Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f3d69ca8a8
NetBSD/sys/arch/x86/include/via_padlock.h
tls 3afd44cf08 First step of random number subsystem rework described in 
<20111022023242.BA26F14A158@mail.netbsd.org>.  This change includes
the following:

	An initial cleanup and minor reorganization of the entropy pool
	code in sys/dev/rnd.c and sys/dev/rndpool.c.  Several bugs are
	fixed.  Some effort is made to accumulate entropy more quickly at
	boot time.

	A generic interface, "rndsink", is added, for stream generators to
	request that they be re-keyed with good quality entropy from the pool
	as soon as it is available.

	The arc4random()/arc4randbytes() implementation in libkern is
	adjusted to use the rndsink interface for rekeying, which helps
	address the problem of low-quality keys at boot time.

	An implementation of the FIPS 140-2 statistical tests for random
	number generator quality is provided (libkern/rngtest.c).  This
	is based on Greg Rose's implementation from Qualcomm.

	A new random stream generator, nist_ctr_drbg, is provided.  It is
	based on an implementation of the NIST SP800-90 CTR_DRBG by
	Henric Jungheim.  This generator users AES in a modified counter
	mode to generate a backtracking-resistant random stream.

	An abstraction layer, "cprng", is provided for in-kernel consumers
	of randomness.  The arc4random/arc4randbytes API is deprecated for
	in-kernel use.  It is replaced by "cprng_strong".  The current
	cprng_fast implementation wraps the existing arc4random
	implementation.  The current cprng_strong implementation wraps the
	new CTR_DRBG implementation.  Both interfaces are rekeyed from
	the entropy pool automatically at intervals justifiable from best
	current cryptographic practice.

	In some quick tests, cprng_fast() is about the same speed as
	the old arc4randbytes(), and cprng_strong() is about 20% faster
	than rnd_extract_data().  Performance is expected to improve.

	The AES code in src/crypto/rijndael is no longer an optional
	kernel component, as it is required by cprng_strong, which is
	not an optional kernel component.

	The entropy pool output is subjected to the rngtest tests at
	startup time; if it fails, the system will reboot.  There is
	approximately a 3/10000 chance of a false positive from these
	tests.  Entropy pool _input_ from hardware random numbers is
	subjected to the rngtest tests at attach time, as well as the
	FIPS continuous-output test, to detect bad or stuck hardware
	RNGs; if any are detected, they are detached, but the system
	continues to run.

	A problem with rndctl(8) is fixed -- datastructures with
	pointers in arrays are no longer passed to userspace (this
	was not a security problem, but rather a major issue for
	compat32).  A new kernel will require a new rndctl.

	The sysctl kern.arandom() and kern.urandom() nodes are hooked
	up to the new generators, but the /dev/*random pseudodevices
	are not, yet.

	Manual pages for the new kernel interfaces are forthcoming.
2011-11-19 22:51:18 +00:00

91 lines
2.8 KiB
C
Raw Blame History

/* $NetBSD: via_padlock.h,v 1.7 2011/11/19 22:51:21 tls Exp $ */
/*-
* Copyright (c) 2003 Jason Wright
* Copyright (c) 2003, 2004 Theo de Raadt
* All rights reserved.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _X86_VIA_PADLOCK_H_
#define _X86_VIA_PADLOCK_H_
#if defined(_KERNEL)
#include <sys/rnd.h>
#include <sys/callout.h>
#include <crypto/rijndael/rijndael.h>
/* VIA C3 xcrypt-* instruction context control options */
#define C3_CRYPT_CWLO_ROUND_M 0x0000000f
#define C3_CRYPT_CWLO_ALG_M 0x00000070
#define C3_CRYPT_CWLO_ALG_AES 0x00000000
#define C3_CRYPT_CWLO_KEYGEN_M 0x00000080
#define C3_CRYPT_CWLO_KEYGEN_HW 0x00000000
#define C3_CRYPT_CWLO_KEYGEN_SW 0x00000080
#define C3_CRYPT_CWLO_NORMAL 0x00000000
#define C3_CRYPT_CWLO_INTERMEDIATE 0x00000100
#define C3_CRYPT_CWLO_ENCRYPT 0x00000000
#define C3_CRYPT_CWLO_DECRYPT 0x00000200
#define C3_CRYPT_CWLO_KEY128 0x0000000a /* 128bit, 10 rds */
#define C3_CRYPT_CWLO_KEY192 0x0000040c /* 192bit, 12 rds */
#define C3_CRYPT_CWLO_KEY256 0x0000080e /* 256bit, 15 rds */
struct via_padlock_session {
uint32_t ses_ekey[4 * (RIJNDAEL_MAXNR + 1) + 4]; /* 128 bit aligned */
uint32_t ses_dkey[4 * (RIJNDAEL_MAXNR + 1) + 4]; /* 128 bit aligned */
uint8_t ses_iv[16]; /* 128 bit aligned */
uint32_t ses_cw0;
struct swcr_data *swd;
int ses_klen;
int ses_used;
};
struct via_padlock_softc {
device_t sc_dev;
uint32_t op_cw[4]; /* 128 bit aligned */
uint8_t op_iv[16]; /* 128 bit aligned */
void *op_buf;
int sc_rnd_hz;
struct callout sc_rnd_co;
krndsource_t sc_rnd_source;
bool sc_rnd_attached;
/* normal softc stuff */
int32_t sc_cid;
bool sc_cid_attached;
int sc_nsessions;
struct via_padlock_session *sc_sessions;
};
#define VIAC3_SESSION(sid) ((sid) & 0x0fffffff)
#define VIAC3_SID(crd,ses) (((crd) << 28) | ((ses) & 0x0fffffff))
#define VIAC3_RNG_BUFSIZ 16
#endif /* _KERNEL */
#if defined(_KERNEL) || defined(_KMEMUSER)
struct cpu_info;
struct via_padlock {
struct cpu_info *vp_ci;
int vp_freq;
};
#endif /* _KERNEL || _KMEMUSER */
#endif /* _X86_VIA_PADLOCK_H_ */
Reference in New Issue View Git Blame Copy Permalink