• J
    random: always use batched entropy for get_random_u{32,64} · 69efea71
    Jason A. Donenfeld 提交于
    It turns out that RDRAND is pretty slow. Comparing these two
    constructions:
    
      for (i = 0; i < CHACHA_BLOCK_SIZE; i += sizeof(ret))
        arch_get_random_long(&ret);
    
    and
    
      long buf[CHACHA_BLOCK_SIZE / sizeof(long)];
      extract_crng((u8 *)buf);
    
    it amortizes out to 352 cycles per long for the top one and 107 cycles
    per long for the bottom one, on Coffee Lake Refresh, Intel Core i9-9880H.
    
    And importantly, the top one has the drawback of not benefiting from the
    real rng, whereas the bottom one has all the nice benefits of using our
    own chacha rng. As get_random_u{32,64} gets used in more places (perhaps
    beyond what it was originally intended for when it was introduced as
    get_random_{int,long} back in the md5 monstrosity era), it seems like it
    might be a good thing to strengthen its posture a tiny bit. Doing this
    should only be stronger and not any weaker because that pool is already
    initialized with a bunch of rdrand data (when available). This way, we
    get the benefits of the hardware rng as well as our own rng.
    
    Another benefit of this is that we no longer hit pitfalls of the recent
    stream of AMD bugs in RDRAND. One often used code pattern for various
    things is:
    
      do {
      	val = get_random_u32();
      } while (hash_table_contains_key(val));
    
    That recent AMD bug rendered that pattern useless, whereas we're really
    very certain that chacha20 output will give pretty distributed numbers,
    no matter what.
    
    So, this simplification seems better both from a security perspective
    and from a performance perspective.
    Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
    Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Link: https://lore.kernel.org/r/20200221201037.30231-1-Jason@zx2c4.comSigned-off-by: NTheodore Ts'o <tytso@mit.edu>
    69efea71
random.c 67.7 KB