[PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Chris Peterson]

I know a new "pragmatic entropy accounting model" is in the works, but 
until then, this patch removes the network drivers' last few uses of 
theoretically-exploitable network entropy. Only 11 net drivers are 
affected. Headless servers should use a more secure source of entropy, 
such as the userspace daemons.

Signed-off-by: Chris Peterson <cpeterso@cpeterso.com>
---
 diff --git 
a/drivers/net/3c523.c b/drivers/net/3c523.c index 8f734d7..6e4e06d 100644
--- a/drivers/net/3c523.c
+++ b/drivers/net/3c523.c
@@ -288,7 +288,7 @@ static int elmc_open(struct net_device *dev)
 
 	elmc_id_attn586();	/* disable interrupts */
 
-	ret = request_irq(dev->irq, &elmc_interrupt, IRQF_SHARED | IRQF_SAMPLE_RANDOM,
+	ret = request_irq(dev->irq, &elmc_interrupt, IRQF_SHARED,
 			  dev->name, dev);
 	if (ret) {
 		printk(KERN_ERR "%s: couldn't get irq %d\n", dev->name, dev->irq);
diff --git a/drivers/net/3c527.c b/drivers/net/3c527.c
index b61073c..8161893 100644
--- a/drivers/net/3c527.c
+++ b/drivers/net/3c527.c
@@ -444,7 +444,8 @@ static int __init mc32_probe1(struct net_device *dev, int slot)
 	 *	Grab the IRQ
 	 */
 
-	err = request_irq(dev->irq, &mc32_interrupt, IRQF_SHARED | IRQF_SAMPLE_RANDOM, DRV_NAME, dev);
+	err = request_irq(dev->irq, &mc32_interrupt,
+					  IRQF_SHARED, DRV_NAME, dev);
 	if (err) {
 		release_region(dev->base_addr, MC32_IO_EXTENT);
 		printk(KERN_ERR "%s: unable to get IRQ %d.\n", DRV_NAME, dev->irq);
diff --git a/drivers/net/atlx/atl1.c b/drivers/net/atlx/atl1.c
index 0ab2254..f4bf486 100644
--- a/drivers/net/atlx/atl1.c
+++ b/drivers/net/atlx/atl1.c
@@ -2567,7 +2567,7 @@ static s32 atl1_up(struct atl1_adapter *adapter)
 {
 	struct net_device *netdev = adapter->netdev;
 	int err;
-	int irq_flags = IRQF_SAMPLE_RANDOM;
+	int irq_flags = 0;
 
 	/* hardware has been reset, we need to reload some things */
 	atlx_set_multi(netdev);
diff --git a/drivers/net/cris/eth_v10.c b/drivers/net/cris/eth_v10.c
index 7a18dc7..d021875 100644
--- a/drivers/net/cris/eth_v10.c
+++ b/drivers/net/cris/eth_v10.c
@@ -494,7 +494,7 @@ e100_open(struct net_device *dev)
 	/* allocate the irq corresponding to the receiving DMA */
 
 	if (request_irq(NETWORK_DMA_RX_IRQ_NBR, e100rxtx_interrupt,
-			IRQF_SAMPLE_RANDOM, cardname, (void *)dev)) {
+			0, cardname, (void *)dev)) {
 		goto grace_exit0;
 	}
 
diff --git a/drivers/net/ibmlana.c b/drivers/net/ibmlana.c
index c25bc0b..4270e80 100644
--- a/drivers/net/ibmlana.c
+++ b/drivers/net/ibmlana.c
@@ -782,7 +782,8 @@ static int ibmlana_open(struct net_device *dev)
 
 	/* register resources - only necessary for IRQ */
 
-	result = request_irq(priv->realirq, irq_handler, IRQF_SHARED | IRQF_SAMPLE_RANDOM, dev->name, dev);
+	result = request_irq(priv->realirq, irq_handler,
+						 IRQF_SHARED, dev->name, dev);
 	if (result != 0) {
 		printk(KERN_ERR "%s: failed to register irq %d\n", dev->name, dev->irq);
 		return result;
diff --git a/drivers/net/macb.c b/drivers/net/macb.c
index e82aee4..d4551b0 100644
--- a/drivers/net/macb.c
+++ b/drivers/net/macb.c
@@ -1162,8 +1162,7 @@ static int __init macb_probe(struct platform_device *pdev)
 	}
 
 	dev->irq = platform_get_irq(pdev, 0);
-	err = request_irq(dev->irq, macb_interrupt, IRQF_SAMPLE_RANDOM,
-			  dev->name, dev);
+	err = request_irq(dev->irq, macb_interrupt, 0, dev->name, dev);
 	if (err) {
 		printk(KERN_ERR
 		       "%s: Unable to request IRQ %d (error %d)\n",
diff --git a/drivers/net/netxen/netxen_nic_main.c b/drivers/net/netxen/netxen_nic_main.c
index aef7728..51985d9 100644
--- a/drivers/net/netxen/netxen_nic_main.c
+++ b/drivers/net/netxen/netxen_nic_main.c
@@ -722,7 +722,7 @@ netxen_nic_request_irq(struct netxen_adapter *adapter)
 	struct nx_host_sds_ring *sds_ring;
 	int err, ring;
 
-	unsigned long flags = IRQF_SAMPLE_RANDOM;
+	unsigned long flags = 0;
 	struct net_device *netdev = adapter->netdev;
 	struct netxen_recv_context *recv_ctx = &adapter->recv_ctx;
 
diff --git a/drivers/net/niu.c b/drivers/net/niu.c
index 2b17453..7db8b51 100644
--- a/drivers/net/niu.c
+++ b/drivers/net/niu.c
@@ -6068,8 +6068,7 @@ static int niu_request_irq(struct niu *np)
 		struct niu_ldg *lp = &np->ldg[i];
 
 		err = request_irq(lp->irq, niu_interrupt,
-				  IRQF_SHARED | IRQF_SAMPLE_RANDOM,
-				  np->irq_name[i], lp);
+				  IRQF_SHARED, np->irq_name[i], lp);
 		if (err)
 			goto out_free_irqs;
 
diff --git a/drivers/net/qla3xxx.c b/drivers/net/qla3xxx.c
index cadc32c..1c51178 100644
--- a/drivers/net/qla3xxx.c
+++ b/drivers/net/qla3xxx.c
@@ -3601,7 +3601,7 @@ static int ql_adapter_up(struct ql3_adapter *qdev)
 {
 	struct net_device *ndev = qdev->ndev;
 	int err;
-	unsigned long irq_flags = IRQF_SAMPLE_RANDOM | IRQF_SHARED;
+	unsigned long irq_flags = IRQF_SHARED;
 	unsigned long hw_flags;
 
 	if (ql_alloc_mem_resources(qdev)) {
diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
index 201be42..8b8c319 100644
--- a/drivers/net/tg3.c
+++ b/drivers/net/tg3.c
@@ -7556,12 +7556,12 @@ static int tg3_request_irq(struct tg3 *tp)
 		fn = tg3_msi;
 		if (tp->tg3_flags2 & TG3_FLG2_1SHOT_MSI)
 			fn = tg3_msi_1shot;
-		flags = IRQF_SAMPLE_RANDOM;
+		flags = 0;
 	} else {
 		fn = tg3_interrupt;
 		if (tp->tg3_flags & TG3_FLAG_TAGGED_STATUS)
 			fn = tg3_interrupt_tagged;
-		flags = IRQF_SHARED | IRQF_SAMPLE_RANDOM;
+		flags = IRQF_SHARED;
 	}
 	return (request_irq(tp->pdev->irq, fn, flags, dev->name, dev));
 }
@@ -7579,7 +7579,7 @@ static int tg3_test_interrupt(struct tg3 *tp)
 	free_irq(tp->pdev->irq, dev);
 
 	err = request_irq(tp->pdev->irq, tg3_test_isr,
-			  IRQF_SHARED | IRQF_SAMPLE_RANDOM, dev->name, dev);
+			  IRQF_SHARED, dev->name, dev);
 	if (err)
 		return err;
 
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index f673253..8a16bdf 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1381,8 +1381,7 @@ static int setup_netfront(struct xenbus_device *dev, struct netfront_info *info)
 		goto fail;
 
 	err = bind_evtchn_to_irqhandler(info->evtchn, xennet_interrupt,
-					IRQF_SAMPLE_RANDOM, netdev->name,
-					netdev);
+					0, netdev->name, netdev);
 	if (err < 0)
 		goto fail;
 	netdev->irq = err;

Re: [PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Matt Mackall]

On Wed, May 13, 2009 at 01:34:47AM -0400, Chris Peterson wrote:
> 
> I know a new "pragmatic entropy accounting model" is in the works, but 
> until then, this patch removes the network drivers' last few uses of 
> theoretically-exploitable network entropy. Only 11 net drivers are 
> affected. Headless servers should use a more secure source of entropy, 
> such as the userspace daemons.

Actually, I'd rather not do this.

I've instead become convinced that what /dev/random's entropy
accounting model is trying to achieve is not actually possible.
It requires:

a) a strict underestimate of entropy
b) from completely unobservable, uncontrollable sources
c) with no correlation to observable sources

If and only if we meet all three of those requirements for all entropy
sources can we actually reach the theoretical point where /dev/random
is actually distinct from /dev/urandom. 

Practically, we're nowhere close on any of those points. We have no
good model for estimating (a) for most sources, and almost all sources
are directly or indirectly observable or controllable to some degree.

Once we acknowledge that, it's easy to see that the right way forward
is not to aim for perfect, but instead to aim for really good. And
that means:

1) significantly more sampling sources with lower overhead
2) more defense in depth
3) working well on headless machines and with hardware RNG sources
4) simpler, more auditable code
5) never starving users

So while your current patch is 'correct' in the current theoretical
model (and one I've personally tried to push in the past), I think the
theoretical model itself needs to change and this is thus a step in
the wrong direction. The future model will continue to sample network
devices on theory that they -might- be less than 100% observable and
that can only increase our total (unmeasurable) amount of entropy.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Chris Peterson]

> The future model will continue to sample network
> devices on theory that they -might- be less than 100% observable and
> that can only increase our total (unmeasurable) amount of entropy.

That sounds reasonable to me. So should all net drivers now specify
IRQF_SAMPLE_RANDOM?

Or even simpler: could request_irq() assume IRQF_SAMPLE_RANDOM for any
interrupt that is not (say) IRQF_IRQPOLL or IRQF_PERCPU?

chris

Re: [PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Matt Mackall]

On Wed, May 13, 2009 at 12:17:29AM -0700, Chris Peterson wrote:
> > The future model will continue to sample network
> > devices on theory that they -might- be less than 100% observable and
> > that can only increase our total (unmeasurable) amount of entropy.
> 
> That sounds reasonable to me. So should all net drivers now specify
> IRQF_SAMPLE_RANDOM?
> 
> Or even simpler: could request_irq() assume IRQF_SAMPLE_RANDOM for any
> interrupt that is not (say) IRQF_IRQPOLL or IRQF_PERCPU?

Maybe. We don't want IRQ latency to suffer. So before we turn on
sampling of -all- sources, we need to make sampling lighter weight and
we need a way to say 'we have enough' so that we're not consuming CPU
when our pools are 'full'. We could turn it on now and rely on the
current trickle logic, but it's nice to have the water main off when
doing significant plumbing.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Jeff Garzik]

Matt Mackall wrote:
> On Wed, May 13, 2009 at 12:17:29AM -0700, Chris Peterson wrote:
>>> The future model will continue to sample network
>>> devices on theory that they -might- be less than 100% observable and
>>> that can only increase our total (unmeasurable) amount of entropy.
>> That sounds reasonable to me. So should all net drivers now specify
>> IRQF_SAMPLE_RANDOM?
>>
>> Or even simpler: could request_irq() assume IRQF_SAMPLE_RANDOM for any
>> interrupt that is not (say) IRQF_IRQPOLL or IRQF_PERCPU?
> 
> Maybe. We don't want IRQ latency to suffer. So before we turn on
> sampling of -all- sources, we need to make sampling lighter weight and
> we need a way to say 'we have enough' so that we're not consuming CPU
> when our pools are 'full'. We could turn it on now and rely on the
> current trickle logic, but it's nice to have the water main off when
> doing significant plumbing.

So, until such time, let's be consistent in net driver land and not 
IRQF_SAMPLE_RANDOM.

	Jeff

Re: [PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Matt Mackall]

On Wed, May 13, 2009 at 03:39:11PM -0400, Jeff Garzik wrote:
> Matt Mackall wrote:
> >On Wed, May 13, 2009 at 12:17:29AM -0700, Chris Peterson wrote:
> >>>The future model will continue to sample network
> >>>devices on theory that they -might- be less than 100% observable and
> >>>that can only increase our total (unmeasurable) amount of entropy.
> >>That sounds reasonable to me. So should all net drivers now specify
> >>IRQF_SAMPLE_RANDOM?
> >>
> >>Or even simpler: could request_irq() assume IRQF_SAMPLE_RANDOM for any
> >>interrupt that is not (say) IRQF_IRQPOLL or IRQF_PERCPU?
> >
> >Maybe. We don't want IRQ latency to suffer. So before we turn on
> >sampling of -all- sources, we need to make sampling lighter weight and
> >we need a way to say 'we have enough' so that we're not consuming CPU
> >when our pools are 'full'. We could turn it on now and rely on the
> >current trickle logic, but it's nice to have the water main off when
> >doing significant plumbing.
> 
> So, until such time, let's be consistent in net driver land and not 
> IRQF_SAMPLE_RANDOM.
> 
> 	Jeff

If you want. I was also looking to avoid the fight that happened when
I submitted an equivalent patch a couple years back.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Jeff Garzik]

Chris Peterson wrote:
> Remove network drivers' last few uses of theoretically-exploitable network
> entropy. Only 12 net drivers are affected. Headless boxes should use a
> more secure source of entropy, such as userspace daemons like rngd, 
> clrngd, audio_entropyd, and/or video_entroyd.
> 
> 
> Signed-off-by: Chris Peterson <cpeterso@cpeterso.com>

For what it's worth...  I'm keeping this patch in my 'hold' queue, 
mainly to see if anyone really puts up some major objections, or fuss.

I'm leaning towards applying it for 2.6.27...

	Jeff

[PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Chris Peterson]

Remove network drivers' last few uses of theoretically-exploitable network
entropy. Only 12 net drivers are affected. Headless boxes should use a
more secure source of entropy, such as userspace daemons like rngd, 
clrngd, audio_entropyd, and/or video_entroyd.


Signed-off-by: Chris Peterson <cpeterso@cpeterso.com>
---
diff -Naur linux-2.6.26-rc6.orig/drivers/net/3c523.c linux-2.6.26-rc6/drivers/net/3c523.c
--- linux-2.6.26-rc6.orig/drivers/net/3c523.c	2008-05-18 10:03:23.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/3c523.c	2008-06-13 22:14:54.000000000 -0700
@@ -289,8 +289,7 @@
 
 	elmc_id_attn586();	/* disable interrupts */
 
-	ret = request_irq(dev->irq, &elmc_interrupt, IRQF_SHARED | IRQF_SAMPLE_RANDOM,
-			  dev->name, dev);
+	ret = request_irq(dev->irq, &elmc_interrupt, IRQF_SHARED, dev->name, dev);
 	if (ret) {
 		printk(KERN_ERR "%s: couldn't get irq %d\n", dev->name, dev->irq);
 		elmc_id_reset586();
diff -Naur linux-2.6.26-rc6.orig/drivers/net/3c527.c linux-2.6.26-rc6/drivers/net/3c527.c
--- linux-2.6.26-rc6.orig/drivers/net/3c527.c	2008-06-12 23:51:32.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/3c527.c	2008-06-13 22:14:54.000000000 -0700
@@ -434,7 +434,7 @@
 	 *	Grab the IRQ
 	 */
 
-	err = request_irq(dev->irq, &mc32_interrupt, IRQF_SHARED | IRQF_SAMPLE_RANDOM, DRV_NAME, dev);
+	err = request_irq(dev->irq, &mc32_interrupt, IRQF_SHARED, DRV_NAME, dev);
 	if (err) {
 		release_region(dev->base_addr, MC32_IO_EXTENT);
 		printk(KERN_ERR "%s: unable to get IRQ %d.\n", DRV_NAME, dev->irq);
diff -Naur linux-2.6.26-rc6.orig/drivers/net/atlx/atl1.c linux-2.6.26-rc6/drivers/net/atlx/atl1.c
--- linux-2.6.26-rc6.orig/drivers/net/atlx/atl1.c	2008-06-12 23:51:33.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/atlx/atl1.c	2008-06-13 22:14:54.000000000 -0700
@@ -2595,7 +2595,7 @@
 {
 	struct net_device *netdev = adapter->netdev;
 	int err;
-	int irq_flags = IRQF_SAMPLE_RANDOM;
+	int irq_flags = 0;
 
 	/* hardware has been reset, we need to reload some things */
 	atlx_set_multi(netdev);
diff -Naur linux-2.6.26-rc6.orig/drivers/net/cris/eth_v10.c linux-2.6.26-rc6/drivers/net/cris/eth_v10.c
--- linux-2.6.26-rc6.orig/drivers/net/cris/eth_v10.c	2008-05-18 10:03:34.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/cris/eth_v10.c	2008-06-13 22:14:54.000000000 -0700
@@ -490,7 +490,7 @@
 	/* allocate the irq corresponding to the receiving DMA */
 
 	if (request_irq(NETWORK_DMA_RX_IRQ_NBR, e100rxtx_interrupt,
-			IRQF_SAMPLE_RANDOM, cardname, (void *)dev)) {
+			0, cardname, (void *)dev)) {
 		goto grace_exit0;
 	}
 
diff -Naur linux-2.6.26-rc6.orig/drivers/net/ibmlana.c linux-2.6.26-rc6/drivers/net/ibmlana.c
--- linux-2.6.26-rc6.orig/drivers/net/ibmlana.c	2008-05-18 10:03:41.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/ibmlana.c	2008-06-13 22:14:54.000000000 -0700
@@ -783,7 +783,7 @@
 
 	/* register resources - only necessary for IRQ */
 
-	result = request_irq(priv->realirq, irq_handler, IRQF_SHARED | IRQF_SAMPLE_RANDOM, dev->name, dev);
+	result = request_irq(priv->realirq, irq_handler, IRQF_SHARED, dev->name, dev);
 	if (result != 0) {
 		printk(KERN_ERR "%s: failed to register irq %d\n", dev->name, dev->irq);
 		return result;
diff -Naur linux-2.6.26-rc6.orig/drivers/net/macb.c linux-2.6.26-rc6/drivers/net/macb.c
--- linux-2.6.26-rc6.orig/drivers/net/macb.c	2008-06-12 23:51:45.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/macb.c	2008-06-13 22:14:54.000000000 -0700
@@ -1151,8 +1151,7 @@
 	}
 
 	dev->irq = platform_get_irq(pdev, 0);
-	err = request_irq(dev->irq, macb_interrupt, IRQF_SAMPLE_RANDOM,
-			  dev->name, dev);
+	err = request_irq(dev->irq, macb_interrupt, 0, dev->name, dev);
 	if (err) {
 		printk(KERN_ERR
 		       "%s: Unable to request IRQ %d (error %d)\n",
diff -Naur linux-2.6.26-rc6.orig/drivers/net/mv643xx_eth.c linux-2.6.26-rc6/drivers/net/mv643xx_eth.c
--- linux-2.6.26-rc6.orig/drivers/net/mv643xx_eth.c	2008-06-12 23:51:46.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/mv643xx_eth.c	2008-06-13 22:14:54.000000000 -0700
@@ -1329,7 +1329,7 @@
 	rdl(mp, INTERRUPT_CAUSE_EXTEND_REG(port_num));
 
 	err = request_irq(dev->irq, mv643xx_eth_int_handler,
-			IRQF_SHARED | IRQF_SAMPLE_RANDOM, dev->name, dev);
+			IRQF_SHARED, dev->name, dev);
 	if (err) {
 		printk(KERN_ERR "%s: Can not assign IRQ\n", dev->name);
 		return -EAGAIN;
diff -Naur linux-2.6.26-rc6.orig/drivers/net/netxen/netxen_nic_main.c linux-2.6.26-rc6/drivers/net/netxen/netxen_nic_main.c
--- linux-2.6.26-rc6.orig/drivers/net/netxen/netxen_nic_main.c	2008-06-12 23:51:46.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/netxen/netxen_nic_main.c	2008-06-13 22:14:54.000000000 -0700
@@ -838,7 +838,7 @@
 	int err = 0;
 	int ctx, ring;
 	irq_handler_t handler;
-	unsigned long flags = IRQF_SAMPLE_RANDOM;
+	unsigned long flags = 0;
 
 	if (adapter->is_up != NETXEN_ADAPTER_UP_MAGIC) {
 		err = netxen_init_firmware(adapter);
diff -Naur linux-2.6.26-rc6.orig/drivers/net/niu.c linux-2.6.26-rc6/drivers/net/niu.c
--- linux-2.6.26-rc6.orig/drivers/net/niu.c	2008-06-12 23:51:47.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/niu.c	2008-06-13 22:14:54.000000000 -0700
@@ -5599,8 +5599,7 @@
 		struct niu_ldg *lp = &np->ldg[i];
 
 		err = request_irq(lp->irq, niu_interrupt,
-				  IRQF_SHARED | IRQF_SAMPLE_RANDOM,
-				  np->dev->name, lp);
+				  IRQF_SHARED, np->dev->name, lp);
 		if (err)
 			goto out_free_irqs;
 
diff -Naur linux-2.6.26-rc6.orig/drivers/net/qla3xxx.c linux-2.6.26-rc6/drivers/net/qla3xxx.c
--- linux-2.6.26-rc6.orig/drivers/net/qla3xxx.c	2008-06-12 23:51:49.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/qla3xxx.c	2008-06-13 22:14:54.000000000 -0700
@@ -3618,7 +3618,7 @@
 {
 	struct net_device *ndev = qdev->ndev;
 	int err;
-	unsigned long irq_flags = IRQF_SAMPLE_RANDOM | IRQF_SHARED;
+	unsigned long irq_flags = IRQF_SHARED;
 	unsigned long hw_flags;
 
 	if (ql_alloc_mem_resources(qdev)) {
diff -Naur linux-2.6.26-rc6.orig/drivers/net/tg3.c linux-2.6.26-rc6/drivers/net/tg3.c
--- linux-2.6.26-rc6.orig/drivers/net/tg3.c	2008-06-12 23:51:57.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/tg3.c	2008-06-13 22:14:54.000000000 -0700
@@ -7510,12 +7510,12 @@
 		fn = tg3_msi;
 		if (tp->tg3_flags2 & TG3_FLG2_1SHOT_MSI)
 			fn = tg3_msi_1shot;
-		flags = IRQF_SAMPLE_RANDOM;
+		flags = 0;
 	} else {
 		fn = tg3_interrupt;
 		if (tp->tg3_flags & TG3_FLAG_TAGGED_STATUS)
 			fn = tg3_interrupt_tagged;
-		flags = IRQF_SHARED | IRQF_SAMPLE_RANDOM;
+		flags = IRQF_SHARED;
 	}
 	return (request_irq(tp->pdev->irq, fn, flags, dev->name, dev));
 }
@@ -7533,7 +7533,7 @@
 	free_irq(tp->pdev->irq, dev);
 
 	err = request_irq(tp->pdev->irq, tg3_test_isr,
-			  IRQF_SHARED | IRQF_SAMPLE_RANDOM, dev->name, dev);
+			  IRQF_SHARED, dev->name, dev);
 	if (err)
 		return err;
 
diff -Naur linux-2.6.26-rc6.orig/drivers/net/xen-netfront.c linux-2.6.26-rc6/drivers/net/xen-netfront.c
--- linux-2.6.26-rc6.orig/drivers/net/xen-netfront.c	2008-06-12 23:52:17.000000000 -0700
+++ linux-2.6.26-rc6/drivers/net/xen-netfront.c	2008-06-13 22:14:54.000000000 -0700
@@ -1361,8 +1361,7 @@
 		goto fail;
 
 	err = bind_evtchn_to_irqhandler(info->evtchn, xennet_interrupt,
-					IRQF_SAMPLE_RANDOM, netdev->name,
-					netdev);
+					0, netdev->name, netdev);
 	if (err < 0)
 		goto fail;
 	netdev->irq = err;

Re: [PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Martin Wilck]

Chris Peterson wrote:

> Remove network drivers' last few uses of theoretically-exploitable network 
> entropy. Only 12 net drivers are affected. Headless boxes should use a 
> more secure source of entropy, such as the userspace daemons rngd, clrngd, 
> egd, audio_entropyd, and/or video_entroyd.

I don't think that consensus has been reached on this subject yet. 
Re-reading this thread, it's obvious that there are two camps with 
conflicting opinions all the way through the community. Very little has 
changed since the debate in 2006.

Those who are in favor of this patch argue that random data from 
/dev/random must be absolutely, truly cryptographically reliable. That's 
fine as a concept, but it is not even remotely realistic in many 
real-world systems.

Think about disk randomness in times where more and more disks don't 
have mechanical heads. Think about caching RAID controllers, solid state 
disks, virtual disks, even iSCSI volumes! In general, modern "disks" are 
no more reliable as entropy source than network interfaces.

Either the low-level driver (knowing the actual hardware) must decide 
whether or not a device is a suitable source of randomness, or better 
even, the admin must judge that from his knowledge of the actual situation.

To make /dev/random truly solid, all devices that currently contribute 
entropy must be re-scrutinized. Whether or not they really generate 
entropy should be made configurable for administrators, this is a matter 
of policy, not an a-priory property of a device class. It should be an 
individual device property - some SCSI disks in a system may be 
considered reliable and others not, and the same would hold for network 
devices.

In the meantime, while /dev/random isn't what it's supposed to be, I 
pledge to keep IRQF_SAMPLE_RANDOM for network devices, or at least, make 
at a configurable option for headless systems.

egd, etc. are not an adequate replacement for network-generated 
randomness. They either use /dev/hw_random, which is only available on a 
few machines, or system statistics which can hardly count as "random 
noise". On the contrary, the statistics are 100% deterministic if the 
initial system state is known. The only way such data can become 
non-deterministic is through user or network input. User input is not 
available in the scenario we're talking about, and well - network input 
should't count, should it? It's not a proof if such data passes the FIPE 
or diehard tests. These tests are statistical and would be passed by 
totally deterministic data such as the sequence of digits of Pi.

Whatever comes out of this discussion, it's most important that some 
sort of consensus is reached that user space can rely on. The current 
situation is just inconsistent and confusing. I that sense, Chris' patch 
is good because it at least removes the inconsistency between network 
drivers. But I'd only find it acceptable as the first part of a patch 
series that tackles the complete entropy-generation infrastructure.

Regards
Martin

Re: [PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Alan Cox]

On Wed, 28 May 2008 23:23:26 -0700 (PDT)
Chris Peterson <cpeterso@cpeterso.com> wrote:

> 
> Remove network drivers' last few uses of theoretically-exploitable network 
> entropy. Only 12 net drivers are affected. Headless boxes should use a 
> more secure source of entropy, such as the userspace daemons rngd, clrngd, 
> egd, audio_entropyd, and/or video_entroyd.
> 
> I'm also thinking about writing a "Frankenstein" daemon that combines the 
> entropy-collecting algorithms from those daemons into one. Whereas rngd 
> only uses /dev/hw_random, my hypothetical daemon would make a best effort 
> attempt: use /dev/hw_random if it exists, otherwise fallback (or use in 
> addition) the other entropy sources.
> 
> 
> Signed-off-by: Chris Peterson <cpeterso@cpeterso.com>

Acked-by: Alan Cox <alan@redhat.com>

[PATCH] [resend] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

[Chris Peterson]

Remove network drivers' last few uses of theoretically-exploitable network 
entropy. Only 12 net drivers are affected. Headless boxes should use a 
more secure source of entropy, such as the userspace daemons rngd, clrngd, 
egd, audio_entropyd, and/or video_entroyd.

I'm also thinking about writing a "Frankenstein" daemon that combines the 
entropy-collecting algorithms from those daemons into one. Whereas rngd 
only uses /dev/hw_random, my hypothetical daemon would make a best effort 
attempt: use /dev/hw_random if it exists, otherwise fallback (or use in 
addition) the other entropy sources.


Signed-off-by: Chris Peterson <cpeterso@cpeterso.com>
---
diff -pruN linux-2.6.26-rc4.orig/drivers/net/3c523.c linux-2.6.26-rc4/drivers/net/3c523.c
--- linux-2.6.26-rc4.orig/drivers/net/3c523.c	2008-05-18 10:03:23.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/3c523.c	2008-05-27 21:44:23.000000000 -0700
@@ -289,8 +289,7 @@ static int elmc_open(struct net_device *
 
 	elmc_id_attn586();	/* disable interrupts */
 
-	ret = request_irq(dev->irq, &elmc_interrupt, IRQF_SHARED | IRQF_SAMPLE_RANDOM,
-			  dev->name, dev);
+	ret = request_irq(dev->irq, &elmc_interrupt, IRQF_SHARED, dev->name, dev);
 	if (ret) {
 		printk(KERN_ERR "%s: couldn't get irq %d\n", dev->name, dev->irq);
 		elmc_id_reset586();
diff -pruN linux-2.6.26-rc4.orig/drivers/net/3c527.c linux-2.6.26-rc4/drivers/net/3c527.c
--- linux-2.6.26-rc4.orig/drivers/net/3c527.c	2008-05-27 21:18:52.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/3c527.c	2008-05-27 21:44:23.000000000 -0700
@@ -434,7 +434,7 @@ static int __init mc32_probe1(struct net
 	 *	Grab the IRQ
 	 */
 
-	err = request_irq(dev->irq, &mc32_interrupt, IRQF_SHARED | IRQF_SAMPLE_RANDOM, DRV_NAME, dev);
+	err = request_irq(dev->irq, &mc32_interrupt, IRQF_SHARED, DRV_NAME, dev);
 	if (err) {
 		release_region(dev->base_addr, MC32_IO_EXTENT);
 		printk(KERN_ERR "%s: unable to get IRQ %d.\n", DRV_NAME, dev->irq);
diff -pruN linux-2.6.26-rc4.orig/drivers/net/atlx/atl1.c linux-2.6.26-rc4/drivers/net/atlx/atl1.c
--- linux-2.6.26-rc4.orig/drivers/net/atlx/atl1.c	2008-05-27 21:18:52.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/atlx/atl1.c	2008-05-27 21:44:23.000000000 -0700
@@ -2610,7 +2610,7 @@ static s32 atl1_up(struct atl1_adapter *
 {
 	struct net_device *netdev = adapter->netdev;
 	int err;
-	int irq_flags = IRQF_SAMPLE_RANDOM;
+	int irq_flags = 0;
 
 	/* hardware has been reset, we need to reload some things */
 	atlx_set_multi(netdev);
diff -pruN linux-2.6.26-rc4.orig/drivers/net/cris/eth_v10.c linux-2.6.26-rc4/drivers/net/cris/eth_v10.c
--- linux-2.6.26-rc4.orig/drivers/net/cris/eth_v10.c	2008-05-18 10:03:34.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/cris/eth_v10.c	2008-05-27 21:44:23.000000000 -0700
@@ -490,7 +490,7 @@ e100_open(struct net_device *dev)
 	/* allocate the irq corresponding to the receiving DMA */
 
 	if (request_irq(NETWORK_DMA_RX_IRQ_NBR, e100rxtx_interrupt,
-			IRQF_SAMPLE_RANDOM, cardname, (void *)dev)) {
+			0, cardname, (void *)dev)) {
 		goto grace_exit0;
 	}
 
diff -pruN linux-2.6.26-rc4.orig/drivers/net/ibmlana.c linux-2.6.26-rc4/drivers/net/ibmlana.c
--- linux-2.6.26-rc4.orig/drivers/net/ibmlana.c	2008-05-18 10:03:41.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/ibmlana.c	2008-05-27 21:44:23.000000000 -0700
@@ -783,7 +783,7 @@ static int ibmlana_open(struct net_devic
 
 	/* register resources - only necessary for IRQ */
 
-	result = request_irq(priv->realirq, irq_handler, IRQF_SHARED | IRQF_SAMPLE_RANDOM, dev->name, dev);
+	result = request_irq(priv->realirq, irq_handler, IRQF_SHARED, dev->name, dev);
 	if (result != 0) {
 		printk(KERN_ERR "%s: failed to register irq %d\n", dev->name, dev->irq);
 		return result;
diff -pruN linux-2.6.26-rc4.orig/drivers/net/macb.c linux-2.6.26-rc4/drivers/net/macb.c
--- linux-2.6.26-rc4.orig/drivers/net/macb.c	2008-05-27 21:19:39.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/macb.c	2008-05-27 21:44:23.000000000 -0700
@@ -1151,8 +1151,7 @@ static int __init macb_probe(struct plat
 	}
 
 	dev->irq = platform_get_irq(pdev, 0);
-	err = request_irq(dev->irq, macb_interrupt, IRQF_SAMPLE_RANDOM,
-			  dev->name, dev);
+	err = request_irq(dev->irq, macb_interrupt, 0, dev->name, dev);
 	if (err) {
 		printk(KERN_ERR
 		       "%s: Unable to request IRQ %d (error %d)\n",
diff -pruN linux-2.6.26-rc4.orig/drivers/net/mv643xx_eth.c linux-2.6.26-rc4/drivers/net/mv643xx_eth.c
--- linux-2.6.26-rc4.orig/drivers/net/mv643xx_eth.c	2008-05-27 21:19:39.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/mv643xx_eth.c	2008-05-27 21:44:23.000000000 -0700
@@ -1329,7 +1329,7 @@ static int mv643xx_eth_open(struct net_d
 	rdl(mp, INTERRUPT_CAUSE_EXTEND_REG(port_num));
 
 	err = request_irq(dev->irq, mv643xx_eth_int_handler,
-			IRQF_SHARED | IRQF_SAMPLE_RANDOM, dev->name, dev);
+			IRQF_SHARED, dev->name, dev);
 	if (err) {
 		printk(KERN_ERR "%s: Can not assign IRQ\n", dev->name);
 		return -EAGAIN;
diff -pruN linux-2.6.26-rc4.orig/drivers/net/netxen/netxen_nic_main.c linux-2.6.26-rc4/drivers/net/netxen/netxen_nic_main.c
--- linux-2.6.26-rc4.orig/drivers/net/netxen/netxen_nic_main.c	2008-05-27 21:19:39.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/netxen/netxen_nic_main.c	2008-05-27 21:44:23.000000000 -0700
@@ -838,7 +838,7 @@ static int netxen_nic_open(struct net_de
 	int err = 0;
 	int ctx, ring;
 	irq_handler_t handler;
-	unsigned long flags = IRQF_SAMPLE_RANDOM;
+	unsigned long flags = 0;
 
 	if (adapter->is_up != NETXEN_ADAPTER_UP_MAGIC) {
 		err = netxen_init_firmware(adapter);
diff -pruN linux-2.6.26-rc4.orig/drivers/net/niu.c linux-2.6.26-rc4/drivers/net/niu.c
--- linux-2.6.26-rc4.orig/drivers/net/niu.c	2008-05-27 21:19:39.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/niu.c	2008-05-27 21:44:23.000000000 -0700
@@ -5599,8 +5599,7 @@ static int niu_request_irq(struct niu *n
 		struct niu_ldg *lp = &np->ldg[i];
 
 		err = request_irq(lp->irq, niu_interrupt,
-				  IRQF_SHARED | IRQF_SAMPLE_RANDOM,
-				  np->dev->name, lp);
+				  IRQF_SHARED, np->dev->name, lp);
 		if (err)
 			goto out_free_irqs;
 
diff -pruN linux-2.6.26-rc4.orig/drivers/net/qla3xxx.c linux-2.6.26-rc4/drivers/net/qla3xxx.c
--- linux-2.6.26-rc4.orig/drivers/net/qla3xxx.c	2008-05-27 21:19:41.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/qla3xxx.c	2008-05-27 21:44:24.000000000 -0700
@@ -3618,7 +3618,7 @@ static int ql_adapter_up(struct ql3_adap
 {
 	struct net_device *ndev = qdev->ndev;
 	int err;
-	unsigned long irq_flags = IRQF_SAMPLE_RANDOM | IRQF_SHARED;
+	unsigned long irq_flags = IRQF_SHARED;
 	unsigned long hw_flags;
 
 	if (ql_alloc_mem_resources(qdev)) {
diff -pruN linux-2.6.26-rc4.orig/drivers/net/tg3.c linux-2.6.26-rc4/drivers/net/tg3.c
--- linux-2.6.26-rc4.orig/drivers/net/tg3.c	2008-05-27 21:19:51.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/tg3.c	2008-05-27 21:44:24.000000000 -0700
@@ -7496,12 +7496,12 @@ static int tg3_request_irq(struct tg3 *t
 		fn = tg3_msi;
 		if (tp->tg3_flags2 & TG3_FLG2_1SHOT_MSI)
 			fn = tg3_msi_1shot;
-		flags = IRQF_SAMPLE_RANDOM;
+		flags = 0;
 	} else {
 		fn = tg3_interrupt;
 		if (tp->tg3_flags & TG3_FLAG_TAGGED_STATUS)
 			fn = tg3_interrupt_tagged;
-		flags = IRQF_SHARED | IRQF_SAMPLE_RANDOM;
+		flags = IRQF_SHARED;
 	}
 	return (request_irq(tp->pdev->irq, fn, flags, dev->name, dev));
 }
@@ -7519,7 +7519,7 @@ static int tg3_test_interrupt(struct tg3
 	free_irq(tp->pdev->irq, dev);
 
 	err = request_irq(tp->pdev->irq, tg3_test_isr,
-			  IRQF_SHARED | IRQF_SAMPLE_RANDOM, dev->name, dev);
+			  IRQF_SHARED, dev->name, dev);
 	if (err)
 		return err;
 
diff -pruN linux-2.6.26-rc4.orig/drivers/net/xen-netfront.c linux-2.6.26-rc4/drivers/net/xen-netfront.c
--- linux-2.6.26-rc4.orig/drivers/net/xen-netfront.c	2008-05-27 21:19:53.000000000 -0700
+++ linux-2.6.26-rc4/drivers/net/xen-netfront.c	2008-05-27 21:44:24.000000000 -0700
@@ -1361,8 +1361,7 @@ static int setup_netfront(struct xenbus_
 		goto fail;
 
 	err = bind_evtchn_to_irqhandler(info->evtchn, xennet_interrupt,
-					IRQF_SAMPLE_RANDOM, netdev->name,
-					netdev);
+					0, netdev->name, netdev);
 	if (err < 0)
 		goto fail;
 	netdev->irq = err;