From: "Theodore Ts'o" <tytso@mit.edu>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: "Reshetova, Elena" <elena.reshetova@intel.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>,
"x86@kernel.org" <x86@kernel.org>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
"Nakajima, Jun" <jun.nakajima@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
"Kalra, Ashish" <ashish.kalra@amd.com>,
Sean Christopherson <seanjc@google.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] x86/random: Retry on RDSEED failure
Date: Wed, 31 Jan 2024 09:07:56 -0500 [thread overview]
Message-ID: <20240131140756.GB2356784@mit.edu> (raw)
In-Reply-To: <CAHmME9oJvbZgT4yT9Vydc2ZQVSo3Ea65G5aVK7gFxphkV00BnQ@mail.gmail.com>
What about simply treating boot-time initialization of the /dev/random
state as special. That is, on x86, if the hardware promises that
RDSEED or RDRAND is available, we use them to initialization our RNG
state at boot. On bare metal, there can't be anyone else trying to
exhaust the on-chip RNG's entropy supply, so if RDSEED or RDRAND
aren't working available --- panic, since the hardware is clearly
busted.
On a guest OS, if confidential compute is enabled, and if RDSEED and
RDRAND don't work after N retries, and we know CC is enabled, panic,
since the kernel can't provide the promised security gaurantees, and
the CC developers and users are cordially invited to sharpen their
pitchforks and to send their tender regards to the Intel RNG
engineers.
For non-confidential compute guests, the question is what is the
appropriate reaction if another VM, possibly belonging to a different
user/customer, is carrying out a RDRAND DOS attack. I'd argue that in
these cases, if the guest VM is using virtio-random, then the host's
/dev/random should be able to cover for cases of Intel RNG exhaustion,
and allowing other customer to be able to prevent other user's VM's
from being able to boot is the the greater evil, so we shouldn't treat
boot-time RDRAND/RDSEED failures as panic-worthy.
- Ted
next prev parent reply other threads:[~2024-01-31 14:08 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-30 8:30 [PATCH 1/2] x86/random: Retry on RDSEED failure Kirill A. Shutemov
2024-01-30 8:30 ` [PATCH 2/2] x86/random: Issue a warning if RDRAND or RDSEED fails Kirill A. Shutemov
2024-01-30 12:37 ` Jason A. Donenfeld
2024-01-30 13:45 ` Reshetova, Elena
2024-01-30 14:21 ` Jason A. Donenfeld
2024-01-30 14:55 ` Reshetova, Elena
2024-01-30 15:00 ` Jason A. Donenfeld
2024-01-30 17:31 ` Dave Hansen
2024-01-30 17:49 ` Jason A. Donenfeld
2024-01-30 17:58 ` Dave Hansen
2024-01-30 18:15 ` H. Peter Anvin
2024-01-30 18:23 ` Jason A. Donenfeld
2024-01-30 18:23 ` Jason A. Donenfeld
2024-01-30 18:37 ` Dave Hansen
2024-01-30 18:05 ` Daniel P. Berrangé
2024-01-30 18:24 ` Jason A. Donenfeld
2024-01-30 18:31 ` Jason A. Donenfeld
2024-01-30 18:40 ` H. Peter Anvin
2024-01-31 8:16 ` Reshetova, Elena
2024-01-31 11:59 ` Dr. Greg
2024-01-31 13:06 ` Jason A. Donenfeld
2024-01-31 18:02 ` Reshetova, Elena
2024-01-31 20:35 ` Dr. Greg
2024-02-01 4:47 ` Theodore Ts'o
2024-02-01 9:54 ` Dr. Greg
2024-02-01 11:08 ` Daniel P. Berrangé
2024-02-01 21:04 ` Dr. Greg
2024-02-02 7:56 ` Reshetova, Elena
2024-02-01 7:26 ` Reshetova, Elena
2024-02-01 10:52 ` Dr. Greg
2024-02-06 1:12 ` Dr. Greg
2024-02-06 8:04 ` Daniel P. Berrangé
2024-02-06 12:04 ` Dr. Greg
2024-02-06 13:00 ` Daniel P. Berrangé
2024-02-08 10:31 ` Dr. Greg
2024-02-06 13:50 ` Daniel P. Berrangé
2024-02-06 15:35 ` Borislav Petkov
2024-02-08 11:44 ` Dr. Greg
2024-02-09 17:31 ` Borislav Petkov
2024-02-09 19:49 ` Jason A. Donenfeld
2024-02-09 20:37 ` Dave Hansen
2024-02-09 21:45 ` Borislav Petkov
2024-02-06 18:49 ` H. Peter Anvin
2024-02-08 16:38 ` Dr. Greg
2024-01-30 15:50 ` Kuppuswamy Sathyanarayanan
2024-01-30 12:29 ` [PATCH 1/2] x86/random: Retry on RDSEED failure Jason A. Donenfeld
2024-01-30 12:51 ` Jason A. Donenfeld
2024-01-30 13:10 ` Reshetova, Elena
2024-01-30 14:06 ` Jason A. Donenfeld
2024-01-30 14:43 ` Daniel P. Berrangé
2024-01-30 15:12 ` Jason A. Donenfeld
2024-01-30 18:35 ` Jason A. Donenfeld
2024-01-30 19:06 ` Reshetova, Elena
2024-01-30 19:16 ` Jason A. Donenfeld
2024-01-31 7:56 ` Reshetova, Elena
2024-01-31 13:14 ` Jason A. Donenfeld
2024-01-31 14:07 ` Theodore Ts'o [this message]
2024-01-31 14:45 ` Jason A. Donenfeld
2024-01-31 14:52 ` Jason A. Donenfeld
2024-01-31 17:10 ` Theodore Ts'o
2024-01-31 17:37 ` Reshetova, Elena
2024-01-31 18:01 ` Jason A. Donenfeld
2024-02-01 4:57 ` Theodore Ts'o
2024-02-01 18:09 ` Jason A. Donenfeld
2024-02-01 18:46 ` Dave Hansen
2024-02-01 19:02 ` H. Peter Anvin
2024-02-02 7:25 ` Reshetova, Elena
2024-02-02 15:39 ` Theodore Ts'o
2024-02-03 10:12 ` Jason A. Donenfeld
2024-02-09 19:53 ` Jason A. Donenfeld
2024-02-12 8:25 ` Reshetova, Elena
2024-02-12 16:32 ` Theodore Ts'o
2024-02-13 7:28 ` Dan Williams
2024-02-13 23:13 ` Theodore Ts'o
2024-02-14 0:53 ` Dan Williams
2024-02-14 4:32 ` Theodore Ts'o
2024-02-14 6:48 ` Dan Williams
2024-02-14 6:54 ` Reshetova, Elena
2024-02-14 8:34 ` Nikolay Borisov
2024-02-14 9:34 ` Dr. Greg
2024-02-14 17:30 ` Jason A. Donenfeld
2024-02-14 15:18 ` Reshetova, Elena
2024-02-14 17:21 ` Jason A. Donenfeld
2024-02-14 17:59 ` Reshetova, Elena
2024-02-14 19:32 ` Jason A. Donenfeld
2024-02-15 7:07 ` Reshetova, Elena
2024-02-15 12:58 ` Jason A. Donenfeld
2024-02-14 19:46 ` Tom Lendacky
2024-02-14 20:04 ` Jason A. Donenfeld
2024-02-14 20:11 ` Theodore Ts'o
2024-02-15 13:01 ` Jason A. Donenfeld
2024-02-14 20:14 ` Dave Hansen
2024-02-02 15:47 ` James Bottomley
2024-02-02 16:05 ` Theodore Ts'o
2024-02-02 21:28 ` James Bottomley
2024-02-03 14:35 ` Theodore Ts'o
2024-02-06 19:12 ` H. Peter Anvin
2024-01-30 15:20 ` H. Peter Anvin
2024-01-30 15:44 ` Kuppuswamy Sathyanarayanan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240131140756.GB2356784@mit.edu \
--to=tytso@mit.edu \
--cc=Jason@zx2c4.com \
--cc=ashish.kalra@amd.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=elena.reshetova@intel.com \
--cc=hpa@zytor.com \
--cc=jun.nakajima@intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).