mbox series

[v36,00/13] /dev/random - a new approach

Message ID 3073852.aeNJFYEL58@positron.chronox.de
Headers show
Series /dev/random - a new approach | expand

Message

Stephan Mueller Oct. 19, 2020, 7:28 p.m. UTC
Hi,

The following patch set provides a different approach to /dev/random which
is called Linux Random Number Generator (LRNG) to collect entropy within
the Linux kernel. It provides the same API and ABI and can be used as a
drop-in replacement.

The LRNG implements at least all features of the existing /dev/random such as
NUMA-node-local DRNGs. Patches 1 through 3 provide the code that is feature-
identical. The following advantages compared to the existing /dev/random
implementation are present:

* Sole use of crypto for data processing:

 - Exclusive use of a hash operation for conditioning entropy data with
   a clear mathematical description as given in [2] section 2.2 -
   non-cryptographic operations like LFSR are not used.

 - The LRNG uses only properly defined and implemented cryptographic
   algorithms unlike the use of the SHA-1 transformation in the existing
   /dev/random implementation.

 - Hash operations use NUMA-node-local hash instances to benefit large
   parallel systems.

 - LRNG uses limited number of data post-processing steps as documented in
   [2] section 2.2 compared to the large variation of different
   post-processing steps in the existing /dev/random implementation that
   have no apparent mathematical description (see [2] section 4.5).

* Performance

 - Faster by up to 75% in the critical code path of the interrupt handler
   depending on data collection size configurable at kernel compile time -
   the default is about equal in performance with existing /dev/random as
   outlined in [2] section 4.2.

 - Configurable data collection sizes to accommodate small environments
   and big environments via CONFIG_LRNG_COLLECTION_SIZE.

 - Entropy collection using an almost never contended lock to benefit
   large parallel systems – worst case rate of contention is the number
   of DRNG reseeds, usually the number of potential contentions per 10
   minutes is equal to number of NUMA nodes.

 - ChaCha20 DRNG is significantly faster as implemented in the existing
   /dev/random as demonstrated with [2] table 2.

 - Faster entropy collection during boot time to reach fully seeded
   level, including on virtual systems or systems with SSDs as outlined
   in [2] section 4.1.

* Testing

 - Availablility of run-time health tests of the raw unconditioned
   noise source to identify degradation of the available entropy as
   documented in [2] section 2.5.4. Such health tests are important
   today due to virtual machine monitors reducing the resolution of
   or disabling the high-resolution timer.

 - Heuristic entropy estimation is based on quantitative measurements
   and analysis following SP800-90B and not on coincidental
   underestimation of entropy applied by the existing /dev/random as
   outlined in [4] section 4.4.

 - Power-on self tests for critical deterministic components (ChaCha20
   DRNG, software hash implementation, and entropy collection logic)
   not already covered by power-up tests of the kernel crypto API as
   documented in [2] section 2.14.

 - Availability of test interfaces for all operational stages of the
   LRNG including boot-time raw entropy event data sampling as outlined
   in [2] section 2.15.

 - Fully testable ChaCha20 DRNG via a userspace ChaCha20 DRNG
   implementation [3].

 - In case of using the kernel crypto API SHASH hash implementation, it
   is fully testable and tested via the NIST ACVP test framework, for
   example certificates A734, A737, and A738.

 - The LRNG offers a test interface to validate the used software hash
   implementation and in particular that the LRNG invokes the hash
   correctly, allowing a NIST ACVP-compliant test cycle - see [2]
   section 2.15.

 - Availability of stress testing covering the different code paths for
   data and mechanism (de)allocations and code paths covered with locks.

* Entropy collection

 - The LRNG is shipped with test tools allowing the collection of
   raw unconditioned entropy during runtime and boot time available at
   [1].

 - Full entropy assessment and description is provided with [2] chapter 3,
   specifically section 3.2.6.

 - Guarantee that entropy events are not credited with entropy twice
   (the existing /dev/random implementation credits HID/disk and
   interrupt events with entropy which are a derivative of each other)
   and guarantee that entropy data is not reused for two different use
   cases (as done in the existing /dev/random implementation when
   injecting a part of fast_pool into the net_rand_state).

* Configurable

 - LRNG kernel configuration allows configuration that is functionally
   equivalent to the existing /dev/random. Non-compiled additional code
   is folded into no-ops.

 - The following additional functions are compile-time selectable
   independent of each other:

  + Enabling of switchable cryptographic implementation support. This
    allows enabling an SP800-90A DRBG.

  + Enabling of using Jitter RNG noise source.

  + Enabling of noise source health tests.

  + Enabling of test interface allowing to enable each test interface
    individually.

  + Enabling of the power-up self test.

 - At boot-time, the SP800-90B health tests can be enabled as outlined
   in [2] section 2.5.4.

 - At boot-time, the entropy rate used to credit the external CPU-based
   noise source and Jitter RNG noise source can be configured including
   setting an entropy rate of zero or full entropy - see [2] sections
   2.5.2 and 2.5.3.

* Run-time pluggable cryptographic implementations used for all data
  processing steps specified in [2] section 2.2

 - The DRNG can be replaced with a different implementation allowing
   any type of DRNG to provide data via the output interfaces. The LRNG
   provides the following types of DRNG implementations:

  + ChaCha20-based software implementation that is used per default.

  + SP800-90A DRBG using accelerated cryptographic implementations that
    may sleep.

  + Any DRNG that is accessible via the kernel crypto API RNG subsystem.

 - The hash component can be replaced with any other hash implementation
   provided the implementation does not sleep. The LRNG provides the
   access to the following types of non-sleeping hash implementations:

  + SHA-256 software implementation that is used per default. Due to
    kernel build system inconsistencies, the software SHA-1 implementation
    is used if the kernel crypto API is not compiled.

  + SHA-512 hash using the fastest hash implementation available via the
    kernel crypto API SHASH subsystem.

* Code structure

 - The LRNG source code is available for current upstream Linux kernel
   separate to the existing /dev/random which means that users who are
   conservative can use the unchanged existing /dev/random implementation.

 - Back-port patches are available at [5] to apply the LRNG to Linux
   kernel versions of 5.8, 5.4, 4.19, 4.14, 4.12, and 4.10. Patches for
   other kernel versions are easily derived from the existing ones.

Booting the patch with the kernel command line option
"dyndbg=file drivers/char/lrng/* +p" generates logs indicating the
operation of the LRNG. Each log is pre-pended with "lrng".

An entropy analysis is performed on the following systems - details
are given in [2] appendix C:

* x86 KVM virtualized guest 32 and 64 bit systems

* x86 bare metal

* older and newer ARMv7 system

* ARM64

* POWER7 LE and POWER 8 BE

* IBM Z System mainframe

* old MIPS embedded device

* testing with GCC and Clang

[1] https://www.chronox.de/lrng.html - If the patch is accepted, I would
be volunteering to convert the documentation into RST format and
contribute it to the Linux kernel documentation directory.

[2] https://www.chronox.de/lrng/doc/lrng.pdf

[3] https://www.chronox.de/chacha20_drng.html

[4] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/LinuxRNG/LinuxRNG_EN_V4_1.pdf

[5] https://github.com/smuellerDD/lrng/tree/master/backports

Changes (compared to the previous patch set) - individual patches
are visible at https://github.com/smuellerDD/lrng/commits/master:

* fix display of available entropy - the fix only affects the display of
  available entropy at /proc/sys/kernel/random/entropy_avail

* simplify code to obtain available and max entropy

* always reset entropy gathering interface when listener detaches

CC: Torsten Duwe <duwe@lst.de>
CC: "Eric W. Biederman" <ebiederm@xmission.com>
CC: "Alexander E. Patrakov" <patrakov@gmail.com>
CC: "Ahmed S. Darwish" <darwish.07@gmail.com>
CC: "Theodore Y. Ts'o" <tytso@mit.edu>
CC: Willy Tarreau <w@1wt.eu>
CC: Matthew Garrett <mjg59@srcf.ucam.org>
CC: Vito Caputo <vcaputo@pengaru.com>
CC: Andreas Dilger <adilger.kernel@dilger.ca>
CC: Jan Kara <jack@suse.cz>
CC: Ray Strode <rstrode@redhat.com>
CC: William Jon McCann <mccann@jhu.edu>
CC: zhangjs <zachary@baishancloud.com>
CC: Andy Lutomirski <luto@kernel.org>
CC: Florian Weimer <fweimer@redhat.com>
CC: Lennart Poettering <mzxreary@0pointer.de>
CC: Nicolai Stange <nstange@suse.de>
CC: Eric Biggers <ebiggers@kernel.org>
Tested-by: Roman Drahtmüller <draht@schaltsekun.de>
Tested-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>

Stephan Mueller (13):
  Linux Random Number Generator
  LRNG - allocate one DRNG instance per NUMA node
  LRNG - sysctls and /proc interface
  LRNG - add switchable DRNG support
  LRNG - add common generic hash support
  crypto: DRBG - externalize DRBG functions for LRNG
  LRNG - add SP800-90A DRBG extension
  LRNG - add kernel crypto API PRNG extension
  crypto: provide access to a static Jitter RNG state
  LRNG - add Jitter RNG fast noise source
  LRNG - add SP800-90B compliant health tests
  LRNG - add interface for gathering of raw entropy
  LRNG - add power-on and runtime self-tests

 MAINTAINERS                                   |   7 +
 crypto/drbg.c                                 |  16 +-
 crypto/jitterentropy-kcapi.c                  |   3 +-
 crypto/jitterentropy.c                        |  31 +-
 drivers/char/Kconfig                          |   2 +
 drivers/char/Makefile                         |   9 +-
 drivers/char/lrng/Kconfig                     | 353 +++++++++
 drivers/char/lrng/Makefile                    |  20 +
 drivers/char/lrng/lrng_archrandom.c           |  93 +++
 drivers/char/lrng/lrng_aux.c                  | 136 ++++
 drivers/char/lrng/lrng_chacha20.c             | 352 +++++++++
 drivers/char/lrng/lrng_chacha20.h             |  29 +
 drivers/char/lrng/lrng_drbg.c                 | 197 +++++
 drivers/char/lrng/lrng_drng.c                 | 406 +++++++++++
 drivers/char/lrng/lrng_health.c               | 407 +++++++++++
 drivers/char/lrng/lrng_interfaces.c           | 649 +++++++++++++++++
 drivers/char/lrng/lrng_internal.h             | 429 +++++++++++
 drivers/char/lrng/lrng_jent.c                 |  88 +++
 drivers/char/lrng/lrng_kcapi.c                | 228 ++++++
 drivers/char/lrng/lrng_kcapi_hash.c           |  97 +++
 drivers/char/lrng/lrng_kcapi_hash.h           |  19 +
 drivers/char/lrng/lrng_numa.c                 | 108 +++
 drivers/char/lrng/lrng_pool.c                 | 457 ++++++++++++
 drivers/char/lrng/lrng_proc.c                 | 182 +++++
 drivers/char/lrng/lrng_selftest.c             | 344 +++++++++
 drivers/char/lrng/lrng_sw_noise.c             | 466 ++++++++++++
 drivers/char/lrng/lrng_sw_noise.h             |  56 ++
 drivers/char/lrng/lrng_switch.c               | 203 ++++++
 drivers/char/lrng/lrng_testing.c              | 689 ++++++++++++++++++
 include/crypto/drbg.h                         |   7 +
 .../crypto/internal}/jitterentropy.h          |   3 +
 include/linux/lrng.h                          |  79 ++
 32 files changed, 6155 insertions(+), 10 deletions(-)
 create mode 100644 drivers/char/lrng/Kconfig
 create mode 100644 drivers/char/lrng/Makefile
 create mode 100644 drivers/char/lrng/lrng_archrandom.c
 create mode 100644 drivers/char/lrng/lrng_aux.c
 create mode 100644 drivers/char/lrng/lrng_chacha20.c
 create mode 100644 drivers/char/lrng/lrng_chacha20.h
 create mode 100644 drivers/char/lrng/lrng_drbg.c
 create mode 100644 drivers/char/lrng/lrng_drng.c
 create mode 100644 drivers/char/lrng/lrng_health.c
 create mode 100644 drivers/char/lrng/lrng_interfaces.c
 create mode 100644 drivers/char/lrng/lrng_internal.h
 create mode 100644 drivers/char/lrng/lrng_jent.c
 create mode 100644 drivers/char/lrng/lrng_kcapi.c
 create mode 100644 drivers/char/lrng/lrng_kcapi_hash.c
 create mode 100644 drivers/char/lrng/lrng_kcapi_hash.h
 create mode 100644 drivers/char/lrng/lrng_numa.c
 create mode 100644 drivers/char/lrng/lrng_pool.c
 create mode 100644 drivers/char/lrng/lrng_proc.c
 create mode 100644 drivers/char/lrng/lrng_selftest.c
 create mode 100644 drivers/char/lrng/lrng_sw_noise.c
 create mode 100644 drivers/char/lrng/lrng_sw_noise.h
 create mode 100644 drivers/char/lrng/lrng_switch.c
 create mode 100644 drivers/char/lrng/lrng_testing.c
 rename {crypto => include/crypto/internal}/jitterentropy.h (84%)
 create mode 100644 include/linux/lrng.h

Comments

Torsten Duwe Oct. 28, 2020, 5:51 p.m. UTC | #1
On Mon, 19 Oct 2020 21:28:50 +0200
Stephan Müller <smueller@chronox.de> wrote:
[...]
> * Sole use of crypto for data processing:
[...]
>  - The LRNG uses only properly defined and implemented cryptographic
>    algorithms unlike the use of the SHA-1 transformation in the
> existing /dev/random implementation.
> 
>  - Hash operations use NUMA-node-local hash instances to benefit large
>    parallel systems.
> 
>  - LRNG uses limited number of data post-processing steps
[...]
> * Performance
> 
>  - Faster by up to 75% in the critical code path of the interrupt
> handler depending on data collection size configurable at kernel
> compile time - the default is about equal in performance with
> existing /dev/random as outlined in [2] section 4.2.

[...]
>  - ChaCha20 DRNG is significantly faster as implemented in the
> existing /dev/random as demonstrated with [2] table 2.
> 
>  - Faster entropy collection during boot time to reach fully seeded
>    level, including on virtual systems or systems with SSDs as
> outlined in [2] section 4.1.
> 
> * Testing
[...]

So we now have 2 proposals for a state-of-the-art RNG, and over a month
without a single comment on-topic from any `get_maintainer.pl`

I don't want to emphasise the certification aspects so much. The
interrelation is rather that those certifications require certain code
features, features which are reasonable per se. But the current code is
lagging way behind.

I see the focus namely on performance, scalability, testability and
virtualisation. And it certainly is an advantage to use the code
already present under crypto, with its optimisations, and not rely
on some home brew.

Can we please have a discussion about how to proceed?
Ted, Greg, Arnd: which approach would you prefer?

	Torsten
Greg Kroah-Hartman Oct. 28, 2020, 6:07 p.m. UTC | #2
On Wed, Oct 28, 2020 at 06:51:17PM +0100, Torsten Duwe wrote:
> On Mon, 19 Oct 2020 21:28:50 +0200

> Stephan Müller <smueller@chronox.de> wrote:

> [...]

> > * Sole use of crypto for data processing:

> [...]

> >  - The LRNG uses only properly defined and implemented cryptographic

> >    algorithms unlike the use of the SHA-1 transformation in the

> > existing /dev/random implementation.

> > 

> >  - Hash operations use NUMA-node-local hash instances to benefit large

> >    parallel systems.

> > 

> >  - LRNG uses limited number of data post-processing steps

> [...]

> > * Performance

> > 

> >  - Faster by up to 75% in the critical code path of the interrupt

> > handler depending on data collection size configurable at kernel

> > compile time - the default is about equal in performance with

> > existing /dev/random as outlined in [2] section 4.2.

> 

> [...]

> >  - ChaCha20 DRNG is significantly faster as implemented in the

> > existing /dev/random as demonstrated with [2] table 2.

> > 

> >  - Faster entropy collection during boot time to reach fully seeded

> >    level, including on virtual systems or systems with SSDs as

> > outlined in [2] section 4.1.

> > 

> > * Testing

> [...]

> 

> So we now have 2 proposals for a state-of-the-art RNG, and over a month

> without a single comment on-topic from any `get_maintainer.pl`

> 

> I don't want to emphasise the certification aspects so much. The

> interrelation is rather that those certifications require certain code

> features, features which are reasonable per se. But the current code is

> lagging way behind.

> 

> I see the focus namely on performance, scalability, testability and

> virtualisation. And it certainly is an advantage to use the code

> already present under crypto, with its optimisations, and not rely

> on some home brew.

> 

> Can we please have a discussion about how to proceed?

> Ted, Greg, Arnd: which approach would you prefer?


Greg and Arnd are not the random driver maintainers, as is now correctly
shown in the 5.10-rc1 MAINTAINERS file, so I doubt we (well at least I)
have any say here, sorry.

good luck!

greg k-h
Torsten Duwe Nov. 2, 2020, 1:44 p.m. UTC | #3
On Wed, 28 Oct 2020 19:07:28 +0100
Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:

> On Wed, Oct 28, 2020 at 06:51:17PM +0100, Torsten Duwe wrote:

> > On Mon, 19 Oct 2020 21:28:50 +0200

> > Stephan Müller <smueller@chronox.de> wrote:

> > [...]

> > > * Sole use of crypto for data processing:

> > [...]

> > >  - The LRNG uses only properly defined and implemented

> > > cryptographic algorithms unlike the use of the SHA-1

> > > transformation in the existing /dev/random implementation.

> > > 

> > >  - Hash operations use NUMA-node-local hash instances to benefit

> > > large parallel systems.

> > > 

> > >  - LRNG uses limited number of data post-processing steps

> > [...]

> > > * Performance

> > > 

> > >  - Faster by up to 75% in the critical code path of the interrupt

> > > handler depending on data collection size configurable at kernel

> > > compile time - the default is about equal in performance with

> > > existing /dev/random as outlined in [2] section 4.2.

> > 

> > [...]

> > >  - ChaCha20 DRNG is significantly faster as implemented in the

> > > existing /dev/random as demonstrated with [2] table 2.

> > > 

> > >  - Faster entropy collection during boot time to reach fully

> > > seeded level, including on virtual systems or systems with SSDs as

> > > outlined in [2] section 4.1.

> > > 

> > > * Testing

> > [...]

> > 

> > So we now have 2 proposals for a state-of-the-art RNG, and over a

> > month without a single comment on-topic from any `get_maintainer.pl`

> > 

> > I don't want to emphasise the certification aspects so much. The

> > interrelation is rather that those certifications require certain

> > code features, features which are reasonable per se. But the

> > current code is lagging way behind.

> > 

> > I see the focus namely on performance, scalability, testability and

> > virtualisation. And it certainly is an advantage to use the code

> > already present under crypto, with its optimisations, and not rely

> > on some home brew.

> > 

> > Can we please have a discussion about how to proceed?

> > Ted, Greg, Arnd: which approach would you prefer?

> 

> Greg and Arnd are not the random driver maintainers, as is now

> correctly shown in the 5.10-rc1 MAINTAINERS file, so I doubt we (well

> at least I) have any say here, sorry.


No problem. get_maintainer (for the proposals) works on paths, not on
topics and I didn't want to leave anybody out.

Ted, if you don't have the time any more to take care of /dev/random,
it's not a shame to hand over maintainership, especially given your
long history of Linux contributions.

Please do seriously consider to hand it over to someone new. This would
be a good opportunity.

	Torsten
Marcelo Henrique Cerri Nov. 4, 2020, 2:26 p.m. UTC | #4
On Mon, Nov 02, 2020 at 02:44:35PM +0100, Torsten Duwe wrote:
> On Wed, 28 Oct 2020 19:07:28 +0100

> Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:

> 

> > On Wed, Oct 28, 2020 at 06:51:17PM +0100, Torsten Duwe wrote:

> > > On Mon, 19 Oct 2020 21:28:50 +0200

> > > Stephan Müller <smueller@chronox.de> wrote:

> > > [...]

> > > > * Sole use of crypto for data processing:

> > > [...]

> > > >  - The LRNG uses only properly defined and implemented

> > > > cryptographic algorithms unlike the use of the SHA-1

> > > > transformation in the existing /dev/random implementation.

> > > > 

> > > >  - Hash operations use NUMA-node-local hash instances to benefit

> > > > large parallel systems.

> > > > 

> > > >  - LRNG uses limited number of data post-processing steps

> > > [...]

> > > > * Performance

> > > > 

> > > >  - Faster by up to 75% in the critical code path of the interrupt

> > > > handler depending on data collection size configurable at kernel

> > > > compile time - the default is about equal in performance with

> > > > existing /dev/random as outlined in [2] section 4.2.

> > > 

> > > [...]

> > > >  - ChaCha20 DRNG is significantly faster as implemented in the

> > > > existing /dev/random as demonstrated with [2] table 2.

> > > > 

> > > >  - Faster entropy collection during boot time to reach fully

> > > > seeded level, including on virtual systems or systems with SSDs as

> > > > outlined in [2] section 4.1.

> > > > 

> > > > * Testing

> > > [...]

> > > 

> > > So we now have 2 proposals for a state-of-the-art RNG, and over a

> > > month without a single comment on-topic from any `get_maintainer.pl`

> > > 

> > > I don't want to emphasise the certification aspects so much. The

> > > interrelation is rather that those certifications require certain

> > > code features, features which are reasonable per se. But the

> > > current code is lagging way behind.

> > > 

> > > I see the focus namely on performance, scalability, testability and

> > > virtualisation. And it certainly is an advantage to use the code

> > > already present under crypto, with its optimisations, and not rely

> > > on some home brew.

> > > 

> > > Can we please have a discussion about how to proceed?

> > > Ted, Greg, Arnd: which approach would you prefer?

> > 

> > Greg and Arnd are not the random driver maintainers, as is now

> > correctly shown in the 5.10-rc1 MAINTAINERS file, so I doubt we (well

> > at least I) have any say here, sorry.

> 

> No problem. get_maintainer (for the proposals) works on paths, not on

> topics and I didn't want to leave anybody out.

> 

> Ted, if you don't have the time any more to take care of /dev/random,

> it's not a shame to hand over maintainership, especially given your

> long history of Linux contributions.

> 

> Please do seriously consider to hand it over to someone new. This would

> be a good opportunity.

> 

> 	Torsten

>


I'd like to help with any solution upstream decide to follow either
testing or with code. I understand some of the concerns the community
has regarding FIPS but that doesn't make it less relevant and it's
totally possible to improve /dev/random while allowing it users to
decide if they want to comply to SP 800 90B. I believe the main
blocker now is the lack of direction.

-- 
Regards,
Marcelo
Stephan Mueller Nov. 10, 2020, 10:22 a.m. UTC | #5
Am Montag, 19. Oktober 2020, 21:28:50 CET schrieb Stephan Müller:

Hi,
> 

> * Performance

> 

>  - Faster by up to 75% in the critical code path of the interrupt handler

>    depending on data collection size configurable at kernel compile time -

>    the default is about equal in performance with existing /dev/random as

>    outlined in [2] section 4.2.


By streamlining the implementation a bit, the LRNG interrupt handler now 
operates about 130% faster than the existing /dev/random (average of 97 cycles 
of the existing /dev/random code vs. an average of 42 cycles of the LRNG). 
This fast operation is the default now due to patch [2]. The conceptual data 
handling outlined in [3] section 2.2 remains unchanged.

Even the addition of health tests applied to the noise source data would still 
result in a faster interrupt handling code (average of 97 cycles of the 
existing /dev/random code vs on average 78 cycles of the LRNG).

[1] https://github.com/smuellerDD/lrng/commit/
10b74b242950371273e38df78060e258d9d3ea40

[2] https://github.com/smuellerDD/lrng/commit/
383b087653c21cf20984f5508befa57e96f685ba

[3] https://chronox.de/lrng/doc/lrng.pdf

Ciao
Stephan
Torsten Duwe Nov. 17, 2020, 2:01 p.m. UTC | #6
On Mon, Nov 02, 2020 at 02:44:35PM +0100, Torsten Duwe wrote:
> 

> Ted, if you don't have the time any more to take care of /dev/random,

> it's not a shame to hand over maintainership, especially given your

> long history of Linux contributions.

> 

> Please do seriously consider to hand it over to someone new. This would

> be a good opportunity.


I can see you are quite busy working on ext4, and there is a number of
patches for drivers/char/random.c awaiting review. Wouldn't it be good
to pass it on to someone more enthusiastic?

At least some sort of reply would be appreciated.
Or are you already pondering the request ;-) ?

	Torsten