cff1e35637
- Make rnd_printing static in kern_rndq.c. - Merge some #ifdef _KERNEL blocks. - Fix comments about RND_DEV_(U)RANDOM. - Move rnd_ready to rnd_private.h.
1326 lines
32 KiB
C
1326 lines
32 KiB
C
/* $NetBSD: kern_rndq.c,v 1.46 2015/04/13 15:23:01 riastradh Exp $ */
|
|
|
|
/*-
|
|
* Copyright (c) 1997-2013 The NetBSD Foundation, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* This code is derived from software contributed to The NetBSD Foundation
|
|
* by Michael Graff <explorer@flame.org> and Thor Lancelot Simon.
|
|
* This code uses ideas and algorithms from the Linux driver written by
|
|
* Ted Ts'o.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__KERNEL_RCSID(0, "$NetBSD: kern_rndq.c,v 1.46 2015/04/13 15:23:01 riastradh Exp $");
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/atomic.h>
|
|
#include <sys/ioctl.h>
|
|
#include <sys/fcntl.h>
|
|
#include <sys/select.h>
|
|
#include <sys/poll.h>
|
|
#include <sys/kmem.h>
|
|
#include <sys/mutex.h>
|
|
#include <sys/proc.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/conf.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/callout.h>
|
|
#include <sys/intr.h>
|
|
#include <sys/rnd.h>
|
|
#include <sys/rndsink.h>
|
|
#include <sys/vnode.h>
|
|
#include <sys/pool.h>
|
|
#include <sys/kauth.h>
|
|
#include <sys/once.h>
|
|
#include <sys/rngtest.h>
|
|
|
|
#include <dev/rnd_private.h>
|
|
|
|
#if defined(__HAVE_CPU_COUNTER)
|
|
#include <machine/cpu_counter.h>
|
|
#endif
|
|
|
|
#ifdef RND_DEBUG
|
|
#define DPRINTF(l,x) if (rnd_debug & (l)) rnd_printf x
|
|
int rnd_debug = 0;
|
|
#else
|
|
#define DPRINTF(l,x)
|
|
#endif
|
|
|
|
/*
|
|
* list devices attached
|
|
*/
|
|
#if 0
|
|
#define RND_VERBOSE
|
|
#endif
|
|
|
|
#ifdef RND_VERBOSE
|
|
#define rnd_printf_verbose(fmt, ...) rnd_printf(fmt, ##__VA_ARGS__)
|
|
#else
|
|
#define rnd_printf_verbose(fmt, ...) ((void)0)
|
|
#endif
|
|
|
|
#ifdef RND_VERBOSE
|
|
static unsigned int deltacnt;
|
|
#endif
|
|
|
|
/*
|
|
* This is a little bit of state information attached to each device that we
|
|
* collect entropy from. This is simply a collection buffer, and when it
|
|
* is full it will be "detached" from the source and added to the entropy
|
|
* pool after entropy is distilled as much as possible.
|
|
*/
|
|
#define RND_SAMPLE_COUNT 64 /* collect N samples, then compress */
|
|
typedef struct _rnd_sample_t {
|
|
SIMPLEQ_ENTRY(_rnd_sample_t) next;
|
|
krndsource_t *source;
|
|
int cursor;
|
|
int entropy;
|
|
uint32_t ts[RND_SAMPLE_COUNT];
|
|
u_int32_t values[RND_SAMPLE_COUNT];
|
|
} rnd_sample_t;
|
|
|
|
SIMPLEQ_HEAD(rnd_sampleq, _rnd_sample_t);
|
|
|
|
/*
|
|
* The sample queue. Samples are put into the queue and processed in a
|
|
* softint in order to limit the latency of adding a sample.
|
|
*/
|
|
static struct {
|
|
kmutex_t lock;
|
|
struct rnd_sampleq q;
|
|
} rnd_samples __cacheline_aligned;
|
|
|
|
/*
|
|
* Memory pool for sample buffers
|
|
*/
|
|
static pool_cache_t rnd_mempc;
|
|
|
|
/*
|
|
* Our random pool. This is defined here rather than using the general
|
|
* purpose one defined in rndpool.c.
|
|
*
|
|
* Samples are collected and queued into a separate mutex-protected queue
|
|
* (rnd_samples, see above), and processed in a timeout routine; therefore,
|
|
* the mutex protecting the random pool is at IPL_SOFTCLOCK() as well.
|
|
*/
|
|
rndpool_t rnd_pool;
|
|
kmutex_t rndpool_mtx;
|
|
kcondvar_t rndpool_cv;
|
|
|
|
/*
|
|
* This source is used to easily "remove" queue entries when the source
|
|
* which actually generated the events is going away.
|
|
*/
|
|
static krndsource_t rnd_source_no_collect = {
|
|
/* LIST_ENTRY list */
|
|
.name = { 'N', 'o', 'C', 'o', 'l', 'l', 'e', 'c', 't',
|
|
0, 0, 0, 0, 0, 0, 0 },
|
|
.total = 0,
|
|
.type = RND_TYPE_UNKNOWN,
|
|
.flags = (RND_FLAG_NO_COLLECT |
|
|
RND_FLAG_NO_ESTIMATE),
|
|
.state = NULL,
|
|
.test_cnt = 0,
|
|
.test = NULL
|
|
};
|
|
|
|
static krndsource_t rnd_source_anonymous = {
|
|
/* LIST_ENTRY list */
|
|
.name = { 'A', 'n', 'o', 'n', 'y', 'm', 'o', 'u', 's',
|
|
0, 0, 0, 0, 0, 0, 0 },
|
|
.total = 0,
|
|
.type = RND_TYPE_UNKNOWN,
|
|
.flags = (RND_FLAG_COLLECT_TIME|
|
|
RND_FLAG_COLLECT_VALUE|
|
|
RND_FLAG_ESTIMATE_TIME),
|
|
.state = NULL,
|
|
.test_cnt = 0,
|
|
.test = NULL
|
|
};
|
|
|
|
krndsource_t rnd_printf_source, rnd_autoconf_source;
|
|
|
|
void *rnd_process, *rnd_wakeup;
|
|
|
|
void rnd_wakeup_readers(void);
|
|
static inline uint32_t rnd_counter(void);
|
|
static void rnd_intr(void *);
|
|
static void rnd_wake(void *);
|
|
static void rnd_process_events(void);
|
|
static void rnd_add_data_ts(krndsource_t *, const void *const,
|
|
uint32_t, uint32_t, uint32_t);
|
|
static inline void rnd_schedule_process(void);
|
|
|
|
int rnd_ready = 0;
|
|
int rnd_initial_entropy = 0;
|
|
|
|
static int rnd_printing = 0;
|
|
|
|
#ifdef DIAGNOSTIC
|
|
static int rnd_tested = 0;
|
|
static rngtest_t rnd_rt;
|
|
static uint8_t rnd_testbits[sizeof(rnd_rt.rt_b)];
|
|
#endif
|
|
|
|
struct rndsource_head rnd_sources;
|
|
|
|
rndsave_t *boot_rsp;
|
|
|
|
static inline void
|
|
rnd_printf(const char *fmt, ...)
|
|
{
|
|
va_list ap;
|
|
|
|
membar_consumer();
|
|
if (rnd_printing) {
|
|
return;
|
|
}
|
|
rnd_printing = 1;
|
|
membar_producer();
|
|
va_start(ap, fmt);
|
|
vprintf(fmt, ap);
|
|
va_end(ap);
|
|
rnd_printing = 0;
|
|
}
|
|
|
|
void
|
|
rnd_init_softint(void) {
|
|
rnd_process = softint_establish(SOFTINT_SERIAL|SOFTINT_MPSAFE,
|
|
rnd_intr, NULL);
|
|
rnd_wakeup = softint_establish(SOFTINT_CLOCK|SOFTINT_MPSAFE,
|
|
rnd_wake, NULL);
|
|
rnd_schedule_process();
|
|
}
|
|
|
|
/*
|
|
* Generate a 64-bit counter.
|
|
*/
|
|
static inline uint32_t
|
|
rnd_counter(void)
|
|
{
|
|
struct timespec ts;
|
|
uint32_t ret;
|
|
|
|
#if defined(__HAVE_CPU_COUNTER)
|
|
if (cpu_hascounter())
|
|
return cpu_counter32();
|
|
#endif
|
|
if (rnd_ready) {
|
|
nanouptime(&ts);
|
|
ret = ts.tv_sec;
|
|
ret *= (uint32_t)1000000000;
|
|
ret += ts.tv_nsec;
|
|
return ret;
|
|
}
|
|
/* when called from rnd_init, its too early to call nanotime safely */
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* We may be called from low IPL -- protect our softint.
|
|
*/
|
|
|
|
static inline void
|
|
rnd_schedule_softint(void *softint)
|
|
{
|
|
kpreempt_disable();
|
|
softint_schedule(softint);
|
|
kpreempt_enable();
|
|
}
|
|
|
|
static inline void
|
|
rnd_schedule_process(void)
|
|
{
|
|
if (__predict_true(rnd_process)) {
|
|
rnd_schedule_softint(rnd_process);
|
|
return;
|
|
}
|
|
rnd_process_events();
|
|
}
|
|
|
|
static inline void
|
|
rnd_schedule_wakeup(void)
|
|
{
|
|
if (__predict_true(rnd_wakeup)) {
|
|
rnd_schedule_softint(rnd_wakeup);
|
|
return;
|
|
}
|
|
rnd_wakeup_readers();
|
|
}
|
|
|
|
/*
|
|
* Tell any sources with "feed me" callbacks that we are hungry.
|
|
*/
|
|
void
|
|
rnd_getmore(size_t byteswanted)
|
|
{
|
|
krndsource_t *rs;
|
|
|
|
KASSERT(mutex_owned(&rndpool_mtx));
|
|
|
|
LIST_FOREACH(rs, &rnd_sources, list) {
|
|
if (!ISSET(rs->flags, RND_FLAG_HASCB))
|
|
continue;
|
|
KASSERT(rs->get != NULL);
|
|
KASSERT(rs->getarg != NULL);
|
|
rs->get(byteswanted, rs->getarg);
|
|
rnd_printf_verbose("rnd: entropy estimate %zu bits\n",
|
|
rndpool_get_entropy_count(&rnd_pool));
|
|
rnd_printf_verbose("rnd: asking source %s for %zu bytes\n",
|
|
rs->name, byteswanted);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Check to see if there are readers waiting on us. If so, kick them.
|
|
*/
|
|
void
|
|
rnd_wakeup_readers(void)
|
|
{
|
|
|
|
/*
|
|
* XXX This bookkeeping shouldn't be here -- this is not where
|
|
* the rnd_initial_entropy state change actually happens.
|
|
*/
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
const size_t entropy_count = rndpool_get_entropy_count(&rnd_pool);
|
|
if (entropy_count < RND_ENTROPY_THRESHOLD * 8) {
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
return;
|
|
} else {
|
|
#ifdef RND_VERBOSE
|
|
if (__predict_false(!rnd_initial_entropy))
|
|
rnd_printf_verbose("rnd: have initial entropy (%zu)\n",
|
|
entropy_count);
|
|
#endif
|
|
rnd_initial_entropy = 1;
|
|
}
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
|
|
rndsinks_distribute();
|
|
}
|
|
|
|
/*
|
|
* Use the timing/value of the event to estimate the entropy gathered.
|
|
* If all the differentials (first, second, and third) are non-zero, return
|
|
* non-zero. If any of these are zero, return zero.
|
|
*/
|
|
static inline uint32_t
|
|
rnd_delta_estimate(rnd_delta_t *d, uint32_t v, int32_t delta)
|
|
{
|
|
int32_t delta2, delta3;
|
|
|
|
d->insamples++;
|
|
|
|
/*
|
|
* Calculate the second and third order differentials
|
|
*/
|
|
delta2 = d->dx - delta;
|
|
if (delta2 < 0)
|
|
delta2 = -delta2;
|
|
|
|
delta3 = d->d2x - delta2;
|
|
if (delta3 < 0)
|
|
delta3 = -delta3;
|
|
|
|
d->x = v;
|
|
d->dx = delta;
|
|
d->d2x = delta2;
|
|
|
|
/*
|
|
* If any delta is 0, we got no entropy. If all are non-zero, we
|
|
* might have something.
|
|
*/
|
|
if (delta == 0 || delta2 == 0 || delta3 == 0)
|
|
return (0);
|
|
|
|
d->outbits++;
|
|
return (1);
|
|
}
|
|
|
|
/*
|
|
* Delta estimator for 32-bit timeestamps. Must handle wrap.
|
|
*/
|
|
static inline uint32_t
|
|
rnd_dt_estimate(krndsource_t *rs, uint32_t t)
|
|
{
|
|
int32_t delta;
|
|
uint32_t ret;
|
|
rnd_delta_t *d = &rs->time_delta;
|
|
|
|
if (t < d->x) {
|
|
delta = UINT32_MAX - d->x + t;
|
|
} else {
|
|
delta = d->x - t;
|
|
}
|
|
|
|
if (delta < 0) {
|
|
delta = -delta;
|
|
}
|
|
|
|
ret = rnd_delta_estimate(d, t, delta);
|
|
|
|
KASSERT(d->x == t);
|
|
KASSERT(d->dx == delta);
|
|
#ifdef RND_VERBOSE
|
|
if (deltacnt++ % 1151 == 0) {
|
|
rnd_printf_verbose("rnd_dt_estimate: %s x = %lld, dx = %lld, "
|
|
"d2x = %lld\n", rs->name,
|
|
(int)d->x, (int)d->dx, (int)d->d2x);
|
|
}
|
|
#endif
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Delta estimator for 32 or bit values. "Wrap" isn't.
|
|
*/
|
|
static inline uint32_t
|
|
rnd_dv_estimate(krndsource_t *rs, uint32_t v)
|
|
{
|
|
int32_t delta;
|
|
uint32_t ret;
|
|
rnd_delta_t *d = &rs->value_delta;
|
|
|
|
delta = d->x - v;
|
|
|
|
if (delta < 0) {
|
|
delta = -delta;
|
|
}
|
|
ret = rnd_delta_estimate(d, v, (uint32_t)delta);
|
|
|
|
KASSERT(d->x == v);
|
|
KASSERT(d->dx == delta);
|
|
#ifdef RND_VERBOSE
|
|
if (deltacnt++ % 1151 == 0) {
|
|
rnd_printf_verbose("rnd_dv_estimate: %s x = %lld, dx = %lld, "
|
|
" d2x = %lld\n", rs->name,
|
|
(long long int)d->x,
|
|
(long long int)d->dx,
|
|
(long long int)d->d2x);
|
|
}
|
|
#endif
|
|
return ret;
|
|
}
|
|
|
|
#if defined(__HAVE_CPU_COUNTER)
|
|
static struct {
|
|
kmutex_t lock;
|
|
struct callout callout;
|
|
struct callout stop_callout;
|
|
krndsource_t source;
|
|
} rnd_skew __cacheline_aligned;
|
|
|
|
static void rnd_skew_intr(void *);
|
|
|
|
static void
|
|
rnd_skew_enable(krndsource_t *rs, bool enabled)
|
|
{
|
|
|
|
if (enabled) {
|
|
rnd_skew_intr(rs);
|
|
} else {
|
|
callout_stop(&rnd_skew.callout);
|
|
}
|
|
}
|
|
|
|
static void
|
|
rnd_skew_stop_intr(void *arg)
|
|
{
|
|
|
|
callout_stop(&rnd_skew.callout);
|
|
}
|
|
|
|
static void
|
|
rnd_skew_get(size_t bytes, void *priv)
|
|
{
|
|
krndsource_t *skewsrcp = priv;
|
|
|
|
KASSERT(skewsrcp == &rnd_skew.source);
|
|
if (RND_ENABLED(skewsrcp)) {
|
|
/* Measure for 30s */
|
|
callout_schedule(&rnd_skew.stop_callout, hz * 30);
|
|
callout_schedule(&rnd_skew.callout, 1);
|
|
}
|
|
}
|
|
|
|
static void
|
|
rnd_skew_intr(void *arg)
|
|
{
|
|
static int flipflop;
|
|
|
|
/*
|
|
* Even on systems with seemingly stable clocks, the
|
|
* delta-time entropy estimator seems to think we get 1 bit here
|
|
* about every 2 calls.
|
|
*
|
|
*/
|
|
mutex_spin_enter(&rnd_skew.lock);
|
|
flipflop = !flipflop;
|
|
|
|
if (RND_ENABLED(&rnd_skew.source)) {
|
|
if (flipflop) {
|
|
rnd_add_uint32(&rnd_skew.source, rnd_counter());
|
|
callout_schedule(&rnd_skew.callout, hz / 10);
|
|
} else {
|
|
callout_schedule(&rnd_skew.callout, 1);
|
|
}
|
|
}
|
|
mutex_spin_exit(&rnd_skew.lock);
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* initialize the global random pool for our use.
|
|
* rnd_init() must be called very early on in the boot process, so
|
|
* the pool is ready for other devices to attach as sources.
|
|
*/
|
|
void
|
|
rnd_init(void)
|
|
{
|
|
uint32_t c;
|
|
|
|
if (rnd_ready)
|
|
return;
|
|
|
|
mutex_init(&rnd_samples.lock, MUTEX_DEFAULT, IPL_VM);
|
|
rndsinks_init();
|
|
|
|
/*
|
|
* take a counter early, hoping that there's some variance in
|
|
* the following operations
|
|
*/
|
|
c = rnd_counter();
|
|
|
|
LIST_INIT(&rnd_sources);
|
|
SIMPLEQ_INIT(&rnd_samples.q);
|
|
|
|
rndpool_init(&rnd_pool);
|
|
mutex_init(&rndpool_mtx, MUTEX_DEFAULT, IPL_VM);
|
|
cv_init(&rndpool_cv, "rndread");
|
|
|
|
rnd_mempc = pool_cache_init(sizeof(rnd_sample_t), 0, 0, 0,
|
|
"rndsample", NULL, IPL_VM,
|
|
NULL, NULL, NULL);
|
|
|
|
/*
|
|
* Set resource limit. The rnd_process_events() function
|
|
* is called every tick and process the sample queue.
|
|
* Without limitation, if a lot of rnd_add_*() are called,
|
|
* all kernel memory may be eaten up.
|
|
*/
|
|
pool_cache_sethardlimit(rnd_mempc, RND_POOLBITS, NULL, 0);
|
|
|
|
/*
|
|
* Mix *something*, *anything* into the pool to help it get started.
|
|
* However, it's not safe for rnd_counter() to call microtime() yet,
|
|
* so on some platforms we might just end up with zeros anyway.
|
|
* XXX more things to add would be nice.
|
|
*/
|
|
if (c) {
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
rndpool_add_data(&rnd_pool, &c, sizeof(c), 1);
|
|
c = rnd_counter();
|
|
rndpool_add_data(&rnd_pool, &c, sizeof(c), 1);
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
}
|
|
|
|
/*
|
|
* If we have a cycle counter, take its error with respect
|
|
* to the callout mechanism as a source of entropy, ala
|
|
* TrueRand.
|
|
*
|
|
*/
|
|
#if defined(__HAVE_CPU_COUNTER)
|
|
/* IPL_VM because taken while rndpool_mtx is held. */
|
|
mutex_init(&rnd_skew.lock, MUTEX_DEFAULT, IPL_VM);
|
|
callout_init(&rnd_skew.callout, CALLOUT_MPSAFE);
|
|
callout_init(&rnd_skew.stop_callout, CALLOUT_MPSAFE);
|
|
callout_setfunc(&rnd_skew.callout, rnd_skew_intr, NULL);
|
|
callout_setfunc(&rnd_skew.stop_callout, rnd_skew_stop_intr, NULL);
|
|
rndsource_setcb(&rnd_skew.source, rnd_skew_get, &rnd_skew.source);
|
|
rndsource_setenable(&rnd_skew.source, rnd_skew_enable);
|
|
rnd_attach_source(&rnd_skew.source, "callout", RND_TYPE_SKEW,
|
|
RND_FLAG_COLLECT_VALUE|RND_FLAG_ESTIMATE_VALUE|
|
|
RND_FLAG_HASCB|RND_FLAG_HASENABLE);
|
|
rnd_skew_intr(NULL);
|
|
#endif
|
|
|
|
rnd_printf_verbose("rnd: initialised (%u)%s", RND_POOLBITS,
|
|
c ? " with counter\n" : "\n");
|
|
if (boot_rsp != NULL) {
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
rndpool_add_data(&rnd_pool, boot_rsp->data,
|
|
sizeof(boot_rsp->data),
|
|
MIN(boot_rsp->entropy, RND_POOLBITS / 2));
|
|
if (rndpool_get_entropy_count(&rnd_pool) >
|
|
RND_ENTROPY_THRESHOLD * 8) {
|
|
rnd_initial_entropy = 1;
|
|
}
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
rnd_printf("rnd: seeded with %d bits\n",
|
|
MIN(boot_rsp->entropy, RND_POOLBITS / 2));
|
|
memset(boot_rsp, 0, sizeof(*boot_rsp));
|
|
}
|
|
rnd_attach_source(&rnd_source_anonymous, "Anonymous",
|
|
RND_TYPE_UNKNOWN,
|
|
RND_FLAG_COLLECT_TIME|RND_FLAG_COLLECT_VALUE|
|
|
RND_FLAG_ESTIMATE_TIME);
|
|
rnd_attach_source(&rnd_printf_source, "printf", RND_TYPE_UNKNOWN,
|
|
RND_FLAG_NO_ESTIMATE);
|
|
rnd_attach_source(&rnd_autoconf_source, "autoconf",
|
|
RND_TYPE_UNKNOWN,
|
|
RND_FLAG_COLLECT_TIME|RND_FLAG_ESTIMATE_TIME);
|
|
rnd_ready = 1;
|
|
}
|
|
|
|
static rnd_sample_t *
|
|
rnd_sample_allocate(krndsource_t *source)
|
|
{
|
|
rnd_sample_t *c;
|
|
|
|
c = pool_cache_get(rnd_mempc, PR_WAITOK);
|
|
if (c == NULL)
|
|
return (NULL);
|
|
|
|
c->source = source;
|
|
c->cursor = 0;
|
|
c->entropy = 0;
|
|
|
|
return (c);
|
|
}
|
|
|
|
/*
|
|
* Don't wait on allocation. To be used in an interrupt context.
|
|
*/
|
|
static rnd_sample_t *
|
|
rnd_sample_allocate_isr(krndsource_t *source)
|
|
{
|
|
rnd_sample_t *c;
|
|
|
|
c = pool_cache_get(rnd_mempc, PR_NOWAIT);
|
|
if (c == NULL)
|
|
return (NULL);
|
|
|
|
c->source = source;
|
|
c->cursor = 0;
|
|
c->entropy = 0;
|
|
|
|
return (c);
|
|
}
|
|
|
|
static void
|
|
rnd_sample_free(rnd_sample_t *c)
|
|
{
|
|
memset(c, 0, sizeof(*c));
|
|
pool_cache_put(rnd_mempc, c);
|
|
}
|
|
|
|
/*
|
|
* Add a source to our list of sources.
|
|
*/
|
|
void
|
|
rnd_attach_source(krndsource_t *rs, const char *name, uint32_t type,
|
|
uint32_t flags)
|
|
{
|
|
uint32_t ts;
|
|
|
|
ts = rnd_counter();
|
|
|
|
strlcpy(rs->name, name, sizeof(rs->name));
|
|
memset(&rs->time_delta, 0, sizeof(rs->time_delta));
|
|
rs->time_delta.x = ts;
|
|
memset(&rs->value_delta, 0, sizeof(rs->value_delta));
|
|
rs->total = 0;
|
|
|
|
/*
|
|
* Some source setup, by type
|
|
*/
|
|
rs->test = NULL;
|
|
rs->test_cnt = -1;
|
|
|
|
if (flags == 0) {
|
|
flags = RND_FLAG_DEFAULT;
|
|
}
|
|
|
|
switch (type) {
|
|
case RND_TYPE_NET: /* Don't collect by default */
|
|
flags |= (RND_FLAG_NO_COLLECT | RND_FLAG_NO_ESTIMATE);
|
|
break;
|
|
case RND_TYPE_RNG: /* Space for statistical testing */
|
|
rs->test = kmem_alloc(sizeof(rngtest_t), KM_NOSLEEP);
|
|
rs->test_cnt = 0;
|
|
/* FALLTHRU */
|
|
case RND_TYPE_VM: /* Process samples in bulk always */
|
|
flags |= RND_FLAG_FAST;
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
rs->type = type;
|
|
rs->flags = flags;
|
|
|
|
rs->state = rnd_sample_allocate(rs);
|
|
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
LIST_INSERT_HEAD(&rnd_sources, rs, list);
|
|
|
|
#ifdef RND_VERBOSE
|
|
rnd_printf_verbose("rnd: %s attached as an entropy source (",
|
|
rs->name);
|
|
if (!(flags & RND_FLAG_NO_COLLECT)) {
|
|
rnd_printf_verbose("collecting");
|
|
if (flags & RND_FLAG_NO_ESTIMATE)
|
|
rnd_printf_verbose(" without estimation");
|
|
}
|
|
else
|
|
rnd_printf_verbose("off");
|
|
rnd_printf_verbose(")\n");
|
|
#endif
|
|
|
|
/*
|
|
* Again, put some more initial junk in the pool.
|
|
* FreeBSD claim to have an analysis that show 4 bits of
|
|
* entropy per source-attach timestamp. I am skeptical,
|
|
* but we count 1 bit per source here.
|
|
*/
|
|
rndpool_add_data(&rnd_pool, &ts, sizeof(ts), 1);
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
}
|
|
|
|
/*
|
|
* Remove a source from our list of sources.
|
|
*/
|
|
void
|
|
rnd_detach_source(krndsource_t *source)
|
|
{
|
|
rnd_sample_t *sample;
|
|
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
LIST_REMOVE(source, list);
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
|
|
/*
|
|
* If there are samples queued up "remove" them from the sample queue
|
|
* by setting the source to the no-collect pseudosource.
|
|
*/
|
|
mutex_spin_enter(&rnd_samples.lock);
|
|
sample = SIMPLEQ_FIRST(&rnd_samples.q);
|
|
while (sample != NULL) {
|
|
if (sample->source == source)
|
|
sample->source = &rnd_source_no_collect;
|
|
|
|
sample = SIMPLEQ_NEXT(sample, next);
|
|
}
|
|
mutex_spin_exit(&rnd_samples.lock);
|
|
|
|
if (source->state) {
|
|
rnd_sample_free(source->state);
|
|
source->state = NULL;
|
|
}
|
|
|
|
if (source->test) {
|
|
kmem_free(source->test, sizeof(rngtest_t));
|
|
}
|
|
|
|
rnd_printf_verbose("rnd: %s detached as an entropy source\n",
|
|
source->name);
|
|
}
|
|
|
|
static inline uint32_t
|
|
rnd_estimate(krndsource_t *rs, uint32_t ts, uint32_t val)
|
|
{
|
|
uint32_t entropy = 0, dt_est, dv_est;
|
|
|
|
dt_est = rnd_dt_estimate(rs, ts);
|
|
dv_est = rnd_dv_estimate(rs, val);
|
|
|
|
if (!(rs->flags & RND_FLAG_NO_ESTIMATE)) {
|
|
if (rs->flags & RND_FLAG_ESTIMATE_TIME) {
|
|
entropy += dt_est;
|
|
}
|
|
|
|
if (rs->flags & RND_FLAG_ESTIMATE_VALUE) {
|
|
entropy += dv_est;
|
|
}
|
|
|
|
}
|
|
return entropy;
|
|
}
|
|
|
|
/*
|
|
* Add a 32-bit value to the entropy pool. The rs parameter should point to
|
|
* the source-specific source structure.
|
|
*/
|
|
void
|
|
_rnd_add_uint32(krndsource_t *rs, uint32_t val)
|
|
{
|
|
uint32_t ts;
|
|
uint32_t entropy = 0;
|
|
|
|
if (rs->flags & RND_FLAG_NO_COLLECT)
|
|
return;
|
|
|
|
/*
|
|
* Sample the counter as soon as possible to avoid
|
|
* entropy overestimation.
|
|
*/
|
|
ts = rnd_counter();
|
|
|
|
/*
|
|
* Calculate estimates - we may not use them, but if we do
|
|
* not calculate them, the estimators' history becomes invalid.
|
|
*/
|
|
entropy = rnd_estimate(rs, ts, val);
|
|
|
|
rnd_add_data_ts(rs, &val, sizeof(val), entropy, ts);
|
|
}
|
|
|
|
void
|
|
_rnd_add_uint64(krndsource_t *rs, uint64_t val)
|
|
{
|
|
uint32_t ts;
|
|
uint32_t entropy = 0;
|
|
|
|
if (rs->flags & RND_FLAG_NO_COLLECT)
|
|
return;
|
|
|
|
/*
|
|
* Sample the counter as soon as possible to avoid
|
|
* entropy overestimation.
|
|
*/
|
|
ts = rnd_counter();
|
|
|
|
/*
|
|
* Calculate estimates - we may not use them, but if we do
|
|
* not calculate them, the estimators' history becomes invalid.
|
|
*/
|
|
entropy = rnd_estimate(rs, ts, (uint32_t)(val & (uint64_t)0xffffffff));
|
|
|
|
rnd_add_data_ts(rs, &val, sizeof(val), entropy, ts);
|
|
}
|
|
|
|
void
|
|
rnd_add_data(krndsource_t *rs, const void *const data, uint32_t len,
|
|
uint32_t entropy)
|
|
{
|
|
/*
|
|
* This interface is meant for feeding data which is,
|
|
* itself, random. Don't estimate entropy based on
|
|
* timestamp, just directly add the data.
|
|
*/
|
|
if (__predict_false(rs == NULL)) {
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
rndpool_add_data(&rnd_pool, data, len, entropy);
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
} else {
|
|
rnd_add_data_ts(rs, data, len, entropy, rnd_counter());
|
|
}
|
|
}
|
|
|
|
static void
|
|
rnd_add_data_ts(krndsource_t *rs, const void *const data, u_int32_t len,
|
|
u_int32_t entropy, uint32_t ts)
|
|
{
|
|
rnd_sample_t *state = NULL;
|
|
const uint8_t *p = data;
|
|
uint32_t dint;
|
|
int todo, done, filled = 0;
|
|
int sample_count;
|
|
struct rnd_sampleq tmp_samples = SIMPLEQ_HEAD_INITIALIZER(tmp_samples);
|
|
|
|
if (rs && (rs->flags & RND_FLAG_NO_COLLECT ||
|
|
__predict_false(!(rs->flags &
|
|
(RND_FLAG_COLLECT_TIME|
|
|
RND_FLAG_COLLECT_VALUE))))) {
|
|
return;
|
|
}
|
|
todo = len / sizeof(dint);
|
|
/*
|
|
* Let's try to be efficient: if we are warm, and a source
|
|
* is adding entropy at a rate of at least 1 bit every 10 seconds,
|
|
* mark it as "fast" and add its samples in bulk.
|
|
*/
|
|
if (__predict_true(rs->flags & RND_FLAG_FAST) ||
|
|
(todo >= RND_SAMPLE_COUNT)) {
|
|
sample_count = RND_SAMPLE_COUNT;
|
|
} else {
|
|
if (!(rs->flags & RND_FLAG_HASCB) &&
|
|
!cold && rnd_initial_entropy) {
|
|
struct timeval upt;
|
|
|
|
getmicrouptime(&upt);
|
|
if ( (upt.tv_sec > 0 && rs->total > upt.tv_sec * 10) ||
|
|
(upt.tv_sec > 10 && rs->total > upt.tv_sec) ||
|
|
(upt.tv_sec > 100 &&
|
|
rs->total > upt.tv_sec / 10)) {
|
|
rnd_printf_verbose("rnd: source %s is fast"
|
|
" (%d samples at once,"
|
|
" %d bits in %lld seconds), "
|
|
"processing samples in bulk.\n",
|
|
rs->name, todo, rs->total,
|
|
(long long int)upt.tv_sec);
|
|
rs->flags |= RND_FLAG_FAST;
|
|
}
|
|
}
|
|
sample_count = 2;
|
|
}
|
|
|
|
/*
|
|
* Loop over data packaging it into sample buffers.
|
|
* If a sample buffer allocation fails, drop all data.
|
|
*/
|
|
for (done = 0; done < todo ; done++) {
|
|
state = rs->state;
|
|
if (state == NULL) {
|
|
state = rnd_sample_allocate_isr(rs);
|
|
if (__predict_false(state == NULL)) {
|
|
break;
|
|
}
|
|
rs->state = state;
|
|
}
|
|
|
|
state->ts[state->cursor] = ts;
|
|
(void)memcpy(&dint, &p[done*4], 4);
|
|
state->values[state->cursor] = dint;
|
|
state->cursor++;
|
|
|
|
if (state->cursor == sample_count) {
|
|
SIMPLEQ_INSERT_HEAD(&tmp_samples, state, next);
|
|
filled++;
|
|
rs->state = NULL;
|
|
}
|
|
}
|
|
|
|
if (__predict_false(state == NULL)) {
|
|
while ((state = SIMPLEQ_FIRST(&tmp_samples))) {
|
|
SIMPLEQ_REMOVE_HEAD(&tmp_samples, next);
|
|
rnd_sample_free(state);
|
|
}
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* Claim all the entropy on the last one we send to
|
|
* the pool, so we don't rely on it being evenly distributed
|
|
* in the supplied data.
|
|
*
|
|
* XXX The rndpool code must accept samples with more
|
|
* XXX claimed entropy than bits for this to work right.
|
|
*/
|
|
state->entropy += entropy;
|
|
rs->total += entropy;
|
|
|
|
/*
|
|
* If we didn't finish any sample buffers, we're done.
|
|
*/
|
|
if (!filled) {
|
|
return;
|
|
}
|
|
|
|
mutex_spin_enter(&rnd_samples.lock);
|
|
while ((state = SIMPLEQ_FIRST(&tmp_samples))) {
|
|
SIMPLEQ_REMOVE_HEAD(&tmp_samples, next);
|
|
SIMPLEQ_INSERT_HEAD(&rnd_samples.q, state, next);
|
|
}
|
|
mutex_spin_exit(&rnd_samples.lock);
|
|
|
|
/* Cause processing of queued samples */
|
|
rnd_schedule_process();
|
|
}
|
|
|
|
static int
|
|
rnd_hwrng_test(rnd_sample_t *sample)
|
|
{
|
|
krndsource_t *source = sample->source;
|
|
size_t cmplen;
|
|
uint8_t *v1, *v2;
|
|
size_t resid, totest;
|
|
|
|
KASSERT(source->type == RND_TYPE_RNG);
|
|
|
|
/*
|
|
* Continuous-output test: compare two halves of the
|
|
* sample buffer to each other. The sample buffer (64 ints,
|
|
* so either 256 or 512 bytes on any modern machine) should be
|
|
* much larger than a typical hardware RNG output, so this seems
|
|
* a reasonable way to do it without retaining extra data.
|
|
*/
|
|
cmplen = sizeof(sample->values) / 2;
|
|
v1 = (uint8_t *)sample->values;
|
|
v2 = (uint8_t *)sample->values + cmplen;
|
|
|
|
if (__predict_false(!memcmp(v1, v2, cmplen))) {
|
|
rnd_printf("rnd: source \"%s\" failed continuous-output test.\n",
|
|
source->name);
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* FIPS 140 statistical RNG test. We must accumulate 20,000 bits.
|
|
*/
|
|
if (__predict_true(source->test_cnt == -1)) {
|
|
/* already passed the test */
|
|
return 0;
|
|
}
|
|
resid = FIPS140_RNG_TEST_BYTES - source->test_cnt;
|
|
totest = MIN(RND_SAMPLE_COUNT * 4, resid);
|
|
memcpy(source->test->rt_b + source->test_cnt, sample->values, totest);
|
|
resid -= totest;
|
|
source->test_cnt += totest;
|
|
if (resid == 0) {
|
|
strlcpy(source->test->rt_name, source->name,
|
|
sizeof(source->test->rt_name));
|
|
if (rngtest(source->test)) {
|
|
rnd_printf("rnd: source \"%s\" failed statistical test.",
|
|
source->name);
|
|
return 1;
|
|
}
|
|
source->test_cnt = -1;
|
|
memset(source->test, 0, sizeof(*source->test));
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Process the events in the ring buffer. Called by rnd_timeout or
|
|
* by the add routines directly if the callout has never fired (that
|
|
* is, if we are "cold" -- just booted).
|
|
*
|
|
*/
|
|
static void
|
|
rnd_process_events(void)
|
|
{
|
|
rnd_sample_t *sample = NULL;
|
|
krndsource_t *source, *badsource = NULL;
|
|
static krndsource_t *last_source;
|
|
u_int32_t entropy;
|
|
size_t pool_entropy;
|
|
int found = 0, wake = 0;
|
|
struct rnd_sampleq dq_samples = SIMPLEQ_HEAD_INITIALIZER(dq_samples);
|
|
struct rnd_sampleq df_samples = SIMPLEQ_HEAD_INITIALIZER(df_samples);
|
|
|
|
/*
|
|
* Drain to the on-stack queue and drop the lock.
|
|
*/
|
|
mutex_spin_enter(&rnd_samples.lock);
|
|
while ((sample = SIMPLEQ_FIRST(&rnd_samples.q))) {
|
|
found++;
|
|
SIMPLEQ_REMOVE_HEAD(&rnd_samples.q, next);
|
|
/*
|
|
* We repeat this check here, since it is possible
|
|
* the source was disabled before we were called, but
|
|
* after the entry was queued.
|
|
*/
|
|
if (__predict_false(!(sample->source->flags &
|
|
(RND_FLAG_COLLECT_TIME|
|
|
RND_FLAG_COLLECT_VALUE)))) {
|
|
SIMPLEQ_INSERT_TAIL(&df_samples, sample, next);
|
|
} else {
|
|
SIMPLEQ_INSERT_TAIL(&dq_samples, sample, next);
|
|
}
|
|
}
|
|
mutex_spin_exit(&rnd_samples.lock);
|
|
|
|
/* Don't thrash the rndpool mtx either. Hold, add all samples. */
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
|
|
pool_entropy = rndpool_get_entropy_count(&rnd_pool);
|
|
|
|
while ((sample = SIMPLEQ_FIRST(&dq_samples))) {
|
|
int sample_count;
|
|
|
|
SIMPLEQ_REMOVE_HEAD(&dq_samples, next);
|
|
source = sample->source;
|
|
entropy = sample->entropy;
|
|
sample_count = sample->cursor;
|
|
|
|
/*
|
|
* Don't provide a side channel for timing attacks on
|
|
* low-rate sources: require mixing with some other
|
|
* source before we schedule a wakeup.
|
|
*/
|
|
if (!wake &&
|
|
(source != last_source || source->flags & RND_FLAG_FAST)) {
|
|
wake++;
|
|
}
|
|
last_source = source;
|
|
|
|
/*
|
|
* If the source has been disabled, ignore samples from
|
|
* it.
|
|
*/
|
|
if (source->flags & RND_FLAG_NO_COLLECT)
|
|
goto skip;
|
|
|
|
/*
|
|
* Hardware generators are great but sometimes they
|
|
* have...hardware issues. Don't use any data from
|
|
* them unless it passes some tests.
|
|
*/
|
|
if (source->type == RND_TYPE_RNG) {
|
|
if (__predict_false(rnd_hwrng_test(sample))) {
|
|
source->flags |= RND_FLAG_NO_COLLECT;
|
|
rnd_printf("rnd: disabling source \"%s\".",
|
|
badsource->name);
|
|
goto skip;
|
|
}
|
|
}
|
|
|
|
if (source->flags & RND_FLAG_COLLECT_VALUE) {
|
|
rndpool_add_data(&rnd_pool, sample->values,
|
|
sample_count *
|
|
sizeof(sample->values[1]),
|
|
0);
|
|
}
|
|
if (source->flags & RND_FLAG_COLLECT_TIME) {
|
|
rndpool_add_data(&rnd_pool, sample->ts,
|
|
sample_count *
|
|
sizeof(sample->ts[1]),
|
|
0);
|
|
}
|
|
|
|
pool_entropy += entropy;
|
|
source->total += sample->entropy;
|
|
skip: SIMPLEQ_INSERT_TAIL(&df_samples, sample, next);
|
|
}
|
|
rndpool_set_entropy_count(&rnd_pool, pool_entropy);
|
|
if (pool_entropy > RND_ENTROPY_THRESHOLD * 8) {
|
|
wake++;
|
|
} else {
|
|
rnd_getmore(howmany((RND_POOLBITS - pool_entropy), NBBY));
|
|
rnd_printf_verbose("rnd: empty, asking for %d bytes\n",
|
|
(int)(howmany((RND_POOLBITS - pool_entropy), NBBY)));
|
|
}
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
|
|
/* Now we hold no locks: clean up. */
|
|
while ((sample = SIMPLEQ_FIRST(&df_samples))) {
|
|
SIMPLEQ_REMOVE_HEAD(&df_samples, next);
|
|
rnd_sample_free(sample);
|
|
}
|
|
|
|
/*
|
|
* Wake up any potential readers waiting.
|
|
*/
|
|
if (wake) {
|
|
rnd_schedule_wakeup();
|
|
}
|
|
}
|
|
|
|
static void
|
|
rnd_intr(void *arg)
|
|
{
|
|
rnd_process_events();
|
|
}
|
|
|
|
static void
|
|
rnd_wake(void *arg)
|
|
{
|
|
rnd_wakeup_readers();
|
|
}
|
|
|
|
static uint32_t
|
|
rnd_extract_data(void *p, u_int32_t len, u_int32_t flags)
|
|
{
|
|
static int timed_in;
|
|
int entropy_count;
|
|
uint32_t retval;
|
|
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
if (__predict_false(!timed_in)) {
|
|
if (boottime.tv_sec) {
|
|
rndpool_add_data(&rnd_pool, &boottime,
|
|
sizeof(boottime), 0);
|
|
}
|
|
timed_in++;
|
|
}
|
|
if (__predict_false(!rnd_initial_entropy)) {
|
|
uint32_t c;
|
|
|
|
rnd_printf_verbose("rnd: WARNING! initial entropy low (%u).\n",
|
|
rndpool_get_entropy_count(&rnd_pool));
|
|
/* Try once again to put something in the pool */
|
|
c = rnd_counter();
|
|
rndpool_add_data(&rnd_pool, &c, sizeof(c), 1);
|
|
}
|
|
|
|
#ifdef DIAGNOSTIC
|
|
while (!rnd_tested) {
|
|
entropy_count = rndpool_get_entropy_count(&rnd_pool);
|
|
rnd_printf_verbose("rnd: starting statistical RNG test,"
|
|
" entropy = %d.\n",
|
|
entropy_count);
|
|
if (rndpool_extract_data(&rnd_pool, rnd_rt.rt_b,
|
|
sizeof(rnd_rt.rt_b), RND_EXTRACT_ANY)
|
|
!= sizeof(rnd_rt.rt_b)) {
|
|
panic("rnd: could not get bits for statistical test");
|
|
}
|
|
/*
|
|
* Stash the tested bits so we can put them back in the
|
|
* pool, restoring the entropy count. DO NOT rely on
|
|
* rngtest to maintain the bits pristine -- we could end
|
|
* up adding back non-random data claiming it were pure
|
|
* entropy.
|
|
*/
|
|
memcpy(rnd_testbits, rnd_rt.rt_b, sizeof(rnd_rt.rt_b));
|
|
strlcpy(rnd_rt.rt_name, "entropy pool", sizeof(rnd_rt.rt_name));
|
|
if (rngtest(&rnd_rt)) {
|
|
/*
|
|
* The probabiliity of a Type I error is 3/10000,
|
|
* but note this can only happen at boot time.
|
|
* The relevant standard says to reset the module,
|
|
* but developers objected...
|
|
*/
|
|
rnd_printf("rnd: WARNING, ENTROPY POOL FAILED "
|
|
"STATISTICAL TEST!\n");
|
|
continue;
|
|
}
|
|
memset(&rnd_rt, 0, sizeof(rnd_rt));
|
|
rndpool_add_data(&rnd_pool, rnd_testbits, sizeof(rnd_testbits),
|
|
entropy_count);
|
|
memset(rnd_testbits, 0, sizeof(rnd_testbits));
|
|
rnd_printf_verbose("rnd: statistical RNG test done,"
|
|
" entropy = %d.\n",
|
|
rndpool_get_entropy_count(&rnd_pool));
|
|
rnd_tested++;
|
|
}
|
|
#endif
|
|
entropy_count = rndpool_get_entropy_count(&rnd_pool);
|
|
if (entropy_count < (RND_ENTROPY_THRESHOLD * 2 + len) * NBBY) {
|
|
rnd_printf_verbose("rnd: empty, asking for %d bytes\n",
|
|
(int)(howmany((RND_POOLBITS - entropy_count), NBBY)));
|
|
rnd_getmore(howmany((RND_POOLBITS - entropy_count), NBBY));
|
|
}
|
|
retval = rndpool_extract_data(&rnd_pool, p, len, flags);
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
|
|
return retval;
|
|
}
|
|
|
|
/*
|
|
* Fill the buffer with as much entropy as we can. Return true if it
|
|
* has full entropy and false if not.
|
|
*/
|
|
bool
|
|
rnd_extract(void *buffer, size_t bytes)
|
|
{
|
|
const size_t extracted = rnd_extract_data(buffer, bytes,
|
|
RND_EXTRACT_GOOD);
|
|
|
|
if (extracted < bytes) {
|
|
(void)rnd_extract_data((uint8_t *)buffer + extracted,
|
|
bytes - extracted, RND_EXTRACT_ANY);
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
rnd_getmore(bytes - extracted);
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* If we have as much entropy as is requested, fill the buffer with it
|
|
* and return true. Otherwise, leave the buffer alone and return
|
|
* false.
|
|
*/
|
|
|
|
CTASSERT(RND_ENTROPY_THRESHOLD <= 0xffffffffUL);
|
|
CTASSERT(RNDSINK_MAX_BYTES <= (0xffffffffUL - RND_ENTROPY_THRESHOLD));
|
|
CTASSERT((RNDSINK_MAX_BYTES + RND_ENTROPY_THRESHOLD) <=
|
|
(0xffffffffUL / NBBY));
|
|
|
|
bool
|
|
rnd_tryextract(void *buffer, size_t bytes)
|
|
{
|
|
bool ok;
|
|
|
|
KASSERT(bytes <= RNDSINK_MAX_BYTES);
|
|
|
|
const uint32_t bits_needed = ((bytes + RND_ENTROPY_THRESHOLD) * NBBY);
|
|
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
if (bits_needed <= rndpool_get_entropy_count(&rnd_pool)) {
|
|
const uint32_t extracted __diagused =
|
|
rndpool_extract_data(&rnd_pool, buffer, bytes,
|
|
RND_EXTRACT_GOOD);
|
|
|
|
KASSERT(extracted == bytes);
|
|
|
|
ok = true;
|
|
} else {
|
|
ok = false;
|
|
rnd_getmore(howmany(bits_needed -
|
|
rndpool_get_entropy_count(&rnd_pool), NBBY));
|
|
}
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
|
|
return ok;
|
|
}
|
|
|
|
void
|
|
rnd_seed(void *base, size_t len)
|
|
{
|
|
SHA1_CTX s;
|
|
uint8_t digest[SHA1_DIGEST_LENGTH];
|
|
|
|
if (len != sizeof(*boot_rsp)) {
|
|
rnd_printf("rnd: bad seed length %d\n", (int)len);
|
|
return;
|
|
}
|
|
|
|
boot_rsp = (rndsave_t *)base;
|
|
SHA1Init(&s);
|
|
SHA1Update(&s, (uint8_t *)&boot_rsp->entropy,
|
|
sizeof(boot_rsp->entropy));
|
|
SHA1Update(&s, boot_rsp->data, sizeof(boot_rsp->data));
|
|
SHA1Final(digest, &s);
|
|
|
|
if (memcmp(digest, boot_rsp->digest, sizeof(digest))) {
|
|
rnd_printf("rnd: bad seed checksum\n");
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* It's not really well-defined whether bootloader-supplied
|
|
* modules run before or after rnd_init(). Handle both cases.
|
|
*/
|
|
if (rnd_ready) {
|
|
rnd_printf_verbose("rnd: ready,"
|
|
" feeding in seed data directly.\n");
|
|
mutex_spin_enter(&rndpool_mtx);
|
|
rndpool_add_data(&rnd_pool, boot_rsp->data,
|
|
sizeof(boot_rsp->data),
|
|
MIN(boot_rsp->entropy, RND_POOLBITS / 2));
|
|
memset(boot_rsp, 0, sizeof(*boot_rsp));
|
|
mutex_spin_exit(&rndpool_mtx);
|
|
} else {
|
|
rnd_printf_verbose("rnd: not ready, deferring seed feed.\n");
|
|
}
|
|
}
|