From: Andy Lutomirski <luto@amacapital.net>
To: Torsten Duwe <duwe@lst.de>, "H. Peter Anvin" <hpa@zytor.com>,
"Theodore Ts'o" <tytso@mit.edu>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Matt Mackall <mpm@selenic.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Arnd Bergmann <arnd@arndb.de>,
Rusty Russell <rusty@rustcorp.com.au>,
Satoru Takeuchi <satoru.takeuchi@gmail.com>
Cc: ingo.tuchscherer@de.ibm.com, linux-kernel@vger.kernel.org,
Hans-Georg Markgraf <MGRF@de.ibm.com>,
Gerald Schaefer <gerald.schaefer@de.ibm.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Joe Perches <joe@perches.com>
Subject: Re: [PATCH v2 02/03]: hwrng: create filler thread
Date: Wed, 26 Mar 2014 17:50:09 -0700 [thread overview]
Message-ID: <533375C1.5060904@mit.edu> (raw)
In-Reply-To: <20140321143342.GK1763@lst.de>
On 03/21/2014 07:33 AM, Torsten Duwe wrote:
> This can be viewed as the in-kernel equivalent of hwrngd;
> like FUSE it is a good thing to have a mechanism in user land,
> but for some reasons (simplicity, secrecy, integrity, speed)
> it may be better to have it in kernel space.
Nice.
[...]
>
> static struct hwrng *current_rng;
> +static struct task_struct *hwrng_fill;
> static LIST_HEAD(rng_list);
> static DEFINE_MUTEX(rng_mutex);
> static int data_avail;
> -static u8 *rng_buffer;
> +static u8 *rng_buffer, *rng_fillbuf;
> +static unsigned short derating_current = 700; /* an arbitrary 70% */
> +
> +module_param(derating_current, ushort, 0644);
> +MODULE_PARM_DESC(derating_current,
> + "current hwrng entropy estimation per mill");
As an electrical engineer (sort of), I can't read this without thinking
you're talking about the amount by which the current is derated. For
example, a 14-50 electrical outlet is rated to 50 Amps. If you use it
continuously for a long time, though, the current is derated to 40 Amps.
Shouldn't this be called credit_derating or, even better,
credit_per_1000bits?
Also, "per mill" is just obscure enough that someone might think it
means "per million".
> +
> +static void start_khwrngd(void);
>
> static size_t rng_buffer_size(void)
> {
> @@ -62,9 +71,18 @@ static size_t rng_buffer_size(void)
>
> static inline int hwrng_init(struct hwrng *rng)
> {
> + int err;
> +
> if (!rng->init)
> return 0;
> - return rng->init(rng);
> + err = rng->init(rng);
> + if (err)
> + return err;
> +
> + if (derating_current > 0 && !hwrng_fill)
> + start_khwrngd();
> +
Why the check for derating > 0? Paranoid users may want zero credit,
but they probably still want the thing to run.
> + return 0;
> }
>
> static inline void hwrng_cleanup(struct hwrng *rng)
> @@ -300,6 +318,36 @@ err_misc_dereg:
> goto out;
> }
>
> +static int hwrng_fillfn(void *unused)
> +{
> + long rc;
> +
> + while (!kthread_should_stop()) {
> + if (!current_rng)
> + break;
> + rc = rng_get_data(current_rng, rng_fillbuf,
> + rng_buffer_size(), 1);
> + if (rc <= 0) {
> + pr_warn("hwrng: no data available\n");
ratelimit (heavily), please.
Also, would it make sense to round-robin all hwrngs? Even better:
collect entropy from each one and add them to the pool all at once. If
so, would it make sense for the derating to be a per-rng parameter. For
example, if there's a sysfs class, it could go in there.
Finally, there may be hwrngs like TPMs that are amazingly slow. What
happens if the RNG is so slow that it becomes the bottleneck? Should
this thing back off? Using the TPM at 100% utilization seems silly when
there's a heavy entropy consumer, especially since reading 256 bits from
the TPM once is probably just about as secure as reading from it
continuously.
Also, with my quantum hat on, thanks for doing this in a way that isn't
gratuitously insecure against quantum attack. 128-bit reseeds are
simply too small if your adversary has a large quantum computer :)
--Andy
next prev parent reply other threads:[~2014-03-27 0:50 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-21 14:29 [PATCH v2 00/03]: khwrngd Torsten Duwe
2014-03-21 14:32 ` [Patch v2 01/03]: provide an injection point for pure hardware randomness Torsten Duwe
2014-03-21 14:33 ` [PATCH v2 02/03]: hwrng: create filler thread Torsten Duwe
2014-03-27 0:50 ` Andy Lutomirski [this message]
2014-03-27 1:03 ` H. Peter Anvin
2014-03-27 1:11 ` Andy Lutomirski
2014-03-27 1:55 ` H. Peter Anvin
2014-03-27 4:47 ` H. Peter Anvin
2014-03-27 15:03 ` Torsten Duwe
2014-03-27 16:06 ` Andy Lutomirski
2014-03-27 14:54 ` Torsten Duwe
2014-03-27 15:47 ` Andy Lutomirski
2014-04-14 16:02 ` [PATCH v3 00/03]: hwrng: an in-kernel rngd Torsten Duwe
2014-04-14 16:04 ` [PATCH v3 01/03]: hwrng: provide an injection point for pure hardware randomness Torsten Duwe
2014-04-14 16:05 ` [PATCH v3 02/03]: hwrng: create filler thread Torsten Duwe
2014-04-14 16:06 ` [PATCH v3 03/03]: hwrng: khwrngd derating per device Torsten Duwe
2014-04-14 16:41 ` Andy Lutomirski
2014-04-15 8:51 ` Torsten Duwe
2014-04-15 16:53 ` Andy Lutomirski
2014-05-27 13:41 ` [PATCH v5 00/03]: hwrng: an in-kernel rngd Torsten Duwe
2014-05-27 13:44 ` [Patch 01/03]: provide an injection point for pure hardware randomness Torsten Duwe
2014-05-27 13:45 ` [Patch v5 02/03]: hwrng: create filler thread Torsten Duwe
2014-05-27 13:46 ` [Patch v5 03/03]: hwrng: khwrngd derating per device Torsten Duwe
2014-05-27 14:11 ` [Patch v5.1 " Torsten Duwe
2014-06-12 1:24 ` H. Peter Anvin
2014-06-12 10:09 ` Torsten Duwe
2014-06-14 2:40 ` Theodore Ts'o
2014-06-14 2:44 ` H. Peter Anvin
2014-06-15 5:11 ` Theodore Ts'o
2014-06-16 7:31 ` Torsten Duwe
2014-06-16 11:22 ` Theodore Ts'o
2014-06-16 14:07 ` Torsten Duwe
2014-06-16 14:40 ` Theodore Ts'o
[not found] ` <20140616141444.GB1744@suse.de>
[not found] ` <20140616142812.GB19387@thunk.org>
2014-07-11 13:43 ` Ingo Tuchscherer
2014-07-11 14:42 ` Theodore Ts'o
2014-04-14 16:09 ` [PATCH v3 00/03]: hwrng: an in-kernel rngd H. Peter Anvin
2014-04-14 16:24 ` Torsten Duwe
2014-04-14 16:29 ` H. Peter Anvin
2014-04-14 16:43 ` Andy Lutomirski
2014-04-14 16:27 ` [PATCH v4 03/03]: hwrng: khwrngd derating per device Torsten Duwe
2014-03-21 14:34 ` [PATCH v2 " Torsten Duwe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=533375C1.5060904@mit.edu \
--to=luto@amacapital.net \
--cc=MGRF@de.ibm.com \
--cc=arnd@arndb.de \
--cc=duwe@lst.de \
--cc=gerald.schaefer@de.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=heiko.carstens@de.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=hpa@zytor.com \
--cc=ingo.tuchscherer@de.ibm.com \
--cc=joe@perches.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mpm@selenic.com \
--cc=rusty@rustcorp.com.au \
--cc=satoru.takeuchi@gmail.com \
--cc=schwidefsky@de.ibm.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).