#
9eecef05 |
|
15-Nov-2023 |
Andrew Turner <andrew@FreeBSD.org> |
Add an Armv8 rndr random number provider Armv8.5 adds an optional random number generator. This is implemented as two special registers one to read a random number, the other to re-seed the entropy pool before reading a random number. Both registers will set the condition flags to tell the caller they can't produce a random number in a reasonable amount of time. Without a signal to reseed the entropy pool use the latter register to provide random numbers to the kernel pool. If at a later time we had a way to tell the provider if it needs to reseed or not we could use the former. On an Amazon AWS Graviton3 VM this never failed, however this may not be the case on low end CPUs so retry reading the random number 10 times before returning an error. Reviewed by: imp, delphij (csprng) Sponsored by: The FreeBSD Foundation Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D35411
|
#
95ee2897 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: two-line .h pattern Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
|
#
4d846d26 |
|
10-May-2023 |
Warner Losh <imp@FreeBSD.org> |
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause. Discussed with: pfg MFC After: 3 days Sponsored by: Netflix
|
#
5c73b3e0 |
|
17-Feb-2022 |
Colin Percival <cperciva@FreeBSD.org> |
Add support for getting early entropy from UEFI UEFI provides a protocol for accessing randomness. This is a good way to gather early entropy, especially when there's no driver for the RNG on the platform (as is the case on the Marvell Armada8k (MACCHIATObin) for now). If the entropy_efi_seed option is enabled in loader.conf (default: YES) obtain 2048 bytes of entropy from UEFI and pass is to the kernel as a "module" of name "efi_rng_seed" and type "boot_entropy_platform"; if present, ingest it into the kernel RNG. Submitted by: Greg V Reviewed by: markm, kevans Approved by: csprng (markm) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D20780
|
#
642701ab |
|
03-Feb-2022 |
Kyle Evans <kevans@FreeBSD.org> |
kern: harvest entropy from callouts 74cf7cae4d22 ("softclock: Use dedicated ithreads for running callouts.") switched callouts away from the swi infrastructure. It turns out that this was a major source of entropy in early boot, which we've now lost. As a result, first boot on hardware without a 'fast' entropy source would block waiting for fortuna to be seeded with little hope of progressing without manual intervention. Let's resolve it by explicitly harvesting entropy in callout_process() if we've handled any callouts. cc/curthread/now seem to be reasonable sources of entropy, so use those. Discussed with: jhb (also proposed initial patch) Reported by: many Reviewed by: cem, markm (both csprng) Differential Revision: https://reviews.freebsd.org/D34150
|
#
1492c8c0 |
|
20-Oct-2021 |
Adrian Chadd <adrian@FreeBSD.org> |
qcom_rnd: add initial qualcomm prng driver. This is the MVP required to initialise and consume random data from the QCA PRNG hardware found on the IPQ401x. Reviewed by: andrew, manu, imp Differential Revision: https://reviews.freebsd.org/D32723
|
#
f6e54eb3 |
|
01-Sep-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
sys: clean up empty lines in .c and .h files
|
#
97e25132 |
|
11-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Remove ubsec(4). This driver was previously marked for deprecation in r360710. Approved by: csprng (cem, gordon, delphij) Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24766
|
#
86def3dc |
|
12-Jan-2020 |
Conrad Meyer <cem@FreeBSD.org> |
getrandom(2): Add Linux GRND_INSECURE API flag Treat it as a synonym for GRND_NONBLOCK. The reasoning is this: We have two choices for handling Linux's GRND_INSECURE API flag. 1. We could ignore it completely (like GRND_RANDOM). However, this might produce the surprising result of GRND_INSECURE requests blocking, when the Linux API does not block. 2. Alternatively, we could treat GRND_INSECURE requests as requests for GRND_NONBLOCk. Here, the surprising result for Linux programs is that invocations with unseeded random(4) will produce EAGAIN, rather than garbage. Honoring the flag in the way Linux does seems fraught. If we actually use the output of a random(4) implementation prior to seeding, we leak some entropy (in an information theory and also practical sense) from what will be the initial seed to attackers (or allow attackers to arbitrary DoS initial seeding, if we don't leak). This seems unacceptable -- it defeats the purpose of blocking on initial seeding. Secondary to that concern, before seeding we may have arbitrarily little entropy collected; producing output from zero or a handful of entropy bits does not seem particularly useful to userspace. If userspace can accept garbage, insecure, non-random bytes, they can create their own insecure garbage with srandom(time(NULL)) or similar. Any program which would be satisfied with a 3-bit key CTR stream has no need for CSPRNG bytes. So asking the kernel to produce such an output from the secure getrandom(2) API seems inane. For now, we've elected to emulate GRND_INSECURE as an alternative spelling of GRND_NONBLOCK (2). Consider this API not-quite stable for now. We guarantee it will never block. But we will attempt to monitor actual port uptake of this bizarre API and may revise our plans for the unseeded behavior (prior stable/13 branching). Approved by: csprng(markm), manpages(bcr) See also: https://lwn.net/ml/linux-kernel/cover.1577088521.git.luto@kernel.org/ See also: https://lwn.net/ml/linux-kernel/20200107204400.GH3619@mit.edu/ Differential Revision: https://reviews.freebsd.org/D23130
|
#
767991d2 |
|
31-Dec-2019 |
Conrad Meyer <cem@FreeBSD.org> |
vmgenid(4): Integrate as a random(4) source The number is public and has no "entropy," but should be integrated quickly on VM rewind events to avoid duplicate sequences. Approved by: csprng(markm) Differential Revision: https://reviews.freebsd.org/D22946
|
#
3ee1d5bb |
|
26-Dec-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Simplify RANDOM_LOADABLE Simplify RANDOM_LOADABLE by removing the ability to unload a LOADABLE random(4) implementation. This allows one-time random module selection at boot, by loader(8). Swapping modules on the fly doesn't seem especially useful. This removes the need to hold a lock over the sleepable module calls read_random and read_random_uio. init/deinit have been pulled out of random_algorithm entirely. Algorithms can run their own sysinits to initialize; deinit is removed entirely, as algorithms can not be unloaded. Algorithms should initialize at SI_SUB_RANDOM:SI_ORDER_SECOND. In LOADABLE systems, algorithms install a pointer to their local random_algorithm context in p_random_alg_context at that time. Go ahead and const'ify random_algorithm objects; there is no need to mutate them at runtime. LOADABLE kernel NULL checks are removed from random_harvestq by ordering random_harvestq initialization at SI_SUB_RANDOM:SI_ORDER_THIRD, after algorithm init. Prior to random_harvestq init, hc_harvest_mask is zero and no events are forwarded to algorithms; after random_harvestq init, the relevant pointers will already have been installed. Remove the bulk of random_infra shim wrappers and instead expose the bare function pointers in sys/random.h. In LOADABLE systems, read_random(9) et al are just thin shim macros around invoking the associated function pointer. We do not provide a registration system but instead expect LOADABLE modules to register themselves at SI_SUB_RANDOM:SI_ORDER_SECOND. An example is provided in randomdev.c, as used in the random_fortuna.ko module. Approved by: csprng(markm) Discussed with: gordon Differential Revision: https://reviews.freebsd.org/D22512
|
#
f19de0a9 |
|
22-Nov-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Abstract loader entropy injection Break random_harvestq_prime up into some logical subroutines. The goal is that it becomes easier to add other early entropy sources. While here, drop pre-12.0 compatibility logic. loader default configuration should preload the file as expeced since 12.0. Approved by: csprng(delphij, markm) Differential Revision: https://reviews.freebsd.org/D22482
|
#
c363b16c |
|
20-Jun-2019 |
Conrad Meyer <cem@FreeBSD.org> |
sys: Remove DEV_RANDOM device option Remove 'device random' from kernel configurations that reference it (most). Replace perhaps mistaken 'nodevice random' in two MIPS configs with 'options RANDOM_LOADABLE' instead. Document removal in UPDATING; update NOTES and random.4. Reviewed by: delphij, markm (previous version) Approved by: secteam(delphij) Differential Revision: https://reviews.freebsd.org/D19918
|
#
f3d2512d |
|
16-Apr-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Add is_random_seeded(9) KPI The imagined use is for early boot consumers of random to be able to make decisions based on whether random is available yet or not. One such consumer seems to be __stack_chk_init(), which runs immediately after random is initialized. A follow-up patch will attempt to address that. Reported by: many Reviewed by: delphij (except man page) Approved by: secteam(delphij) Differential Revision: https://reviews.freebsd.org/D19926
|
#
13774e82 |
|
15-Apr-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Block read_random(9) on initial seeding read_random() is/was used, mostly without error checking, in a lot of very sensitive places in the kernel -- including seeding the widely used arc4random(9). Most uses, especially arc4random(9), should block until the device is seeded rather than proceeding with a bogus or empty seed. I did not spy any obvious kernel consumers where blocking would be inappropriate (in the sense that lack of entropy would be ok -- I did not investigate locking angle thoroughly). In many instances, arc4random_buf(9) or that family of APIs would be more appropriate anyway; that work was done in r345865. A minor cleanup was made to the implementation of the READ_RANDOM function: instead of using a variable-length array on the stack to temporarily store all full random blocks sufficient to satisfy the requested 'len', only store a single block on the stack. This has some benefit in terms of reducing stack usage, reducing memcpy overhead and reducing devrandom output leakage via the stack. Additionally, the stack block is now safely zeroed if it was used. One caveat of this change is that the kern.arandom sysctl no longer returns zero bytes immediately if the random device is not seeded. This means that FreeBSD-specific userspace applications which attempted to handle an unseeded random device may be broken by this change. If such behavior is needed, it can be replaced by the more portable getrandom(2) GRND_NONBLOCK option. On any typical FreeBSD system, entropy is persisted on read/write media and used to seed the random device very early in boot, and blocking is never a problem. This change primarily impacts the behavior of /dev/random on embedded systems with read-only media that do not configure "nodevice random". We toggle the default from 'charge on blindly with no entropy' to 'block indefinitely.' This default is safer, but may cause frustration. Embedded system designers using FreeBSD have several options. The most obvious is to plan to have a small writable NVRAM or NAND to persist entropy, like larger systems. Early entropy can be fed from any loader, or by writing directly to /dev/random during boot. Some embedded SoCs now provide a fast hardware entropy source; this would also work for quickly seeding Fortuna. A 3rd option would be creating an embedded-specific, more simplistic random module, like that designed by DJB in [1] (this design still requires a small rewritable media for forward secrecy). Finally, the least preferred option might be "nodevice random", although I plan to remove this in a subsequent revision. To help developers emulate the behavior of these embedded systems on ordinary workstations, the tunable kern.random.block_seeded_status was added. When set to 1, it blocks the random device. I attempted to document this change in random.4 and random.9 and ran into a bunch of out-of-date or irrelevant or inaccurate content and ended up rototilling those documents more than I intended to. Sorry. I think they're in a better state now. PR: 230875 Reviewed by: delphij, markm (earlier version) Approved by: secteam(delphij), devrandom(markm) Relnotes: yes Differential Revision: https://reviews.freebsd.org/D19744
|
#
4ee7d3b0 |
|
22-Mar-2019 |
Marcin Wojtas <mw@FreeBSD.org> |
Allow using TPM as entropy source. TPM has a built-in RNG, with its own entropy source. The driver was extended to harvest 16 random bytes from TPM every 10 seconds. A new build option "TPM_HARVEST" was introduced - for now, however, it is not enabled by default in the GENERIC config. Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: markm, delphij Approved by: secteam Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19620
|
#
1fa054c1 |
|
24-Dec-2018 |
Conrad Meyer <cem@FreeBSD.org> |
Enable sys/random.h #include from C++ And bump __FreeBSD_version, just in case. PR: 234180 Submitted by: Ralf van der Enden <tremere AT cainites.net> MFC after: 5 days
|
#
37136b84 |
|
27-Oct-2018 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Match enabled sources mask to build options r287023 and r334450 added build option mechanisms to permanently disable spammy and/or low quality entropy sources. Follow-up those changes by updating the 'enabled' sources mask to match. When sources are compile-time disabled, represent them as disabled in the source mask, and prevent users from modifying that, like pure sources. (Modifying the mask bit would have no effect, but users might think it did if it was not prevented.) Mostly a cosmetic change. Reviewed by: markm Approved by: secteam (gordon) X-MFC-With: 334450 Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D17252
|
#
b0dee75e |
|
20-Oct-2018 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Translate a comment requirement into a compile-time invariant In various places, random represents the set of sources as a 32-bit word bitmask. It assumes all sources fit within this, i.e., the maximum valid source number is 31. There was a comment specifying this limitation, but we can actually refuse to compile if our assumption is violated instead. We still have a few spare random source slots, but sooner or later someone may need to convert the masks used from raw 32-bit words to bitset(9) APIs. This prevents some kinds of developer foot-shooting when adding new random sources. No functional change. Reviewed by: delphij, markm Approved by: secteam (delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D16982
|
#
19fa89e9 |
|
25-Aug-2018 |
Mark Murray <markm@FreeBSD.org> |
Remove the Yarrow PRNG algorithm option in accordance with due notice given in random(4). This includes updating of the relevant man pages, and no-longer-used harvesting parameters. Ensure that the pseudo-unit-test still does something useful, now also with the "other" algorithm instead of Yarrow. PR: 230870 Reviewed by: cem Approved by: so(delphij,gtetlow) Approved by: re(marius) Differential Revision: https://reviews.freebsd.org/D16898
|
#
b14959da |
|
16-Aug-2018 |
Justin Hibbits <jhibbits@FreeBSD.org> |
random: Add PowerPC 'darn' instruction entropy source Summary: PowerISA 3.0 adds a 'darn' instruction to "deliver a random number". This driver was modeled after (rather, copied and gutted of) the Ivy Bridge rdrand driver. This uses the "Conditional Random Number" behavior to remove input bias. From the ISA reference the 'darn' instruction, and the random number generator backing it, conforms to the NIST SP800-90B and SP800-90C standards, compliant to the extent possible at the time the hardware was designed, and guarantees a minimum 0.5 bits of entropy per bit returned. Reviewed By: markm, secteam (delphij) Approved by: secteam (delphij) Differential Revision: https://reviews.freebsd.org/D16552
|
#
a6bc59f2 |
|
31-May-2018 |
Matt Macy <mmacy@FreeBSD.org> |
Reduce overhead of entropy collection - move harvest mask check inline - move harvest mask to frequently_read out of actively modified cache line - disable ether_input collection and describe its limitations in NOTES Typically entropy collection in ether_input was stirring zero in to the entropy pool while at the same time greatly reducing max pps. This indicates that perhaps we should more closely scrutinize how much entropy we're getting from a given source as well as what our actual entropy collection needs are for seeding Yarrow. Reviewed by: cem, gallatin, delphij Approved by: secteam Differential Revision: https://reviews.freebsd.org/D15526
|
#
e9ac2743 |
|
20-Mar-2018 |
Conrad Meyer <cem@FreeBSD.org> |
Implement getrandom(2) and getentropy(3) The general idea here is to provide userspace programs with well-defined sources of entropy, in a fashion that doesn't require opening a new file descriptor (ulimits) or accessing paths (/dev/urandom may be restricted by chroot or capsicum). getrandom(2) is the more general API, and comes from the Linux world. Since our urandom and random devices are identical, the GRND_RANDOM flag is ignored. getentropy(3) is added as a compatibility shim for the OpenBSD API. truss(1) support is included. Tests for both system calls are provided. Coverage is believed to be at least as comprehensive as LTP getrandom(2) test coverage. Additionally, instructions for running the LTP tests directly against FreeBSD are provided in the "Test Plan" section of the Differential revision linked below. (They pass, of course.) PR: 194204 Reported by: David CARLIER <david.carlier AT hardenedbsd.org> Discussed with: cperciva, delphij, jhb, markj Relnotes: maybe Differential Revision: https://reviews.freebsd.org/D14500
|
#
e1700905 |
|
15-Jan-2018 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Add CCP random source definitions The implementation will follow (D12723). For now, get the changes to commit-protected files out of the way. Approved by: secteam (gordon) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D13925
|
#
c4e20cad |
|
27-Nov-2017 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
sys/sys: further adoption of SPDX licensing ID tags. Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task. The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, superceed or replace the license texts.
|
#
095db7e6 |
|
07-Oct-2017 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Gather entropy from Pure sources At initialization, hc_source_mask only includes non-Pure sources. The patch changes source registration to enable the registered source in the hc_source_mask bitmask. This mask governs which sources are harvested. This patch also disallows userspace from disabling such sources. PR: 222807 Submitted by: W. Dean Freeman <badfilemagic AT gmail.com> Reviewed by: jmg (earlier version), delphij Approved by: secteam (delphij) Obtained from: HBSD 0054e3e170e083811acc9f3b637f8be8a86c03e7 Security: yes Differential Revision: https://reviews.freebsd.org/D12611
|
#
f04c11c3 |
|
07-Oct-2017 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Add missing source descriptions Add source descriptions missed in r260847, r303035. While here, convert the array to C99 initializers. Reviewed by: delphij Approved by: secteam (delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D12618
|
#
150890b0 |
|
16-Apr-2017 |
Mark Murray <markm@FreeBSD.org> |
Replace the RC4 algorithm for generating in-kernel secure random numbers with Chacha20. Keep the API, though, as that is what the other *BSD's have done. Use the boot-time entropy stash (if present) to bootstrap the in-kernel entropy source. Reviewed by: delphij,rwatson Approved by: so(delphij) MFC after: 2 months Relnotes: yes Differential Revision: https://reviews.freebsd.org/D10048
|
#
a1acc06f |
|
19-Jul-2016 |
Mark Murray <markm@FreeBSD.org> |
Random bit generator (RBG) driver for RPi and RPi2. Summary: This driver supports the following methods to trigger gathering random bits from the hardware: 1. interrupt when the FIFO is full (default) fed into the harvest queue 2. callout (when BCM2835_RNG_USE_CALLOUT is defined) every second if hz is less than 100, otherwise hz / 100, feeding the random bits into the harvest queue If the kernel is booted with verbose enabled, the contents of the registers will be dumped after the RBG is started during the attach routine. Author: hackagadget_gmail.com (Stephen J. Kiernan) Test Plan: Built RPI2 kernel and booted on board. Tested the different methods to feed the harvest queue (callout, interrupt) and the interrupt driven approach seems best. However, keeping the other method for people to be able to experiment with. Reviewed By: adrian, delphij, markm Differential Revision: https://reviews.freebsd.org/D6888
|
#
7afd9bf0 |
|
08-Sep-2015 |
Enji Cooper <ngie@FreeBSD.org> |
Remove opt_random.h header pollution from sys/random.h by moving RANDOM_LOADABLE and RANDOM_YARROW's definitions from opt_random.h to opt_global.h This unbreaks `make depend` in sys/modules with multiple drivers (tmpfs, etc) after r286839 X-MFC with: r286839 Reviewed by: imp Submitted by: lwhsu Differential Revision: D3486
|
#
e866d8f0 |
|
21-Aug-2015 |
Mark Murray <markm@FreeBSD.org> |
Make the UMA harvesting go away completely if not wanted. Default to "not wanted". Provide and document the RANDOM_ENABLE_UMA option. Change RANDOM_FAST to RANDOM_UMA to clarify the harvesting. Remove RANDOM_DEBUG option, replace with SDT probes. These will be of use to folks measuring the harvesting effect when deciding whether to use RANDOM_ENABLE_UMA. Requested by: scottl and others. Approved by: so (/dev/random blanket) Differential Revision: https://reviews.freebsd.org/D3197
|
#
646041a8 |
|
17-Aug-2015 |
Mark Murray <markm@FreeBSD.org> |
Add DEV_RANDOM pseudo-option and use it to "include out" random(4) if desired. Retire randomdev_none.c and introduce random_infra.c for resident infrastructure. Completely stub out random(4) calls in the "without DEV_RANDOM" case. Add RANDOM_LOADABLE option to allow loadable Yarrow/Fortuna/LocallyWritten algorithm. Add a skeleton "other" algorithm framework for folks to add their own processing code. NIST, anyone? Retire the RANDOM_DUMMY option. Build modules for Yarrow, Fortuna and "other". Use atomics for the live entropy rate-tracking. Convert ints to bools for the 'seeded' logic. Move _write() function from the algorithm-specific areas to randomdev.c Get rid of reseed() function - it is unused. Tidy up the opt_*.h includes. Update documentation for random(4) modules. Fix test program (reviewers, please leave this). Differential Revision: https://reviews.freebsd.org/D3354 Reviewed by: wblock,delphij,jmg,bjk Approved by: so (/dev/random blanket)
|
#
707d98fe |
|
14-Jul-2015 |
Ed Schouten <ed@FreeBSD.org> |
Implement the CloudABI random_get() system call. The random_get() system call works similar to getentropy()/getrandom() on OpenBSD/Linux. It fills a buffer with random data. This change introduces a new function, read_random_uio(), that is used to implement read() on the random devices. We can call into this function from within the CloudABI compatibility layer. Approved by: secteam Reviewed by: jmg, markm, wblock Obtained from: https://github.com/NuxiNL/freebsd Differential Revision: https://reviews.freebsd.org/D3053
|
#
d1b06863 |
|
30-Jun-2015 |
Mark Murray <markm@FreeBSD.org> |
Huge cleanup of random(4) code. * GENERAL - Update copyright. - Make kernel options for RANDOM_YARROW and RANDOM_DUMMY. Set neither to ON, which means we want Fortuna - If there is no 'device random' in the kernel, there will be NO random(4) device in the kernel, and the KERN_ARND sysctl will return nothing. With RANDOM_DUMMY there will be a random(4) that always blocks. - Repair kern.arandom (KERN_ARND sysctl). The old version went through arc4random(9) and was a bit weird. - Adjust arc4random stirring a bit - the existing code looks a little suspect. - Fix the nasty pre- and post-read overloading by providing explictit functions to do these tasks. - Redo read_random(9) so as to duplicate random(4)'s read internals. This makes it a first-class citizen rather than a hack. - Move stuff out of locked regions when it does not need to be there. - Trim RANDOM_DEBUG printfs. Some are excess to requirement, some behind boot verbose. - Use SYSINIT to sequence the startup. - Fix init/deinit sysctl stuff. - Make relevant sysctls also tunables. - Add different harvesting "styles" to allow for different requirements (direct, queue, fast). - Add harvesting of FFS atime events. This needs to be checked for weighing down the FS code. - Add harvesting of slab allocator events. This needs to be checked for weighing down the allocator code. - Fix the random(9) manpage. - Loadable modules are not present for now. These will be re-engineered when the dust settles. - Use macros for locks. - Fix comments. * src/share/man/... - Update the man pages. * src/etc/... - The startup/shutdown work is done in D2924. * src/UPDATING - Add UPDATING announcement. * src/sys/dev/random/build.sh - Add copyright. - Add libz for unit tests. * src/sys/dev/random/dummy.c - Remove; no longer needed. Functionality incorporated into randomdev.*. * live_entropy_sources.c live_entropy_sources.h - Remove; content moved. - move content to randomdev.[ch] and optimise. * src/sys/dev/random/random_adaptors.c src/sys/dev/random/random_adaptors.h - Remove; plugability is no longer used. Compile-time algorithm selection is the way to go. * src/sys/dev/random/random_harvestq.c src/sys/dev/random/random_harvestq.h - Add early (re)boot-time randomness caching. * src/sys/dev/random/randomdev_soft.c src/sys/dev/random/randomdev_soft.h - Remove; no longer needed. * src/sys/dev/random/uint128.h - Provide a fake uint128_t; if a real one ever arrived, we can use that instead. All that is needed here is N=0, N++, N==0, and some localised trickery is used to manufacture a 128-bit 0ULLL. * src/sys/dev/random/unit_test.c src/sys/dev/random/unit_test.h - Improve unit tests; previously the testing human needed clairvoyance; now the test will do a basic check of compressibility. Clairvoyant talent is still a good idea. - This is still a long way off a proper unit test. * src/sys/dev/random/fortuna.c src/sys/dev/random/fortuna.h - Improve messy union to just uint128_t. - Remove unneeded 'static struct fortuna_start_cache'. - Tighten up up arithmetic. - Provide a method to allow eternal junk to be introduced; harden it against blatant by compress/hashing. - Assert that locks are held correctly. - Fix the nasty pre- and post-read overloading by providing explictit functions to do these tasks. - Turn into self-sufficient module (no longer requires randomdev_soft.[ch]) * src/sys/dev/random/yarrow.c src/sys/dev/random/yarrow.h - Improve messy union to just uint128_t. - Remove unneeded 'staic struct start_cache'. - Tighten up up arithmetic. - Provide a method to allow eternal junk to be introduced; harden it against blatant by compress/hashing. - Assert that locks are held correctly. - Fix the nasty pre- and post-read overloading by providing explictit functions to do these tasks. - Turn into self-sufficient module (no longer requires randomdev_soft.[ch]) - Fix some magic numbers elsewhere used as FAST and SLOW. Differential Revision: https://reviews.freebsd.org/D2025 Reviewed by: vsevolod,delphij,rwatson,trasz,jmg Approved by: so (delphij)
|
#
10cb2424 |
|
30-Oct-2014 |
Mark Murray <markm@FreeBSD.org> |
This is the much-discussed major upgrade to the random(4) device, known to you all as /dev/random. This code has had an extensive rewrite and a good series of reviews, both by the author and other parties. This means a lot of code has been simplified. Pluggable structures for high-rate entropy generators are available, and it is most definitely not the case that /dev/random can be driven by only a hardware souce any more. This has been designed out of the device. Hardware sources are stirred into the CSPRNG (Yarrow, Fortuna) like any other entropy source. Pluggable modules may be written by third parties for additional sources. The harvesting structures and consequently the locking have been simplified. Entropy harvesting is done in a more general way (the documentation for this will follow). There is some GREAT entropy to be had in the UMA allocator, but it is disabled for now as messing with that is likely to annoy many people. The venerable (but effective) Yarrow algorithm, which is no longer supported by its authors now has an alternative, Fortuna. For now, Yarrow is retained as the default algorithm, but this may be changed using a kernel option. It is intended to make Fortuna the default algorithm for 11.0. Interested parties are encouraged to read ISBN 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and Kohno for Fortuna's gory details. Heck, read it anyway. Many thanks to Arthur Mesh who did early grunt work, and who got caught in the crossfire rather more than he deserved to. My thanks also to folks who helped me thresh this out on whiteboards and in the odd "Hallway track", or otherwise. My Nomex pants are on. Let the feedback commence! Reviewed by: trasz,des(partial),imp(partial?),rwatson(partial?) Approved by: so(des)
|
#
10c40180 |
|
17-Jan-2014 |
Bryan Venteicher <bryanv@FreeBSD.org> |
Add very simple virtio_random(4) driver to harvest entropy from host Reviewed by: markm (random bits only)
|
#
a09968c4 |
|
01-Nov-2013 |
Adrian Chadd <adrian@FreeBSD.org> |
Convert the random entropy harvesting code to use a const void * pointer rather than just void *. Then, as part of this, convert a couple of mbuf m->m_data accesses to mtod(m, const void *). Reviewed by: markm Approved by: security-officer (delphij) Sponsored by: Netflix, Inc.
|
#
69160622 |
|
09-Oct-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Define RANDOM_PURE_RNDTEST for rndtest(4).
|
#
8cc20a46 |
|
08-Oct-2013 |
Mark Murray <markm@FreeBSD.org> |
Make a mildly sylistic change to the order of sources in this enum.
|
#
db3fcaf9 |
|
08-Oct-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add YARROW_RNG and FORTUNA_RNG to sys/conf/options. Add a SYSINIT that forces a reseed during proc0 setup, which happens fairly late in the boot process. Add a RANDOM_DEBUG option which enables some debugging printf()s. Add a new RANDOM_ATTACH entropy source which harvests entropy from the get_cyclecount() delta across each call to a device attach method.
|
#
1a3c1f06 |
|
06-Oct-2013 |
Mark Murray <markm@FreeBSD.org> |
Snapshot. Looking pretty good; this mostly works now. New code includes: * Read cached entropy at startup, both from files and from loader(8) preloaded entropy. Failures are soft, but announced. Untested. * Use EVENTHANDLER to do above just before we go multiuser. Untested.
|
#
f02e47dc |
|
04-Oct-2013 |
Mark Murray <markm@FreeBSD.org> |
Snapshot. This passes the build test, but has not yet been finished or debugged. Contains: * Refactor the hardware RNG CPU instruction sources to feed into the software mixer. This is unfinished. The actual harvesting needs to be sorted out. Modified by me (see below). * Remove 'frac' parameter from random_harvest(). This was never used and adds extra code for no good reason. * Remove device write entropy harvesting. This provided a weak attack vector, was not very good at bootstrapping the device. To follow will be a replacement explicit reseed knob. * Separate out all the RANDOM_PURE sources into separate harvest entities. This adds some secuity in the case where more than one is present. * Review all the code and fix anything obviously messy or inconsistent. Address som review concerns while I'm here, like rename the pseudo-rng to 'dummy'. Submitted by: Arthur Mesh <arthurmesh@gmail.com> (the first item)
|
#
c495c935 |
|
26-Aug-2013 |
Mark Murray <markm@FreeBSD.org> |
Snapshot; Do some running repairs on entropy harvesting. More needs to follow.
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
a9befd40 |
|
12-Oct-2004 |
Robert Watson <rwatson@FreeBSD.org> |
Add a note ahea of the esource enum that if new entropy source categories are added, the set of entropy source assertions in the harvesting code also need to be updated.
|
#
9b53341f |
|
04-Oct-2002 |
Sam Leffler <sam@FreeBSD.org> |
add RANDOM_PURE for use by crypto drivers that harvest data from h/w RNG's
|
#
4a7cdfd7 |
|
03-Mar-2002 |
Mark Murray <markm@FreeBSD.org> |
Provide infrastructure for harvesting SWI entropy.
|
#
e1199601 |
|
03-Mar-2002 |
Mark Murray <markm@FreeBSD.org> |
Massive lint-inspired cleanup. Remove unneeded includes. Deal with unused function arguments. Resolve a boatload of signed/unsigned imcompatabilities. Etc.
|
#
14636c3b |
|
18-Feb-2001 |
Mark Murray <markm@FreeBSD.org> |
Provide the infrastructure for sysadmins to select the broad class of entropy harvesting they wish to perform: "ethernet" (LAN), point-to-point and interrupt.
|
#
89c2809e |
|
25-Nov-2000 |
Mark Murray <markm@FreeBSD.org> |
Add a constant for the (to be committed at a later time) irq-entropy harvester.
|
#
d0d51934 |
|
12-Sep-2000 |
Mark Murray <markm@FreeBSD.org> |
The "struct proc" argument to read_random was ill-conceived, and a hangover from previous experimentation. Remove it. This will clean up gratuitous needs for forward references and other namespace pollution. Moaned about by: bde Brought to my attention by: bp
|
#
72ece4ad |
|
11-Sep-2000 |
John Baldwin <jhb@FreeBSD.org> |
Forward declare 'struct proc'. Requested by: bde
|
#
4d87a031 |
|
10-Sep-2000 |
Mark Murray <markm@FreeBSD.org> |
Large upgrade to the entropy device; mainly inspired by feedback from many folk. o The reseed process is now a kthread. With SMPng, kthreads are pre-emptive, so the annoying jerkiness of the mouse is gone. o The data structures are protected by mutexes now, not splfoo()/splx(). o The cryptographic routines are broken out into their own subroutines. this facilitates review, and possible replacement if that is ever found necessary. Thanks to: kris, green, peter, jasone, grog, jhb Forgotten to thank: You know who you are; no offense intended.
|
#
7aa4389a |
|
25-Jul-2000 |
Mark Murray <markm@FreeBSD.org> |
o Fix a horrible bug where small reads (< 8 bytes) would return the wrong bytes. o Improve the public interface; use void* instead of char* or u_int64_t to pass arbitrary data around. Submitted by: kris ("horrible bug")
|
#
c90a8fc9 |
|
23-Jul-2000 |
Mark Murray <markm@FreeBSD.org> |
Clean this up with some BDE-inspired fixes. o Make the comments KNF-compliant. o Use nanotime instead of getnanotime; the manpage lies about the kern.timecounter.method - it has been removed. o Fix the ENTROPYSOURCE const permanently. o Make variable names more consistent. o Make function prototypes more consistent. Some more needs to be done; to follow.
|
#
720a3741 |
|
16-Jul-2000 |
Mark Murray <markm@FreeBSD.org> |
Add randomness write functionality. This does absolutely nothing for entropy estimation, but causes an immediate reseed after the input (read in sizeof(u_int64_t) chunks) is "harvested". This will be used in the reboot "reseeder", coming in another commit. This can be used very effectively at any time you think your randomness is compromised; something like # (ps -gauxwww; netstat -an; dmesg; vmstat -c10 1) > /dev/random will give the attacker something to think about.
|
#
585ebe2b |
|
09-Jul-2000 |
Mark Murray <markm@FreeBSD.org> |
Yarrow tweaks; separate the fast and slow reseed tasks so that they don't stomp on each other; provide constant names (as enums) for the harvester to use (makes it more self-documenting).
|
#
da3fb6b4 |
|
07-Jul-2000 |
Mark Murray <markm@FreeBSD.org> |
Darn; didn't commit this with the rest of the entropy gathering code.
|
#
4eeb4f04 |
|
25-Jun-2000 |
Mark Murray <markm@FreeBSD.org> |
Forgot this earlier; delete the old /dev/random driver, bring in the header for the new. Reviewed by: dfr
|
#
a3b693c9 |
|
29-Apr-2000 |
Bruce Evans <bde@FreeBSD.org> |
Updated the name of the idempotency macro to match the move of this file. Fixed a missing forward declaration.
|
#
664a31e4 |
|
28-Dec-1999 |
Peter Wemm <peter@FreeBSD.org> |
Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" is an application space macro and the applications are supposed to be free to use it as they please (but cannot). This is consistant with the other BSD's who made this change quite some time ago. More commits to come.
|
#
c3aac50f |
|
27-Aug-1999 |
Peter Wemm <peter@FreeBSD.org> |
$Id$ -> $FreeBSD$
|
#
316bbd5c |
|
21-Jun-1998 |
Bruce Evans <bde@FreeBSD.org> |
Converted add_interrupt_randomness() to take a `void *' arg. Rewrote mmioctl() to fix hundreds of style bugs and a few error handling bugs (don't check for superuser privilege for inappropriate ioctls, don't check the input arg for the output-only MEM_RETURNIRQ ioctl, and don't return EPERM for null changes).
|
#
9a2daf91 |
|
18-Jun-1998 |
Bruce Evans <bde@FreeBSD.org> |
Changed the type of an isa/general interrupt handler to take a `void *' arg. Fixed or hid most of the resulting type mismatches. Handlers can now be updated locally (except for reworking their global declarations in isa_device.h).
|
#
2eeb0e2e |
|
06-Apr-1998 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Make read_random() take a (void *) argument instead of (char *)
|
#
35b8b2dd |
|
13-Sep-1997 |
Peter Wemm <peter@FreeBSD.org> |
Update select -> poll in drivers.
|
#
4d775b77 |
|
06-Jun-1997 |
Bruce Evans <bde@FreeBSD.org> |
Removed #include of <i386/isa/isa_device.h>. inthand2_t is declared in a better place now.
|
#
6875d254 |
|
22-Feb-1997 |
Peter Wemm <peter@FreeBSD.org> |
Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not ready for it yet.
|
#
1130b656 |
|
14-Jan-1997 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Make the long-awaited change from $Id$ to $FreeBSD$ This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long. Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
|
#
ad3bbe7a |
|
27-Sep-1996 |
Peter Wemm <peter@FreeBSD.org> |
Drat, missed this prototype for random_select().
|
#
ebedb5ad |
|
21-Sep-1996 |
Bruce Evans <bde@FreeBSD.org> |
Cleaned up all headers that include <sys/ioctl.h> or <sys/ioccom.h>: - don't include <sys/ioctl.h> in any header. Include <sys/ioccom.h> instead. This was already done in 4.4Lite for the most important ioctl headers. Header spam currently increases kernel build times by 10-20%. There are more than 30000 #includes (not counting duplicates) for compiling LINT. - include <sys/types.h> if and only it is necessary to make the header almost self-sufficient (some ioctl headers still need structs from elsewhere). - uniformized idempotency ifdefs. Copied the style in the 4.4Lite ioctl headers.
|
#
1225e243 |
|
03-Sep-1996 |
Satoshi Asami <asami@FreeBSD.org> |
Second phase of merge, get rid of more machine-independent-dependencies. Get rid of pc98/pc98/pc98_device.h. Submitted by: The FreeBSD(98) Development Team
|
#
f0ea07bf |
|
17-Jun-1996 |
Bruce Evans <bde@FreeBSD.org> |
Reduced nesting of #includes in random.h and adjusted isa/random_machdep.c to match (pc98/random_machdep.c probably requires a similar change). This is a problem area for the PC98 merge - all PC98 ifdefs in <machine/*.h> are kludges to work around incorrect layering.
|
#
ad63a118 |
|
14-Jun-1996 |
Satoshi Asami <asami@FreeBSD.org> |
The Great PC98 Merge. All new code is "#ifdef PC98"ed so this should make no difference to PC/AT (and its clones) users. Ok'd by: core Submitted by: FreeBSD(98) development team
|
#
6c5e9bbd |
|
30-Jan-1996 |
Mike Pritchard <mpp@FreeBSD.org> |
Fix a bunch of spelling errors in the comment fields of a bunch of system include files.
|
#
aba89c50 |
|
29-Dec-1995 |
Mark Murray <markm@FreeBSD.org> |
1) ifdef out some unused functions (for now) 2) improve 586 support 3) add 686 support 4) clean up comments etc Submitted by: bde
|
#
6a9bf141 |
|
27-Dec-1995 |
Mark Murray <markm@FreeBSD.org> |
Clean up and make more universal. Next version of random device.
|
#
1bb2d314 |
|
28-Oct-1995 |
Mark Murray <markm@FreeBSD.org> |
Theodore Ts'po's random number gernerator for Linux, ported by me. This code will only be included in your kernel if you have 'options DEVRANDOM', but that will fall away in a couple of days. Obtained from: Theodore Ts'o, Linux
|