linux-kernel.vger.kernel.org archive mirror
* [GIT PULL] prandom32 changes for v5.10
@ 2020-10-12 20:32 Willy Tarreau
       [not found] ` <CANEQ_+Jyf-MZEsvT5iMu0a=waJCiAKdLaOfLHe_py6AXOt-hjQ@mail.gmail.com>
  0 siblings, 1 reply; 10+ messages in thread
From: Willy Tarreau @ 2020-10-12 20:32 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: George Spelvin, Amit Klein, Eric Dumazet, Jason A. Donenfeld,
	Andy Lutomirski, Kees Cook, Thomas Gleixner, Peter Zijlstra,
	tytso, Florian Westphal, Marc Plumb, linux-kernel

Linus,

Given that nobody objected to this patchset since last update on
prandom32 a month ago, I'm sending you the refreshed one for 5.10.

The following changes since commit bbf5c979011a099af5dc76498918ed7df445635b:

  Linux 5.9 (2020-10-11 14:15:50 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/wtarreau/prandom.git tags/20201012-v3-5.10

for you to fetch changes up to 3486a21c7e5bafbdbc0f7ea5d40f3dad39022bf4:

  random32: add noise from network and scheduling activity (2020-10-12 18:11:51 +0200)

Thanks!
Willy

----------------------------------------------------------------
This is the cleanup of the latest series of prandom_u32 experimentations
consisting in using SipHash instead of Tausworthe to produce the randoms
used by the network stack. The changes to the files were kept minimal,
and the controversial commit that used to take noise from the fast_pool
(f227e3ec3b5c) was reverted. Instead, a dedicated "net_rand_noise" per_cpu
variable is fed from various sources of activities (networking, scheduling)
to perturb the SipHash state using fast, non-trivially predictable data,
instead of keeping it fully deterministic. The goal is essentially to make
any occasional memory leakage or brute-force attempt useless.

The resulting code was verified to be very slightly faster on x86_64 than
what it was with the controversial commit above, though this remains barely
above measurement noise. It was also tested on i386 and arm, and build-
tested only on arm64.

This v3 is a rebase on top of 5.9-final, and switches __this_cpu_read()
for this_cpu_read() to address a crash on i386+SMP+PREEMPT reported by
LTP. Nothing else was changed.

----------------------------------------------------------------
George Spelvin (1):
      random32: make prandom_u32() output unpredictable

Willy Tarreau (1):
      random32: add noise from network and scheduling activity

 drivers/char/random.c   |   1 -
 include/linux/prandom.h |  55 +++++-
 kernel/time/timer.c     |   9 +-
 lib/random32.c          | 438 +++++++++++++++++++++++++++++-------------------
 net/core/dev.c          |   4 +
 5 files changed, 326 insertions(+), 181 deletions(-)

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [GIT PULL] prandom32 changes for v5.10
       [not found] ` <CANEQ_+Jyf-MZEsvT5iMu0a=waJCiAKdLaOfLHe_py6AXOt-hjQ@mail.gmail.com>
@ 2020-10-20 23:08   ` Linus Torvalds
  2020-10-21  3:27     ` Willy Tarreau
  0 siblings, 1 reply; 10+ messages in thread
From: Linus Torvalds @ 2020-10-20 23:08 UTC (permalink / raw)
  To: Amit Klein
  Cc: Willy Tarreau, George Spelvin, Eric Dumazet, Jason A. Donenfeld,
	Andy Lutomirski, Kees Cook, Thomas Gleixner, Peter Zijlstra,
	Theodore Ts'o, Florian Westphal, Marc Plumb,
	Linux Kernel Mailing List

On Tue, Oct 20, 2020 at 12:26 PM Amit Klein <aksecurity@gmail.com> wrote:
>
> Quick question: is this patch still planned for inclusion in 5.10-rc1?

It doesn't even build for me, so no. It clearly hasn't been in
linux-next or anything like that.

Hint: grep for prandom_seed_early.

              Linus

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [GIT PULL] prandom32 changes for v5.10
  2020-10-20 23:08   ` Linus Torvalds
@ 2020-10-21  3:27     ` Willy Tarreau
  2020-10-21 20:52       ` Marc Plumb
  0 siblings, 1 reply; 10+ messages in thread
From: Willy Tarreau @ 2020-10-21  3:27 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: Amit Klein, George Spelvin, Eric Dumazet, Jason A. Donenfeld,
	Andy Lutomirski, Kees Cook, Thomas Gleixner, Peter Zijlstra,
	Theodore Ts'o, Florian Westphal, Marc Plumb,
	Linux Kernel Mailing List

Hi Linus,

On Tue, Oct 20, 2020 at 04:08:03PM -0700, Linus Torvalds wrote:
> On Tue, Oct 20, 2020 at 12:26 PM Amit Klein <aksecurity@gmail.com> wrote:
> >
> > Quick question: is this patch still planned for inclusion in 5.10-rc1?
> 
> It doesn't even build for me, so no. It clearly hasn't been in
> linux-next or anything like that.
> 
> Hint: grep for prandom_seed_early.

I'm a bit surprised, as it worked for me, but thanks for checking. Given
the lack of responses from many participants on these patches, on several
occasions I feel that this series is really not welcome. Initially I just
tried to test and fix Spelvin's patch, but if there's not that much
interest in it, or even reluctance, I'd rather stop. If it's just that
the current state is ugly with the two PRNGs side by side, I can get
back to completely removing the original one as I did in my first series,
and propose a larger series. Or if nobody's interested, I'd rather know
so that I don't have to put more time on it :-/

Thanks for letting me know,
Willy

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [GIT PULL] prandom32 changes for v5.10
  2020-10-21  3:27     ` Willy Tarreau
@ 2020-10-21 20:52       ` Marc Plumb
  2020-10-21 21:20         ` Joe Perches
  0 siblings, 1 reply; 10+ messages in thread
From: Marc Plumb @ 2020-10-21 20:52 UTC (permalink / raw)
  To: Willy Tarreau, Linus Torvalds
  Cc: Amit Klein, George Spelvin, Eric Dumazet, Jason A. Donenfeld,
	Andy Lutomirski, Kees Cook, Thomas Gleixner, Peter Zijlstra,
	Theodore Ts'o, Florian Westphal, Linux Kernel Mailing List

As one of the participants, I mostly backed off when Spelvin seemed to 
be more aggressively driving a secure solution. I still think that this 
is an important change, both to fix the original network vulnerability 
and to avoid harming dev/random while doing it. I greatly appreciate 
your time and effort on this but didn't want too much chatter on the DL.


On 2020-10-20 8:27 p.m., Willy Tarreau wrote:
> Hi Linus,
>
> On Tue, Oct 20, 2020 at 04:08:03PM -0700, Linus Torvalds wrote:
>> On Tue, Oct 20, 2020 at 12:26 PM Amit Klein <aksecurity@gmail.com> wrote:
>>> Quick question: is this patch still planned for inclusion in 5.10-rc1?
>> It doesn't even build for me, so no. It clearly hasn't been in
>> linux-next or anything like that.
>>
>> Hint: grep for prandom_seed_early.
> I'm a bit surprised, as it worked for me, but thanks for checking. Given
> the lack of responses from many participants on these patches, on several
> occasions I feel that this series is really not welcome. Initially I just
> tried to test and fix Spelvin's patch, but if there's not that much
> interest in it, or even reluctance, I'd rather stop. If it's just that
> the current state is ugly with the two PRNGs side by side, I can get
> back to completely removing the original one as I did in my first series,
> and propose a larger series. Or if nobody's interested, I'd rather know
> so that I don't have to put more time on it :-/
>
> Thanks for letting me know,
> Willy

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [GIT PULL] prandom32 changes for v5.10
  2020-10-21 20:52       ` Marc Plumb
@ 2020-10-21 21:20         ` Joe Perches
  2020-10-21 21:35           ` Linus Torvalds
  0 siblings, 1 reply; 10+ messages in thread
From: Joe Perches @ 2020-10-21 21:20 UTC (permalink / raw)
  To: Marc Plumb, Willy Tarreau, Linus Torvalds
  Cc: Amit Klein, George Spelvin, Eric Dumazet, Jason A. Donenfeld,
	Andy Lutomirski, Kees Cook, Thomas Gleixner, Peter Zijlstra,
	Theodore Ts'o, Florian Westphal, Linux Kernel Mailing List

On Wed, 2020-10-21 at 13:52 -0700, Marc Plumb wrote:
> As one of the participants, I mostly backed off when Spelvin seemed to 
> be more aggressively driving a secure solution.

While secure solutions are useful, I really wonder if
"George Spelvin" is a real person.

https://en.wikipedia.org/wiki/George_Spelvin

_If_ "George Spelvin" is a pseudonym, (apologies if it is not),
should anything with that signature be added to the kernel?

The Developer's Certificate of Origin says that no pseudonyms
are allowed.

---

Developer's Certificate of Origin 1.1
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By making a contribution to this project, I certify that:

        (a) The contribution was created in whole or in part by me and I
            have the right to submit it under the open source license
            indicated in the file; or

        (b) The contribution is based upon previous work that, to the best
            of my knowledge, is covered under an appropriate open source
            license and I have the right under that license to submit that
            work with modifications, whether created in whole or in part
            by me, under the same open source license (unless I am
            permitted to submit under a different license), as indicated
            in the file; or

        (c) The contribution was provided directly to me by some other
            person who certified (a), (b) or (c) and I have not modified
            it.

        (d) I understand and agree that this project and the contribution
            are public and that a record of the contribution (including all
            personal information I submit with it, including my sign-off) is
            maintained indefinitely and may be redistributed consistent with
            this project or the open source license(s) involved.

then you just add a line saying::

	Signed-off-by: Random J Developer <random@developer.example.org>

using your real name (sorry, no pseudonyms or anonymous contributions.)
This will be done for you automatically if you use ``git commit -s``.




^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [GIT PULL] prandom32 changes for v5.10
  2020-10-21 21:20         ` Joe Perches
@ 2020-10-21 21:35           ` Linus Torvalds
  2020-10-21 21:41             ` Joe Perches
  0 siblings, 1 reply; 10+ messages in thread
From: Linus Torvalds @ 2020-10-21 21:35 UTC (permalink / raw)
  To: Joe Perches
  Cc: Marc Plumb, Willy Tarreau, Amit Klein, George Spelvin,
	Eric Dumazet, Jason A. Donenfeld, Andy Lutomirski, Kees Cook,
	Thomas Gleixner, Peter Zijlstra, Theodore Ts'o,
	Florian Westphal, Linux Kernel Mailing List

On Wed, Oct 21, 2020 at 2:20 PM Joe Perches <joe@perches.com> wrote:
>
> While secure solutions are useful, I really wonder if
> "George Spelvin" is a real person.

It's not his real name, no, but he's a real person.

I do have his real name from years ago when I needed to confirm his
identity for sign-offs (I forget what for, I think it was some dcache
name hashing thing).

So I can confirm he's a real person who just wants to keep private,
and is competent when it comes to hashing and security.

                 Linus

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [GIT PULL] prandom32 changes for v5.10
  2020-10-21 21:35           ` Linus Torvalds
@ 2020-10-21 21:41             ` Joe Perches
  2020-10-22  2:12               ` Willy Tarreau
  0 siblings, 1 reply; 10+ messages in thread
From: Joe Perches @ 2020-10-21 21:41 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: Marc Plumb, Willy Tarreau, Amit Klein, George Spelvin,
	Eric Dumazet, Jason A. Donenfeld, Andy Lutomirski, Kees Cook,
	Thomas Gleixner, Peter Zijlstra, Theodore Ts'o,
	Florian Westphal, Linux Kernel Mailing List

On Wed, 2020-10-21 at 14:35 -0700, Linus Torvalds wrote:
> On Wed, Oct 21, 2020 at 2:20 PM Joe Perches <joe@perches.com> wrote:
> > While secure solutions are useful, I really wonder if
> > "George Spelvin" is a real person.
> 
> It's not his real name, no, but he's a real person.
> 
> I do have his real name from years ago when I needed to confirm his
> identity for sign-offs (I forget what for, I think it was some dcache
> name hashing thing).
> 
> So I can confirm he's a real person who just wants to keep private,
> and is competent when it comes to hashing and security.

I hope that real name is in some escrow somewhere and
not just in some long thrown away spinning rust disk.

And because George isn't a real name and contributions
by him have been accepted, the DCO should be updated
to show how pseudonymous contributions can be made.



^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [GIT PULL] prandom32 changes for v5.10
  2020-10-21 21:41             ` Joe Perches
@ 2020-10-22  2:12               ` Willy Tarreau
  0 siblings, 0 replies; 10+ messages in thread
From: Willy Tarreau @ 2020-10-22  2:12 UTC (permalink / raw)
  To: Joe Perches
  Cc: Linus Torvalds, Marc Plumb, Amit Klein, George Spelvin,
	Eric Dumazet, Jason A. Donenfeld, Andy Lutomirski, Kees Cook,
	Thomas Gleixner, Peter Zijlstra, Theodore Ts'o,
	Florian Westphal, Linux Kernel Mailing List

On Wed, Oct 21, 2020 at 02:41:06PM -0700, Joe Perches wrote:
> On Wed, 2020-10-21 at 14:35 -0700, Linus Torvalds wrote:
> > On Wed, Oct 21, 2020 at 2:20 PM Joe Perches <joe@perches.com> wrote:
> > > While secure solutions are useful, I really wonder if
> > > "George Spelvin" is a real person.
> > 
> > It's not his real name, no, but he's a real person.
> > 
> > I do have his real name from years ago when I needed to confirm his
> > identity for sign-offs (I forget what for, I think it was some dcache
> > name hashing thing).
> > 
> > So I can confirm he's a real person who just wants to keep private,
> > and is competent when it comes to hashing and security.
> 
> I hope that real name is in some escrow somewhere and
> not just in some long thrown away spinning rust disk.
> 
> And because George isn't a real name and contributions
> by him have been accepted, the DCO should be updated
> to show how pseudonymous contributions can be made.

Well, if that helps, given that I already needed to modify his code
and that his proposal totally makes sense, I can also replace his
signed-off-by with a suggested-by in the patch and put a link to the
original thread.

I'll do my best to propose an update before -rc1 if that's still
acceptable. Amit found that the code doesn't build when tests are
enabled, visibly they were not on my side and likely explain why
that failed for Linus.

Willy

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [GIT PULL] prandom32 changes for v5.10
  2020-10-24 19:34 Willy Tarreau
@ 2020-10-25 18:35 ` pr-tracker-bot
  0 siblings, 0 replies; 10+ messages in thread
From: pr-tracker-bot @ 2020-10-25 18:35 UTC (permalink / raw)
  To: Willy Tarreau
  Cc: Linus Torvalds, George Spelvin, Amit Klein, Eric Dumazet,
	Jason A. Donenfeld, Andy Lutomirski, Kees Cook, Thomas Gleixner,
	Peter Zijlstra, tytso, Florian Westphal, Marc Plumb, Joe Perches,
	linux-kernel

The pull request you sent on Sat, 24 Oct 2020 21:34:47 +0200:

> git://git.kernel.org/pub/scm/linux/kernel/git/wtarreau/prandom.git tags/20201024-v4-5.10

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/91f28da8c9a054286d6917ce191349455c479478

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [GIT PULL] prandom32 changes for v5.10
@ 2020-10-24 19:34 Willy Tarreau
  2020-10-25 18:35 ` pr-tracker-bot
  0 siblings, 1 reply; 10+ messages in thread
From: Willy Tarreau @ 2020-10-24 19:34 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: George Spelvin, Amit Klein, Eric Dumazet, Jason A. Donenfeld,
	Andy Lutomirski, Kees Cook, Thomas Gleixner, Peter Zijlstra,
	tytso, Florian Westphal, Marc Plumb, Joe Perches, linux-kernel

Hi Linus,

I've addressed the build issues when CONFIG_RANDOM32_SELFTEST is enabled,
and also added a self-test for the new code (last patch of the series).
As I previously questioned, I finally replaced this_cpu_read(noise) with
raw_cpu_read(noise) as it's pointless to deal with interrupts here
since we're just collecting noise.

Last point, I kept George as the author despite not being his real name,
as I saw he already signed-off other commits.

Please let me know if you have any question or comment.

The following changes since commit f11901ed723d1351843771c3a84b03a253bbf8b2:

  Merge tag 'xfs-5.10-merge-7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux (2020-10-23 17:15:06 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/wtarreau/prandom.git tags/20201024-v4-5.10

for you to fetch changes up to c6e169bc146a76d5ccbf4d3825f705414352bd03:

  random32: add a selftest for the prandom32 code (2020-10-24 20:21:57 +0200)

----------------------------------------------------------------
random32: make prandom_u32() less predictable

This is the cleanup of the latest series of prandom_u32 experimentations
consisting in using SipHash instead of Tausworthe to produce the randoms
used by the network stack. The changes to the files were kept minimal,
and the controversial commit that used to take noise from the fast_pool
(f227e3ec3b5c) was reverted. Instead, a dedicated "net_rand_noise" per_cpu
variable is fed from various sources of activities (networking, scheduling)
to perturb the SipHash state using fast, non-trivially predictable data,
instead of keeping it fully deterministic. The goal is essentially to make
any occasional memory leakage or brute-force attempt useless.

The resulting code was verified to be very slightly faster on x86_64 than
what it was with the controversial commit above, though this remains barely
above measurement noise. It was also tested on i386 and arm, and build-
tested only on arm64.

The whole discussion around this is archived here:
  https://lore.kernel.org/netdev/20200808152628.GA27941@SDF.ORG/

---
v4:
  - access noise using raw_cpu_read() instead of this_cpu_read()
  - fixed build with CONFIG_RANDOM32_SELFTEST
  - added a selftest for the prandom32 code
   
v3:
  This v3 is a rebase on top of 5.9-final, and switches __this_cpu_read()
  for this_cpu_read() to address a crash on i386+SMP+PREEMPT reported by
  LKP. Nothing else was changed.

----------------------------------------------------------------
George Spelvin (1):
      random32: make prandom_u32() output unpredictable

Willy Tarreau (2):
      random32: add noise from network and scheduling activity
      random32: add a selftest for the prandom32 code

 drivers/char/random.c   |   1 -
 include/linux/prandom.h |  55 ++++-
 kernel/time/timer.c     |   9 +-
 lib/random32.c          | 525 +++++++++++++++++++++++++++++++-----------------
 net/core/dev.c          |   4 +
 5 files changed, 404 insertions(+), 190 deletions(-)

^ permalink raw reply	[flat|nested] 10+ messages in thread
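
The idea described in the pull request text above (perturbing a SipHash-round state with per-CPU noise so that a one-time state leak stops predicting later outputs), as an added userspace example. It is not part of the original messages and is not the kernel's lib/random32.c code; every name, the seed constants and the noise values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define N_OUTPUTS 16

/* Hypothetical userspace model of a SipHash-round based generator. */
struct sip_state { uint64_t v0, v1, v2, v3; };

static uint64_t rol64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }

/* One standard SipHash round: an ARX permutation of the four state words. */
static void sipround(struct sip_state *s)
{
	s->v0 += s->v1; s->v1 = rol64(s->v1, 13); s->v1 ^= s->v0; s->v0 = rol64(s->v0, 32);
	s->v2 += s->v3; s->v3 = rol64(s->v3, 16); s->v3 ^= s->v2;
	s->v0 += s->v3; s->v3 = rol64(s->v3, 21); s->v3 ^= s->v0;
	s->v2 += s->v1; s->v1 = rol64(s->v1, 17); s->v1 ^= s->v2; s->v2 = rol64(s->v2, 32);
}

/* Mix the noise word in like a SipHash message word, then emit 32 bits. */
static uint32_t sip_next(struct sip_state *s, uint64_t noise)
{
	s->v3 ^= noise;
	sipround(s);
	sipround(s);
	s->v0 ^= noise;
	return (uint32_t)(s->v1 + s->v3);
}

/* Constructed stand-in for the per-CPU noise word; in the series described
 * above the real one is fed from networking and scheduling activity. */
static uint64_t sample_noise(int i)
{
	return 0x9e3779b97f4a7c15ULL * (uint64_t)(i + 1);
}

/* Model a one-time leak: the observer holds an exact copy of the state but
 * sees none of the later noise. Returns how many of the next N_OUTPUTS
 * values that copy still reproduces. */
int predicted_outputs(int with_noise)
{
	struct sip_state gen = { 0x736f6d6570736575ULL, 0x646f72616e646f6dULL,
				 0x6c7967656e657261ULL, 0x7465646279746573ULL };
	struct sip_state leaked = gen;	/* the leaked snapshot */
	int i, hits = 0;

	for (i = 0; i < N_OUTPUTS; i++) {
		uint32_t real = sip_next(&gen, with_noise ? sample_noise(i) : 0);
		uint32_t guess = sip_next(&leaked, 0);
		hits += (real == guess);
	}
	return hits;
}

int main(void)
{
	printf("deterministic: %d/%d outputs reproduced from the snapshot\n",
	       predicted_outputs(0), N_OUTPUTS);
	printf("with noise:    %d/%d outputs reproduced from the snapshot\n",
	       predicted_outputs(1), N_OUTPUTS);
	return 0;
}
```

Without noise the snapshot reproduces every later output; once a single unknown noise word has been mixed in, the two states diverge and stay diverged even if later noise words were zero.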
