RE: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]



> -----Original Message-----
> From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
> Sent: Tuesday, August 2, 2022 6:00 AM
> To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
> Subject: Re: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom
> 
> On Mon, Aug 01, 2022 at 02:07:53AM +0000, Elliott, Robert (Servers)
> wrote:
> > I see the glibc discussion about arc4random has led to a proposal this
> > weekend to add a vDSO for the linux kernel's getrandom(). It'll be
> > interesting to see if that is accepted - Linus' initial reaction was
> "no".
> 
> I was surprised to see they switched arc4random in glibc to
> getrandom(). That has a significant performance impact on chronyd, as
> it calls the function for each generated RX and TX timestamp. In my
> test the maximum number of requests per second handled as a server
> dropped by about 25%. That's not great.
> 
> We'll need to disable the function on Linux, at least until the vDSO
> getrandom() is widely available.

The concern with userspace libraries creating their own random values or 
using a buffer of previously fetched random values from the kernel seems 
to be (quoting Ted Ts'o):
"all of the attendant opportunities for security vulnerabilities in the 
face of VM snapshots, or VM's getting duplicated with a pre-spun execution
image, etc., etc."

Perhaps Linus will be more receptive if a use case where vDSO performance
is important, like a chrony server, is described.



--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/