sys/random: default to musl LCG instead of TinyMT #17188
Conversation
In [0] the paper concludes with > The Knuth LCG is the most efficient general purpose generator that > provides decent statistical quality. > It is simple and lean enough to run on very constrained devices. So let's select `prng_musl_lcg` to be the default PRNG instead of `prng_tinymt32`. This gives a good chunk of memory on e.g. `samr21-xpro`: prng_tinymt32 ------------- text data bss dec hex filename 26452 136 2824 29412 72e4 tests/rng/bin/samr21-xpro/tests_rng.elf prng_musl_lcg ------------- text data bss dec hex filename 26208 136 2808 29152 71e0 tests/rng/bin/samr21-xpro/tests_rng.elf [0] https://sci-hub.se/10.1145/3453159
benpicco
requested review from
cgundogan,
jia200x and
leandrolanzieri
as code owners
github-actions
bot
added
Area: build system
benpicco
added
the
CI: ready for build
|
@PeterKietzmann do you remember why we didn't do this after you published the paper? |
No particular reason. I want to restructure the random subsystem and started from the bottom #14324, currently waiting for #15671. Once I made it to the PRNG level, the plan was to set the default generators. I'm fine with changing now. |
|
Looks like all applications that already have been converted to Kconfig and use Is this really needed? Can't we have a default PRNG with Kconfig? |
There are defaults, in fact you are modifying one here. The problem is that the makefile dependency resolution fails to default to use HWRNG (as you pointed in #16732), which Kconfig prioritizes. We decided to override this in application configuration and leave it 'well modelled'. |
BTW you'll also need to adapt those |
benpicco
requested review from
aabadie,
fjmolinas,
MichelRottleuthner and
smlng
as code owners
|
Hm so maybe we should remove the HWRNG default with Kconfig to make it even with the make based dependency system? |
+1. Besides harmonizing both systems, HWRNG isn't always the best choice for direct random number generation. |
Ok, if you think that's the best default sure. I would not do it just for the fact of matching the makefile default though. |
|
The random dependency resolution is such a mess unfortunately. The reason why I went with HWRNG by default was because that was the only way to get different randomness across reboots (important for CoAP as we otherwise always start with the same sequence number and the server discards our requests). It's also much slimmer than TinyMT, but with LCG that is not so relevant anymore. Ideally we'd default to HWRNG to seed the PRNG, if no HWRNG is available use PUF SRAM to at least get some random seed. Kconfig of course will allow us to model this behavior properly. |
|
Seeding needs rework. #15671 is the next step towards seed generation and separation. |
| @@ -3,5 +3,5 @@ CONFIG_MODULE_RANDOM=y | |||
| # Should be autoselecting the MODULE_PRNG_HWRNG if possible | |||
| # Since the makefile cannot we have to override until end of migration | |||
| # Remove when TEST_KCONFIG is complete | |||
| CONFIG_MODULE_PRNG_TINYMT32=y | |||
| CONFIG_MODULE_PRNG_MUSL_LCG=y | |||
There was a problem hiding this comment.
Neither Tinymt32, nor LCG are crypto RNGs. One step further, HWRNGs are not necessarily secure for direct use. Hence, we should default to a CSPRNG in crypto contexts. SHA256PRNG would be the leanest choice.
This shows the problem with our current random module: There is only a single (non-secure) default RNG. As said, I am planning to continue my work on that starting from #15671.
There was a problem hiding this comment.
What I meant: crypto packages (cifra, hacl, dsa, ...) that require access to a random number generator should configure a crypto RNG (SHA256PRNG)
There was a problem hiding this comment.
I agree, but let's do this as a follow-up. This PR only changes the default RNG, those apps are still using the default RNG - if they should not, that would be a different PR.
There was a problem hiding this comment.
What if we say "set correct default choice"? Anyway, we can also go with two PRs.
benpicco
added
CI: ready for build
benpicco
force-pushed
the
sys/random-musl_lcg-default
branch
from
e1a606a
to
8a80b93
Compare
|
Here? |
PeterKietzmann
added
Reviewed: 1-fundamentals
| child.expect("1918982324") | ||
| child.expect("1550167154") | ||
| child.expect("3454972398") | ||
| child.expect("1034066532") |
There was a problem hiding this comment.
How about moving this to a separate test case?
@benpicco did you create the new test values of took them from somewhere? In the latter case, is there more? |
PeterKietzmann
added
the
Reviewed: 3-testing
|
The new test values are just the output of the new RNG |
|
So lets fix this occurce, merge, and fix the default choice for crypto packages afterwards |
benpicco
force-pushed
the
sys/random-musl_lcg-default
branch
from
8a80b93
to
87e0032
Compare
kaspar030
removed
the
CI: ready for build
kaspar030
added
the
CI: ready for build
Contribution description
In A Guideline on Pseudorandom Number Generation (PRNG) in the IoT the paper concludes with
So let's select
prng_musl_lcgto be the default PRNG instead ofprng_tinymt32.Testing procedure
This saves a good chunk of memory on e.g.
samr21-xpro:prng_tinymt32
prng_musl_lcg
Issues/PRs references