346725 |
26-Apr-2019 |
mw |
MFC r345438,r345842,r346259,r346261: TPM as possible entropy source
r345438: Allow using TPM as entropy source
TPM has a built-in RNG, with its own entropy source. The driver was extended to harvest 16 random bytes from TPM every 10 seconds. A new build option "TPM_HARVEST" was introduced - for now, however, it is not enabled by default in the GENERIC config.
Reviewed by: markm, delphij Approved by: secteam
r345842: Add a cv_wait to the TPM2.0 harvesting function
r346259: tpm: Prevent session hijack
r346261: Improve tpm20 style
Submitted by: Kornel Duleba <mindal@semihalf.com> Obtained from: Semihalf Sponsored by: Stormshield |
345981 |
06-Apr-2019 |
markm |
Backport fixes from FreeBSD-12 to help the random(4) device thread not overwhelm the OS:
a) Use the correct symbolic constant when calculating 10'ths of a second. This means that expensive reseeds happen at ony 1/10 Hz, not some kHz.
b) Rate limit internal high-rate harveting efforts. This stops the harvesting thread from total overkilling the high-grade entropy- gathering work, while still being very conservatively safe.
PR: 230808 Reported by: danilo,eugen Tested by: eugen Approved by: so (blanket permission granted as I am the authour of this code) Relnotes: Yes |
338923 |
25-Sep-2018 |
delphij |
Partial MFC of r338542:
random(4): Squash non-error timeout code from tsleep(9).
PR: 231181 Submitted by: cem Reported by: lev Reviewed by: vangyzen, markm, delphij Approved by: secteam (delphij) Differential Revision: https://reviews.freebsd.org/D17049 |
302408 |
08-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
301735 |
09-Jun-2016 |
sjg |
Revert previous commit, until issue with sparc64 resolved.
Approved by: so (implicit)
|
301713 |
09-Jun-2016 |
sjg |
Add a prototype for random_harvest_queue to dev/random/random_harvestq.h This fixes a warning that occurs in a number of files that use the random_harvest_queue function.
Differential Revision: https://reviews.freebsd.org/D4229 Submitted by: stevek@juniper.net Reviewed by: markm Approved by: so
|
300050 |
17-May-2016 |
eadler |
Don't repeat the the word 'the'
(one manual change to fix grammar)
Confirmed With: db Approved by: secteam (not really, but this is a comment typo fix)
|
298923 |
02-May-2016 |
pfg |
dev/random: minor spelling fixes in comments.
No functional change.
Reviewed by: markm Approved by: so
|
298593 |
25-Apr-2016 |
pfg |
dev/random: use our roundup() macro instead of re-implementing it.
While here also use howmany() macro from sys/param.h No functional change.
Reviewed by: markm (roundup replacement part) Approved by: so
|
298102 |
16-Apr-2016 |
kib |
Fix rdrand_rng.ko and padlock_rng.ko dependencies, making modules loadable when not compiled into the kernel.
Approved by: so (delphij) Sponsored by: The FreeBSD Foundation
|
297366 |
28-Mar-2016 |
jhb |
Don't start the random harvester process until timers are working.
This is a no-op currently, but in kernels with earlier AP startup, the random kthread was trying to use timeouts with sleeps before timers are working. Wait until SI_SUB_KICK_SCHEDULER to start the random kproc.
Reviewed by: delphij, imp, markm Approved by: so Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D5712
|
295718 |
17-Feb-2016 |
glebius |
Add missing braces.
Found by: PVS-Studio Approved by: so (implicit)
|
292782 |
27-Dec-2015 |
allanjude |
Replace sys/crypto/sha2/sha2.c with lib/libmd/sha512c.c
cperciva's libmd implementation is 5-30% faster
The same was done for SHA256 previously in r263218
cperciva's implementation was lacking SHA-384 which I implemented, validated against OpenSSL and the NIST documentation
Extend sbin/md5 to create sha384(1)
Chase dependancies on sys/crypto/sha2/sha2.{c,h} and replace them with sha512{c.c,.h}
Reviewed by: cperciva, des, delphij Approved by: secteam, bapt (mentor) MFC after: 2 weeks Sponsored by: ScaleEngine Inc. Differential Revision: https://reviews.freebsd.org/D3929
|
288780 |
05-Oct-2015 |
markm |
Fix printf-like formats for KASSERT.
Submitted by: jenkins Approved by: so (/dev/random blanket)
|
288703 |
05-Oct-2015 |
markm |
It appears that under some circumstances, like virtualisiation, the 'rdrand' instruction may occasionally not return random numbers, in spite of looping attempts to do so. The reusult is a KASSERT/panic.
Reluctantly accept this state-of-affairs, but make a noise about it. if this 'noise' spams the console, it may be time to discontinue using that source.
This is written in a general way to account for /any/ source that might not supply random numbers when required.
Submitted by: jkh (report and slightly different fix) Approved by: so (/dev/random blanket)
|
287023 |
22-Aug-2015 |
markm |
Make the UMA harvesting go away completely if not wanted. Default to "not wanted". Provide and document the RANDOM_ENABLE_UMA option.
Change RANDOM_FAST to RANDOM_UMA to clarify the harvesting.
Remove RANDOM_DEBUG option, replace with SDT probes. These will be of use to folks measuring the harvesting effect when deciding whether to use RANDOM_ENABLE_UMA.
Requested by: scottl and others. Approved by: so (/dev/random blanket) Differential Revision: https://reviews.freebsd.org/D3197
|
286839 |
17-Aug-2015 |
markm |
Add DEV_RANDOM pseudo-option and use it to "include out" random(4) if desired.
Retire randomdev_none.c and introduce random_infra.c for resident infrastructure. Completely stub out random(4) calls in the "without DEV_RANDOM" case.
Add RANDOM_LOADABLE option to allow loadable Yarrow/Fortuna/LocallyWritten algorithm. Add a skeleton "other" algorithm framework for folks to add their own processing code. NIST, anyone?
Retire the RANDOM_DUMMY option.
Build modules for Yarrow, Fortuna and "other".
Use atomics for the live entropy rate-tracking.
Convert ints to bools for the 'seeded' logic.
Move _write() function from the algorithm-specific areas to randomdev.c
Get rid of reseed() function - it is unused.
Tidy up the opt_*.h includes.
Update documentation for random(4) modules.
Fix test program (reviewers, please leave this).
Differential Revision: https://reviews.freebsd.org/D3354 Reviewed by: wblock,delphij,jmg,bjk Approved by: so (/dev/random blanket)
|
285700 |
19-Jul-2015 |
markm |
Fix some untidy logic. I committed the wrong local fix; please pass the pointy hat.
Approved by: so (/dev/random blanket)
|
285693 |
19-Jul-2015 |
markm |
Remove out-of-date comments.
Approved by: so (/dev/random blanket)
|
285692 |
19-Jul-2015 |
markm |
Fix the read blocking so that it is interruptable and slow down the rate of console warning spamming while blocked.
Approved by: so (/dev/random blanket)
|
285690 |
19-Jul-2015 |
markm |
Optimise the buffer-size calculation. It was possible to get one block too many.
Approved by: so (/dev/random blanket)
|
285573 |
14-Jul-2015 |
ed |
Fix the build after breaking it in r285549.
I performed the commit on a different system as where I wrote the change. After pulling in the change from Phabricator, I didn't notice that a single chunk did not apply.
Approved by: secteam (implicit, as intended change was approved) Pointy hat to: me
|
285549 |
14-Jul-2015 |
ed |
Implement the CloudABI random_get() system call.
The random_get() system call works similar to getentropy()/getrandom() on OpenBSD/Linux. It fills a buffer with random data.
This change introduces a new function, read_random_uio(), that is used to implement read() on the random devices. We can call into this function from within the CloudABI compatibility layer.
Approved by: secteam Reviewed by: jmg, markm, wblock Obtained from: https://github.com/NuxiNL/freebsd Differential Revision: https://reviews.freebsd.org/D3053
|
285439 |
13-Jul-2015 |
markm |
Rework the read routines to keep the PRNG sources happy. These work in units of crypto blocks, so must have adequate space to write. This means needing to be careful about buffers and keeping track of external read request length.
Approved by: so (/dev/random blanket)
|
285422 |
12-Jul-2015 |
markm |
* Address review (and add a bit myself). - Tweek man page. - Remove all mention of RANDOM_FORTUNA. If the system owner wants YARROW or DUMMY, they ask for it, otherwise they get FORTUNA. - Tidy up headers a bit. - Tidy up declarations a bit. - Make static in a couple of places where needed. - Move Yarrow/Fortuna SYSINIT/SYSUNINIT to randomdev.c, moving us towards a single file where the algorithm context is used. - Get rid of random_*_process_buffer() functions. They were only used in one place each, and are better subsumed into those places. - Remove *_post_read() functions as they are stubs everywhere. - Assert against buffer size illegalities. - Clean up some silly code in the randomdev_read() routine. - Make the harvesting more consistent. - Make some requested argument name changes. - Tidy up and clarify a few comments. - Make some requested comment changes. - Make some requested macro changes.
* NOTE: the thing calling itself a 'unit test' is not yet a proper unit test, but it helps me ensure things work. It may be a proper unit test at some time in the future, but for now please don't make any assumptions or hold any expectations.
Differential Revision: https://reviews.freebsd.org/D2025 Approved by: so (/dev/random blanket)
|
284959 |
30-Jun-2015 |
markm |
Huge cleanup of random(4) code.
* GENERAL - Update copyright. - Make kernel options for RANDOM_YARROW and RANDOM_DUMMY. Set neither to ON, which means we want Fortuna - If there is no 'device random' in the kernel, there will be NO random(4) device in the kernel, and the KERN_ARND sysctl will return nothing. With RANDOM_DUMMY there will be a random(4) that always blocks. - Repair kern.arandom (KERN_ARND sysctl). The old version went through arc4random(9) and was a bit weird. - Adjust arc4random stirring a bit - the existing code looks a little suspect. - Fix the nasty pre- and post-read overloading by providing explictit functions to do these tasks. - Redo read_random(9) so as to duplicate random(4)'s read internals. This makes it a first-class citizen rather than a hack. - Move stuff out of locked regions when it does not need to be there. - Trim RANDOM_DEBUG printfs. Some are excess to requirement, some behind boot verbose. - Use SYSINIT to sequence the startup. - Fix init/deinit sysctl stuff. - Make relevant sysctls also tunables. - Add different harvesting "styles" to allow for different requirements (direct, queue, fast). - Add harvesting of FFS atime events. This needs to be checked for weighing down the FS code. - Add harvesting of slab allocator events. This needs to be checked for weighing down the allocator code. - Fix the random(9) manpage. - Loadable modules are not present for now. These will be re-engineered when the dust settles. - Use macros for locks. - Fix comments.
* src/share/man/... - Update the man pages.
* src/etc/... - The startup/shutdown work is done in D2924.
* src/UPDATING - Add UPDATING announcement.
* src/sys/dev/random/build.sh - Add copyright. - Add libz for unit tests.
* src/sys/dev/random/dummy.c - Remove; no longer needed. Functionality incorporated into randomdev.*.
* live_entropy_sources.c live_entropy_sources.h - Remove; content moved. - move content to randomdev.[ch] and optimise.
* src/sys/dev/random/random_adaptors.c src/sys/dev/random/random_adaptors.h - Remove; plugability is no longer used. Compile-time algorithm selection is the way to go.
* src/sys/dev/random/random_harvestq.c src/sys/dev/random/random_harvestq.h - Add early (re)boot-time randomness caching.
* src/sys/dev/random/randomdev_soft.c src/sys/dev/random/randomdev_soft.h - Remove; no longer needed.
* src/sys/dev/random/uint128.h - Provide a fake uint128_t; if a real one ever arrived, we can use that instead. All that is needed here is N=0, N++, N==0, and some localised trickery is used to manufacture a 128-bit 0ULLL.
* src/sys/dev/random/unit_test.c src/sys/dev/random/unit_test.h - Improve unit tests; previously the testing human needed clairvoyance; now the test will do a basic check of compressibility. Clairvoyant talent is still a good idea. - This is still a long way off a proper unit test.
* src/sys/dev/random/fortuna.c src/sys/dev/random/fortuna.h - Improve messy union to just uint128_t. - Remove unneeded 'static struct fortuna_start_cache'. - Tighten up up arithmetic. - Provide a method to allow eternal junk to be introduced; harden it against blatant by compress/hashing. - Assert that locks are held correctly. - Fix the nasty pre- and post-read overloading by providing explictit functions to do these tasks. - Turn into self-sufficient module (no longer requires randomdev_soft.[ch])
* src/sys/dev/random/yarrow.c src/sys/dev/random/yarrow.h - Improve messy union to just uint128_t. - Remove unneeded 'staic struct start_cache'. - Tighten up up arithmetic. - Provide a method to allow eternal junk to be introduced; harden it against blatant by compress/hashing. - Assert that locks are held correctly. - Fix the nasty pre- and post-read overloading by providing explictit functions to do these tasks. - Turn into self-sufficient module (no longer requires randomdev_soft.[ch]) - Fix some magic numbers elsewhere used as FAST and SLOW.
Differential Revision: https://reviews.freebsd.org/D2025 Reviewed by: vsevolod,delphij,rwatson,trasz,jmg Approved by: so (delphij)
|
278950 |
18-Feb-2015 |
delphij |
- fortuna.c: catch up with r278927 and fix a buffer overflow by using the temporary buffer when remaining space is not enough to hold a whole block. - yarrow.c: add a comment that we intend to change the code and remove memcpy's in the future. (*)
Requested by: markm (*) Reviewed by: markm Approved by: so (self)
|
278927 |
17-Feb-2015 |
jmg |
Fix a bug where this function overflowed it's buffer... This was causing ZFS panics on boot...
This is purely reviewed and tested by peter.
Reviewed by: peter Approved by: so (implicit), peter
|
278907 |
17-Feb-2015 |
jmg |
When the new random adaptor code was brought it in r273872, a call to randomdev_init_reader to change read_random over to the newly installed adaptor was missed. This means both read_random and arc4random (seeded from read_random) were not returning very random data. This also effects userland arc4random as it is seeded from kernel arc4random.
The random devices are uneffected and have returned good randomness since the change.
All keys generated with a kernel of r273872 must be regenerated with a kernel with this patch. Keys generated may be predictable.
Remove the warning as log is too early to print anything, and it would always get printed due to early use of arc4random...
Reviewed by: delphij, markm Approved by: so (delphij)
|
274381 |
11-Nov-2014 |
kib |
Update comment.
Noted by: dim Approved by: secteam (des) MFC after: 4 days
|
274340 |
10-Nov-2014 |
des |
Constify the AES code and propagate to consumers. This allows us to update the Fortuna code to use SHAd-256 as defined in FS&K.
Approved by: so (self)
|
274252 |
07-Nov-2014 |
kib |
Fix random.ko module. - Remove duplicated sources between standard part of the kernel and module. In particular, it caused duplicated lock initialization and sysctl registration, both having bad consequences. - Add missed source files to module. - Static part of the kernel provides randomdev module, not random_adaptors. Correct dependencies. - Use cdev modules declaration macros.
Approved by: secteam (delphij) Reviewed by: markm
|
274250 |
07-Nov-2014 |
kib |
Simplify assembler in ivy.c. Move the copying of the random bits into buffer from asm to C, which reduces amount of arguments for inline asm and simplifies constraints. Use unsigned types consistently.
Submitted by: bde Approved by: secteam (delphij) Reviewed by: markm MFC after: 1 week
|
274103 |
04-Nov-2014 |
des |
When reseeding the DPRNG, we're supposed to hash the current key and some accumulated entropy twice and use that as the new key. Due to a typo, we were using the output of the first hash round instead of the second. Correct this, but eliminate temp[] since we can reuse hash[]. Also add comments explaining what is going on and why.
Noticed by: Sami Farin <sami.farin@gmail.com> Reviewed by: markm@ Approved by: so (des)
|
274006 |
03-Nov-2014 |
delphij |
Don't assert random_adaptors_lock in random_adaptor_read_rate().
Reported by: many Pointy hat to: delphij (for not testing the commit with WITNESS) Approved by: so
|
273997 |
02-Nov-2014 |
delphij |
- Make sure random_adaptor accesses happen only when random_adaptors_lock is held. - Use sx_sleep instead of tsleep in read and write path to allow another thread that registers a new random adapter when waiting. Assert that random_adaptor is not NULL after reacquiring the lock. - Capture EINTR/ERESTART from sx_sleep to allow the blocking cycle be stopped when user requests so, while there also make short read/write's return 0. - Move M_WAITOK allocations out of lock scope.
In collobration with: kib, markm, ian, jilles Reviewed by: kib, markm Approved by: so
|
273958 |
02-Nov-2014 |
des |
Restore the auto-reseed logic, but move it to a much later point, immediately before kick_init.
Approved by: so (self)
|
273872 |
30-Oct-2014 |
markm |
This is the much-discussed major upgrade to the random(4) device, known to you all as /dev/random.
This code has had an extensive rewrite and a good series of reviews, both by the author and other parties. This means a lot of code has been simplified. Pluggable structures for high-rate entropy generators are available, and it is most definitely not the case that /dev/random can be driven by only a hardware souce any more. This has been designed out of the device. Hardware sources are stirred into the CSPRNG (Yarrow, Fortuna) like any other entropy source. Pluggable modules may be written by third parties for additional sources.
The harvesting structures and consequently the locking have been simplified. Entropy harvesting is done in a more general way (the documentation for this will follow). There is some GREAT entropy to be had in the UMA allocator, but it is disabled for now as messing with that is likely to annoy many people.
The venerable (but effective) Yarrow algorithm, which is no longer supported by its authors now has an alternative, Fortuna. For now, Yarrow is retained as the default algorithm, but this may be changed using a kernel option. It is intended to make Fortuna the default algorithm for 11.0. Interested parties are encouraged to read ISBN 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and Kohno for Fortuna's gory details. Heck, read it anyway.
Many thanks to Arthur Mesh who did early grunt work, and who got caught in the crossfire rather more than he deserved to.
My thanks also to folks who helped me thresh this out on whiteboards and in the odd "Hallway track", or otherwise.
My Nomex pants are on. Let the feedback commence!
Reviewed by: trasz,des(partial),imp(partial?),rwatson(partial?) Approved by: so(des)
|
273027 |
13-Oct-2014 |
np |
Make sure correct object code is generated at -O0.
Submitted by: grehan@ Approved by: so@ (des) MFC after: 1 month
|
267984 |
27-Jun-2014 |
delphij |
Use Intel's official name (Secure Key) per IntelĀ® Digital Random Number Generator (DRNG) Software Implementation Guide.
Reviewed by: kib Approved by: so MFC after: 2 weeks
|
264969 |
26-Apr-2014 |
markm |
Correctly set the sysctl format to Alphanumeric, rather than letting it default.
Approved by: security-officer(des)
|
257525 |
01-Nov-2013 |
adrian |
Convert the random entropy harvesting code to use a const void * pointer rather than just void *.
Then, as part of this, convert a couple of mbuf m->m_data accesses to mtod(m, const void *).
Reviewed by: markm Approved by: security-officer (delphij) Sponsored by: Netflix, Inc.
|
256670 |
17-Oct-2013 |
kib |
Utilize the stronger guarantees on the call arguments from the harvester, which now always calls hwrngs with the buffer length multiple of the word size. This allows to remove the excessive memory accesses to temporary buffer when saving the entropy word.
Streamline the assembly and unify it between i386 and amd64.
Reviewed by: markm, des Approved by: so (des) Sponsored by: The FreeBSD Foundation MFC after: 2 weeks
|
256412 |
13-Oct-2013 |
markm |
There is an issue (not seen in our testing) where "yarrow" and "dummy" switch priorities, and the users are left with no usable /dev/random. The fix assigns priories to these and gives the users what they want. The override tuneable has a stupid name (blame me!) and this fixes it to be something that 'sysctl kern.random' emits and is the right thing to set.
Approved by: re (gjb) Approved by: secteam (cperciva)
|
256377 |
12-Oct-2013 |
markm |
Merge from project branch. Uninteresting commits are trimmed.
Refactor of /dev/random device. Main points include:
* Userland seeding is no longer used. This auto-seeds at boot time on PC/Desktop setups; this may need some tweeking and intelligence from those folks setting up embedded boxes, but the work is believed to be minimal.
* An entropy cache is written to /entropy (even during installation) and the kernel uses this at next boot.
* An entropy file written to /boot/entropy can be loaded by loader(8)
* Hardware sources such as rdrand are fed into Yarrow, and are no longer available raw.
------------------------------------------------------------------------ r256240 | des | 2013-10-09 21:14:16 +0100 (Wed, 09 Oct 2013) | 4 lines
Add a RANDOM_RWFILE option and hide the entropy cache code behind it. Rename YARROW_RNG and FORTUNA_RNG to RANDOM_YARROW and RANDOM_FORTUNA. Add the RANDOM_* options to LINT.
------------------------------------------------------------------------ r256239 | des | 2013-10-09 21:12:59 +0100 (Wed, 09 Oct 2013) | 2 lines
Define RANDOM_PURE_RNDTEST for rndtest(4).
------------------------------------------------------------------------ r256204 | des | 2013-10-09 18:51:38 +0100 (Wed, 09 Oct 2013) | 2 lines
staticize struct random_hardware_source
------------------------------------------------------------------------ r256203 | markm | 2013-10-09 18:50:36 +0100 (Wed, 09 Oct 2013) | 2 lines
Wrap some policy-rich code in 'if NOTYET' until we can thresh out what it really needs to do.
------------------------------------------------------------------------ r256184 | des | 2013-10-09 10:13:12 +0100 (Wed, 09 Oct 2013) | 2 lines
Re-add /dev/urandom for compatibility purposes.
------------------------------------------------------------------------ r256182 | des | 2013-10-09 10:11:14 +0100 (Wed, 09 Oct 2013) | 3 lines
Add missing include guards and move the existing ones out of the implementation namespace.
------------------------------------------------------------------------ r256168 | markm | 2013-10-08 23:14:07 +0100 (Tue, 08 Oct 2013) | 10 lines
Fix some just-noticed problems:
o Allow this to work with "nodevice random" by fixing where the MALLOC pool is defined.
o Fix the explicit reseed code. This was correct as submitted, but in the project branch doesn't need to set the "seeded" bit as this is done correctly in the "unblock" function.
o Remove some debug ifdeffing.
o Adjust comments.
------------------------------------------------------------------------ r256159 | markm | 2013-10-08 19:48:11 +0100 (Tue, 08 Oct 2013) | 6 lines
Time to eat crow for me.
I replaced the sx_* locks that Arthur used with regular mutexes; this turned out the be the wrong thing to do as the locks need to be sleepable. Revert this folly.
# Submitted by: Arthur Mesh <arthurmesh@gmail.com> (In original diff)
------------------------------------------------------------------------ r256138 | des | 2013-10-08 12:05:26 +0100 (Tue, 08 Oct 2013) | 10 lines
Add YARROW_RNG and FORTUNA_RNG to sys/conf/options.
Add a SYSINIT that forces a reseed during proc0 setup, which happens fairly late in the boot process.
Add a RANDOM_DEBUG option which enables some debugging printf()s.
Add a new RANDOM_ATTACH entropy source which harvests entropy from the get_cyclecount() delta across each call to a device attach method.
------------------------------------------------------------------------ r256135 | markm | 2013-10-08 07:54:52 +0100 (Tue, 08 Oct 2013) | 8 lines
Debugging. My attempt at EVENTHANDLER(multiuser) was a failure; use EVENTHANDLER(mountroot) instead.
This means we can't count on /var being present, so something will need to be done about harvesting /var/db/entropy/... .
Some policy now needs to be sorted out, and a pre-sync cache needs to be written, but apart from that we are now ready to go.
Over to review.
------------------------------------------------------------------------ r256094 | markm | 2013-10-06 23:45:02 +0100 (Sun, 06 Oct 2013) | 8 lines
Snapshot.
Looking pretty good; this mostly works now. New code includes:
* Read cached entropy at startup, both from files and from loader(8) preloaded entropy. Failures are soft, but announced. Untested.
* Use EVENTHANDLER to do above just before we go multiuser. Untested.
------------------------------------------------------------------------ r256088 | markm | 2013-10-06 14:01:42 +0100 (Sun, 06 Oct 2013) | 2 lines
Fix up the man page for random(4). This mainly removes no-longer-relevant details about HW RNGs, reseeding explicitly and user-supplied entropy.
------------------------------------------------------------------------ r256087 | markm | 2013-10-06 13:43:42 +0100 (Sun, 06 Oct 2013) | 6 lines
As userland writing to /dev/random is no more, remove the "better than nothing" bootstrap mode.
Add SWI harvesting to the mix.
My box seeds Yarrow by itself in a few seconds! YMMV; more to follow.
------------------------------------------------------------------------ r256086 | markm | 2013-10-06 13:40:32 +0100 (Sun, 06 Oct 2013) | 11 lines
Debug run. This now works, except that the "live" sources haven't been tested. With all sources turned on, this unlocks itself in a couple of seconds! That is no my box, and there is no guarantee that this will be the case everywhere.
* Cut debug prints.
* Use the same locks/mutexes all the way through.
* Be a tad more conservative about entropy estimates.
------------------------------------------------------------------------ r256084 | markm | 2013-10-06 13:35:29 +0100 (Sun, 06 Oct 2013) | 5 lines
Don't use the "real" assembler mnemonics; older compilers may not understand them (like when building CURRENT on 9.x).
# Submitted by: Konstantin Belousov <kostikbel@gmail.com>
------------------------------------------------------------------------ r256081 | markm | 2013-10-06 10:55:28 +0100 (Sun, 06 Oct 2013) | 12 lines
SNAPSHOT.
Simplify the malloc pools; We only need one for this device.
Simplify the harvest queue.
Marginally improve the entropy pool hashing, making it a bit faster in the process.
Connect up the hardware "live" source harvesting. This is simplistic for now, and will need to be made rate-adaptive.
All of the above passes a compile test but needs to be debugged.
------------------------------------------------------------------------ r256042 | markm | 2013-10-04 07:55:06 +0100 (Fri, 04 Oct 2013) | 25 lines
Snapshot. This passes the build test, but has not yet been finished or debugged.
Contains:
* Refactor the hardware RNG CPU instruction sources to feed into the software mixer. This is unfinished. The actual harvesting needs to be sorted out. Modified by me (see below).
* Remove 'frac' parameter from random_harvest(). This was never used and adds extra code for no good reason.
* Remove device write entropy harvesting. This provided a weak attack vector, was not very good at bootstrapping the device. To follow will be a replacement explicit reseed knob.
* Separate out all the RANDOM_PURE sources into separate harvest entities. This adds some secuity in the case where more than one is present.
* Review all the code and fix anything obviously messy or inconsistent. Address som review concerns while I'm here, like rename the pseudo-rng to 'dummy'.
# Submitted by: Arthur Mesh <arthurmesh@gmail.com> (the first item)
------------------------------------------------------------------------ r255319 | markm | 2013-09-06 18:51:52 +0100 (Fri, 06 Sep 2013) | 4 lines
Yarrow wants entropy estimations to be conservative; the usual idea is that if you are certain you have N bits of entropy, you declare N/2.
------------------------------------------------------------------------ r255075 | markm | 2013-08-30 18:47:53 +0100 (Fri, 30 Aug 2013) | 4 lines
Remove short-lived idea; thread to harvest (eg) RDRAND enropy into the usual harvest queues. It was a nifty idea, but too heavyweight.
# Submitted by: Arthur Mesh <arthurmesh@gmail.com>
------------------------------------------------------------------------ r255071 | markm | 2013-08-30 12:42:57 +0100 (Fri, 30 Aug 2013) | 4 lines
Separate out the Software RNG entropy harvesting queue and thread into its own files.
# Submitted by: Arthur Mesh <arthurmesh@gmail.com>
------------------------------------------------------------------------ r254934 | markm | 2013-08-26 20:07:03 +0100 (Mon, 26 Aug 2013) | 2 lines
Remove the short-lived namei experiment.
------------------------------------------------------------------------ r254928 | markm | 2013-08-26 19:35:21 +0100 (Mon, 26 Aug 2013) | 2 lines
Snapshot; Do some running repairs on entropy harvesting. More needs to follow.
------------------------------------------------------------------------ r254927 | markm | 2013-08-26 19:29:51 +0100 (Mon, 26 Aug 2013) | 15 lines
Snapshot of current work;
1) Clean up namespace; only use "Yarrow" where it is Yarrow-specific or close enough to the Yarrow algorithm. For the rest use a neutral name.
2) Tidy up headers; put private stuff in private places. More could be done here.
3) Streamline the hashing/encryption; no need for a 256-bit counter; 128 bits will last for long enough.
There are bits of debug code lying around; these will be removed at a later stage.
------------------------------------------------------------------------ r254784 | markm | 2013-08-24 14:54:56 +0100 (Sat, 24 Aug 2013) | 39 lines
1) example (partially humorous random_adaptor, that I call "EXAMPLE") * It's not meant to be used in a real system, it's there to show how the basics of how to create interfaces for random_adaptors. Perhaps it should belong in a manual page
2) Move probe.c's functionality in to random_adaptors.c * rename random_ident_hardware() to random_adaptor_choose()
3) Introduce a new way to choose (or select) random_adaptors via tunable "rngs_want" It's a list of comma separated names of adaptors, ordered by preferences. I.e.: rngs_want="yarrow,rdrand"
Such setting would cause yarrow to be preferred to rdrand. If neither of them are available (or registered), then system will default to something reasonable (currently yarrow). If yarrow is not present, then we fall back to the adaptor that's first on the list of registered adaptors.
4) Introduce a way where RNGs can play a role of entropy source. This is mostly useful for HW rngs.
The way I envision this is that every HW RNG will use this functionality by default. Functionality to disable this is also present. I have an example of how to use this in random_adaptor_example.c (see modload event, and init function)
5) fix kern.random.adaptors from kern.random.adaptors: yarrowpanicblock to kern.random.adaptors: yarrow,panic,block
6) add kern.random.active_adaptor to indicate currently selected adaptor: root@freebsd04:~ # sysctl kern.random.active_adaptor kern.random.active_adaptor: yarrow
# Submitted by: Arthur Mesh <arthurmesh@gmail.com>
Submitted by: Dag-Erling SmĆørgrav <des@FreeBSD.org>, Arthur Mesh <arthurmesh@gmail.com> Reviewed by: des@FreeBSD.org Approved by: re (delphij) Approved by: secteam (des,delphij)
|
256157 |
08-Oct-2013 |
dim |
Now our binutils's assembler supports the Intel Random Number Generator extensions, we can change the .byte directives in sys/dev/random/ivy.c to plain 'rdrand' mnemonics. This already worked for clang users, but now it will also work for gcc users.
Approved by: re (kib) Approved by: so (des) MFC after: 1 week
|
255391 |
08-Sep-2013 |
markm |
Fix verbose output line; needs <NL>
Submitted by: Sean Bruno <sean_bruno@yahoo.com> Approved by: re (glebius)
|
255379 |
07-Sep-2013 |
markm |
Fix the build; Certain linkable symbols need to always be present.
Pass the pointy hat please.
Also unblock the software (Yarrow) generator for now. This will be reverted; Yarrow needs to block until secure, not this behaviour of serving as soon as asked.
Folks with specific requiremnts will be able to (can!) unblock this device with any write, and are encouraged to do so in /etc/rc.d/* scripting. ("Any" in this case could be "echo '' > /dev/random" as root).
|
255362 |
07-Sep-2013 |
markm |
Bring in some behind-the-scenes development, mainly By Arthur Mesh, the rest by me.
o Namespace cleanup; the Yarrow name is now restricted to where it really applies; this is in anticipation of being augmented or replaced by Fortuna in the future. Fortuna is mentioned, but behind #if logic, and is ignorable for now.
o The harvest queue is pulled out into its own modules.
o Entropy harvesting is emproved, both by being made more conservative, and by separating (a bit!) the sources. Available entropy crumbs are marginally improved.
o Selection of sources is made clearer. With recent revelations, this will receive more work in the weeks and months to come.
Submitted by: Arthur Mesh (partly) <arthurmesh@gmail.com>
|
254147 |
09-Aug-2013 |
obrien |
* Add random_adaptors.[ch] which is basically a store of random_adaptor's. random_adaptor is basically an adapter that plugs in to random(4). random_adaptor can only be plugged in to random(4) very early in bootup. Unplugging random_adaptor from random(4) is not supported, and is probably a bad idea anyway, due to potential loss of entropy pools. We currently have 3 random_adaptors: + yarrow + rdrand (ivy.c) + nehemeiah
* Remove platform dependent logic from probe.c, and move it into corresponding registration routines of each random_adaptor provider. probe.c doesn't do anything other than picking a specific random_adaptor from a list of registered ones.
* If the kernel doesn't have any random_adaptor adapters present then the creation of /dev/random is postponed until next random_adaptor is kldload'ed.
* Fix randomdev_soft.c to refer to its own random_adaptor, instead of a system wide one.
Submitted by: arthurmesh@gmail.com, obrien Obtained from: Juniper Networks Reviewed by: so (des)
|
253845 |
31-Jul-2013 |
obrien |
Back out r253779 & r253786.
|
253786 |
29-Jul-2013 |
obrien |
Decouple yarrow from random(4) device.
* Make Yarrow an optional kernel component -- enabled by "YARROW_RNG" option. The files sha2.c, hash.c, randomdev_soft.c and yarrow.c comprise yarrow.
* random(4) device doesn't really depend on rijndael-*. Yarrow, however, does.
* Add random_adaptors.[ch] which is basically a store of random_adaptor's. random_adaptor is basically an adapter that plugs in to random(4). random_adaptor can only be plugged in to random(4) very early in bootup. Unplugging random_adaptor from random(4) is not supported, and is probably a bad idea anyway, due to potential loss of entropy pools. We currently have 3 random_adaptors: + yarrow + rdrand (ivy.c) + nehemeiah
* Remove platform dependent logic from probe.c, and move it into corresponding registration routines of each random_adaptor provider. probe.c doesn't do anything other than picking a specific random_adaptor from a list of registered ones.
* If the kernel doesn't have any random_adaptor adapters present then the creation of /dev/random is postponed until next random_adaptor is kldload'ed.
* Fix randomdev_soft.c to refer to its own random_adaptor, instead of a system wide one.
Submitted by: arthurmesh@gmail.com, obrien Obtained from: Juniper Networks Reviewed by: obrien
|
253779 |
29-Jul-2013 |
obrien |
Decouple yarrow from random(4) device.
* Make Yarrow an optional kernel component -- enabled by "YARROW_RNG" option. The files sha2.c, hash.c, randomdev_soft.c and yarrow.c comprise yarrow.
* random(4) device doesn't really depend on rijndael-*. Yarrow, however, does.
* Add random_adaptors.[ch] which is basically a store of random_adaptor's. random_adaptor is basically an adapter that plugs in to random(4). random_adaptor can only be plugged in to random(4) very early in bootup. Unplugging random_adaptor from random(4) is not supported, and is probably a bad idea anyway, due to potential loss of entropy pools. We currently have 3 random_adaptors: + yarrow + rdrand (ivy.c) + nehemeiah
* Remove platform dependent logic from probe.c, and move it into corresponding registration routines of each random_adaptor provider. probe.c doesn't do anything other than picking a specific random_adaptor from a list of registered ones.
* If the kernel doesn't have any random_adaptor adapters present then the creation of /dev/random is postponed until next random_adaptor is kldload'ed.
* Fix randomdev_soft.c to refer to its own random_adaptor, instead of a system wide one.
Submitted by: arthurmesh@gmail.com, obrien Obtained from: Juniper Networks Reviewed by: obrien
|
253122 |
09-Jul-2013 |
obrien |
Refactor random_systat to be a *random_systat. This avoids unnecessary structure copying in random_ident_hardware(). This change will also help further modularization of random(4) subsystem.
Submitted by: arthurmesh@gmail.com Reviewed by: obrien Obtained from: Juniper Networks
|
249631 |
19-Apr-2013 |
ache |
Attempt to mitigate poor initialization of arc4 by one-shot reinitialization from yarrow right after good entropy is harvested.
Approved by: secteam (delphij) MFC after: 1 week
|
247799 |
04-Mar-2013 |
davide |
MFcalloutng (r236314 by mav): Specify that wakeup rate of 7.5-10Hz is enough for yarrow harvesting thread.
Sponsored by: Google Summer of Code 2012, iXsystems inc. Tested by: flo, marius, ian, markj, Fabian Keil
|
247334 |
26-Feb-2013 |
delphij |
Correct a typo introduced in r153575, which gives inverted logic when handling blocking semantics when seeding.
PR: kern/143298 Submitted by: James Juran <james juran baesystems com> Reviewed by: markm MFC after: 3 days
|
240455 |
13-Sep-2012 |
kib |
Rename the IVY_RNG option to RDRAND_RNG.
Based on submission by: Arthur Mesh <arthurmesh@gmail.com> MFC after: 2 weeks
|
240135 |
05-Sep-2012 |
kib |
Add support for new Intel on-CPU Bull Mountain random number generator, found on IvyBridge and supposedly later CPUs, accessible with RDRAND instruction.
From the Intel whitepapers and articles about Bull Mountain, it seems that we do not need to perform post-processing of RDRAND results, like AES-encryption of the data with random IV and keys, which was done for Padlock. Intel claims that sanitization is performed in hardware.
Make both Padlock and Bull Mountain random generators support code covered by kernel config options, for the benefit of people who prefer minimal kernels. Also add the tunables to disable hardware generator even if detected.
Reviewed by: markm, secteam (simon) Tested by: bapt, Michael Moll <kvedulv@kvedulv.de> MFC after: 3 weeks
|
230426 |
21-Jan-2012 |
kib |
Add support for the extended FPU states on amd64, both for native 64bit and 32bit ABIs. As a side-effect, it enables AVX on capable CPUs.
In particular:
- Query the CPU support for XSAVE, list of the supported extensions and the required size of FPU save area. The hw.use_xsave tunable is provided for disabling XSAVE, and hw.xsave_mask may be used to select the enabled extensions.
- Remove the FPU save area from PCB and dynamically allocate the (run-time sized) user save area on the top of the kernel stack, right above the PCB. Reorganize the thread0 PCB initialization to postpone it after BSP is queried for save area size.
- The dumppcb, stoppcbs and susppcbs now do not carry the FPU state as well. FPU state is only useful for suspend, where it is saved in dynamically allocated suspfpusave area.
- Use XSAVE and XRSTOR to save/restore FPU state, if supported and enabled.
- Define new mcontext_t flag _MC_HASFPXSTATE, indicating that mcontext_t has a valid pointer to out-of-struct extended FPU state. Signal handlers are supplied with stack-allocated fpu state. The sigreturn(2) and setcontext(2) syscall honour the flag, allowing the signal handlers to inspect and manipilate extended state in the interrupted context.
- The getcontext(2) never returns extended state, since there is no place in the fixed-sized mcontext_t to place variable-sized save area. And, since mcontext_t is embedded into ucontext_t, makes it impossible to fix in a reasonable way. Instead of extending getcontext(2) syscall, provide a sysarch(2) facility to query extended FPU state.
- Add ptrace(2) support for getting and setting extended state; while there, implement missed PT_I386_{GET,SET}XMMREGS for 32bit binaries.
- Change fpu_kern KPI to not expose struct fpu_kern_ctx layout to consumers, making it opaque. Internally, struct fpu_kern_ctx now contains a space for the extended state. Convert in-kernel consumers of fpu_kern KPI both on i386 and amd64.
First version of the support for AVX was submitted by Tim Bird <tim.bird am sony com> on behalf of Sony. This version was written from scratch.
Tested by: pho (previous version), Yamagi Burmeister <lists yamagi org> MFC after: 1 month
|
230230 |
16-Jan-2012 |
das |
Generate a warning if the kernel's arc4random() is seeded with bogus entropy.
|
229887 |
09-Jan-2012 |
jkim |
Enable hardware RNG for VIA Nano processors.
PR: kern/163974
|
218909 |
21-Feb-2011 |
brucec |
Fix typos - remove duplicate "the".
PR: bin/154928 Submitted by: Eitan Adler <lists at eitanadler.com> MFC after: 3 days
|
216952 |
04-Jan-2011 |
kib |
Finish r210923, 210926. Mark some devices as eternal.
MFC after: 2 weeks
|
208834 |
05-Jun-2010 |
kib |
Use the fpu_kern_enter() interface to properly separate usermode FPU context from in-kernel execution of padlock instructions and to handle spurious FPUDNA exceptions that sometime are raised when doing padlock calculations.
Globally mark crypto(9) kthread as using FPU.
Reviewed by: pjd Hardware provided by: Sentex Communications Tested by: pho PR: amd64/135014 MFC after: 1 month
|
192774 |
25-May-2009 |
markm |
There is rubbish here It is time to take it out Now it is cleaner
|
185254 |
24-Nov-2008 |
cperciva |
Make sure arc4random(9) is properly seeded when /etc/rc.d/initrandom returns.
Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-08:11.arc4random
|
174073 |
29-Nov-2007 |
simon |
Correct a random value disclosure in random(4).
Security: FreeBSD-SA-07:09.random
|
172836 |
20-Oct-2007 |
julian |
Rename the kthread_xxx (e.g. kthread_create()) calls to kproc_xxx as they actually make whole processes. Thos makes way for us to add REAL kthread_create() and friends that actually make theads. it turns out that most of these calls actually end up being moved back to the thread version when it's added. but we need to make this cosmetic change first.
I'd LOVE to do this rename in 7.0 so that we can eventually MFC the new kthread_xxx() calls.
|
170067 |
28-May-2007 |
rwatson |
Don't save SYSCTL_ADD_*() results in a local variable just to throw them away; preserve the ones that are needed for further calls in the init function and ignore the rest entirely.
Found with: Coverity Prevent(tm) CID: 563
|
170025 |
27-May-2007 |
rwatson |
Rather than repeatedly setting and discarding local variable 'o' based on the return values of various run-time sysctl additions, just ignore the return value.
Found with: Coverity Prevent(tm) CID: 562
|
167086 |
27-Feb-2007 |
jhb |
Use pause() rather than tsleep() on stack variables and function pointers.
|
164033 |
06-Nov-2006 |
rwatson |
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking.
Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
160326 |
13-Jul-2006 |
mr |
Now even more style(9)ish.
Submitted by: pjd
|
160325 |
13-Jul-2006 |
mr |
Use the already stored VIA RNG probe information instead of probing again. Adjust style(9) somewhat in probe.c
Reviewed by: pjd MFC after: 1 week
|
160311 |
12-Jul-2006 |
mr |
Use the already stored VIA RNG probe information instead of probing again.
MFC after: 1 week
|
157815 |
17-Apr-2006 |
jhb |
Change msleep() and tsleep() to not alter the calling thread's priority if the specified priority is zero. This avoids a race where the calling thread could read a snapshot of it's current priority, then a different thread could change the first thread's priority, then the original thread would call sched_prio() inside msleep() undoing the change made by the second thread. I used a priority of zero as no thread that calls msleep() or tsleep() should be specifying a priority of zero anyway.
The various places that passed 'curthread->td_priority' or some variant as the priority now pass 0.
|
153575 |
20-Dec-2005 |
ps |
Remove GIANT from device random.
Submitted by: ups
|
146797 |
30-May-2005 |
scottl |
malloc.h relies on param.h for a definition of MAXCPU. I guess that there is other header pollution that makes this work right now, but it falls over when doing a RELENG_5 -> HEAD upgrade.
|
144291 |
29-Mar-2005 |
markm |
Revert to the more correct array size, and correct a KASSERT to only allow proper values. ENTROPYSOURCE is a maxval+1, not an allowable number.
Suggested loose protons in the solution: phk Prefers to keep the pH close to seven: markm
|
143793 |
18-Mar-2005 |
phk |
Fix off-by-one (too little!) array size problem.
Detected by: Coverity (ID#661)
|
143418 |
11-Mar-2005 |
ume |
stop including rijndael-api-fst.h from rijndael.h. this is required to integrate opencrypto into crypto.
|
143063 |
02-Mar-2005 |
joerg |
netchild's mega-patch to isolate compiler dependencies into a central place.
This moves the dependency on GCC's and other compiler's features into the central sys/cdefs.h file, while the individual source files can then refer to #ifdef __COMPILER_FEATURE_FOO where they by now used to refer to #if __GNUC__ > 3.1415 && __BARC__ <= 42.
By now, GCC and ICC (the Intel compiler) have been actively tested on IA32 platforms by netchild. Extension to other compilers is supposed to be possible, of course.
Submitted by: netchild Reviewed by: various developers on arch@, some time ago
|
141405 |
06-Feb-2005 |
iedowse |
Check that we have at least a 586-class CPU before calling do_cpuid(). This fixes booting on a number of 486 processors.
PR: i386/75686 Reviewed by: markm MFC after: 1 week
|
139194 |
22-Dec-2004 |
phk |
Check O_NONBLOCK not IO_NDELAY.
Don't include vnode.h
|
137276 |
05-Nov-2004 |
jhb |
Don't change the priority to PUSER when sleeping, just keep the current priority.
|
137152 |
03-Nov-2004 |
rwatson |
(1) Move from O(n) list copies to O(1) list concatenation, which is supported for STAILQ via STAILQ_CONCAT().
(2) Maintain a count of the number of entries in the thread-local entropy fifo so that we can keep the other fifo counts in synch.
MFC after: 3 weeks MFC with: randomdev_soft.c revisions 1.5 and 1.6 Suggested by: jhb (1)
|
136672 |
18-Oct-2004 |
rwatson |
Annotate that get_cyclecount() can be expensive on some platforms, which juxtaposes nicely with the comment just above on how the harvest function must be cheap.
|
136434 |
12-Oct-2004 |
rwatson |
Assert that the entropy source category provided by a caller submitting entropy is valid, as an invalid source will cause dereferencing of an array of queues to an incorrect memory location.
|
136338 |
09-Oct-2004 |
rwatson |
Modify entropy harvesting locking strategy:
- Trade off granularity to reduce overhead, since the current model doesn't appear to reduce contention substantially: move to a single harvest mutex protecting harvesting queues, rather than one mutex per source plus a mutex for the free list.
- Reduce mutex operations in a harvesting event to 2 from 4, and maintain lockless read to avoid mutex operations if the queue is full.
- When reaping harvested entries from the queue, move all entries from the queue at once, and when done with them, insert them all into a thread-local queue for processing; then insert them all into the empty fifo at once. This reduces O(4n) mutex operations to O(2) mutex operations per wakeup.
In the future, we may want to look at re-introducing granularity, although perhaps at the granularity of the source rather than the source class; both the new and old strategies would cause contention between different instances of the same source (i.e., multiple network interfaces).
Reviewed by: markm
|
133465 |
11-Aug-2004 |
rwatson |
Perform a lockless read to test whether an entropy havesting fifo is full, avoiding the cost of mutex operations if it is. We re-test once the mutex is acquired to make sure it's still true before doing the -modify-write part of the read-modify-write. Note that due to the maximum fifo depth being pretty deep, this is unlikely to improve harvesting performance yet.
Approved by: markm
|
133036 |
02-Aug-2004 |
markm |
Add module versions.
|
132346 |
18-Jul-2004 |
markm |
Start the entropy device insecure/unblocked. I'll be handing over responsibility for critical randomness requirements (like sshd) to rc.d/*
Requested by: many
|
132199 |
15-Jul-2004 |
phk |
Do a pass over all modules in the kernel and make them return EOPNOTSUPP for unknown events.
A number of modules return EINVAL in this instance, and I have left those alone for now and instead taught MOD_QUIESCE to accept this as "didn't do anything".
|
131398 |
01-Jul-2004 |
jhb |
Trim a few things from the dmesg output and stick them under bootverbose to cut down on the clutter including PCI interrupt routing, MTRR, pcibios, etc.
Discussed with: USENIX Cabal
|
130585 |
16-Jun-2004 |
phk |
Do the dreaded s/dev_t/struct cdev */ Bump __FreeBSD_version accordingly.
|
129876 |
30-May-2004 |
phk |
Add some missing <sys/module.h> includes which are masked by the one on death-row in <sys/kernel.h>
|
128368 |
17-Apr-2004 |
markm |
Add a Davies-Meyer style hash to the output. This is still pure Nehemiah chip, but the work is all done in hardware.
There are three opportunities to add other entropy; the Data Buffer, the Cipher's IV and the Cipher's key. A future commit will exploit these opportunities.
|
128367 |
17-Apr-2004 |
markm |
More removal of the abortive locking code; malloc buffers when needed, rather than potentially reusing contents.
|
128321 |
16-Apr-2004 |
markm |
Attempts to make this device Giant-free were ill-conceived as uiomove(9) is not properly locked. So, return to NEEDGIANT mode. Later, when uiomove is finely locked, I'll revisit.
While I'm here, provide some temporary debugging output to help catch blocking startups.
|
128320 |
16-Apr-2004 |
markm |
Default to harvesting everything. This is to help give a faster startup. harvesting can be turned OFF in etc/rc.d/* if it is a burden.
|
128151 |
12-Apr-2004 |
markm |
Fix "sleeping without a mutex" panic.
|
128109 |
11-Apr-2004 |
nyan |
Fix pc98 build.
|
128059 |
09-Apr-2004 |
markm |
Reorganise the entropy device so that high-yield entropy sources can more easily be used INSTEAD OF the hard-working Yarrow. The only hardware source used at this point is the one inside the VIA C3 Nehemiah (Stepping 3 and above) CPU. More sources will be added in due course. Contributions welcome!
|
126674 |
05-Mar-2004 |
jhb |
kthread_exit() no longer requires Giant, so don't force callers to acquire Giant just to call kthread_exit().
Requested by: many
|
126080 |
21-Feb-2004 |
phk |
Device megapatch 4/6:
Introduce d_version field in struct cdevsw, this must always be initialized to D_VERSION.
Flip sense of D_NOGIANT flag to D_NEEDGIANT, this involves removing four D_NOGIANT flags and adding 145 D_NEEDGIANT flags.
|
125746 |
12-Feb-2004 |
phk |
Correct the cleanup of the alias dev_t for /dev/urandom: being an alias it depends on the aliased dev_t and disappears automatically when that is removed.
Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
|
122917 |
20-Nov-2003 |
markm |
Fix a major faux pas of mine. I was causing 2 very bad things to happen in interrupt context; 1) sleep locks, and 2) malloc/free calls.
1) is fixed by using spin locks instead.
2) is fixed by preallocating a FIFO (implemented with a STAILQ) and using elements from this FIFO instead. This turns out to be rather fast.
OK'ed by: re (scottl) Thanks to: peter, jhb, rwatson, jake Apologies to: *
|
122871 |
17-Nov-2003 |
markm |
Overhaul the entropy device:
o Each source gets its own queue, which is a FIFO, not a ring buffer. The FIFOs are implemented with the sys/queue.h macros. The separation is so that a low entropy/high rate source can't swamp the harvester with low-grade entropy and destroy the reseeds.
o Each FIFO is limited to 256 (set as a macro, so adjustable) events queueable. Full FIFOs are ignored by the harvester. This is to prevent memory wastage, and helps to keep the kernel thread CPU usage within reasonable limits.
o There is no need to break up the event harvesting into ${burst} sized chunks, so retire that feature.
o Break the device away from its roots with the memory device, and allow it to get its major number automagically.
|
122352 |
09-Nov-2003 |
tanimura |
- Implement selwakeuppri() which allows raising the priority of a thread being waken up. The thread waken up can run at a priority as high as after tsleep().
- Replace selwakeup()s with selwakeuppri()s and pass appropriate priorities.
- Add cv_broadcastpri() which raises the priority of the broadcast threads. Used by selwakeuppri() if collision occurs.
Not objected in: -arch, -current
|
121895 |
02-Nov-2003 |
markm |
Make sure we get all user-written input. This simplifies the code considerably.
Submitted by: (forgotten) [I'll happily acknowledge the submitter if he owns up!]
|
119418 |
24-Aug-2003 |
obrien |
Use __FBSDID(). Also some minor style cleanups.
|
117149 |
02-Jul-2003 |
phk |
Change the sleep identifier to "-" where random normally sleeps.
|
111815 |
03-Mar-2003 |
phk |
Gigacommit to improve device-driver source compatibility between branches:
Initialize struct cdevsw using C99 sparse initializtion and remove all initializations to default values.
This patch is automatically generated and has been tested by compiling LINT with all the fields in struct cdevsw in reverse order on alpha, sparc64 and i386.
Approved by: re(scottl)
|
111119 |
19-Feb-2003 |
imp |
Back out M_* changes, per decision of the TRB.
Approved by: trb
|
110404 |
05-Feb-2003 |
ache |
Remove srandom(): 1) It is already called in init_main.c:proc0_post() 2) It is called each time read_random_phony() called, because "initialized" variable is never set to 1.
Approved by: markm
|
109623 |
21-Jan-2003 |
alfred |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
107789 |
12-Dec-2002 |
markm |
Fix a buffer overrun in /dev/random which, due to the nature of the kernel memory allocator, is harmless. This could be a problem for other systems, though. I've modified Darren's patch a little.
Original patch by: Darren Schack, Isilon Systems, Inc <darrens@isilon.com> Also analysed by: SGI, and in particular Divy Le Ray of SGI OK'ed by: re(rwatson)
|
104354 |
02-Oct-2002 |
scottl |
Some kernel threads try to do significant work, and the default KSTACK_PAGES doesn't give them enough stack to do much before blowing away the pcb. This adds MI and MD code to allow the allocation of an alternate kstack who's size can be speficied when calling kthread_create. Passing the value 0 prevents the alternate kstack from being created. Note that the ia64 MD code is missing for now, and PowerPC was only partially written due to the pmap.c being incomplete there. Though this patch does not modify anything to make use of the alternate kstack, acpi and usb are good candidates.
Reviewed by: jake, peter, jhb
|
103765 |
21-Sep-2002 |
markm |
Remove #ifdef'ed Giant mutex wrappers round debugging statements.
|
103763 |
21-Sep-2002 |
markm |
No functional change. Fix comments and whitespace.
|
100082 |
15-Jul-2002 |
markm |
Upgrade the random device to use a "real" hash instead of building one out of a block cipher. This has 2 advantages: 1) The code is _much_ simpler 2) We aren't committing our security to one algorithm (much as we may think we trust AES).
While I'm here, make an explicit reseed do a slow reseed instead of a fast; this is in line with what the original paper suggested.
|
95197 |
21-Apr-2002 |
markm |
Fix really dumb braino of mine; cast a sizeof() to an int, which it is being compared to, not size_t, which it already is.
|
93818 |
04-Apr-2002 |
jhb |
Change callers of mtx_init() to pass in an appropriate lock type name. In most cases NULL is passed, but in some cases such as network driver locks (which use the MTX_NETWORK_LOCK macro) and UMA zone locks, a name is used.
Tested on: i386, alpha, sparc64
|
93593 |
01-Apr-2002 |
jhb |
Change the suser() API to take advantage of td_ucred as well as do a general cleanup of the API. The entire API now consists of two functions similar to the pre-KSE API. The suser() function takes a thread pointer as its only argument. The td_ucred member of this thread must be valid so the only valid thread pointers are curthread and a few kernel threads such as thread0. The suser_cred() function takes a pointer to a struct ucred as its first argument and an integer flag as its second argument. The flag is currently only used for the PRISON_ROOT flag.
Discussed on: smp@
|
91601 |
03-Mar-2002 |
markm |
Provide infrastructure for harvesting SWI entropy.
|
91600 |
03-Mar-2002 |
markm |
Massive lint-inspired cleanup.
Remove unneeded includes. Deal with unused function arguments. Resolve a boatload of signed/unsigned imcompatabilities. Etc.
|
91406 |
27-Feb-2002 |
jhb |
Simple p_ucred -> td_ucred changes to start using the per-thread ucred reference.
|
89170 |
10-Jan-2002 |
msmith |
Staticise the random_state array.
Reviewed by: markm
|
83976 |
26-Sep-2001 |
rwatson |
o Modify open() and close() for /dev/random to use securelevel_gt() instead of direct securelevel variable checks.
Obtained from: TrustedBSD Project
|
83805 |
21-Sep-2001 |
jhb |
Use the passed in thread to selrecord() instead of curthread.
|
83366 |
12-Sep-2001 |
julian |
KSE Milestone 2 Note ALL MODULES MUST BE RECOMPILED make the kernel aware that there are smaller units of scheduling than the process. (but only allow one thread per process at this time). This is functionally equivalent to teh previousl -current except that there is a thread associated with each process.
Sorry john! (your next MFC will be a doosie!)
Reviewed by: peter@freebsd.org, dillon@freebsd.org
X-MFC after: ha ha ha ha
|
83267 |
10-Sep-2001 |
peter |
Fix a minor buglet/typo here that gcc3 complains about.
|
80032 |
20-Jul-2001 |
markm |
Fix type warnings.
PR: 29101
|
76166 |
01-May-2001 |
markm |
Undo part of the tangle of having sys/lock.h and sys/mutex.h included in other "system" header files.
Also help the deprecation of lockmgr.h by making it a sub-include of sys/lock.h and removing sys/lockmgr.h form kernel .c files.
Sort sys/*.h includes where possible in affected files.
OK'ed by: bde (with reservations)
|
74914 |
28-Mar-2001 |
jhb |
Catch up to header include changes: - <sys/mutex.h> now requires <sys/systm.h> - <sys/mutex.h> and <sys/sx.h> now require <sys/lock.h>
|
74908 |
28-Mar-2001 |
markm |
Fix nasty corruption problem where a 64bit variable was being used (overflowed) to catch a 256bit result.
Hard work done by: jhb
|
74810 |
26-Mar-2001 |
phk |
Send the remains (such as I have located) of "block major numbers" to the bit-bucket.
|
74771 |
25-Mar-2001 |
markm |
Allow bog-standard ioctls through. There are really handled in higher layers, but there needs to be a "no-error" return here.
|
74741 |
24-Mar-2001 |
markm |
Silence (harmless) warnings.
|
74072 |
10-Mar-2001 |
markm |
Very large makeover of the /dev/random driver.
o Separate the kernel stuff from the Yarrow algorithm. Yarrow is now well contained in one source file and one header.
o Replace the Blowfish-based crypto routines with Rijndael-based ones. (Rijndael is the new AES algorithm). The huge improvement in Rijndael's key-agility over Blowfish means that this is an extremely dramatic improvement in speed, and makes a heck of a difference in its (lack of) CPU load.
o Clean up the sysctl's. At BDE's prompting, I have gone back to static sysctls.
o Bug fixes. The streamlining of the crypto stuff enabled me to find and fix some bugs. DES also found a bug in the reseed routine which is fixed.
o Change the way reseeds clear "used" entropy. Previously, only the source(s) that caused a reseed were cleared. Now all sources in the relevant pool(s) are cleared.
o Code tidy-up. Mostly to make it (nearly) 80-column compliant.
|
73379 |
03-Mar-2001 |
markm |
Take down a comment that is no longer true.
/dev/random is ready for prime time!
|
72667 |
18-Feb-2001 |
markm |
Provide the infrastructure for sysadmins to select the broad class of entropy harvesting they wish to perform: "ethernet" (LAN), point-to-point and interrupt.
|
72364 |
11-Feb-2001 |
markm |
Make a big improvement to entropy-harvesting speed by not having any locks (only atomic assigns) in the harvest ringbuffer.
|
72200 |
09-Feb-2001 |
bmilekic |
Change and clean the mutex lock interface.
mtx_enter(lock, type) becomes:
mtx_lock(lock) for sleep locks (MTX_DEF-initialized locks) mtx_lock_spin(lock) for spin locks (MTX_SPIN-initialized)
similarily, for releasing a lock, we now have:
mtx_unlock(lock) for MTX_DEF and mtx_unlock_spin(lock) for MTX_SPIN. We change the caller interface for the two different types of locks because the semantics are entirely different for each case, and this makes it explicitly clear and, at the same time, it rids us of the extra `type' argument.
The enter->lock and exit->unlock change has been made with the idea that we're "locking data" and not "entering locked code" in mind.
Further, remove all additional "flags" previously passed to the lock acquire/release routines with the exception of two:
MTX_QUIET and MTX_NOSWITCH
The functionality of these flags is preserved and they can be passed to the lock/unlock routines by calling the corresponding wrappers:
mtx_{lock, unlock}_flags(lock, flag(s)) and mtx_{lock, unlock}_spin_flags(lock, flag(s)) for MTX_DEF and MTX_SPIN locks, respectively.
Re-inline some lock acq/rel code; in the sleep lock case, we only inline the _obtain_lock()s in order to ensure that the inlined code fits into a cache line. In the spin lock case, we inline recursion and actually only perform a function call if we need to spin. This change has been made with the idea that we generally tend to avoid spin locks and that also the spin locks that we do have and are heavily used (i.e. sched_lock) do recurse, and therefore in an effort to reduce function call overhead for some architectures (such as alpha), we inline recursion for this case.
Create a new malloc type for the witness code and retire from using the M_DEV type. The new type is called M_WITNESS and is only declared if WITNESS is enabled.
Begin cleaning up some machdep/mutex.h code - specifically updated the "optimized" inlined code in alpha/mutex.h and wrote MTX_LOCK_SPIN and MTX_UNLOCK_SPIN asm macros for the i386/mutex.h as we presently need those.
Finally, caught up to the interface changes in all sys code.
Contributors: jake, jhb, jasone (in no particular order)
|
72180 |
08-Feb-2001 |
asmodai |
Fix typos: initalise -> initialise.
Initalise is not an english word.
|
71037 |
14-Jan-2001 |
markm |
Remove NOBLOCKRANDOM as a compile-time option. Instead, provide exactly the same functionality via a sysctl, making this feature a run-time option.
The default is 1(ON), which means that /dev/random device will NOT block at startup.
setting kern.random.sys.seeded to 0(OFF) will cause /dev/random to block until the next reseed, at which stage the sysctl will be changed back to 1(ON).
While I'm here, clean up the sysctls, and make them dynamic. Reviewed by: des Tested on Alpha by: obrien
|
70834 |
09-Jan-2001 |
wollman |
select() DKI is now in <sys/selinfo.h>.
|
69526 |
02-Dec-2000 |
markm |
Major speedup to /dev/random and the kernel thread that reseeds it.
There is no more TAILQ fifo to harvest the entropy; instead, there is a circular buffer of constant size (changeable by macro) that pretty dramatically improves the speed and fixes potential slowdowns- by-locking.
Also gone are a slew of malloc(9) and free(9) calls; all harvesting buffers are static.
All-in-all, this is a good performance improvement.
Thanks-to: msmith for the circular buffer concept-code.
|
69198 |
26-Nov-2000 |
markm |
Fix safety-net code. While technically a bug, I'm delighted to see that it has never (apparently) been invoked.
Submitted by: ache
|
69174 |
25-Nov-2000 |
markm |
D'uh. The explicit reseed was happening at the wrong security/privelige levels.
|
69172 |
25-Nov-2000 |
markm |
Greatly improve the boot-up unblocking time of the entropy device.
|
69170 |
25-Nov-2000 |
markm |
More comment changing. Keep documentation in one place.
|
69169 |
25-Nov-2000 |
markm |
Correct a comment. This represents a very minor policy change of my intentions with this code.
|
69168 |
25-Nov-2000 |
markm |
Stop explicitly using nanotime(9) and use the new get_cyclecounter(9) call instead.
This makes a pretty dramatic difference to the amount of work that the harvester needs to do - it is much friendlier on the system. (80386 and 80486 class machines will notice little, as the new get_cyclecounter() call is a wrapper round nanotime(9) for them).
|
67893 |
29-Oct-2000 |
phk |
Move suser() and suser_xxx() prototypes and a related #define from <sys/proc.h> to <sys/systm.h>.
Correctly document the #includes needed in the manpage.
Add one now needed #include of <sys/systm.h>. Remove the consequent 48 unused #includes of <sys/proc.h>.
|
67882 |
29-Oct-2000 |
phk |
Remove unneeded #include <sys/proc.h> lines.
|
67689 |
27-Oct-2000 |
markm |
As the blocking model has seems to be troublesome for many, disable it for now with an option.
This option is already deprecated, and will be removed when the entropy-harvesting code is fast enough to warrant it.
|
67365 |
20-Oct-2000 |
jhb |
Catch up to moving headers: - machine/ipl.h -> sys/ipl.h - machine/mutex.h -> sys/mutex.h
|
67286 |
18-Oct-2000 |
peter |
Attempt to fix the random read blocking. The old code slept at priority "0" and without PCATCH, so it was uninterruptable. And even when it did wake up after entropy arrived, it exited after the wakeup without actually reading the freshly arrived entropy. I sent this to Mark before but it seems he is in transit. Mark: feel free to replace this if it gets in your way.
|
67112 |
14-Oct-2000 |
markm |
After some complaints about the dir names, the random device is now in dirs called sys/*/random/ instead of sys/*/randomdev/*.
Introduce blocking, but only at startup; the random device will block until the first reseed happens to prevent clients from using untrustworthy output.
Provide a read_random() call for the rest of the kernel so that the entropy device does not need to be present. This means that things like IPX no longer need to have "device random" hardcoded into thir kernel config. The downside is that read_random() will provide very poor output until the entropy device is loaded and reseeded. It is recommended that developers do NOT use the read_random() call; instead, they should use arc4random() which internally uses read_random().
Clean up the mutex and locking code a bit; this makes it possible to unload the module again.
|
66155 |
21-Sep-2000 |
markm |
Remove unneeded includes.
Submitted by: phk
|
66044 |
18-Sep-2000 |
rwatson |
Include <sys/proc.h> to silence suser() compiler warning.
Approved by: markm
|
65856 |
14-Sep-2000 |
jhb |
Remove the mtx_t, witness_t, and witness_blessed_t types. Instead, just use struct mtx, struct witness, and struct witness_blessed.
Requested by: bde
|
65775 |
12-Sep-2000 |
markm |
The "struct proc" argument to read_random was ill-conceived, and a hangover from previous experimentation. Remove it. This will clean up gratuitous needs for forward references and other namespace pollution. Moaned about by: bde Brought to my attention by: bp
|
65752 |
11-Sep-2000 |
jhb |
Move the prototypes for random_set_wakeup* from yarrow.c to yarrow.h so that both yarrow.c and harvest.c can use them.
Approved by: markm
|
65712 |
11-Sep-2000 |
jhb |
- Use RFHIGHPID when creating the kthread to get a more sensible pid. - Don't fake walking a tailq. Instead, use a while loop that pulls items off the head of the queue while the queue is not empty.
|
65686 |
10-Sep-2000 |
markm |
Large upgrade to the entropy device; mainly inspired by feedback from many folk.
o The reseed process is now a kthread. With SMPng, kthreads are pre-emptive, so the annoying jerkiness of the mouse is gone.
o The data structures are protected by mutexes now, not splfoo()/splx().
o The cryptographic routines are broken out into their own subroutines. this facilitates review, and possible replacement if that is ever found necessary.
Thanks to: kris, green, peter, jasone, grog, jhb Forgotten to thank: You know who you are; no offense intended.
|
63855 |
25-Jul-2000 |
markm |
o Fix a horrible bug where small reads (< 8 bytes) would return the wrong bytes.
o Improve the public interface; use void* instead of char* or u_int64_t to pass arbitrary data around. Submitted by: kris ("horrible bug")
|
63771 |
23-Jul-2000 |
markm |
Clean this up with some BDE-inspired fixes.
o Make the comments KNF-compliant. o Use nanotime instead of getnanotime; the manpage lies about the kern.timecounter.method - it has been removed. o Fix the ENTROPYSOURCE const permanently. o Make variable names more consistent. o Make function prototypes more consistent.
Some more needs to be done; to follow.
|
63306 |
17-Jul-2000 |
markm |
Add randomness write functionality. This does absolutely nothing for entropy estimation, but causes an immediate reseed after the input (read in sizeof(u_int64_t) chunks) is "harvested".
This will be used in the reboot "reseeder", coming in another commit. This can be used very effectively at any time you think your randomness is compromised; something like
# (ps -gauxwww; netstat -an; dmesg; vmstat -c10 1) > /dev/random
will give the attacker something to think about.
|
62969 |
11-Jul-2000 |
markm |
Storing to a pointer is (effectively) atomic; no need to protect this with splhigh(). However, the entropy-harvesting routine needs pretty serious irq-protection, as it is called out of irq handlers etc.
Clues given by: bde
|
62967 |
11-Jul-2000 |
markm |
I think I need to move the newly static variables to the random_state structure; remind myself in the cooments. Also regroup all the Yarrow variables at the top of the variable list; they are "special". (no functional change).
|
62936 |
11-Jul-2000 |
green |
One should never allocate 4-kilobyte structs and such on the interrupt stack. It's bad for your machine's health.
Make the two huge structs in reseed() static to prevent crashes. This is the bug that people have been running into and panic()ing on for the past few days.
Reviewed by: phk
|
62875 |
10-Jul-2000 |
markm |
Provide more splsofttq() protection for the reseed task (running out of taskqueue_swi).
|
62850 |
09-Jul-2000 |
markm |
Make sure that tasks (running out of taskqueue_swi at splsofttq) are not interfered with by the harvester.
|
62841 |
09-Jul-2000 |
markm |
Yarrow tweaks; separate the fast and slow reseed tasks so that they don't stomp on each other; provide constant names (as enums) for the harvester to use (makes it more self-documenting).
|
62840 |
09-Jul-2000 |
markm |
Fix bug with a vraiable that needs to be per-process, not static; fix formatting of long macros.
Pointed out by: bde
|
62765 |
07-Jul-2000 |
markm |
Add entropy gathering code. This will work whether the module is compiled in or loaded.
|
62217 |
28-Jun-2000 |
markm |
Staticize a variable.
This fixes the case where linking randomdev into the kernel statically can cause panics at shutdown time.
Reported by: sos
|
62149 |
27-Jun-2000 |
markm |
I am guilty of an act of ommission. There is no longer a /dev/urandom device with Yarrow, and although I coded for that in dev/MAKEDEV, I forgot to _tell_ folks.
This commit adds back the /dev/urandom device (as a duplicate) of /dev/random, until such time as it can be properly announced.
This will help the openssl users quite a lot.
|
62117 |
26-Jun-2000 |
markm |
style(9) fixes from BDE. We shouldn't use '#include ""', rather '#include<>'.
|
62090 |
25-Jun-2000 |
markm |
Fix include for non-module case.
Thanks-to: SOS
|
62087 |
25-Jun-2000 |
markm |
Fix include for the non-module case.
Thanks-to: SOS
|
62053 |
25-Jun-2000 |
markm |
New machine-independant /dev/random driver.
This is work-in-progress, and the entropy-gathering routines are not yet present. As such, this should be viewed as a pretty reasonable PRNG with _ABSOLUTELY_NO_ security!!
Entropy gathering will be the subject of ongoing work.
This is written as a module, and as such is unloadable, but there is no refcounting done. I would like to use something like device_busy(9) to achieve this (eventually).
Lots of useful ideas from: bde, phk, Jeroen van Gelderen
Reviewed by: dfr
|