDRAND when writing into /dev/random Jason A. Donenfeld
2022-02-09 8:28 ` Dominik Brodowski
2022-02-09 10:40 ` Jason A. Donenfeld
2022-02-09 1:19 ` [PATCH v2 6/9] random: absorb fast pool into input pool after fast load Jason A. Donenfeld
2022-02-09 8:29 ` Dominik Brodowski
2022-02-09 10:45 ` Jason A. Donenfeld
2022-02-15 21:13 ` [PATCH v3] " Jason A. Donenfeld
2022-02-21 2:47 ` Eric Biggers [this message]
2022-02-21 14:57 ` Jason A. Donenfeld
2022-02-21 14:58 ` [PATCH v4] " Jason A. Donenfeld
2022-02-21 19:08 ` Eric Biggers
2022-02-09 1:19 ` [PATCH v2 7/9] random: use simpler fast key erasure flow on per-cpu keys Jason A. Donenfeld
2022-02-09 8:30 ` Dominik Brodowski
2022-02-09 10:54 ` Jason A. Donenfeld
2022-02-14 18:46 ` [PATCH v3] " Jason A. Donenfeld
2022-02-16 23:21 ` [PATCH v4] " Jason A. Donenfeld
2022-02-21 3:37 ` Eric Biggers
2022-02-21 14:42 ` Jason A. Donenfeld
2022-02-09 1:19 ` [PATCH v2 8/9] random: use hash function for crng_slow_load() Jason A. Donenfeld
2022-02-09 8:30 ` Dominik Brodowski
2022-02-21 3:40 ` Eric Biggers
2022-02-09 1:19 ` [PATCH v2 9/9] random: remove outdated INT_MAX >> 6 check in urandom_read() Jason A. Donenfeld
2022-02-21 3:56 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YhL9QNsMSHZvuR0u@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.