Commit Graph

213 Commits

Author SHA1 Message Date
Mark Murray
663c239342 Fix a constant printf which is (int) on some architectures and (long int) on others. 2013-10-10 07:39:19 +00:00
Dag-Erling Smørgrav
997b0a641d Add a RANDOM_RWFILE option and hide the entropy cache code behind it.
Rename YARROW_RNG and FORTUNA_RNG to RANDOM_YARROW and RANDOM_FORTUNA.
Add the RANDOM_* options to LINT.
2013-10-09 20:14:16 +00:00
Mark Murray
1b24a3a73b Sigh. I can't even get a single #ifdef right. Who's got the hat? 2013-10-09 18:11:15 +00:00
Dag-Erling Smørgrav
1b277d38f6 staticize struct random_hardware_source 2013-10-09 17:51:38 +00:00
Mark Murray
6a7ba84834 Wrap some policy-rich code in 'if NOTYET' until we can thresh out what it really needs to do. 2013-10-09 17:50:36 +00:00
Dag-Erling Smørgrav
aa1c90971f Re-add /dev/urandom for compatibility purposes. 2013-10-09 09:13:12 +00:00
Dag-Erling Smørgrav
85bbc612af comment nit 2013-10-09 09:12:44 +00:00
Dag-Erling Smørgrav
3e8957ea85 Add missing include guards and move the existing ones out of the
implementation namespace.
2013-10-09 09:11:14 +00:00
Mark Murray
b9887f5053 Fix some just-noticed problems:
o Allow this to work with "nodevice random" by fixing where the MALLOC pool is defined.

o Fix the explicit reseed code. This was correct as submitted, but in the project branch doesn't need to set the "seeded" bit as this is done correctly in the "unblock" function.

o Remove some debug ifdeffing.

o Adjust comments.
2013-10-08 22:14:07 +00:00
Mark Murray
898f83f9eb MFC - tracking commit. 2013-10-08 19:07:48 +00:00
Mark Murray
623f70165f Time to eat crow for me.
I replaced the sx_* locks that Arthur used with regular mutexes; this turned out the be the wrong thing to do as the locks need to be sleepable. Revert this folly.

Submitted by:	Arthur Mesh <arthurmesh@gmail.com> (In original diff)
2013-10-08 18:48:11 +00:00
Dimitry Andric
e7ad54b2b4 Now our binutils's assembler supports the Intel Random Number Generator
extensions, we can change the .byte directives in sys/dev/random/ivy.c
to plain 'rdrand' mnemonics.  This already worked for clang users, but
now it will also work for gcc users.

Approved by:	re (kib)
Approved by:	so (des)
MFC after:	1 week
2013-10-08 17:26:28 +00:00
Dag-Erling Smørgrav
db3fcaf970 Add YARROW_RNG and FORTUNA_RNG to sys/conf/options.
Add a SYSINIT that forces a reseed during proc0 setup, which happens
fairly late in the boot process.

Add a RANDOM_DEBUG option which enables some debugging printf()s.

Add a new RANDOM_ATTACH entropy source which harvests entropy from the
get_cyclecount() delta across each call to a device attach method.
2013-10-08 11:05:26 +00:00
Mark Murray
6e818c871f Debugging. My attempt at EVENTHANDLER(multiuser) was a failure; use EVENTHANDLER(mountroot) instead.
This means we can't count on /var being present, so something will need to be done about harvesting /var/db/entropy/... .

Some policy now needs to be sorted out, and a pre-sync cache needs to be written, but apart from that we are now ready to go.

Over to review.
2013-10-08 06:54:52 +00:00
Mark Murray
1a3c1f06dd Snapshot.
Looking pretty good; this mostly works now. New code includes:

* Read cached entropy at startup, both from files and from loader(8) preloaded entropy. Failures are soft, but announced. Untested.

* Use EVENTHANDLER to do above just before we go multiuser. Untested.
2013-10-06 22:45:02 +00:00
Mark Murray
ad1f331196 Debug run. This now works, except that the "live" sources haven't
been tested. With all sources turned on, this unlocks itself in
a couple of seconds! That is no my box, and there is no guarantee
that this will be the case everywhere.

* Cut debug prints.

* Use the same locks/mutexes all the way through.

* Be a tad more conservative about entropy estimates.
2013-10-06 12:40:32 +00:00
Mark Murray
eee1352e67 Don't use the "real" assembler mnemonics; older compilers may not
understand them (like when building CURRENT on 9.x).

Submitted by:	Konstantin Belousov <kostikbel@gmail.com>
2013-10-06 12:35:29 +00:00
Mark Murray
095ed2c9f3 SNAPSHOT.
Simplify the malloc pools; We only need one for this device.

Simplify the harvest queue.

Marginally improve the entropy pool hashing, making it a bit faster in the process.

Connect up the hardware "live" source harvesting. This is simplistic for now, and will need to be made rate-adaptive.

All of the above passes a compile test but needs to be debugged.
2013-10-06 09:55:28 +00:00
Mark Murray
f02e47dc1e Snapshot. This passes the build test, but has not yet been finished or debugged.
Contains:

* Refactor the hardware RNG CPU instruction sources to feed into
the software mixer. This is unfinished. The actual harvesting needs
to be sorted out. Modified by me (see below).

* Remove 'frac' parameter from random_harvest(). This was never
used and adds extra code for no good reason.

* Remove device write entropy harvesting. This provided a weak
attack vector, was not very good at bootstrapping the device. To
follow will be a replacement explicit reseed knob.

* Separate out all the RANDOM_PURE sources into separate harvest
entities. This adds some secuity in the case where more than one
is present.

* Review all the code and fix anything obviously messy or inconsistent.
Address som review concerns while I'm here, like rename the pseudo-rng
to 'dummy'.

Submitted by:	Arthur Mesh <arthurmesh@gmail.com> (the first item)
2013-10-04 06:55:06 +00:00
Mark Murray
27650413ea MFC - tracking update. 2013-10-02 18:07:43 +00:00
Mark Murray
9365bad8a2 Fix verbose output line; needs <NL>
Submitted by:	Sean Bruno <sean_bruno@yahoo.com>
Approved by:	re (glebius)
2013-09-08 16:48:03 +00:00
Mark Murray
7c2af6212d Fix the build; Certain linkable symbols need to always be present.
Pass the pointy hat please.

Also unblock the software (Yarrow) generator for now. This will be
reverted; Yarrow needs to block until secure, not this behaviour
of serving as soon as asked.

Folks with specific requiremnts will be able to (can!) unblock this
device with any write, and are encouraged to do so in /etc/rc.d/*
scripting. ("Any" in this case could be "echo '' > /dev/random" as
root).
2013-09-07 22:07:36 +00:00
Mark Murray
7737ec4198 Remove short-lived idea; thread to harvest (eg) RDRAND enropy into the usual harvest queues. It was a nifty idea, but too heavyweight.
Submitted by:	Arthur Mesh <arthurmesh@gmail.com>
2013-08-30 17:47:53 +00:00
Mark Murray
77de2c3f58 Separate out the Software RNG entropy harvesting queue and thread into its own files.
Submitted by:	 Arthur Mesh <arthurmesh@gmail.com>
2013-08-30 11:42:57 +00:00
Mark Murray
111e60c2ad Remove the short-lived namei experiment. 2013-08-26 19:07:03 +00:00
Mark Murray
f8530155da Snapshot of current work;
1) Clean up namespace; only use "Yarrow" where it is Yarrow-specific
or close enough to the Yarrow algorithm. For the rest use a neutral
name.

2) Tidy up headers; put private stuff in private places. More could
be done here.

3) Streamline the hashing/encryption; no need for a 256-bit counter;
128 bits will last for long enough.

There are bits of debug code lying around; these will be removed
at a later stage.
2013-08-26 18:29:51 +00:00
Mark Murray
ddbfa6b19e 1) example (partially humorous random_adaptor, that I call "EXAMPLE")
* It's not meant to be used in a real system, it's there to show how
   the basics of how to create interfaces for random_adaptors. Perhaps
   it should belong in a manual page

2) Move probe.c's functionality in to random_adaptors.c
 * rename random_ident_hardware() to random_adaptor_choose()

3) Introduce a new way to choose (or select) random_adaptors via tunable
"rngs_want" It's a list of comma separated names of adaptors, ordered
by preferences. I.e.:
rngs_want="yarrow,rdrand"

Such setting would cause yarrow to be preferred to rdrand. If neither of
them are available (or registered), then system will default to
something reasonable (currently yarrow). If yarrow is not present, then
we fall back to the adaptor that's first on the list of registered
adaptors.

4) Introduce a way where RNGs can play a role of entropy source. This is
mostly useful for HW rngs.

The way I envision this is that every HW RNG will use this
functionality by default. Functionality to disable this is also present.
I have an example of how to use this in random_adaptor_example.c (see
modload event, and init function)

5) fix kern.random.adaptors from
kern.random.adaptors: yarrowpanicblock
to
kern.random.adaptors: yarrow,panic,block

6) add kern.random.active_adaptor to indicate currently selected
adaptor:
root@freebsd04:~ # sysctl kern.random.active_adaptor
kern.random.active_adaptor: yarrow

Submitted by:	Arthur Mesh <arthurmesh@gmail.com>
2013-08-24 13:54:56 +00:00
David E. O'Brien
5711939b63 * Add random_adaptors.[ch] which is basically a store of random_adaptor's.
random_adaptor is basically an adapter that plugs in to random(4).
  random_adaptor can only be plugged in to random(4) very early in bootup.
  Unplugging random_adaptor from random(4) is not supported, and is probably a
  bad idea anyway, due to potential loss of entropy pools.
  We currently have 3 random_adaptors:
  + yarrow
  + rdrand (ivy.c)
  + nehemeiah

* Remove platform dependent logic from probe.c, and move it into
  corresponding registration routines of each random_adaptor provider.
  probe.c doesn't do anything other than picking a specific random_adaptor
  from a list of registered ones.

* If the kernel doesn't have any random_adaptor adapters present then the
  creation of /dev/random is postponed until next random_adaptor is kldload'ed.

* Fix randomdev_soft.c to refer to its own random_adaptor, instead of a
  system wide one.

Submitted by: arthurmesh@gmail.com, obrien
Obtained from: Juniper Networks
Reviewed by: so (des)
2013-08-09 15:31:50 +00:00
David E. O'Brien
0e6a0799a9 Back out r253779 & r253786. 2013-07-31 17:21:18 +00:00
David E. O'Brien
4e368a0f8f Decouple yarrow from random(4) device.
* Make Yarrow an optional kernel component -- enabled by "YARROW_RNG" option.
  The files sha2.c, hash.c, randomdev_soft.c and yarrow.c comprise yarrow.

* random(4) device doesn't really depend on rijndael-*.  Yarrow, however, does.

* Add random_adaptors.[ch] which is basically a store of random_adaptor's.
  random_adaptor is basically an adapter that plugs in to random(4).
  random_adaptor can only be plugged in to random(4) very early in bootup.
  Unplugging random_adaptor from random(4) is not supported, and is probably a
  bad idea anyway, due to potential loss of entropy pools.
  We currently have 3 random_adaptors:
  + yarrow
  + rdrand (ivy.c)
  + nehemeiah

* Remove platform dependent logic from probe.c, and move it into
  corresponding registration routines of each random_adaptor provider.
  probe.c doesn't do anything other than picking a specific random_adaptor
  from a list of registered ones.

* If the kernel doesn't have any random_adaptor adapters present then the
  creation of /dev/random is postponed until next random_adaptor is kldload'ed.

* Fix randomdev_soft.c to refer to its own random_adaptor, instead of a
  system wide one.

Submitted by: arthurmesh@gmail.com, obrien
Obtained from: Juniper Networks
Reviewed by: obrien
2013-07-29 20:58:09 +00:00
David E. O'Brien
99ff83da74 Decouple yarrow from random(4) device.
* Make Yarrow an optional kernel component -- enabled by "YARROW_RNG" option.
  The files sha2.c, hash.c, randomdev_soft.c and yarrow.c comprise yarrow.

* random(4) device doesn't really depend on rijndael-*.  Yarrow, however, does.

* Add random_adaptors.[ch] which is basically a store of random_adaptor's.
  random_adaptor is basically an adapter that plugs in to random(4).
  random_adaptor can only be plugged in to random(4) very early in bootup.
  Unplugging random_adaptor from random(4) is not supported, and is probably a
  bad idea anyway, due to potential loss of entropy pools.
  We currently have 3 random_adaptors:
  + yarrow
  + rdrand (ivy.c)
  + nehemeiah

* Remove platform dependent logic from probe.c, and move it into
  corresponding registration routines of each random_adaptor provider.
  probe.c doesn't do anything other than picking a specific random_adaptor
  from a list of registered ones.

* If the kernel doesn't have any random_adaptor adapters present then the
  creation of /dev/random is postponed until next random_adaptor is kldload'ed.

* Fix randomdev_soft.c to refer to its own random_adaptor, instead of a
  system wide one.

Submitted by: arthurmesh@gmail.com, obrien
Obtained from: Juniper Networks
Reviewed by: obrien
2013-07-29 20:26:27 +00:00
David E. O'Brien
d0961945bb Refactor random_systat to be a *random_systat. This avoids unnecessary
structure copying in random_ident_hardware(). This change will also help
further modularization of random(4) subsystem.

Submitted by: arthurmesh@gmail.com
Reviewed by: obrien
Obtained from: Juniper Networks
2013-07-09 23:47:28 +00:00
Andrey A. Chernov
2b50ce65be Attempt to mitigate poor initialization of arc4 by one-shot
reinitialization from yarrow right after good entropy is harvested.

Approved by:    secteam (delphij)
MFC after:      1 week
2013-04-19 00:30:52 +00:00
Davide Italiano
36d0b73102 MFcalloutng (r236314 by mav):
Specify that wakeup rate of 7.5-10Hz is enough for yarrow harvesting
thread.

Sponsored by:	Google Summer of Code 2012, iXsystems inc.
Tested by:	flo, marius, ian, markj, Fabian Keil
2013-03-04 16:16:23 +00:00
Xin LI
498b4407b9 Correct a typo introduced in r153575, which gives inverted logic when
handling blocking semantics when seeding.

PR:		kern/143298
Submitted by:	James Juran <james juran baesystems com>
Reviewed by:	markm
MFC after:	3 days
2013-02-26 18:33:23 +00:00
Konstantin Belousov
c5e3d0ab11 Rename the IVY_RNG option to RDRAND_RNG.
Based on submission by:	Arthur Mesh <arthurmesh@gmail.com>
MFC after:	2 weeks
2012-09-13 10:12:16 +00:00
Konstantin Belousov
ef9461ba0e Add support for new Intel on-CPU Bull Mountain random number
generator, found on IvyBridge and supposedly later CPUs, accessible
with RDRAND instruction.

From the Intel whitepapers and articles about Bull Mountain, it seems
that we do not need to perform post-processing of RDRAND results, like
AES-encryption of the data with random IV and keys, which was done for
Padlock. Intel claims that sanitization is performed in hardware.

Make both Padlock and Bull Mountain random generators support code
covered by kernel config options, for the benefit of people who prefer
minimal kernels. Also add the tunables to disable hardware generator
even if detected.

Reviewed by:	markm, secteam (simon)
Tested by:	bapt, Michael Moll <kvedulv@kvedulv.de>
MFC after:	3 weeks
2012-09-05 13:18:51 +00:00
Konstantin Belousov
8c6f8f3d5b Add support for the extended FPU states on amd64, both for native
64bit and 32bit ABIs.  As a side-effect, it enables AVX on capable
CPUs.

In particular:

- Query the CPU support for XSAVE, list of the supported extensions
  and the required size of FPU save area. The hw.use_xsave tunable is
  provided for disabling XSAVE, and hw.xsave_mask may be used to
  select the enabled extensions.

- Remove the FPU save area from PCB and dynamically allocate the
  (run-time sized) user save area on the top of the kernel stack,
  right above the PCB. Reorganize the thread0 PCB initialization to
  postpone it after BSP is queried for save area size.

- The dumppcb, stoppcbs and susppcbs now do not carry the FPU state as
  well. FPU state is only useful for suspend, where it is saved in
  dynamically allocated suspfpusave area.

- Use XSAVE and XRSTOR to save/restore FPU state, if supported and
  enabled.

- Define new mcontext_t flag _MC_HASFPXSTATE, indicating that
  mcontext_t has a valid pointer to out-of-struct extended FPU
  state. Signal handlers are supplied with stack-allocated fpu
  state. The sigreturn(2) and setcontext(2) syscall honour the flag,
  allowing the signal handlers to inspect and manipilate extended
  state in the interrupted context.

- The getcontext(2) never returns extended state, since there is no
  place in the fixed-sized mcontext_t to place variable-sized save
  area. And, since mcontext_t is embedded into ucontext_t, makes it
  impossible to fix in a reasonable way.  Instead of extending
  getcontext(2) syscall, provide a sysarch(2) facility to query
  extended FPU state.

- Add ptrace(2) support for getting and setting extended state; while
  there, implement missed PT_I386_{GET,SET}XMMREGS for 32bit binaries.

- Change fpu_kern KPI to not expose struct fpu_kern_ctx layout to
  consumers, making it opaque. Internally, struct fpu_kern_ctx now
  contains a space for the extended state. Convert in-kernel consumers
  of fpu_kern KPI both on i386 and amd64.

First version of the support for AVX was submitted by Tim Bird
<tim.bird am sony com> on behalf of Sony. This version was written
from scratch.

Tested by:	pho (previous version), Yamagi Burmeister <lists yamagi org>
MFC after:	1 month
2012-01-21 17:45:27 +00:00
David Schultz
a7eaecefba Generate a warning if the kernel's arc4random() is seeded with bogus entropy. 2012-01-16 20:18:10 +00:00
Jung-uk Kim
ee5f87f458 Enable hardware RNG for VIA Nano processors.
PR:		kern/163974
2012-01-09 23:20:30 +00:00
Rebecca Cran
6bccea7c2b Fix typos - remove duplicate "the".
PR:	bin/154928
Submitted by:	Eitan Adler <lists at eitanadler.com>
MFC after: 	3 days
2011-02-21 09:01:34 +00:00
Konstantin Belousov
23b70c1ae2 Finish r210923, 210926. Mark some devices as eternal.
MFC after:	2 weeks
2011-01-04 10:59:38 +00:00
Konstantin Belousov
04c49e68de Use the fpu_kern_enter() interface to properly separate usermode FPU
context from in-kernel execution of padlock instructions and to handle
spurious FPUDNA exceptions that sometime are raised when doing padlock
calculations.

Globally mark crypto(9) kthread as using FPU.

Reviewed by:	pjd
Hardware provided by:	Sentex Communications
Tested by:	  pho
PR:    amd64/135014
MFC after:    1 month
2010-06-05 16:00:53 +00:00
Mark Murray
84e17f8297 There is rubbish here
It is time to take it out
Now it is cleaner
2009-05-25 22:50:11 +00:00
Colin Percival
8c85a7fb78 Make sure arc4random(9) is properly seeded when /etc/rc.d/initrandom returns.
Approved by:	so (cperciva)
Approved by:	re (kensmith)
Security:	FreeBSD-SA-08:11.arc4random
2008-11-24 17:39:39 +00:00
Simon L. B. Nielsen
9790a3cbd4 Correct a random value disclosure in random(4).
Security:	FreeBSD-SA-07:09.random
2007-11-29 16:06:12 +00:00
Julian Elischer
3745c395ec Rename the kthread_xxx (e.g. kthread_create()) calls
to kproc_xxx as they actually make whole processes.
Thos makes way for us to add REAL kthread_create() and friends
that actually make theads. it turns out that most of these
calls actually end up being moved back to the thread version
when it's added. but we need to make this cosmetic change first.

I'd LOVE to do this rename in 7.0  so that we can eventually MFC the
new kthread_xxx() calls.
2007-10-20 23:23:23 +00:00
Robert Watson
5e6868f3d4 Don't save SYSCTL_ADD_*() results in a local variable just to throw them
away; preserve the ones that are needed for further calls in the init
function and ignore the rest entirely.

Found with:	Coverity Prevent(tm)
CID:		563
2007-05-28 18:20:15 +00:00
Robert Watson
d53c5a8872 Rather than repeatedly setting and discarding local variable 'o' based
on the return values of various run-time sysctl additions, just ignore
the return value.

Found with:	Coverity Prevent(tm)
CID:		562
2007-05-27 18:54:58 +00:00
John Baldwin
4d70511ac3 Use pause() rather than tsleep() on stack variables and function pointers. 2007-02-27 17:23:29 +00:00
Robert Watson
acd3428b7d Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
Michael Reifenberger
42936f9334 Now even more style(9)ish.
Submitted by:	pjd
2006-07-13 11:47:36 +00:00
Michael Reifenberger
4fd58e10b2 Use the already stored VIA RNG probe information
instead of probing again.
Adjust style(9) somewhat in probe.c

Reviewed by:	pjd
MFC after:	1 week
2006-07-13 09:15:14 +00:00
Michael Reifenberger
243d8ac855 Use the already stored VIA RNG probe information
instead of probing again.

MFC after:	1 week
2006-07-12 20:29:11 +00:00
John Baldwin
0f180a7cce Change msleep() and tsleep() to not alter the calling thread's priority
if the specified priority is zero.  This avoids a race where the calling
thread could read a snapshot of it's current priority, then a different
thread could change the first thread's priority, then the original thread
would call sched_prio() inside msleep() undoing the change made by the
second thread.  I used a priority of zero as no thread that calls msleep()
or tsleep() should be specifying a priority of zero anyway.

The various places that passed 'curthread->td_priority' or some variant
as the priority now pass 0.
2006-04-17 18:20:38 +00:00
Paul Saab
efbbe8fa79 Remove GIANT from device random.
Submitted by:	ups
2005-12-20 21:41:52 +00:00
Scott Long
e39e116ca2 malloc.h relies on param.h for a definition of MAXCPU. I guess that there is
other header pollution that makes this work right now, but it falls over when
doing a RELENG_5 -> HEAD upgrade.
2005-05-30 05:01:44 +00:00
Mark Murray
3a0323d92f Revert to the more correct array size, and correct a KASSERT to
only allow proper values. ENTROPYSOURCE is a maxval+1, not an
allowable number.

Suggested loose protons in the solution:	phk
Prefers to keep the pH close to seven:		markm
2005-03-29 11:08:45 +00:00
Poul-Henning Kamp
f7e6cbd933 Fix off-by-one (too little!) array size problem.
Detected by:	Coverity (ID#661)
2005-03-18 07:13:35 +00:00
Hajimu UMEMOTO
68527b3aad stop including rijndael-api-fst.h from rijndael.h.
this is required to integrate opencrypto into crypto.
2005-03-11 15:42:51 +00:00
Joerg Wunsch
a5f50ef9e4 netchild's mega-patch to isolate compiler dependencies into a central
place.

This moves the dependency on GCC's and other compiler's features into
the central sys/cdefs.h file, while the individual source files can
then refer to #ifdef __COMPILER_FEATURE_FOO where they by now used to
refer to #if __GNUC__ > 3.1415 && __BARC__ <= 42.

By now, GCC and ICC (the Intel compiler) have been actively tested on
IA32 platforms by netchild.  Extension to other compilers is supposed
to be possible, of course.

Submitted by:	netchild
Reviewed by:	various developers on arch@, some time ago
2005-03-02 21:33:29 +00:00
Ian Dowse
1c7178ce25 Check that we have at least a 586-class CPU before calling do_cpuid().
This fixes booting on a number of 486 processors.

PR:		i386/75686
Reviewed by:	markm
MFC after:	1 week
2005-02-06 16:55:52 +00:00
Poul-Henning Kamp
4c4a94cefe Check O_NONBLOCK not IO_NDELAY.
Don't include vnode.h
2004-12-22 17:29:37 +00:00
John Baldwin
6ac27fe1e6 Don't change the priority to PUSER when sleeping, just keep the current
priority.
2004-11-05 20:15:06 +00:00
Robert Watson
b899bc84c5 (1) Move from O(n) list copies to O(1) list concatenation, which is
supported for STAILQ via STAILQ_CONCAT().

(2) Maintain a count of the number of entries in the thread-local entropy
    fifo so that we can keep the other fifo counts in synch.

MFC after:	3 weeks
MFC with:	randomdev_soft.c revisions 1.5 and 1.6
Suggested by:   jhb (1)
2004-11-03 10:02:50 +00:00
Robert Watson
8f30dde5fe Annotate that get_cyclecount() can be expensive on some platforms,
which juxtaposes nicely with the comment just above on how the
harvest function must be cheap.
2004-10-18 19:29:13 +00:00
Robert Watson
f5c3a74502 Assert that the entropy source category provided by a caller submitting
entropy is valid, as an invalid source will cause dereferencing of an
array of queues to an incorrect memory location.
2004-10-12 14:57:14 +00:00
Robert Watson
a28ce935d9 Modify entropy harvesting locking strategy:
- Trade off granularity to reduce overhead, since the current model
  doesn't appear to reduce contention substantially: move to a single
  harvest mutex protecting harvesting queues, rather than one mutex
  per source plus a mutex for the free list.

- Reduce mutex operations in a harvesting event to 2 from 4, and
  maintain lockless read to avoid mutex operations if the queue is
  full.

- When reaping harvested entries from the queue, move all entries from
  the queue at once, and when done with them, insert them all into a
  thread-local queue for processing; then insert them all into the
  empty fifo at once.  This reduces O(4n) mutex operations to O(2)
  mutex operations per wakeup.

In the future, we may want to look at re-introducing granularity,
although perhaps at the granularity of the source rather than the
source class; both the new and old strategies would cause contention
between different instances of the same source (i.e., multiple
network interfaces).

Reviewed by:	markm
2004-10-09 22:04:13 +00:00
Robert Watson
38c9c1708b Perform a lockless read to test whether an entropy havesting fifo is
full, avoiding the cost of mutex operations if it is.  We re-test
once the mutex is acquired to make sure it's still true before doing
the -modify-write part of the read-modify-write.  Note that due to
the maximum fifo depth being pretty deep, this is unlikely to improve
harvesting performance yet.

Approved by:	markm
2004-08-11 03:33:32 +00:00
Mark Murray
ce46e2059e Add module versions. 2004-08-02 20:42:28 +00:00
Mark Murray
587d5fc63b Start the entropy device insecure/unblocked. I'll be handing over
responsibility for critical randomness requirements (like sshd)
to rc.d/*

Requested by: many
2004-07-18 09:07:58 +00:00
Poul-Henning Kamp
3e019deaed Do a pass over all modules in the kernel and make them return EOPNOTSUPP
for unknown events.

A number of modules return EINVAL in this instance, and I have left
those alone for now and instead taught MOD_QUIESCE to accept this
as "didn't do anything".
2004-07-15 08:26:07 +00:00
John Baldwin
39981fed82 Trim a few things from the dmesg output and stick them under bootverbose to
cut down on the clutter including PCI interrupt routing, MTRR, pcibios,
etc.

Discussed with:	USENIX Cabal
2004-07-01 07:46:29 +00:00
Poul-Henning Kamp
89c9c53da0 Do the dreaded s/dev_t/struct cdev */
Bump __FreeBSD_version accordingly.
2004-06-16 09:47:26 +00:00
Poul-Henning Kamp
41ee9f1c69 Add some missing <sys/module.h> includes which are masked by the
one on death-row in <sys/kernel.h>
2004-05-30 17:57:46 +00:00
Mark Murray
5564b4b984 Add a Davies-Meyer style hash to the output. This is still pure
Nehemiah chip, but the work is all done in hardware.

There are three opportunities to add other entropy; the Data
Buffer, the Cipher's IV and the Cipher's key. A future commit
will exploit these opportunities.
2004-04-17 19:26:53 +00:00
Mark Murray
fa2d865bad More removal of the abortive locking code; malloc buffers when
needed, rather than potentially reusing contents.
2004-04-17 19:23:15 +00:00
Mark Murray
55636152d5 Attempts to make this device Giant-free were ill-conceived as
uiomove(9) is not properly locked. So, return to NEEDGIANT
mode. Later, when uiomove is finely locked, I'll revisit.

While I'm here, provide some temporary debugging output to
help catch blocking startups.
2004-04-16 17:10:54 +00:00
Mark Murray
2a8b87d883 Default to harvesting everything. This is to help give a faster
startup. harvesting can be turned OFF in etc/rc.d/* if it is a
burden.
2004-04-16 17:07:11 +00:00
Mark Murray
f587c6bf9f Fix "sleeping without a mutex" panic. 2004-04-12 09:13:24 +00:00
Yoshihiro Takahashi
55fda92f91 Fix pc98 build. 2004-04-11 09:13:42 +00:00
Mark Murray
e7806b4c0e Reorganise the entropy device so that high-yield entropy sources
can more easily be used INSTEAD OF the hard-working Yarrow.
The only hardware source used at this point is the one inside
the VIA C3 Nehemiah (Stepping 3 and above) CPU. More sources will
be added in due course. Contributions welcome!
2004-04-09 15:47:10 +00:00
John Baldwin
6074439965 kthread_exit() no longer requires Giant, so don't force callers to acquire
Giant just to call kthread_exit().

Requested by:	many
2004-03-05 22:42:17 +00:00
Poul-Henning Kamp
dc08ffec87 Device megapatch 4/6:
Introduce d_version field in struct cdevsw, this must always be
initialized to D_VERSION.

Flip sense of D_NOGIANT flag to D_NEEDGIANT, this involves removing
four D_NOGIANT flags and adding 145 D_NEEDGIANT flags.
2004-02-21 21:10:55 +00:00
Poul-Henning Kamp
74cf585544 Correct the cleanup of the alias dev_t for /dev/urandom: being an
alias it depends on the aliased dev_t and disappears automatically
when that is removed.

Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
2004-02-12 20:46:49 +00:00
Mark Murray
4e3a7a14d9 Fix a major faux pas of mine. I was causing 2 very bad things to
happen in interrupt context; 1) sleep locks, and 2) malloc/free
calls.

1) is fixed by using spin locks instead.

2) is fixed by preallocating a FIFO (implemented with a STAILQ)
   and using elements from this FIFO instead. This turns out
   to be rather fast.

OK'ed by:	re (scottl)
Thanks to:	peter, jhb, rwatson, jake
Apologies to:	*
2003-11-20 15:35:48 +00:00
Mark Murray
0887c8c110 Overhaul the entropy device:
o Each source gets its own queue, which is a FIFO, not a ring buffer.
  The FIFOs are implemented with the sys/queue.h macros. The separation
  is so that a low entropy/high rate source can't swamp the harvester
  with low-grade entropy and destroy the reseeds.

o Each FIFO is limited to 256 (set as a macro, so adjustable) events
  queueable. Full FIFOs are ignored by the harvester. This is to
  prevent memory wastage, and helps to keep the kernel thread CPU
  usage within reasonable limits.

o There is no need to break up the event harvesting into ${burst}
  sized chunks, so retire that feature.

o Break the device away from its roots with the memory device, and
  allow it to get its major number automagically.
2003-11-17 23:02:21 +00:00
Seigo Tanimura
512824f8f7 - Implement selwakeuppri() which allows raising the priority of a
thread being waken up.  The thread waken up can run at a priority as
  high as after tsleep().

- Replace selwakeup()s with selwakeuppri()s and pass appropriate
  priorities.

- Add cv_broadcastpri() which raises the priority of the broadcast
  threads.  Used by selwakeuppri() if collision occurs.

Not objected in:	-arch, -current
2003-11-09 09:17:26 +00:00
Mark Murray
f757589236 Make sure we get all user-written input. This simplifies the
code considerably.

Submitted by:	(forgotten)
[I'll happily acknowledge the submitter if he owns up!]
2003-11-02 10:55:16 +00:00
David E. O'Brien
aad970f1fe Use __FBSDID().
Also some minor style cleanups.
2003-08-24 17:55:58 +00:00
Poul-Henning Kamp
68c2a41e6c Change the sleep identifier to "-" where random normally sleeps. 2003-07-02 08:04:57 +00:00
Poul-Henning Kamp
7ac40f5f59 Gigacommit to improve device-driver source compatibility between
branches:

Initialize struct cdevsw using C99 sparse initializtion and remove
all initializations to default values.

This patch is automatically generated and has been tested by compiling
LINT with all the fields in struct cdevsw in reverse order on alpha,
sparc64 and i386.

Approved by:    re(scottl)
2003-03-03 12:15:54 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Andrey A. Chernov
952b6153de Remove srandom():
1) It is already called in init_main.c:proc0_post()
2) It is called each time read_random_phony() called, because "initialized"
variable is never set to 1.

Approved by:    markm
2003-02-05 15:56:04 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Mark Murray
340a8a91c3 Fix a buffer overrun in /dev/random which, due to the nature of the
kernel memory allocator, is harmless. This could be a problem for
other systems, though. I've modified Darren's patch a little.

Original patch by: Darren Schack, Isilon Systems, Inc <darrens@isilon.com>
Also analysed by:  SGI, and in particular Divy Le Ray of SGI
OK'ed by:          re(rwatson)
2002-12-12 17:38:45 +00:00
Scott Long
316ec49abd Some kernel threads try to do significant work, and the default KSTACK_PAGES
doesn't give them enough stack to do much before blowing away the pcb.
This adds MI and MD code to allow the allocation of an alternate kstack
who's size can be speficied when calling kthread_create.  Passing the
value 0 prevents the alternate kstack from being created.  Note that the
ia64 MD code is missing for now, and PowerPC was only partially written
due to the pmap.c being incomplete there.
Though this patch does not modify anything to make use of the alternate
kstack, acpi and usb are good candidates.

Reviewed by:	jake, peter, jhb
2002-10-02 07:44:29 +00:00
Mark Murray
a0a95acece Remove #ifdef'ed Giant mutex wrappers round debugging statements. 2002-09-21 21:44:19 +00:00
Mark Murray
b0186e2c5c No functional change. Fix comments and whitespace. 2002-09-21 21:40:02 +00:00
Mark Murray
bbf09ad887 Upgrade the random device to use a "real" hash instead of building
one out of a block cipher. This has 2 advantages:
1) The code is _much_ simpler
2) We aren't committing our security to one algorithm (much as we
   may think we trust AES).

While I'm here, make an explicit reseed do a slow reseed instead
of a fast; this is in line with what the original paper suggested.
2002-07-15 13:58:35 +00:00