From: George Spelvin <lkml@SDF.ORG>
To: Jason Gunthorpe <jgg@ziepe.ca>, tytso@mit.edu
Cc: linux-kernel@vger.kernel.org, Doug Ledford <dledford@redhat.com>,
linux-rdma@vger.kernel.org, Faisal Latif <faisal.latif@intel.com>,
Shiraz Saleem <shiraz.saleem@intel.com>,
Bart Van Assche <bvanassche@acm.org>,
Bernard Metzler <bmt@zurich.ibm.com>,
lkml@sdf.org
Subject: Re: [RFC PATCH v1 42/50] drivers/ininiband: Use get_random_u32()
Date: Sun, 29 Mar 2020 16:31:56 +0000 [thread overview]
Message-ID: <20200329163156.GB4675@SDF.ORG> (raw)
In-Reply-To: <20200329143621.GF20941@ziepe.ca>
On Sun, Mar 29, 2020 at 11:36:21AM -0300, Jason Gunthorpe wrote:
> On Wed, Aug 21, 2019 at 08:21:45PM -0400, George Spelvin wrote:
>> There's no need to get_random_bytes() into a temporary buffer.
>>
>> This is not a no-brainer change; get_random_u32() has slightly weaker
>> security guarantees, but code like this is the classic example of when
>> it's appropriate: the random value is stored in the kernel for as long
>> as it's valuable.
>
> The mechanical transformation looks OK, but can someone who knows the
> RNG confirm this statement?
You might find commit 92e507d21613 ("random: document get_random_int()
family") informative.
> Many of these places are being used in network related contexts, I
> suspect the value here is often less about secrecy, more about
> unguessability.
The significant difference is backtrackability. Each get_random_bytes()
call has a final anti-backtracking step, to ensure that the random number
just generated cannot be recovered from the subsequent kernel state.
This is appropriate for encryption keys or asymmetric keys.
The get_random_{int,long,u32,u64} functions omit this step, which means
they only need one ChaCha20 crypto operation per 64 bytes of output,
not a minimum of one per call.
One good way of distinguishing the cases is to look for calls to
memzero_explicit(). If you need to ensure the random bytes are securely
destroyed, you need antibacktracking. If your application doesn't care if
anyone learns your session authentication keys after the session has been
closed, you don't need it.
next prev parent reply other threads:[~2020-03-29 16:32 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-22 0:21 [RFC PATCH v1 42/50] drivers/ininiband: Use get_random_u32() George Spelvin
2020-03-29 14:36 ` Jason Gunthorpe
2020-03-29 16:31 ` George Spelvin [this message]
2020-03-29 15:01 ` Bernard Metzler
2020-03-29 16:52 ` George Spelvin
2020-03-29 20:02 ` Jason Gunthorpe
2020-03-29 20:45 ` George Spelvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200329163156.GB4675@SDF.ORG \
--to=lkml@sdf.org \
--cc=bmt@zurich.ibm.com \
--cc=bvanassche@acm.org \
--cc=dledford@redhat.com \
--cc=faisal.latif@intel.com \
--cc=jgg@ziepe.ca \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=shiraz.saleem@intel.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).