Primary goals:
1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.
Caveat: rngtest is no longer used generically for RND_TYPE_RNG
rndsources. Hardware RNG devices should have hardware-specific
health tests. For example, checking for two repeated 256-bit outputs
works to detect AMD's 2019 RDRAND bug. Not all hardware RNGs are
necessarily designed to produce exactly uniform output.
ENTROPY POOL
- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1
kludge as the cryptographic primitive.
- `Entropy depletion' is available for testing purposes with a sysctl
knob kern.entropy.depletion; otherwise it is disabled, and once the
system reaches full entropy it is assumed to stay there as far as
modern cryptography is concerned.
- No `entropy estimation' based on sample values. Such `entropy
estimation' is a contradiction in terms, dishonest to users, and a
potential source of side channels. It is the responsibility of the
driver author to study the entropy of the process that generates
the samples.
- Per-CPU gathering pools avoid contention on a global queue.
- Entropy is occasionally consolidated into global pool -- as soon as
it's ready, if we've never reached full entropy, and with a rate
limit afterward. Operators can force consolidation now by running
sysctl -w kern.entropy.consolidate=1.
- rndsink(9) API has been replaced by an epoch counter which changes
whenever entropy is consolidated into the global pool.
. Usage: Cache entropy_epoch() when you seed. If entropy_epoch()
has changed when you're about to use whatever you seeded, reseed.
. Epoch is never zero, so initialize cache to 0 if you want to reseed
on first use.
. Epoch is -1 iff we have never reached full entropy -- in other
words, the old rnd_initial_entropy is (entropy_epoch() != -1) --
but it is better if you check for changes rather than for -1, so
that if the system estimated its own entropy incorrectly, entropy
consolidation has the opportunity to prevent future compromise.
- Sysctls and event counters provide operator visibility into what's
happening:
. kern.entropy.needed - bits of entropy short of full entropy
. kern.entropy.pending - bits known to be pending in per-CPU pools,
can be consolidated with sysctl -w kern.entropy.consolidate=1
. kern.entropy.epoch - number of times consolidation has happened,
never 0, and -1 iff we have never reached full entropy
CPRNG_STRONG
- A cprng_strong instance is now a collection of per-CPU NIST
Hash_DRBGs. There are only two in the system: user_cprng for
/dev/urandom and sysctl kern.?random, and kern_cprng for kernel
users which may need to operate in interrupt context up to IPL_VM.
(Calling cprng_strong in interrupt context does not strike me as a
particularly good idea, so I added an event counter to see whether
anything actually does.)
- Event counters provide operator visibility into when reseeding
happens.
INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)
- Unwired for now; will be rewired in a subsequent commit.
repository, don't attempt to install it, and don't expect it to
be installed. If a better fix is to return 02-dump, then this
change can be reverted (by anyone, just go ahead and do it).
dhcpcd(8) should also have mention of 02-dump removed, if removing
it was intentional.
on the OpenBSD single-port XR21V1410 uxrcom driver, but adds support
for multi-port chipsets and uses the common umodem framework instead of
being a standalone driver.
Thanks to skrll@ for much USB clue and mrg@ for financing the
development of this driver.
/netbsd/modules respectively instead of /netbsd and
/stand/<arch>/<version>/modules. This is only supported for x86,
and is turned off by default. To try it, add KERNEL_DIR=yes in your
/mk.conf and install a system from that build.
- Modify the writing code to only write entries in the new
format for the terminal descriptions that require it.
- Store new format entries as <name>@v3
- Store old format entries with clamped values as <name> for
backwards compatibility
- Lookup first <name>@v3 and then <name> if that is not found.
- Don't create terminfo2 anymore; old programs keep working with
clamped entries, and new programs be able to use the wide
fields with using the original db file.
While here also document (but comment it out since it isn't
available - yet) strerror_lr(). To include that, simply
uncomment the relevant lines, and (twice I think) s/returns/return/
on lines just after currently commented out lines (that is, it
currently says, "A returns" after the comments are returned, we
need it to be "A and B return" - the "and B" appears when the comment
markers are removed, removing the 's' from returns must be done manually.
In addition to adding strerror_l() some additional enhancements were
made to the general strerror() doc.
No mouse support actually included.
But that doesn't matter because most terms don't actually support a mouse.
We should look into hooking these into wsmouse(4) and xterm mouse
in the future.
Compatable with nCurses mouse API version 2.
POSIX mandates implementations must support upto a short but may exceed it.
When NetBSD terminfo was implemented, no terminfo description used over
a short, but because ncurses has supported ints for some time, some now do.
Infact, such a terminfo description was imported where colour pairs for
screen-256color went up to 65536 which exposed a bug in the existing
implementation where it set to zero. Because the number might mean
something more than a range, we need to be able to store it accurately.
This requires a version bump because whilst the API hasn't changed thanks
to C int promotion, the ABI has. Also the underlying database structure
has changed as well - we now store the numeric paramter inside a uint32_t
field rather than a uint16_t one.
Whilst this change can still read the old style database, the old one
cannot read the new one and thus we now maintain the database as
terminfo2.cdb, leaving the old library and database alone so old programs
still work fine.
libcurses, libfrom, libmenu and libpanel have also been bumped to
accomoate this change.
t_ptrace_sigchld - for SIGCHLD handler + ptrace(2).
Right now a single test is enabled (raise(SIGKILL)) and marked as failed
as it never finishes as the child is never collected before exiting the
parent uninterested about its child (SA_NOCLDWAIT).
These are currently listed in order of uid because I went through
src/etc/group and src/etc/master.passwd line by line, and sorting any
other way after the fact -- like lexicographically, how it should be
-- was kinda inconvenient.
Feel free to sort, add information, add historical references,
correct any mistakes, &c., so that these remain living documents
describing NetBSD's standard users and groups and practices around
them.
91 passed test cases
0 failed test cases.
0 expected failed test cases.
62 skipped test cases.
There are many skipped tests, because the test itself supports full-
duplex, half-duplex and uni-directional devices but pad(4) used in ATF
tests is uni-directional device.
Background:
- All m68k ports have fixed PAGE_SIZE value in their kernels,
but each port uses different PAGE_SIZE value (4096 or 8192)
due to historical reasons.
- Currently module(7) binaries are built per each port so
all m68k kernel sources don't support run-time variable PAGE_SIZE.
- MI <uvm/uvm_param.h> assumes that the port supports a variable
PAGE_SIZE on module(7) builds if both MAX_PAGE_SIZE and MIN_PAGE_SIZE
are defined and they have different values.
- On the other hand, jemalloc(3) checks MAX_PAGE_SHIFT in
src/external/bsd/jemalloc/include/jemalloc/internal/jemalloc_internal_defs.h
for internal optimization.
- m68k ports share userland binaries (especially pkgsrc binaries)
among all ports, so we need to define MAX_PAGE_SHIFT as 13 to
support m68k ports where PAGE_SIZE==8192.
(though this would affect only if static binaries built on
4k page hosts are executed on 8k page hosts)
To solve these inconsistency on PAGE_SIZE definitions,
we should have an independent PAGE_SIZE related definitions
for userland, but it requires major reorganization.
For now (especially for netbsd-9) we define MAX/MIN PAGE_SIZE and
PAGE_SHIFT values in <m68k/vmparam.h> only in !defined(_KERNEL) case.
Discussed on source-changes-d@ and tech-kern@ with christos@ and thorpej@:
https://mail-index.netbsd.org/source-changes-d/2020/01/thread1.html#012035https://mail-index.netbsd.org/tech-kern/2020/01/thread1.html#025954
Should be pulled up to netbsd-9.
Associates a constructor and destructor with the percpu. Currently
the constructor runs immediately, but in principle we could use the
same API for future CPU hotplug support.
This lets you sleep for allocation or draining users before
deallocation when setting up or tearing down a percpu -- currently we
have many abuses of percpu_foreach in tree for that purpose.
Proposed on tech-kern:
https://mail-index.NetBSD.org/tech-kern/2020/01/30/msg026036.html
At this point it is highly unlikely this 1999 device still has users,
but it still comes up in the context of maxv's USB-fuzzing (and any device
could pretend to be a urio(4)), so it's best to get rid of it.
Renamed all major entries to obsolete, as was done in previous removals.
This still requires an update to sanitizers, but they're located in
"external", perhaps it should be first committed upstream?
Proposed on tech-kern a month ago.
stuff from the rest of the module. This allows loading of the
(main) compat_50 module on kernels that don't include ``options
QUOTA''.
Welcome to 9.99.40 !
Addresses PR kern/54875
Discussed on tech-kern:
https://mail-index.NetBSD.org/tech-kern/2020/01/13/msg025938.html
This was never (intentionally) enabled by default, and the design has
some shortcomings. You can get mostly the same results with ktrace,
as in usr.bin/make/filemon/filemon_ktrace.c which is now used instead
of filemon for make's meta mode.
If applications require higher performance than ktrace, or nesting
that ktrace doesn't support, we might consider adding something back
into the vfs system calls themselves, without hijacking the syscall
table. (Might want a more reliable output format too, e.g. one that
can handle newlines in file names.)
This is a driver for a "nonsense machine" made by the art group Maywa-Denki
in 2008. It was disabled by default.
Unfortunately even so it draws development attention (flaws found in the
code, MP-ification needs) and it is best not to continue to maintain this
driver.
Proposed without objections on tech-kern.
Guarantee no fusing and no tearing, and can optionally impose
ordering relative to other memory operations.
Unordered:
- atomic_load_relaxed
- atomic_store_relaxed
Ordered:
- atomic_load_acquire
- atomic_load_consume
- atomic_store_release
These are intended to match C11 semantics, and can be defined in
terms of the C11 atomic API when ready.
It isn't suited for general use (that is, it poses security risks),
but the existence of the module means it is auto-loaded when /dev/filemon
is opened, which can be done by any user.
Thanks Ilja van Sprundel for the heads up.
In conjunction with mount_9p, it enables a NetBSD system running as a VM guest
to mount an exported filesystem by the host via virtio-9p. It exports a 9p
end-point of virtio-9p via a character device file for mount_9p.
Reviewed by yamaguchi@
- ldconfig in netbsd refers to a.out binaries only. We've been ELF-only
since NetBSD 2.0 or so, and having it in /rescue served little purpose
even before that, as /rescue is standalone.
- Using MI obsolete to avoid the need for MD set lists where ldconfig
is the sole entry
The new member is caled f_mntfromlabel and it is the dkw_wname
of the corresponding wedge. This is now used by df -W to display
the mountpoint name as NAME=
by /sbin/{zfs,zpool,mount_zfs}. The general effect is to move them
from /usr/lib to /lib. Compatibility links are installed in /usr/lib
and nothing that is installed, say in /usr/pkg, appears to break.
With this, it is possible to have a /var and /usr mount using ZFS
legacy mounting early on in the boot process.
Run tested on amd64 and i386 and compile tested on evbarm.
in the ZFS properties of the dataset and a simple man page for
mount_zfs. With this, it is possible to put ZFS filesystems in
/etc/fstab as file system type zfs.
Add a rc.d script that kicks the module ZFS load mostly before
mountall runs simular to what LVM does. This allows for any legacy
mounts to be specified in critical_local_filesystems and allows for
ZFS pools on top of cgd (probably among other things). Introduce a
rc.conf variable called zfs which needs to be set to YES, in the usual
manor of things, to get zvols and ZFS dataset support rather then just
assume that 'zfs mount' does that in mountall. Fix a problem in
mountall if ZFS is not compiled into the system.
Define _REENTRANT for MKSANITIZER build. This is needed for at least stdio
code. This caused new build issued with duplicated symbols in few places
and rump kernel code picking different code paths borrowed from libc.
Handle all this in one go.
Add bsd.sanitizer.mk to share common code used by programs and libraries.
Switch from realall to beforeinstall target in .syms files. This is more
reliable in MKSANITIZER.
Fix generation of .a.syms files in LLVM sanitizers. The old rules weren't
functional and sometimes they were fatal in the build.
Add the .a.syms files to distribution sets.
These files are generated only in certain .a files in 64bit version of
sanitizers.
Correct the location of files with LLVM sanitizers. Move the LLVM sanitizer
entries from base to comp files.
Add i386 support for LLVM sanitizers.
Add new build phases do-sanitizer-* for building LLVM sanitizers after libs
and before other programs. This phase is important as sanitizers need
to link with libs and sanitized programs must link with sanitizer runtimes.
Leak Sanitizer header is already needed in the distribution for built with
Address Sanitizer (MKSANITIZER):
- dist/llvm/utils/TableGen/TableGen.cpp
- dist/clang/utils/TableGen/TableGen.cpp
Next version of LLVM (9.0) will ship with LSan.
Enable in all the supported variations for NetBSD/amd64:
- Address Sanitizer
- Thread Sanitizer
- Memory Sanitizer
- Undefined Behavior Sanitizer
- SafeStack
- libFuzzer
- XRay
This change enables the features on amd64 for start.
USB ethernet drivers.
usbnet.h introduces a new set of APIs to provide common solutions
for these driver features:
- USB endpoint pipe handling
- rx and tx chain handling
- generic handlers or support for several struct ifnet callbacks
- MII bus locking
- interrupt handling
- partial autoconf handling: much of attach, and detach/activate
can use common versions directly.
currently, only axen(4) and cdce(4) are converted. the reductions
in these drivers are quite significant: if_cdce.c is reduced from
1000 lines to 320 lines, and if_axen is reduced from 1902 lines
to 1021 lines.
add a "usbnet" module and make the if_axen module depend upon it.
