opencrypto: Make freesession callback return void.

No functional change intended: all drivers already return zero
unconditionally.

padlock(4): Prune dead branches. Assert session id validity.

padlock(4): Return zero, not error, if we've issued crypto_done.

fix various small typos, mainly in comments.

Make padlock(4) compile on amd64.

padlock(4): Remove legacy rijndael API use.

This doesn't actually need to compute AES -- it just needs the
standard AES key schedule, so use the BearSSL constant-time key
schedule implementation.

XXX Compile-tested only.
XXX The byte-order business here seems highly questionable.

padlock(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

Fold constant. err is always 0, so switch to return 0;

Return error values directly where appropriate, instead of using the err
variable.

Add splhigh() around the FPU code, we don't want to be preempted in the
middle, this could corrupt the FPU state and trigger undefined behavior.

Intentionally use splhigh and not kpreempt_disable, to match the generic
x86 FPU code.

Compile-tested only (I don't have VIA).

Found by Maya almost a year ago.

branches: 1.25.16; 1.25.18;
Remove callout-based RNG support in VIA crypto driver; add VIA RNG backend for cpu_rng.

Convert arch/x86 to use <sys/rnd*.h>. Omit needless includes.

branches: 1.23.2;
Replace callout_stop with callout_halt

In order to call callout_destroy for a callout safely, we have to ensure
the function of the callout is not running and pending. To do so, we should
use callout_halt, not callout_stop.

Discussed with martin@ and riastradh@.

branches: 1.22.2;
Merge tls-earlyentropy branch into HEAD.

branches: 1.21.2; 1.21.6; 1.21.20;
Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

In addition to %[er]ax, rep xstore-rng also clobbers %[er]cx and %[er]di.
As such, mark them as outputs, as is done in the VIA Padlock example code.
Additionally, let's assume that VIAC3_RNG_BUFSIZ is in bytes and not DWords.
Furthermore assume that there are not 1 but NBBY bits of entropy per byte.

Fixes PR kern/45847 for me.

leading whitespace too!

drop trailing whitespace

branches: 1.17.2;
Fix one last dangling use of arc4randbytes().

First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.15.4;
move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore

modularize VIA PadLock support
- retire options VIA_PADLOCK, replace with 'padlock0 at cpu0'
- driver supports attach & detach
- support building as a module

branches: 1.13.2; 1.13.4;
Uses cpu_feature, so include <machine/cpuvar.h>

This patch fixes the NX regression issue observed on amd64 kernels, where
per-page execution right was disabled (therefore leading to the inability
of the kernel to detect fraudulent use of memory mappings marked as not
being executable).

- replace cpu_feature and ci_feature_flags variables by cpu_feature and
ci_feat_val arrays. This makes it cleaner and brings kernel code closer
to the design of cpuctl(8). A warning will be raised for each CPU that
does not expose the same features as the Boot Processor (BP).

- the blacklist of CPU features is now a macro defined in the
specialreg.h header, instead of hardcoding it inside MD initialization
code; fix comments.

- replace checks against CPUID_TSC with the cpu_hascounter() function.

- clean up the code in init_x86_64(), as cpu_feature variables are set
inside cpu_probe().

- use cpu_init_msrs() for i386. It will be eventually used later for NX
feature under i386 PAE kernels.

- remove code that checks for CPUID_NOX in amd64 mptramp.S, this is already
performed by cpu_hatch() through cpu_init_msrs().

- remove cpu_signature and feature_flags members from struct mpbios_proc
(they were never used).

This patch was tested with i386 MONOLITHIC, XEN3PAE_DOM0 and XEN3_DOM0 under
a native i386 host, and amd64 GENERIC, XEN3_DOM0 via QEMU virtual machines.

XXX Should kernel rev be bumped?

XXX A similar patch should be pulled-up for NetBSD-5, hopefully tomorrow.

branches: 1.11.2; 1.11.4;
Fix probe for VIA C3 and successors -- these are CPU family 6, not 5.
The broken probe was causing the VIA padlock driver to never attach!
Now we can see that its AES appears to be broken -- it makes FAST_IPSEC
ESP not work, on systems where it works fine with cryptosoft.

Rework code to detect and (if necessary) enable VIA crypto and RNG.
Add RNG support to VIA padlock driver. In the process, have a quick
go at debugging the AES support but no luck thus far.

branches: 1.10.2;
kill MALLOC and FREE macros.

branches: 1.9.4; 1.9.12; 1.9.14; 1.9.20;
- use aprint_*_dev and device_xname
- use POSIX integer types

branches: 1.8.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

Start detangling lock.h from intr.h. This is likely to cause short term
breakage, but the mess of dependencies has been regularly breaking the
build recently anyhow.

branches: 1.6.2; 1.6.8;
Merge the ppcoea-renovation branch to HEAD.

This branch was a major cleanup and rototill of many of the various OEA
cpu based PPC ports that focused on sharing as much code as possible
between the various ports to eliminate near-identical copies of files in
every tree. Additionally there is a new PIC system that unifies the
interface to interrupt code for all different OEA ppc arches. The work
for this branch was done by a variety of people, too long to list here.

TODO:
bebox still needs work to complete the transition to -renovation.
ofppc still needs a bunch of work, which I will be looking at.
ev64260 still needs to be renovated
amigappc was not attempted.

NOTES:
pmppc was removed as an arch, and moved to a evbppc target.

branches: 1.5.10;
Support for VIA Esther (From FreeBSD)

branches: 1.4.4;
Add missing $ in the RCS ID.

branches: 1.3.2; 1.3.4;
more caddr_t lossage

branches: 1.2.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.1.2; 1.1.4;
Add an opencrypto provider for the AES xcrypt instructions found on VIA
C5P and later cores (also known as 'ACE', which is part of the VIA PadLock
security engine). Ported from OpenBSD.

Reviewed on tech-crypto and port-i386, no objections to commiting this.

Make padlock(4) compile on amd64.

padlock(4): Remove legacy rijndael API use.

This doesn't actually need to compute AES -- it just needs the
standard AES key schedule, so use the BearSSL constant-time key
schedule implementation.

XXX Compile-tested only.
XXX The byte-order business here seems highly questionable.

padlock(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

Fold constant. err is always 0, so switch to return 0;

Return error values directly where appropriate, instead of using the err
variable.

Add splhigh() around the FPU code, we don't want to be preempted in the
middle, this could corrupt the FPU state and trigger undefined behavior.

Intentionally use splhigh and not kpreempt_disable, to match the generic
x86 FPU code.

Compile-tested only (I don't have VIA).

Found by Maya almost a year ago.

branches: 1.25.16; 1.25.18;
Remove callout-based RNG support in VIA crypto driver; add VIA RNG backend for cpu_rng.

Convert arch/x86 to use <sys/rnd*.h>. Omit needless includes.

branches: 1.23.2;
Replace callout_stop with callout_halt

In order to call callout_destroy for a callout safely, we have to ensure
the function of the callout is not running and pending. To do so, we should
use callout_halt, not callout_stop.

Discussed with martin@ and riastradh@.

branches: 1.22.2;
Merge tls-earlyentropy branch into HEAD.

branches: 1.21.2; 1.21.6; 1.21.20;
Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

In addition to %[er]ax, rep xstore-rng also clobbers %[er]cx and %[er]di.
As such, mark them as outputs, as is done in the VIA Padlock example code.
Additionally, let's assume that VIAC3_RNG_BUFSIZ is in bytes and not DWords.
Furthermore assume that there are not 1 but NBBY bits of entropy per byte.

Fixes PR kern/45847 for me.

leading whitespace too!

drop trailing whitespace

branches: 1.17.2;
Fix one last dangling use of arc4randbytes().

First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.15.4;
move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore

modularize VIA PadLock support
- retire options VIA_PADLOCK, replace with 'padlock0 at cpu0'
- driver supports attach & detach
- support building as a module

branches: 1.13.2; 1.13.4;
Uses cpu_feature, so include <machine/cpuvar.h>

This patch fixes the NX regression issue observed on amd64 kernels, where
per-page execution right was disabled (therefore leading to the inability
of the kernel to detect fraudulent use of memory mappings marked as not
being executable).

- replace cpu_feature and ci_feature_flags variables by cpu_feature and
ci_feat_val arrays. This makes it cleaner and brings kernel code closer
to the design of cpuctl(8). A warning will be raised for each CPU that
does not expose the same features as the Boot Processor (BP).

- the blacklist of CPU features is now a macro defined in the
specialreg.h header, instead of hardcoding it inside MD initialization
code; fix comments.

- replace checks against CPUID_TSC with the cpu_hascounter() function.

- clean up the code in init_x86_64(), as cpu_feature variables are set
inside cpu_probe().

- use cpu_init_msrs() for i386. It will be eventually used later for NX
feature under i386 PAE kernels.

- remove code that checks for CPUID_NOX in amd64 mptramp.S, this is already
performed by cpu_hatch() through cpu_init_msrs().

- remove cpu_signature and feature_flags members from struct mpbios_proc
(they were never used).

This patch was tested with i386 MONOLITHIC, XEN3PAE_DOM0 and XEN3_DOM0 under
a native i386 host, and amd64 GENERIC, XEN3_DOM0 via QEMU virtual machines.

XXX Should kernel rev be bumped?

XXX A similar patch should be pulled-up for NetBSD-5, hopefully tomorrow.

branches: 1.11.2; 1.11.4;
Fix probe for VIA C3 and successors -- these are CPU family 6, not 5.
The broken probe was causing the VIA padlock driver to never attach!
Now we can see that its AES appears to be broken -- it makes FAST_IPSEC
ESP not work, on systems where it works fine with cryptosoft.

Rework code to detect and (if necessary) enable VIA crypto and RNG.
Add RNG support to VIA padlock driver. In the process, have a quick
go at debugging the AES support but no luck thus far.

branches: 1.10.2;
kill MALLOC and FREE macros.

branches: 1.9.4; 1.9.12; 1.9.14; 1.9.20;
- use aprint_*_dev and device_xname
- use POSIX integer types

branches: 1.8.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

Start detangling lock.h from intr.h. This is likely to cause short term
breakage, but the mess of dependencies has been regularly breaking the
build recently anyhow.

branches: 1.6.2; 1.6.8;
Merge the ppcoea-renovation branch to HEAD.

This branch was a major cleanup and rototill of many of the various OEA
cpu based PPC ports that focused on sharing as much code as possible
between the various ports to eliminate near-identical copies of files in
every tree. Additionally there is a new PIC system that unifies the
interface to interrupt code for all different OEA ppc arches. The work
for this branch was done by a variety of people, too long to list here.

TODO:
bebox still needs work to complete the transition to -renovation.
ofppc still needs a bunch of work, which I will be looking at.
ev64260 still needs to be renovated
amigappc was not attempted.

NOTES:
pmppc was removed as an arch, and moved to a evbppc target.

branches: 1.5.10;
Support for VIA Esther (From FreeBSD)

branches: 1.4.4;
Add missing $ in the RCS ID.

branches: 1.3.2; 1.3.4;
more caddr_t lossage

branches: 1.2.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.1.2; 1.1.4;
Add an opencrypto provider for the AES xcrypt instructions found on VIA
C5P and later cores (also known as 'ACE', which is part of the VIA PadLock
security engine). Ported from OpenBSD.

Reviewed on tech-crypto and port-i386, no objections to commiting this.

padlock(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

Fold constant. err is always 0, so switch to return 0;

Return error values directly where appropriate, instead of using the err
variable.

Add splhigh() around the FPU code, we don't want to be preempted in the
middle, this could corrupt the FPU state and trigger undefined behavior.

Intentionally use splhigh and not kpreempt_disable, to match the generic
x86 FPU code.

Compile-tested only (I don't have VIA).

Found by Maya almost a year ago.

branches: 1.25.16; 1.25.18;
Remove callout-based RNG support in VIA crypto driver; add VIA RNG backend for cpu_rng.

Convert arch/x86 to use <sys/rnd*.h>. Omit needless includes.

branches: 1.23.2;
Replace callout_stop with callout_halt

In order to call callout_destroy for a callout safely, we have to ensure
the function of the callout is not running and pending. To do so, we should
use callout_halt, not callout_stop.

Discussed with martin@ and riastradh@.

branches: 1.22.2;
Merge tls-earlyentropy branch into HEAD.

branches: 1.21.2; 1.21.6; 1.21.20;
Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

In addition to %[er]ax, rep xstore-rng also clobbers %[er]cx and %[er]di.
As such, mark them as outputs, as is done in the VIA Padlock example code.
Additionally, let's assume that VIAC3_RNG_BUFSIZ is in bytes and not DWords.
Furthermore assume that there are not 1 but NBBY bits of entropy per byte.

Fixes PR kern/45847 for me.

leading whitespace too!

drop trailing whitespace

branches: 1.17.2;
Fix one last dangling use of arc4randbytes().

First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.15.4;
move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore

modularize VIA PadLock support
- retire options VIA_PADLOCK, replace with 'padlock0 at cpu0'
- driver supports attach & detach
- support building as a module

branches: 1.13.2; 1.13.4;
Uses cpu_feature, so include <machine/cpuvar.h>

This patch fixes the NX regression issue observed on amd64 kernels, where
per-page execution right was disabled (therefore leading to the inability
of the kernel to detect fraudulent use of memory mappings marked as not
being executable).

- replace cpu_feature and ci_feature_flags variables by cpu_feature and
ci_feat_val arrays. This makes it cleaner and brings kernel code closer
to the design of cpuctl(8). A warning will be raised for each CPU that
does not expose the same features as the Boot Processor (BP).

- the blacklist of CPU features is now a macro defined in the
specialreg.h header, instead of hardcoding it inside MD initialization
code; fix comments.

- replace checks against CPUID_TSC with the cpu_hascounter() function.

- clean up the code in init_x86_64(), as cpu_feature variables are set
inside cpu_probe().

- use cpu_init_msrs() for i386. It will be eventually used later for NX
feature under i386 PAE kernels.

- remove code that checks for CPUID_NOX in amd64 mptramp.S, this is already
performed by cpu_hatch() through cpu_init_msrs().

- remove cpu_signature and feature_flags members from struct mpbios_proc
(they were never used).

This patch was tested with i386 MONOLITHIC, XEN3PAE_DOM0 and XEN3_DOM0 under
a native i386 host, and amd64 GENERIC, XEN3_DOM0 via QEMU virtual machines.

XXX Should kernel rev be bumped?

XXX A similar patch should be pulled-up for NetBSD-5, hopefully tomorrow.

branches: 1.11.2; 1.11.4;
Fix probe for VIA C3 and successors -- these are CPU family 6, not 5.
The broken probe was causing the VIA padlock driver to never attach!
Now we can see that its AES appears to be broken -- it makes FAST_IPSEC
ESP not work, on systems where it works fine with cryptosoft.

Rework code to detect and (if necessary) enable VIA crypto and RNG.
Add RNG support to VIA padlock driver. In the process, have a quick
go at debugging the AES support but no luck thus far.

branches: 1.10.2;
kill MALLOC and FREE macros.

branches: 1.9.4; 1.9.12; 1.9.14; 1.9.20;
- use aprint_*_dev and device_xname
- use POSIX integer types

branches: 1.8.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

Start detangling lock.h from intr.h. This is likely to cause short term
breakage, but the mess of dependencies has been regularly breaking the
build recently anyhow.

branches: 1.6.2; 1.6.8;
Merge the ppcoea-renovation branch to HEAD.

This branch was a major cleanup and rototill of many of the various OEA
cpu based PPC ports that focused on sharing as much code as possible
between the various ports to eliminate near-identical copies of files in
every tree. Additionally there is a new PIC system that unifies the
interface to interrupt code for all different OEA ppc arches. The work
for this branch was done by a variety of people, too long to list here.

TODO:
bebox still needs work to complete the transition to -renovation.
ofppc still needs a bunch of work, which I will be looking at.
ev64260 still needs to be renovated
amigappc was not attempted.

NOTES:
pmppc was removed as an arch, and moved to a evbppc target.

branches: 1.5.10;
Support for VIA Esther (From FreeBSD)

branches: 1.4.4;
Add missing $ in the RCS ID.

branches: 1.3.2; 1.3.4;
more caddr_t lossage

branches: 1.2.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.1.2; 1.1.4;
Add an opencrypto provider for the AES xcrypt instructions found on VIA
C5P and later cores (also known as 'ACE', which is part of the VIA PadLock
security engine). Ported from OpenBSD.

Reviewed on tech-crypto and port-i386, no objections to commiting this.

Fold constant. err is always 0, so switch to return 0;

Return error values directly where appropriate, instead of using the err
variable.

Add splhigh() around the FPU code, we don't want to be preempted in the
middle, this could corrupt the FPU state and trigger undefined behavior.

Intentionally use splhigh and not kpreempt_disable, to match the generic
x86 FPU code.

Compile-tested only (I don't have VIA).

Found by Maya almost a year ago.

branches: 1.25.16; 1.25.18;
Remove callout-based RNG support in VIA crypto driver; add VIA RNG backend for cpu_rng.

Convert arch/x86 to use <sys/rnd*.h>. Omit needless includes.

branches: 1.23.2;
Replace callout_stop with callout_halt

In order to call callout_destroy for a callout safely, we have to ensure
the function of the callout is not running and pending. To do so, we should
use callout_halt, not callout_stop.

Discussed with martin@ and riastradh@.

branches: 1.22.2;
Merge tls-earlyentropy branch into HEAD.

branches: 1.21.2; 1.21.6; 1.21.20;
Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

In addition to %[er]ax, rep xstore-rng also clobbers %[er]cx and %[er]di.
As such, mark them as outputs, as is done in the VIA Padlock example code.
Additionally, let's assume that VIAC3_RNG_BUFSIZ is in bytes and not DWords.
Furthermore assume that there are not 1 but NBBY bits of entropy per byte.

Fixes PR kern/45847 for me.

leading whitespace too!

drop trailing whitespace

branches: 1.17.2;
Fix one last dangling use of arc4randbytes().

First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.15.4;
move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore

modularize VIA PadLock support
- retire options VIA_PADLOCK, replace with 'padlock0 at cpu0'
- driver supports attach & detach
- support building as a module

branches: 1.13.2; 1.13.4;
Uses cpu_feature, so include <machine/cpuvar.h>

This patch fixes the NX regression issue observed on amd64 kernels, where
per-page execution right was disabled (therefore leading to the inability
of the kernel to detect fraudulent use of memory mappings marked as not
being executable).

- replace cpu_feature and ci_feature_flags variables by cpu_feature and
ci_feat_val arrays. This makes it cleaner and brings kernel code closer
to the design of cpuctl(8). A warning will be raised for each CPU that
does not expose the same features as the Boot Processor (BP).

- the blacklist of CPU features is now a macro defined in the
specialreg.h header, instead of hardcoding it inside MD initialization
code; fix comments.

- replace checks against CPUID_TSC with the cpu_hascounter() function.

- clean up the code in init_x86_64(), as cpu_feature variables are set
inside cpu_probe().

- use cpu_init_msrs() for i386. It will be eventually used later for NX
feature under i386 PAE kernels.

- remove code that checks for CPUID_NOX in amd64 mptramp.S, this is already
performed by cpu_hatch() through cpu_init_msrs().

- remove cpu_signature and feature_flags members from struct mpbios_proc
(they were never used).

This patch was tested with i386 MONOLITHIC, XEN3PAE_DOM0 and XEN3_DOM0 under
a native i386 host, and amd64 GENERIC, XEN3_DOM0 via QEMU virtual machines.

XXX Should kernel rev be bumped?

XXX A similar patch should be pulled-up for NetBSD-5, hopefully tomorrow.

branches: 1.11.2; 1.11.4;
Fix probe for VIA C3 and successors -- these are CPU family 6, not 5.
The broken probe was causing the VIA padlock driver to never attach!
Now we can see that its AES appears to be broken -- it makes FAST_IPSEC
ESP not work, on systems where it works fine with cryptosoft.

Rework code to detect and (if necessary) enable VIA crypto and RNG.
Add RNG support to VIA padlock driver. In the process, have a quick
go at debugging the AES support but no luck thus far.

branches: 1.10.2;
kill MALLOC and FREE macros.

branches: 1.9.4; 1.9.12; 1.9.14; 1.9.20;
- use aprint_*_dev and device_xname
- use POSIX integer types

branches: 1.8.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

Start detangling lock.h from intr.h. This is likely to cause short term
breakage, but the mess of dependencies has been regularly breaking the
build recently anyhow.

branches: 1.6.2; 1.6.8;
Merge the ppcoea-renovation branch to HEAD.

This branch was a major cleanup and rototill of many of the various OEA
cpu based PPC ports that focused on sharing as much code as possible
between the various ports to eliminate near-identical copies of files in
every tree. Additionally there is a new PIC system that unifies the
interface to interrupt code for all different OEA ppc arches. The work
for this branch was done by a variety of people, too long to list here.

TODO:
bebox still needs work to complete the transition to -renovation.
ofppc still needs a bunch of work, which I will be looking at.
ev64260 still needs to be renovated
amigappc was not attempted.

NOTES:
pmppc was removed as an arch, and moved to a evbppc target.

branches: 1.5.10;
Support for VIA Esther (From FreeBSD)

branches: 1.4.4;
Add missing $ in the RCS ID.

branches: 1.3.2; 1.3.4;
more caddr_t lossage

branches: 1.2.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.1.2; 1.1.4;
Add an opencrypto provider for the AES xcrypt instructions found on VIA
C5P and later cores (also known as 'ACE', which is part of the VIA PadLock
security engine). Ported from OpenBSD.

Reviewed on tech-crypto and port-i386, no objections to commiting this.

Return error values directly where appropriate, instead of using the err
variable.

Add splhigh() around the FPU code, we don't want to be preempted in the
middle, this could corrupt the FPU state and trigger undefined behavior.

Intentionally use splhigh and not kpreempt_disable, to match the generic
x86 FPU code.

Compile-tested only (I don't have VIA).

Found by Maya almost a year ago.

branches: 1.25.16; 1.25.18;
Remove callout-based RNG support in VIA crypto driver; add VIA RNG backend for cpu_rng.

Convert arch/x86 to use <sys/rnd*.h>. Omit needless includes.

branches: 1.23.2;
Replace callout_stop with callout_halt

In order to call callout_destroy for a callout safely, we have to ensure
the function of the callout is not running and pending. To do so, we should
use callout_halt, not callout_stop.

Discussed with martin@ and riastradh@.

branches: 1.22.2;
Merge tls-earlyentropy branch into HEAD.

branches: 1.21.2; 1.21.6; 1.21.20;
Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

In addition to %[er]ax, rep xstore-rng also clobbers %[er]cx and %[er]di.
As such, mark them as outputs, as is done in the VIA Padlock example code.
Additionally, let's assume that VIAC3_RNG_BUFSIZ is in bytes and not DWords.
Furthermore assume that there are not 1 but NBBY bits of entropy per byte.

Fixes PR kern/45847 for me.

leading whitespace too!

drop trailing whitespace

branches: 1.17.2;
Fix one last dangling use of arc4randbytes().

First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.15.4;
move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore

modularize VIA PadLock support
- retire options VIA_PADLOCK, replace with 'padlock0 at cpu0'
- driver supports attach & detach
- support building as a module

branches: 1.13.2; 1.13.4;
Uses cpu_feature, so include <machine/cpuvar.h>

This patch fixes the NX regression issue observed on amd64 kernels, where
per-page execution right was disabled (therefore leading to the inability
of the kernel to detect fraudulent use of memory mappings marked as not
being executable).

- replace cpu_feature and ci_feature_flags variables by cpu_feature and
ci_feat_val arrays. This makes it cleaner and brings kernel code closer
to the design of cpuctl(8). A warning will be raised for each CPU that
does not expose the same features as the Boot Processor (BP).

- the blacklist of CPU features is now a macro defined in the
specialreg.h header, instead of hardcoding it inside MD initialization
code; fix comments.

- replace checks against CPUID_TSC with the cpu_hascounter() function.

- clean up the code in init_x86_64(), as cpu_feature variables are set
inside cpu_probe().

- use cpu_init_msrs() for i386. It will be eventually used later for NX
feature under i386 PAE kernels.

- remove code that checks for CPUID_NOX in amd64 mptramp.S, this is already
performed by cpu_hatch() through cpu_init_msrs().

- remove cpu_signature and feature_flags members from struct mpbios_proc
(they were never used).

This patch was tested with i386 MONOLITHIC, XEN3PAE_DOM0 and XEN3_DOM0 under
a native i386 host, and amd64 GENERIC, XEN3_DOM0 via QEMU virtual machines.

XXX Should kernel rev be bumped?

XXX A similar patch should be pulled-up for NetBSD-5, hopefully tomorrow.

branches: 1.11.2; 1.11.4;
Fix probe for VIA C3 and successors -- these are CPU family 6, not 5.
The broken probe was causing the VIA padlock driver to never attach!
Now we can see that its AES appears to be broken -- it makes FAST_IPSEC
ESP not work, on systems where it works fine with cryptosoft.

Rework code to detect and (if necessary) enable VIA crypto and RNG.
Add RNG support to VIA padlock driver. In the process, have a quick
go at debugging the AES support but no luck thus far.

branches: 1.10.2;
kill MALLOC and FREE macros.

branches: 1.9.4; 1.9.12; 1.9.14; 1.9.20;
- use aprint_*_dev and device_xname
- use POSIX integer types

branches: 1.8.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

Start detangling lock.h from intr.h. This is likely to cause short term
breakage, but the mess of dependencies has been regularly breaking the
build recently anyhow.

branches: 1.6.2; 1.6.8;
Merge the ppcoea-renovation branch to HEAD.

This branch was a major cleanup and rototill of many of the various OEA
cpu based PPC ports that focused on sharing as much code as possible
between the various ports to eliminate near-identical copies of files in
every tree. Additionally there is a new PIC system that unifies the
interface to interrupt code for all different OEA ppc arches. The work
for this branch was done by a variety of people, too long to list here.

TODO:
bebox still needs work to complete the transition to -renovation.
ofppc still needs a bunch of work, which I will be looking at.
ev64260 still needs to be renovated
amigappc was not attempted.

NOTES:
pmppc was removed as an arch, and moved to a evbppc target.

branches: 1.5.10;
Support for VIA Esther (From FreeBSD)

branches: 1.4.4;
Add missing $ in the RCS ID.

branches: 1.3.2; 1.3.4;
more caddr_t lossage

branches: 1.2.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.1.2; 1.1.4;
Add an opencrypto provider for the AES xcrypt instructions found on VIA
C5P and later cores (also known as 'ACE', which is part of the VIA PadLock
security engine). Ported from OpenBSD.

Reviewed on tech-crypto and port-i386, no objections to commiting this.

Add splhigh() around the FPU code, we don't want to be preempted in the
middle, this could corrupt the FPU state and trigger undefined behavior.

Intentionally use splhigh and not kpreempt_disable, to match the generic
x86 FPU code.

Compile-tested only (I don't have VIA).

Found by Maya almost a year ago.

branches: 1.25.16;
Remove callout-based RNG support in VIA crypto driver; add VIA RNG backend for cpu_rng.

Convert arch/x86 to use <sys/rnd*.h>. Omit needless includes.

branches: 1.23.2;
Replace callout_stop with callout_halt

In order to call callout_destroy for a callout safely, we have to ensure
the function of the callout is not running and pending. To do so, we should
use callout_halt, not callout_stop.

Discussed with martin@ and riastradh@.

branches: 1.22.2;
Merge tls-earlyentropy branch into HEAD.

branches: 1.21.2; 1.21.6; 1.21.20;
Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

In addition to %[er]ax, rep xstore-rng also clobbers %[er]cx and %[er]di.
As such, mark them as outputs, as is done in the VIA Padlock example code.
Additionally, let's assume that VIAC3_RNG_BUFSIZ is in bytes and not DWords.
Furthermore assume that there are not 1 but NBBY bits of entropy per byte.

Fixes PR kern/45847 for me.

leading whitespace too!

drop trailing whitespace

branches: 1.17.2;
Fix one last dangling use of arc4randbytes().

First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.15.4;
move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore

modularize VIA PadLock support
- retire options VIA_PADLOCK, replace with 'padlock0 at cpu0'
- driver supports attach & detach
- support building as a module

branches: 1.13.2; 1.13.4;
Uses cpu_feature, so include <machine/cpuvar.h>

This patch fixes the NX regression issue observed on amd64 kernels, where
per-page execution right was disabled (therefore leading to the inability
of the kernel to detect fraudulent use of memory mappings marked as not
being executable).

- replace cpu_feature and ci_feature_flags variables by cpu_feature and
ci_feat_val arrays. This makes it cleaner and brings kernel code closer
to the design of cpuctl(8). A warning will be raised for each CPU that
does not expose the same features as the Boot Processor (BP).

- the blacklist of CPU features is now a macro defined in the
specialreg.h header, instead of hardcoding it inside MD initialization
code; fix comments.

- replace checks against CPUID_TSC with the cpu_hascounter() function.

- clean up the code in init_x86_64(), as cpu_feature variables are set
inside cpu_probe().

- use cpu_init_msrs() for i386. It will be eventually used later for NX
feature under i386 PAE kernels.

- remove code that checks for CPUID_NOX in amd64 mptramp.S, this is already
performed by cpu_hatch() through cpu_init_msrs().

- remove cpu_signature and feature_flags members from struct mpbios_proc
(they were never used).

This patch was tested with i386 MONOLITHIC, XEN3PAE_DOM0 and XEN3_DOM0 under
a native i386 host, and amd64 GENERIC, XEN3_DOM0 via QEMU virtual machines.

XXX Should kernel rev be bumped?

XXX A similar patch should be pulled-up for NetBSD-5, hopefully tomorrow.

branches: 1.11.2; 1.11.4;
Fix probe for VIA C3 and successors -- these are CPU family 6, not 5.
The broken probe was causing the VIA padlock driver to never attach!
Now we can see that its AES appears to be broken -- it makes FAST_IPSEC
ESP not work, on systems where it works fine with cryptosoft.

Rework code to detect and (if necessary) enable VIA crypto and RNG.
Add RNG support to VIA padlock driver. In the process, have a quick
go at debugging the AES support but no luck thus far.

branches: 1.10.2;
kill MALLOC and FREE macros.

branches: 1.9.4; 1.9.12; 1.9.14; 1.9.20;
- use aprint_*_dev and device_xname
- use POSIX integer types

branches: 1.8.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

Start detangling lock.h from intr.h. This is likely to cause short term
breakage, but the mess of dependencies has been regularly breaking the
build recently anyhow.

branches: 1.6.2; 1.6.8;
Merge the ppcoea-renovation branch to HEAD.

This branch was a major cleanup and rototill of many of the various OEA
cpu based PPC ports that focused on sharing as much code as possible
between the various ports to eliminate near-identical copies of files in
every tree. Additionally there is a new PIC system that unifies the
interface to interrupt code for all different OEA ppc arches. The work
for this branch was done by a variety of people, too long to list here.

TODO:
bebox still needs work to complete the transition to -renovation.
ofppc still needs a bunch of work, which I will be looking at.
ev64260 still needs to be renovated
amigappc was not attempted.

NOTES:
pmppc was removed as an arch, and moved to a evbppc target.

branches: 1.5.10;
Support for VIA Esther (From FreeBSD)

branches: 1.4.4;
Add missing $ in the RCS ID.

branches: 1.3.2; 1.3.4;
more caddr_t lossage

branches: 1.2.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.1.2; 1.1.4;
Add an opencrypto provider for the AES xcrypt instructions found on VIA
C5P and later cores (also known as 'ACE', which is part of the VIA PadLock
security engine). Ported from OpenBSD.

Reviewed on tech-crypto and port-i386, no objections to commiting this.

Remove callout-based RNG support in VIA crypto driver; add VIA RNG backend for cpu_rng.

Convert arch/x86 to use <sys/rnd*.h>. Omit needless includes.

branches: 1.23.2;
Replace callout_stop with callout_halt

In order to call callout_destroy for a callout safely, we have to ensure
the function of the callout is not running and pending. To do so, we should
use callout_halt, not callout_stop.

Discussed with martin@ and riastradh@.

branches: 1.22.2;
Merge tls-earlyentropy branch into HEAD.

branches: 1.21.2; 1.21.6; 1.21.20;
Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

In addition to %[er]ax, rep xstore-rng also clobbers %[er]cx and %[er]di.
As such, mark them as outputs, as is done in the VIA Padlock example code.
Additionally, let's assume that VIAC3_RNG_BUFSIZ is in bytes and not DWords.
Furthermore assume that there are not 1 but NBBY bits of entropy per byte.

Fixes PR kern/45847 for me.

leading whitespace too!

drop trailing whitespace

branches: 1.17.2;
Fix one last dangling use of arc4randbytes().

First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.15.4;
move the "context size" struct member (which is a pure software
implementation thing) from the abstract xform descriptor to
the cryptosoft implementation part -- for sanity, and now clients
of opencrypto don't depend on headers of cipher implementations anymore

modularize VIA PadLock support
- retire options VIA_PADLOCK, replace with 'padlock0 at cpu0'
- driver supports attach & detach
- support building as a module

branches: 1.13.2; 1.13.4;
Uses cpu_feature, so include <machine/cpuvar.h>

This patch fixes the NX regression issue observed on amd64 kernels, where
per-page execution right was disabled (therefore leading to the inability
of the kernel to detect fraudulent use of memory mappings marked as not
being executable).

- replace cpu_feature and ci_feature_flags variables by cpu_feature and
ci_feat_val arrays. This makes it cleaner and brings kernel code closer
to the design of cpuctl(8). A warning will be raised for each CPU that
does not expose the same features as the Boot Processor (BP).

- the blacklist of CPU features is now a macro defined in the
specialreg.h header, instead of hardcoding it inside MD initialization
code; fix comments.

- replace checks against CPUID_TSC with the cpu_hascounter() function.

- clean up the code in init_x86_64(), as cpu_feature variables are set
inside cpu_probe().

- use cpu_init_msrs() for i386. It will be eventually used later for NX
feature under i386 PAE kernels.

- remove code that checks for CPUID_NOX in amd64 mptramp.S, this is already
performed by cpu_hatch() through cpu_init_msrs().

- remove cpu_signature and feature_flags members from struct mpbios_proc
(they were never used).

This patch was tested with i386 MONOLITHIC, XEN3PAE_DOM0 and XEN3_DOM0 under
a native i386 host, and amd64 GENERIC, XEN3_DOM0 via QEMU virtual machines.

XXX Should kernel rev be bumped?

XXX A similar patch should be pulled-up for NetBSD-5, hopefully tomorrow.

branches: 1.11.2; 1.11.4;
Fix probe for VIA C3 and successors -- these are CPU family 6, not 5.
The broken probe was causing the VIA padlock driver to never attach!
Now we can see that its AES appears to be broken -- it makes FAST_IPSEC
ESP not work, on systems where it works fine with cryptosoft.

Rework code to detect and (if necessary) enable VIA crypto and RNG.
Add RNG support to VIA padlock driver. In the process, have a quick
go at debugging the AES support but no luck thus far.

branches: 1.10.2;
kill MALLOC and FREE macros.

branches: 1.9.4; 1.9.12; 1.9.14; 1.9.20;
- use aprint_*_dev and device_xname
- use POSIX integer types

branches: 1.8.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

Start detangling lock.h from intr.h. This is likely to cause short term
breakage, but the mess of dependencies has been regularly breaking the
build recently anyhow.

branches: 1.6.2; 1.6.8;
Merge the ppcoea-renovation branch to HEAD.

This branch was a major cleanup and rototill of many of the various OEA
cpu based PPC ports that focused on sharing as much code as possible
between the various ports to eliminate near-identical copies of files in
every tree. Additionally there is a new PIC system that unifies the
interface to interrupt code for all different OEA ppc arches. The work
for this branch was done by a variety of people, too long to list here.

TODO:
bebox still needs work to complete the transition to -renovation.
ofppc still needs a bunch of work, which I will be looking at.
ev64260 still needs to be renovated
amigappc was not attempted.

NOTES:
pmppc was removed as an arch, and moved to a evbppc target.

branches: 1.5.10;
Support for VIA Esther (From FreeBSD)

branches: 1.4.4;
Add missing $ in the RCS ID.

branches: 1.3.2; 1.3.4;
more caddr_t lossage

branches: 1.2.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.1.2; 1.1.4;
Add an opencrypto provider for the AES xcrypt instructions found on VIA
C5P and later cores (also known as 'ACE', which is part of the VIA PadLock
security engine). Ported from OpenBSD.

Reviewed on tech-crypto and port-i386, no objections to commiting this.