Re: [PATCH] random: make try_to_generate_entropy() more robust

["Jörn Engel" <joern@purestorage.com>]

On Fri, Oct 18, 2019 at 01:37:04PM -0700, Jörn Engel wrote:
> Sorry for coming late to the discussion.  I generally like the approach
> in try_to_generate_entropy(), but I think we can do a little better
> still.  Would something like this work?

Fixed lkml address.

> From 90078333edb6e720f13f6668376a69c0f9c570f5 Mon Sep 17 00:00:00 2001
> From: Joern Engel <joern@purestorage.com>
> Date: Fri, 18 Oct 2019 13:25:52 -0700
> Subject: [PATCH] random: make try_to_generate_entropy() more robust
> 
> We can generate entropy on almost any CPU, even if it doesn't provide a
> high-resolution timer for random_get_entropy().  As long as the CPU is
> not idle, it changed the register file every few cycles.  As long as the
> ALU isn't fully synchronized with the timer, the drift between the
> register file and the timer is enough to generate entropy from.
> 
> Also print a warning on systems where entropy collection might be a
> problem.  I have good confidence in two unsynchronized timers generating
> entropy.  But I cannot tell whether timer and ALU are synchronized and
> we ought to warn users if all their crypto is likely to be broken.
> 
> Signed-off-by: Joern Engel <joern@purestorage.com>
> ---
>  drivers/char/random.c | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index de434feb873a..00a04efd0686 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -1748,6 +1748,16 @@ EXPORT_SYMBOL(get_random_bytes);
>   */
>  static void entropy_timer(struct timer_list *t)
>  {
> +	struct pt_regs *regs = get_irq_regs();
> +
> +	/*
> +	 * Even if we don't have a high-resolution timer in our system,
> +	 * the register file itself is a high-resolution timer.  It
> +	 * isn't monotonic or particularly useful to read the current
> +	 * time.  But it changes with every retired instruction, which
> +	 * is enough to generate entropy from.
> +	 */
> +	mix_pool_bytes(&input_pool, regs, sizeof(*regs));
>  	credit_entropy_bits(&input_pool, 1);
>  }
>  
> @@ -1764,9 +1774,8 @@ static void try_to_generate_entropy(void)
>  
>  	stack.now = random_get_entropy();
>  
> -	/* Slow counter - or none. Don't even bother */
> -	if (stack.now == random_get_entropy())
> -		return;
> +	/* Slow counter - or none.  Warn user */
> +	WARN_ON(stack.now == random_get_entropy());
>  
>  	timer_setup_on_stack(&stack.timer, entropy_timer, 0);
>  	while (!crng_ready()) {
> -- 
> 2.20.1
> 

Jörn

--
...one more straw can't possibly matter...
-- Kirby Bakken