From: "Stephan Müller" <smueller@chronox.de> To: "Stephan Müller" <smueller@chronox.de> Cc: Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Linux Crypto Mailing List <linux-crypto@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>, Linux API <linux-api@vger.kernel.org>, "Eric W. Biederman" <ebiederm@xmission.com>, "Alexander E. Patrakov" <patrakov@gmail.com>, "Ahmed S. Darwish" <darwish.07@gmail.com>, "Theodore Y. Ts'o" <tytso@mit.edu>, Willy Tarreau <w@1wt.eu>, Matthew Garrett <mjg59@srcf.ucam.org>, Vito Caputo <vcaputo@pengaru.com>, Andreas Dilger <adilger.kernel@dilger.ca>, Jan Kara <jack@suse.cz>, Ray Strode <rstrode@redhat.com>, William Jon McCann <mccann@jhu.edu>, zhangjs <zachary@baishancloud.com>, Florian Weimer <fweimer@redhat.com>, Lennart Poettering <mzxreary@0pointer.de>, Nicolai Stange <nstange@suse.de>, "Peter, Matthias" <matthias.peter@bsi.bund.de>, Marcelo Henrique Cerri <marcelo.cerri@canonical.com>, Roman Drahtmueller <draht@schaltsekun.de>, Neil Horman <nhorman@redhat.com> Subject: Re: [PATCH v24 00/12] /dev/random - a new approach with full SP800-90B compliance Date: Wed, 13 Nov 2019 00:26:34 +0100 [thread overview] Message-ID: <1708605.HZ0Ruzqnhc@positron.chronox.de> (raw) In-Reply-To: <3282061.iY3hP4IT6m@positron.chronox.de> Am Mittwoch, 13. November 2019, 00:03:47 CET schrieb Stephan Müller: Hi Stephan, > Am Dienstag, 12. November 2019, 16:33:59 CET schrieb Andy Lutomirski: > > Hi Andy, > > > On Mon, Nov 11, 2019 at 11:13 AM Stephan Müller <smueller@chronox.de> wrote: > > > The following patch set provides a different approach to /dev/random > > > which > > > is called Linux Random Number Generator (LRNG) to collect entropy within > > > the Linux kernel. The main improvements compared to the existing > > > /dev/random is to provide sufficient entropy during boot time as well as > > > in virtual environments and when using SSDs. A secondary design goal is > > > to limit the impact of the entropy collection on massive parallel > > > systems > > > and also allow the use accelerated cryptographic primitives. Also, all > > > steps of the entropic data processing are testable. > > > > This is very nice! > > > > > The LRNG patch set allows a user to select use of the existing > > > /dev/random > > > or the LRNG during compile time. As the LRNG provides API and ABI > > > compatible interfaces to the existing /dev/random implementation, the > > > user can freely chose the RNG implementation without affecting kernel or > > > user space operations. > > > > > > This patch set provides early boot-time entropy which implies that no > > > additional flags to the getrandom(2) system call discussed recently on > > > the LKML is considered to be necessary. > > > > I'm uneasy about this. I fully believe that, *on x86*, this works. > > But on embedded systems with in-order CPUs, a single clock, and very > > lightweight boot processes, most or all of boot might be too > > deterministic for this to work. > > I agree that in such cases, my LRNG getrandom(2) would also block until the > LRNG thinks it collected 256 bits of entropy. However, I am under the > impression that the LRNG collects that entropy faster that the existing > /dev/ random implementation, even in this case. > > Nicolai is copied on this thread. He promised to have the LRNG tested on > such a minimalistic system that you describe. I hope he could contribute > some numbers from that test helping us to understand how much of a problem > we face. > > I have a somewhat competing patch set here: > > > > https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/log/?h=rand > > om /kill-it > > > > (Ignore the "horrible test hack" and the debugfs part.) > > > > The basic summary is that I change /dev/random so that it becomes > > functionally identical to getrandom(..., 0) -- in other words, it > > blocks until the CRNG is initialized but is then identical to > > /dev/urandom. > > This would be equal to the LRNG code without compiling the TRNG. > > > And I add getrandom(...., GRND_INSECURE) that is > > functionally identical to the existing /dev/urandom: it always returns > > *something* immediately, but it may or may not actually be > > cryptographically random or even random at all depending on system > > details. > > Ok, if it is suggested that getrandom(2) should also have a mode to behave > exactly like /dev/urandom by not waiting until it is fully seeded, I am > happy to add that. > > > In other words, my series simplifies the ABI that we support. Right > > now, we have three ways to ask for random numbers with different > > semantics and we need to have to RNGs in the kernel at all time. With > > my changes, we have only two ways to ask for random numbers, and the > > /dev/random pool is entirely gone. > > Again, I do not want to stand in the way of changing the ABI if this is the > agreed way. All I want to say is that the LRNG seemingly is initialized much > faster than the existing /dev/random. If this is not fast enough for some > embedded environments, I would not want to stand in the way to make their > life easier. > > > Would you be amenable to merging this into your series (i.e. either > > merging the code or just the ideas)? > > Absolutely. I would be happy to do that. > > Allow me to pull your code (I am currently behind a slow line) and review it > to see how best to integrate it. > > > This would let you get rid of > > things like the compile-time selection of the blocking TRNG, since the > > blocking TRNG would be entirely gone. > > Hm, I am not so sure we should do that. > > Allow me to explain: I am also collaborating on the European side with the > German BSI. They love /dev/random as it is a "NTG.1" RNG based on their AIS > 31 standard. > > In order to seed a deterministic RNG (like OpenSSL, GnuTLS, etc. which are > all defined to be "DRG.3" or "DRG.2"), BSI mandates that the seed source is > an NTG.1. > > By getting rid of the TRNG entirely and having /dev/random entirely behaving > like /dev/urandom or getrandom(2) without the GRND_RANDOM flag, the kernel > would "only" provide a "DRG.3" type RNG. This type of RNG would be > disallowed to seed another "DRG.3" or "DRG.2". > > In plain English that means that for BSI's requirements, if the TRNG is gone > there would be no native seed source on Linux any more that can satisfy the > requirement. This is the ultimate reason why I made the TRNG compile-time > selectable: to support embedded systems but also support use cases like the > BSI case. > > Please consider that I maintain a study over the last years for BSI trying > to ensure that the NTG.1 property is always met [1] [2]. The sole purpose > of that study is around this NTG.1. > > > Or do you think that a kernel-provided blocking TRNG is a genuinely > > useful thing to keep around? > > Yes, as I hope I explained it appropriately above, there are standardization > requirements that need the TRNG. > > PS: When I was forwarding Linus' email on eliminating the blocking_pool to > BSI, I saw unhappy faces. :-) > > I would like to help both sides here. > > [1] > https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/ > LinuxRNG/NTG1_Kerneltabelle_EN.pdf?__blob=publicationFile&v=3 > > [2] > https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/ > LinuxRNG/NTG1_Kerneltabelle_EN.pdf?__blob=publicationFile&v=3 Sorry, the copy did not work: [2] https://bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/ LinuxRNG/LinuxRNG_EN.pdf?__blob=publicationFile&v=16 > > Ciao > Stephan Ciao Stephan
next prev parent reply other threads:[~2019-11-12 23:27 UTC|newest] Thread overview: 162+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-11-11 18:17 Stephan Müller 2019-11-11 18:18 ` [PATCH v24 01/12] Linux Random Number Generator Stephan Müller 2019-11-11 23:54 ` Thomas Gleixner 2019-11-12 2:25 ` Stephan Müller 2019-11-12 10:16 ` Thomas Gleixner 2019-11-12 22:30 ` kbuild test robot 2019-11-12 23:15 ` Stephan Müller 2019-11-13 0:14 ` kbuild test robot 2019-11-13 0:25 ` Stephan Müller 2019-11-24 4:51 ` Sandy Harris 2019-11-24 9:02 ` Stephan Mueller 2019-11-11 18:19 ` [PATCH v24 02/12] LRNG - allocate one SDRNG instance per NUMA node Stephan Müller 2019-11-11 18:20 ` [PATCH v24 03/12] LRNG - /proc interface Stephan Müller 2019-11-11 18:20 ` [PATCH v24 04/12] LRNG - add switchable DRNG support Stephan Müller 2019-11-11 18:21 ` [PATCH v24 05/12] crypto: DRBG - externalize DRBG functions for LRNG Stephan Müller 2019-11-11 18:21 ` [PATCH v24 06/12] LRNG - add SP800-90A DRBG extension Stephan Müller 2019-11-11 18:22 ` [PATCH v24 07/12] LRNG - add kernel crypto API PRNG extension Stephan Müller 2019-11-11 18:23 ` [PATCH v24 08/12] crypto: provide access to a static Jitter RNG state Stephan Müller 2019-11-11 18:23 ` [PATCH v24 09/12] LRNG - add Jitter RNG fast noise source Stephan Müller 2019-11-11 18:24 ` [PATCH v24 10/12] LRNG - add TRNG support Stephan Müller 2019-11-11 18:26 ` [PATCH v24 11/12] LRNG - add SP800-90B compliant health tests Stephan Müller 2019-11-12 19:58 ` Alexander E. Patrakov 2019-11-12 23:11 ` Stephan Müller 2019-11-13 0:36 ` Stephan Müller 2019-11-13 6:02 ` Alexander E. Patrakov 2019-11-14 1:46 ` Stephan Müller 2019-11-11 18:26 ` [PATCH v24 12/12] LRNG - add interface for gathering of raw entropy Stephan Müller 2019-11-12 20:55 ` kbuild test robot 2019-11-12 23:13 ` Stephan Müller 2019-11-12 13:23 ` [PATCH v24 00/12] /dev/random - a new approach with full SP800-90B compliance Florian Weimer 2019-11-12 22:43 ` Stephan Müller 2019-11-12 15:33 ` Andy Lutomirski 2019-11-12 23:03 ` Stephan Müller 2019-11-12 23:26 ` Stephan Müller [this message] 2019-11-13 4:24 ` Stephan Müller 2019-11-13 4:48 ` Andy Lutomirski 2019-11-13 12:16 ` Stephan Müller 2019-11-16 9:32 ` [PATCH v25 00/12] /dev/random - a new approach with full SP800-90B Stephan Müller 2019-11-16 9:33 ` [PATCH v25 01/12] Linux Random Number Generator Stephan Müller 2019-11-16 11:25 ` Thomas Gleixner 2019-11-17 10:30 ` Stephan Müller 2019-11-16 18:13 ` Nicolai Stange 2019-11-17 11:01 ` Stephan Müller 2019-11-16 9:33 ` [PATCH v25 02/12] LRNG - allocate one SDRNG instance per NUMA node Stephan Müller 2019-11-16 9:34 ` [PATCH v25 03/12] LRNG - /proc interface Stephan Müller 2019-11-16 16:39 ` Andy Lutomirski 2019-11-17 12:16 ` Stephan Müller 2019-11-19 10:06 ` Andy Lutomirski 2019-11-19 10:55 ` Stephan Mueller 2019-11-19 17:40 ` Andy Lutomirski 2019-11-16 23:36 ` Eric W. Biederman 2019-11-17 11:37 ` Stephan Müller 2019-11-16 9:34 ` [PATCH v25 04/12] LRNG - add switchable DRNG support Stephan Müller 2019-11-16 9:35 ` [PATCH v25 05/12] crypto: DRBG - externalize DRBG functions for LRNG Stephan Müller 2019-11-16 9:35 ` [PATCH v25 06/12] LRNG - add SP800-90A DRBG extension Stephan Müller 2019-11-16 9:35 ` [PATCH v25 07/12] LRNG - add kernel crypto API PRNG extension Stephan Müller 2019-11-16 9:36 ` [PATCH v25 08/12] crypto: provide access to a static Jitter RNG state Stephan Müller 2019-11-16 9:36 ` [PATCH v25 09/12] LRNG - add Jitter RNG fast noise source Stephan Müller 2019-11-20 13:33 ` Neil Horman 2019-11-20 20:07 ` Stephan Müller 2019-11-21 14:19 ` Neil Horman 2019-11-21 14:33 ` Stephan Mueller 2019-11-16 9:37 ` [PATCH v25 10/12] LRNG - add TRNG support Stephan Müller 2019-11-16 16:09 ` Andy Lutomirski 2019-11-17 11:10 ` Stephan Müller 2019-11-19 10:07 ` Andy Lutomirski 2019-11-19 10:46 ` Stephan Mueller 2019-11-19 12:41 ` Greg Kroah-Hartman 2019-11-20 8:58 ` Stephan Müller 2019-11-20 9:55 ` Alexander E. Patrakov 2019-11-20 13:29 ` Greg Kroah-Hartman 2019-11-20 19:51 ` Stephan Müller 2019-11-20 19:57 ` Alexander E. Patrakov 2019-11-20 20:32 ` Greg Kroah-Hartman 2019-11-21 13:06 ` Stephan Müller 2019-11-16 9:37 ` [PATCH v25 11/12] LRNG - add SP800-90B compliant health tests Stephan Müller 2019-11-16 9:38 ` [PATCH v25 12/12] LRNG - add interface for gathering of raw entropy Stephan Müller 2019-11-16 16:51 ` Andy Lutomirski 2019-11-17 22:55 ` Stephan Müller 2019-11-19 10:04 ` Andy Lutomirski 2019-11-19 17:17 ` Randy Dunlap 2019-11-20 9:01 ` Stephan Müller 2019-11-21 12:18 ` Nicolai Stange 2019-11-21 15:18 ` Stephan Müller 2019-11-23 20:08 ` [PATCH v26 00/12] /dev/random - a new approach with full SP800-90B Stephan Müller 2019-11-23 20:10 ` [PATCH v26 01/12] Linux Random Number Generator Stephan Müller 2019-11-24 22:44 ` kbuild test robot 2019-11-25 6:29 ` Stephan Mueller 2019-11-23 20:10 ` [PATCH v26 02/12] LRNG - allocate one SDRNG instance per NUMA node Stephan Müller 2019-11-23 20:11 ` [PATCH v26 03/12] LRNG - sysctls and /proc interface Stephan Müller 2019-11-23 20:11 ` [PATCH v26 04/12] LRNG - add switchable DRNG support Stephan Müller 2019-11-23 20:31 ` [PATCH v26 05/12] crypto: DRBG - externalize DRBG functions for LRNG Stephan Müller 2019-11-23 20:32 ` [PATCH v26 06/12] LRNG - add SP800-90A DRBG extension Stephan Müller 2019-11-23 20:32 ` [PATCH v26 07/12] LRNG - add kernel crypto API PRNG extension Stephan Müller 2019-11-23 20:33 ` [PATCH v26 08/12] crypto: provide access to a static Jitter RNG state Stephan Müller 2019-11-23 20:34 ` [PATCH v26 09/12] LRNG - add Jitter RNG fast noise source Stephan Müller 2019-11-23 20:34 ` [PATCH v26 10/12] LRNG - add TRNG support Stephan Müller 2019-11-23 20:34 ` [PATCH v26 11/12] LRNG - add SP800-90B compliant health tests Stephan Müller 2019-11-23 20:35 ` [PATCH v26 12/12] LRNG - add interface for gathering of raw entropy Stephan Müller 2020-01-09 8:29 ` [PATCH v27 00/12] /dev/random - a new approach with full SP800-90B Stephan Müller 2020-01-09 8:30 ` [PATCH v27 01/12] Linux Random Number Generator Stephan Müller 2020-01-16 6:09 ` kbuild test robot 2020-01-16 6:41 ` Stephan Mueller 2020-01-09 8:31 ` [PATCH v27 02/12] LRNG - allocate one DRNG instance per NUMA node Stephan Müller 2020-01-09 8:31 ` [PATCH v27 03/12] LRNG - sysctls and /proc interface Stephan Müller 2020-01-09 8:32 ` [PATCH v27 04/12] LRNG - add switchable DRNG support Stephan Müller 2020-01-11 7:09 ` kbuild test robot 2020-01-12 10:12 ` Stephan Müller 2020-01-09 8:32 ` [PATCH v27 05/12] crypto: DRBG - externalize DRBG functions for LRNG Stephan Müller 2020-01-09 8:32 ` [PATCH v27 06/12] LRNG - add SP800-90A DRBG extension Stephan Müller 2020-01-09 8:33 ` [PATCH v27 07/12] LRNG - add kernel crypto API PRNG extension Stephan Müller 2020-01-09 8:33 ` [PATCH v27 08/12] crypto: provide access to a static Jitter RNG state Stephan Müller 2020-01-09 8:34 ` [PATCH v27 09/12] LRNG - add Jitter RNG fast noise source Stephan Müller 2020-01-10 0:24 ` Randy Dunlap 2020-01-10 7:45 ` Stephan Mueller 2020-01-09 8:34 ` [PATCH v27 10/12] LRNG - add SP800-90B compliant health tests Stephan Müller 2020-01-10 0:20 ` Randy Dunlap 2020-01-10 8:27 ` Stephan Mueller 2020-01-09 8:35 ` [PATCH v27 11/12] LRNG - add interface for gathering of raw entropy Stephan Müller 2020-01-09 8:35 ` [PATCH v27 12/12] LRNG - add power-on and runtime self-tests Stephan Müller 2020-01-10 0:22 ` Randy Dunlap 2020-01-10 7:48 ` Stephan Mueller 2020-01-13 10:39 ` Dan Carpenter 2020-01-13 10:46 ` Stephan Mueller 2020-01-15 10:31 ` [PATCH v28 00/12] /dev/random - a new approach with full SP800-90B Stephan Müller 2020-01-15 10:31 ` [PATCH v28 01/12] Linux Random Number Generator Stephan Müller 2020-01-16 0:11 ` Randy Dunlap 2020-01-16 7:22 ` Stephan Mueller 2020-01-15 10:32 ` [PATCH v28 02/12] LRNG - allocate one DRNG instance per NUMA node Stephan Müller 2020-01-15 10:32 ` [PATCH v28 03/12] LRNG - sysctls and /proc interface Stephan Müller 2020-01-15 10:32 ` [PATCH v28 04/12] LRNG - add switchable DRNG support Stephan Müller 2020-01-15 10:33 ` [PATCH v28 05/12] crypto: DRBG - externalize DRBG functions for LRNG Stephan Müller 2020-01-15 10:33 ` [PATCH v28 06/12] LRNG - add SP800-90A DRBG extension Stephan Müller 2020-01-16 0:14 ` Randy Dunlap 2020-01-16 6:55 ` Stephan Mueller 2020-01-15 10:34 ` [PATCH v28 07/12] LRNG - add kernel crypto API PRNG extension Stephan Müller 2020-01-16 0:15 ` Randy Dunlap 2020-01-16 6:54 ` Stephan Mueller 2020-01-15 10:34 ` [PATCH v28 08/12] crypto: provide access to a static Jitter RNG state Stephan Müller 2020-01-15 10:34 ` [PATCH v28 09/12] LRNG - add Jitter RNG fast noise source Stephan Müller 2020-01-16 0:17 ` Randy Dunlap 2020-01-16 6:51 ` Stephan Mueller 2020-01-15 10:35 ` [PATCH v28 10/12] LRNG - add SP800-90B compliant health tests Stephan Müller 2020-01-15 10:35 ` [PATCH v28 11/12] LRNG - add interface for gathering of raw entropy Stephan Müller 2020-01-16 0:18 ` Randy Dunlap 2020-01-16 6:43 ` Stephan Mueller 2020-01-16 6:48 ` Randy Dunlap 2020-01-16 6:52 ` Stephan Mueller 2020-01-15 10:36 ` [PATCH v28 12/12] LRNG - add power-on and runtime self-tests Stephan Müller 2020-01-19 21:12 ` [PATCH v29 00/12] /dev/random - a new approach with full SP800-90B Stephan Müller 2020-01-19 21:13 ` [PATCH v29 01/12] Linux Random Number Generator Stephan Müller 2020-01-19 21:13 ` [PATCH v29 02/12] LRNG - allocate one DRNG instance per NUMA node Stephan Müller 2020-01-19 21:14 ` [PATCH v29 03/12] LRNG - sysctls and /proc interface Stephan Müller 2020-01-19 21:14 ` [PATCH v29 04/12] LRNG - add switchable DRNG support Stephan Müller 2020-01-19 21:15 ` [PATCH v29 05/12] crypto: DRBG - externalize DRBG functions for LRNG Stephan Müller 2020-01-19 21:16 ` [PATCH v29 06/12] LRNG - add SP800-90A DRBG extension Stephan Müller 2020-01-19 21:16 ` [PATCH v29 07/12] LRNG - add kernel crypto API PRNG extension Stephan Müller 2020-01-19 21:17 ` [PATCH v29 08/12] crypto: provide access to a static Jitter RNG state Stephan Müller 2020-01-19 21:18 ` [PATCH v29 09/12] LRNG - add Jitter RNG fast noise source Stephan Müller 2020-01-19 21:18 ` [PATCH v29 10/12] LRNG - add SP800-90B compliant health tests Stephan Müller 2020-01-19 21:19 ` [PATCH v29 11/12] LRNG - add interface for gathering of raw entropy Stephan Müller 2020-01-19 21:20 ` [PATCH v29 12/12] LRNG - add power-on and runtime self-tests Stephan Müller
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1708605.HZ0Ruzqnhc@positron.chronox.de \ --to=smueller@chronox.de \ --cc=adilger.kernel@dilger.ca \ --cc=arnd@arndb.de \ --cc=darwish.07@gmail.com \ --cc=draht@schaltsekun.de \ --cc=ebiederm@xmission.com \ --cc=fweimer@redhat.com \ --cc=gregkh@linuxfoundation.org \ --cc=jack@suse.cz \ --cc=linux-api@vger.kernel.org \ --cc=linux-crypto@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=luto@kernel.org \ --cc=marcelo.cerri@canonical.com \ --cc=matthias.peter@bsi.bund.de \ --cc=mccann@jhu.edu \ --cc=mjg59@srcf.ucam.org \ --cc=mzxreary@0pointer.de \ --cc=nhorman@redhat.com \ --cc=nstange@suse.de \ --cc=patrakov@gmail.com \ --cc=rstrode@redhat.com \ --cc=tytso@mit.edu \ --cc=vcaputo@pengaru.com \ --cc=w@1wt.eu \ --cc=zachary@baishancloud.com \ --subject='Re: [PATCH v24 00/12] /dev/random - a new approach with full SP800-90B compliance' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).