From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Theodore Ts'o <tytso@mit.edu>,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
Linus Torvalds <torvalds@linuxfoundation.org>
Subject: Re: [PATCH v2] random: avoid mis-detecting a slow counter as a cycle counter
Date: Fri, 22 Apr 2022 15:24:00 +0200 [thread overview]
Message-ID: <YmKscCcGxeqikv7t@zx2c4.com> (raw)
In-Reply-To: <YmJ4bJjet/QhkXZS@zx2c4.com>
On Fri, Apr 22, 2022 at 11:42:04AM +0200, Jason A. Donenfeld wrote:
> Hi Eric,
>
> On Thu, Apr 21, 2022 at 05:34:58PM -0700, Eric Biggers wrote:
> > On Fri, Apr 22, 2022 at 01:40:25AM +0200, Jason A. Donenfeld wrote:
> > > Hi Eric,
> > >
> > > Thanks. This looks better.
> > >
> > > On Thu, Apr 21, 2022 at 04:31:52PM -0700, Eric Biggers wrote:
> > > > Therefore, increase the number of counter comparisons from 1 to 3, to
> > > > greatly reduce the rate of false positive cycle counter detections.
> > > > + for (i = 0; i < 3; i++) {
> > > > + unsigned long entropy = random_get_entropy();
> > >
> > > Wondering: why do you do 3 comparisons rather than 2? What does 3 get
> > > you that 2 doesn't already? I thought the only real requirement was that
> > > in the event where (a)!=(b), (b) is read as meaningfully close as
> > > possible to when the counter changes.
> > >
> >
> > On CONFIG_PREEMPT kernels this code usually runs with preemption enabled, so I
> > don't think it's guaranteed that any particular number of comparisons will be
> > sufficient, since the task could get preempted for a long time between each call
> > to random_get_entropy(). However, the chance of a false positive should
> > decrease exponentially, and should be pretty small in the first place, so 3
> > comparisons seems like a good number.
>
> Ahh, I see. So you check three times instead of disabling
> preemption/irqs, which would be awfully heavy weight. Seems like a
> reasonable compromise.
>
> By the way, I was thinking about the assumptions we're making with this
> comparison ("two adjacent counters shouldn't be the same") in the
> context of this idea from my first reply to you:
Rather than buggy inline email code, I made a real patch out of it for
your consideration:
https://lore.kernel.org/linux-crypto/20220422132027.1267060-1-Jason@zx2c4.com/
Jason
prev parent reply other threads:[~2022-04-22 13:24 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-21 23:31 [PATCH v2] random: avoid mis-detecting a slow counter as a cycle counter Eric Biggers
2022-04-21 23:40 ` Jason A. Donenfeld
2022-04-22 0:34 ` Eric Biggers
2022-04-22 9:42 ` Jason A. Donenfeld
2022-04-22 13:24 ` Jason A. Donenfeld [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YmKscCcGxeqikv7t@zx2c4.com \
--to=jason@zx2c4.com \
--cc=ebiggers@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linuxfoundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox