From: Florian Weimer <fweimer@redhat.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
x86@kernel.org, Nadia Heninger <nadiah@cs.ucsd.edu>,
Thomas Ristenpart <ristenpart@cornell.edu>,
Theodore Ts'o <tytso@mit.edu>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
Subject: Re: [PATCH RFC v1] random: implement getrandom() in vDSO
Date: Fri, 05 Aug 2022 10:36:16 +0200 [thread overview]
Message-ID: <87v8r713zz.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <878ro6smmm.ffs@tglx> (Thomas Gleixner's message of "Tue, 02 Aug 2022 17:14:57 +0200")
* Thomas Gleixner:
> On Tue, Aug 02 2022 at 15:59, Jason A. Donenfeld wrote:
>> On Tue, Aug 02, 2022 at 03:46:27PM +0200, Thomas Gleixner wrote:
>>> Right now the Linux VDSO functions are 1:1 replacements for system calls
>>> and not adding a magic pile of functionality which is otherwise not
>>> available.
>>>
>>> What you are proposing is to have an implementation which is not
>>> available via a regular syscall. Which means you are creating a VDSO
>>> only syscall which still has the same problem as any other syscall in
>>> terms of API design and functionality which needs to be supported
>>> forever.
>>
>> Wait, what? That's not correct. The WHOLE point is that vdso getrandom()
>> will generate bytes in the same way as the ordinary syscall, without
>> differences. Same function name, same algorithm. But just faster,
>> because vDSO. I explicitly don't want to dip into introducing something
>> different. That's the big selling point: that vDSO getrandom() and
>> syscall getrandom() are the same thing. If you trust one, you can trust
>> the other. If you expect properties of one, you get that from the other.
>> If you know the API of one, you can use the other.
>
> Seriously no. All existing VDSO functions have exactly the same function
> signature and semantics as their syscall counterparts. So they are drop
> in equivalent.
>
> But:
>
> ssize_t getrandom(void *, void *, size_t, unsigned int);
>
> is very much different than
>
> ssize_t getrandom(void *, size_t, unsigned int);
>
> Different signature and different semantics.
Just use
ssize_t getrandom(size_t, unsigned int, void *);
then and have the system call ignore the argument. There is recent
precedent for adding additional arguments to system calls, see
membarrier. If we want to be super-conservative, we could add a new
flag and have the vDSO version always call into the kernel if the flag
isn't set.
*This* part is far less problematic compared to the approach to
per-thread memory allocation.
We now have:
* Explicit donation of memory areas to the kernel (set_robust_list,
rseq).
* This getrandom_alloc vDSO call which does something unspecified and
may return pointers which are or are not abstract. (How is CRIU
expected to handle this?)
* There's also userspace shadow stack coming. I think the kernel moved
away from implicit allocation, to something mmap-based. It's not
clear to me why that would be okay here, but not for shadow stacks.
Does io_uring have to handle a similar problem, too?
As long as the vDSO doesn't use private system calls, I don't expect any
practical problems, but this optimization doesn't really look to me like
something that intrinsically benefits from a completely new way of
allocating userspace memory for use by the kernel.
Thanks,
Florian
prev parent reply other threads:[~2022-08-05 8:36 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-29 14:55 [PATCH RFC v1] random: implement getrandom() in vDSO Jason A. Donenfeld
2022-07-29 20:19 ` Florian Weimer
2022-07-29 22:06 ` Jason A. Donenfeld
2022-07-30 15:48 ` Linus Torvalds
2022-07-30 23:45 ` Jason A. Donenfeld
2022-07-31 0:23 ` Jason A. Donenfeld
2022-07-31 1:31 ` [PATCH RFC v2] " Jason A. Donenfeld
2022-08-01 8:48 ` Florian Weimer
2022-08-01 12:49 ` Jason A. Donenfeld
2022-08-01 13:29 ` Jason A. Donenfeld
2022-08-01 13:00 ` Jason A. Donenfeld
2022-08-01 20:48 ` Thomas Gleixner
2022-08-01 23:41 ` Jason A. Donenfeld
2022-08-02 0:12 ` Jason A. Donenfeld
2022-08-01 19:30 ` [PATCH RFC v1] " Thomas Gleixner
2022-08-01 23:16 ` Jason A. Donenfeld
2022-08-02 13:46 ` Thomas Gleixner
2022-08-02 13:59 ` Jason A. Donenfeld
2022-08-02 15:14 ` Thomas Gleixner
2022-08-02 15:26 ` Jason A. Donenfeld
2022-08-02 22:27 ` Thomas Gleixner
2022-08-04 15:23 ` Jason A. Donenfeld
2022-08-04 16:08 ` Jeffrey Walton
2022-08-04 23:11 ` Thomas Gleixner
2022-08-17 8:20 ` Peter Zijlstra
2022-08-05 8:36 ` Florian Weimer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87v8r713zz.fsf@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=Jason@zx2c4.com \
--cc=adhemerval.zanella@linaro.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nadiah@cs.ucsd.edu \
--cc=ristenpart@cornell.edu \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=vincenzo.frascino@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).