Hi Simo, On Wed, May 11, 2022 at 08:59:07AM -0400, Simo Sorce wrote: > Hi Jason, > > On Wed, 2022-05-11 at 03:18 +0200, Jason A. Donenfeld wrote: > > My proposal here is made with nonce reuse in mind, for things like > > session keys that use sequential nonces. > > Although this makes sense the problem is that changing applications to > do the right thing based on which situation they are in will never be > done right or soon enough. So I would focus on a solution that makes > the CSPRNGs in crypto libraries safe. Please don't dismiss this. I realize you have your one single use case in mind, but there are others, and the distinction you gave for why we should dismiss the others to focus on yours doesn't really make any sense. Here's why: In my email I pointed out two places where VM forks impact crypto in bad ways: - Session keys, wrt nonce reuse. - Random nonces, wrt nonce reuse. There are other problems that arise from VM forks too. But these stand out because they are both quite catastrophic, whether it's duplicated ECDSA random nonces, or whether it's the same session key used with the same sequential counter to encrypt different plaintexts with something like AES-GCM or ChaCha20Poly1305. These are both very, very bad things. And both things happen in: - Libraries: crypto lib random number generators (e.g. OpenSSL), crypto lib session keys (e.g. any TLS library). - Applications: application level random number generators (e.g. Bitcoin Core *facepalm*), application level session keys (e.g. OpenSSH). So I don't think the "library vs application" distinction is really meaningful here. Rather, things kind of fall apart all over the place for a variety of reasons on VM fork. > > - https://lore.kernel.org/lkml/YnA5CUJKvqmXJxf2@xxxxxxxxx/ > > - https://lore.kernel.org/lkml/Yh4+9+UpanJWAIyZ@xxxxxxxxx/ > > - https://lore.kernel.org/lkml/CAHmME9qHGSF8w3DoyCP+ud_N0MAJ5_8zsUWx=rxQB1mFnGcu9w@xxxxxxxxxxxxxx/ > > 4c does sound like a decent solution, it is semantically identical to It does, yeah, but realistically it's never going to happen. I don't think there's a near- or medium-term chance of changing hypervisor semantics again. That means for 4-like solutions, there's 4a and 4b. By the way, that email of mine has inaccuracy in it. I complain about being in irq context, but it turns out not to be the case; we're inside of a kthread during the notification, which means we have a lot more options on what we can do. If 4 is the solution that appeals to you most, do you want to try your hand at a RFC patch for it? I don't yet know if that's the best direction to take, but the devil is kind of in the details, so it might be interesting to see how it pans out. Jason