On Sat, Oct 17, 2020 at 03:40:08AM +0200, Jann Horn wrote: > [adding some more people who are interested in RNG stuff: Andy, Jason, > Theodore, Willy Tarreau, Eric Biggers. also linux-api@, because this > concerns some pretty fundamental API stuff related to RNG usage] > > On Fri, Oct 16, 2020 at 4:33 PM Catangiu, Adrian Costin > <acatan@xxxxxxxxxx> wrote: > > This patch is a driver which exposes the Virtual Machine Generation ID > > via a char-dev FS interface that provides ID update sync and async > > notification, retrieval and confirmation mechanisms: > > > > When the device is 'open()'ed a copy of the current vm UUID is > > associated with the file handle. 'read()' operations block until the > > associated UUID is no longer up to date - until HW vm gen id changes - > > at which point the new UUID is provided/returned. Nonblocking 'read()' > > uses EWOULDBLOCK to signal that there is no _new_ UUID available. > > > > 'poll()' is implemented to allow polling for UUID updates. Such > > updates result in 'EPOLLIN' events. > > > > Subsequent read()s following a UUID update no longer block, but return > > the updated UUID. The application needs to acknowledge the UUID update > > by confirming it through a 'write()'. > > Only on writing back to the driver the right/latest UUID, will the > > driver mark this "watcher" as up to date and remove EPOLLIN status. > > > > 'mmap()' support allows mapping a single read-only shared page which > > will always contain the latest UUID value at offset 0. > > It would be nicer if that page just contained an incrementing counter, > instead of a UUID. It's not like the application cares *what* the UUID > changed to, just that it *did* change and all RNGs state now needs to > be reseeded from the kernel, right? And an application can't reliably > read the entire UUID from the memory mapping anyway, because the VM > might be forked in the middle. > > So I think your kernel driver should detect UUID changes and then turn > those into a monotonically incrementing counter. (Probably 64 bits > wide?) (That's probably also a little bit faster than comparing an > entire UUID.) I agree with this. Further, I'm observing there is a very common confusion between "universally unique" and "random". Randoms are needed when seeking unpredictability. A random number generator *must* be able to return the same value multiple times in a row (though this is rare), otherwise it's not random. To illustrate this, a die has less than 3 bits of randomness and is sufficient to play games with friends where a counter would allow everyone to cheat. Conversely if you want to assign IDs to members of your family you'd rather use a counter than a die for this or you risk collisions and/or long series of retries to pick unique IDs. RFC4122 explains in great length how to produce guaranteed unique IDs, and this only involves space, time and counters. There's indeed a lazy variant that probably everyone uses nowadays, consisting in picking random numbers, but this is not guaranteed unique anymore. If the UUIDs used there are real UUIDs, it could be as simple as updating them according to their format, i.e. updating the timestamp, and if the timestamp is already the same, just increase the seq counter. Doing this doesn't require entropy, doesn't need to block and doesn't needlessly leak randoms that sometimes make people feel nervous. Just my two cents, Willy