| Message ID | 20250208170537.96787-1-cristian@rodriguez.im (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Arjun Shankar |
| Headers |
Return-Path: <libc-alpha-bounces~patchwork=sourceware.org@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id A64703857720 for <patchwork@sourceware.org>; Sat, 8 Feb 2025 17:06:19 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org A64703857720 Authentication-Results: sourceware.org; dkim=pass (1024-bit key, unprotected) header.d=rodriguez.im header.i=@rodriguez.im header.a=rsa-sha256 header.s=google header.b=PZom9mtj X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) by sourceware.org (Postfix) with ESMTPS id 455683858D38 for <libc-alpha@sourceware.org>; Sat, 8 Feb 2025 17:05:45 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 455683858D38 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=rodriguez.im Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=cristianrodriguez.net ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 455683858D38 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::1032 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1739034345; cv=none; b=jiQTRlqRIVuYizTYDqrmQrRozDhF49lzR4qnGcUVTWc7Gem4etDi3EL4anWEmBAzIIGwF+xScVeRqawlTVFnbRskNVED6YGUS9+xku2A5jE6r7i1aw7hhW6cHGjkp0bbbLezx5zrMmuR60uQxoHscNff+fYAvANj+Mp9432ZEdY= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1739034345; c=relaxed/simple; bh=AzPfB8HAPKpz0c28o6U8rVJI8jkK6yvyMnmOrEBAoNg=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=tHbEw2B7uWJbayypcGwc5O2rFVDxN9UCPLV/0NdSO2oKu55LWbtH+qTrXMzWvlxUX1tDjyvFFeBjE5yrYdAaWwfuQRrGVcsFNFH4456vZRv7M4hEruaR3mCqCx/v0X2fA3TZtRkpWsaFDdggmtT7viIuWV2rE0TzBgu3VGq1LtM= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 455683858D38 Received: by mail-pj1-x1032.google.com with SMTP id 98e67ed59e1d1-2fa286ea7e8so2427860a91.2 for <libc-alpha@sourceware.org>; Sat, 08 Feb 2025 09:05:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rodriguez.im; s=google; t=1739034344; x=1739639144; darn=sourceware.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=GtpUxDCMO15nEKIUcPLF0I0U/sdYjcy5pUsuUy0D0sw=; b=PZom9mtja5qE2M3aLGvjLeuunEF51Ycjf7NlYJedZl/b8NcURHaAHGIPJ2QdmvMbLA sc/r0pgWlatCxmq0wvOC/melM9OPIak7cM9NsA4UphifteiXhJtm82j/HzqkDj+nenp3 WoqNJOBycNtgDpvrIM9g3voGBn6C34FJoUwdg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739034344; x=1739639144; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GtpUxDCMO15nEKIUcPLF0I0U/sdYjcy5pUsuUy0D0sw=; b=CZeDjo+UzEzYvz5n+pJY2Dm+GUHTUSx8qFN5yWBThhJchtroWk3a2CgySp1lcDHdx6 uXt79T9580e83rosWqctK+ehjc+qUo415qdR5puC9X+vrm1BMZ03swWT0qvlLAC/D917 IcfOG+oOmClrw6rKXc9IcJvxM55cgKb9QgtFcQiKbsV60F6ZSVCLJNeGHX2rSo5srdUX mRZw0kYp3Ybetq0TorXLqRaBtr48r2JyduQsu8F4/1J0pJJhf8GiVnQgZVNwQJTyIOrt c+jpQpAgxC45ADY9lzN69Nx95Capo5NWP0H83Ct0zys7nWlPe/BEQOqtailfuNVSEmH0 FCcg== X-Gm-Message-State: AOJu0Yx1l5hrAQT+CXxksIDefIzq03ys8Bn9er+jD3Bb3+IQhNGqof41 2T6wFBxyeeyD94MQFUnCehw4g3sSWdH/OIssa4GIHX3iM5cmhCh3onRtyBRp4bVFHsQ3M4udSTg = X-Gm-Gg: ASbGncu0tBEeN4cpzPNVykHvZFBpJfF9FjPOxrS0zICr+9sBBO/CWMimd/v+Pf6j1ek y34TTwX1wFbW0sl5ZhzWBP9SGWS5Paz9BrGxPHklBDuNFgFGpFCM63/r2mp7AQ/VhWVlT3YvmhV vE7737kEaI4XLGthv5UJ+ApFwUxhV8HitODOZML7aFgyCGRlc1BW6/Ks/2Tqmx2lfXUmxACGYga A2ILjBpkCg9JRe309tS4uTGLp1k0nQCcLUbbInIR8B8mgJAEx4v54ftq5BPhkrrukdc2m6kjARg T7eQVo/fGMf0vwtTNk3gV0YuaId9eDQ6ij3xONQDSQbfQErlD9FAF/Q= X-Google-Smtp-Source: AGHT+IFrLlO7tS95caSQKdW42CmAn8kdEFLls472eLKKpPJ5rx8Jn3rWvFOSd+b2eZLp91TazQ85gQ== X-Received: by 2002:aa7:88cb:0:b0:72f:d7ce:500f with SMTP id d2e1a72fcca58-7305d525eb4mr12257803b3a.21.1739034343998; Sat, 08 Feb 2025 09:05:43 -0800 (PST) Received: from tumbleweedvm.tail230b8a.ts.net ([181.160.31.22]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7307b967019sm954145b3a.109.2025.02.08.09.05.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 08 Feb 2025 09:05:43 -0800 (PST) From: =?utf-8?q?Cristian_Rodr=C3=ADguez?= <cristian@rodriguez.im> To: libc-alpha@sourceware.org Cc: =?utf-8?q?Cristian_Rodr=C3=ADguez?= <cristian@rodriguez.im> Subject: [PATCH 2/2] linux: use __getrandom_nocancel in getentropy Date: Sat, 8 Feb 2025 14:05:19 -0300 Message-ID: <20250208170537.96787-1-cristian@rodriguez.im> X-Mailer: git-send-email 2.48.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-8.3 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, GIT_PATCH_0, HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=subscribe> Errors-To: libc-alpha-bounces~patchwork=sourceware.org@sourceware.org |
| Series |
None
|
|
Commit Message
Cristian Rodríguez
Feb. 8, 2025, 5:05 p.m. UTC
It must use the VDSO implementation if available instead of a raw
syscall.
Signed-off-by: Cristian Rodríguez <cristian@rodriguez.im>
---
sysdeps/unix/sysv/linux/getentropy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
On Sat, Feb 8, 2025 at 2:05 PM Cristian Rodríguez <cristian@rodriguez.im> wrote: > > It must use the VDSO implementation if available instead of a raw > syscall. > > Signed-off-by: Cristian Rodríguez <cristian@rodriguez.im> I looked at the other implementations around and needs this needs to - be made POSIX.2024 compatible, where the only possible errors are EINVAL and maybe ENOSYS. - The different BSDs implementations where this function originally comes from all abort on irrecoverable errors, either by explicit raise(SIGKILL) or because getentropy is just a wrapper against arc4random_buf I got to the poin that I think it has just ot be implemented like this now: int getentropy (void *buffer, size_t length) { /* The interface is documented to return EINVAL for buffer lengths longer than 256 bytes. */ if (length > GETENTROPY_MAX) { __set_errno (EINVAL); return -1; } __arc4random_buf(buffer, length); return 0; } Will that fly here ?
On 08/02/25 14:05, Cristian Rodríguez wrote: > It must use the VDSO implementation if available instead of a raw > syscall. > > Signed-off-by: Cristian Rodríguez <cristian@rodriguez.im> I think it make sense now that we have an non-cancellable internal symbol, and the vDSO should give us same guarantee as the kernel. LGTM, thanks. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> > --- > sysdeps/unix/sysv/linux/getentropy.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/sysdeps/unix/sysv/linux/getentropy.c b/sysdeps/unix/sysv/linux/getentropy.c > index a62c9fb099..2134a32ae4 100644 > --- a/sysdeps/unix/sysv/linux/getentropy.c > +++ b/sysdeps/unix/sysv/linux/getentropy.c > @@ -21,7 +21,7 @@ > #include <errno.h> > #include <unistd.h> > #include <sysdep.h> > - > +#include <not-cancel.h> > /* Write LENGTH bytes of randomness starting at BUFFER. Return 0 on > success and -1 on failure. */ > int > @@ -42,7 +42,7 @@ getentropy (void *buffer, size_t length) > while (buffer < end) > { > /* NB: No cancellation point. */ > - ssize_t bytes = INLINE_SYSCALL_CALL (getrandom, buffer, end - buffer, 0); > + ssize_t bytes = __getrandom_nocancel (buffer, end - buffer, 0); > if (bytes < 0) > { > if (errno == EINTR)
On Feb 08 2025, Cristian Rodríguez wrote: > diff --git a/sysdeps/unix/sysv/linux/getentropy.c b/sysdeps/unix/sysv/linux/getentropy.c > index a62c9fb099..2134a32ae4 100644 > --- a/sysdeps/unix/sysv/linux/getentropy.c > +++ b/sysdeps/unix/sysv/linux/getentropy.c > @@ -21,7 +21,7 @@ > #include <errno.h> > #include <unistd.h> > #include <sysdep.h> > - > +#include <not-cancel.h> > /* Write LENGTH bytes of randomness starting at BUFFER. Return 0 on > success and -1 on failure. */ > int Please keep the empty line.
On 09/02/25 00:14, Cristian Rodríguez wrote: > On Sat, Feb 8, 2025 at 2:05 PM Cristian Rodríguez <cristian@rodriguez.im> wrote: >> >> It must use the VDSO implementation if available instead of a raw >> syscall. >> >> Signed-off-by: Cristian Rodríguez <cristian@rodriguez.im> > > > I looked at the other implementations around and needs this needs to > > - be made POSIX.2024 compatible, where the only possible errors are > EINVAL and maybe ENOSYS. > - The different BSDs implementations where this function originally > comes from all abort on irrecoverable errors, either by explicit > raise(SIGKILL) or because getentropy is just a wrapper against > arc4random_buf > > I got to the poin that I think it has just ot be implemented like this now: > > int > getentropy (void *buffer, size_t length) > { > /* The interface is documented to return EINVAL for buffer lengths > longer than 256 bytes. */ > if (length > GETENTROPY_MAX) > { > __set_errno (EINVAL); > return -1; > } > __arc4random_buf(buffer, length); > return 0; > } > > Will that fly here ? It would change getentropy semantics slight, since arc4random will try to open/read/close the /dev/urandom if getrandom is not available (due syscall filtering or old kernels). In this case with current code, getentropy() will fail with ENOSYS; while for arc4random() it will abort() if /dev/urandom is not available or if it can't be open (ENFILE, etc.). I am not sure if this is problem, but I think it would be safe to avoid changing for now. Now that we have __getrandom_nocancel, we can just do something like: static void getentropy_fatal (void) { __libc_fatal ("Fatal glibc error: cannot get entropy for getentropy\n"); } /* Write LENGTH bytes of randomness starting at BUFFER. Return 0 on success and -1 on failure. */ int getentropy (void *buffer, size_t length) { if (length > 256) { __set_errno (EINVAL); return -1; } /* Try to fill the buffer completely. Even with the 256 byte limit above, we might still receive an EINTR error (when blocking during boot). */ void *end = buffer + length; while (buffer < end) { /* NB: No cancellation point. */ ssize_t bytes = __getrandom_nocancel (buffer, end - buffer, 0); if (bytes < 0) { switch (errno) { case EINTR: continue; case ENOSYS: return -1; default: getentropy_fatal (); } } else if (bytes == 0) /* No more bytes available. This should not happen under normal circumstances. */ getentropy_fatal (); /* Try again in case of a short read. */ buffer += bytes; } return 0; } And remove both sysdeps/mach/hurd/getentropy.c and sysdeps/unix/sysv/linux/getentropy.c
On Wed, Feb 12, 2025 at 9:57 AM Adhemerval Zanella Netto <adhemerval.zanella@linaro.org> wrote: > > And remove both sysdeps/mach/hurd/getentropy.c and sysdeps/unix/sysv/linux/getentropy.c OK, Im gonna post an improved version later.
On Wed, Feb 12, 2025 at 6:40 PM Cristian Rodríguez <cristian@rodriguez.im> wrote: > > On Wed, Feb 12, 2025 at 9:57 AM Adhemerval Zanella Netto > <adhemerval.zanella@linaro.org> wrote: > > > > > And remove both sysdeps/mach/hurd/getentropy.c and sysdeps/unix/sysv/linux/getentropy.c > > > OK, Im gonna post an improved version later. Went back to this again.. what to do with GETENTROPY_MAX now.. ? Posix says {GETENTROPY_MAX}The maximum value of the length argument in calls to the getentropy() function. Minimum Acceptable Value: 256 However since: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e3c1c4fd9e6d14059ed93ebfe15e1c57793b1a05 The kernel special case is PAGE_SIZE not 256..and the special 256 never worked in the first place.. So at least for the linux parts - GETENTROPY_MAX == 256 ? and forget such a limit will not be enforced? - GETENTROPY_MAX == getpagesize() ? because PAGE_SIZE is not fixed in userspace? - Do not define it all.. make the wrapper return EINVAL if bigger than a pagesize to match the current kernel special case. looking forward to your inputs.
On 22/11/25 11:35, Cristian Rodríguez wrote: > On Wed, Feb 12, 2025 at 6:40 PM Cristian Rodríguez > <cristian@rodriguez.im> wrote: >> >> On Wed, Feb 12, 2025 at 9:57 AM Adhemerval Zanella Netto >> <adhemerval.zanella@linaro.org> wrote: >> >>> >>> And remove both sysdeps/mach/hurd/getentropy.c and sysdeps/unix/sysv/linux/getentropy.c >> >> >> OK, Im gonna post an improved version later. > > Went back to this again.. what to do with GETENTROPY_MAX now.. ? Posix says > > {GETENTROPY_MAX}The maximum value of the length argument in calls to > the getentropy() function. > Minimum Acceptable Value: 256 > > However since: > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e3c1c4fd9e6d14059ed93ebfe15e1c57793b1a05 > > The kernel special case is PAGE_SIZE not 256..and the special 256 > never worked in the first place.. > > So at least for the linux parts > > - GETENTROPY_MAX == 256 ? and forget such a limit will not be enforced? > - GETENTROPY_MAX == getpagesize() ? because PAGE_SIZE is not fixed in > userspace? > - Do not define it all.. make the wrapper return EINVAL if bigger than > a pagesize to match the current kernel special case. > > looking forward to your inputs. Can we assume 'GETENTROPY_MAX == getpagesize()' works for older kernels than 5.18? We did changed PTHREAD_STACK_MIN to be dynamic based on sysconf(_SC_THREAD_STACK_MIN) (5d98a7dae955bafa6740c26eaba9c86060ae0344), so I think we will need something similar to make GETENTROPY_MAX based on the system page size. This is really a lot of complexity, and I am not sure it users will really require GETENTROPY_MAX > 256 for most usercases.
On Tue, Nov 25, 2025 at 1:12 PM Adhemerval Zanella Netto <adhemerval.zanella@linaro.org> wrote: > > > > On 22/11/25 11:35, Cristian Rodríguez wrote: > > On Wed, Feb 12, 2025 at 6:40 PM Cristian Rodríguez > > <cristian@rodriguez.im> wrote: > >> > >> On Wed, Feb 12, 2025 at 9:57 AM Adhemerval Zanella Netto > >> <adhemerval.zanella@linaro.org> wrote: > >> > >>> > >>> And remove both sysdeps/mach/hurd/getentropy.c and sysdeps/unix/sysv/linux/getentropy.c > >> > >> > >> OK, Im gonna post an improved version later. > > > > Went back to this again.. what to do with GETENTROPY_MAX now.. ? Posix says > > > > {GETENTROPY_MAX}The maximum value of the length argument in calls to > > the getentropy() function. > > Minimum Acceptable Value: 256 > > > > However since: > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e3c1c4fd9e6d14059ed93ebfe15e1c57793b1a05 > > > > The kernel special case is PAGE_SIZE not 256..and the special 256 > > never worked in the first place.. > > > > So at least for the linux parts > > > > - GETENTROPY_MAX == 256 ? and forget such a limit will not be enforced? > > - GETENTROPY_MAX == getpagesize() ? because PAGE_SIZE is not fixed in > > userspace? > > - Do not define it all.. make the wrapper return EINVAL if bigger than > > a pagesize to match the current kernel special case. > > > > looking forward to your inputs. > > Can we assume 'GETENTROPY_MAX == getpagesize()' works for older kernels than 5.18? as far as I understood, the 256 special case has never worked. the kernel never reacted to signals until all bytes were read. so it should work. > This is really a lot of complexity, and I am not sure it users will really > require GETENTROPY_MAX > 256 for most usercases. Yeah.. What about using the smallest possible page size as a limit then? I think adding further complexity in this case aint worth it.
On 25/11/25 13:50, Cristian Rodríguez wrote: > On Tue, Nov 25, 2025 at 1:12 PM Adhemerval Zanella Netto > <adhemerval.zanella@linaro.org> wrote: >> >> >> >> On 22/11/25 11:35, Cristian Rodríguez wrote: >>> On Wed, Feb 12, 2025 at 6:40 PM Cristian Rodríguez >>> <cristian@rodriguez.im> wrote: >>>> >>>> On Wed, Feb 12, 2025 at 9:57 AM Adhemerval Zanella Netto >>>> <adhemerval.zanella@linaro.org> wrote: >>>> >>>>> >>>>> And remove both sysdeps/mach/hurd/getentropy.c and sysdeps/unix/sysv/linux/getentropy.c >>>> >>>> >>>> OK, Im gonna post an improved version later. >>> >>> Went back to this again.. what to do with GETENTROPY_MAX now.. ? Posix says >>> >>> {GETENTROPY_MAX}The maximum value of the length argument in calls to >>> the getentropy() function. >>> Minimum Acceptable Value: 256 >>> >>> However since: >>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e3c1c4fd9e6d14059ed93ebfe15e1c57793b1a05 >>> >>> The kernel special case is PAGE_SIZE not 256..and the special 256 >>> never worked in the first place.. >>> >>> So at least for the linux parts >>> >>> - GETENTROPY_MAX == 256 ? and forget such a limit will not be enforced? >>> - GETENTROPY_MAX == getpagesize() ? because PAGE_SIZE is not fixed in >>> userspace? >>> - Do not define it all.. make the wrapper return EINVAL if bigger than >>> a pagesize to match the current kernel special case. >>> >>> looking forward to your inputs. >> >> Can we assume 'GETENTROPY_MAX == getpagesize()' works for older kernels than 5.18? > > as far as I understood, the 256 special case has never worked. the > kernel never reacted to signals until all bytes were read. > so it should work. Right, it might be good to check this empirically on some older kernel. > >> This is really a lot of complexity, and I am not sure it users will really >> require GETENTROPY_MAX > 256 for most usercases. > > Yeah.. What about using the smallest possible page size as a limit > then? I think adding further complexity in this case aint worth it. I think it seems reasonable, assuming it does work as intended in all kernel version. We don't have an internal minimal page size definition, but we can assume 4096 (and I don't think it would be worth to make it arch-dependent).
diff --git a/sysdeps/unix/sysv/linux/getentropy.c b/sysdeps/unix/sysv/linux/getentropy.c index a62c9fb099..2134a32ae4 100644 --- a/sysdeps/unix/sysv/linux/getentropy.c +++ b/sysdeps/unix/sysv/linux/getentropy.c @@ -21,7 +21,7 @@ #include <errno.h> #include <unistd.h> #include <sysdep.h> - +#include <not-cancel.h> /* Write LENGTH bytes of randomness starting at BUFFER. Return 0 on success and -1 on failure. */ int @@ -42,7 +42,7 @@ getentropy (void *buffer, size_t length) while (buffer < end) { /* NB: No cancellation point. */ - ssize_t bytes = INLINE_SYSCALL_CALL (getrandom, buffer, end - buffer, 0); + ssize_t bytes = __getrandom_nocancel (buffer, end - buffer, 0); if (bytes < 0) { if (errno == EINTR)