KAME_IPSEC, and make IPSEC define it so that existing kernel
config files work as before
Now the default can easily be changed to FAST_IPSEC just by
setting the IPSEC alias to FAST_IPSEC.
but removed by merge botch on __HAVE_NEW_STYLE_BUS_H changes in rev 1.15.
Fixes "/dev/nvram: Device not configured" problem on installboot(8)
reported by David Ross.
implementation. Rewrite pseudodevice code to use cprng_strong(9).
The new pseudodevice is cloning, so each caller gets bits from a stream
generated with its own key. Users of /dev/urandom get their generators
keyed on a "best effort" basis -- the kernel will rekey generators
whenever the entropy pool hits the high water mark -- while users of
/dev/random get their generators rekeyed every time key-length bits
are output.
The underlying cprng_strong API can use AES-256 or AES-128, but we use
AES-128 because of concerns about related-key attacks on AES-256. This
improves performance (and reduces entropy pool depletion) significantly
for users of /dev/urandom but does cause users of /dev/random to rekey
twice as often.
Also fixes various bugs (including some missing locking and a reseed-counter
overflow in the CTR_DRBG code) found while testing this.
For long reads, this generator is approximately 20 times as fast as the
old generator (dd with bs=64K yields 53MB/sec on 2GHz Core2 instead of
2.5MB/sec) and also uses a separate mutex per instance so concurrency
is greatly improved. For reads of typical key sizes for modern
cryptosystems (16-32 bytes) performance is about the same as the old
code: a little better for 32 bytes, a little worse for 16 bytes.
x8/x16 configurations, or two x8 chips forming a x16 port width.
- The offset in cfi_cmd() is now always given for 64-bit port width.
It will be scaled down for the actual port width to avoid problems
with 0x2aa -> 0x554 instead of 0x555.
- Added missing cfi_reset_default() in cfi_jedec_id(). The reset is
needed, because the chip was still in CFI-Query mode.
- Removed everything dealing with cfi_opmodes. It only complicates things
and I found no reason for keeping them. The port width and chip width
are known, so I just introduced a new cfi_read_qry() function which reads
a single word using bus_space_read_N() from the QRY structure, which
can be checked for 'Q', 'R' and 'Y'. That's all we need, before
reading and unpacking the whole QRY and PRI structures.
- Added two new fields, cfi_unlock_addr1 and cfi_unlock_addr2 to
the cfi struct. The unlock offsets should be kept variable, depending
on the manufacturer or command set version.
Changes have been discussed with cliff@.