From: Markus Theil <theil.markus@gmail.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org, davem@davemloft.net, smueller@chronox.de
Subject: Re: [PATCH] crypto: jitter - add cmdline oversampling overrides
Date: Mon, 10 Feb 2025 13:40:10 +0100 [thread overview]
Message-ID: <1157db48-ba02-4977-9604-fdca26da575b@gmail.com> (raw)
In-Reply-To: <Z6hy7LFoHPffWuWi@gondor.apana.org.au>
Hi (& sorry for replying in HTML the last time :(),
On 09.02.25 10:18, Herbert Xu wrote:
> On Mon, Jan 27, 2025 at 05:02:36PM +0100, Markus Theil wrote:
>> As already mentioned in the comments, using a cryptographic
>> hash function, like SHA3-256, decreases the expected entropy
>> due to properties of random mappings (collisions and unused values).
>>
>> When mapping 256 bit of entropy to 256 output bits, this results
>> in roughly 6 bit entropy loss (depending on the estimate formula
>> for mapping 256 bit to 256 bit via a random mapping):
>>
>> NIST approximation (count all input bits as input): 255.0
>> NIST approximation (count only entropy bits as input): 251.69 Bit
>> BSI approximation (count only entropy bits as input): 250.11 Bit
>>
>> Therefore add a cmdline override for the 64 bit oversampling safety margin,
>> This results in an expected entropy of nearly 256 bit also after hashing,
>> when desired.
>>
>> Only enable this, when you are aware of the increased runtime per
>> iteration.
>>
>> This override is only possible, when not in FIPS mode (as FIPS mandates
>> this to be true for a full entropy claim).
>>
>> Signed-off-by: Markus Theil <theil.markus@gmail.com>
>> ---
>> crypto/jitterentropy.c | 33 +++++++++++++++++++++++++++------
>> 1 file changed, 27 insertions(+), 6 deletions(-)
>
> Why does this need to be a toggle?
It slightly increases the runtime of the code per 256 Bit random number
generated, which possibly doesn't suit embedded guys using this RNG but
demanding short system bootup.
So users who can live with this penalty can enable it, others probably
won't tolerate it. With this being a toggle, it will also be easier to
enable this in default distribution kernels running e.g. in cloud instances.
>
> Why can't you just make this conditional on fips_enabled?
This was also my first thought, just enable fips mode. Our workloads
don't have to run in FIPS mode and I don't know which software may
reacts to the kernel announcing to be fips enabled in an unexpected way.
So basically, this seems to be useful, even when not in FIPS mode.
BR
Markus
next prev parent reply other threads:[~2025-02-10 12:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-27 16:02 [PATCH] crypto: jitter - add cmdline oversampling overrides Markus Theil
2025-01-27 16:50 ` Stephan Mueller
2025-02-09 9:18 ` Herbert Xu
2025-02-10 12:40 ` Markus Theil [this message]
2025-02-11 9:14 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1157db48-ba02-4977-9604-fdca26da575b@gmail.com \
--to=theil.markus@gmail.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).