Re: [PATCH 5/7] random: replace non-blocking pool with a Chacha20-based CRNG

From: H. Peter Anvin
Date: Mon Jun 20 2016 - 16:30:11 EST


On 06/20/16 08:49, Stephan Mueller wrote:
> Am Montag, 20. Juni 2016, 11:01:47 schrieb Theodore Ts'o:
>
> Hi Theodore,
>
>>
>> So simply doing chacha20 encryption in a tight loop in the kernel
>> might not be a good proxy for what would actually happen in real life
>> when someone calls getrandom(2). (Another good question to ask is
>> when someone might be needing to generate millions of 256-bit session
>> keys per second, when the D-H setup, even if you were using ECCDH,
>> would be largely dominating the time for the connection setup anyway.)
>
> Is speed everything we should care about? What about:
>
> - offloading of crypto operation from the CPU
>

This sounds like a speed operation (and very unlikely to be a win given
the usage).

> - potentially additional security features a hardware cipher may provide like
> cache coloring attack resistance?

How about burning that bridge when and if we get to it? It sounds very
hypothetical.

I guess I could add in some comments here about how a lot of these
problems can be eliminated by offloading an entire DRNG into hardware,
but I don't think it is productive.

-hpa