entropy collected. It's undocumented, noone else does it and
it leads to "named" errors during boot for me.
Generally, consumers of "/dev/random" should be prepared to wait.
(The other uses of "rnd_have_entropy" look bogus to me too,
but this needs more consideration.)
to pool_init. Untouched pools are ones that either in arch-specific
code, or aren't initialiased during initial system startup.
Convert struct session, ucred and lockf to pools.
be inserted into ktrace records. The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.
Bump the kernel rev up to 1.6V
kqueue provides a stateful and efficient event notification framework
currently supported events include socket, file, directory, fifo,
pipe, tty and device changes, and monitoring of processes and signals
kqueue is supported by all writable filesystems in NetBSD tree
(with exception of Coda) and all device drivers supporting poll(2)
based on work done by Jonathan Lemon for FreeBSD
initial NetBSD port done by Luke Mewburn and Jason Thorpe
initialisation. This is just as silly as the other entropy
estimations, but it at least allows us to see how many values have
been added.
spl protect rnd_get_entropy_counter call properly
Make rndpool start out doing rotations on the first pass - make the
LSFR's be less sensitive to stuck bits in poor initial inputs.
Add considerable comments regarding the mixing function.
This merge changes the device switch tables from static array to
dynamically generated by config(8).
- All device switches is defined as a constant structure in device drivers.
- The new grammer ``device-major'' is introduced to ``files''.
device-major <prefix> char <num> [block <num>] [<rules>]
- All device major numbers must be listed up in port dependent majors.<arch>
by using this grammer.
- Added the new naming convention.
The name of the device switch must be <prefix>_[bc]devsw for auto-generation
of device switch tables.
- The backward compatibility of loading block/character device
switch by LKM framework is broken. This is necessary to convert
from block/character device major to device name in runtime and vice versa.
- The restriction to assign device major by LKM is completely removed.
We don't need to reserve LKM entries for dynamic loading of device switch.
- In compile time, device major numbers list is packed into the kernel and
the LKM framework will refer it to assign device major number dynamically.
- implement SIMPLEQ_REMOVE(head, elm, type, field). whilst it's O(n),
this mirrors the functionality of SLIST_REMOVE() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE()
- remove the unnecessary elm arg from SIMPLEQ_REMOVE_HEAD().
this mirrors the functionality of SLIST_REMOVE_HEAD() (the other
singly-linked list type) and FreeBSD's STAILQ_REMOVE_HEAD()
- remove notes about SIMPLEQ not supporting arbitrary element removal
- use SIMPLEQ_FOREACH() instead of home-grown for loops
- use SIMPLEQ_EMPTY() appropriately
- use SIMPLEQ_*() instead of accessing sqh_first,sqh_last,sqe_next directly
- reorder manual page; be consistent about how the types are listed
- other minor cleanups
deal with shortages of the VM maps where the backing pages are mapped
(usually kmem_map). Try to deal with this:
* Group all information about the backend allocator for a pool in a
separate structure. The pool references this structure, rather than
the individual fields.
* Change the pool_init() API accordingly, and adjust all callers.
* Link all pools using the same backend allocator on a list.
* The backend allocator is responsible for waiting for physical memory
to become available, but will still fail if it cannot callocate KVA
space for the pages. If this happens, carefully drain all pools using
the same backend allocator, so that some KVA space can be freed.
* Change pool_reclaim() to indicate if it actually succeeded in freeing
some pages, and use that information to make draining easier and more
efficient.
* Get rid of PR_URGENT. There was only one use of it, and it could be
dealt with by the caller.
From art@openbsd.org.
- Add comments about which spls apply to which data structures.
- Consistently protect the rnd_samples queue (the queue of
unprocessed samples) at splhigh().
- allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for
an optional higher-resolution clock/roulette wheel source.
- Collect more statistics on the pool state (keeping track of where
collected bits are going, in addition to where they came from).
- Add RNDGETPOOLSTAT ioctl to get the additional stats.
- Flush a few unused rndpool calls.
- XXX XXX Cryptographic changes:
- 32-bit rotate is:
((val << rp->rotate) | (val >> (32 - rp->rotate))),
not
(val << rp->rotate) | (val >> rp->rotate)
or
((val << rp->rotate) | (val >> (31 - rp->rotate)))
- Avoid overloading of rp->rotate and double-rotation of data
(which limited pool mixing somewhat; "rotate" never got above 7).
- Be more paranoid (but probably not paranoid enough) about mixing
output back into the pool. This is an improvement, but it needs
revisiting soon.
We should follow the spirit of some of the recommendations in
the Schneier PRNG papers:
http://www.counterpane.com/yarrow-notes.htmlhttp://www.counterpane.com/pseudorandom_number.html
including:
- two (or more) stage operation for better isolation between inputs
and outputs.
- use of keyed one-way functions (probably better even than
invertible keyed functions like 3DES) at key points in the data flow,
so that breaking the PRNG is clearly as hard as breaking the function.
timeout()/untimeout() API:
- Clients supply callout handle storage, thus eliminating problems of
resource allocation.
- Insertion and removal of callouts is constant time, important as
this facility is used quite a lot in the kernel.
The old timeout()/untimeout() API has been removed from the kernel.
(1) remove unused and probably bad (from an API POV) ioctls,
(2) split tyfl into type and flags,
(3) collect an array of samples, and add them all at once. Soon, this
will be using gzip to estimate the entropy, but for now the original
estimation methods are still used.
(4) kill rnd_add_data() -- it compliated the API for little benefit
release the first 96 bits of the hash directly rather than by folding.
The full 160 bit hash is mixed back into the entropy pool. This keeps
64 bits secret to stir the pool with.
splsoftclock() instead. This is done with an event queue of raw data,
and the entropy calculation etc. is done at splsoftclock().
o Use a private entropy pool rather than the global one defined in
rndpool.c. That global will probably go away, eventually.
pseudo-device rnd # /dev/random and in-kernel generator
in config files.
o Add declaration to all architectures.
o Clean up copyright message in rnd.c, rnd.h, and rndpool.c to include
that this code is derived in part from Ted Tyso's linux code.
but do not assume any entopy is gathered. It can be enabled using an
IOCTL again if the user desires.
Note that the mix function uses xor, so at worse an attacker can twiddle
bits in the pool, but not into a known state assuming it started as
an unknown.