User Details
- User Since: Jul 9 2015, 9:56 PM (499 w, 2 d)
Dec 8 2024
Is the associated hardware documentation public, and if so, could you link to it?
Nov 29 2024
I have no objection.
Nov 21 2024
Yes, yes. It is easier to analyze with e.g. rand2() % 3. But you and Ed have both mentioned a way to measure this for rand32 more tractably -- great!
Nov 20 2024
Yeah, you can do a simple bias test with an upper limit of 3 for example. Bucket 0 is more likely than buckets 1 and 2 under a simplistic rand32() % 3 implementation. Or something like that. It is probably easier to measure with a smaller power of 2 generator.
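An added example (not code from the revision under review or from the FreeBSD tree) that runs the bias test described above exhaustively: every output of an ideal k-bit generator is pushed through `x % s` and, for comparison, through Lemire's multiply-shift reduction, and the bucket counts are tallied. The function names `lemire_reduce` and `tally_buckets` are this example's own; with k = 4 and s = 3 the uneven split is visible by hand.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lemire's multiply-shift reduction for an ideal k-bit generator output x
 * (k <= 32, 0 < s < 2^k).  Returns a bucket in [0, s), or -1 when x falls
 * in the rejection region and the caller must draw again. */
static int64_t lemire_reduce(unsigned k, uint32_t s, uint64_t x)
{
    uint64_t range = (uint64_t)1 << k;
    uint64_t m = x * s;            /* fits in 64 bits: x, s < 2^32 */
    uint64_t l = m & (range - 1);  /* low k bits of the product */

    if (l < s) {                   /* only these x can be biased */
        uint64_t t = (range - s) % s;  /* 2^k mod s: size of the overhang */
        if (l < t)
            return -1;             /* reject; retry with a fresh draw */
    }
    return (int64_t)(m >> k);      /* high bits select the bucket */
}

/* Feed every one of the 2^k generator outputs through either "x % s" or
 * Lemire's reduction and count how many land in each bucket.  counts[]
 * must hold s entries; the return value is the number of rejected draws
 * (always 0 on the modulo path, which never rejects). */
static uint64_t tally_buckets(unsigned k, uint32_t s, int use_lemire,
    uint64_t *counts)
{
    uint64_t rejected = 0;

    memset(counts, 0, sizeof(counts[0]) * s);
    for (uint64_t x = 0; x < ((uint64_t)1 << k); x++) {
        int64_t b = use_lemire ? lemire_reduce(k, s, x) : (int64_t)(x % s);
        if (b < 0)
            rejected++;
        else
            counts[b]++;
    }
    return rejected;
}

int main(void)
{
    /* A 4-bit "rand" into 3 buckets: 16 values cannot split evenly, and
     * modulo hands the extra one to bucket 0.  Lemire rejects it instead. */
    uint64_t c[3];
    for (int lemire = 0; lemire < 2; lemire++) {
        uint64_t rej = tally_buckets(4, 3, lemire, c);
        printf("%-6s buckets: %llu %llu %llu  rejected: %llu\n",
            lemire ? "lemire" : "modulo", (unsigned long long)c[0],
            (unsigned long long)c[1], (unsigned long long)c[2],
            (unsigned long long)rej);
    }
    return 0;
}
```

Raising k to 8 gives 86/85/85 for modulo versus 85/85/85 with one rejection for Lemire; the same tally works for rand32 with k = 32, it just takes 2^32 iterations.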
Nov 18 2024
Some context on the Lemire idea if others haven't seen it:
Sep 18 2024
This is now sort of a layering violation, right? We're assuming Fortuna implements devrandom, but the interface is pluggable. We have 2-3 implementations in tree, and integrators might write their own for compliance reasons.
Sep 12 2024
In random_early_prime we divide the input into blocks of size sizeof(event.he_entropy) and then process those one by one, with each block only being fed into one pool. So simply padding the entropy with zeros would result in most of the pools having no entropy.
I don't think there's any reason to spread this using pbkdf2 just to defeat the Fortuna input seeding thresholds. You might as well seed the 64 bytes and then 2048-64 bytes of zero, or whatever. (Internally Fortuna is compressing the provided seed material using SHA2.)
Mar 3 2023
Nice observation and fix.
No objection. I'll let someone else stamp it.
Sep 29 2022
Nevermind
Aug 9 2022
As mentioned in email, we might also consider publishing a seed generation to the VDSO page from Fortuna.
Jul 13 2022
Something to keep in mind re: exactly 64 is that it's possible for entropy sources to return less entropy than was requested, if for example some internal state means they don't have anything available at the moment. That's one reason I prefer polling repeatedly until seeded (or some spin threshold is crossed).
Discussed with: cem
May 14 2022
Seems reasonable to me.
May 12 2022
Seems very reasonable to me. Thanks!
Apr 18 2022
LGTM. My only bikeshed contribution is maybe gctl_get_devnameparam or get_devparam. But I don’t object to the current name.
Mar 1 2022
Setting cstd seems strongly preferable vs making upstream updates more difficult.
Feb 28 2022
Either way seems fine to me. I’d ask vangyzen or bdrewery for input.
Feb 6 2022
Looks like TESTAB expects boolean (0 and 1) values, too.
Feb 3 2022
Looks fine to me. We should probably also actively feed jitter entropy if we hit the blocked state on boot, but that doesn't mean we shouldn't just do this first.
Jan 8 2022
Typo in summary: s/path/patch/
Jan 3 2022
Thanks.
Dec 29 2021
I’m hoping emaste will be able to test and commit it.
Dec 28 2021
LGTM, thanks.
Dec 15 2021
LGTM modulo overflow concern and what looks like a typo.
Dec 11 2021
Lgtm. I didn’t attempt to verify the asm implementation.
Nov 29 2021
Seems ok in principle.
At a minimum, you have rdseed (rdrand). But I expect there are other non-ethernet sources present as well.
Nov 19 2021
The problem is that in some use cases we might not have a lot of good entropy sources, with the ethernet being the only good candidate.
Nov 17 2021
Consider just disabling Ethernet entropy collection instead. In fact, I thought it was off by default in approximately the 13 timeframe. Maybe even 12.
Nov 16 2021
Cool
Nov 13 2021
Fortuna doesn't specify the 100ms sleep behavior, as far as I can tell. Removing it seems reasonable to me.
Oct 29 2021
This change should come with a motivational ministat graph.
Oct 25 2021
I meant fundamentally bad idea. Very little work should happen in interrupt context. Taking a global lock and running AES in software is somewhat expensive.
Oct 13 2021
I don't believe anything should be consuming random in interrupt contexts. Could you elaborate on the scenario / bug?
Sep 25 2021
Address of packed member? How?
Sep 21 2021
Lgtm, thanks for driving this.
Let’s re-remove read_rate_increment but otherwise it’s looking good to me.
Sep 18 2021
I hadn’t seen the patch moving the stack buffer to the softc when I wrote my earlier remarks. I still think we should be polling less volume.
As mentioned earlier in the stack I don’t think this mitigation is great.
I don’t think this is a great mitigation for random - the pending request will still be written in guest memory, and we need the queue completion to know when we can free the memory.
Aug 30 2021
Lgtm.
Aug 12 2021
LTO builds can see across CUs. I don’t know of any particular pass that would eliminate this, though.
Aug 11 2021
It's not exactly a false positive, although poisoning the output as uninitialized is sort of unhelpful. Are we confident the compiler isn't eliminating access to it (due to UB) outside of KMSAN? In the abstract, I think we would prefer to eliminate bypass_before_seeding.