The poorly named uvm.h is generally supposed to be for uvm-internal
users only.
- Narrow it to files that actually need it -- mostly files that need
to query whether curlwp is the pagedaemon, which should maybe be
exposed by an external header.
- Use uvm_extern.h where feasible and uvm_*.h for things not exposed
by it. We should split up uvm_extern.h but this will serve for now
to reduce the uvm.h dependencies.
- Use uvm_stat.h and #ifdef UVMHIST uvm.h for files that use
UVMHIST(ubchist), since ubchist is declared in uvm.h but the
reference evaporates if UVMHIST is not defined, so we reduce header
file dependencies.
- Make uvm_device.h and uvm_swap.h independently includable while
here.
ok chs@
Primary goals:
1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.
Caveat: rngtest is no longer used generically for RND_TYPE_RNG
rndsources. Hardware RNG devices should have hardware-specific
health tests. For example, checking for two repeated 256-bit outputs
works to detect AMD's 2019 RDRAND bug. Not all hardware RNGs are
necessarily designed to produce exactly uniform output.
ENTROPY POOL
- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1
kludge as the cryptographic primitive.
- `Entropy depletion' is available for testing purposes with a sysctl
knob kern.entropy.depletion; otherwise it is disabled, and once the
system reaches full entropy it is assumed to stay there as far as
modern cryptography is concerned.
- No `entropy estimation' based on sample values. Such `entropy
estimation' is a contradiction in terms, dishonest to users, and a
potential source of side channels. It is the responsibility of the
driver author to study the entropy of the process that generates
the samples.
- Per-CPU gathering pools avoid contention on a global queue.
- Entropy is occasionally consolidated into global pool -- as soon as
it's ready, if we've never reached full entropy, and with a rate
limit afterward. Operators can force consolidation now by running
sysctl -w kern.entropy.consolidate=1.
- rndsink(9) API has been replaced by an epoch counter which changes
whenever entropy is consolidated into the global pool.
. Usage: Cache entropy_epoch() when you seed. If entropy_epoch()
has changed when you're about to use whatever you seeded, reseed.
. Epoch is never zero, so initialize cache to 0 if you want to reseed
on first use.
. Epoch is -1 iff we have never reached full entropy -- in other
words, the old rnd_initial_entropy is (entropy_epoch() != -1) --
but it is better if you check for changes rather than for -1, so
that if the system estimated its own entropy incorrectly, entropy
consolidation has the opportunity to prevent future compromise.
- Sysctls and event counters provide operator visibility into what's
happening:
. kern.entropy.needed - bits of entropy short of full entropy
. kern.entropy.pending - bits known to be pending in per-CPU pools,
can be consolidated with sysctl -w kern.entropy.consolidate=1
. kern.entropy.epoch - number of times consolidation has happened,
never 0, and -1 iff we have never reached full entropy
CPRNG_STRONG
- A cprng_strong instance is now a collection of per-CPU NIST
Hash_DRBGs. There are only two in the system: user_cprng for
/dev/urandom and sysctl kern.?random, and kern_cprng for kernel
users which may need to operate in interrupt context up to IPL_VM.
(Calling cprng_strong in interrupt context does not strike me as a
particularly good idea, so I added an event counter to see whether
anything actually does.)
- Event counters provide operator visibility into when reseeding
happens.
INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)
- Unwired for now; will be rewired in a subsequent commit.
Remove const from the 2nd argument.
const char ** and char ** are incompatible types and it was a cost to keep
the technically incompatible form for a more purist variation. NetBSD was
almost the last alive OS to still keep the const argument (known leftovers:
Minix and Illumos).
Keep the const form for the internal purposes inside citrus and rump.
Address the build breakage fallout in the same change.
There are no ABI changes.
Change accepted by core@.
- Interrupt-oriented system rather than thread-oriented.
- Improve stability, quality and performance.
- Split playback and record cleanly. Improve halfduplex support.
- Many bugs are fixed including deadlocks, resource leaks, abuses, etc.
- Simplify audio filter mechanism. The encoding/channels/frequency
conversions are completely handled in the upper layer. So the hard-
ware driver only converts its hardware encoding (if necessary).
- audio_hw_if changes:
- Obsoletes query_encoding and add query_format instead.
- Obsoletes set_params and add set_format instead.
- Remove drain, setfd, mappage.
- The call sequences are changed.
- ioctl AUDIO_GETFD/SETFD, AUDIO_GETCHAN/SETCHAN are obsoleted.
- ioctl AUDIO_{QUERY,GET,SET}FORMAT are introduced.
- cleanup config attributes: au*conv and mulaw.
- All hardware drivers should follow it (I've done as much as possible).
Some file paths are changed:
- dev/audio.c -> dev/audio/audio.c (rewritten)
- dev/audiovar.h -> dev/audio/audiovar.h
- dev/audio_dai.h -> dev/audio/audio_dai.h
- dev/audio_if.h -> dev/audio/audio_if.h
- dev/audiobell.c -> dev/audio/audiobell.c
- dev/audiobellvar.h -> dev/audio/audiobellvar.h
- dev/mulaw.[ch] -> dev/audio/mulaw.[ch] + dev/audio/alaw.c
this is not true for alpha, ia64 and arm32 ports, and the first two
were not building because of it, and the latter would be missing
the oabi support (likely not a big deal, but still wrong.)
add a makefile fragment that tells you if it is supported and include
it where needed to define COMPAT_NETBSD32 when building the normal
kernel (ie, modules & rump.)
fixes alpha build, probably fixes ia64 build.
XXX: still leaves some netbsd32 code in rf_netbsdkintf.c, that should
be moved into some hooks, but first the configuration setup
needs to be moved into a common function the netbsd32 code can
call into, vs living in the switch case itself.
These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.
HOWEVER! Some subsystems have
#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))
even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.
To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.
I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:
cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))
It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.
Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)
convert several raidframe ioctls to be bitsize idempotent so that
they work the same in 32 and 64 bit worlds, allowing netbsd32 to
configure and query raid properly. remove useless 'row' in a few
places. add COMPAT_80 and put the old ioctls there.
raidframeio.h:
RAIDFRAME_TEST_ACC
- remove, unused
RAIDFRAME_GET_COMPONENT_LABEL
- convert to label not pointer to label
RAIDFRAME_CHECK_RECON_STATUS_EXT
RAIDFRAME_CHECK_PARITYREWRITE_STATUS_EXT
RAIDFRAME_CHECK_COPYBACK_STATUS_EXT
- convert to progress info not pointer to info
RAIDFRAME_GET_INFO
- version entirely.
raidframevar.h:
- rf_recon_req{} has row, flags and raidPtr removed (they're
not a useful part of this interface.)
- RF_Config_s{} and RF_DeviceConfig_s{} have numRow/rows removed.
- RF_RaidDisk_s{} is re-ordered slightly to fix alignment
padding - the actual data was already OK.
- InstallSpareTable() loses row argument
rf_compat32.c has code for RF_Config_s{} in 32 bit mode, used
by RAIDFRAME_CONFIGURE and RAIDFRAME_GET_INFO32.
rf_compat80.c has code for rf_recon_req{}, RF_RaidDisk_s{} and
RF_DeviceConfig_s{} to handle RAIDFRAME_FAIL_DISK,
RAIDFRAME_GET_COMPONENT_LABEL, RAIDFRAME_CHECK_RECON_STATUS_EXT,
RAIDFRAME_CHECK_PARITYREWRITE_STATUS_EXT,
RAIDFRAME_CHECK_COPYBACK_STATUS_EXT, RAIDFRAME_GET_INFO.
move several of the per-ioctl code blocks into separate functions.
add rf_recon_req_internal{} to replace old usage of global
rf_recon_req{} that had unused void * in the structure, ruining
it's 32/64 bit ABI.
add missing case for RAIDFRAME_GET_INFO50.
adjust raid tests to use the new .conf format, and add a case to
test the old method as well.
raidctl:
deal with lack of 'row' members in a couple of places.
fail request no longer takes row.
handle "START array" sections with just "numCol numSpare", ie
no "numRow" specified. for now, generate old-style configuration
but update raidctl.8 to specify the new style (keeping reference
to the old style.)
note that: RF_ComponentLabel_s::{row,num_rows} and
RF_SingleComponent_s::row are obsolete but not removed yet.
Unclear why we have a separate xyz.ioconf for module and XYZ.ioconf
for rump component, but at least xyz_modcmd obviates the need for
xyz_component.c (though evidently the latter could have been replaced
anyway by RUMP_COMPONENT=ioconf in the rump component Makefile).
Disabled by default in x86/GENERIC and usbdevices.config pending
review and testing without rump ugenhc in the way, but enabled in
x86/ALL for compile-testing.
(Hi gson! Finally found a round tuit in my pocket, next to a certain
rectangular one.)
initialization. Instead, temporarily attach the drvctl's cdevsw to
determine its device c-major, create the /dev/drvctl node using that
c-major, and then detach. This leaves things in a state where normal
module initialization can run.
Since we're now creating the /dev/drvctl device node correctly, we don't
need to create it again. So mark the device as DEVNODE_DONTBOTHER in
the devsw_conv0 conversion table.
This bug was introduced more than a year ago (src/sys/kern/kern_drvctl.c
rev 1.40), but was silently ignored except when running a rump_server
built with LOCKDEBUG.
name (as listed in the devsw_conv[] table) to get the expected device
majors. Once rump initialization is finished (ie, it has created its
required device nodes), we need to detach the [bc]devsw so the module
initialization code doesn't get EEXIST.
(as found in the devsw_conv[] table). This will get us the "official"
major numbers for the cgd device.
After creating the rump file-space nodes for /dev/cgd* we then need to
detach the [bc]devsw's because normal module initialization will do its
own attachment, and we don't want that to fail.
While here, since we're doing the devsw_attach() twice, share the
results from the first call rather than starting from scratch.
The rump code needs to call devsw_attach() in order to assign a dev_major
for bpf; it then uses this to create rumps /dev/bpf node. Unfortunately,
this leaves the devsw attached, so when the bpf module tries to initialize
itself, it gets an EEXIST error and fails.
So, once rump has figured what the dev_major should be, call devsw_detach()
to remove the devsw. Then, when the module initialization code calls
devsw_attach() it will succeed.
If the rnd component is present, load extra initial entropy to avoid
/dev/random not being able to request it on demand. The extra initial
entropy will allow a few instances of /dev/random, but will eventually
go into the failure mode described in the PR.
this Makefile via the env.
That character is strictly speaking not allowed by POSIX in an exported
variable name, and at least dash >= 0.58 refuses to export such variables.
Furthermore, since the individual CFLAGS/CPPFLAGS/etc. variables
are not comprehensive enough for all cases (e.g. HURD), just
support the .includable version from now on, i.e.
RUMPCOMP_MAKEFILEINC_rumpdev_pci.
curious failure mode debugged by Martin Lucina
- API / infrastructure changes to support memory management changes.
- Memory management improvements and bug fixes.
- HCDs should now be MP safe
- conversion to KERNHIST based debug
- FS/LS isoc support on ehci(4).
- conversion to kmem(9)
- Some USB 3 support - mostly from Takahiro HAYASHI (t-hash).
- interrupt transfers now get proper DMA operations
- general bug fixes
- kern/48308
- uhub status notification improvements
- umass(4) probe fix (applied to HEAD already)
- ohci(4) short transfer fix
sprinkling them around the faction directories. Avoids having
to add a CPPFLAGS (or several) to pretty much every component
Makefile.
Leave compat headers around in the old locations.
The commit changes some autogenerated files, but I'll fix the
generators shortly and regen.
riastradh