On Fri, Apr 22, 2022 at 11:42:04AM +0200, Jason A. Donenfeld wrote:
> Hi Eric,
>
> On Thu, Apr 21, 2022 at 05:34:58PM -0700, Eric Biggers wrote:
> > On Fri, Apr 22, 2022 at 01:40:25AM +0200, Jason A. Donenfeld wrote:
> > > Hi Eric,
> > >
> > > Thanks. This looks better.
> > >
> > > On Thu, Apr 21, 2022 at 04:31:52PM -0700, Eric Biggers wrote:
> > > > Therefore, increase the number of counter comparisons from 1 to 3, to
> > > > greatly reduce the rate of false positive cycle counter detections.
> > > > + for (i = 0; i < 3; i++) {
> > > > + unsigned long entropy = random_get_entropy();
> > >
> > > Wondering: why do you do 3 comparisons rather than 2? What does 3 get
> > > you that 2 doesn't already? I thought the only real requirement was that
> > > in the event where (a)!=(b), (b) is read as meaningfully close as
> > > possible to when the counter changes.
> > >
> >
> > On CONFIG_PREEMPT kernels this code usually runs with preemption enabled, so I
> > don't think it's guaranteed that any particular number of comparisons will be
> > sufficient, since the task could get preempted for a long time between each call
> > to random_get_entropy(). However, the chance of a false positive should
> > decrease exponentially, and should be pretty small in the first place, so 3
> > comparisons seems like a good number.
>
> Ahh, I see. So you check three times instead of disabling
> preemption/irqs, which would be awfully heavy weight. Seems like a
> reasonable compromise.
>
> By the way, I was thinking about the assumptions we're making with this
> comparison ("two adjacent counters shouldn't be the same") in the
> context of this idea from my first reply to you:
Rather than buggy inline email code, I made a real patch out of it for
your consideration:
https://lore.kernel.org/linux-crypto/20220422132027.1267060-1-Jason@xxxxxxxxx/
Jason
