virtio-dev message

Subject: Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support

From: Babis Chalios <bchalios@amazon.es>
To: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 18 Sep 2023 18:30:42 +0200

Yes, that's what the driver does now in the RFC patch. However, this just
decreases
the race window, it doesn't eliminate it. If a third leak event happens it
might not
find any buffers to use:

1. available buffers to queue 1-X
2. available buffers to queue X


3. poll queue X
4. used buffers in queue X       <- leak event 1 will use buffers in X
5. avail buffers in queue X
6. poll queue 1-X                <- leak event 2 will use buffers in 1-X
7. used buffers in queue 1-X
8. avail buffers in queue 1-X
                                   <- leak event 3 (it needs buffers in X, race with step 5)
9. goto 3

I don't get it. we added buffers in step 5.

What if the leak event 3 arrives before step 5 had time to actually add the
buffers in X and make
them visible to the device?


Then it will see a single event in 1-X instead of two events.  A leak is
a leak though, I don't see does it matter how many triggered.


So the scenario I have in mind is the following:

(Epoch here is terminology that I used in the Linux RFC).

ÂÂÂÂÂÂÂ DriverÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ Device


1. Â Â add buffers to 1-X
2. Â Â add buffers to X
3. ÂÂÂ poll queue X
4.ÂÂ Â vcpu 0: cache getrandom() entropy
ÂÂ Â ÂÂ and cache epoch value
5. Â Â Â ÂÂÂ First snapshot: use buffers in X
6. Â Â vcpu 1: sees used buffers
7. ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ Second snapshot: use buffers in 1-X
8.Â ÂÂ vcpu 0: getrandom() observes new
ÂÂÂÂÂÂÂ epoch value & caches it

9. ÂÂÂÂÂÂÂÂÂÂ Third snapshot: no buffers in either queue vcpu 1 (fromstep 6 has not yet finished adding new buffers).

10.ÂÂ vcpu 1 adds new buffer in X
11.ÂÂ vcpu 0: getrandom() will not see new
Â Â Â Â epoch and gets stale entropy.

In this succession of events, when the third snapshot will happen, itwon't find any buffers in either queue,so it won't increase the RNG epoch value. So, any entropy gathered afterstep 8 will be the same across all

snapshots. Am I missing something?

Cheers,
Babis

Follow-Ups:
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: Babis Chalios <bchalios@amazon.es>

References:
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: "Michael S. Tsirkin" <mst@redhat.com>
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: Babis Chalios <bchalios@amazon.es>
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: "Michael S. Tsirkin" <mst@redhat.com>
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: Babis Chalios <bchalios@amazon.es>
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: "Michael S. Tsirkin" <mst@redhat.com>
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: Babis Chalios <bchalios@amazon.es>
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: "Michael S. Tsirkin" <mst@redhat.com>
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: Babis Chalios <bchalios@amazon.es>
- Re: [virtio-dev] [PATCH RFC 3/3] rng: leak detection support
  - From: "Michael S. Tsirkin" <mst@redhat.com>