New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sys/random: default to musl LCG instead of TinyMT #17188
sys/random: default to musl LCG instead of TinyMT #17188
Conversation
In [0] the paper concludes with > The Knuth LCG is the most efficient general purpose generator that > provides decent statistical quality. > It is simple and lean enough to run on very constrained devices. So let's select `prng_musl_lcg` to be the default PRNG instead of `prng_tinymt32`. This gives a good chunk of memory on e.g. `samr21-xpro`: prng_tinymt32 ------------- text data bss dec hex filename 26452 136 2824 29412 72e4 tests/rng/bin/samr21-xpro/tests_rng.elf prng_musl_lcg ------------- text data bss dec hex filename 26208 136 2808 29152 71e0 tests/rng/bin/samr21-xpro/tests_rng.elf [0] https://sci-hub.se/10.1145/3453159
@PeterKietzmann do you remember why we didn't do this after you published the paper? |
No particular reason. I want to restructure the random subsystem and started from the bottom #14324, currently waiting for #15671. Once I made it to the PRNG level, the plan was to set the default generators. I'm fine with changing now. |
Looks like all applications that already have been converted to Kconfig and use
Is this really needed? Can't we have a default PRNG with Kconfig? |
There are defaults, in fact you are modifying one here. The problem is that the makefile dependency resolution fails to default to use HWRNG (as you pointed in #16732), which Kconfig prioritizes. We decided to override this in application configuration and leave it 'well modelled'. |
BTW you'll also need to adapt those
|
Hm so maybe we should remove the HWRNG default with Kconfig to make it even with the make based dependency system? |
+1. Besides harmonizing both systems, HWRNG isn't always the best choice for direct random number generation. |
Ok, if you think that's the best default sure. I would not do it just for the fact of matching the makefile default though. |
The random dependency resolution is such a mess unfortunately. The reason why I went with HWRNG by default was because that was the only way to get different randomness across reboots (important for CoAP as we otherwise always start with the same sequence number and the server discards our requests). It's also much slimmer than TinyMT, but with LCG that is not so relevant anymore. Ideally we'd default to HWRNG to seed the PRNG, if no HWRNG is available use PUF SRAM to at least get some random seed. Kconfig of course will allow us to model this behavior properly. |
Seeding needs rework. #15671 is the next step towards seed generation and separation. |
@@ -3,5 +3,5 @@ CONFIG_MODULE_RANDOM=y | |||
# Should be autoselecting the MODULE_PRNG_HWRNG if possible | |||
# Since the makefile cannot we have to override until end of migration | |||
# Remove when TEST_KCONFIG is complete | |||
CONFIG_MODULE_PRNG_TINYMT32=y | |||
CONFIG_MODULE_PRNG_MUSL_LCG=y |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Neither Tinymt32, nor LCG are crypto RNGs. One step further, HWRNGs are not necessarily secure for direct use. Hence, we should default to a CSPRNG in crypto contexts. SHA256PRNG
would be the leanest choice.
This shows the problem with our current random
module: There is only a single (non-secure) default RNG. As said, I am planning to continue my work on that starting from #15671.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What I meant: crypto packages (cifra, hacl, dsa, ...) that require access to a random number generator should configure a crypto RNG (SHA256PRNG)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, but let's do this as a follow-up. This PR only changes the default RNG, those apps are still using the default RNG - if they should not, that would be a different PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if we say "set correct default choice"? Anyway, we can also go with two PRs.
e1a606a
to
8a80b93
Compare
Here? |
child.expect("1918982324") | ||
child.expect("1550167154") | ||
child.expect("3454972398") | ||
child.expect("1034066532") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about moving this to a separate test case?
@benpicco did you create the new test values of took them from somewhere? In the latter case, is there more? |
The new test values are just the output of the new RNG |
So lets fix this occurce, merge, and fix the default choice for crypto packages afterwards |
8a80b93
to
87e0032
Compare
Contribution description
In A Guideline on Pseudorandom Number Generation (PRNG) in the IoT the paper concludes with
So let's select
prng_musl_lcg
to be the default PRNG instead ofprng_tinymt32
.Testing procedure
This saves a good chunk of memory on e.g.
samr21-xpro
:prng_tinymt32
prng_musl_lcg
Issues/PRs references