akira2501
a year ago
You should not be calling getentropy() often enough to be concerned about it's performance. Of course RAND_bytes will be faster because it doesn't have to context switch into ring 0 to do the job. The vDSO feels like a complete punt by libc authors on providing a sane interface to random number generation particularly in threaded environments, but to be fair, POSIX really is zero help here.
Finally if you just need to seed an RNG once in a single threaded process, there's always getauxval(3) with the AT_RANDOM op, combined with any number of RNGs works a real treat.
fanf2
a year ago
Why would I use Linux-only getauxval() when POSIX specifies a reasonably portable getentropy()?
Your theory about the relative performance is what I thought, but it turns out not to be the case for older versions of OpenSSL.
The cover letter for getrandom() vDSO support explains the whys and wherefores pretty well https://lwn.net/ml/all/20240712014009.281406-1-Jason@zx2c4.c...
akira2501
a year ago
Auxiliary values are a part of the ELF specification.
Did you compare older versions of OpenSSL against the kernels that were contemporary to their release dates?
And I read the LKML thread. In particular, I don't agree with statement 2, which seems to boil down to "it's harder to get right on VMs, and one time we forgot we had to special case hibernation, so that serves as justification for the vDSO."
The notion seemingly being "we want to make it easy to write carefree cryptographically secure code all managed by the kernel." I think you can have two of those three but probably not all three at once. What end state are we actually trying to create here?
fanf2
a year ago
Auxiliary values are part of ELF, but it only specifies the layout in memory. ELF doesn’t specify a header that defines the AT_… values and some systems don’t even spell them with that prefix.
djbusby
a year ago
> What end state are we actually trying to create here?
Getting sufficiently random bits (perhaps crypto) in a portable and fast way.
dale_glass
a year ago
I don't see what the big deal is here? Why fight so much over such a tiny patch?
To me this all seems like a no-brainer. A performant way to do a security-critical thing with less footguns, using an already existing mechanism.
akira2501
a year ago
I don't see what's making you interpret this as a "big deal" or a "fight." This is Hacker News on a Saturday. I'm offering some really light and off the cuff analysis over what may potentially be a bad feature.
I would not consider the kernel's internal entropy management a way to find "less foot guns." I don't think I'm the only one who feels this way, in particular, I think it's telling that the only way to form a cogent argument around this feature is by invoking VMs with bad vendor state management facilities.
Anyways.. I felt like commenting because this generally feels like the "worse is actually better" trend in kernel development that's become en vogue lately. I personally, just don't like it, and I thought this was a forum where I could just basically say that, without someone feeling confronted by it.
why_only_15
a year ago
Why does portability matter here? I guess if you want to run on macOS too?
monocasa
a year ago
Can't getentropy(3) block for arbitrary amounts of time since it's based on get getrandom(2), whereas the data for AT_RANDOM is already on the initial thread's stack?
jart
a year ago
The getrandom(2) man page guarantees it doesn't block or get a signal if it's less than 256 bytes and you're not using GRND_RANDOM. That's basically the subset of getrandom that getentropy uses.
monocasa
a year ago
That's not my reading.
> If the urandom source has not yet been initialized, then getrandom() will block, unless GRND_NONBLOCK is specified in flags.
And glibc's implementation doesn't specify any flags. https://github.com/bminor/glibc/blob/e67f8e6dbd5ec98578a775b...
Where as GRND_RANDOM is about switching to the random source instead of the urandom source.
> GRND_RANDOM
> If this bit is set, then random bytes are drawn from the random source (i.e., the same source as the /dev/random device) instead of the urandom source....
The combo seems to imply both sources can block, urandom is just less likely to.
dfox
a year ago
IIRC OpenBSD's arc4random (even in the kernel) gets its initial seed by pretty much identical mechanism as linux-specific getauxval(AT_RANDOM).
fanf2
a year ago
No, userland arc4random() calls getentropy()
https://cvsweb.openbsd.org/src/lib/libc/crypt/arc4random.c?r...
I have not investigated OpenBSD’s boot-time kernel RNG keying.
user
a year ago