Page MenuHomeFreeBSD
Differential D32021

kern: random: reduce the rate at which we collect from fast entropy sources
ClosedPublic
Actions

Authored by kevans on Sep 20 2021, 6:12 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 6, 4:00 AM
Unknown Object (File)
Thu, Nov 6, 2:24 AM
Unknown Object (File)
Wed, Nov 5, 11:55 PM
Unknown Object (File)
Wed, Nov 5, 5:51 PM
Unknown Object (File)
Sun, Nov 2, 1:57 PM
Unknown Object (File)
Wed, Oct 29, 2:01 PM
Unknown Object (File)
Wed, Oct 29, 1:09 PM
Unknown Object (File)
Mon, Oct 27, 11:09 AM
View All Files
Subscribers
cem
delphij

Details

Reviewers
cem
delphij
markm
Group Reviewers
csprng
Commits
rG5e79bba562bc: kern: random: collect ~16x less from fast-entropy sources
rG6895cade9421: kern: random: drop read_rate and associated functionality
Summary

I have this staged as three commits, but I decided combining them for review was not too much to review and more useful to discuss the changes in the full context. I think the below is a reasonable interpretation of previous discussions, but I'm happy to be corrected. :-)

commit c55c59e65067efaa5c51d0159afdadb4c1bdce70
Author: Kyle Evans <kevans@FreeBSD.org>
Date:   Sun Sep 19 23:59:09 2021 -0500

    kern: random: drop read_rate and associated functionality
    
    Refer to discussion in PR 230808 for a less incomplete discussion, but
    the gist of this change is that we currently collect orders of magnitude
    more entropy than we need.
    
    The excess comes from bytes being read out of /dev/*random.  The default
    rate at which we collect entropy without the read_rate increase is
    already more than we need to recover from a compromise of an internal
    state.

commit 238ae5d7a77f24134c985cbf2caa49a04e8af275
Author: Kyle Evans <kevans@FreeBSD.org>
Date:   Mon Sep 20 00:46:21 2021 -0500

    kern: random: collect ~16x less from fast-entropy sources
    
    Previously, we were collecting at a base rate of:
    
    64 bits x 32 pools x 10 Hz = 2.5 kB/s
    
    This change drops it to closer to 64-ish bits per pool per second, to
    work a little better with entropy providers in virtualized environments
    without compromising the security goals of Fortuna.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kevans requested review of this revision.Sep 20 2021, 6:12 AM
kevans created this revision.
kevans added inline comments.Sep 20 2021, 6:15 AM
sys/dev/random/random_harvestq.c
81

This is a little convoluted, but I included it as-is to demonstrate the goal rate...

cem added a subscriber: cem.Sep 20 2021, 9:04 AM
cem added inline comments.
sys/dev/random/fortuna.c
76–83 ↗(On Diff #95373)

I think we could drop this part -- I misspoke earlier re: reseed interval. The virtio-rng volume is coming entirely from the background thread polling fast random sources frequently, which *happens* to also be 10 Hz prior to this revision, but is orthogonal to the reseed interval.

sys/dev/random/random_harvestq.c
83–84

Maybe also static assert > 0

229

Effectively, this goes from 2 to 1, right?

244

I was imagining breaking this loop up, so we only did a subset of poolcount every 100ms iteration of random_kthread. That could get us down anywhere from 2-32x lower read rates.

kevans updated this revision to Diff 95430.Sep 21 2021, 7:45 AM
kevans marked 3 inline comments as done.
kevans edited the summary of this revision. (Show Details)

Address comments, maybe

cem added a comment.Sep 21 2021, 5:13 PM

Let’s re-remove read_rate_increment but otherwise it’s looking good to me.

sys/dev/random/random_harvestq.h
45

I think this got restored on accident.

kevans updated this revision to Diff 95461.Sep 21 2021, 5:18 PM

Whoops, fix git snafu. I also had some inline review comments that remained unsubmitted, but I went ahead and nuked those because the changes mentioned have already generally been observed. :-)

cem accepted this revision.Sep 21 2021, 5:42 PM

Lgtm, thanks for driving this.

This revision is now accepted and ready to land.Sep 21 2021, 5:42 PM
delphij accepted this revision.Sep 21 2021, 6:04 PM
delphij added a subscriber: delphij.

LGTM; I'd use howmany() for npools (see suggested edit inline).

sys/dev/random/random_harvestq.c
247–248

[OPTIONAL] I'd use howmany here.

delphij added a comment.Sep 21 2021, 6:08 PM

Another observation (unrelated to your change) is that the current RANDOM_KTHREAD_HZ was 10; we might want to choose a power of two value that is close (8 maybe?) to simplify some calculation?

kevans added inline comments.Sep 21 2021, 6:11 PM
sys/dev/random/random_harvestq.c
247–248

Oh, good call. I will switch it pre-commit. Thanks!

kevans added a comment.Sep 22 2021, 6:09 AM
In D32021#723250, @delphij wrote:

Another observation (unrelated to your change) is that the current RANDOM_KTHREAD_HZ was 10; we might want to choose a power of two value that is close (8 maybe?) to simplify some calculation?

Sorry, I missed this one earlier. Is there a csprng@ list/alias that we can raise this to in a general context? re: calculations here, at least, I think we're largely indifferent...the slop from overshooting the target is basically insignificant.

markm accepted this revision.Sep 22 2021, 7:44 AM
Closed by commit rG6895cade9421: kern: random: drop read_rate and associated functionality (authored by kevans). · Explain WhySep 23 2021, 6:03 AM
This revision was automatically updated to reflect the committed changes.
kevans added a commit: rG6895cade9421: kern: random: drop read_rate and associated functionality.
kevans added a commit: rG5e79bba562bc: kern: random: collect ~16x less from fast-entropy sources.

Revision Contents
Changeset List

PathSize
sys/
dev/
random/
2 lines
18 lines
2 lines

Diff 95547

View Options

sys/dev/random/random_harvestq.h

Loading...
View Options

sys/dev/random/random_harvestq.c

Loading...
View Options

sys/dev/random/randomdev.c

Loading...