References: <20220328220936.2724834-1-goldstein.w.n@gmail.com> <7b48ece6-392a-0850-c136-01ab751273ef@linaro.org>
In-Reply-To: <7b48ece6-392a-0850-c136-01ab751273ef@linaro.org>
From: Noah Goldstein
Date: Tue, 29 Mar 2022 15:44:09 -0500
Subject: Re: [PATCH v1 1/2] random-bits: Factor out entropy generating function
To: Adhemerval Zanella
Cc: GNU C Library
List-Id: Libc-alpha mailing list

On Tue, Mar 29, 2022 at 3:37 PM Adhemerval Zanella wrote:
>
>
>
> On 29/03/2022 16:56, Noah Goldstein wrote:
> > On Tue, Mar 29, 2022 at 2:51 PM Adhemerval Zanella
> > wrote:
> >>
> >>
> >>
> >> On 28/03/2022 19:09, Noah Goldstein via Libc-alpha wrote:
> >>> On some architectures `clock_gettime` is undesirable as
> >>> it may use a syscall or there may be a faster alternative.
> >>> Future architecture specific functions can be added in
> >>> sysdeps//random-bits-entropy.h to provide a version of
> >>> 'random_bits_entropy' that doesn't use 'clock_gettime'.
> >>> ---
> >>>  include/random-bits.h                 | 16 ++++++--------
> >>>  sysdeps/generic/random-bits-entropy.h | 31 +++++++++++++++++++++++++++
> >>>  2 files changed, 37 insertions(+), 10 deletions(-)
> >>>  create mode 100644 sysdeps/generic/random-bits-entropy.h
> >>>
> >>> diff --git a/include/random-bits.h b/include/random-bits.h
> >>> index 17665b479a..016b87576c 100644
> >>> --- a/include/random-bits.h
> >>> +++ b/include/random-bits.h
> >>> @@ -19,21 +19,17 @@ > >>> #ifndef _RANDOM_BITS_H > >>> # define _RANDOM_BITS_H > >>> > >>> -#include > >>> -#include > >>> +# include > >>> +# include > >>> > >>> -/* Provides fast pseudo-random bits through clock_gettime. It has unspecified > >>> - starting time, nano-second accuracy, its randomness is significantly better > >>> - than gettimeofday, and for mostly architectures it is implemented through > >>> - vDSO instead of a syscall. Since the source is a system clock, the upper > >>> - bits will have less entropy. */ > >>> +/* Provides fast pseudo-random bits through architecture specific > >>> + random_bits_entropy. Expectation is source is some timing function so > >>> + the upper bits have less entropy. */ > >>> static inline uint32_t > >>> random_bits (void) > >>> { > >>> - struct __timespec64 tv; > >>> - __clock_gettime64 (CLOCK_MONOTONIC, &tv); > >>> + uint32_t ret = random_bits_entropy (); > >>> /* Shuffle the lower bits to minimize the clock bias. */ > >>> - uint32_t ret = tv.tv_nsec ^ tv.tv_sec; > >>> ret ^= (ret << 24) | (ret >> 8); > >>> return ret; > >>> } > >> > >> We already provide hp-timing.h, which uses rdtsc on x86 and clock_gettime on > >> generic interface (and other high precision timing on other architectures). > >> So I think a better way would be to: > > > > For x86/generic that works but other architectures also have hp-timing > > implementations that might not be suitable for this (i.e there might be > > an entropy regression). > > I would expect that the entropy of the hp-timing.h instruction would be similar > to the ones from system clock (which exception of legacy architecture like alpha), > but I haven't checked yet. Would expect the same, but think it will probably take a test on a per-arch basis. Also there are optimizations we can make since we only need the lower 32-bits and not a true timestamp. I.e no multiply for generic. Also on x86 we can skip combining the results of rdtsc. 
>
> >
> >>
> >> static inline uint32_t
> >> random_bits (void)
> >> {
> >>   hp_timing_t hp;
> >>   HP_TIMING_NOW (hp);
> >>   /* Shuffle the lower bits to minimize the clock bias. */
> >>   uint32_t ret = hp >> 32 ^ (uint32_t) hp;
> >>   ret ^= (ret << 24) | (ret >> 8);
> >>   return ret;
> >> }
> >>
> >> And keep the XOR on with higher bits to keep the clock bias.
> >>
> >>> diff --git a/sysdeps/generic/random-bits-entropy.h b/sysdeps/generic/random-bits-entropy.h
> >>> new file mode 100644
> >>> index 0000000000..53290c7f7a
> >>> --- /dev/null
> >>> +++ b/sysdeps/generic/random-bits-entropy.h
> >>> @@ -0,0 +1,31 @@ > >>> +/* Fast function for generating entropy of random_bits. > >>> + Copyright (C) 2022 Free Software Foundation, Inc. > >>> + This file is part of the GNU C Library. > >>> + > >>> + The GNU C Library is free software; you can redistribute it and/or > >>> + modify it under the terms of the GNU Lesser General Public > >>> + License as published by the Free Software Foundation; either > >>> + version 2.1 of the License, or (at your option) any later version. > >>> + > >>> + The GNU C Library is distributed in the hope that it will be useful, > >>> + but WITHOUT ANY WARRANTY; without even the implied warranty of > >>> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > >>> + Lesser General Public License for more details. > >>> + > >>> + You should have received a copy of the GNU Lesser General Public > >>> + License along with the GNU C Library; if not, see > >>> + . */ > >>> + > >>> +#include > >>> +#include > >>> + > >>> +/* Generically use clock_gettime. It has unspecified starting time, nano-second > >>> + accuracy, its randomness is significantly better than gettimeofday, and for > >>> + mostly architectures it is implemented through vDSO instead of a syscall. */ > >>> +static inline uint32_t > >>> +random_bits_entropy (void) > >>> +{ > >>> + struct __timespec64 tv; > >>> + __clock_gettime64 (CLOCK_MONOTONIC, &tv); > >>> + return tv.tv_nsec ^ tv.tv_sec; > >>> +}
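Review bot: in the include/random-bits.h hunk, the replacement comment "Expectation is source is some timing function so the upper bits have less entropy" is ungrammatical and does not state the contract an architecture override of random_bits_entropy has to meet. The kept shuffle `ret ^= (ret << 24) | (ret >> 8);` only moves bits 0..7 into the top byte, so an override must return its fastest-changing bits in the low positions; suggest wording along the lines of "The source is expected to be a timing function whose low bits change fastest, so the upper bits carry less entropy and are mixed below."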
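Review bot: the new sysdeps/generic/random-bits-entropy.h has no include guard, unlike include/random-bits.h which wraps itself in `#ifndef _RANDOM_BITS_H`; add a matching `#ifndef _RANDOM_BITS_ENTROPY_H` / `# define _RANDOM_BITS_ENTROPY_H` / `#endif` so an architecture header that includes the generic one as a fallback does not redefine the function. Two smaller points in the same hunk: `return tv.tv_nsec ^ tv.tv_sec;` narrows a 64-bit XOR to the uint32_t return type implicitly, so an explicit `(uint32_t)` cast would document that the truncation is intended, and the moved comment still reads "for mostly architectures" where "for most architectures" is meant.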
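To make the bit-mixing discussed in the thread concrete, here is an added example written for this page (not glibc's code): it re-implements the two candidate entropy folds, the seconds XOR nanoseconds fold from the generic header and the hp-timing style fold from the reply, together with the shuffle that random_bits keeps, and tallies which output bits actually change over a run of closely spaced samples. The timestamp and counter values are constructed; the run shows that the shuffle relocates the fast-changing low bits into the top byte but cannot create entropy that the source did not provide.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative re-implementation of the shuffle random_bits keeps after the
   patch: bits 0..7 land in 24..31 and bits 8..31 move down by one byte.  */
static inline uint32_t shuffle_bits (uint32_t ret)
{
  ret ^= (ret << 24) | (ret >> 8);
  return ret;
}

/* Generic fold from the patch: seconds XOR nanoseconds, truncated to 32 bits.
   The values are passed in here instead of read via __clock_gettime64.  */
static inline uint32_t entropy_from_timespec (int64_t sec, long nsec)
{
  return (uint32_t) (nsec ^ sec);
}

/* hp-timing style fold from the reply: XOR the halves of a 64-bit counter.  */
static inline uint32_t entropy_from_counter (uint64_t hp)
{
  return (uint32_t) (hp >> 32) ^ (uint32_t) hp;
}

/* Number of output bits that differ between at least one pair of adjacent
   samples.  A bit that never changes across the run carries no entropy.  */
static unsigned varying_bits (const uint32_t *vals, size_t n)
{
  uint32_t changed = 0;
  for (size_t i = 1; i < n; i++) changed |= vals[i] ^ vals[i - 1];
  unsigned k = 0;
  for (int b = 0; b < 32; b++) k += (changed >> b) & 1;
  return k;
}

/* Constructed run: one fixed second, nanoseconds 37 ns apart, as back-to-back
   calls might see.  Returns how many bits vary before (0) or after (1) shuffling.  */
static unsigned sample_varying_bits (int shuffled)
{
  enum { N = 64 };
  uint32_t vals[N];
  for (int i = 0; i < N; i++)
    {
      uint32_t e = entropy_from_timespec (1648586659, 500000000L + 37L * i);
      vals[i] = shuffled ? shuffle_bits (e) : e;
    }
  return varying_bits (vals, N);
}
```

For this run the raw fold varies in 12 bits (all of them low) and the shuffled output in 20, the extra 8 being copies of bits 0..7 moved into the top byte; bits 12..23 stay constant either way, so the per-architecture question raised in the thread is really whether the source's low bits move fast enough.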