From: Nicolai Stange <nstange@suse.de>
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: linux-crypto@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Alexander E. Patrakov" <patrakov@gmail.com>,
"Ahmed S. Darwish" <darwish.07@gmail.com>,
"Willy Tarreau" <w@1wt.eu>,
"Matthew Garrett" <mjg59@srcf.ucam.org>,
"Vito Caputo" <vcaputo@pengaru.com>,
"Andreas Dilger" <adilger.kernel@dilger.ca>,
"Jan Kara" <jack@suse.cz>, "Ray Strode" <rstrode@redhat.com>,
"William Jon McCann" <mccann@jhu.edu>,
zhangjs <zachary@baishancloud.com>,
"Andy Lutomirski" <luto@kernel.org>,
"Florian Weimer" <fweimer@redhat.com>,
"Lennart Poettering" <mzxreary@0pointer.de>,
"Peter Matthias" <matthias.peter@bsi.bund.de>,
"Marcelo Henrique Cerri" <marcelo.cerri@canonical.com>,
"Roman Drahtmueller" <draht@schaltsekun.de>,
"Neil Horman" <nhorman@redhat.com>,
"Randy Dunlap" <rdunlap@infradead.org>,
"Julia Lawall" <julia.lawall@inria.fr>,
"Dan Carpenter" <dan.carpenter@oracle.com>,
"Andy Lavr" <andy.lavr@gmail.com>,
"Eric Biggers" <ebiggers@kernel.org>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"Stephan Müller" <smueller@chronox.de>,
"Torsten Duwe" <duwe@suse.de>, "Petr Tesarik" <ptesarik@suse.cz>,
"Nicolai Stange" <nstange@suse.de>
Subject: [RFC PATCH 08/41] random: introduce __credit_entropy_bits_fast() for hot paths
Date: Mon, 21 Sep 2020 09:58:24 +0200 [thread overview]
Message-ID: <20200921075857.4424-9-nstange@suse.de> (raw)
In-Reply-To: <20200921075857.4424-1-nstange@suse.de>
When transferring entropy from the fast_pool into the global input_pool
from add_interrupt_randomness(), there are at least two atomic operations
involved: one when taking the input_pool's spinlock for the actual mixing
and another one in the cmpxchg loop in credit_entropy_bits() for
updating the pool's ->entropy_count. Because cmpxchg is potentially costly,
it would be nice if it could be avoided.
As said, the input_pool's spinlock is taken anyway, and I see no reason
why its scope should not be extended to protect ->entropy_count as well.
Performance considerations set aside, this will also facilitate future
changes introducing additional fields to input_pool which will also have to
get updated atomically from the consumer/producer sides.
The actual move to extend the spinlock's scope to cover ->entropy_count
will be the subject of a future patch. Prepare for that by putting
a limit on the work to be done with the lock being held.
In order to avoid releasing and regrabbing from hot producer paths, they'll
keep the lock when executing those calculations in pool_entropy_delta().
The loop found in the latter has a theoretical upper bound of
2 * log2(pool_size) == 24 iterations. However, as all entropy increments
awarded from the interrupt path are less than pool_size/2 in magnitude,
it is safe to enforce a guaranteed limit of one on the iteration count
by setting pool_entropy_delta()'s 'fast' parameter.
Introduce __credit_entropy_bits_fast() doing exactly that. Currently
it resembles the behaviour from credit_entropy_bits() except that
- pool_entropy_delta() gets called with 'fast' set to true and
- that __credit_entropy_bits_fast() returns a bool indicating whether
the caller should reseed the primary_crng.
Note that unlike it's the case with credit_entropy_bits(), the reseeding
won't be possible from within __credit_entropy_bits_fast() anymore once it
actually gets invoked with the pool lock being held in the future.
There is no functional change.
Signed-off-by: Nicolai Stange <nstange@suse.de>
---
drivers/char/random.c | 49 ++++++++++++++++++++++++++++++++++++++++---
1 file changed, 46 insertions(+), 3 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 08caa7a691a5..d9e4dd27d45d 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -714,6 +714,39 @@ static unsigned int pool_entropy_delta(struct entropy_store *r,
return entropy_count - base_entropy_count;
}
+/*
+ * Credit the entropy store with n bits of entropy.
+ * To be used from hot paths when it is either known that nbits is
+ * smaller than one half of the pool size or losing anything beyond that
+ * doesn't matter.
+ */
+static bool __credit_entropy_bits_fast(struct entropy_store *r, int nbits)
+{
+ int entropy_count, orig;
+
+ if (!nbits)
+ return false;
+
+retry:
+ orig = READ_ONCE(r->entropy_count);
+ entropy_count = orig + pool_entropy_delta(r, orig,
+ nbits << ENTROPY_SHIFT,
+ true);
+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
+ goto retry;
+
+ trace_credit_entropy_bits(r->name, nbits,
+ entropy_count >> ENTROPY_SHIFT, _RET_IP_);
+
+ if (unlikely(r == &input_pool && crng_init < 2)) {
+ const int entropy_bits = entropy_count >> ENTROPY_SHIFT;
+
+ return (entropy_bits >= 128);
+ }
+
+ return false;
+}
+
/*
* Credit the entropy store with n bits of entropy.
* Use credit_entropy_bits_safe() if the value comes from userspace
@@ -1169,6 +1202,7 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
unsigned num;
} sample;
long delta, delta2, delta3;
+ bool reseed;
sample.jiffies = jiffies;
sample.cycles = random_get_entropy();
@@ -1206,7 +1240,9 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
* Round down by 1 bit on general principles,
* and limit entropy estimate to 12 bits.
*/
- credit_entropy_bits(r, min_t(int, fls(delta>>1), 11));
+ reseed = __credit_entropy_bits_fast(r, min_t(int, fls(delta>>1), 11));
+ if (reseed)
+ crng_reseed(&primary_crng, r);
}
void add_input_randomness(unsigned int type, unsigned int code,
@@ -1274,6 +1310,7 @@ void add_interrupt_randomness(int irq, int irq_flags)
__u64 ip;
unsigned long seed;
int credit = 0;
+ bool reseed;
if (cycles == 0)
cycles = get_reg(fast_pool, regs);
@@ -1326,7 +1363,9 @@ void add_interrupt_randomness(int irq, int irq_flags)
fast_pool->count = 0;
/* award one bit for the contents of the fast pool */
- credit_entropy_bits(r, credit + 1);
+ reseed = __credit_entropy_bits_fast(r, credit + 1);
+ if (reseed)
+ crng_reseed(&primary_crng, r);
}
EXPORT_SYMBOL_GPL(add_interrupt_randomness);
@@ -1599,7 +1638,11 @@ EXPORT_SYMBOL(get_random_bytes);
*/
static void entropy_timer(struct timer_list *t)
{
- credit_entropy_bits(&input_pool, 1);
+ bool reseed;
+
+ reseed = __credit_entropy_bits_fast(&input_pool, 1);
+ if (reseed)
+ crng_reseed(&primary_crng, &input_pool);
}
/*
--
2.26.2
next prev parent reply other threads:[~2020-09-21 7:59 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-21 7:58 [DISCUSSION PATCH 00/41] random: possible ways towards NIST SP800-90B compliance Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 01/41] random: remove dead code in credit_entropy_bits() Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 02/41] random: remove dead code for nbits < 0 " Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 03/41] random: prune dead assignment to entropy_bits " Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 04/41] random: drop 'reserved' parameter from extract_entropy() Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 05/41] random: don't reset entropy to zero on overflow Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 06/41] random: factor the exponential approximation in credit_entropy_bits() out Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 07/41] random: let pool_entropy_delta() take nbits in units of 2^-ENTROPY_SHIFT Nicolai Stange
2020-09-21 7:58 ` Nicolai Stange [this message]
2020-09-21 7:58 ` [RFC PATCH 09/41] random: protect ->entropy_count with the pool spinlock Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 10/41] random: implement support for delayed entropy dispatching Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 11/41] random: convert add_timer_randomness() to queued_entropy API Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 12/41] random: convert add_interrupt_randomness() " Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 13/41] random: convert try_to_generate_entropy() " Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 14/41] random: drop __credit_entropy_bits_fast() Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 15/41] random: convert add_hwgenerator_randomness() to queued_entropy API Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 16/41] random: convert random_ioctl() " Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 17/41] random: drop credit_entropy_bits() and credit_entropy_bits_safe() Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 18/41] random: move arch_get_random_seed() calls in crng_reseed() into own loop Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 19/41] random: reintroduce arch_has_random() + arch_has_random_seed() Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 20/41] random: provide min_crng_reseed_pool_entropy() Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 21/41] random: don't invoke arch_get_random_long() from add_interrupt_randomness() Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 22/41] random: introduce arch_has_sp800_90b_random_seed() Nicolai Stange
2020-09-21 12:18 ` kernel test robot
2020-09-21 7:58 ` [RFC PATCH 23/41] random: don't award entropy to non-SP800-90B arch RNGs in FIPS mode Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 24/41] init: call time_init() before rand_initialize() Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 25/41] random: probe cycle counter resolution at initialization Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 26/41] random: implement support for evaluating larger fast_pool entropies Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 27/41] random: increase per-IRQ event entropy estimate if in FIPS mode Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 28/41] random: don't award entropy to disk + input events " Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 29/41] random: move definition of struct queued_entropy and related API upwards Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 30/41] random: add a queued_entropy instance to struct fast_pool Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 31/41] random: introduce struct health_test + health_test_reset() placeholders Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 32/41] random: introduce health test stub and wire it up Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 33/41] random: make health_test_process() maintain the get_cycles() delta Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 34/41] random: implement the "Adaptive Proportion" NIST SP800-90B health test Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 35/41] random: improve the APT's statistical power Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 36/41] random: optimize the APT's presearch Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 37/41] random: implement the "Repetition Count" NIST SP800-90B health test Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 38/41] random: enable NIST SP800-90B startup tests Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 39/41] random: make the startup tests include muliple APT invocations Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 40/41] random: trigger startup health test on any failure of the health tests Nicolai Stange
2020-09-21 7:58 ` [RFC PATCH 41/41] random: lower per-IRQ entropy estimate upon health test failure Nicolai Stange
2020-09-21 8:09 ` [DISCUSSION PATCH 00/41] random: possible ways towards NIST SP800-90B compliance Jason A. Donenfeld
2020-09-21 8:40 ` Stephan Mueller
2020-09-22 13:23 ` Torsten Duwe
2020-09-22 16:21 ` Greg Kroah-Hartman
2020-09-22 17:48 ` Torsten Duwe
2020-10-02 12:38 ` Torsten Duwe
2020-10-02 13:15 ` Willy Tarreau
2020-10-02 13:33 ` Greg Kroah-Hartman
2020-10-02 14:05 ` Torsten Duwe
2020-10-02 13:56 ` Stephan Mueller
2020-10-16 17:26 ` Torsten Duwe
2020-10-19 19:28 ` [PATCH v36 00/13] /dev/random - a new approach Stephan Müller
2020-10-19 19:30 ` [PATCH v36 01/13] Linux Random Number Generator Stephan Müller
2020-10-19 19:31 ` [PATCH v36 02/13] LRNG - allocate one DRNG instance per NUMA node Stephan Müller
2020-10-19 19:32 ` [PATCH v36 03/13] LRNG - sysctls and /proc interface Stephan Müller
2020-10-19 19:32 ` [PATCH v36 04/13] LRNG - add switchable DRNG support Stephan Müller
2020-10-19 19:33 ` [PATCH v36 05/13] LRNG - add common generic hash support Stephan Müller
2020-10-19 19:34 ` [PATCH v36 06/13] crypto: DRBG - externalize DRBG functions for LRNG Stephan Müller
2020-10-19 19:34 ` [PATCH v36 07/13] LRNG - add SP800-90A DRBG extension Stephan Müller
2020-10-19 19:35 ` [PATCH v36 08/13] LRNG - add kernel crypto API PRNG extension Stephan Müller
2020-10-19 19:35 ` [PATCH v36 09/13] crypto: provide access to a static Jitter RNG state Stephan Müller
2020-10-19 19:36 ` [PATCH v36 10/13] LRNG - add Jitter RNG fast noise source Stephan Müller
2020-10-19 19:37 ` [PATCH v36 11/13] LRNG - add SP800-90B compliant health tests Stephan Müller
2020-10-19 19:37 ` [PATCH v36 12/13] LRNG - add interface for gathering of raw entropy Stephan Müller
2020-10-19 19:38 ` [PATCH v36 13/13] LRNG - add power-on and runtime self-tests Stephan Müller
2020-10-28 17:51 ` [PATCH v36 00/13] /dev/random - a new approach Torsten Duwe
2020-10-28 18:07 ` Greg Kroah-Hartman
2020-11-02 13:44 ` Torsten Duwe
2020-11-04 14:26 ` Marcelo Henrique Cerri
2020-11-17 14:01 ` Torsten Duwe
2020-11-10 10:22 ` Stephan Mueller
2020-10-02 13:35 ` [DISCUSSION PATCH 00/41] random: possible ways towards NIST SP800-90B compliance Van Leeuwen, Pascal
2020-10-02 14:04 ` Greg Kroah-Hartman
2020-10-02 14:34 ` Van Leeuwen, Pascal
2020-10-02 15:13 ` Greg Kroah-Hartman
2020-10-02 15:39 ` Van Leeuwen, Pascal
2020-10-02 16:30 ` Randy Dunlap
2020-10-02 18:14 ` Theodore Y. Ts'o
2020-10-02 19:09 ` Van Leeuwen, Pascal
2020-10-07 4:24 ` Eric Biggers
2020-10-07 5:52 ` Stephan Mueller
2020-10-07 10:38 ` Nicolai Stange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200921075857.4424-9-nstange@suse.de \
--to=nstange@suse.de \
--cc=Jason@zx2c4.com \
--cc=adilger.kernel@dilger.ca \
--cc=andy.lavr@gmail.com \
--cc=arnd@arndb.de \
--cc=dan.carpenter@oracle.com \
--cc=darwish.07@gmail.com \
--cc=draht@schaltsekun.de \
--cc=duwe@suse.de \
--cc=ebiederm@xmission.com \
--cc=ebiggers@kernel.org \
--cc=fweimer@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=julia.lawall@inria.fr \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=marcelo.cerri@canonical.com \
--cc=matthias.peter@bsi.bund.de \
--cc=mccann@jhu.edu \
--cc=mjg59@srcf.ucam.org \
--cc=mzxreary@0pointer.de \
--cc=nhorman@redhat.com \
--cc=patrakov@gmail.com \
--cc=ptesarik@suse.cz \
--cc=rdunlap@infradead.org \
--cc=rstrode@redhat.com \
--cc=smueller@chronox.de \
--cc=tytso@mit.edu \
--cc=vcaputo@pengaru.com \
--cc=w@1wt.eu \
--cc=zachary@baishancloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.