RE: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom |
- To: "chrony-dev@xxxxxxxxxxxxxxxxxxxx" <chrony-dev@xxxxxxxxxxxxxxxxxxxx>
- Subject: RE: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom
- From: "Elliott, Robert (Servers)" <elliott@xxxxxxx>
- Date: Tue, 2 Aug 2022 16:14:15 +0000
> -----Original Message-----
> From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
> Sent: Tuesday, August 2, 2022 6:00 AM
> To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
> Subject: Re: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom
>
> On Mon, Aug 01, 2022 at 02:07:53AM +0000, Elliott, Robert (Servers)
> wrote:
> > I see the glibc discussion about arc4random has led to a proposal this
> > weekend to add a vDSO for the linux kernel's getrandom(). It'll be
> > interesting to see if that is accepted - Linus' initial reaction was
> > "no".
>
> I was surprised to see they switched arc4random in glibc to
> getrandom(). That has a significant performance impact on chronyd, as
> it calls the function for each generated RX and TX timestamp. In my
> test the maximum number of requests per second handled as a server
> dropped by about 25%. That's not great.
>
> We'll need to disable the function on Linux, at least until the vDSO
> getrandom() is widely available.
The concern with userspace libraries creating their own random values or
using a buffer of previously fetched random values from the kernel seems
to be (quoting Ted Ts'o):
"all of the attendant opportunities for security vulnerabilities in the
face of VM snapshots, or VM's getting duplicated with a pre-spun execution
image, etc., etc."
Perhaps Linus will be more receptive if a use case where vDSO performance
is important, like a chrony server, is described.
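The hazard named in the quote above is concrete enough to show in a few lines. The program below is an added example written for this archive page; it is not chrony code and does not reproduce UTI_GetRandomBytesUrandom or glibc's arc4random. It keeps a small userspace pool refilled from /dev/urandom (a portable stand-in for the getrandom() syscall; the 256-byte pool size and all function names are this example's own choices), shows how many kernel reads the pool saves, and then forks after the pool has been filled so that the "duplicated execution image" case can be observed: without a guard, parent and child hand out the same bytes. The pid check added as a mitigation only covers fork(); it cannot see a VM snapshot being resumed twice, which is exactly why the kernel-side concern cannot be fully answered in userspace.

```c
/* Added example (not chrony code): a buffered userspace RNG over /dev/urandom
 * and the duplicate-bytes problem when the process image is copied. */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>

#define POOL_SIZE 256                    /* assumed pool size for the demo */

static unsigned char pool[POOL_SIZE];
static size_t pool_used = POOL_SIZE;     /* POOL_SIZE means "empty, refill" */
static pid_t pool_owner = 0;             /* pid of the process that filled it */
static unsigned long pool_refills = 0;   /* how many kernel reads were needed */

/* One kernel read per refill; stand-in for a getrandom() call. */
static int pool_refill(void) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < POOL_SIZE) {
        ssize_t n = read(fd, pool + got, POOL_SIZE - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    pool_used = 0;
    pool_owner = getpid();
    pool_refills++;
    return 0;
}

/* Copy len bytes from the pool. With check_pid set, a pid change (fork)
 * discards the buffered bytes so the two processes never share a slice. */
static int pool_get(unsigned char *out, size_t len, int check_pid) {
    if (check_pid && pool_owner != getpid())
        pool_used = POOL_SIZE;           /* force a refill in the new process */
    while (len > 0) {
        if (pool_used == POOL_SIZE && pool_refill() < 0) return -1;
        size_t take = POOL_SIZE - pool_used;
        if (take > len) take = len;
        memcpy(out, pool + pool_used, take);
        memset(pool + pool_used, 0, take);  /* do not keep handed-out bytes */
        pool_used += take; out += take; len -= take;
    }
    return 0;
}

/* Kernel reads needed for n draws of len bytes (len <= 64) from an empty pool. */
unsigned long refills_for(size_t n, size_t len) {
    unsigned char buf[64];
    if (len > sizeof buf) len = sizeof buf;
    pool_used = POOL_SIZE; pool_owner = 0; pool_refills = 0;
    for (size_t i = 0; i < n; i++)
        if (pool_get(buf, len, 1) < 0) return 0;
    return pool_refills;                 /* e.g. 100 x 8 bytes -> 4 reads */
}

/* Fill the pool, fork, draw 8 bytes in each process.
 * Returns 1 if parent and child got identical bytes, 0 if not, -1 on error. */
int fork_duplicates_bytes(int check_pid) {
    unsigned char warm[8], parent_bytes[8], child_bytes[8];
    int fds[2];
    pool_used = POOL_SIZE; pool_owner = 0;
    if (pipe(fds) < 0) return -1;
    if (pool_get(warm, sizeof warm, check_pid) < 0) return -1;  /* pool now filled */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        unsigned char mine[8];
        close(fds[0]);
        int rc = pool_get(mine, sizeof mine, check_pid);
        ssize_t w = rc == 0 ? write(fds[1], mine, sizeof mine) : -1;
        _exit(w == (ssize_t)sizeof mine ? 0 : 1);
    }
    close(fds[1]);
    if (pool_get(parent_bytes, sizeof parent_bytes, check_pid) < 0) return -1;
    ssize_t n = read(fds[0], child_bytes, sizeof child_bytes);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child_bytes) return -1;
    return memcmp(parent_bytes, child_bytes, sizeof parent_bytes) == 0;
}

int main(void) {
    printf("kernel reads for 100 draws of 8 bytes: %lu (vs 100 unbuffered)\n",
           refills_for(100, 8));
    printf("parent/child bytes identical, no guard:  %d\n", fork_duplicates_bytes(0));
    printf("parent/child bytes identical, pid guard: %d\n", fork_duplicates_bytes(1));
    return 0;
}
```

The refill counter is the performance side of the thread: 100 draws cost 4 kernel reads instead of 100. The fork case is the security side: the buffer is copied with the address space, so both processes continue from the same offset unless something notices the copy. A pid comparison catches fork(); a resumed snapshot keeps the same pid, so nothing in this design catches it, and that is the argument for having the kernel (or a vDSO it controls) own the state.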