From: Mark R V Murray <markm@FreeBSD.org>
To: Jeff Roberson
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Wed, 22 Jul 2015 22:59:14 +0100
Subject: Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random sy...
References: <201506301700.t5UH0jPq001498@svn.freebsd.org>
List-Id: SVN commit messages for the src tree for head/-current

> On 22 Jul 2015, at 22:42, Jeff Roberson wrote:
>
> On Tue, 30 Jun 2015, Mark Murray wrote:
>
>> - Add harvesting of slab allocator events. This needs to be checked for
>> weighing down the allocator code.
>
> Neither filesystem operations nor allocations are random events. They are trivially influenced by user code. A malicious attacker could create repeated patterns of allocations or filesystem activity through the syscall path to degrade your random sample source.

I'm not sure I accept that - Fortuna is very careful about using non-reversible hashing in its accumulation, and countering such degradation is one of the algorithm's strong points. There is perhaps risk of *no* entropy, but even the per-event timing jitter will be providing this, if nothing else.

> Perhaps more importantly to me, this is an unacceptable performance burden for the allocator. At a minimum it should compile out by default. Great care has been taken to reduce the fast path of the allocator to the minimum number of cycles and even cache misses.

As currently set up in etc/rc.d/* by default, there is a simple check at each UMA harvesting opportunity, and no further action. I asked Robert Watson if this was burdensome, and he said it was not.

I'm willing to discuss optimising this, and have plans for some micro-benchmarks.

M
-- 
Mark R V Murray

PS: Please trim mail when responding - was it necessary to send me back the whole commit message and diff?
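A simplified model of the Fortuna accumulator that Mark's reply refers to, added here as an illustration and not FreeBSD's random(4) code: events are hashed round-robin into 32 SHA-256 pools, and pool i is drained into the key only every 2^i reseeds, which is why a flood of attacker-controlled allocation events is spread over all pools and cannot remove entropy that honest events have already hashed in. The event encoding, the all-zero initial key and the constructed event data are assumptions of this model.

```python
import hashlib

NUM_POOLS = 32  # Fortuna uses 32 pools; pool i is used every 2**i reseeds


class FortunaAccumulator:
    """Toy Fortuna accumulator (model only, not the FreeBSD implementation)."""

    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.next_pool = 0
        self.reseed_count = 0
        self.key = bytes(32)  # assumed zero initial key for the model

    def add_event(self, source_id: int, data: bytes) -> int:
        """Hash one harvested event into the next pool; return the pool used.

        Pools are filled round-robin, so a single noisy source (e.g. a user
        process hammering the allocator) touches every pool equally and cannot
        target or monopolise the pool chosen for the next reseed.
        """
        pool = self.next_pool
        # Assumed encoding: source id, length byte, then the event bytes.
        self.pools[pool].update(bytes([source_id & 0xFF, len(data) & 0xFF]) + data)
        self.next_pool = (pool + 1) % NUM_POOLS
        return pool

    @staticmethod
    def pools_for_reseed(k: int) -> list:
        """Pool i contributes to reseed number k iff 2**i divides k."""
        return [i for i in range(NUM_POOLS) if k % (1 << i) == 0]

    def reseed(self) -> bytes:
        """Fold the scheduled pools into the key and reset them."""
        self.reseed_count += 1
        h = hashlib.sha256(self.key)
        for i in self.pools_for_reseed(self.reseed_count):
            h.update(self.pools[i].digest())  # one-way: pool contents unrecoverable
            self.pools[i] = hashlib.sha256()
        self.key = h.digest()
        return self.key


def keys_after_flood(secret_event: bytes) -> bytes:
    """Constructed scenario: 64 attacker-known events, then one unknown event."""
    acc = FortunaAccumulator()
    for _ in range(64):
        acc.add_event(0, b"\x00\x00\x00\x10")  # repeated, attacker-chosen pattern
    acc.add_event(1, secret_event)  # e.g. honest timing jitter, unknown to attacker
    return acc.reseed()
```

Two accumulators fed the same attacker pattern but different honest events produce unrelated keys, and the attacker's knowledge of the pattern yields no way to recover the honest bytes from the pool digest.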