From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oa1-x35.google.com (mail-oa1-x35.google.com [IPv6:2001:4860:4864:20::35]) by sourceware.org (Postfix) with ESMTPS id 02A863858C56 for ; Tue, 26 Jul 2022 20:56:26 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 02A863858C56 Received: by mail-oa1-x35.google.com with SMTP id 586e51a60fabf-10d845dcf92so20087458fac.12 for ; Tue, 26 Jul 2022 13:56:25 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:from:to:cc:references:organization:in-reply-to :content-transfer-encoding; bh=Lu19QanZmMmFbeJDfXhCYRPTw4ZQh3LrAl/eaR1hZNU=; b=fsQx/LZx/ZxN6Crhkz2reKYcidpEKZ+mL1DVkejklSVLnj6hrROlk0j1R4/wpHa7dY 3F3Gi+N35U19F8NZOTUUioIPNCujLtDh8brstmIZlGoAqmUt0KSxo/aCvzDDiACv1SJI A/wdjTTpc2o3vsOeF+u0kCeDvyJ8SGMQPXN03uUzb1ydcRaefhtzrFGxuigbnA8QESpj S3hMYvufqoAxdNHQ4EaN40k4/LftzEu29v91dW+c5QJqvzzNS8aogA81IiuVEbs38n7Y FjPoeXgJGfe8GGSJTCIjJK8s900N0wfIu3vk324fLM87NoIp6u5NXnamXpWTATQ7tPct r20Q== X-Gm-Message-State: AJIora/wqIqQXoBBMr1OusfY/+y+K8mtwCLYCqLBCGpiAlIviFBe1CXG 2ROqkbzwk06zfu/MQl1l4H6fdg== X-Google-Smtp-Source: AGRyM1u4acPkgeL8YgfuE1QdRat/EQf1eEcOxzG5hnnGgiWAw8wmAmEAd56jBNwLmzHGD8gfB5iTSw== X-Received: by 2002:a05:6870:d204:b0:10e:1cbc:477e with SMTP id g4-20020a056870d20400b0010e1cbc477emr570418oac.298.1658868985328; Tue, 26 Jul 2022 13:56:25 -0700 (PDT) Received: from ?IPV6:2804:431:c7cb:8ded:8925:49f1:c550:ee7d? ([2804:431:c7cb:8ded:8925:49f1:c550:ee7d]) by smtp.gmail.com with ESMTPSA id x1-20020a544001000000b0033a422b39b4sm6421692oie.49.2022.07.26.13.56.22 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Jul 2022 13:56:24 -0700 (PDT) Message-ID: <9101f76a-c5d4-4101-0583-d942fb247b72@linaro.org> Date: Tue, 26 Jul 2022 17:56:21 -0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.0.3 Subject: Re: [PATCH v6] arc4random: simplify design for better safety Content-Language: en-US From: Adhemerval Zanella Netto To: "Jason A. Donenfeld" , libc-alpha@sourceware.org Cc: Florian Weimer , =?UTF-8?Q?Cristian_Rodr=c3=adguez?= , Paul Eggert , Mark Harris , Eric Biggers , linux-crypto@vger.kernel.org References: <20220726190830.1189339-1-Jason@zx2c4.com> <20220726195822.1223048-1-Jason@zx2c4.com> Organization: Linaro In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-5.8 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, NICE_REPLY_A, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jul 2022 20:56:27 -0000 On 26/07/22 17:17, Adhemerval Zanella Netto wrote: > > > On 26/07/22 16:58, Jason A. Donenfeld wrote: >> Rather than buffering 16 MiB of entropy in userspace (by way of >> chacha20), simply call getrandom() every time. >> >> This approach is doubtlessly slower, for now, but trying to prematurely >> optimize arc4random appears to be leading toward all sorts of nasty >> properties and gotchas. Instead, this patch takes a much more >> conservative approach. The interface is added as a basic loop wrapper >> around getrandom(), and then later, the kernel and libc together can >> work together on optimizing that. >> >> This prevents numerous issues in which userspace is unaware of when it >> really must throw away its buffer, since we avoid buffering all >> together. Future improvements may include userspace learning more from >> the kernel about when to do that, which might make these sorts of >> chacha20-based optimizations more possible. The current heuristic of 16 >> MiB is meaningless garbage that doesn't correspond to anything the >> kernel might know about. So for now, let's just do something >> conservative that we know is correct and won't lead to cryptographic >> issues for users of this function. >> >> This patch might be considered along the lines of, "optimization is the >> root of all evil," in that the much more complex implementation it >> replaces moves too fast without considering security implications, >> whereas the incremental approach done here is a much safer way of going >> about things. Once this lands, we can take our time in optimizing this >> properly using new interplay between the kernel and userspace. >> >> getrandom(0) is used, since that's the one that ensures the bytes >> returned are cryptographically secure. But on systems without it, we >> fallback to using /dev/urandom. This is unfortunate because it means >> opening a file descriptor, but there's not much of a choice. Secondly, >> as part of the fallback, in order to get more or less the same >> properties of getrandom(0), we poll on /dev/random, and if the poll >> succeeds at least once, then we assume the RNG is initialized. This is a >> rough approximation, as the ancient "non-blocking pool" initialized >> after the "blocking pool", not before, and it may not port back to all >> ancient kernels, though it does to all kernels supported by glibc >> (≥3.2), so generally it's the best approximation we can do. >> >> The motivation for including arc4random, in the first place, is to have >> source-level compatibility with existing code. That means this patch >> doesn't attempt to litigate the interface itself. It does, however, >> choose a conservative approach for implementing it. > > LGTM, I agree this is safe solution for 2.36, we can optimize it later > if is were the case. > > I will run some tests and push it upstream. > > Reviewed-by: Adhemerval Zanella And I think we will need to tune down stdlib/tst-arc4random-thread internal parameters because it now takes about 1 minute on my testing machine (which is somewhat recent processor). I will send a patch to adjust the maximum number of threads depending of the configured system CPU (to avoid syscall contention).