s/opetions/options/ in hw.ubsec node description.

entropy(9): Simplify stages. Split interrupt vs non-interrupt paths.

- Nix the entropy stage (cold, warm, hot). Just use the usual kernel
`cold' (cold: single-core, single-thread; interrupts may happen),
and don't make any three-way distinction about whether interrupts
or threads or other CPUs can be running.

Instead, while cold, use splhigh/splx or forbid paths to come from
interrupt context, and while warm, use mutex or the per-CPU hard
and soft interrupt paths for low latency. This comes at a small
cost to some interrupt latency, since we may stir the pool in
interrupt context -- but only for a very short window early at boot
between configure and configure2, so it's hard to imagine it
matters much.

- Allow rnd_add_uint32 to run in hard interrupt context or with spin
locks held, but defer processing to softint and drop samples on the
floor if buffer is full. This is mainly used for cheaply tossing
samples from drivers for non-HWRNG devices into the entropy pool,
so it is often used from interrupt context and/or under spin locks.

- New rnd_add_data_intr provides the interrupt-like data entry path
for arbitrary buffers and driver-specified entropy estimates: defer
processing to softint and drop samples on the floor if buffer is
full.

- Document that rnd_add_data is forbidden under spin locks outside
interrupt context (will crash in LOCKDEBUG), and inadvisable in
interrupt context (but technically permitted just in case there are
compatibility issues for now); later we can forbid it altogether in
interrupt context or under spin locks.

- Audit all uses of rnd_add_data to use rnd_add_data_intr where it
might be used in interrupt context or under a spin lock.

This fixes a regression from last year when the global entropy lock
was changed from IPL_VM (spin) to IPL_SOFTSERIAL (adaptive). Thought
I'd caught all the problems from that, but another one bit three
different people this week, presumably because of recent changes that
led to more non-HWRNG drivers entering the entropy consolidation
path from rnd_add_uint32.

In my attempt to preserve the rnd(9) API for the (now long-since
abandoned) prospect of pullup to netbsd-9 in my rewrite of the
entropy subsystem in 2020, I didn't introduce a separate entry point
for entering entropy from interrupt context or equivalent, i.e., spin
locks held, and instead made rnd_add_data rely on cpu_intr_p() to
decide whether to process the whole sample under a lock or only take
as much as there's buffer space for before scheduling a softint. In
retrospect, that was a mistake (though perhaps not as much of a
mistake as other entropy API decisions...), a mistake which is
finally getting rectified now by rnd_add_data_intr.

XXX pullup-10

s/Regiser/Register/ and s/regester/register/ in comments.

branches: 1.62.4;
Correct the abbreviation of approximately to 'approx.'

Trailing whitespace

Audit unload/unmap v.s. free against DMA buffer for sys/dev/pci;
make sure that bus_dmamap_unload(9) [or bus_dmamap_destroy(9)] or
bus_dmamem_unmap(9) are preceding to freeing DMA buffer, if it is
loaded or mapped, respectively.

This is mandatory for some archs. See, e.g.:

http://www.nerv.org/netbsd/?q=id:20210511T013030Z.013443cc790088147e4beed43f53dedabeaf9312
http://www.nerv.org/netbsd/?q=id:20220511T172220Z.561179f0b6fcc5b9cd73e274f69d74e2ce9e4c93

XXX XXX XXX
Compile test only (for amd64/ALL).

Thanks riastradh@ for double check.

opencrypto: Make freesession callback return void.

No functional change intended: all drivers already return zero
unconditionally.

ubsec(4): Prune dead branches. Assert session id validity.

ubsec(4): Tidy up error branches of ubsec_process.

Make sure to return zero, not error, when we've already done
crypto_done and set crp_etype.

ubsec(4): Assert crp_sid is valid.

If opencrypto passes a bad sid in, that's a bug in opencrypto that
needs to be fixed, not a user-triggered invalid input that we need to
fail gracefully on.

ubsec(4): ubsec_kprocess always returns zero. Prune dead branches.

ubsec(4): Fix error branch: call crypto_kdone, don't return error.

ubsec(4): Nix dead code.

No functional change intended.

ubsec(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

unifdef everything-but-NetBSD. Gets rid of a naked cfattach decl.

rnd_attach_source calls the callback itself now.

No need for every driver to explicitly call it to prime the pool.

Eliminate now-unused <sys/rndpool.h>.

Don't attach rndsource until it's actually ready to run.

Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.

Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.

in many device attach paths, allocate memory with M_WAITOK instead of M_NOWAIT
and remove code to handle failures that can no longer happen.

Replace: M_COPY_PKTHDR -> m_copy_pkthdr. No functional change, since the
former is a macro to the latter.

use pci_intr_establish_xname() everywhere

Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.

HOWEVER! Some subsystems have

#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))

even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.

To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.

I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:

cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))

It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.

Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)

branches: 1.43.16; 1.43.18;
KNF. Remove extra spaces. No functional change.

Add header guards and necessary includes.

branches: 1.41.4;
Merge tls-earlyentropy branch into HEAD.

Add support for accelerated AES_CBC in ubsec(4) for BCM5823 and newer.
Update man-page and bump date.
Adjust OpenBSD RCS IDs to reflect roughly the version we are in sync with.

Rewrite the dmamap handling to allocate and cache the dmamaps beforehand.
Calling bus_dmamap_create/destroy is no longer possible in interrupt context.
Move the dmamaps to the end of struct ubsec_q so the rest of the struct
can be cleared with one call to memset().

As a bonus we get a 25% increase in throughput encrypting 8K blocks.

branches: 1.38.2;
make pci_intr_string and eisa_intr_string take a buffer and a length
instead of relying in local static storage.

Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

If you're going to build this driver as a module, make sure that it
depends on opencrypto module.

Also disable MCR4INT in ubsec_detach() when appropriate.

Add support for BCM5825, and BCM5860, 5861, 5862 from OpenBSD rev 1.143:
Add support for the BCM5825 and the next-generation BCM5860, 5861,
5862 Broadcom CryptoNetX IPSec/SSL Security Processors. The 5825 is a
faster version of the already supported 5823, and the even faster 586x
series is a bit different and needed some more changes.

AES support hasn't been pulled in yet.

Create the sysctl variables on module initialization.
Create them under hw.ubsec as is hip these days.

Make ubsec(4) loadable as kmod.

Fix locking botch. Callers of ubsec_rng_locked() lock and release sc_mtx already.

Use callout_setfunc()/callout_schedule() instead of callout_reset(), it is cheaper.

branches: 1.29.2;
Convert the entropy pool framework from pseudo-callout-driven to
soft interrupt driven operation.

Add a polling mode of operation -- now we can ask hardware random number
generators to top us up just when we need it (bcm2835_rng and amdpm
converted as examples).

Fix a stall noticed with repeated reads from /dev/random while testing.

split device_t/softc for all remaining drivers.
replace "struct device *" with "device_t".
use device_xname(), device_unit(), etc.

branches: 1.27.6;
Use pci_aprint_devinfo(9) instead of pci_devinfo+aprint_{normal,naive}
where it looks straightforward, and pci_aprint_devinfo_fancy in a few
others where drivers want to supply their own device names instead
of the pcidevs generated one. More complicated cases, where names
are composed at runtime, are left alone for now. It certainly makes
sense to simplify the drivers here rather than inventing a catch-all API.
This should serve as as example for new drivers, and also ensure
consistent output in the AB_QUIET ("boot -q") case. Also, it avoids
excessive stack usage where drivers attach child devices because the
buffer for the device name is not kept on the local stack anymore.

branches: 1.26.2;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.8;
Don't pull in the whole uvm(9) API to access only PAGE_SIZE and
some other constants. These are provided by sys/param.h now.

branches: 1.24.4;
Cleanup interrupt establish error messages. Do not mix
aprint_error/aprint_normal/printf calls for a single line.

use device_private().
"looks good" ad@
XXX for the device_t/softc split, please check the driver that no cases have been missed.

struct device * -> device_t, no functional changes intended.

struct cfdata * -> cfdata_t, no functional changes intended.

Remove extra whitespace added by a stupid tool.
XXX: more in src/sys/arch

bcopy -> memcpy

bzero -> memset

branches: 1.17.2;
use M_ZERO on malloc() and remove subsequent bzero().

branches: 1.16.4; 1.16.12;
use aprint_*_dev and device_xname

branches: 1.15.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

use __KERNEL_RCSID()

branches: 1.13.8; 1.13.14; 1.13.16; 1.13.18; 1.13.20;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements

branches: 1.12.2; 1.12.4;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.11.4;
__unused removal on arguments; approved by core.

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

branches: 1.9.8; 1.9.10;
Use device_unit().

branches: 1.8.4; 1.8.6; 1.8.8; 1.8.10; 1.8.12;
- De-couple the software crypto implementation from the rest of the
framework. There is no need to waste the space if you are only using
algoritms provided by hardware accelerators. To get the software
implementations, add "pseudo-device swcr" to your kernel config.
- Lazily initialize the opencrypto framework when crypto drivers
(either hardware or swcr) register themselves with the framework.

branches: 1.7.2; 1.7.8;
Use ANSI function decls and static.

- const poisoning
- avoid variable shadowing.

nuke trailing whitespace

branches: 1.4.4; 1.4.10; 1.4.12;
* Make matching and chip info table-driven.
* Print product name and revision at attach time.
* Use aprint_*().

Fix some diagnotic printfs.

Remove #ifdef _OpenBSD__ code which sets the softc pointer `sc' by
passing an index into ubsec_cd.cd_devs[]: that causes too much
confusion with the checks that sc is non-null.

Preliminary port of merged OpenBSD/FreeBSD ubsec driver for Bluesteel
Networks/Broadcom line of cryptographic accelerators.

entropy(9): Simplify stages. Split interrupt vs non-interrupt paths.

- Nix the entropy stage (cold, warm, hot). Just use the usual kernel
`cold' (cold: single-core, single-thread; interrupts may happen),
and don't make any three-way distinction about whether interrupts
or threads or other CPUs can be running.

Instead, while cold, use splhigh/splx or forbid paths to come from
interrupt context, and while warm, use mutex or the per-CPU hard
and soft interrupt paths for low latency. This comes at a small
cost to some interrupt latency, since we may stir the pool in
interrupt context -- but only for a very short window early at boot
between configure and configure2, so it's hard to imagine it
matters much.

- Allow rnd_add_uint32 to run in hard interrupt context or with spin
locks held, but defer processing to softint and drop samples on the
floor if buffer is full. This is mainly used for cheaply tossing
samples from drivers for non-HWRNG devices into the entropy pool,
so it is often used from interrupt context and/or under spin locks.

- New rnd_add_data_intr provides the interrupt-like data entry path
for arbitrary buffers and driver-specified entropy estimates: defer
processing to softint and drop samples on the floor if buffer is
full.

- Document that rnd_add_data is forbidden under spin locks outside
interrupt context (will crash in LOCKDEBUG), and inadvisable in
interrupt context (but technically permitted just in case there are
compatibility issues for now); later we can forbid it altogether in
interrupt context or under spin locks.

- Audit all uses of rnd_add_data to use rnd_add_data_intr where it
might be used in interrupt context or under a spin lock.

This fixes a regression from last year when the global entropy lock
was changed from IPL_VM (spin) to IPL_SOFTSERIAL (adaptive). Thought
I'd caught all the problems from that, but another one bit three
different people this week, presumably because of recent changes that
led to more non-HWRNG drivers entering the entropy consolidation
path from rnd_add_uint32.

In my attempt to preserve the rnd(9) API for the (now long-since
abandoned) prospect of pullup to netbsd-9 in my rewrite of the
entropy subsystem in 2020, I didn't introduce a separate entry point
for entering entropy from interrupt context or equivalent, i.e., spin
locks held, and instead made rnd_add_data rely on cpu_intr_p() to
decide whether to process the whole sample under a lock or only take
as much as there's buffer space for before scheduling a softint. In
retrospect, that was a mistake (though perhaps not as much of a
mistake as other entropy API decisions...), a mistake which is
finally getting rectified now by rnd_add_data_intr.

XXX pullup-10

s/Regiser/Register/ and s/regester/register/ in comments.

Correct the abbreviation of approximately to 'approx.'

Trailing whitespace

Audit unload/unmap v.s. free against DMA buffer for sys/dev/pci;
make sure that bus_dmamap_unload(9) [or bus_dmamap_destroy(9)] or
bus_dmamem_unmap(9) are preceding to freeing DMA buffer, if it is
loaded or mapped, respectively.

This is mandatory for some archs. See, e.g.:

http://www.nerv.org/netbsd/?q=id:20210511T013030Z.013443cc790088147e4beed43f53dedabeaf9312
http://www.nerv.org/netbsd/?q=id:20220511T172220Z.561179f0b6fcc5b9cd73e274f69d74e2ce9e4c93

XXX XXX XXX
Compile test only (for amd64/ALL).

Thanks riastradh@ for double check.

opencrypto: Make freesession callback return void.

No functional change intended: all drivers already return zero
unconditionally.

ubsec(4): Prune dead branches. Assert session id validity.

ubsec(4): Tidy up error branches of ubsec_process.

Make sure to return zero, not error, when we've already done
crypto_done and set crp_etype.

ubsec(4): Assert crp_sid is valid.

If opencrypto passes a bad sid in, that's a bug in opencrypto that
needs to be fixed, not a user-triggered invalid input that we need to
fail gracefully on.

ubsec(4): ubsec_kprocess always returns zero. Prune dead branches.

ubsec(4): Fix error branch: call crypto_kdone, don't return error.

ubsec(4): Nix dead code.

No functional change intended.

ubsec(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

unifdef everything-but-NetBSD. Gets rid of a naked cfattach decl.

rnd_attach_source calls the callback itself now.

No need for every driver to explicitly call it to prime the pool.

Eliminate now-unused <sys/rndpool.h>.

Don't attach rndsource until it's actually ready to run.

Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.

Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.

in many device attach paths, allocate memory with M_WAITOK instead of M_NOWAIT
and remove code to handle failures that can no longer happen.

Replace: M_COPY_PKTHDR -> m_copy_pkthdr. No functional change, since the
former is a macro to the latter.

use pci_intr_establish_xname() everywhere

Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.

HOWEVER! Some subsystems have

#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))

even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.

To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.

I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:

cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))

It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.

Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)

branches: 1.43.16; 1.43.18;
KNF. Remove extra spaces. No functional change.

Add header guards and necessary includes.

branches: 1.41.4;
Merge tls-earlyentropy branch into HEAD.

Add support for accelerated AES_CBC in ubsec(4) for BCM5823 and newer.
Update man-page and bump date.
Adjust OpenBSD RCS IDs to reflect roughly the version we are in sync with.

Rewrite the dmamap handling to allocate and cache the dmamaps beforehand.
Calling bus_dmamap_create/destroy is no longer possible in interrupt context.
Move the dmamaps to the end of struct ubsec_q so the rest of the struct
can be cleared with one call to memset().

As a bonus we get a 25% increase in throughput encrypting 8K blocks.

branches: 1.38.2;
make pci_intr_string and eisa_intr_string take a buffer and a length
instead of relying in local static storage.

Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

If you're going to build this driver as a module, make sure that it
depends on opencrypto module.

Also disable MCR4INT in ubsec_detach() when appropriate.

Add support for BCM5825, and BCM5860, 5861, 5862 from OpenBSD rev 1.143:
Add support for the BCM5825 and the next-generation BCM5860, 5861,
5862 Broadcom CryptoNetX IPSec/SSL Security Processors. The 5825 is a
faster version of the already supported 5823, and the even faster 586x
series is a bit different and needed some more changes.

AES support hasn't been pulled in yet.

Create the sysctl variables on module initialization.
Create them under hw.ubsec as is hip these days.

Make ubsec(4) loadable as kmod.

Fix locking botch. Callers of ubsec_rng_locked() lock and release sc_mtx already.

Use callout_setfunc()/callout_schedule() instead of callout_reset(), it is cheaper.

branches: 1.29.2;
Convert the entropy pool framework from pseudo-callout-driven to
soft interrupt driven operation.

Add a polling mode of operation -- now we can ask hardware random number
generators to top us up just when we need it (bcm2835_rng and amdpm
converted as examples).

Fix a stall noticed with repeated reads from /dev/random while testing.

split device_t/softc for all remaining drivers.
replace "struct device *" with "device_t".
use device_xname(), device_unit(), etc.

branches: 1.27.6;
Use pci_aprint_devinfo(9) instead of pci_devinfo+aprint_{normal,naive}
where it looks straightforward, and pci_aprint_devinfo_fancy in a few
others where drivers want to supply their own device names instead
of the pcidevs generated one. More complicated cases, where names
are composed at runtime, are left alone for now. It certainly makes
sense to simplify the drivers here rather than inventing a catch-all API.
This should serve as as example for new drivers, and also ensure
consistent output in the AB_QUIET ("boot -q") case. Also, it avoids
excessive stack usage where drivers attach child devices because the
buffer for the device name is not kept on the local stack anymore.

branches: 1.26.2;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.8;
Don't pull in the whole uvm(9) API to access only PAGE_SIZE and
some other constants. These are provided by sys/param.h now.

branches: 1.24.4;
Cleanup interrupt establish error messages. Do not mix
aprint_error/aprint_normal/printf calls for a single line.

use device_private().
"looks good" ad@
XXX for the device_t/softc split, please check the driver that no cases have been missed.

struct device * -> device_t, no functional changes intended.

struct cfdata * -> cfdata_t, no functional changes intended.

Remove extra whitespace added by a stupid tool.
XXX: more in src/sys/arch

bcopy -> memcpy

bzero -> memset

branches: 1.17.2;
use M_ZERO on malloc() and remove subsequent bzero().

branches: 1.16.4; 1.16.12;
use aprint_*_dev and device_xname

branches: 1.15.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

use __KERNEL_RCSID()

branches: 1.13.8; 1.13.14; 1.13.16; 1.13.18; 1.13.20;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements

branches: 1.12.2; 1.12.4;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.11.4;
__unused removal on arguments; approved by core.

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

branches: 1.9.8; 1.9.10;
Use device_unit().

branches: 1.8.4; 1.8.6; 1.8.8; 1.8.10; 1.8.12;
- De-couple the software crypto implementation from the rest of the
framework. There is no need to waste the space if you are only using
algoritms provided by hardware accelerators. To get the software
implementations, add "pseudo-device swcr" to your kernel config.
- Lazily initialize the opencrypto framework when crypto drivers
(either hardware or swcr) register themselves with the framework.

branches: 1.7.2; 1.7.8;
Use ANSI function decls and static.

- const poisoning
- avoid variable shadowing.

nuke trailing whitespace

branches: 1.4.4; 1.4.10; 1.4.12;
* Make matching and chip info table-driven.
* Print product name and revision at attach time.
* Use aprint_*().

Fix some diagnotic printfs.

Remove #ifdef _OpenBSD__ code which sets the softc pointer `sc' by
passing an index into ubsec_cd.cd_devs[]: that causes too much
confusion with the checks that sc is non-null.

Preliminary port of merged OpenBSD/FreeBSD ubsec driver for Bluesteel
Networks/Broadcom line of cryptographic accelerators.

s/Regiser/Register/ and s/regester/register/ in comments.

Correct the abbreviation of approximately to 'approx.'

Trailing whitespace

Audit unload/unmap v.s. free against DMA buffer for sys/dev/pci;
make sure that bus_dmamap_unload(9) [or bus_dmamap_destroy(9)] or
bus_dmamem_unmap(9) are preceding to freeing DMA buffer, if it is
loaded or mapped, respectively.

This is mandatory for some archs. See, e.g.:

http://www.nerv.org/netbsd/?q=id:20210511T013030Z.013443cc790088147e4beed43f53dedabeaf9312
http://www.nerv.org/netbsd/?q=id:20220511T172220Z.561179f0b6fcc5b9cd73e274f69d74e2ce9e4c93

XXX XXX XXX
Compile test only (for amd64/ALL).

Thanks riastradh@ for double check.

opencrypto: Make freesession callback return void.

No functional change intended: all drivers already return zero
unconditionally.

ubsec(4): Prune dead branches. Assert session id validity.

ubsec(4): Tidy up error branches of ubsec_process.

Make sure to return zero, not error, when we've already done
crypto_done and set crp_etype.

ubsec(4): Assert crp_sid is valid.

If opencrypto passes a bad sid in, that's a bug in opencrypto that
needs to be fixed, not a user-triggered invalid input that we need to
fail gracefully on.

ubsec(4): ubsec_kprocess always returns zero. Prune dead branches.

ubsec(4): Fix error branch: call crypto_kdone, don't return error.

ubsec(4): Nix dead code.

No functional change intended.

ubsec(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

unifdef everything-but-NetBSD. Gets rid of a naked cfattach decl.

rnd_attach_source calls the callback itself now.

No need for every driver to explicitly call it to prime the pool.

Eliminate now-unused <sys/rndpool.h>.

Don't attach rndsource until it's actually ready to run.

Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.

Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.

in many device attach paths, allocate memory with M_WAITOK instead of M_NOWAIT
and remove code to handle failures that can no longer happen.

Replace: M_COPY_PKTHDR -> m_copy_pkthdr. No functional change, since the
former is a macro to the latter.

use pci_intr_establish_xname() everywhere

Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.

HOWEVER! Some subsystems have

#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))

even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.

To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.

I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:

cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))

It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.

Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)

branches: 1.43.16; 1.43.18;
KNF. Remove extra spaces. No functional change.

Add header guards and necessary includes.

branches: 1.41.4;
Merge tls-earlyentropy branch into HEAD.

Add support for accelerated AES_CBC in ubsec(4) for BCM5823 and newer.
Update man-page and bump date.
Adjust OpenBSD RCS IDs to reflect roughly the version we are in sync with.

Rewrite the dmamap handling to allocate and cache the dmamaps beforehand.
Calling bus_dmamap_create/destroy is no longer possible in interrupt context.
Move the dmamaps to the end of struct ubsec_q so the rest of the struct
can be cleared with one call to memset().

As a bonus we get a 25% increase in throughput encrypting 8K blocks.

branches: 1.38.2;
make pci_intr_string and eisa_intr_string take a buffer and a length
instead of relying in local static storage.

Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

If you're going to build this driver as a module, make sure that it
depends on opencrypto module.

Also disable MCR4INT in ubsec_detach() when appropriate.

Add support for BCM5825, and BCM5860, 5861, 5862 from OpenBSD rev 1.143:
Add support for the BCM5825 and the next-generation BCM5860, 5861,
5862 Broadcom CryptoNetX IPSec/SSL Security Processors. The 5825 is a
faster version of the already supported 5823, and the even faster 586x
series is a bit different and needed some more changes.

AES support hasn't been pulled in yet.

Create the sysctl variables on module initialization.
Create them under hw.ubsec as is hip these days.

Make ubsec(4) loadable as kmod.

Fix locking botch. Callers of ubsec_rng_locked() lock and release sc_mtx already.

Use callout_setfunc()/callout_schedule() instead of callout_reset(), it is cheaper.

branches: 1.29.2;
Convert the entropy pool framework from pseudo-callout-driven to
soft interrupt driven operation.

Add a polling mode of operation -- now we can ask hardware random number
generators to top us up just when we need it (bcm2835_rng and amdpm
converted as examples).

Fix a stall noticed with repeated reads from /dev/random while testing.

split device_t/softc for all remaining drivers.
replace "struct device *" with "device_t".
use device_xname(), device_unit(), etc.

branches: 1.27.6;
Use pci_aprint_devinfo(9) instead of pci_devinfo+aprint_{normal,naive}
where it looks straightforward, and pci_aprint_devinfo_fancy in a few
others where drivers want to supply their own device names instead
of the pcidevs generated one. More complicated cases, where names
are composed at runtime, are left alone for now. It certainly makes
sense to simplify the drivers here rather than inventing a catch-all API.
This should serve as as example for new drivers, and also ensure
consistent output in the AB_QUIET ("boot -q") case. Also, it avoids
excessive stack usage where drivers attach child devices because the
buffer for the device name is not kept on the local stack anymore.

branches: 1.26.2;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.8;
Don't pull in the whole uvm(9) API to access only PAGE_SIZE and
some other constants. These are provided by sys/param.h now.

branches: 1.24.4;
Cleanup interrupt establish error messages. Do not mix
aprint_error/aprint_normal/printf calls for a single line.

use device_private().
"looks good" ad@
XXX for the device_t/softc split, please check the driver that no cases have been missed.

struct device * -> device_t, no functional changes intended.

struct cfdata * -> cfdata_t, no functional changes intended.

Remove extra whitespace added by a stupid tool.
XXX: more in src/sys/arch

bcopy -> memcpy

bzero -> memset

branches: 1.17.2;
use M_ZERO on malloc() and remove subsequent bzero().

branches: 1.16.4; 1.16.12;
use aprint_*_dev and device_xname

branches: 1.15.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

use __KERNEL_RCSID()

branches: 1.13.8; 1.13.14; 1.13.16; 1.13.18; 1.13.20;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements

branches: 1.12.2; 1.12.4;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.11.4;
__unused removal on arguments; approved by core.

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

branches: 1.9.8; 1.9.10;
Use device_unit().

branches: 1.8.4; 1.8.6; 1.8.8; 1.8.10; 1.8.12;
- De-couple the software crypto implementation from the rest of the
framework. There is no need to waste the space if you are only using
algoritms provided by hardware accelerators. To get the software
implementations, add "pseudo-device swcr" to your kernel config.
- Lazily initialize the opencrypto framework when crypto drivers
(either hardware or swcr) register themselves with the framework.

branches: 1.7.2; 1.7.8;
Use ANSI function decls and static.

- const poisoning
- avoid variable shadowing.

nuke trailing whitespace

branches: 1.4.4; 1.4.10; 1.4.12;
* Make matching and chip info table-driven.
* Print product name and revision at attach time.
* Use aprint_*().

Fix some diagnotic printfs.

Remove #ifdef _OpenBSD__ code which sets the softc pointer `sc' by
passing an index into ubsec_cd.cd_devs[]: that causes too much
confusion with the checks that sc is non-null.

Preliminary port of merged OpenBSD/FreeBSD ubsec driver for Bluesteel
Networks/Broadcom line of cryptographic accelerators.

Correct the abbreviation of approximately to 'approx.'

Trailing whitespace

Audit unload/unmap v.s. free against DMA buffer for sys/dev/pci;
make sure that bus_dmamap_unload(9) [or bus_dmamap_destroy(9)] or
bus_dmamem_unmap(9) are preceding to freeing DMA buffer, if it is
loaded or mapped, respectively.

This is mandatory for some archs. See, e.g.:

http://www.nerv.org/netbsd/?q=id:20210511T013030Z.013443cc790088147e4beed43f53dedabeaf9312
http://www.nerv.org/netbsd/?q=id:20220511T172220Z.561179f0b6fcc5b9cd73e274f69d74e2ce9e4c93

XXX XXX XXX
Compile test only (for amd64/ALL).

Thanks riastradh@ for double check.

opencrypto: Make freesession callback return void.

No functional change intended: all drivers already return zero
unconditionally.

ubsec(4): Prune dead branches. Assert session id validity.

ubsec(4): Tidy up error branches of ubsec_process.

Make sure to return zero, not error, when we've already done
crypto_done and set crp_etype.

ubsec(4): Assert crp_sid is valid.

If opencrypto passes a bad sid in, that's a bug in opencrypto that
needs to be fixed, not a user-triggered invalid input that we need to
fail gracefully on.

ubsec(4): ubsec_kprocess always returns zero. Prune dead branches.

ubsec(4): Fix error branch: call crypto_kdone, don't return error.

ubsec(4): Nix dead code.

No functional change intended.

ubsec(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

unifdef everything-but-NetBSD. Gets rid of a naked cfattach decl.

rnd_attach_source calls the callback itself now.

No need for every driver to explicitly call it to prime the pool.

Eliminate now-unused <sys/rndpool.h>.

Don't attach rndsource until it's actually ready to run.

Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.

Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.

in many device attach paths, allocate memory with M_WAITOK instead of M_NOWAIT
and remove code to handle failures that can no longer happen.

Replace: M_COPY_PKTHDR -> m_copy_pkthdr. No functional change, since the
former is a macro to the latter.

use pci_intr_establish_xname() everywhere

Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.

HOWEVER! Some subsystems have

#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))

even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.

To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.

I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:

cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))

It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.

Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)

branches: 1.43.16; 1.43.18;
KNF. Remove extra spaces. No functional change.

Add header guards and necessary includes.

branches: 1.41.4;
Merge tls-earlyentropy branch into HEAD.

Add support for accelerated AES_CBC in ubsec(4) for BCM5823 and newer.
Update man-page and bump date.
Adjust OpenBSD RCS IDs to reflect roughly the version we are in sync with.

Rewrite the dmamap handling to allocate and cache the dmamaps beforehand.
Calling bus_dmamap_create/destroy is no longer possible in interrupt context.
Move the dmamaps to the end of struct ubsec_q so the rest of the struct
can be cleared with one call to memset().

As a bonus we get a 25% increase in throughput encrypting 8K blocks.

branches: 1.38.2;
make pci_intr_string and eisa_intr_string take a buffer and a length
instead of relying in local static storage.

Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

If you're going to build this driver as a module, make sure that it
depends on opencrypto module.

Also disable MCR4INT in ubsec_detach() when appropriate.

Add support for BCM5825, and BCM5860, 5861, 5862 from OpenBSD rev 1.143:
Add support for the BCM5825 and the next-generation BCM5860, 5861,
5862 Broadcom CryptoNetX IPSec/SSL Security Processors. The 5825 is a
faster version of the already supported 5823, and the even faster 586x
series is a bit different and needed some more changes.

AES support hasn't been pulled in yet.

Create the sysctl variables on module initialization.
Create them under hw.ubsec as is hip these days.

Make ubsec(4) loadable as kmod.

Fix locking botch. Callers of ubsec_rng_locked() lock and release sc_mtx already.

Use callout_setfunc()/callout_schedule() instead of callout_reset(), it is cheaper.

branches: 1.29.2;
Convert the entropy pool framework from pseudo-callout-driven to
soft interrupt driven operation.

Add a polling mode of operation -- now we can ask hardware random number
generators to top us up just when we need it (bcm2835_rng and amdpm
converted as examples).

Fix a stall noticed with repeated reads from /dev/random while testing.

split device_t/softc for all remaining drivers.
replace "struct device *" with "device_t".
use device_xname(), device_unit(), etc.

branches: 1.27.6;
Use pci_aprint_devinfo(9) instead of pci_devinfo+aprint_{normal,naive}
where it looks straightforward, and pci_aprint_devinfo_fancy in a few
others where drivers want to supply their own device names instead
of the pcidevs generated one. More complicated cases, where names
are composed at runtime, are left alone for now. It certainly makes
sense to simplify the drivers here rather than inventing a catch-all API.
This should serve as as example for new drivers, and also ensure
consistent output in the AB_QUIET ("boot -q") case. Also, it avoids
excessive stack usage where drivers attach child devices because the
buffer for the device name is not kept on the local stack anymore.

branches: 1.26.2;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.8;
Don't pull in the whole uvm(9) API to access only PAGE_SIZE and
some other constants. These are provided by sys/param.h now.

branches: 1.24.4;
Cleanup interrupt establish error messages. Do not mix
aprint_error/aprint_normal/printf calls for a single line.

use device_private().
"looks good" ad@
XXX for the device_t/softc split, please check the driver that no cases have been missed.

struct device * -> device_t, no functional changes intended.

struct cfdata * -> cfdata_t, no functional changes intended.

Remove extra whitespace added by a stupid tool.
XXX: more in src/sys/arch

bcopy -> memcpy

bzero -> memset

branches: 1.17.2;
use M_ZERO on malloc() and remove subsequent bzero().

branches: 1.16.4; 1.16.12;
use aprint_*_dev and device_xname

branches: 1.15.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

use __KERNEL_RCSID()

branches: 1.13.8; 1.13.14; 1.13.16; 1.13.18; 1.13.20;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements

branches: 1.12.2; 1.12.4;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.11.4;
__unused removal on arguments; approved by core.

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

branches: 1.9.8; 1.9.10;
Use device_unit().

branches: 1.8.4; 1.8.6; 1.8.8; 1.8.10; 1.8.12;
- De-couple the software crypto implementation from the rest of the
framework. There is no need to waste the space if you are only using
algoritms provided by hardware accelerators. To get the software
implementations, add "pseudo-device swcr" to your kernel config.
- Lazily initialize the opencrypto framework when crypto drivers
(either hardware or swcr) register themselves with the framework.

branches: 1.7.2; 1.7.8;
Use ANSI function decls and static.

- const poisoning
- avoid variable shadowing.

nuke trailing whitespace

branches: 1.4.4; 1.4.10; 1.4.12;
* Make matching and chip info table-driven.
* Print product name and revision at attach time.
* Use aprint_*().

Fix some diagnotic printfs.

Remove #ifdef _OpenBSD__ code which sets the softc pointer `sc' by
passing an index into ubsec_cd.cd_devs[]: that causes too much
confusion with the checks that sc is non-null.

Preliminary port of merged OpenBSD/FreeBSD ubsec driver for Bluesteel
Networks/Broadcom line of cryptographic accelerators.

Audit unload/unmap v.s. free against DMA buffer for sys/dev/pci;
make sure that bus_dmamap_unload(9) [or bus_dmamap_destroy(9)] or
bus_dmamem_unmap(9) are preceding to freeing DMA buffer, if it is
loaded or mapped, respectively.

This is mandatory for some archs. See, e.g.:

http://www.nerv.org/netbsd/?q=id:20210511T013030Z.013443cc790088147e4beed43f53dedabeaf9312
http://www.nerv.org/netbsd/?q=id:20220511T172220Z.561179f0b6fcc5b9cd73e274f69d74e2ce9e4c93

XXX XXX XXX
Compile test only (for amd64/ALL).

Thanks riastradh@ for double check.

opencrypto: Make freesession callback return void.

No functional change intended: all drivers already return zero
unconditionally.

ubsec(4): Prune dead branches. Assert session id validity.

ubsec(4): Tidy up error branches of ubsec_process.

Make sure to return zero, not error, when we've already done
crypto_done and set crp_etype.

ubsec(4): Assert crp_sid is valid.

If opencrypto passes a bad sid in, that's a bug in opencrypto that
needs to be fixed, not a user-triggered invalid input that we need to
fail gracefully on.

ubsec(4): ubsec_kprocess always returns zero. Prune dead branches.

ubsec(4): Fix error branch: call crypto_kdone, don't return error.

ubsec(4): Nix dead code.

No functional change intended.

ubsec(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

unifdef everything-but-NetBSD. Gets rid of a naked cfattach decl.

rnd_attach_source calls the callback itself now.

No need for every driver to explicitly call it to prime the pool.

Eliminate now-unused <sys/rndpool.h>.

Don't attach rndsource until it's actually ready to run.

Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.

Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.

in many device attach paths, allocate memory with M_WAITOK instead of M_NOWAIT
and remove code to handle failures that can no longer happen.

Replace: M_COPY_PKTHDR -> m_copy_pkthdr. No functional change, since the
former is a macro to the latter.

use pci_intr_establish_xname() everywhere

Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.

HOWEVER! Some subsystems have

#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))

even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.

To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.

I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:

cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))

It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.

Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)

branches: 1.43.16; 1.43.18;
KNF. Remove extra spaces. No functional change.

Add header guards and necessary includes.

branches: 1.41.4;
Merge tls-earlyentropy branch into HEAD.

Add support for accelerated AES_CBC in ubsec(4) for BCM5823 and newer.
Update man-page and bump date.
Adjust OpenBSD RCS IDs to reflect roughly the version we are in sync with.

Rewrite the dmamap handling to allocate and cache the dmamaps beforehand.
Calling bus_dmamap_create/destroy is no longer possible in interrupt context.
Move the dmamaps to the end of struct ubsec_q so the rest of the struct
can be cleared with one call to memset().

As a bonus we get a 25% increase in throughput encrypting 8K blocks.

branches: 1.38.2;
make pci_intr_string and eisa_intr_string take a buffer and a length
instead of relying in local static storage.

Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

If you're going to build this driver as a module, make sure that it
depends on opencrypto module.

Also disable MCR4INT in ubsec_detach() when appropriate.

Add support for BCM5825, and BCM5860, 5861, 5862 from OpenBSD rev 1.143:
Add support for the BCM5825 and the next-generation BCM5860, 5861,
5862 Broadcom CryptoNetX IPSec/SSL Security Processors. The 5825 is a
faster version of the already supported 5823, and the even faster 586x
series is a bit different and needed some more changes.

AES support hasn't been pulled in yet.

Create the sysctl variables on module initialization.
Create them under hw.ubsec as is hip these days.

Make ubsec(4) loadable as kmod.

Fix locking botch. Callers of ubsec_rng_locked() lock and release sc_mtx already.

Use callout_setfunc()/callout_schedule() instead of callout_reset(), it is cheaper.

branches: 1.29.2;
Convert the entropy pool framework from pseudo-callout-driven to
soft interrupt driven operation.

Add a polling mode of operation -- now we can ask hardware random number
generators to top us up just when we need it (bcm2835_rng and amdpm
converted as examples).

Fix a stall noticed with repeated reads from /dev/random while testing.

split device_t/softc for all remaining drivers.
replace "struct device *" with "device_t".
use device_xname(), device_unit(), etc.

branches: 1.27.6;
Use pci_aprint_devinfo(9) instead of pci_devinfo+aprint_{normal,naive}
where it looks straightforward, and pci_aprint_devinfo_fancy in a few
others where drivers want to supply their own device names instead
of the pcidevs generated one. More complicated cases, where names
are composed at runtime, are left alone for now. It certainly makes
sense to simplify the drivers here rather than inventing a catch-all API.
This should serve as as example for new drivers, and also ensure
consistent output in the AB_QUIET ("boot -q") case. Also, it avoids
excessive stack usage where drivers attach child devices because the
buffer for the device name is not kept on the local stack anymore.

branches: 1.26.2;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.8;
Don't pull in the whole uvm(9) API to access only PAGE_SIZE and
some other constants. These are provided by sys/param.h now.

branches: 1.24.4;
Cleanup interrupt establish error messages. Do not mix
aprint_error/aprint_normal/printf calls for a single line.

use device_private().
"looks good" ad@
XXX for the device_t/softc split, please check the driver that no cases have been missed.

struct device * -> device_t, no functional changes intended.

struct cfdata * -> cfdata_t, no functional changes intended.

Remove extra whitespace added by a stupid tool.
XXX: more in src/sys/arch

bcopy -> memcpy

bzero -> memset

branches: 1.17.2;
use M_ZERO on malloc() and remove subsequent bzero().

branches: 1.16.4; 1.16.12;
use aprint_*_dev and device_xname

branches: 1.15.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

use __KERNEL_RCSID()

branches: 1.13.8; 1.13.14; 1.13.16; 1.13.18; 1.13.20;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements

branches: 1.12.2; 1.12.4;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.11.4;
__unused removal on arguments; approved by core.

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

branches: 1.9.8; 1.9.10;
Use device_unit().

branches: 1.8.4; 1.8.6; 1.8.8; 1.8.10; 1.8.12;
- De-couple the software crypto implementation from the rest of the
framework. There is no need to waste the space if you are only using
algoritms provided by hardware accelerators. To get the software
implementations, add "pseudo-device swcr" to your kernel config.
- Lazily initialize the opencrypto framework when crypto drivers
(either hardware or swcr) register themselves with the framework.

branches: 1.7.2; 1.7.8;
Use ANSI function decls and static.

- const poisoning
- avoid variable shadowing.

nuke trailing whitespace

branches: 1.4.4; 1.4.10; 1.4.12;
* Make matching and chip info table-driven.
* Print product name and revision at attach time.
* Use aprint_*().

Fix some diagnotic printfs.

Remove #ifdef _OpenBSD__ code which sets the softc pointer `sc' by
passing an index into ubsec_cd.cd_devs[]: that causes too much
confusion with the checks that sc is non-null.

Preliminary port of merged OpenBSD/FreeBSD ubsec driver for Bluesteel
Networks/Broadcom line of cryptographic accelerators.

ubsec(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

unifdef everything-but-NetBSD. Gets rid of a naked cfattach decl.

rnd_attach_source calls the callback itself now.

No need for every driver to explicitly call it to prime the pool.

Eliminate now-unused <sys/rndpool.h>.

Don't attach rndsource until it's actually ready to run.

Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.

Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.

in many device attach paths, allocate memory with M_WAITOK instead of M_NOWAIT
and remove code to handle failures that can no longer happen.

Replace: M_COPY_PKTHDR -> m_copy_pkthdr. No functional change, since the
former is a macro to the latter.

use pci_intr_establish_xname() everywhere

Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.

HOWEVER! Some subsystems have

#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))

even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.

To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.

I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:

cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))

It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.

Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)

branches: 1.43.16; 1.43.18;
KNF. Remove extra spaces. No functional change.

Add header guards and necessary includes.

branches: 1.41.4;
Merge tls-earlyentropy branch into HEAD.

Add support for accelerated AES_CBC in ubsec(4) for BCM5823 and newer.
Update man-page and bump date.
Adjust OpenBSD RCS IDs to reflect roughly the version we are in sync with.

Rewrite the dmamap handling to allocate and cache the dmamaps beforehand.
Calling bus_dmamap_create/destroy is no longer possible in interrupt context.
Move the dmamaps to the end of struct ubsec_q so the rest of the struct
can be cleared with one call to memset().

As a bonus we get a 25% increase in throughput encrypting 8K blocks.

branches: 1.38.2;
make pci_intr_string and eisa_intr_string take a buffer and a length
instead of relying in local static storage.

Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.

If you're going to build this driver as a module, make sure that it
depends on opencrypto module.

Also disable MCR4INT in ubsec_detach() when appropriate.

Add support for BCM5825, and BCM5860, 5861, 5862 from OpenBSD rev 1.143:
Add support for the BCM5825 and the next-generation BCM5860, 5861,
5862 Broadcom CryptoNetX IPSec/SSL Security Processors. The 5825 is a
faster version of the already supported 5823, and the even faster 586x
series is a bit different and needed some more changes.

AES support hasn't been pulled in yet.

Create the sysctl variables on module initialization.
Create them under hw.ubsec as is hip these days.

Make ubsec(4) loadable as kmod.

Fix locking botch. Callers of ubsec_rng_locked() lock and release sc_mtx already.

Use callout_setfunc()/callout_schedule() instead of callout_reset(), it is cheaper.

branches: 1.29.2;
Convert the entropy pool framework from pseudo-callout-driven to
soft interrupt driven operation.

Add a polling mode of operation -- now we can ask hardware random number
generators to top us up just when we need it (bcm2835_rng and amdpm
converted as examples).

Fix a stall noticed with repeated reads from /dev/random while testing.

split device_t/softc for all remaining drivers.
replace "struct device *" with "device_t".
use device_xname(), device_unit(), etc.

branches: 1.27.6;
Use pci_aprint_devinfo(9) instead of pci_devinfo+aprint_{normal,naive}
where it looks straightforward, and pci_aprint_devinfo_fancy in a few
others where drivers want to supply their own device names instead
of the pcidevs generated one. More complicated cases, where names
are composed at runtime, are left alone for now. It certainly makes
sense to simplify the drivers here rather than inventing a catch-all API.
This should serve as as example for new drivers, and also ensure
consistent output in the AB_QUIET ("boot -q") case. Also, it avoids
excessive stack usage where drivers attach child devices because the
buffer for the device name is not kept on the local stack anymore.

branches: 1.26.2;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.25.8;
Don't pull in the whole uvm(9) API to access only PAGE_SIZE and
some other constants. These are provided by sys/param.h now.

branches: 1.24.4;
Cleanup interrupt establish error messages. Do not mix
aprint_error/aprint_normal/printf calls for a single line.

use device_private().
"looks good" ad@
XXX for the device_t/softc split, please check the driver that no cases have been missed.

struct device * -> device_t, no functional changes intended.

struct cfdata * -> cfdata_t, no functional changes intended.

Remove extra whitespace added by a stupid tool.
XXX: more in src/sys/arch

bcopy -> memcpy

bzero -> memset

branches: 1.17.2;
use M_ZERO on malloc() and remove subsequent bzero().

branches: 1.16.4; 1.16.12;
use aprint_*_dev and device_xname

branches: 1.15.6;
From Darran Hunt at Coyote Point: don't truncate HMAC to 96 bits unless
actually asked to.

Fixed in FreeBSD a while ago, discussed on tech-kern and tech-crypto.

use __KERNEL_RCSID()

branches: 1.13.8; 1.13.14; 1.13.16; 1.13.18; 1.13.20;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements

branches: 1.12.2; 1.12.4;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.11.4;
__unused removal on arguments; approved by core.

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

branches: 1.9.8; 1.9.10;
Use device_unit().

branches: 1.8.4; 1.8.6; 1.8.8; 1.8.10; 1.8.12;
- De-couple the software crypto implementation from the rest of the
framework. There is no need to waste the space if you are only using
algoritms provided by hardware accelerators. To get the software
implementations, add "pseudo-device swcr" to your kernel config.
- Lazily initialize the opencrypto framework when crypto drivers
(either hardware or swcr) register themselves with the framework.

branches: 1.7.2; 1.7.8;
Use ANSI function decls and static.

- const poisoning
- avoid variable shadowing.

nuke trailing whitespace

branches: 1.4.4; 1.4.10; 1.4.12;
* Make matching and chip info table-driven.
* Print product name and revision at attach time.
* Use aprint_*().

Fix some diagnotic printfs.

Remove #ifdef _OpenBSD__ code which sets the softc pointer `sc' by
passing an index into ubsec_cd.cd_devs[]: that causes too much
confusion with the checks that sc is non-null.

Preliminary port of merged OpenBSD/FreeBSD ubsec driver for Bluesteel
Networks/Broadcom line of cryptographic accelerators.

unifdef everything-but-NetBSD. Gets rid of a naked cfattach decl.

rnd_attach_source calls the callback itself now.

No need for every driver to explicitly call it to prime the pool.

Eliminate now-unused <sys/rndpool.h>.

Don't attach rndsource until it's actually ready to run.

Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.

Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.

in many device attach paths, allocate memory with M_WAITOK instead of M_NOWAIT
and remove code to handle failures that can no longer happen.

Replace: M_COPY_PKTHDR -> m_copy_pkthdr. No functional change, since the
former is a macro to the latter.

use pci_intr_establish_xname() everywhere

Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.

HOWEVER! Some subsystems have

#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))

even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.

To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.

I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:

cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))

It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.

Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)

branches: 1.43.16; 1.43.18;
KNF. Remove extra spaces. No functional change.

Add header guards and necessary includes.

branches: 1.41.4;
Merge tls-earlyentropy branch into HEAD.

Add support for accelerated AES_CBC in ubsec(4) for BCM5823 and newer.
Update man-page and bump date.
Adjust OpenBSD RCS IDs to reflect roughly the version we are in sync with.