> On Apr 29, 2019, at 12:46 AM, Reshetova, Elena <elena.reshet...@intel.com>
> wrote:
>
>
>>>> On Apr 26, 2019, at 7:01 AM, Theodore Ts'o <ty...@mit.edu> wrote:
>>>
>
>> It seems to me
>> that we should be using the “fast-erasure” construction for all
>> get_random_bytes()
>> invocations. Specifically, we should have a per cpu buffer that stores some
>> random
>> bytes and a count of how many random bytes there are. get_random_bytes()
>> should
>> take bytes from that buffer and *immediately* zero those bytes in memory.
>> When
>> the buffer is empty, it gets refilled with the full strength CRNG.
>
> Ideally it would be great to call smth fast and secure on each syscall
> without a per-cpu
> buffer,
Why? You only need a few bits, and any sensible crypto primitive is going to
be much better at producing lots of bits than producing just a few bits. Even
ignoring that, avoiding the I-cache hit on every syscall has value. And I
still don’t see what’s wrong with a percpu buffer.
> so that's why I was asking on chacha8. As Eric pointed it should not be used
> for
> cryptographic purpose, but I think it is reasonably secure for our purpose,
> especially if
> the generator is sometimes reseeded with fresh entropy.
> However, it very well might be that is too slow anyway.
>
> So, I think then we can do the per-cpu approach as you suggesting.
> Have a per-cpu buffer big enough as you suggested (couple of pages) from where
> we regularly read 8 bits at the time and zero them as we go.
>
> I am just not sure on the right refill strategy in this case?
> Should we try to maintain this per-cpu buffer always with some random bytes by
> having a work queued that would refill it (or part of it, i.e. a page from a
> set of 4 pages)
> regularly from CRNG source?
> I guess how often we need to refill will depend so much on the syscall rate
> on that cpu, so it might be hard to find a reasonable period.
> In any case we need to prepare to do a refill straight from a syscall,
> if despite our best efforts to keep the buffer refilled we run out of bits.
> Is it ok to get a visible performance hit at this point? In worse case we
> will need to
> generate n pages worth of random numbers, which is going to take a
> while.
I think a small hit every few syscalls is okay. The real time people will turn
this off regardless.
>
> I will try doing this PoC and measure implications (without the worker
> refill to start with). Let's see how bad (performance wise it looks).
>
> Best Regards,
> Elena.
>
>
>
>
>
>> The obvious objection is “oh no, a side channel could leak the buffer,” to
>> which I say
>> so what? A side channel could just as easily leak the entire CRNG state.
>>
>> For Elena’s specific use case, we would probably want a
>> try_get_random_bytes_notrace() that *only* tries the percpu buffer, since
>> this code
>> runs so early in the syscall path that we can’t run real C code. Or it
>> could be moved a
>> bit later, I suppose — the really early part is not really an interesting
>> attack surface.
