Message-ID: <72332228-093c-5186-789f-8616cfb93793@linaro.org>
Date: Wed, 30 Mar 2022 12:37:43 -0300
Subject: Re: [PATCH v1 1/2] random-bits: Factor out entropy generating function
To: Noah Goldstein
Cc: GNU C Library
From: Adhemerval Zanella

On 29/03/2022 17:44, Noah Goldstein wrote:
> On Tue, Mar 29, 2022 at 3:37 PM Adhemerval Zanella
> wrote:
>>
>>
>>
>> On 29/03/2022 16:56, Noah Goldstein wrote:
>>> On Tue, Mar 29, 2022 at 2:51 PM Adhemerval Zanella
>>> wrote:
>>>>
>>>>
>>>>
>>>> On 28/03/2022 19:09, Noah Goldstein via Libc-alpha wrote:
>>>>> On some architectures `clock_gettime` is undesirable as
>>>>> it may use a syscall or there may be a faster alternative.
>>>>> Future architecture specific functions can be added in
>>>>> sysdeps//random-bits-entropy.h to provide a version of
>>>>> 'random_bits_entropy' that doesn't use 'clock_gettime'.
>>>>> --- >>>>> include/random-bits.h | 16 ++++++-------- >>>>> sysdeps/generic/random-bits-entropy.h | 31 +++++++++++++++++++++++++++ >>>>> 2 files changed, 37 insertions(+), 10 deletions(-) >>>>> create mode 100644 sysdeps/generic/random-bits-entropy.h >>>>> >>>>> diff --git a/include/random-bits.h b/include/random-bits.h >>>>> index 17665b479a..016b87576c 100644 >>>>> --- a/include/random-bits.h >>>>> +++ b/include/random-bits.h
>>>>> @@ -19,21 +19,17 @@ >>>>> #ifndef _RANDOM_BITS_H >>>>> # define _RANDOM_BITS_H >>>>> >>>>> -#include >>>>> -#include >>>>> +# include >>>>> +# include >>>>> >>>>> -/* Provides fast pseudo-random bits through clock_gettime. It has unspecified >>>>> - starting time, nano-second accuracy, its randomness is significantly better >>>>> - than gettimeofday, and for mostly architectures it is implemented through >>>>> - vDSO instead of a syscall. Since the source is a system clock, the upper >>>>> - bits will have less entropy. */ >>>>> +/* Provides fast pseudo-random bits through architecture specific >>>>> + random_bits_entropy. Expectation is source is some timing function so >>>>> + the upper bits have less entropy. */ >>>>> static inline uint32_t >>>>> random_bits (void) >>>>> { >>>>> - struct __timespec64 tv; >>>>> - __clock_gettime64 (CLOCK_MONOTONIC, &tv); >>>>> + uint32_t ret = random_bits_entropy (); >>>>> /* Shuffle the lower bits to minimize the clock bias. */ >>>>> - uint32_t ret = tv.tv_nsec ^ tv.tv_sec; >>>>> ret ^= (ret << 24) | (ret >> 8); >>>>> return ret; >>>>> } >>>> >>>> We already provide hp-timing.h, which uses rdtsc on x86 and clock_gettime on >>>> generic interface (and other high precision timing on other architectures). >>>> So I think a better way would be to: >>> >>> For x86/generic that works but other architectures also have hp-timing >>> implementations that might not be suitable for this (i.e there might be >>> an entropy regression). >> >> I would expect that the entropy of the hp-timing.h instruction would be similar >> to the ones from system clock (which exception of legacy architecture like alpha), >> but I haven't checked yet. > > Would expect the same, but think it will probably take a test on a > per-arch basis. > > Also there are optimizations we can make since we only need the lower > 32-bits and > not a true timestamp. > > I.e no multiply for generic. Also on x86 we can skip combining the > results of rdtsc. 
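Review bot: the replacement comment above random_bits() only states an "expectation" that random_bits_entropy() is a timing source with weaker upper bits, yet the mixing step kept right below it, `ret ^= (ret << 24) | (ret >> 8);`, is justified only by that property. Since the commit message invites sysdeps directories to supply their own random_bits_entropy(), the comment should state this as a requirement on every override (a uint32_t whose low-order bits carry most of the variation) rather than an expectation. The retained "Shuffle the lower bits to minimize the clock bias" comment also still assumes a clock and should be reworded if other sources are allowed.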
I tested the entropy on some different architectures:

aarch64:
$ ent gettime-random.txt
Entropy = 7.293634 bits per byte.
$ ent hptiming-random.txt
Entropy = 6.451314 bits per byte.

ia64:
$ ent gettime-random.txt
Entropy = 7.613066 bits per byte.
$ ent hptiming-random.txt
Entropy = 7.458615 bits per byte.

powerpc64le:
$ ent gettime-random.txt
Entropy = 7.413584 bits per byte.
$ ent hptiming-random.txt
Entropy = 7.243894 bits per byte.

sparc64:
$ ent gettime-random.txt
Entropy = 7.388590 bits per byte.
$ ent hptiming-random.txt
Entropy = 7.602368 bits per byte.

So it seems that only aarch64 is really losing some entropy when using
hp-timing.h (not sure why).
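A measurement of the kind reported above can be reproduced along these lines. This is an added example, not code from the thread or from glibc: it samples the pre-patch random_bits from the quoted hunk and computes the Shannon entropy per byte, the figure `ent` prints as "Entropy = ... bits per byte". The public clock_gettime call, the sample count, the raw 32-bit word layout and the libm-free log2_nolibm helper are assumptions of the example; how the files in the mail were generated is not stated.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Pre-patch random_bits from the quoted hunk; public clock_gettime stands in
   for glibc's internal __clock_gettime64 (assumption for a standalone build). */
static uint32_t random_bits(void) {
    struct timespec tv;
    clock_gettime(CLOCK_MONOTONIC, &tv);
    uint32_t ret = (uint32_t)tv.tv_nsec ^ (uint32_t)tv.tv_sec;
    ret ^= (ret << 24) | (ret >> 8);   /* shuffle the lower bits */
    return ret;
}

/* log2(x) for x > 0 without libm (hypothetical helper): scale x into [1,2),
   then produce one fraction bit per squaring step. */
static double log2_nolibm(double x) {
    double r = 0.0, bit = 0.5;
    while (x >= 2.0) { x /= 2.0; r += 1.0; }
    while (x < 1.0)  { x *= 2.0; r -= 1.0; }
    for (int i = 0; i < 40; i++, bit /= 2.0) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += bit; }
    }
    return r;
}

/* Shannon entropy in bits per byte: -sum p(v) * log2 p(v) over byte values. */
static double entropy_bits_per_byte(const unsigned char *buf, size_t n) {
    size_t count[256] = {0};
    double h = 0.0;
    for (size_t i = 0; i < n; i++) count[buf[i]]++;
    for (int v = 0; v < 256; v++) {
        double p = (double)count[v] / (double)n;
        if (count[v] != 0) h -= p * log2_nolibm(p);
    }
    return h;
}

int main(void) {
    static unsigned char buf[4 * 65536];    /* constructed sample size */
    for (size_t i = 0; i < 65536; i++) {
        uint32_t r = random_bits();         /* stored as raw 32-bit words */
        memcpy(buf + 4 * i, &r, sizeof r);
    }
    printf("Entropy = %f bits per byte.\n", entropy_bits_per_byte(buf, sizeof buf));
    return 0;
}
```

Sampling in a tight loop gives strongly correlated timestamps, so the figure describes this loop rather than the spaced-out calls random_bits sees in real use.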