Question on get random long worse in VM than on host
Ard Biesheuvel
ardb at kernel.org
Sat Aug 31 00:56:23 PDT 2024
On Sat, 31 Aug 2024 at 09:42, Marc Zyngier <maz at kernel.org> wrote:
>
> [+ Ard, who actually understands the whole RNG thing]
>
> On Sat, 31 Aug 2024 04:34:33 +0100,
> Tangnianyao <tangnianyao at huawei.com> wrote:
> >
> > Hi, all
> >
> > On ARM64 server (Kunpeng), performance of some syscall cases (like fork
> > and open) in guest, which need random u64, are 10~20% worse than
> > those on host. Because CONFIG_ARCH_HAS_ELF_RANDOMIZE=y and
> > CONFIG_STACKPROTECTOR=y, guest kernel needs random u64 and
> > require them from host kvm using hvc.
> >
> > If FEAT_RNG is supported and EL3 firmware does not support smccc trng, host
> > kvm finally returns random u64 using RNDRRS to guest.
> >
> > Shall we firstly let guest get random u64 from RNDRRS to avoid hvc trap?
> > For example, if host finds smccc trng not available, then tell guest smccc
> > trng not available when guest check trng version.
>
> My recollection is that it was a deliberate decision to decouple what
> the host firmware offers from what the guest sees (we can always
> implement the SMCCC TRNG using any mechanism that the host has to
> deliver entropy).
>
> Now, userspace has almost complete freedom to expose what the guest
> sees in terms of PV services. In this particular case, it can write to
> the KVM_REG_ARM_STD_BMAP pseudo register to remove the
> KVM_REG_ARM_STD_BIT_TRNG_V1_0 bit from the bitmap, which will hide the
> functionality.
>
> Isn't this sufficient here? Given that you seem to be micro-optimising
> for a particular platform, this seems like the easiest way to reach
> your goal without having to change anything.
>
On top of that, the guest kernel should not be calling this interface
every single time it needs some randomness. The kernel's entropy pool
should be used, which is reseeded as needed using whichever source of
entropy the system provides, which includes arch_get_random_longs().

If every fork() and open() results in a HVC, we need to fix that regardless.

As for RNDR/RNDRRS vs TRNG: the former is not a raw entropy source, it
is a DRBG (or CSPRNG) which provides cryptographically secure random
numbers whose security strength is limited by the size of the seed.
TRNG does not have this limitation in principle, although non-p KVM
happily seeds it from the kernel's entropy pool, which has the same
limitation in practice.

TL;DR if the layering inside the kernel is correct, none of this
should matter to fork() or open() performance.
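
The KVM_REG_ARM_STD_BMAP write described in the quoted reply above, as an added example that is not part of the original thread or taken from any VMM: a read-modify-write of the pseudo register through a vCPU file descriptor. The function names, the fallback register-ID define and `STD_BIT_TRNG_V1_0` are assumptions made for illustration; the fallback is the value the arm64 uapi macro expands to, used only when the build host's headers do not provide it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <linux/kvm.h>

/* Assumption for non-arm64 or older headers: the value that
 * KVM_REG_ARM_FW_FEAT_BMAP_REG(0) expands to in the arm64 uapi header. */
#ifndef KVM_REG_ARM_STD_BMAP
#define KVM_REG_ARM_STD_BMAP 0x6030000000160000ULL
#endif
/* Local name for the bit position of KVM_REG_ARM_STD_BIT_TRNG_V1_0. */
#define STD_BIT_TRNG_V1_0 0

/* Pure helper: the bitmap with the TRNG v1.0 service removed. */
uint64_t std_bmap_without_trng(uint64_t bmap)
{
    return bmap & ~(UINT64_C(1) << STD_BIT_TRNG_V1_0);
}

/* Hide the SMCCC TRNG service from the guest via a vCPU fd.
 * Call before any vCPU of the VM has run: KVM rejects later writes
 * to the firmware bitmap registers with EBUSY.
 * Returns 0 on success, -errno on failure. */
int hide_smccc_trng(int vcpu_fd)
{
    uint64_t bmap = 0;
    struct kvm_one_reg reg = {
        .id = KVM_REG_ARM_STD_BMAP,
        .addr = (uint64_t)(uintptr_t)&bmap,
    };

    if (ioctl(vcpu_fd, KVM_GET_ONE_REG, &reg) < 0)
        return -errno;
    if (bmap == std_bmap_without_trng(bmap))
        return 0;                 /* service already hidden */
    bmap = std_bmap_without_trng(bmap);
    if (ioctl(vcpu_fd, KVM_SET_ONE_REG, &reg) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    /* Constructed sample bitmap with bits 0 and 1 set. */
    printf("%#llx\n", (unsigned long long)std_bmap_without_trng(0x3));
    return 0;
}
```

A VMM would call `hide_smccc_trng()` on one vCPU fd after KVM_ARM_VCPU_INIT and before the first KVM_RUN.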