Thread (17 messages) 17 messages, 5 authors, 2024-06-19

Re: [PATCH v17 4/5] random: introduce generic vDSO getrandom() implementation

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: 2024-06-18 19:27:56
Also in: linux-crypto, linux-patches, lkml 

On Tue, Jun 18, 2024 at 10:55:17AM -0700, Andy Lutomirski wrote:
On Mon, Jun 17, 2024 at 5:12 PM Jason A. Donenfeld [off-list ref] wrote:
quoted
Hi Andy,

On Mon, Jun 17, 2024 at 05:06:22PM -0700, Andy Lutomirski wrote:
quoted
On Fri, Jun 14, 2024 at 12:08 PM Jason A. Donenfeld [off-list ref] wrote:
quoted
Provide a generic C vDSO getrandom() implementation, which operates on
an opaque state returned by vgetrandom_alloc() and produces random bytes
the same way as getrandom(). This has a the API signature:

  ssize_t vgetrandom(void *buffer, size_t len, unsigned int flags, void *opaque_state);
Last time around, I mentioned some potential issues with this function
signature, and I didn't see any answer.  My specific objection was to
the fact that the caller passes in a pointer but not a length, and
this potentially makes reasoning about memory safety awkward,
especially if anything like CRIU is involved.
Oh, I understood this backwards last time - I thought you were
criticizing the size_t len argument, which didn't make any sense.

Re-reading now, what you're suggesting is that I add an additional
argument called `size_t opaque_len`, and then the implementation does
something like:

    if (opaque_len != sizeof(struct vgetrandom_state))
        goto fallback_syscall;

With the reasoning that falling back to syscall is better than returning
-EINVAL, because that could happen in a natural way due to CRIU. In
contrast, your objection to opaque_state not being aligned falling back
to the syscall was that it should never happen ever, so -EFAULT is more
fitting.

Is that correct?
My alternative suggestion, which is far less well formed, would be to
make the opaque argument be somehow not pointer-like and be more of an
opaque handle.  So it would be uintptr_t instead of void *, and the
user API would be built around the user getting a list of handles
instead of a block of memory.

The benefit would be a tiny bit less overhead (potentially), but the
API would need substantially more rework.  I'm not convinced that this
would be worthwhile.
I'd thought about this too -- a Windows-style handle system -- but
it seemed complicated and just not worth it, so the simplicity here
seems more appealing. I'm happy to take your suggestion of an opaque_len
argument (and it's already implemented in my "vdso" branch), and
leaving it at that.

Jason
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help