From: Alfred Perlstein
Date: Tue, 24 Feb 2015 16:16:51 -0500
Message-ID: <54ECEA43.2080008@freebsd.org>
To: John-Mark Gurney
Subject: Re: locks and kernel randomness...
Cc: Konstantin Belousov, Harrison Grundy, freebsd-arch@freebsd.org

On 2/24/15 1:25 PM, John-Mark Gurney wrote:
> Alfred Perlstein wrote this message on Tue, Feb 24, 2015 at 13:04 -0500:
>> On 2/24/15 12:40 PM, John-Mark Gurney wrote:
>>> Warner Losh wrote this message on Tue, Feb 24, 2015 at 07:56 -0700:
>>>> Then again, if you want to change random(), provide a weak_random() that's
>>>> the traditional non-crypto thing that's fast and lockless. That would make it easy
>>>> to audit in our tree. The scheduler doesn't need cryptographic randomness, it
>>>> just needs to make different choices sometimes to ensure its notion of fairness.
>>>
>>> I do not support having a weak_random... If the consumer is sure
>>> enough that you don't need a secure random, then they can pick an LCG
>>> and implement it themselves and deal (or not) w/ the locking issues...
>>>
>>> It appears that the scheduler had an LCG but for some reason the authors
>>> didn't feel like using it here..
>>
>> The way I read this argument is that no low quality sources of
>> randomness shall be allowed.
>
> No, I'm saying that the person who needs the predictable randomness
> needs to do extra work to get it... If they care that much about
> performance/predictability/etc, then a little extra work won't hurt
> them.. And if they don't know what an LCG is, then they aren't
> qualified to make the decision that a weaker RNG is correct for their
> situation..
>
>> So we should get rid of rand(3)? When do we deprecate that?
>
> No, we should replace it w/ proper randomness like OpenBSD has...
> I'm willing to go that far and I think FreeBSD should... OpenBSD has
> done a lot of leg work in tracking down ports that correctly use
> rand(3), and letting them keep their deterministic randomness, while
> the remaining get real random..
>
>> Your argument doesn't hold water.
>
> Sorry, your argument sounds like it's from the 90's when we didn't
> know any better on how to make secure systems... Will you promise to
> audit all new uses of randomness in the system to make sure that they
> are using the correct, secure API?
>
> Considering that it's been recommended that people NOT use
> read_random(9) for 14 years, yet people continue to use it in new code,
> demonstrates that people do not know what they are doing (wrt
> randomness), and the only way to make sure they do the correct, secure
> thing is to only provide the secure API...

That speaks to more of the drive-by czars we have in BSD land that take
an area with a hard lock and then go away.

Also, do not want to attempt to be like OpenBSD, learn from for sure,
but to be like, no way.

-Alfred
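
Added example, not part of the original message and not FreeBSD code: the thread's trade-off in C, with a lockless LCG whose state is owned by the caller, and a check showing that a few observed outputs are enough to compute the next one. The constants are those of the ANSI C sample rand(), chosen here as an assumption; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Caller-owned state (one per CPU or thread), so no shared lock is needed. */
struct lcg { uint32_t s; };

/* Constants from the ANSI C sample rand(); an assumption, not FreeBSD's code. */
static uint32_t lcg_step(uint32_t s) { return s * 1103515245u + 12345u; }

/* Advance and return bits 16..30 of the state (15 bits per call). */
static unsigned lcg_next(struct lcg *g)
{
    g->s = lcg_step(g->s);
    return (g->s >> 16) & 0x7fff;
}

/*
 * Given n consecutive outputs, try all 2^16 hidden low bits of the state
 * behind out[0]; return the value the generator produces next, or -1 if
 * no state fits. Bit 31 never reaches an output, so it is left at 0.
 */
static int lcg_predict(const unsigned *out, int n)
{
    for (uint32_t lo = 0; lo < 0x10000; lo++) {
        uint32_t s = ((uint32_t)out[0] << 16) | lo;
        int i;
        for (i = 1; i < n; i++) {
            s = lcg_step(s);
            if (((s >> 16) & 0x7fff) != out[i])
                break;
        }
        if (i == n)
            return (int)((lcg_step(s) >> 16) & 0x7fff);
    }
    return -1;
}

/* Constructed check: observe 4 outputs, then compare prediction to reality. */
static int prediction_matches(uint32_t seed)
{
    struct lcg g = { seed };
    unsigned seen[4];
    for (int i = 0; i < 4; i++)
        seen[i] = lcg_next(&g);
    return lcg_predict(seen, 4) == (int)lcg_next(&g);
}

int main(void)
{
    printf("predicted: %s\n", prediction_matches(2015) ? "yes" : "no");
    return 0;
}
```

A generator of this kind fits the scheduler-style use discussed in the thread, where outputs only break ties; it is unsuitable wherever an observer of the outputs must not learn the next value.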