From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 10F9AC4332F for ; Thu, 14 Apr 2022 09:27:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240665AbiDNJaB (ORCPT ); Thu, 14 Apr 2022 05:30:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55916 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229733AbiDNJ37 (ORCPT ); Thu, 14 Apr 2022 05:29:59 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94EAD50E2A; Thu, 14 Apr 2022 02:27:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8F56861CB7; Thu, 14 Apr 2022 09:27:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F941C385A1; Thu, 14 Apr 2022 09:27:29 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="iCKw8U+B" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1649928448; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=jitaCCQ2e/PpJGSBhLHWsevtZEgEekS1b3Wk73klyKA=; b=iCKw8U+BX0unZDHdCqu1WEQPpDnLVael4IDVYgWvfW7w0XcoPFz96Q+X7Oh/HXcBDfoQgf relkkKJiqLUs0hWWbJBeLDEdKmFO5iYlsrmp12SxDsveaByJUqA4gI9QfV6k/NrhryczGl YX1t4UDjk8/egPtL7ZCNgWMOfE4aDFg= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id ff3c9dc5 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Thu, 14 Apr 2022 09:27:27 +0000 (UTC) Date: Thu, 14 Apr 2022 11:27:22 +0200 From: "Jason A. Donenfeld" To: "Maciej W. Rozycki" Cc: Thomas Bogendoerfer , LKML , Linux Crypto Mailing List , Thomas Gleixner , Arnd Bergmann , Theodore Ts'o , Dominik Brodowski , Russell King , Catalin Marinas , Will Deacon , Geert Uytterhoeven , Paul Walmsley , Palmer Dabbelt , Albert Ou , "David S . Miller" , Richard Weinberger , Anton Ivanov , Johannes Berg , Ingo Molnar , Borislav Petkov , Dave Hansen , "H . Peter Anvin" , Chris Zankel , Max Filippov , John Stultz , Stephen Boyd , Dinh Nguyen , linux-arm-kernel , linux-m68k , "open list:BROADCOM NVRAM DRIVER" , linux-riscv , sparclinux@vger.kernel.org, linux-um@lists.infradead.org, X86 ML , linux-xtensa@linux-xtensa.org Subject: Re: [PATCH v4 04/11] mips: use fallback for random_get_entropy() instead of zero Message-ID: References: <20220413115411.21489-1-Jason@zx2c4.com> <20220413115411.21489-5-Jason@zx2c4.com> <20220413122546.GA11860@alpha.franken.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Maciej, On Thu, Apr 14, 2022 at 02:16:18AM +0100, Maciej W. Rozycki wrote: > Yes, for the relevant CPUs the range is 63-8 << 8 for R3k machines and > 47-0 (the lower bound can be higher if wired entries are used, which I > think we occasionally do) for R4k machines with a buggy CP0 counter. So > there are either 56 or up to 48 distinct CP0 Random register values. Ahh interesting, so it varies a bit, but it remains rather small. > It depends on the exact system. Some have a 32-bit high-resolution > counter in the chipset (arch/mips/kernel/csrc-ioasic.c) giving like 25MHz > resolution, some have nothing but jiffies. Alright, so there _are_ machines with no c0 cycles but with a good clock. Yet, 25MHz is still less than the cpu cycle, so this c0 random ORing trick remains useful perhaps. > It seems like a reasonable idea to me, but the details would have to be > sorted out, because where a chipset high-resolution counter is available > we want to factor it in, and otherwise we need to extract the right bits > from the CP0 Random register, either 13:8 for the R3k or 5:0 for the R4k. One thing we could do here that would seemingly cover all the cases without losing _that_ much would be: return (random_get_entropy_fallback() << 13) | ((1<<13) - read_c0_random()); Or in case the 13 turns out to be wrong on some hardware, we could mitigate the effect with: return (random_get_entropy_fallback() << 13) ^ ((1<<13) - read_c0_random()); As mentioned in the 1/xx patch of this series, random_get_entropy_fallback() should call the highest resolution thing. We then shave off the least-changing bits and stuff in the faster-changing bits from read_c0_random(). Then, in order to keep it counting up instead of down, we do the subtraction there. What do you think of this plan? Jason From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C8640C433F5 for ; Thu, 14 Apr 2022 09:28:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=GEZtoi7MWeGEf+0cTeYURZbboFq36TOwyT1l3mCo6hE=; b=LrbSA4bzkwrnsF NIlkdB6jb32zxuSzzEZeYbdDjkhwogam3VEehOD3m4Mx89mH1tJkP96YZngr4hYUw+IHSWSi6hvz6 o2Z+Spg4wPdSkPs1kIvgZxU7SshD75hDX1mGqGP8hGkZ8ImG+pAxn3SQAjQHQNGZGVRlFg0Ug4Xpj scvTv3ovaozn+hRfkYZB9F9pivebRmVOld/7Us5dYv5FXbFt3aTdrUDNvsa67XggrEPZ0HwJNQumh Q+ODfwdQTvHDfGLuH7xoBZMVqxGZTHexV2QPlmVScArS9yUnmPgqlcgSghnTBAkFjsaNfYyPWLWTn GxEiHY0ugLIvNnpii2hQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nevlW-004t3T-V1; Thu, 14 Apr 2022 09:27:50 +0000 Received: from dfw.source.kernel.org ([139.178.84.217]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nevlG-004sxV-T6; Thu, 14 Apr 2022 09:27:36 +0000 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8293D61CAB; Thu, 14 Apr 2022 09:27:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F941C385A1; Thu, 14 Apr 2022 09:27:29 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="iCKw8U+B" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1649928448; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=jitaCCQ2e/PpJGSBhLHWsevtZEgEekS1b3Wk73klyKA=; b=iCKw8U+BX0unZDHdCqu1WEQPpDnLVael4IDVYgWvfW7w0XcoPFz96Q+X7Oh/HXcBDfoQgf relkkKJiqLUs0hWWbJBeLDEdKmFO5iYlsrmp12SxDsveaByJUqA4gI9QfV6k/NrhryczGl YX1t4UDjk8/egPtL7ZCNgWMOfE4aDFg= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id ff3c9dc5 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Thu, 14 Apr 2022 09:27:27 +0000 (UTC) Date: Thu, 14 Apr 2022 11:27:22 +0200 From: "Jason A. Donenfeld" To: "Maciej W. Rozycki" Cc: Thomas Bogendoerfer , LKML , Linux Crypto Mailing List , Thomas Gleixner , Arnd Bergmann , Theodore Ts'o , Dominik Brodowski , Russell King , Catalin Marinas , Will Deacon , Geert Uytterhoeven , Paul Walmsley , Palmer Dabbelt , Albert Ou , "David S . Miller" , Richard Weinberger , Anton Ivanov , Johannes Berg , Ingo Molnar , Borislav Petkov , Dave Hansen , "H . Peter Anvin" , Chris Zankel , Max Filippov , John Stultz , Stephen Boyd , Dinh Nguyen , linux-arm-kernel , linux-m68k , "open list:BROADCOM NVRAM DRIVER" , linux-riscv , sparclinux@vger.kernel.org, linux-um@lists.infradead.org, X86 ML , linux-xtensa@linux-xtensa.org Subject: Re: [PATCH v4 04/11] mips: use fallback for random_get_entropy() instead of zero Message-ID: References: <20220413115411.21489-1-Jason@zx2c4.com> <20220413115411.21489-5-Jason@zx2c4.com> <20220413122546.GA11860@alpha.franken.de> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220414_022735_265604_85AF45B1 X-CRM114-Status: GOOD ( 21.16 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Hi Maciej, On Thu, Apr 14, 2022 at 02:16:18AM +0100, Maciej W. Rozycki wrote: > Yes, for the relevant CPUs the range is 63-8 << 8 for R3k machines and > 47-0 (the lower bound can be higher if wired entries are used, which I > think we occasionally do) for R4k machines with a buggy CP0 counter. So > there are either 56 or up to 48 distinct CP0 Random register values. Ahh interesting, so it varies a bit, but it remains rather small. > It depends on the exact system. Some have a 32-bit high-resolution > counter in the chipset (arch/mips/kernel/csrc-ioasic.c) giving like 25MHz > resolution, some have nothing but jiffies. Alright, so there _are_ machines with no c0 cycles but with a good clock. Yet, 25MHz is still less than the cpu cycle, so this c0 random ORing trick remains useful perhaps. > It seems like a reasonable idea to me, but the details would have to be > sorted out, because where a chipset high-resolution counter is available > we want to factor it in, and otherwise we need to extract the right bits > from the CP0 Random register, either 13:8 for the R3k or 5:0 for the R4k. One thing we could do here that would seemingly cover all the cases without losing _that_ much would be: return (random_get_entropy_fallback() << 13) | ((1<<13) - read_c0_random()); Or in case the 13 turns out to be wrong on some hardware, we could mitigate the effect with: return (random_get_entropy_fallback() << 13) ^ ((1<<13) - read_c0_random()); As mentioned in the 1/xx patch of this series, random_get_entropy_fallback() should call the highest resolution thing. We then shave off the least-changing bits and stuff in the faster-changing bits from read_c0_random(). Then, in order to keep it counting up instead of down, we do the subtraction there. What do you think of this plan? Jason _______________________________________________ linux-riscv mailing list linux-riscv@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-riscv From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1DF8FC433EF for ; Thu, 14 Apr 2022 09:28:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=un1XGllrZXdaUKY6CYVaVxnq44n7+IIUsB91tCStQD4=; b=akSr8nC8yL5z10 HGABunxD1l6G89X4X52u3jeIKNMZ/MbbRQpgJDGb3NT2A5U2jv7QO4CkKWSX1AiS8e41r+BXHjTkt JaTiSWlzyROZVe1FTd35abehhLMrjcjUY8ttjuePOuNucCDhFpWUgmIdyLh2MrC/5DbyLwpZNDICi 6SLdhe0gjSPifvWzSlDFrW1IHeYR8Q41RUa05uKyJ1KV1aKjyDB2/ReYP5XrcfrrylZi8qcTPoUZd 0l88nbewKYsFWjOTy/xdG7VCMzkLG0Sx5bpRZdLj2TQyKeR77Oe377bc/7hasQgr2EkDmaHmsZs3A 1iK3koLz438JQmz96Z8g==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nevlK-004sz3-JR; Thu, 14 Apr 2022 09:27:38 +0000 Received: from dfw.source.kernel.org ([139.178.84.217]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nevlG-004sxV-T6; Thu, 14 Apr 2022 09:27:36 +0000 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8293D61CAB; Thu, 14 Apr 2022 09:27:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F941C385A1; Thu, 14 Apr 2022 09:27:29 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="iCKw8U+B" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1649928448; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=jitaCCQ2e/PpJGSBhLHWsevtZEgEekS1b3Wk73klyKA=; b=iCKw8U+BX0unZDHdCqu1WEQPpDnLVael4IDVYgWvfW7w0XcoPFz96Q+X7Oh/HXcBDfoQgf relkkKJiqLUs0hWWbJBeLDEdKmFO5iYlsrmp12SxDsveaByJUqA4gI9QfV6k/NrhryczGl YX1t4UDjk8/egPtL7ZCNgWMOfE4aDFg= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id ff3c9dc5 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Thu, 14 Apr 2022 09:27:27 +0000 (UTC) Date: Thu, 14 Apr 2022 11:27:22 +0200 From: "Jason A. Donenfeld" To: "Maciej W. Rozycki" Cc: Thomas Bogendoerfer , LKML , Linux Crypto Mailing List , Thomas Gleixner , Arnd Bergmann , Theodore Ts'o , Dominik Brodowski , Russell King , Catalin Marinas , Will Deacon , Geert Uytterhoeven , Paul Walmsley , Palmer Dabbelt , Albert Ou , "David S . Miller" , Richard Weinberger , Anton Ivanov , Johannes Berg , Ingo Molnar , Borislav Petkov , Dave Hansen , "H . Peter Anvin" , Chris Zankel , Max Filippov , John Stultz , Stephen Boyd , Dinh Nguyen , linux-arm-kernel , linux-m68k , "open list:BROADCOM NVRAM DRIVER" , linux-riscv , sparclinux@vger.kernel.org, linux-um@lists.infradead.org, X86 ML , linux-xtensa@linux-xtensa.org Subject: Re: [PATCH v4 04/11] mips: use fallback for random_get_entropy() instead of zero Message-ID: References: <20220413115411.21489-1-Jason@zx2c4.com> <20220413115411.21489-5-Jason@zx2c4.com> <20220413122546.GA11860@alpha.franken.de> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220414_022735_265604_85AF45B1 X-CRM114-Status: GOOD ( 21.16 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Hi Maciej, On Thu, Apr 14, 2022 at 02:16:18AM +0100, Maciej W. Rozycki wrote: > Yes, for the relevant CPUs the range is 63-8 << 8 for R3k machines and > 47-0 (the lower bound can be higher if wired entries are used, which I > think we occasionally do) for R4k machines with a buggy CP0 counter. So > there are either 56 or up to 48 distinct CP0 Random register values. Ahh interesting, so it varies a bit, but it remains rather small. > It depends on the exact system. Some have a 32-bit high-resolution > counter in the chipset (arch/mips/kernel/csrc-ioasic.c) giving like 25MHz > resolution, some have nothing but jiffies. Alright, so there _are_ machines with no c0 cycles but with a good clock. Yet, 25MHz is still less than the cpu cycle, so this c0 random ORing trick remains useful perhaps. > It seems like a reasonable idea to me, but the details would have to be > sorted out, because where a chipset high-resolution counter is available > we want to factor it in, and otherwise we need to extract the right bits > from the CP0 Random register, either 13:8 for the R3k or 5:0 for the R4k. One thing we could do here that would seemingly cover all the cases without losing _that_ much would be: return (random_get_entropy_fallback() << 13) | ((1<<13) - read_c0_random()); Or in case the 13 turns out to be wrong on some hardware, we could mitigate the effect with: return (random_get_entropy_fallback() << 13) ^ ((1<<13) - read_c0_random()); As mentioned in the 1/xx patch of this series, random_get_entropy_fallback() should call the highest resolution thing. We then shave off the least-changing bits and stuff in the faster-changing bits from read_c0_random(). Then, in order to keep it counting up instead of down, we do the subtraction there. What do you think of this plan? Jason _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel