From: Noah Goldstein
Date: Tue, 29 Mar 2022 14:56:04 -0500
Subject: Re: [PATCH v1 1/2] random-bits: Factor out entropy generating function
To: Adhemerval Zanella
Cc: GNU C Library

On Tue, Mar 29, 2022 at 2:51 PM Adhemerval Zanella wrote: > > > > On 28/03/2022 19:09, Noah Goldstein via Libc-alpha wrote: > > On some architectures `clock_gettime` is undesirable as > > it may use a syscall or there may be a faster alternative. > > Future architecture specific functions can be added in > > sysdeps//random-bits-entropy.h to provide a version of > > 'random_bits_entropy' that doesn't use 'clock_gettime'. > > --- > > include/random-bits.h | 16 ++++++-------- > > sysdeps/generic/random-bits-entropy.h | 31 +++++++++++++++++++++++++++ > > 2 files changed, 37 insertions(+), 10 deletions(-) > > create mode 100644 sysdeps/generic/random-bits-entropy.h > > > > diff --git a/include/random-bits.h b/include/random-bits.h > > index 17665b479a..016b87576c 100644 > > --- a/include/random-bits.h > > +++ b/include/random-bits.h 
> > @@ -19,21 +19,17 @@ > > #ifndef _RANDOM_BITS_H > > # define _RANDOM_BITS_H > > > > -#include > > -#include > > +# include > > +# include > > > > -/* Provides fast pseudo-random bits through clock_gettime. It has unspecified > > - starting time, nano-second accuracy, its randomness is significantly better > > - than gettimeofday, and for mostly architectures it is implemented through > > - vDSO instead of a syscall. Since the source is a system clock, the upper > > - bits will have less entropy. */ > > +/* Provides fast pseudo-random bits through architecture specific > > + random_bits_entropy. Expectation is source is some timing function so > > + the upper bits have less entropy. */ > > static inline uint32_t > > random_bits (void) > > { > > - struct __timespec64 tv; > > - __clock_gettime64 (CLOCK_MONOTONIC, &tv); > > + uint32_t ret = random_bits_entropy (); > > /* Shuffle the lower bits to minimize the clock bias. */ > > - uint32_t ret = tv.tv_nsec ^ tv.tv_sec; > > ret ^= (ret << 24) | (ret >> 8); > > return ret; > > } > > We already provide hp-timing.h, which uses rdtsc on x86 and clock_gettime on > generic interface (and other high precision timing on other architectures). > So I think a better way would be to: For x86/generic that works but other architectures also have hp-timing implementations that might not be suitable for this (i.e there might be an entropy regression). > > static inline uint32_t > random_bits (void) > { > hp_timing_t hp; > HP_TIMING_NOW (hp); > /* Shuffle the lower bits to minimize the clock bias. */ > uint32_t ret = hp >> 32 ^ (uint32_t) hp; > ret ^= (ret << 24) | (ret >> 8); > return ret; > } > > And keep the XOR on with higher bits to keep the clock bias. > > > diff --git a/sysdeps/generic/random-bits-entropy.h b/sysdeps/generic/random-bits-entropy.h > > new file mode 100644 > > index 0000000000..53290c7f7a > > --- /dev/null > > +++ b/sysdeps/generic/random-bits-entropy.h 
> > @@ -0,0 +1,31 @@ > > +/* Fast function for generating entropy of random_bits. > > + Copyright (C) 2022 Free Software Foundation, Inc. > > + This file is part of the GNU C Library. > > + > > + The GNU C Library is free software; you can redistribute it and/or > > + modify it under the terms of the GNU Lesser General Public > > + License as published by the Free Software Foundation; either > > + version 2.1 of the License, or (at your option) any later version. > > + > > + The GNU C Library is distributed in the hope that it will be useful, > > + but WITHOUT ANY WARRANTY; without even the implied warranty of > > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > + Lesser General Public License for more details. > > + > > + You should have received a copy of the GNU Lesser General Public > > + License along with the GNU C Library; if not, see > > + . */ > > + > > +#include > > +#include > > + > > +/* Generically use clock_gettime. It has unspecified starting time, nano-second > > + accuracy, its randomness is significantly better than gettimeofday, and for > > + mostly architectures it is implemented through vDSO instead of a syscall. */ > > +static inline uint32_t > > +random_bits_entropy (void) > > +{ > > + struct __timespec64 tv; > > + __clock_gettime64 (CLOCK_MONOTONIC, &tv); > > + return tv.tv_nsec ^ tv.tv_sec; > > +}
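
Review bot: In the include/random-bits.h hunk, the rewritten comment above random_bits() says only "Expectation is source is some timing function", which leaves the contract for a sysdeps override of random_bits_entropy() unstated. The mixing step `ret ^= (ret << 24) | (ret >> 8);` is a fixed rotate-and-XOR, so it can only spread bits that already vary: an override whose uint32_t result changes slowly between calls would leave random_bits() nearly constant. Suggest the comment state that an override must return the fastest-changing bits of its source in the 32-bit result, and that the output is timing-derived, so callers must not treat it as unpredictable.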
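
Review bot: The new sysdeps/generic/random-bits-entropy.h defines `static inline uint32_t random_bits_entropy (void)` with no include guard, unlike include/random-bits.h with its `#ifndef _RANDOM_BITS_H`, so a translation unit that pulls the header in twice would fail with a redefinition error. Suggest wrapping the file in its own guard. Two smaller points in the same hunk: `return tv.tv_nsec ^ tv.tv_sec;` narrows to the uint32_t return type implicitly, where an explicit cast would make the truncation visible to whoever writes an architecture-specific version, and the comment carried over from the old file still reads "for mostly architectures".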