Re: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall

[Andy Lutomirski <luto@amacapital.net>]

> On Apr 29, 2019, at 12:46 AM, Reshetova, Elena <elena.reshetova@intel.com> wrote:
> 
> 
>>>> On Apr 26, 2019, at 7:01 AM, Theodore Ts'o <tytso@mit.edu> wrote:
>>> 
> 
>> It seems to me
>> that we should be using the “fast-erasure” construction for all get_random_bytes()
>> invocations. Specifically, we should have a per cpu buffer that stores some random
>> bytes and a count of how many random bytes there are. get_random_bytes() should
>> take bytes from that buffer and *immediately* zero those bytes in memory. When
>> the buffer is empty, it gets refilled with the full strength CRNG.
> 
> Ideally it would be great to call smth fast and secure on each syscall without a per-cpu
> buffer,

Why?  You only need a few bits, and any sensible crypto primitive is going to be much better at producing lots of bits than producing just a few bits.  Even ignoring that, avoiding the I-cache hit on every syscall has value.  And I still don’t see what’s wrong with a percpu buffer.

> so that's why I was asking on chacha8. As Eric pointed it should not be used for
> cryptographic purpose, but I think it is reasonably secure for our purpose, especially if
> the generator is sometimes reseeded with fresh entropy. 
> However, it very well might be that is too slow anyway. 
> 
> So, I think then we can do the per-cpu approach as you suggesting. 
> Have a per-cpu buffer big enough as you suggested (couple of pages) from where
> we regularly read 8 bits at the time and zero them as we go. 
> 
> I am just not sure on the right refill strategy in this case?
> Should we try to maintain this per-cpu buffer always with some random bytes by
> having a work queued that would refill it (or part of it, i.e. a page from a set of 4 pages) 
> regularly from CRNG source? 
> I guess how often we need to refill will depend so much on the syscall rate
> on that cpu, so it might be hard to find a reasonable period.
> In any case we need to prepare to do a refill straight from a syscall,
> if despite our best efforts to keep the buffer refilled we run out of bits.
> Is it ok to get a visible performance hit at this point? In worse case we will need to
> generate n pages worth of random numbers, which is going to take a
> while. 

I think a small hit every few syscalls is okay. The real time people will turn this off regardless.

> 
> I will try doing this PoC and measure implications (without the worker
> refill to start with). Let's see how bad (performance wise it looks).
> 
> Best Regards,
> Elena.
> 
> 
> 
> 
> 
>> The obvious objection is “oh no, a side channel could leak the buffer,” to which I say
>> so what?  A side channel could just as easily leak the entire CRNG state.
>> 
>> For Elena’s specific use case, we would probably want a
>> try_get_random_bytes_notrace() that *only* tries the percpu buffer, since this code
>> runs so early in the syscall path that we can’t run real C code.  Or it could be moved a
>> bit later, I suppose — the really early part is not really an interesting attack surface.