From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: libc-alpha@sourceware.org, adhemerval.zanella@linaro.org,
Florian Weimer <fweimer@redhat.com>,
Eric Biggers <ebiggers@kernel.org>,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH v6] arc4random: simplify design for better safety
Date: Thu, 28 Jul 2022 11:29:30 +0100 [thread overview]
Message-ID: <YuJlCijOtAXOco6h@arm.com> (raw)
In-Reply-To: <20220726195822.1223048-1-Jason@zx2c4.com>
The 07/26/2022 21:58, Jason A. Donenfeld via Libc-alpha wrote:
> Rather than buffering 16 MiB of entropy in userspace (by way of
> chacha20), simply call getrandom() every time.
>
> This approach is doubtlessly slower, for now, but trying to prematurely
> optimize arc4random appears to be leading toward all sorts of nasty
> properties and gotchas. Instead, this patch takes a much more
> conservative approach. The interface is added as a basic loop wrapper
> around getrandom(), and then later, the kernel and libc together can
> work together on optimizing that.
>
> This prevents numerous issues in which userspace is unaware of when it
> really must throw away its buffer, since we avoid buffering all
> together. Future improvements may include userspace learning more from
> the kernel about when to do that, which might make these sorts of
> chacha20-based optimizations more possible. The current heuristic of 16
> MiB is meaningless garbage that doesn't correspond to anything the
> kernel might know about. So for now, let's just do something
> conservative that we know is correct and won't lead to cryptographic
> issues for users of this function.
>
> This patch might be considered along the lines of, "optimization is the
> root of all evil," in that the much more complex implementation it
> replaces moves too fast without considering security implications,
> whereas the incremental approach done here is a much safer way of going
> about things. Once this lands, we can take our time in optimizing this
> properly using new interplay between the kernel and userspace.
>
> getrandom(0) is used, since that's the one that ensures the bytes
> returned are cryptographically secure. But on systems without it, we
> fallback to using /dev/urandom. This is unfortunate because it means
> opening a file descriptor, but there's not much of a choice. Secondly,
> as part of the fallback, in order to get more or less the same
> properties of getrandom(0), we poll on /dev/random, and if the poll
> succeeds at least once, then we assume the RNG is initialized. This is a
> rough approximation, as the ancient "non-blocking pool" initialized
> after the "blocking pool", not before, and it may not port back to all
> ancient kernels, though it does to all kernels supported by glibc
> (≥3.2), so generally it's the best approximation we can do.
>
> The motivation for including arc4random, in the first place, is to have
> source-level compatibility with existing code. That means this patch
> doesn't attempt to litigate the interface itself. It does, however,
> choose a conservative approach for implementing it.
>
> Cc: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
> Cc: Florian Weimer <fweimer@redhat.com>
> Cc: Cristian Rodríguez <crrodriguez@opensuse.org>
> Cc: Paul Eggert <eggert@cs.ucla.edu>
> Cc: Mark Harris <mark.hsj@gmail.com>
> Cc: Eric Biggers <ebiggers@kernel.org>
> Cc: linux-crypto@vger.kernel.org
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
fyi, after this patch i see
FAIL: stdlib/tst-arc4random-thread
with
$ cat stdlib/tst-arc4random-thread.out
info: arc4random: minimum of 1750000 blob results expected
info: arc4random: 1750777 blob results observed
info: arc4random_buf: minimum of 1750000 blob results expected
info: arc4random_buf: 1750000 blob results observed
info: arc4random_uniform: minimum of 1750000 blob results expected
Timed out: killed the child process
Termination time: 2022-07-27T14:41:33.766791947
Last write to standard output: 2022-07-27T14:41:22.522497854
on an arm and aarch64 builder.
running it manually it takes >30s to complete.
> ---
> LICENSES | 23 -
> NEWS | 4 +-
> include/stdlib.h | 3 -
> manual/math.texi | 13 +-
> stdlib/Makefile | 2 -
> stdlib/arc4random.c | 196 ++----
> stdlib/arc4random.h | 48 --
> stdlib/chacha20.c | 191 ------
> stdlib/tst-arc4random-chacha20.c | 167 -----
> sysdeps/aarch64/Makefile | 4 -
> sysdeps/aarch64/chacha20-aarch64.S | 314 ----------
> sysdeps/aarch64/chacha20_arch.h | 40 --
> sysdeps/generic/chacha20_arch.h | 24 -
> sysdeps/generic/not-cancel.h | 3 +
> sysdeps/generic/tls-internal-struct.h | 1 -
> sysdeps/generic/tls-internal.c | 10 -
> sysdeps/mach/hurd/_Fork.c | 2 -
> sysdeps/mach/hurd/not-cancel.h | 4 +
> sysdeps/nptl/_Fork.c | 2 -
> .../powerpc/powerpc64/be/multiarch/Makefile | 4 -
> .../powerpc64/be/multiarch/chacha20-ppc.c | 1 -
> .../powerpc64/be/multiarch/chacha20_arch.h | 42 --
> sysdeps/powerpc/powerpc64/power8/Makefile | 5 -
> .../powerpc/powerpc64/power8/chacha20-ppc.c | 256 --------
> .../powerpc/powerpc64/power8/chacha20_arch.h | 37 --
> sysdeps/s390/s390-64/Makefile | 6 -
> sysdeps/s390/s390-64/chacha20-s390x.S | 573 ------------------
> sysdeps/s390/s390-64/chacha20_arch.h | 45 --
> sysdeps/unix/sysv/linux/not-cancel.h | 8 +-
> sysdeps/unix/sysv/linux/tls-internal.c | 10 -
> sysdeps/unix/sysv/linux/tls-internal.h | 1 -
> sysdeps/x86_64/Makefile | 7 -
> sysdeps/x86_64/chacha20-amd64-avx2.S | 328 ----------
> sysdeps/x86_64/chacha20-amd64-sse2.S | 311 ----------
> sysdeps/x86_64/chacha20_arch.h | 55 --
> 35 files changed, 64 insertions(+), 2676 deletions(-)
> delete mode 100644 stdlib/arc4random.h
> delete mode 100644 stdlib/chacha20.c
> delete mode 100644 stdlib/tst-arc4random-chacha20.c
> delete mode 100644 sysdeps/aarch64/chacha20-aarch64.S
> delete mode 100644 sysdeps/aarch64/chacha20_arch.h
> delete mode 100644 sysdeps/generic/chacha20_arch.h
> delete mode 100644 sysdeps/powerpc/powerpc64/be/multiarch/Makefile
> delete mode 100644 sysdeps/powerpc/powerpc64/be/multiarch/chacha20-ppc.c
> delete mode 100644 sysdeps/powerpc/powerpc64/be/multiarch/chacha20_arch.h
> delete mode 100644 sysdeps/powerpc/powerpc64/power8/chacha20-ppc.c
> delete mode 100644 sysdeps/powerpc/powerpc64/power8/chacha20_arch.h
> delete mode 100644 sysdeps/s390/s390-64/chacha20-s390x.S
> delete mode 100644 sysdeps/s390/s390-64/chacha20_arch.h
> delete mode 100644 sysdeps/x86_64/chacha20-amd64-avx2.S
> delete mode 100644 sysdeps/x86_64/chacha20-amd64-sse2.S
> delete mode 100644 sysdeps/x86_64/chacha20_arch.h
next prev parent reply other threads:[~2022-07-28 10:30 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-23 16:22 arc4random - are you sure we want these? Jason A. Donenfeld
2022-07-23 16:25 ` Jason A. Donenfeld
2022-07-23 17:18 ` Paul Eggert
2022-07-24 23:55 ` Jason A. Donenfeld
2022-07-25 20:31 ` Paul Eggert
2022-07-23 17:39 ` Adhemerval Zanella Netto
2022-07-23 22:54 ` Jason A. Donenfeld
2022-07-25 15:33 ` Rich Felker
2022-07-25 15:59 ` Adhemerval Zanella Netto
2022-07-25 16:18 ` Sandy Harris
2022-07-25 16:40 ` Florian Weimer
2022-07-25 16:51 ` Jason A. Donenfeld
2022-07-25 17:44 ` Rich Felker
2022-07-25 18:33 ` Cristian Rodríguez
2022-07-25 18:49 ` Rich Felker
2022-07-25 18:49 ` Rich Felker
[not found] ` <YuCa1lDqoxdnZut/@mit.edu>
[not found] ` <a5b6307d-6811-61b6-c13d-febaa6ad1e48@linaro.org>
[not found] ` <YuEwR0bJhOvRtmFe@mit.edu>
2022-07-27 12:49 ` Florian Weimer
2022-07-27 20:15 ` Theodore Ts'o
2022-07-27 21:59 ` Rich Felker
2022-07-28 0:30 ` Theodore Ts'o
2022-07-28 0:39 ` Cristian Rodríguez
2022-07-23 19:04 ` Cristian Rodríguez
2022-07-23 22:59 ` Jason A. Donenfeld
2022-07-24 16:23 ` Cristian Rodríguez
2022-07-24 21:57 ` Jason A. Donenfeld
2022-07-25 10:14 ` Florian Weimer
2022-07-25 10:11 ` Florian Weimer
2022-07-25 11:04 ` Jason A. Donenfeld
2022-07-25 12:39 ` Florian Weimer
2022-07-25 13:43 ` Jason A. Donenfeld
2022-07-25 13:58 ` Cristian Rodríguez
2022-07-25 16:06 ` Rich Felker
2022-07-25 16:43 ` Florian Weimer
2022-07-26 14:27 ` Overwrittting AT_RANDOM after use (was Re: arc4random - are you sure we want these?) Yann Droneaud
2022-07-26 14:35 ` arc4random - are you sure we want these? Yann Droneaud
2022-07-25 13:25 ` Jeffrey Walton
2022-07-25 13:48 ` Jason A. Donenfeld
2022-07-25 14:56 ` Rich Felker
2022-07-25 22:57 ` [PATCH] arc4random: simplify design for better safety Jason A. Donenfeld
2022-07-25 23:11 ` Jason A. Donenfeld
2022-07-25 23:28 ` [PATCH v2] " Jason A. Donenfeld
2022-07-25 23:59 ` Eric Biggers
2022-07-26 10:26 ` Jason A. Donenfeld
2022-07-26 1:10 ` Mark Harris
2022-07-26 10:41 ` Jason A. Donenfeld
2022-07-26 11:06 ` Florian Weimer
2022-07-26 16:51 ` Mark Harris
2022-07-26 18:42 ` Jason A. Donenfeld
2022-07-26 19:24 ` Jason A. Donenfeld
2022-07-26 9:55 ` Florian Weimer
2022-07-26 11:04 ` Jason A. Donenfeld
2022-07-26 11:07 ` [PATCH v3] " Jason A. Donenfeld
2022-07-26 11:11 ` Jason A. Donenfeld
2022-07-26 11:12 ` [PATCH v2] " Florian Weimer
2022-07-26 11:20 ` Jason A. Donenfeld
2022-07-26 11:35 ` Adhemerval Zanella Netto
2022-07-26 11:33 ` Adhemerval Zanella Netto
2022-07-26 11:54 ` Jason A. Donenfeld
2022-07-26 12:08 ` Jason A. Donenfeld
2022-07-26 12:20 ` Jason A. Donenfeld
2022-07-26 12:34 ` Adhemerval Zanella Netto
2022-07-26 12:47 ` Jason A. Donenfeld
2022-07-26 13:11 ` Adhemerval Zanella Netto
2022-07-26 13:30 ` [PATCH v4] " Jason A. Donenfeld
2022-07-26 15:21 ` Yann Droneaud
2022-07-26 16:20 ` Adhemerval Zanella Netto
2022-07-26 18:36 ` Jason A. Donenfeld
2022-07-26 19:08 ` [PATCH v5] " Jason A. Donenfeld
2022-07-26 19:58 ` [PATCH v6] " Jason A. Donenfeld
2022-07-26 20:17 ` Adhemerval Zanella Netto
2022-07-26 20:56 ` Adhemerval Zanella Netto
2022-07-28 10:29 ` Szabolcs Nagy [this message]
2022-07-28 10:36 ` Szabolcs Nagy
2022-07-28 11:01 ` Adhemerval Zanella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YuJlCijOtAXOco6h@arm.com \
--to=szabolcs.nagy@arm.com \
--cc=Jason@zx2c4.com \
--cc=adhemerval.zanella@linaro.org \
--cc=ebiggers@kernel.org \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.