From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 61A52C5519F for ; Fri, 20 Nov 2020 04:13:13 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id DF627222C8 for ; Fri, 20 Nov 2020 04:13:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="X3Vkdx+U"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="wy0sMTNA" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org DF627222C8 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID: Subject:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=hg6BblXCgGTxPECzhT/83xLweLqOYb/JlOSFDPci6g0=; b=X3Vkdx+UQtxWWF+O2frBicgqS 2HCHnHqLYzn+7+lrIZp3SeKC7ADNYhyRVVmBhrRgBA7mitlZZW7GBJjZgDGOCqNibyln/Mj7lgzlB 3On32wurc7/Jectr2MqTPthBAnQulVXMQE2w68uICLiYQbUvdfniXyd8HqYjMjp+3e1337TeoDLlA hN6qbEJVFiIQtFgM4WDEaEOoJDClJj1oY1FoJxBfpHfxukkCT7ZXs+AaA0vtO50ojRGIG8TSMzWL8 tYt+JYlRXOwg+eSlPfQn7X5HCJXw55YR3h9cb4JVMqbuWXu0AE5WEkg4Rqwv+MsuDT3LI+n4C6o05 +wUdJa+sQ==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kfxls-0005os-3G; Fri, 20 Nov 2020 04:11:40 +0000 Received: from mail.kernel.org ([198.145.29.99]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kfxlo-0005oT-UK for linux-arm-kernel@lists.infradead.org; Fri, 20 Nov 2020 04:11:38 +0000 Received: from sol.localdomain (172-10-235-113.lightspeed.sntcca.sbcglobal.net [172.10.235.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 236C5222C8; Fri, 20 Nov 2020 04:11:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1605845494; bh=Vt2nOl7KcXqOp1T0wQlU+ExwVGJdC23WC1Dq9lPDKD0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=wy0sMTNA4khCq/atdsui9N3bhnj6ZLxOU6xcZSt7kK4nVMWYX6yvGpjZk1hihgSqQ QlZY3GZRlzHgbLfKl/ZokQXyIcYkbb1fp/JLDDJAM3oWh7wihm9kZ9c0lZJvw2hiWW T6rqkVxhWBR5o0jotQpuVVPjcyZ6cfEpmboDCADI= Date: Thu, 19 Nov 2020 20:11:32 -0800 From: Eric Biggers To: Ard Biesheuvel Subject: Re: [PATCH] random: avoid arch_get_random_seed_long() when collecting IRQ randomness Message-ID: References: <20201105152944.16953-1-ardb@kernel.org> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201119_231137_240788_0D3FB954 X-CRM114-Status: GOOD ( 35.98 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , "Theodore Y. Ts'o" , Marc Zyngier , Linux Kernel Mailing List , Mark Brown , Andre Przywara , Linux ARM Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Wed, Nov 11, 2020 at 09:19:37AM +0100, Ard Biesheuvel wrote: > (+ Eric) > > On Thu, 5 Nov 2020 at 16:29, Ard Biesheuvel wrote: > > > > When reseeding the CRNG periodically, arch_get_random_seed_long() is > > called to obtain entropy from an architecture specific source if one > > is implemented. In most cases, these are special instructions, but in > > some cases, such as on ARM, we may want to back this using firmware > > calls, which are considerably more expensive. > > > > Another call to arch_get_random_seed_long() exists in the CRNG driver, > > in add_interrupt_randomness(), which collects entropy by capturing > > inter-interrupt timing and relying on interrupt jitter to provide > > random bits. This is done by keeping a per-CPU state, and mixing in > > the IRQ number, the cycle counter and the return address every time an > > interrupt is taken, and mixing this per-CPU state into the entropy pool > > every 64 invocations, or at least once per second. The entropy that is > > gathered this way is credited as 1 bit of entropy. Every time this > > happens, arch_get_random_seed_long() is invoked, and the result is > > mixed in as well, and also credited with 1 bit of entropy. > > > > This means that arch_get_random_seed_long() is called at least once > > per second on every CPU, which seems excessive, and doesn't really > > scale, especially in a virtualization scenario where CPUs may be > > oversubscribed: in cases where arch_get_random_seed_long() is backed > > by an instruction that actually goes back to a shared hardware entropy > > source (such as RNDRRS on ARM), we will end up hitting it hundreds of > > times per second. > > > > So let's drop the call to arch_get_random_seed_long() from > > add_interrupt_randomness(), and instead, rely on crng_reseed() to call > > the arch hook to get random seed material from the platform. > > > > Signed-off-by: Ard Biesheuvel > > --- > > drivers/char/random.c | 15 +-------------- > > 1 file changed, 1 insertion(+), 14 deletions(-) > > > > diff --git a/drivers/char/random.c b/drivers/char/random.c > > index 2a41b21623ae..a9c393c1466d 100644 > > --- a/drivers/char/random.c > > +++ b/drivers/char/random.c > > @@ -1261,8 +1261,6 @@ void add_interrupt_randomness(int irq, int irq_flags) > > cycles_t cycles = random_get_entropy(); > > __u32 c_high, j_high; > > __u64 ip; > > - unsigned long seed; > > - int credit = 0; > > > > if (cycles == 0) > > cycles = get_reg(fast_pool, regs); > > @@ -1298,23 +1296,12 @@ void add_interrupt_randomness(int irq, int irq_flags) > > > > fast_pool->last = now; > > __mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool)); > > - > > - /* > > - * If we have architectural seed generator, produce a seed and > > - * add it to the pool. For the sake of paranoia don't let the > > - * architectural seed generator dominate the input from the > > - * interrupt noise. > > - */ > > - if (arch_get_random_seed_long(&seed)) { > > - __mix_pool_bytes(r, &seed, sizeof(seed)); > > - credit = 1; > > - } > > spin_unlock(&r->lock); > > > > fast_pool->count = 0; > > > > /* award one bit for the contents of the fast pool */ > > - credit_entropy_bits(r, credit + 1); > > + credit_entropy_bits(r, 1); > > } > > EXPORT_SYMBOL_GPL(add_interrupt_randomness); Looks reasonable to me. The CRNG state already gets XOR'ed with the output of arch_get_random_seed_long() each time the CRNG is reseeded. Calling arch_get_random_seed_long() here too isn't necessary, and it's not really appropriate to repeatedly call it during interrupt handling, as you point out. Reviewed-by: Eric Biggers - Eric _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel