| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
RANDOM_LOADABLE and RANDOM_YARROW's definitions from opt_random.h to
opt_global.h
This unbreaks `make depend` in sys/modules with multiple drivers (tmpfs, etc)
after r286839
X-MFC with: r286839
Reviewed by: imp
Submitted by: lwhsu
Differential Revision: D3486
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
wanted".
Provide and document the RANDOM_ENABLE_UMA option.
Change RANDOM_FAST to RANDOM_UMA to clarify the harvesting.
Remove RANDOM_DEBUG option, replace with SDT probes. These will be of
use to folks measuring the harvesting effect when deciding whether to
use RANDOM_ENABLE_UMA.
Requested by: scottl and others.
Approved by: so (/dev/random blanket)
Differential Revision: https://reviews.freebsd.org/D3197
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
if desired.
Retire randomdev_none.c and introduce random_infra.c for resident
infrastructure. Completely stub out random(4) calls in the "without
DEV_RANDOM" case.
Add RANDOM_LOADABLE option to allow loadable Yarrow/Fortuna/LocallyWritten
algorithm. Add a skeleton "other" algorithm framework for folks
to add their own processing code. NIST, anyone?
Retire the RANDOM_DUMMY option.
Build modules for Yarrow, Fortuna and "other".
Use atomics for the live entropy rate-tracking.
Convert ints to bools for the 'seeded' logic.
Move _write() function from the algorithm-specific areas to randomdev.c
Get rid of reseed() function - it is unused.
Tidy up the opt_*.h includes.
Update documentation for random(4) modules.
Fix test program (reviewers, please leave this).
Differential Revision: https://reviews.freebsd.org/D3354
Reviewed by: wblock,delphij,jmg,bjk
Approved by: so (/dev/random blanket)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The random_get() system call works similar to getentropy()/getrandom()
on OpenBSD/Linux. It fills a buffer with random data.
This change introduces a new function, read_random_uio(), that is used
to implement read() on the random devices. We can call into this
function from within the CloudABI compatibility layer.
Approved by: secteam
Reviewed by: jmg, markm, wblock
Obtained from: https://github.com/NuxiNL/freebsd
Differential Revision: https://reviews.freebsd.org/D3053
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* GENERAL
- Update copyright.
- Make kernel options for RANDOM_YARROW and RANDOM_DUMMY. Set
neither to ON, which means we want Fortuna
- If there is no 'device random' in the kernel, there will be NO
random(4) device in the kernel, and the KERN_ARND sysctl will
return nothing. With RANDOM_DUMMY there will be a random(4) that
always blocks.
- Repair kern.arandom (KERN_ARND sysctl). The old version went
through arc4random(9) and was a bit weird.
- Adjust arc4random stirring a bit - the existing code looks a little
suspect.
- Fix the nasty pre- and post-read overloading by providing explictit
functions to do these tasks.
- Redo read_random(9) so as to duplicate random(4)'s read internals.
This makes it a first-class citizen rather than a hack.
- Move stuff out of locked regions when it does not need to be
there.
- Trim RANDOM_DEBUG printfs. Some are excess to requirement, some
behind boot verbose.
- Use SYSINIT to sequence the startup.
- Fix init/deinit sysctl stuff.
- Make relevant sysctls also tunables.
- Add different harvesting "styles" to allow for different requirements
(direct, queue, fast).
- Add harvesting of FFS atime events. This needs to be checked for
weighing down the FS code.
- Add harvesting of slab allocator events. This needs to be checked for
weighing down the allocator code.
- Fix the random(9) manpage.
- Loadable modules are not present for now. These will be re-engineered
when the dust settles.
- Use macros for locks.
- Fix comments.
* src/share/man/...
- Update the man pages.
* src/etc/...
- The startup/shutdown work is done in D2924.
* src/UPDATING
- Add UPDATING announcement.
* src/sys/dev/random/build.sh
- Add copyright.
- Add libz for unit tests.
* src/sys/dev/random/dummy.c
- Remove; no longer needed. Functionality incorporated into randomdev.*.
* live_entropy_sources.c live_entropy_sources.h
- Remove; content moved.
- move content to randomdev.[ch] and optimise.
* src/sys/dev/random/random_adaptors.c src/sys/dev/random/random_adaptors.h
- Remove; plugability is no longer used. Compile-time algorithm
selection is the way to go.
* src/sys/dev/random/random_harvestq.c src/sys/dev/random/random_harvestq.h
- Add early (re)boot-time randomness caching.
* src/sys/dev/random/randomdev_soft.c src/sys/dev/random/randomdev_soft.h
- Remove; no longer needed.
* src/sys/dev/random/uint128.h
- Provide a fake uint128_t; if a real one ever arrived, we can use
that instead. All that is needed here is N=0, N++, N==0, and some
localised trickery is used to manufacture a 128-bit 0ULLL.
* src/sys/dev/random/unit_test.c src/sys/dev/random/unit_test.h
- Improve unit tests; previously the testing human needed clairvoyance;
now the test will do a basic check of compressibility. Clairvoyant
talent is still a good idea.
- This is still a long way off a proper unit test.
* src/sys/dev/random/fortuna.c src/sys/dev/random/fortuna.h
- Improve messy union to just uint128_t.
- Remove unneeded 'static struct fortuna_start_cache'.
- Tighten up up arithmetic.
- Provide a method to allow eternal junk to be introduced; harden
it against blatant by compress/hashing.
- Assert that locks are held correctly.
- Fix the nasty pre- and post-read overloading by providing explictit
functions to do these tasks.
- Turn into self-sufficient module (no longer requires randomdev_soft.[ch])
* src/sys/dev/random/yarrow.c src/sys/dev/random/yarrow.h
- Improve messy union to just uint128_t.
- Remove unneeded 'staic struct start_cache'.
- Tighten up up arithmetic.
- Provide a method to allow eternal junk to be introduced; harden
it against blatant by compress/hashing.
- Assert that locks are held correctly.
- Fix the nasty pre- and post-read overloading by providing explictit
functions to do these tasks.
- Turn into self-sufficient module (no longer requires randomdev_soft.[ch])
- Fix some magic numbers elsewhere used as FAST and SLOW.
Differential Revision: https://reviews.freebsd.org/D2025
Reviewed by: vsevolod,delphij,rwatson,trasz,jmg
Approved by: so (delphij)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
you all as /dev/random.
This code has had an extensive rewrite and a good series of reviews, both by the author and other parties. This means a lot of code has been simplified. Pluggable structures for high-rate entropy generators are available, and it is most definitely not the case that /dev/random can be driven by only a hardware souce any more. This has been designed out of the device. Hardware sources are stirred into the CSPRNG (Yarrow, Fortuna) like any other entropy source. Pluggable modules may be written by third parties for additional sources.
The harvesting structures and consequently the locking have been simplified. Entropy harvesting is done in a more general way (the documentation for this will follow). There is some GREAT entropy to be had in the UMA allocator, but it is disabled for now as messing with that is likely to annoy many people.
The venerable (but effective) Yarrow algorithm, which is no longer supported by its authors now has an alternative, Fortuna. For now, Yarrow is retained as the default algorithm, but this may be changed using a kernel option. It is intended to make Fortuna the default algorithm for 11.0. Interested parties are encouraged to read ISBN 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and Kohno for Fortuna's gory details. Heck, read it anyway.
Many thanks to Arthur Mesh who did early grunt work, and who got caught in the crossfire rather more than he deserved to.
My thanks also to folks who helped me thresh this out on whiteboards and in the odd "Hallway track", or otherwise.
My Nomex pants are on. Let the feedback commence!
Reviewed by: trasz,des(partial),imp(partial?),rwatson(partial?)
Approved by: so(des)
|
|
|
|
| |
Reviewed by: markm (random bits only)
|
|
|
|
|
|
|
|
|
|
|
| |
rather than just void *.
Then, as part of this, convert a couple of mbuf m->m_data accesses
to mtod(m, const void *).
Reviewed by: markm
Approved by: security-officer (delphij)
Sponsored by: Netflix, Inc.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add a SYSINIT that forces a reseed during proc0 setup, which happens
fairly late in the boot process.
Add a RANDOM_DEBUG option which enables some debugging printf()s.
Add a new RANDOM_ATTACH entropy source which harvests entropy from the
get_cyclecount() delta across each call to a device attach method.
|
|
|
|
|
|
|
|
| |
Looking pretty good; this mostly works now. New code includes:
* Read cached entropy at startup, both from files and from loader(8) preloaded entropy. Failures are soft, but announced. Untested.
* Use EVENTHANDLER to do above just before we go multiuser. Untested.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Contains:
* Refactor the hardware RNG CPU instruction sources to feed into
the software mixer. This is unfinished. The actual harvesting needs
to be sorted out. Modified by me (see below).
* Remove 'frac' parameter from random_harvest(). This was never
used and adds extra code for no good reason.
* Remove device write entropy harvesting. This provided a weak
attack vector, was not very good at bootstrapping the device. To
follow will be a replacement explicit reseed knob.
* Separate out all the RANDOM_PURE sources into separate harvest
entities. This adds some secuity in the case where more than one
is present.
* Review all the code and fix anything obviously messy or inconsistent.
Address som review concerns while I'm here, like rename the pseudo-rng
to 'dummy'.
Submitted by: Arthur Mesh <arthurmesh@gmail.com> (the first item)
|
| |
|
|
|
|
|
| |
categories are added, the set of entropy source assertions in the
harvesting code also need to be updated.
|
| |
|
| |
|
|
|
|
|
|
|
| |
Remove unneeded includes.
Deal with unused function arguments.
Resolve a boatload of signed/unsigned imcompatabilities.
Etc.
|
|
|
|
|
| |
of entropy harvesting they wish to perform: "ethernet" (LAN),
point-to-point and interrupt.
|
|
|
|
| |
harvester.
|
|
|
|
|
|
|
|
| |
hangover from previous experimentation. Remove it. This will clean
up gratuitous needs for forward references and other namespace
pollution.
Moaned about by: bde
Brought to my attention by: bp
|
|
|
|
| |
Requested by: bde
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
from many folk.
o The reseed process is now a kthread. With SMPng, kthreads are
pre-emptive, so the annoying jerkiness of the mouse is gone.
o The data structures are protected by mutexes now, not splfoo()/splx().
o The cryptographic routines are broken out into their own subroutines.
this facilitates review, and possible replacement if that is ever
found necessary.
Thanks to: kris, green, peter, jasone, grog, jhb
Forgotten to thank: You know who you are; no offense intended.
|
|
|
|
|
|
|
|
| |
wrong bytes.
o Improve the public interface; use void* instead of char* or u_int64_t
to pass arbitrary data around.
Submitted by: kris ("horrible bug")
|
|
|
|
|
|
|
|
|
|
|
| |
o Make the comments KNF-compliant.
o Use nanotime instead of getnanotime; the manpage lies about the
kern.timecounter.method - it has been removed.
o Fix the ENTROPYSOURCE const permanently.
o Make variable names more consistent.
o Make function prototypes more consistent.
Some more needs to be done; to follow.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
entropy estimation, but causes an immediate reseed after the input
(read in sizeof(u_int64_t) chunks) is "harvested".
This will be used in the reboot "reseeder", coming in another
commit. This can be used very effectively at any time you think
your randomness is compromised; something like
# (ps -gauxwww; netstat -an; dmesg; vmstat -c10 1) > /dev/random
will give the attacker something to think about.
|
|
|
|
|
| |
stomp on each other; provide constant names (as enums) for the harvester
to use (makes it more self-documenting).
|
| |
|
|
|
|
|
| |
header for the new.
Reviewed by: dfr
|
|
|
|
| |
Fixed a missing forward declaration.
|
|
|
|
|
|
| |
is an application space macro and the applications are supposed to be free
to use it as they please (but cannot). This is consistant with the other
BSD's who made this change quite some time ago. More commits to come.
|
| |
|
|
|
|
|
|
|
| |
mmioctl() to fix hundreds of style bugs and a few error handling bugs
(don't check for superuser privilege for inappropriate ioctls, don't
check the input arg for the output-only MEM_RETURNIRQ ioctl, and don't
return EPERM for null changes).
|
|
|
|
|
|
| |
`void *' arg. Fixed or hid most of the resulting type mismatches.
Handlers can now be updated locally (except for reworking their
global declarations in isa_device.h).
|
| |
|
| |
|
|
|
|
| |
better place now.
|
|
|
|
| |
ready for it yet.
|
|
|
|
|
|
|
|
| |
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- don't include <sys/ioctl.h> in any header. Include <sys/ioccom.h>
instead. This was already done in 4.4Lite for the most important
ioctl headers. Header spam currently increases kernel build
times by 10-20%. There are more than 30000 #includes (not counting
duplicates) for compiling LINT.
- include <sys/types.h> if and only it is necessary to make the header
almost self-sufficient (some ioctl headers still need structs from
elsewhere).
- uniformized idempotency ifdefs. Copied the style in the 4.4Lite
ioctl headers.
|
|
|
|
|
|
| |
Get rid of pc98/pc98/pc98_device.h.
Submitted by: The FreeBSD(98) Development Team
|
|
|
|
|
|
| |
to match (pc98/random_machdep.c probably requires a similar change). This
is a problem area for the PC98 merge - all PC98 ifdefs in <machine/*.h> are
kludges to work around incorrect layering.
|
|
|
|
|
|
|
|
| |
All new code is "#ifdef PC98"ed so this should make no difference to
PC/AT (and its clones) users.
Ok'd by: core
Submitted by: FreeBSD(98) development team
|
|
|
|
| |
a bunch of system include files.
|
|
|
|
|
|
|
| |
2) improve 586 support
3) add 686 support
4) clean up comments etc
Submitted by: bde
|
| |
|
|
This code will only be included in your kernel if you have
'options DEVRANDOM', but that will fall away in a couple of days.
Obtained from: Theodore Ts'o, Linux
|