On Mon, Nov 11, 2019 at 11:13 AM Stephan Müller <smueller@xxxxxxxxxx> wrote: > > The following patch set provides a different approach to /dev/random which is > called Linux Random Number Generator (LRNG) to collect entropy within the Linux > kernel. The main improvements compared to the existing /dev/random is to provide > sufficient entropy during boot time as well as in virtual environments and when > using SSDs. A secondary design goal is to limit the impact of the entropy > collection on massive parallel systems and also allow the use accelerated > cryptographic primitives. Also, all steps of the entropic data processing are > testable. This is very nice! > > The LRNG patch set allows a user to select use of the existing /dev/random or > the LRNG during compile time. As the LRNG provides API and ABI compatible > interfaces to the existing /dev/random implementation, the user can freely chose > the RNG implementation without affecting kernel or user space operations. > > This patch set provides early boot-time entropy which implies that no > additional flags to the getrandom(2) system call discussed recently on > the LKML is considered to be necessary. I'm uneasy about this. I fully believe that, *on x86*, this works. But on embedded systems with in-order CPUs, a single clock, and very lightweight boot processes, most or all of boot might be too deterministic for this to work. I have a somewhat competing patch set here: https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/log/?h=random/kill-it (Ignore the "horrible test hack" and the debugfs part.) The basic summary is that I change /dev/random so that it becomes functionally identical to getrandom(..., 0) -- in other words, it blocks until the CRNG is initialized but is then identical to /dev/urandom. And I add getrandom(...., GRND_INSECURE) that is functionally identical to the existing /dev/urandom: it always returns *something* immediately, but it may or may not actually be cryptographically random or even random at all depending on system details. In other words, my series simplifies the ABI that we support. Right now, we have three ways to ask for random numbers with different semantics and we need to have to RNGs in the kernel at all time. With my changes, we have only two ways to ask for random numbers, and the /dev/random pool is entirely gone. Would you be amenable to merging this into your series (i.e. either merging the code or just the ideas)? This would let you get rid of things like the compile-time selection of the blocking TRNG, since the blocking TRNG would be entirely gone. Or do you think that a kernel-provided blocking TRNG is a genuinely useful thing to keep around? --Andy