From: Marc Zyngier <maz@kernel.org>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: mark.rutland@arm.com, tytso@mit.edu, andre.przywara@arm.com,
linux-kernel@vger.kernel.org, broonie@kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] random: avoid arch_get_random_seed_long() when collecting IRQ randomness
Date: Fri, 20 Nov 2020 15:27:14 +0000 [thread overview]
Message-ID: <d6cfb1487c1077a7b413276c838dc7aa@kernel.org> (raw)
In-Reply-To: <20201105152944.16953-1-ardb@kernel.org>
On 2020-11-05 15:29, Ard Biesheuvel wrote:
> When reseeding the CRNG periodically, arch_get_random_seed_long() is
> called to obtain entropy from an architecture specific source if one
> is implemented. In most cases, these are special instructions, but in
> some cases, such as on ARM, we may want to back this using firmware
> calls, which are considerably more expensive.
>
> Another call to arch_get_random_seed_long() exists in the CRNG driver,
> in add_interrupt_randomness(), which collects entropy by capturing
> inter-interrupt timing and relying on interrupt jitter to provide
> random bits. This is done by keeping a per-CPU state, and mixing in
> the IRQ number, the cycle counter and the return address every time an
> interrupt is taken, and mixing this per-CPU state into the entropy pool
> every 64 invocations, or at least once per second. The entropy that is
> gathered this way is credited as 1 bit of entropy. Every time this
> happens, arch_get_random_seed_long() is invoked, and the result is
> mixed in as well, and also credited with 1 bit of entropy.
>
> This means that arch_get_random_seed_long() is called at least once
> per second on every CPU, which seems excessive, and doesn't really
> scale, especially in a virtualization scenario where CPUs may be
> oversubscribed: in cases where arch_get_random_seed_long() is backed
> by an instruction that actually goes back to a shared hardware entropy
> source (such as RNDRRS on ARM), we will end up hitting it hundreds of
> times per second.
>
> So let's drop the call to arch_get_random_seed_long() from
> add_interrupt_randomness(), and instead, rely on crng_reseed() to call
> the arch hook to get random seed material from the platform.
>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Looks sensible. Having this on the interrupt path looks quite
heavy handed, and my understanding of the above is that it has
an adverse effect on the entropy pool.
Acked-by: Marc Zyngier <maz@kernel.org>
M.
--
Jazz is not dead. It just smells funny...
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier <maz@kernel.org>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: tytso@mit.edu, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, mark.rutland@arm.com,
broonie@kernel.org, andre.przywara@arm.com
Subject: Re: [PATCH] random: avoid arch_get_random_seed_long() when collecting IRQ randomness
Date: Fri, 20 Nov 2020 15:27:14 +0000 [thread overview]
Message-ID: <d6cfb1487c1077a7b413276c838dc7aa@kernel.org> (raw)
In-Reply-To: <20201105152944.16953-1-ardb@kernel.org>
On 2020-11-05 15:29, Ard Biesheuvel wrote:
> When reseeding the CRNG periodically, arch_get_random_seed_long() is
> called to obtain entropy from an architecture specific source if one
> is implemented. In most cases, these are special instructions, but in
> some cases, such as on ARM, we may want to back this using firmware
> calls, which are considerably more expensive.
>
> Another call to arch_get_random_seed_long() exists in the CRNG driver,
> in add_interrupt_randomness(), which collects entropy by capturing
> inter-interrupt timing and relying on interrupt jitter to provide
> random bits. This is done by keeping a per-CPU state, and mixing in
> the IRQ number, the cycle counter and the return address every time an
> interrupt is taken, and mixing this per-CPU state into the entropy pool
> every 64 invocations, or at least once per second. The entropy that is
> gathered this way is credited as 1 bit of entropy. Every time this
> happens, arch_get_random_seed_long() is invoked, and the result is
> mixed in as well, and also credited with 1 bit of entropy.
>
> This means that arch_get_random_seed_long() is called at least once
> per second on every CPU, which seems excessive, and doesn't really
> scale, especially in a virtualization scenario where CPUs may be
> oversubscribed: in cases where arch_get_random_seed_long() is backed
> by an instruction that actually goes back to a shared hardware entropy
> source (such as RNDRRS on ARM), we will end up hitting it hundreds of
> times per second.
>
> So let's drop the call to arch_get_random_seed_long() from
> add_interrupt_randomness(), and instead, rely on crng_reseed() to call
> the arch hook to get random seed material from the platform.
>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Looks sensible. Having this on the interrupt path looks quite
heavy handed, and my understanding of the above is that it has
an adverse effect on the entropy pool.
Acked-by: Marc Zyngier <maz@kernel.org>
M.
--
Jazz is not dead. It just smells funny...
next prev parent reply other threads:[~2020-11-20 15:27 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-05 15:29 [PATCH] random: avoid arch_get_random_seed_long() when collecting IRQ randomness Ard Biesheuvel
2020-11-05 15:29 ` Ard Biesheuvel
2020-11-11 8:19 ` Ard Biesheuvel
2020-11-11 8:19 ` Ard Biesheuvel
2020-11-11 9:45 ` André Przywara
2020-11-11 9:45 ` André Przywara
2020-11-11 10:05 ` Ard Biesheuvel
2020-11-11 10:05 ` Ard Biesheuvel
2020-11-11 10:46 ` André Przywara
2020-11-11 10:46 ` André Przywara
2020-11-11 11:48 ` Ard Biesheuvel
2020-11-11 11:48 ` Ard Biesheuvel
2020-11-17 13:33 ` Ard Biesheuvel
2020-11-17 13:33 ` Ard Biesheuvel
2021-01-04 19:09 ` Ard Biesheuvel
2021-01-04 19:09 ` Ard Biesheuvel
2021-01-10 9:45 ` Ard Biesheuvel
2021-01-10 9:45 ` Ard Biesheuvel
2021-01-10 13:55 ` Jason A. Donenfeld
2021-01-15 13:18 ` Jason A. Donenfeld
2021-01-15 13:18 ` Jason A. Donenfeld
2020-11-20 4:11 ` Eric Biggers
2020-11-20 4:11 ` Eric Biggers
2020-12-01 12:23 ` Ard Biesheuvel
2020-12-01 12:23 ` Ard Biesheuvel
2020-12-07 8:12 ` Ard Biesheuvel
2020-12-07 8:12 ` Ard Biesheuvel
2020-12-07 14:27 ` Jason A. Donenfeld
2020-12-07 14:27 ` Jason A. Donenfeld
2020-12-07 15:35 ` Ard Biesheuvel
2020-12-07 15:35 ` Ard Biesheuvel
2020-11-20 15:27 ` Marc Zyngier [this message]
2020-11-20 15:27 ` Marc Zyngier
2020-11-27 12:08 ` Ard Biesheuvel
2020-11-27 12:08 ` Ard Biesheuvel
2021-01-21 17:53 ` Will Deacon
2021-01-21 17:53 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d6cfb1487c1077a7b413276c838dc7aa@kernel.org \
--to=maz@kernel.org \
--cc=andre.przywara@arm.com \
--cc=ardb@kernel.org \
--cc=broonie@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.