Primary goals:
1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.
Caveat: rngtest is no longer used generically for RND_TYPE_RNG
rndsources. Hardware RNG devices should have hardware-specific
health tests. For example, checking for two repeated 256-bit outputs
works to detect AMD's 2019 RDRAND bug. Not all hardware RNGs are
necessarily designed to produce exactly uniform output.
ENTROPY POOL
- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1
kludge as the cryptographic primitive.
- `Entropy depletion' is available for testing purposes with a sysctl
knob kern.entropy.depletion; otherwise it is disabled, and once the
system reaches full entropy it is assumed to stay there as far as
modern cryptography is concerned.
- No `entropy estimation' based on sample values. Such `entropy
estimation' is a contradiction in terms, dishonest to users, and a
potential source of side channels. It is the responsibility of the
driver author to study the entropy of the process that generates
the samples.
- Per-CPU gathering pools avoid contention on a global queue.
- Entropy is occasionally consolidated into the global pool -- as soon as
it's ready, if we've never reached full entropy, and with a rate
limit afterward. Operators can force consolidation now by running
sysctl -w kern.entropy.consolidate=1.
- rndsink(9) API has been replaced by an epoch counter which changes
whenever entropy is consolidated into the global pool.
. Usage: Cache entropy_epoch() when you seed. If entropy_epoch()
has changed when you're about to use whatever you seeded, reseed.
. Epoch is never zero, so initialize cache to 0 if you want to reseed
on first use.
. Epoch is -1 iff we have never reached full entropy -- in other
words, the old rnd_initial_entropy is (entropy_epoch() != -1) --
but it is better if you check for changes rather than for -1, so
that if the system estimated its own entropy incorrectly, entropy
consolidation has the opportunity to prevent future compromise.
- Sysctls and event counters provide operator visibility into what's
happening:
. kern.entropy.needed - bits of entropy short of full entropy
. kern.entropy.pending - bits known to be pending in per-CPU pools,
can be consolidated with sysctl -w kern.entropy.consolidate=1
. kern.entropy.epoch - number of times consolidation has happened,
never 0, and -1 iff we have never reached full entropy
CPRNG_STRONG
- A cprng_strong instance is now a collection of per-CPU NIST
Hash_DRBGs. There are only two in the system: user_cprng for
/dev/urandom and sysctl kern.?random, and kern_cprng for kernel
users which may need to operate in interrupt context up to IPL_VM.
(Calling cprng_strong in interrupt context does not strike me as a
particularly good idea, so I added an event counter to see whether
anything actually does.)
- Event counters provide operator visibility into when reseeding
happens.
INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)
- Unwired for now; will be rewired in a subsequent commit.
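The epoch-caching protocol described above (cache entropy_epoch() when you seed, reseed when it changes, initialize the cache to 0 to force a reseed on first use, and compare for change rather than for -1) is short enough to show end to end. The following is an added, stand-alone userland illustration, not NetBSD kernel code: entropy_epoch(), mock_consolidate() and mock_full_entropy are mocks of kernel state, and my_drbg_* is a constructed consumer whose generator is a placeholder, not a real DRBG. Only the consumer's handling of the epoch is the point.

```c
/*
 * Added example (not NetBSD code): a userland mock of the entropy_epoch()
 * reseed protocol.  Kernel state is simulated; only the consumer's use of
 * the epoch (my_drbg_*) demonstrates the protocol.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mock of the kernel epoch: -1 until full entropy is reached, then a
 * count of consolidations that is never 0. */
static unsigned mock_epoch = (unsigned)-1;
static bool mock_full_entropy = false;	/* mock: has the system reached full entropy? */

static unsigned
entropy_epoch(void)
{
	return mock_epoch;
}

/* Mock consolidation.  Before full entropy the epoch stays -1; after it,
 * every consolidation bumps the epoch, skipping 0 on wraparound so a
 * consumer whose cached epoch is 0 always reseeds on first use. */
static void
mock_consolidate(void)
{
	if (!mock_full_entropy)
		return;
	if (mock_epoch == (unsigned)-1)
		mock_epoch = 1;
	else if (++mock_epoch == 0)
		mock_epoch = 1;
}

struct my_drbg {
	unsigned seeded_epoch;	/* epoch at last reseed; 0 = never seeded */
	uint64_t state;		/* placeholder generator state */
	unsigned reseeds;	/* how often we reseeded (for the test) */
};

static void
my_drbg_init(struct my_drbg *d)
{
	d->seeded_epoch = 0;	/* epoch is never 0, so the first use reseeds */
	d->state = 0;
	d->reseeds = 0;
}

static void
my_drbg_reseed(struct my_drbg *d)
{
	/* Constructed stand-in for pulling fresh seed material. */
	d->state ^= 0x9e3779b97f4a7c15ULL;
	d->reseeds++;
	d->seeded_epoch = entropy_epoch();	/* cache the epoch we seeded under */
}

/* Generate one output; returns true if this call had to reseed first.
 * The check is "epoch changed since we seeded", not "epoch != -1". */
static bool
my_drbg_generate(struct my_drbg *d, uint64_t *out)
{
	bool reseeded = false;

	if (entropy_epoch() != d->seeded_epoch) {
		my_drbg_reseed(d);
		reseeded = true;
	}
	/* splitmix64 step: a placeholder generator, not a DRBG. */
	d->state += 0x9e3779b97f4a7c15ULL;
	uint64_t z = d->state;
	z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
	z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
	*out = z ^ (z >> 31);
	return reseeded;
}

/* Walk the scenario: seed while still short of full entropy, stay seeded
 * while the epoch is unchanged, reseed once consolidation after full
 * entropy moves the epoch.  Returns the total number of reseeds (3). */
static unsigned
run_scenario(void)
{
	struct my_drbg d;
	uint64_t x;

	my_drbg_init(&d);
	my_drbg_generate(&d, &x);	/* epoch -1 != cached 0: reseed #1 */
	my_drbg_generate(&d, &x);	/* epoch unchanged: no reseed */
	mock_consolidate();		/* not yet full entropy: epoch stays -1 */
	my_drbg_generate(&d, &x);	/* still unchanged: no reseed */
	mock_full_entropy = true;
	mock_consolidate();		/* epoch becomes 1 */
	my_drbg_generate(&d, &x);	/* changed: reseed #2 */
	mock_consolidate();		/* e.g. operator ran sysctl -w kern.entropy.consolidate=1 */
	my_drbg_generate(&d, &x);	/* changed again: reseed #3 */
	return d.reseeds;
}

int
main(void)
{
	printf("reseeds in scenario: %u\n", run_scenario());
	return 0;
}
```

Note that a consumer which checked `entropy_epoch() != -1` instead would have kept using its first, pre-full-entropy seed after the epoch moved to 1, which is exactly the case the text says consolidation is meant to recover from.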
kernel and bootloader for 68010.
They require a special calling convention to udivsi3, and cannot be
mixed with normal routines provided by libgcc or compiler_rt. There is
no problem, though, with using them in a controlled situation, i.e., kernel
and standalone programs.
Note that this does not affect m68k ports other than sun2 at all, since
code generated by gcc does not call these routines.
Assembler files are moved from common/lib/libc/arch/m68k/gen to
sys/lib/libkern/arch/m68k in order not to be compiled in libc.
Revert hack introduced to lib/libc/compiler_rt/Makefile.inc rev 1.37:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/compiler_rt/Makefile.inc#rev1.37
Proposed on port-sun2@ with no response...
(Again, this does not affect m68k ports other than sun2.)
http://mail-index.netbsd.org/port-sun2/2020/03/10/msg000102.html
- radix_tree_insert_node(): if the insert failed due to ENOMEM, roll back
any updates made to the tree.
- radix_tree_grow(): either succeed or fail, never make partial adjustments
to the tree.
- radix_tree_await_memory(): allocate & free the maximum possible number of
nodes required by any insertion.
This enables us to load modules that depend on __ffssi2.
It is difficult to deal with weak symbols consistently in the in-kernel
linker. See explanation by pgoyette on tech-kern:
http://mail-index.netbsd.org/tech-kern/2020/03/09/msg026148.html
Also, we do not currently provide ffs(9) as a kernel routine.
Cherry-pick from FreeBSD:
From 7c1bc5ffc2fa68ddc76e5ea8a3a1a6fdfeee57f0 Mon Sep 17 00:00:00 2001
From: andrew <andrew@FreeBSD.org>
Date: Tue, 28 May 2019 09:12:15 +0000
Subject: [PATCH] Teach the kernel KUBSAN runtime about alignment_assumption
This checks that the alignment of a given pointer is sufficient for the
requested alignment. This fixes the build with a recent
llvm/clang.
Sponsored by: DARPA, AFRL
common/lib/libc/stdlib/random.c:482:6 can result in signed integer overflow.
This bug was reported by UBSan runs.
The change has been tested using the following program to generate random numbers
in both the old and the new library, which can be used to verify the correctness of the
library after the change.
#include <stdio.h>
#include <stdlib.h>

#define COUNT (1000 * 1000)

int
main(void)
{
	int i;
	FILE *fp = fopen("numbers.txt", "w");

	if (fp == NULL) {
		perror("numbers.txt");
		return 1;
	}
	/* Fixed seed so the old and new library outputs can be compared. */
	srandom(0xdeadbeef);
	for (i = 0; i < COUNT; i++)
		fprintf(fp, "%ld\n", random());
	fclose(fp);
	return 0;
}
Reviewed by: riastradh@, kamil@
This increases the cache groups from 15 to 63 items in order
to reduce traffic between pool cache layers.
This is the same as for other highly frequented pool caches such as the pvpool and anonpool.
uniformly use 'j' in the user-provided formatting strings instead
of depending on _LP64 to use 'll' or 'l' (and the PRI macros). The
alternative is to parse the printf format manually to determine
which modifier to apply which would make this transparent to the
user (they could still always use '%u' or '%x'), but that's too
painful.
need a non-zero check, substitute with a deterministic bitwise OR of all
values in the node. The structure then becomes cache line aligned.
For each node we now need only touch 2 cache lines instead of 3, which makes
all the operations faster (measured), amortises the cost of not having a
counter, and will avoid intra-pool-page false sharing on MP.
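To make the "OR of all values instead of a counter" idea concrete, here is an added illustration that is not NetBSD's radix tree code: a fixed-size node with no occupancy count, an emptiness test that ORs every slot, and a comparison of the cache lines the struct spans with and without a counter field. NODE_SLOTS = 16 and the 64-byte cache line are assumptions chosen so the pointer-only node is exactly two lines on a 64-bit system.

```c
/*
 * Added example (not NetBSD code): a node that keeps no occupancy counter
 * and answers "is this node empty?" with a deterministic bitwise OR over
 * all slots.  Slot count and cache line size are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NODE_SLOTS	16	/* assumption: 16 slots = 128 bytes with 8-byte pointers */
#define CACHE_LINE	64	/* assumption: 64-byte cache line */

/* Counter-free node: only the slot array, so sizeof is a whole number of lines. */
struct node {
	void *slots[NODE_SLOTS];
};

/* The alternative this replaces: the same slots plus a count to keep in sync.
 * The extra field pushes the struct over a cache line boundary. */
struct node_with_count {
	void *slots[NODE_SLOTS];
	unsigned count;
};

/* Deterministic: always touches every slot, no early exit, nothing to keep
 * consistent on insert and remove.  A node is empty iff every slot is NULL,
 * i.e. the OR of all slot values (as integers) is zero. */
static bool
node_is_empty(const struct node *n)
{
	uintptr_t acc = 0;
	size_t i;

	for (i = 0; i < NODE_SLOTS; i++)
		acc |= (uintptr_t)n->slots[i];
	return acc == 0;
}

static void
node_set(struct node *n, size_t idx, void *p)
{
	n->slots[idx] = p;	/* no counter to update */
}

static void
node_clear(struct node *n, size_t idx)
{
	n->slots[idx] = NULL;	/* no counter to update */
}

/* Cache lines spanned by each layout, rounded up. */
static unsigned
node_cache_lines(void)
{
	return (unsigned)((sizeof(struct node) + CACHE_LINE - 1) / CACHE_LINE);
}

static unsigned
node_with_count_cache_lines(void)
{
	return (unsigned)((sizeof(struct node_with_count) + CACHE_LINE - 1) / CACHE_LINE);
}

int
main(void)
{
	struct node n = { { NULL } };
	int payload = 42;

	printf("empty: %d\n", node_is_empty(&n));
	node_set(&n, 7, &payload);
	printf("empty after set: %d\n", node_is_empty(&n));
	node_clear(&n, 7);
	printf("empty after clear: %d\n", node_is_empty(&n));
	printf("lines without counter: %u, with counter: %u\n",
	    node_cache_lines(), node_with_count_cache_lines());
	return 0;
}
```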
Other architectures do not define them, and so we don't provide a
function declaration in any header.
This means a package may detect it with a link-test and then fail
due to the missing declaration, like sysutils/collectd currently does.
Done this way as aarch64 has not had a release yet. Discussed with releng.
- code that will be unreachable on platforms with
sizeof(double) != sizeof(unsigned long) triggered a valid out-of-bounds
warning. Avoid the error by using sizeof ul.
- also assert that the sizes are the same if entering here.
both from kamil@.
Define _REENTRANT for MKSANITIZER build. This is needed for at least stdio
code. This caused new build issues with duplicated symbols in a few places
and rump kernel code picking different code paths borrowed from libc.
Handle all this in one go.
Add bsd.sanitizer.mk to share common code used by programs and libraries.
Switch from realall to beforeinstall target in .syms files. This is more
reliable in MKSANITIZER.