Re: [PATCH 2/8] drivers/char/random: Split out __get_random_int

From: Matt Mackall
Date: Wed Mar 16 2011 - 10:24:05 EST


On Wed, 2011-03-16, Matt Mackall wrote:
> On Wed, 2011-03-16 at 00:24 -0400, George Spelvin wrote:
>> If you like, and don't mind a few more bytes of per-cpu data, I'll
>> happily replace the whole dubious thing with a cryptographically secure
>> high-speed PRNG. I'm thinking ChaCha/12, as Salsa20 was selected by
>> eSTREAM and ChaCha is generally agreed to be stronger. (It's had more
>> review as the basis of the BLAKE hash function, a SHA-3 finalist.)

> Yes, let's do this. ChaCha looks like a fine candidate.

Just to confirm, it'll have basically the same structure as the
current code: a global secret key, re-seeded every 300 seconds,
with per-CPU state for generation. I'll generate 16 words at a time,
and use them until they're exhausted or the global secret changes.

ChaCha uses a 256-bit (8-word) key. It obviously shouldn't be shared
with the weaker half-MD4 operation. Should I generate both from the
pool directly, or only take 8 words and use ChaCha to generate the
half-MD4 key? Cryptographically, either is fine; it's a matter of code
simplicity vs. economical use of entropy. Do you have a preference?
(I slightly prefer #2.)

> I'd rather not add an frandom until after we get rid of the
> random/urandom dichotomy.

Can you explain? I think Ted's idea of the split was a good idea.
It does require user education, but it's important user education.
(I'm talking API level; I understand the internal plumbing is a bit
of a mess.)

> Think of it as a way of making forward progress. You should explicitly
> call out 'hey, these bits are cleanups you should just merge' so they
> don't get lost in the debate. Then the next time around, you have that
> many fewer patches.

True enough. I'll submit the cleanups separately. Appended is another
cleanup I'm thinking of. Okay with you? (If so, I'll post it separately
for wider review.)