It makes vulnerabilities too easily exploitable, is unused and as a sanity
rule should not be used in the kernel to begin with.
Now, "printf(unfiltered_string);" is much less of a problem.
Primary goals:
1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.
Caveat: rngtest is no longer used generically for RND_TYPE_RNG
rndsources. Hardware RNG devices should have hardware-specific
health tests. For example, checking for two repeated 256-bit outputs
works to detect AMD's 2019 RDRAND bug. Not all hardware RNGs are
necessarily designed to produce exactly uniform output.
ENTROPY POOL
- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1
kludge as the cryptographic primitive.
- `Entropy depletion' is available for testing purposes with a sysctl
knob kern.entropy.depletion; otherwise it is disabled, and once the
system reaches full entropy it is assumed to stay there as far as
modern cryptography is concerned.
- No `entropy estimation' based on sample values. Such `entropy
estimation' is a contradiction in terms, dishonest to users, and a
potential source of side channels. It is the responsibility of the
driver author to study the entropy of the process that generates
the samples.
- Per-CPU gathering pools avoid contention on a global queue.
- Entropy is occasionally consolidated into global pool -- as soon as
it's ready, if we've never reached full entropy, and with a rate
limit afterward. Operators can force consolidation now by running
sysctl -w kern.entropy.consolidate=1.
- rndsink(9) API has been replaced by an epoch counter which changes
whenever entropy is consolidated into the global pool.
. Usage: Cache entropy_epoch() when you seed. If entropy_epoch()
has changed when you're about to use whatever you seeded, reseed.
. Epoch is never zero, so initialize cache to 0 if you want to reseed
on first use.
. Epoch is -1 iff we have never reached full entropy -- in other
words, the old rnd_initial_entropy is (entropy_epoch() != -1) --
but it is better if you check for changes rather than for -1, so
that if the system estimated its own entropy incorrectly, entropy
consolidation has the opportunity to prevent future compromise.
- Sysctls and event counters provide operator visibility into what's
happening:
. kern.entropy.needed - bits of entropy short of full entropy
. kern.entropy.pending - bits known to be pending in per-CPU pools,
can be consolidated with sysctl -w kern.entropy.consolidate=1
. kern.entropy.epoch - number of times consolidation has happened,
never 0, and -1 iff we have never reached full entropy
CPRNG_STRONG
- A cprng_strong instance is now a collection of per-CPU NIST
Hash_DRBGs. There are only two in the system: user_cprng for
/dev/urandom and sysctl kern.?random, and kern_cprng for kernel
users which may need to operate in interrupt context up to IPL_VM.
(Calling cprng_strong in interrupt context does not strike me as a
particularly good idea, so I added an event counter to see whether
anything actually does.)
- Event counters provide operator visibility into when reseeding
happens.
INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)
- Unwired for now; will be rewired in a subsequent commit.
the system is shutting down or rebooting.
- Set this global in a new function called kern_reboot(), which is currently
just a basic wrapper around cpu_reboot().
- Call kern_reboot() instead of cpu_reboot() almost everywhere; a few
places remain where it's still called directly, but those are in early
pre-main() machdep locations.
Eventually, all of the various cpu_reboot() functions should be re-factored
and common functionality moved to kern_reboot(), but that's for another day.
flags. Add a new kprintf flag to avoid adding time stamps
when outputing to the console. Mostly from Christos, any bugs
added by me.
Use above to print the "twiddle" (when using boot -z) without
timestamps.
to 7 (100's of nanosecs). This should perhaps depend upon the
port (what resolution is rational) the CPU speed, and the clock
update frequency (no point printing nanoseconds if the value being
brinted is only updated every few microseconds).
Eventually it should be able to be controlled by a sysctl, but
the default still matters, as that's what the autoconf (boot time,
before init starts) messages will use.
be controlled - for now that is done by editing this file and
recompiling (or using gdb or equiv to patch /netbsd or /dev/kmem)
but adding a sysctl to allow dynamic userland control should be easy.
Also reduce the initial seconds field width of timestamp from 5 to 4
(it grows wider as needed.)
Avoid printing timestamps if we cannot be sure there will be
a message to accompany them. (Observed happening...)
if we're not going to use the result anyway.
XXX: not necessarily the best fix, but better than crashing *early*
boot due to too-early nanotime() calls.
XXX: pullup.
defined in ddb/db_panic.c and declared in ddb/ddbvar.h. No functional
change.
The copyright years in db_panic.c are the years in which changes were
made to the code that has now been moved to db_panic.c. No pre-NetBSD
copyright notice is needed because revision 1.12 of subr_prf.c had only
the trivial "#ifdef DDB \\ Debugger(); \\ #endif"
sys/stdarg.h and expect compiler to provide proper builtins, defaulting
to the GCC interface. lint still has a special fallback.
Reduce abuse of _BSD_VA_LIST_ by defining __va_list by default and
derive va_list as required by standards.
well have triggered the recursive panic.
Fix the comment for panic() to reflect now-current reality: the code
was already changed never to sync() on panic(), now we avoid dumping
core on a recursive panic.
of transitions to IPL_HIGH from lower IPLs. SPLDEBUG is only available
on i386 and Xen kernels, today.
'options SPLDEBUG' adds instrumentation to spllower() and splraise() as
well as routines to start/stop debugging and to record IPL transitions:
spldebug_start(), spldebug_stop(), spldebug_raise(), spldebug_lower().
maxv