arc4random(9): Integrate with RANDOM_FENESTRASX push-reseed

There is no functional change for the existing Fortuna random(4)
implementation, which remains the default in GENERIC.

In the FenestrasX model, when the root CSPRNG is reseeded from pools due to
an (infrequent) timer, child CSPRNGs can cheaply detect this condition and
reseed.  To do so, they just need to track an additional 64-bit value in the
associated state, and compare it against the root seed version (generation)
on random reads.

This revision integrates arc4random(9) into that model without substantially
changing the design or implementation of arc4random(9).  The motivation is
that arc4random(9) is immediately reseeded when the backing random(4)
implementation has additional entropy.  This is arguably most important
during boot, when fenestrasX is reseeding at 1, 3, 9, 27, etc., second
intervals.  Today, arc4random(9) has a hardcoded 300 second reseed window.
Without this mechanism, if arc4random(9) gets weak entropy during initial
seed (and arc4random(9) is used early in boot, so this is quite possible),
it may continue to emit poorly seeded output for 5 minutes.  The FenestrasX
push-reseed scheme corrects consumers, like arc4random(9), as soon as
possible.

Reviewed by:	markm
Approved by:	csprng (markm)
Differential Revision:	https://reviews.freebsd.org/D22838

sys/dev/random/fenestrasX/fx_brng.c

@@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$");
 
 #include <dev/random/fenestrasX/fx_brng.h>
 #include <dev/random/fenestrasX/fx_priv.h>
+#include <dev/random/fenestrasX/fx_pub.h>
 #include <dev/random/fenestrasX/fx_rng.h>
 
 /*

sys/dev/random/fenestrasX/fx_main.c

@@ -88,7 +88,6 @@
  *   a while).
  *
  * Not yet implemented, not in scope, or todo:
- *  - arc4random(9) injection/replacement
  *  - Userspace portions -- shared page, like timehands vdso?
  */
 
@@ -125,6 +124,7 @@ __FBSDID("$FreeBSD$");
 #include <dev/random/fenestrasX/fx_hash.h>
 #include <dev/random/fenestrasX/fx_pool.h>
 #include <dev/random/fenestrasX/fx_priv.h>
+#include <dev/random/fenestrasX/fx_pub.h>
 #include <dev/random/fenestrasX/fx_rng.h>
 
 struct fxrng_buffered_rng fxrng_root;
@@ -142,7 +142,7 @@ DPCPU_DEFINE_STATIC(struct fxrng_buffered_rng *, fxrng_brng);
  * the root generation number >0.
  */
 static void
-fxrng_alg_read(uint8_t *output, size_t nbytes)
+_fxrng_alg_read(uint8_t *output, size_t nbytes, uint64_t *seed_version_out)
 {
 	struct fxrng_buffered_rng **pcpu_brng_p, *rng, *tmp;
 	struct pcpu *pcpu;
@@ -248,10 +248,32 @@ fxrng_alg_read(uint8_t *output, size_t nbytes)
 have_valid_rng:
 	/* At this point we have a valid, initialized and seeded rng pointer. */
 	FXRNG_BRNG_LOCK(rng);
+	if (seed_version_out != NULL)
+		*seed_version_out = rng->brng_generation;
 	fxrng_brng_read(rng, output, nbytes);
 	FXRNG_BRNG_ASSERT_NOT(rng);
 }
 
+static void
+fxrng_alg_read(uint8_t *output, size_t nbytes)
+{
+	_fxrng_alg_read(output, nbytes, NULL);
+}
+
+/*
+ * External API for arc4random(9) to fetch new key material and associated seed
+ * version in chacha20_randomstir().
+ */
+void
+read_random_key(void *output, size_t nbytes, uint64_t *seed_version_out)
+{
+	/* Ensure _fxrng_alg_read invariant. */
+	if (__predict_false(atomic_load_acq_64(&fxrng_root_generation) == 0))
+		(void)fxrng_alg_seeded();
+
+	_fxrng_alg_read(output, nbytes, seed_version_out);
+}
+
 static void
 fxrng_init_alg(void *dummy __unused)
 {

sys/dev/random/fenestrasX/fx_pool.c

@@ -53,6 +53,7 @@ __FBSDID("$FreeBSD$");
 #include <dev/random/fenestrasX/fx_hash.h>
 #include <dev/random/fenestrasX/fx_pool.h>
 #include <dev/random/fenestrasX/fx_priv.h>
+#include <dev/random/fenestrasX/fx_pub.h>
 
 /*
  * Timer-based reseed interval growth factor and limit in seconds. (§ 3.2)

sys/dev/random/fenestrasX/fx_priv.h

@@ -46,4 +46,3 @@
 #endif
 
 extern struct fxrng_buffered_rng fxrng_root;
-extern uint64_t __read_mostly fxrng_root_generation;

sys/dev/random/fenestrasX/fx_pub.h

@@ -0,0 +1,53 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
+ * Copyright (c) 2019 Conrad Meyer <cem@FreeBSD.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+#pragma once
+
+#include <sys/systm.h>
+
+/*
+ * The root BRNG seed version, or generation.
+ *
+ * FenestrasX-aware downstream CSPRNGs (i.e., arc4random(9)) should track the
+ * generation number they seeded from, using the read_random_key(9) API below.
+ * If their current seed version is older than the root generation, they should
+ * reseed before producing output.
+ *
+ * The variable is read-only outside of the fenestrasX implementation and
+ * should be accessed using 'atomic_load_acq_64(&fxrng_root_generation)'.
+ * Reseeds are extremely infrequent, so callers may wish to hint to the
+ * compiler that a matching generation is the expected case, with
+ * __predict_true() or __predict_false().
+ */
+extern uint64_t __read_mostly fxrng_root_generation;
+
+/*
+ * A routine for generating seed/key material 
+ * Bypasses random(4) for now, but conceivably could be incorporated into that.
+ */
+void read_random_key(void *buf, size_t nbytes, uint64_t *seed_version_out);

sys/dev/random/randomdev.c

@@ -373,8 +373,10 @@ randomdev_unblock(void)
 	selwakeuppri(&rsel, PUSER);
 	wakeup(p_random_alg_context);
 	printf("random: unblocking device.\n");
+#ifndef RANDOM_FENESTRASX
 	/* Do random(9) a favour while we are about it. */
 	(void)atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_NONE, ARC4_ENTR_HAVE);
+#endif
 }
 
 /* ARGSUSED */

sys/libkern/arc4random.c

@@ -40,10 +40,14 @@ __FBSDID("$FreeBSD$");
 #include <sys/smp.h>
 #include <sys/time.h>
 
+#include <machine/cpu.h>
+
 #include <crypto/chacha20/chacha.h>
 #include <crypto/sha2/sha256.h>
 #include <dev/random/randomdev.h>
-#include <machine/cpu.h>
+#ifdef RANDOM_FENESTRASX
+#include <dev/random/fenestrasX/fx_pub.h>
+#endif
 
 #define	CHACHA20_RESEED_BYTES	65536
 #define	CHACHA20_RESEED_SECONDS	300
@@ -52,7 +56,9 @@ __FBSDID("$FreeBSD$");
 
 CTASSERT(CHACHA20_KEYBYTES*8 >= CHACHA_MINKEYLEN);
 
+#ifndef RANDOM_FENESTRASX
 int arc4rand_iniseed_state = ARC4_ENTR_NONE;
+#endif
 
 MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures");
 
@@ -62,6 +68,9 @@ struct chacha20_s {
 	time_t t_reseed;
 	u_int8_t m_buffer[CHACHA20_BUFFER_SIZE];
 	struct chacha_ctx ctx;
+#ifdef RANDOM_FENESTRASX
+	uint64_t seed_version;
+#endif
 } __aligned(CACHE_LINE_SIZE);
 
 static struct chacha20_s *chacha20inst = NULL;
@@ -79,7 +88,10 @@ chacha20_randomstir(struct chacha20_s *chacha20)
 {
 	struct timeval tv_now;
 	u_int8_t key[CHACHA20_KEYBYTES];
+#ifdef RANDOM_FENESTRASX
+	uint64_t seed_version;
 
+#else
 	if (__predict_false(random_bypass_before_seeding && !is_random_seeded())) {
 		SHA256_CTX ctx;
 		uint64_t cc;
@@ -106,6 +118,10 @@ chacha20_randomstir(struct chacha20_s *chacha20)
 		    "make sure 256 bits is still 256 bits");
 		SHA256_Final(key, &ctx);
 	} else {
+#endif
+#ifdef RANDOM_FENESTRASX
+		read_random_key(key, CHACHA20_KEYBYTES, &seed_version);
+#else
 		/*
 		* If the loader(8) did not have an entropy stash from the
 		* previous shutdown to load, then we will block.  The answer is
@@ -117,6 +133,7 @@ chacha20_randomstir(struct chacha20_s *chacha20)
 		*/
 		read_random(key, CHACHA20_KEYBYTES);
 	}
+#endif
 	getmicrouptime(&tv_now);
 	mtx_lock(&chacha20->mtx);
 	chacha_keysetup(&chacha20->ctx, key, CHACHA20_KEYBYTES*8);
@@ -124,6 +141,9 @@ chacha20_randomstir(struct chacha20_s *chacha20)
 	/* Reset for next reseed cycle. */
 	chacha20->t_reseed = tv_now.tv_sec + CHACHA20_RESEED_SECONDS;
 	chacha20->numbytes = 0;
+#ifdef RANDOM_FENESTRASX
+	chacha20->seed_version = seed_version;
+#endif
 	mtx_unlock(&chacha20->mtx);
 }
 
@@ -173,9 +193,13 @@ arc4rand(void *ptr, u_int len, int reseed)
 	u_int length;
 	u_int8_t *p;
 
+#ifdef RANDOM_FENESTRASX
+	if (__predict_false(reseed))
+#else
 	if (__predict_false(reseed ||
 	    (arc4rand_iniseed_state == ARC4_ENTR_HAVE &&
 	    atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED))))
+#endif
 		CHACHA20_FOREACH(chacha20)
 			chacha20_randomstir(chacha20);
 
@@ -185,8 +209,18 @@ arc4rand(void *ptr, u_int len, int reseed)
 	if ((chacha20->numbytes > CHACHA20_RESEED_BYTES) || (tv.tv_sec > chacha20->t_reseed))
 		chacha20_randomstir(chacha20);
 
-	p = ptr;
 	mtx_lock(&chacha20->mtx);
+#ifdef RANDOM_FENESTRASX
+	if (__predict_false(
+	    atomic_load_acq_64(&fxrng_root_generation) != chacha20->seed_version
+	    )) {
+		mtx_unlock(&chacha20->mtx);
+		chacha20_randomstir(chacha20);
+		mtx_lock(&chacha20->mtx);
+	}
+#endif
+
+	p = ptr;
 	while (len) {
 		length = MIN(CHACHA20_BUFFER_SIZE, len);
 		chacha_encrypt_bytes(&chacha20->ctx, chacha20->m_buffer, p, length);

sys/sys/libkern.h

@@ -116,10 +116,12 @@ static __inline int abs(int a) { return (a < 0 ? -a : a); }
 static __inline long labs(long a) { return (a < 0 ? -a : a); }
 static __inline quad_t qabs(quad_t a) { return (a < 0 ? -a : a); }
 
+#ifndef RANDOM_FENESTRASX
 #define	ARC4_ENTR_NONE	0	/* Don't have entropy yet. */
 #define	ARC4_ENTR_HAVE	1	/* Have entropy. */
 #define	ARC4_ENTR_SEED	2	/* Reseeding. */
 extern int arc4rand_iniseed_state;
+#endif
 
 /* Prototypes for non-quad routines. */
 struct malloc_type;