Re: [PATCH 2/2] random: add fork_event sysctl for polling VM forks

From: Alexander Graf
Date: Wed May 11 2022 - 09:20:15 EST

Next message: Satya Priya: "[PATCH V12 8/9] arm64: dts: qcom: pm8008: Add base dts file"
Previous message: Jason A. Donenfeld: "Re: [PATCH 2/2] random: add fork_event sysctl for polling VM forks"
In reply to: Simo Sorce: "Re: [PATCH 2/2] random: add fork_event sysctl for polling VM forks"
Next in thread: Alexander Graf: "Re: [PATCH 2/2] random: add fork_event sysctl for polling VM forks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Simo,

On 11.05.22 14:59, Simo Sorce wrote:

Hi Jason,

On Wed, 2022-05-11 at 03:18 +0200, Jason A. Donenfeld wrote:

My proposal here is made with nonce reuse in mind, for things like
session keys that use sequential nonces.

Although this makes sense the problem is that changing applications to
do the right thing based on which situation they are in will never be
done right or soon enough. So I would focus on a solution that makes
the CSPRNGs in crypto libraries safe.

I think we intrinsically have 2 sets of applications: Ones that want an event based notification and don't care about the racyness of it and ones that want an atomic way to determine the epoch. Userspace RNGs are naturally in the second category.

A different issue is random nonces. For these, it seems like a call to
getrandom() for each nonce is probably the best bet. But it sounds like
you're interested in a userspace RNG, akin to OpenBSD's arc4random(3). I
hope you saw these threads:

- https://lore.kernel.org/lkml/YnA5CUJKvqmXJxf2@xxxxxxxxx/
- https://lore.kernel.org/lkml/Yh4+9+UpanJWAIyZ@xxxxxxxxx/
- https://lore.kernel.org/lkml/CAHmME9qHGSF8w3DoyCP+ud_N0MAJ5_8zsUWx=rxQB1mFnGcu9w@xxxxxxxxxxxxxx/

4c does sound like a decent solution, it is semantically identical to
an epoch vmgenid, all the library needs to do is to create such a mmap
region, stick a value on it, verify it is not zero after computing the
next random value but before returning it to the caller.
This reduces the race to a very small window when the machine is frozen
right after the random value is returned to the caller but before it is
used, but hopefully this just means that the two machines will just
make parallel computations that yield the exact same value, so no
catastrophic consequence will arise (there is the odd case where two
random values are sought and the split happens between the two are
retrieved and this has bad consequences, I think we can ignore that).

The problem with wiping memory on clone is that it means you must keep these special wipe on clone pages always present and pinned in memory and can no longer swap them out, compact them or move them for memory hotplug.

We started the journey with a WIPEONSUSPEND flag and eventually abandoned it because it seemed clunky. Happy to reopen it if we believe it's a viable path:

https://lwn.net/Articles/825230/

Alex

Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879

Next message: Satya Priya: "[PATCH V12 8/9] arm64: dts: qcom: pm8008: Add base dts file"
Previous message: Jason A. Donenfeld: "Re: [PATCH 2/2] random: add fork_event sysctl for polling VM forks"
In reply to: Simo Sorce: "Re: [PATCH 2/2] random: add fork_event sysctl for polling VM forks"
Next in thread: Alexander Graf: "Re: [PATCH 2/2] random: add fork_event sysctl for polling VM forks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]