From: Noah Goldstein
Date: Tue, 29 Mar 2022 15:04:17 -0500
Subject: Re: [PATCH v1 1/2] random-bits: Factor out entropy generating function
To: Adhemerval Zanella
Cc: GNU C Library

On Tue, Mar 29, 2022 at 2:56 PM Noah Goldstein wrote: > > On Tue, Mar 29, 2022 at 2:51 PM Adhemerval Zanella > wrote: > > > > > > > > On 28/03/2022 19:09, Noah Goldstein via Libc-alpha wrote: > > > On some architectures `clock_gettime` is undesirable as > > > it may use a syscall or there may be a faster alternative. > > > Future architecture specific functions can be added in > > > sysdeps//random-bits-entropy.h to provide a version of > > > 'random_bits_entropy' that doesn't use 'clock_gettime'. > > > --- > > > include/random-bits.h | 16 ++++++-------- > > > sysdeps/generic/random-bits-entropy.h | 31 +++++++++++++++++++++++++++ > > > 2 files changed, 37 insertions(+), 10 deletions(-) > > > create mode 100644 sysdeps/generic/random-bits-entropy.h > > > > > > diff --git a/include/random-bits.h b/include/random-bits.h > > > index 17665b479a..016b87576c 100644 > > > --- a/include/random-bits.h > > > +++ b/include/random-bits.h
> > > @@ -19,21 +19,17 @@ > > > #ifndef _RANDOM_BITS_H > > > # define _RANDOM_BITS_H > > > > > > -#include > > > -#include > > > +# include > > > +# include > > > > > > -/* Provides fast pseudo-random bits through clock_gettime. It has unspecified > > > - starting time, nano-second accuracy, its randomness is significantly better > > > - than gettimeofday, and for mostly architectures it is implemented through > > > - vDSO instead of a syscall. Since the source is a system clock, the upper > > > - bits will have less entropy. */ > > > +/* Provides fast pseudo-random bits through architecture specific > > > + random_bits_entropy. Expectation is source is some timing function so > > > + the upper bits have less entropy. */ > > > static inline uint32_t > > > random_bits (void) > > > { > > > - struct __timespec64 tv; > > > - __clock_gettime64 (CLOCK_MONOTONIC, &tv); > > > + uint32_t ret = random_bits_entropy (); > > > /* Shuffle the lower bits to minimize the clock bias. */ > > > - uint32_t ret = tv.tv_nsec ^ tv.tv_sec; > > > ret ^= (ret << 24) | (ret >> 8); > > > return ret; > > > } > > > > We already provide hp-timing.h, which uses rdtsc on x86 and clock_gettime on > > generic interface (and other high precision timing on other architectures). > > So I think a better way would be to: > > For x86/generic that works but other architectures also have hp-timing > implementations that might not be suitable for this (i.e. there might be > an entropy regression). > > > > > static inline uint32_t > > random_bits (void) > > { > > hp_timing_t hp; > > HP_TIMING_NOW (hp); Also note HP_TIMING_NOW will be slightly slower (without reason) as instead of xoring ns and seconds it does ns + (second * 10^9). Seems to generate the same amount of entropy so it's just an extra multiply on the critical path. > > /* Shuffle the lower bits to minimize the clock bias.
*/ > > uint32_t ret = hp >> 32 ^ (uint32_t) hp; > > ret ^= (ret << 24) | (ret >> 8); > > return ret; > > } > > > > And keep the XOR on with higher bits to keep the clock bias. > > > > > diff --git a/sysdeps/generic/random-bits-entropy.h b/sysdeps/generic/random-bits-entropy.h > > > new file mode 100644 > > > index 0000000000..53290c7f7a > > > --- /dev/null > > > +++ b/sysdeps/generic/random-bits-entropy.h > > > @@ -0,0 +1,31 @@ > > > +/* Fast function for generating entropy of random_bits. > > > + Copyright (C) 2022 Free Software Foundation, Inc. > > > + This file is part of the GNU C Library. > > > + > > > + The GNU C Library is free software; you can redistribute it and/or > > > + modify it under the terms of the GNU Lesser General Public > > > + License as published by the Free Software Foundation; either > > > + version 2.1 of the License, or (at your option) any later version. > > > + > > > + The GNU C Library is distributed in the hope that it will be useful, > > > + but WITHOUT ANY WARRANTY; without even the implied warranty of > > > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > > + Lesser General Public License for more details. > > > + > > > + You should have received a copy of the GNU Lesser General Public > > > + License along with the GNU C Library; if not, see > > > + . */ > > > + > > > +#include > > > +#include > > > + > > > +/* Generically use clock_gettime. It has unspecified starting time, nano-second > > > + accuracy, its randomness is significantly better than gettimeofday, and for > > > + mostly architectures it is implemented through vDSO instead of a syscall. */ > > > +static inline uint32_t > > > +random_bits_entropy (void) > > > +{ > > > + struct __timespec64 tv; > > > + __clock_gettime64 (CLOCK_MONOTONIC, &tv); > > > + return tv.tv_nsec ^ tv.tv_sec; > > > +}
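
Review bot: In the include/random-bits.h hunk, the rewritten comment above random_bits does not say what an architecture's random_bits_entropy has to return; it only says "Expectation is source is some timing function". The shuffle `ret ^= (ret << 24) | (ret >> 8)` folds the low 8 bits into the top byte and shifts everything else down, so an override whose fast-changing bits are not the low ones would be mixed poorly. Suggest stating in the comment that the low bits must be the ones that vary between calls, and rewording to something like "The source is expected to be a timing function, so the upper bits have less entropy". The comment "Shuffle the lower bits to minimize the clock bias" also still refers to a clock that this function no longer names.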
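
Review bot: The new sysdeps/generic/random-bits-entropy.h has no include guard, although it defines the static inline random_bits_entropy, so a second inclusion in one translation unit would be a redefinition error. Suggest wrapping the file in an #ifndef/# define pair the way include/random-bits.h does with _RANDOM_BITS_H. Separately, `return tv.tv_nsec ^ tv.tv_sec;` narrows to uint32_t implicitly; an explicit cast would make it clear that the truncation is intended. The carried-over comment wording "for mostly architectures" could be fixed while the text is being moved.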
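
Added example, not part of the original message or of glibc: the two folds compared in the reply above (ns ^ sec versus ns + sec * 10^9 folded to 32 bits), each followed by the shared shuffle, swept over a 256 ns window to show which output bits can change. The names `mix`, `fold_xor`, `fold_hp` and `varying_bits` are assumptions made here, and the inputs in `main` are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Shuffle shared by both random_bits variants in the thread:
   a rotate-right by 8 XORed into the value.  */
static uint32_t mix (uint32_t ret)
{
  ret ^= (ret << 24) | (ret >> 8);
  return ret;
}

/* Fold used by the patch's generic random_bits_entropy.  */
static uint32_t fold_xor (uint64_t sec, uint32_t nsec)
{
  return (uint32_t) (nsec ^ sec);
}

/* Fold from the HP_TIMING_NOW suggestion: hp = ns + sec * 10^9.  */
static uint32_t fold_hp (uint64_t sec, uint32_t nsec)
{
  uint64_t hp = nsec + UINT64_C (1000000000) * sec;
  return (uint32_t) (hp >> 32) ^ (uint32_t) hp;
}

/* Hypothetical helper: mask of output bits that change at all while
   nsec sweeps [base, base + window) within one second.  */
static uint32_t varying_bits (uint32_t (*fold) (uint64_t, uint32_t),
                              uint64_t sec, uint32_t base,
                              uint32_t window, int mixed)
{
  uint32_t first = fold (sec, base), mask = 0;
  if (mixed)
    first = mix (first);
  for (uint32_t i = 1; i < window; i++)
    {
      uint32_t v = fold (sec, base + i);
      mask |= (mixed ? mix (v) : v) ^ first;
    }
  return mask;
}

int main (void)
{
  /* Constructed sample: second 5, a 256 ns window starting at 0x1000.  */
  printf ("xor fold: raw %08x mixed %08x\n",
          (unsigned) varying_bits (fold_xor, 5, 0x1000, 256, 0),
          (unsigned) varying_bits (fold_xor, 5, 0x1000, 256, 1));
  printf ("hp fold:  raw %08x mixed %08x\n",
          (unsigned) varying_bits (fold_hp, 5, 0x1000, 256, 0),
          (unsigned) varying_bits (fold_hp, 5, 0x1000, 256, 1));
  return 0;
}
```

Both folds give the same masks here because 10^9 = 2^9 * 5^9, so the low 9 bits of ns + sec * 10^9 are exactly the low 9 bits of ns.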