[PATCH] crypto: drbg - use pragmas for disabling optimization

[PATCH] crypto: drbg - use pragmas for disabling optimization

[Stephan Mueller]

Hi,

I performed measurements of the upper and lower boundary of the minimum and
Shannon entropy for the RNG before the patch and after the patch. The values
are very similar which demonstrates that the change does not affect the
cryptographic characteristics of the RNG.

The tests are available at:

[1] shows the lower boundary of the fully non-optimized RNG

[2] shows the lower boundary of the RNG with the patch below

[3] shows the upper boundary of the fully non-optimized RNG

[4] shows the upper boundary of the RNG with the patch below

The pictures are fully explained in [5], but the key values are the minimum
and Shannon entropy numbers in the legend of the graphs.
 
[1] http://www.eperm.de/userspace-foldtime-testO0.data-single-time-dist-delta-3036-hist.pdf

[2] http://www.eperm.de/userspace-foldtime-test-pragmas-O2.data-single-time-dist-delta-2370-hist.pdf

[3] http://www.eperm.de/userspace-foldtime-testO0.data-varying-time-dist-delta-7302-hist.pdf

[4] http://www.eperm.de/userspace-foldtime-test-pragmas-O2.data-varying-time-dist-delta-7055-hist.pdf

[5] http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf

---8<---
Replace the global -O0 compiler flag from the Makefile with GCC
pragmas to mark only the functions required to be compiled without
optimizations.

This patch also adds a comment describing the rationale for the
functions chosen to be compiled without optimizations.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/Makefile        |  1 -
 crypto/jitterentropy.c | 30 ++++++++++++++++++++++++++----
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/crypto/Makefile b/crypto/Makefile
index 83b3c44..c842035 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -97,7 +97,6 @@ obj-$(CONFIG_CRYPTO_842) += 842.o
 obj-$(CONFIG_CRYPTO_RNG2) += rng.o
 obj-$(CONFIG_CRYPTO_ANSI_CPRNG) += ansi_cprng.o
 obj-$(CONFIG_CRYPTO_DRBG) += drbg.o
-CFLAGS_jitterentropy.o = -O0
 obj-$(CONFIG_CRYPTO_JITTERENTROPY) += jitterentropy.o
 obj-$(CONFIG_CRYPTO_TEST) += tcrypt.o
 obj-$(CONFIG_CRYPTO_GHASH) += ghash-generic.o
diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
index 20dc178..9ba99e6 100644
--- a/crypto/jitterentropy.c
+++ b/crypto/jitterentropy.c
@@ -57,10 +57,6 @@
 #include <linux/crypto.h>
 #include <crypto/internal/rng.h>
 
-#ifdef __OPTIMIZE__
- #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c."
-#endif
-
 /* The entropy pool */
 struct rand_data {
 	/* all data values that are vital to maintain the security
@@ -188,6 +184,20 @@ static __u64 jent_loop_shuffle(struct rand_data *ec,
  * Noise sources
  ***************************************************************************/
 
+/*
+ * The disabling of the optimizations is performed as documented and assessed
+ * thoroughly in http://www.chronox.de/jent.html. However, instead of disabling
+ * the optimization of the entire C file, only the main functions the jitter is
+ * measured for are not optimized. These functions include the noise sources as
+ * well as the main functions triggering the noise sources. As the time
+ * measurement is done from one invocation of the jitter noise source to the
+ * next, even the execution jitter of the code invoking the noise sources
+ * contribute to the overall randomness as well. The behavior of the RNG and the
+ * statistical characteristics when only the mentioned functions are not
+ * optimized is almost equal to the a completely non-optimized RNG compilation
+ * as tested with the test tools provided at the initially mentioned web site.
+ */
+
 /**
  * CPU Jitter noise source -- this is the noise source based on the CPU
  *			      execution time jitter
@@ -222,6 +232,8 @@ static __u64 jent_loop_shuffle(struct rand_data *ec,
  *
  * @return Number of loops the folding operation is performed
  */
+#pragma GCC push_options
+#pragma GCC optimize ("-O0")
 static __u64 jent_fold_time(struct rand_data *ec, __u64 time,
 			    __u64 *folded, __u64 loop_cnt)
 {
@@ -251,6 +263,7 @@ static __u64 jent_fold_time(struct rand_data *ec, __u64 time,
 	*folded = new;
 	return fold_loop_cnt;
 }
+#pragma GCC pop_options
 
 /**
  * Memory Access noise source -- this is a noise source based on variations in
@@ -279,6 +292,8 @@ static __u64 jent_fold_time(struct rand_data *ec, __u64 time,
  *
  * @return Number of memory access operations
  */
+#pragma GCC push_options
+#pragma GCC optimize ("-O0")
 static unsigned int jent_memaccess(struct rand_data *ec, __u64 loop_cnt)
 {
 	unsigned char *tmpval = NULL;
@@ -318,6 +333,7 @@ static unsigned int jent_memaccess(struct rand_data *ec, __u64 loop_cnt)
 	}
 	return i;
 }
+#pragma GCC pop_options
 
 /***************************************************************************
  * Start of entropy processing logic
@@ -366,6 +382,8 @@ static void jent_stuck(struct rand_data *ec, __u64 current_delta)
  *
  * @return One random bit
  */
+#pragma GCC push_options
+#pragma GCC optimize ("-O0")
 static __u64 jent_measure_jitter(struct rand_data *ec)
 {
 	__u64 time = 0;
@@ -395,6 +413,7 @@ static __u64 jent_measure_jitter(struct rand_data *ec)
 
 	return data;
 }
+#pragma GCC pop_options
 
 /**
  * Von Neuman unbias as explained in RFC 4086 section 4.2. As shown in the
@@ -495,6 +514,8 @@ static void jent_stir_pool(struct rand_data *entropy_collector)
  * Input:
  * @ec Reference to entropy collector
  */
+#pragma GCC push_options
+#pragma GCC optimize ("-O0")
 static void jent_gen_entropy(struct rand_data *ec)
 {
 	unsigned int k = 0;
@@ -556,6 +577,7 @@ static void jent_gen_entropy(struct rand_data *ec)
 	if (ec->stir)
 		jent_stir_pool(ec);
 }
+#pragma GCC pop_options
 
 /**
  * The continuous test required by FIPS 140-2 -- the function automatically
-- 
2.4.2

Re: [PATCH] crypto: drbg - use pragmas for disabling optimization

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 613 bytes --]

Hi Stephan,

On Tue, 09 Jun 2015 04:08:49 +0200 Stephan Mueller <smueller@chronox.de> wrote:
>
> Replace the global -O0 compiler flag from the Makefile with GCC
> pragmas to mark only the functions required to be compiled without
> optimizations.
> 
> This patch also adds a comment describing the rationale for the
> functions chosen to be compiled without optimizations.
> 
> Signed-off-by: Stephan Mueller <smueller@chronox.de>

I will add this as a fix patch to the crypto tree merge today (unless
someone yells at me).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH] crypto: drbg - use pragmas for disabling optimization

[Guenter Roeck]

On 06/08/2015 07:08 PM, Stephan Mueller wrote:
> Hi,
>
> I performed measurements of the upper and lower boundary of the minimum and
> Shannon entropy for the RNG before the patch and after the patch. The values
> are very similar which demonstrates that the change does not affect the
> cryptographic characteristics of the RNG.
>
> The tests are available at:
>
> [1] shows the lower boundary of the fully non-optimized RNG
>
> [2] shows the lower boundary of the RNG with the patch below
>
> [3] shows the upper boundary of the fully non-optimized RNG
>
> [4] shows the upper boundary of the RNG with the patch below
>
> The pictures are fully explained in [5], but the key values are the minimum
> and Shannon entropy numbers in the legend of the graphs.
>
> [1] http://www.eperm.de/userspace-foldtime-testO0.data-single-time-dist-delta-3036-hist.pdf
>
> [2] http://www.eperm.de/userspace-foldtime-test-pragmas-O2.data-single-time-dist-delta-2370-hist.pdf
>
> [3] http://www.eperm.de/userspace-foldtime-testO0.data-varying-time-dist-delta-7302-hist.pdf
>
> [4] http://www.eperm.de/userspace-foldtime-test-pragmas-O2.data-varying-time-dist-delta-7055-hist.pdf
>
> [5] http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf
>
> ---8<---
> Replace the global -O0 compiler flag from the Makefile with GCC
> pragmas to mark only the functions required to be compiled without
> optimizations.
>
> This patch also adds a comment describing the rationale for the
> functions chosen to be compiled without optimizations.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>

With openrisc, I get:

   CC [M]  crypto/jitterentropy.o
crypto/jitterentropy.c:266:9: warning: #pragma GCC target is not supported for this machine

which may not be perfect, but is better than a compile error ;-).

nios2 still fails to build with

ERROR: "get_cycles" [crypto/jitterentropy.ko] undefined!

Guenter

nios2: Export get_cycles

[Herbert Xu]

On Mon, Jun 08, 2015 at 09:31:54PM -0700, Guenter Roeck wrote:
> 
> nios2 still fails to build with
> 
> ERROR: "get_cycles" [crypto/jitterentropy.ko] undefined!

It's the only arch that doesn't inline get_cycles and doesn't
export it.

---8<---
nios2 is the only architecture that does not inline get_cycles
and does not export it.  This breaks crypto as it uses get_cycles
in a number of modules.

Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/arch/nios2/kernel/time.c b/arch/nios2/kernel/time.c
index 7f45474..be186a7 100644
--- a/arch/nios2/kernel/time.c
+++ b/arch/nios2/kernel/time.c
@@ -8,6 +8,7 @@
  * for more details.
  */
 
+#include <linux/export.h>
 #include <linux/interrupt.h>
 #include <linux/clockchips.h>
 #include <linux/clocksource.h>
@@ -106,6 +107,7 @@ cycles_t get_cycles(void)
 {
 	return nios2_timer_read(&nios2_cs.cs);
 }
+EXPORT_SYMBOL(get_cycles);
 
 static void nios2_timer_start(struct nios2_timer *timer)
 {
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: nios2: Export get_cycles

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 834 bytes --]

Hi Herbert,

On Tue, 9 Jun 2015 12:46:46 +0800 Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> On Mon, Jun 08, 2015 at 09:31:54PM -0700, Guenter Roeck wrote:
> > 
> > nios2 still fails to build with
> > 
> > ERROR: "get_cycles" [crypto/jitterentropy.ko] undefined!
> 
> It's the only arch that doesn't inline get_cycles and doesn't
> export it.
> 
> ---8<---
> nios2 is the only architecture that does not inline get_cycles
> and does not export it.  This breaks crypto as it uses get_cycles
> in a number of modules.
> 
> Reported-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Also added into linux-next today.

I am assuming that they will turn up in the crypto tree soon(ish).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: nios2: Export get_cycles

[Herbert Xu]

On Tue, Jun 09, 2015 at 03:19:32PM +1000, Stephen Rothwell wrote:
> Hi Herbert,
> 
> On Tue, 9 Jun 2015 12:46:46 +0800 Herbert Xu <herbert@gondor.apana.org.au> wrote:
> >
> > On Mon, Jun 08, 2015 at 09:31:54PM -0700, Guenter Roeck wrote:
> > > 
> > > nios2 still fails to build with
> > > 
> > > ERROR: "get_cycles" [crypto/jitterentropy.ko] undefined!
> > 
> > It's the only arch that doesn't inline get_cycles and doesn't
> > export it.
> > 
> > ---8<---
> > nios2 is the only architecture that does not inline get_cycles
> > and does not export it.  This breaks crypto as it uses get_cycles
> > in a number of modules.
> > 
> > Reported-by: Guenter Roeck <linux@roeck-us.net>
> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> Also added into linux-next today.
> 
> I am assuming that they will turn up in the crypto tree soon(ish).

Yes I'll be adding them to cryptodev.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: drbg - use pragmas for disabling optimization

[Herbert Xu]

On Tue, Jun 09, 2015 at 04:08:49AM +0200, Stephan Mueller wrote:
>
> Replace the global -O0 compiler flag from the Makefile with GCC
> pragmas to mark only the functions required to be compiled without
> optimizations.
> 
> This patch also adds a comment describing the rationale for the
> functions chosen to be compiled without optimizations.
> 
> Signed-off-by: Stephan Mueller <smueller@chronox.de>

Patch applied.  Thanks Stephan!
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt