From: "H.J. Lu"
Date: Tue, 29 Mar 2022 13:14:11 -0700
Subject: Re: [PATCH v1 1/2] random-bits: Factor out entropy generating function
To: Noah Goldstein
Cc: Adhemerval Zanella, GNU C Library

On Tue, Mar 29, 2022 at 12:56 PM Noah Goldstein via Libc-alpha wrote: > > On Tue, Mar 29, 2022 at 2:51 PM Adhemerval Zanella > wrote: > > > > > > > > On 28/03/2022 19:09, Noah Goldstein via Libc-alpha wrote: > > > On some architectures `clock_gettime` is undesirable as > > > it may use a syscall or there may be a faster alternative. > > > Future architecture specific functions can be added in > > > sysdeps//random-bits-entropy.h to provide a version of > > > 'random_bits_entropy' that doesn't use 'clock_gettime'. > > > --- > > > include/random-bits.h | 16 ++++++-------- > > > sysdeps/generic/random-bits-entropy.h | 31 +++++++++++++++++++++++++++ > > > 2 files changed, 37 insertions(+), 10 deletions(-) > > > create mode 100644 sysdeps/generic/random-bits-entropy.h > > > > > > diff --git a/include/random-bits.h b/include/random-bits.h > > > index 17665b479a..016b87576c 100644 > > > --- a/include/random-bits.h > > > +++ b/include/random-bits.h
> > > @@ -19,21 +19,17 @@ > > > #ifndef _RANDOM_BITS_H > > > # define _RANDOM_BITS_H > > > > > > -#include > > > -#include > > > +# include > > > +# include > > > > > > -/* Provides fast pseudo-random bits through clock_gettime. It has unspecified > > > - starting time, nano-second accuracy, its randomness is significantly better > > > - than gettimeofday, and for mostly architectures it is implemented through > > > - vDSO instead of a syscall. Since the source is a system clock, the upper > > > - bits will have less entropy. */ > > > +/* Provides fast pseudo-random bits through architecture specific > > > + random_bits_entropy. Expectation is source is some timing function so > > > + the upper bits have less entropy. */ > > > static inline uint32_t > > > random_bits (void) > > > { > > > - struct __timespec64 tv; > > > - __clock_gettime64 (CLOCK_MONOTONIC, &tv); > > > + uint32_t ret = random_bits_entropy (); > > > /* Shuffle the lower bits to minimize the clock bias. */ > > > - uint32_t ret = tv.tv_nsec ^ tv.tv_sec; > > > ret ^= (ret << 24) | (ret >> 8); > > > return ret; > > > } > > > > We already provide hp-timing.h, which uses rdtsc on x86 and clock_gettime on > > generic interface (and other high precision timing on other architectures). > > So I think a better way would be to: > > For x86/generic that works but other architectures also have hp-timing > implementations that might not be suitable for this (i.e there might be > an entropy regression). The default hp-timing.h has # define HP_TIMING_NOW(var) \ ({ \ struct __timespec64 tv; \ __clock_gettime64 (CLOCK_MONOTONIC, &tv); \ (var) = (tv.tv_nsec + UINT64_C(1000000000) * tv.tv_sec); \ }) It isn't the same as the current include/random-bits.h. > > > > static inline uint32_t > > random_bits (void) > > { > > hp_timing_t hp; > > HP_TIMING_NOW (hp); > > /* Shuffle the lower bits to minimize the clock bias. 
*/ > > uint32_t ret = hp >> 32 ^ (uint32_t) hp; > > ret ^= (ret << 24) | (ret >> 8); > > return ret; > > } > > > > And keep the XOR on with higher bits to keep the clock bias. > > > > > diff --git a/sysdeps/generic/random-bits-entropy.h b/sysdeps/generic/random-bits-entropy.h > > > new file mode 100644 > > > index 0000000000..53290c7f7a > > > --- /dev/null > > > +++ b/sysdeps/generic/random-bits-entropy.h > > > @@ -0,0 +1,31 @@ > > > +/* Fast function for generating entropy of random_bits. > > > + Copyright (C) 2022 Free Software Foundation, Inc. > > > + This file is part of the GNU C Library. > > > + > > > + The GNU C Library is free software; you can redistribute it and/or > > > + modify it under the terms of the GNU Lesser General Public > > > + License as published by the Free Software Foundation; either > > > + version 2.1 of the License, or (at your option) any later version. > > > + > > > + The GNU C Library is distributed in the hope that it will be useful, > > > + but WITHOUT ANY WARRANTY; without even the implied warranty of > > > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > > + Lesser General Public License for more details. > > > + > > > + You should have received a copy of the GNU Lesser General Public > > > + License along with the GNU C Library; if not, see > > > + . */ > > > + > > > +#include > > > +#include > > > + > > > +/* Generically use clock_gettime. It has unspecified starting time, nano-second > > > + accuracy, its randomness is significantly better than gettimeofday, and for > > > + mostly architectures it is implemented through vDSO instead of a syscall. */ > > > +static inline uint32_t > > > +random_bits_entropy (void) > > > +{ > > > + struct __timespec64 tv; > > > + __clock_gettime64 (CLOCK_MONOTONIC, &tv); > > > + return tv.tv_nsec ^ tv.tv_sec; > > > +} -- H.J.
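Review bot: In the include/random-bits.h hunk, the rewritten comment above random_bits() replaces the documented properties of the source with "Expectation is source is some timing function", which leaves the contract for an architecture override of random_bits_entropy() unstated. The retained mixing step `ret ^= (ret << 24) | (ret >> 8);` XORs the value with a rotation of itself, and its comment still says it exists "to minimize the clock bias", so it only helps if the low-order bits of the returned value are the ones that vary between calls. Suggest spelling that requirement out in the comment (the low bits must change from call to call, the upper bits may be near-constant) and keeping "pseudo-random" prominent so that an override is not mistaken for a source of cryptographic randomness.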
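Review bot: The new sysdeps/generic/random-bits-entropy.h has no include guard: its 31 lines go from the license block straight to the two #include lines and the static inline definition of random_bits_entropy(), so a second inclusion in the same translation unit would redefine the function. Suggest wrapping the file in #ifndef/#define/#endif, as include/random-bits.h does with _RANDOM_BITS_H. Also in this file, `return tv.tv_nsec ^ tv.tv_sec;` now relies on the uint32_t return type to truncate the XOR, and the result of __clock_gettime64 is not checked; a one-line comment saying both are intentional would help whoever writes an architecture-specific version against this one.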