On Mon, Jun 17, 2024 at 5:12 PM Jason A. Donenfeld <Jason@xxxxxxxxx> wrote: > > Hi Andy, > > On Mon, Jun 17, 2024 at 05:06:22PM -0700, Andy Lutomirski wrote: > > On Fri, Jun 14, 2024 at 12:08 PM Jason A. Donenfeld <Jason@xxxxxxxxx> wrote: > > > > > > Provide a generic C vDSO getrandom() implementation, which operates on > > > an opaque state returned by vgetrandom_alloc() and produces random bytes > > > the same way as getrandom(). This has a the API signature: > > > > > > ssize_t vgetrandom(void *buffer, size_t len, unsigned int flags, void *opaque_state); > > > > Last time around, I mentioned some potential issues with this function > > signature, and I didn't see any answer. My specific objection was to > > the fact that the caller passes in a pointer but not a length, and > > this potentially makes reasoning about memory safety awkward, > > especially if anything like CRIU is involved. > > Oh, I understood this backwards last time - I thought you were > criticizing the size_t len argument, which didn't make any sense. > > Re-reading now, what you're suggesting is that I add an additional > argument called `size_t opaque_len`, and then the implementation does > something like: > > if (opaque_len != sizeof(struct vgetrandom_state)) > goto fallback_syscall; > > With the reasoning that falling back to syscall is better than returning > -EINVAL, because that could happen in a natural way due to CRIU. In > contrast, your objection to opaque_state not being aligned falling back > to the syscall was that it should never happen ever, so -EFAULT is more > fitting. > > Is that correct? Yes, exactly. My alternative suggestion, which is far less well formed, would be to make the opaque argument be somehow not pointer-like and be more of an opaque handle. So it would be uintptr_t instead of void *, and the user API would be built around the user getting a list of handles instead of a block of memory. The benefit would be a tiny bit less overhead (potentially), but the API would need substantially more rework. I'm not convinced that this would be worthwhile. --Andy
