From: Geert Uytterhoeven <geert@linux-m68k.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "Linus Torvalds" <torvalds@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"Linux Crypto Mailing List" <linux-crypto@vger.kernel.org>,
"Steffen Klassert" <steffen.klassert@secunet.com>,
"Stephan Müller" <smueller@chronox.de>,
"Masahiro Yamada" <masahiroy@kernel.org>,
linux-kbuild <linux-kbuild@vger.kernel.org>
Subject: Re: [PATCH] crypto: jitterentropy - Hide esoteric Kconfig options under FIPS and EXPERT
Date: Fri, 10 Nov 2023 10:04:38 +0100
Message-ID: <CAMuHMdWWMABFmejXPEuKyvDC7CgUZSeWU6cR8qpBdVa9KiBdUQ@mail.gmail.com>
In-Reply-To: <ZUi5KMUaNkp0c1Ds@gondor.apana.org.au>

Hi Herbert, Yamada-san,

On Mon, Nov 6, 2023 at 11:00 AM Herbert Xu <herbert@gondor.apana.org.au> wrote:
> On Thu, Nov 02, 2023 at 08:32:36PM -1000, Linus Torvalds wrote:
> > I think that would help the situation, but I assume the sizing for the
> > jitter buffer is at least partly due to trying to account for cache
> > sizing or similar issues?
> >
> > Which really means that I assume any static compile-time answer to
> > that question is always wrong - whether you are an expert or not.
> > Unless you are just building the thing for one particular machine.
> >
> > So I do think the problem is deeper than "this is a question only for
> > experts". I definitely don't think you should ask a regular user (or
> > even a distro kernel package manager). I suspect it's likely that the
> > question is just wrong in general - because any particular one buffer
> > size for any number of machines simply cannot be the right answer.
> >
> > I realize that the commit says "*allow* for configuration of memory
> > size", but I really question the whole approach.
>
> Yes I think these are all valid points. I just noticed that I
> forgot to cc the author so let's see if Stephan has anything to
> add.
>
> > But yes - hiding these questions from any reasonable normal user is at
> > least a good first step.
>
> OK here's the patch:
>
> ---8<---
> As JITTERENTROPY is selected by default if you enable the CRYPTO
> API, any Kconfig options added there will show up for every single
> user. Hide the esoteric options under EXPERT as well as FIPS so
> that only distro makers will see them.
>
> Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks for your patch, which is now commit e7ed6473c2c8c4e4 ("crypto:
jitterentropy - Hide esoteric Kconfig options under FIPS and EXPERT").

> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -1297,10 +1297,12 @@ config CRYPTO_JITTERENTROPY
>
> See https://www.chronox.de/jent.html
>
> +if CRYPTO_JITTERENTROPY
> +if CRYPTO_FIPS && EXPERT
> +
> choice
> prompt "CPU Jitter RNG Memory Size"
> default CRYPTO_JITTERENTROPY_MEMSIZE_2
> - depends on CRYPTO_JITTERENTROPY
> help
> The Jitter RNG measures the execution time of memory accesses.
> Multiple consecutive memory accesses are performed. If the memory
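
Review bot: the new `if CRYPTO_FIPS && EXPERT` line ahead of the choice has no comment saying why both symbols are required, and the commit message wording ("under EXPERT as well as FIPS") can be read as either one or both. A one-line comment above the `if` stating that the prompts are meant only for builds that set both would save the next reader from inferring it from the `endif` comments further down.
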
> @@ -1344,7 +1346,6 @@ config CRYPTO_JITTERENTROPY_OSR
> int "CPU Jitter RNG Oversampling Rate"
> range 1 15
> default 1
> - depends on CRYPTO_JITTERENTROPY
> help
> The Jitter RNG allows the specification of an oversampling rate (OSR).
> The Jitter RNG operation requires a fixed amount of timing
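
Review bot: `range 1 15` now lives only on this prompted definition, while the promptless CRYPTO_JITTERENTROPY_OSR added in the last hunk carries just `default 1`, so the two definitions can drift apart. Keeping a single definition and making only the prompt conditional, `int "CPU Jitter RNG Oversampling Rate" if CRYPTO_FIPS && EXPERT`, keeps the range and the default in one place.
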
> @@ -1359,7 +1360,6 @@ config CRYPTO_JITTERENTROPY_OSR
>
> config CRYPTO_JITTERENTROPY_TESTINTERFACE
> bool "CPU Jitter RNG Test Interface"
> - depends on CRYPTO_JITTERENTROPY
> help
> The test interface allows a privileged process to capture
> the raw unconditioned high resolution time stamp noise that
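
Review bot: once this entry sits inside `if CRYPTO_FIPS && EXPERT`, a kernel built without CRYPTO_FIPS can no longer enable the test interface at all, because the fallback definition in the last hunk is a promptless `bool` with no default. If restricting raw noise capture to FIPS builds is intended, the help text should say so; if the interface is a development aid, gating it on EXPERT alone would keep it reachable.
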
> @@ -1377,6 +1377,28 @@ config CRYPTO_JITTERENTROPY_TESTINTERFACE
>
> If unsure, select N.
>
> +endif # if CRYPTO_FIPS && EXPERT
> +
> +if !(CRYPTO_FIPS && EXPERT)
> +
> +config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS
> + int
> + default 64
> +
> +config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE
> + int
> + default 32
> +
> +config CRYPTO_JITTERENTROPY_OSR
> + int
> + default 1
> +
> +config CRYPTO_JITTERENTROPY_TESTINTERFACE
> + bool

This duplicates the symbols in the CRYPTO_FIPS && EXPERT section above,
which is fragile.

For the int and bool symbols, this can be handled without duplication
using:

config CRYPTO_JITTERENTROPY_OSR
- int "CPU Jitter RNG Oversampling Rate"
+ int "CPU Jitter RNG Oversampling Rate" if CRYPTO_FIPS && EXPERT

config CRYPTO_JITTERENTROPY_TESTINTERFACE
- bool "CPU Jitter RNG Test Interface"
+ bool "CPU Jitter RNG Test Interface" if CRYPTO_FIPS && EXPERT

Unfortunately the following does not work for the choice statement,
although kconfig does not report an error:

choice
- prompt "CPU Jitter RNG Memory Size"
+ prompt "CPU Jitter RNG Memory Size" if CRYPTO_FIPS && EXPERT
default CRYPTO_JITTERENTROPY_MEMSIZE_2

Unlike for other symbol types, which just become silent if
!(CRYPTO_FIPS && EXPERT), the choice is skipped completely if
!(CRYPTO_FIPS && EXPERT), and CRYPTO_JITTERENTROPY_MEMSIZE_2 is not set.

Yamada-san: Do you know why choice behaves differently?
Is this easy to fix?

Thanks!

> +
> +endif # if !(CRYPTO_FIPS && EXPERT)
> +endif # if CRYPTO_JITTERENTROPY
> +
> config CRYPTO_KDF800108_CTR
> tristate
> select CRYPTO_HMAC
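
Review bot: the fallback `default 64` and `default 32` in the `!(CRYPTO_FIPS && EXPERT)` branch are bare numbers, and nothing in the hunk says whether they are meant to match the choice default CRYPTO_JITTERENTROPY_MEMSIZE_2 from the first hunk. A comment next to each stating which memory size they correspond to would let a later change to the choice default be checked against them.
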
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
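
A way to check what a build actually ended up with after this change, as an added example that is not part of the thread or of the kernel tree: it reads a generated `.config` and reports jitterentropy symbols that are missing, that differ from the values the patch hard-codes when the prompts are hidden, or that enable the raw noise test interface. The function names and the sample input are constructed for illustration; the symbol names, the range and the defaults are the ones quoted in the patch.

```python
import re

# Values the patch hard-codes when the prompts are hidden: !(CRYPTO_FIPS && EXPERT).
HIDDEN_DEFAULTS = {
    "CRYPTO_JITTERENTROPY_MEMORY_BLOCKS": "64",
    "CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE": "32",
    "CRYPTO_JITTERENTROPY_OSR": "1",
}
_LINE = re.compile(r"^(?:CONFIG_(\w+)=(.*)|# CONFIG_(\w+) is not set)$")

def parse_dotconfig(text):
    """Map symbol name -> value; '# CONFIG_X is not set' becomes 'n'."""
    syms = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            syms[m.group(1) or m.group(3)] = m.group(2) if m.group(1) else "n"
    return syms

def audit_jitterentropy(text):
    """Return a list of findings for the jitterentropy symbols in a .config."""
    s = parse_dotconfig(text)
    if s.get("CRYPTO_JITTERENTROPY", "n") == "n":
        return []
    findings = []
    tunable = s.get("CRYPTO_FIPS") == "y" and s.get("EXPERT") == "y"
    for name, want in HIDDEN_DEFAULTS.items():
        got = s.get(name)
        if got is None:
            findings.append(f"{name}: missing, symbol did not resolve")
        elif not tunable and got != want:
            findings.append(f"{name}: {got}, expected hidden default {want}")
    osr = s.get("CRYPTO_JITTERENTROPY_OSR", "")
    if osr.isdigit() and not 1 <= int(osr) <= 15:
        findings.append(f"CRYPTO_JITTERENTROPY_OSR: {osr} outside range 1 15")
    if s.get("CRYPTO_JITTERENTROPY_TESTINTERFACE", "n") == "y":
        where = "" if tunable else " without CRYPTO_FIPS && EXPERT"
        findings.append("CRYPTO_JITTERENTROPY_TESTINTERFACE: raw noise test interface enabled" + where)
    return findings

# Constructed sample: a non-FIPS build in which the memory symbols are absent.
SAMPLE = """\
CONFIG_CRYPTO_JITTERENTROPY=y
# CONFIG_CRYPTO_FIPS is not set
CONFIG_EXPERT=y
CONFIG_CRYPTO_JITTERENTROPY_OSR=1
# CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set
"""

print("\n".join(audit_jitterentropy(SAMPLE)))
```
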