From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Ryan Roberts <ryan.roberts@arm.com>, Kees Cook <kees@kernel.org>,
Ard Biesheuvel <ardb@kernel.org>,
Jeremy Linton <jeremy.linton@arm.com>,
Will Deacon <will@kernel.org>,
Catalin Marinas <Catalin.Marinas@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [DISCUSSION] kstack offset randomization: bugs and performance
Date: Tue, 18 Nov 2025 18:15:17 +0100 [thread overview]
Message-ID: <aRyppb8PCxFKVphr@zx2c4.com> (raw)
In-Reply-To: <dd5b4423-0954-44d5-99a5-0052b62c55af@app.fastmail.com>
On Mon, Nov 17, 2025 at 05:47:05PM +0100, Arnd Bergmann wrote:
> On Mon, Nov 17, 2025, at 12:31, Ryan Roberts wrote:
> > On 17/11/2025 11:30, Ryan Roberts wrote:
> >> Hi All,
> >>
> >> Over the last few years we had a few complaints that syscall performance on
> >> arm64 is slower than x86. Most recently, it was observed that a certain Java
> >> benchmark that does a lot of fstat and lseek is spending ~10% of it's time in
> >> get_random_u16(). Cue a bit of digging, which led me to [1] and also to some new
> >> ideas about how performance could be improved.
>
>
> >> I believe this helps the mean latency significantly without sacrificing any
> >> strength. But it doesn't reduce the tail latency because we still have to call
> >> into the crng eventually.
> >>
> >> So here's another idea: Could we use siphash to generate some random bits? We
> >> would generate the secret key at boot using the crng. Then generate a 64 bit
> >> siphash of (cntvct_el0 ^ tweak) (where tweak increments every time we generate a
> >> new hash). As long as the key remains secret, the hash is unpredictable.
> >> (perhaps we don't even need the timer value). For every hash we get 64 bits, so
> >> that would last for 10 syscalls at 6 bits per call. So we would still have to
> >> call siphash every 10 syscalls, so there would still be a tail, but from my
> >> experiements, it's much less than the crng:
>
> IIRC, Jason argued against creating another type of prng inside of the
> kernel for a special purpose.
Yes indeed... I'm really not a fan of adding bespoke crypto willynilly
like that. Let's make get_random_u*() faster. If you're finding that the
issue with it is the locking, and that you're calling this from irq
context anyway, then your proposal (if I read this discussion correctly)
to add a raw_get_random_u*() seems like it could be sensible. Those
functions are generated via macro anyway, so it wouldn't be too much to
add the raw overloads. Feel free to send a patch to my random.git tree
if you'd like to give that a try.
Jason
next prev parent reply other threads:[~2025-11-18 17:15 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <66c4e2a0-c7fb-46c2-acce-8a040a71cd8e@arm.com>
2025-11-17 11:31 ` [DISCUSSION] kstack offset randomization: bugs and performance Ryan Roberts
2025-11-17 16:47 ` Arnd Bergmann
2025-11-17 17:23 ` Ryan Roberts
2025-11-17 17:46 ` Mark Rutland
2025-11-17 23:04 ` Arnd Bergmann
2025-11-18 17:15 ` Jason A. Donenfeld [this message]
2025-11-18 17:21 ` Ryan Roberts
2025-11-18 17:28 ` Jason A. Donenfeld
2025-11-17 20:27 ` Kees Cook
2025-11-18 10:28 ` Ryan Roberts
2025-11-18 11:25 ` Mark Rutland
2025-11-18 12:16 ` Ryan Roberts
2025-11-18 11:05 ` Mark Rutland
2025-11-17 20:56 ` Jeremy Linton
2025-11-18 11:05 ` Ryan Roberts
2025-11-24 14:36 ` Will Deacon
2025-11-24 17:11 ` Kees Cook
2025-11-24 17:50 ` Ryan Roberts
2025-11-24 20:51 ` Kees Cook
2025-11-25 11:14 ` Ryan Roberts
2025-11-26 22:58 ` Ard Biesheuvel
2025-11-27 8:00 ` Kees Cook
2025-11-27 11:50 ` Ryan Roberts
2025-11-27 12:19 ` Ard Biesheuvel
2025-11-27 14:09 ` Ryan Roberts
2025-11-27 19:17 ` Kees Cook
2025-11-24 19:08 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aRyppb8PCxFKVphr@zx2c4.com \
--to=jason@zx2c4.com \
--cc=Catalin.Marinas@arm.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=jeremy.linton@arm.com \
--cc=kees@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=ryan.roberts@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.