Commit Graph

245 Commits

Author SHA1 Message Date
Conrad Meyer
22eedc9722 random(4): Fix a regression in short AES mode reads
In r349154, random device reads of size < 16 bytes (AES block size) were
accidentally broken to loop forever.  Correct the loop condition for small
reads.

Reported by:	pho
Reviewed by:	delphij
Approved by:	secteam(delphij)
Differential Revision:	https://reviews.freebsd.org/D20686
2019-06-18 18:50:58 +00:00
Conrad Meyer
179f62805c random(4): Fortuna: allow increased concurrency
Add experimental feature to increase concurrency in Fortuna.  As this
diverges slightly from canonical Fortuna, and due to the security
sensitivity of random(4), it is off by default.  To enable it, set the
tunable kern.random.fortuna.concurrent_read="1".  The rest of this commit
message describes the behavior when enabled.

Readers continue to update shared Fortuna state under global mutex, as they
do in the status quo implementation of the algorithm, but shift the actual
PRF generation out from under the global lock.  This massively reduces the
CPU time readers spend holding the global lock, allowing for increased
concurrency on SMP systems and less bullying of the harvestq kthread.

It is somewhat of a deviation from FS&K.  I think the primary difference is
that the specific sequence of AES keys will differ if READ_RANDOM_UIO is
accessed concurrently (as the 2nd thread to take the mutex will no longer
receive a key derived from rekeying the first thread).  However, I believe
the goals of rekeying AES are maintained: trivially, we continue to rekey
every 1MB for the statistical property; and each consumer gets a
forward-secret, independent AES key for their PRF.

Since Chacha doesn't need to rekey for sequences of any length, this change
makes no difference to the sequence of Chacha keys and PRF generated when
Chacha is used in place of AES.

On a GENERIC 4-thread VM (so, INVARIANTS/WITNESS, numbers not necessarily
representative), 3x concurrent AES performance jumped from ~55 MiB/s per
thread to ~197 MB/s per thread.  Concurrent Chacha20 at 3 threads went from
roughly ~113 MB/s per thread to ~430 MB/s per thread.

Prior to this change, the system was extremely unresponsive with 3-4
concurrent random readers; each thread had high variance in latency and
throughput, depending on who got lucky and won the lock.  "rand_harvestq"
thread CPU use was high (double digits), seemingly due to spinning on the
global lock.

After the change, concurrent random readers and the system in general are
much more responsive, and rand_harvestq CPU use dropped to basically zero.

Tests are added to the devrandom suite to ensure the uint128_add64 primitive
utilized by unlocked read functions to specification.

Reviewed by:	markm
Approved by:	secteam(delphij)
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D20313
2019-06-17 20:29:13 +00:00
Conrad Meyer
d0d71d818c random(4): Generalize algorithm-independent APIs
At a basic level, remove assumptions about the underlying algorithm (such as
output block size and reseeding requirements) from the algorithm-independent
logic in randomdev.c.  Chacha20 does not have many of the restrictions that
AES-ICM does as a PRF (Pseudo-Random Function), because it has a cipher
block size of 512 bits.  The motivation is that by generalizing the API,
Chacha is not penalized by the limitations of AES.

In READ_RANDOM_UIO, first attempt to NOWAIT allocate a large enough buffer
for the entire user request, or the maximal input we'll accept between
signal checking, whichever is smaller.  The idea is that the implementation
of any randomdev algorithm is then free to divide up large requests in
whatever fashion it sees fit.

As part of this, two responsibilities from the "algorithm-generic" randomdev
code are pushed down into the Fortuna ra_read implementation (and any other
future or out-of-tree ra_read implementations):

  1. If an algorithm needs to rekey every N bytes, it is responsible for
  handling that in ra_read(). (I.e., Fortuna's 1MB rekey interval for AES
  block generation.)

  2. If an algorithm uses a block cipher that doesn't tolerate partial-block
  requests (again, e.g., AES), it is also responsible for handling that in
  ra_read().

Several APIs are changed from u_int buffer length to the more canonical
size_t.  Several APIs are changed from taking a blockcount to a bytecount,
to permit PRFs like Chacha20 to directly generate quantities of output that
are not multiples of RANDOM_BLOCKSIZE (AES block size).

The Fortuna algorithm is changed to NOT rekey every 1MiB when in Chacha20
mode (kern.random.use_chacha20_cipher="1").  This is explicitly supported by
the math in FS&K §9.4 (Ferguson, Schneier, and Kohno; "Cryptography
Engineering"), as well as by their conclusion: "If we had a block cipher
with a 256-bit [or greater] block size, then the collisions would not
have been an issue at all."

For now, continue to break up reads into PAGE_SIZE chunks, as they were
before.  So, no functional change, mostly.

Reviewed by:	markm
Approved by:	secteam(delphij)
Differential Revision:	https://reviews.freebsd.org/D20312
2019-06-17 15:09:12 +00:00
Conrad Meyer
403c041316 random(4): Add regression tests for uint128 implementation, Chacha CTR
Add some basic regression tests to verify behavior of both uint128
implementations at typical boundary conditions, to run on all architectures.

Test uint128 increment behavior of Chacha in keystream mode, as used by
'kern.random.use_chacha20_cipher=1' (r344913) to verify assumptions at edge
cases.  These assumptions are critical to the safety of using Chacha as a
PRF in Fortuna (as implemented).

(Chacha's use in arc4random is safe regardless of these tests, as it is
limited to far less than 4 billion blocks of output in that API.)

Reviewed by:	markm
Approved by:	secteam(gordon)
Differential Revision:	https://reviews.freebsd.org/D20392
2019-06-17 14:59:45 +00:00
Conrad Meyer
5ca5dfe938 random(4): Fix RANDOM_LOADABLE build
I introduced an obvious compiler error in r346282, so this change fixes
that.

Unfortunately, RANDOM_LOADABLE isn't covered by our existing tinderbox, and
it seems like there were existing latent linking problems.  I believe these
were introduced on accident in r338324 during reduction of the boolean
expression(s) adjacent to randomdev.c and hash.c.  It seems the
RANDOM_LOADABLE build breakage has gone unnoticed for nine months.

This change correctly annotates randomdev.c and hash.c with !random_loadable
to match the pre-r338324 logic; and additionally updates the HWRNG drivers
in MD 'files.*', which depend on random_device symbols, with
!random_loadable (it is invalid for the kernel to depend on symbols from a
module).

(The expression for both randomdev.c and hash.c was the same, prior to
r338324: "optional random random_yarrow | random !random_yarrow
!random_loadable".  I.e., "random && (yarrow || !loadable)."  When Yarrow
was removed ("yarrow := False"), the expression was incorrectly reduced to
"optional random" when it should have retained "random && !loadable".)

Additionally, I discovered that virtio_random was missing a MODULE_DEPEND on
random_device, which breaks kld load/link of the driver on RANDOM_LOADABLE
kernels.  Address that issue as well.

PR:		238223
Reported by:	Eir Nym <eirnym AT gmail.com>
Reviewed by:	delphij, markm
Approved by:	secteam(delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D20466
2019-06-01 01:22:21 +00:00
Conrad Meyer
00e0e488a0 random(4): deduplicate explicit_bzero() in harvest
Pull the responsibility for zeroing events, which is general to any
conceivable implementation of a random device algorithm, out of the
algorithm-specific Fortuna code and into the callers.  Most callers
indirect through random_fortuna_process_event(), so add the logic there.
Most callers already explicitly bzeroed the events they provided, so the
logic in Fortuna was mostly redundant.

Add one missing bzero in randomdev_accumulate().  Also, remove a redundant
bzero in the same function -- randomdev_hash_finish() is obliged to bzero
the hash state.

Reviewed by:	delphij
Approved by:	secteam(delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D20318
2019-05-23 21:02:27 +00:00
Konstantin Belousov
7c5a46a1bc Remove resolver_qual from DEFINE_IFUNC/DEFINE_UIFUNC macros.
In all practical situations, the resolver visibility is static.

Requested by:	markj
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Approved by:	so (emaste)
Differential revision:	https://reviews.freebsd.org/D20281
2019-05-16 22:20:54 +00:00
Conrad Meyer
e8e1f0b420 Fortuna: Fix false negatives in is_random_seeded()
(1) We may have had sufficient entropy to consider Fortuna seeded, but the
random_fortuna_seeded() function would produce a false negative if
fs_counter was still zero.  This condition could arise after
random_harvestq_prime() processed the /boot/entropy file and before any
read-type operation invoked "pre_read()."  Fortuna's fs_counter variable is
only incremented (if certain conditions are met) by reseeding, which is
invoked by random_fortuna_pre_read().

is_random_seeded(9) was introduced in r346282, but the function was unused
prior to r346358, which introduced this regression.  The regression broke
initial seeding of arc4random(9) and broke periodic reseeding[A], until something
other than arc4random(9) invoked read_random(9) or read_random_uio(9) directly.
(Such as userspace getrandom(2) or read(2) of /dev/random.  By default,
/etc/rc.d/random does this during multiuser start-up.)

(2) The conditions under which Fortuna will reseed (including initial seeding)
are: (a) sufficient "entropy" (by sheer byte count; default 64) is collected
in the zeroth pool (of 32 pools), and (b) it has been at least 100ms since
the last reseed (to prevent trivial DoS; part of FS&K design).  Prior to
this revision, initial seeding might have been prevented if the reseed
function was invoked during the first 100ms of boot.

This revision addresses both of these issues.  If random_fortuna_seeded()
observes a zero fs_counter, it invokes random_fortuna_pre_read() and checks
again.  This addresses the problem where entropy actually was sufficient,
but nothing had attempted a read -> pre_read yet.

The second change is to disable the 100ms reseed guard when Fortuna has
never been seeded yet (fs_lasttime == 0).  The guard is intended to prevent
gratuitous subsequent reseeds, not initial seeding!

Machines running CURRENT between r346358 and this revision are encouraged to
refresh when possible.  Keys generated by userspace with /dev/random or
getrandom(9) during this timeframe are safe, but any long-term session keys
generated by kernel arc4random consumers are potentially suspect.

[A]: Broken in the sense that is_random_seeded(9) false negatives would cause
arc4random(9) to (re-)seed with weak entropy (SHA256(cyclecount ||
FreeBSD_version)).

PR:		237869
Reported by:	delphij, dim
Reviewed by:	delphij
Approved by:	secteam(delphij)
X-MFC-With:	r346282, r346358 (if ever)
Security:	yes
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D20239
2019-05-13 19:35:35 +00:00
Mark Johnston
b870199522 Avoid returning a NULL pointer from the Intel hw PRNG ifunc resolver.
DTrace expects kernel function symbols of a non-zero size to have an
implementation, which is a reasonable invariant to preserve.

Reported and tested by:	ler
Reviewed by:	cem, kib
Approved by:	so (delphij)
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D20218
2019-05-10 04:28:17 +00:00
Conrad Meyer
e01ada5c44 random(4): Don't complain noisily when an entropy source is slow
Mjg@ reports that RDSEED (r347239) causes a lot of logspam from this printf,
and I don't feel that it is especially useful (even ratelimited).  There are
many other quality/quantity checks we're not performing on entropy sources;
lack of high frequency availability does not disqualify a good entropy
source.

There is some discussion in the linked Differential about what logging might
be appropriate and/or polling policy for slower TRNG sources.  Please feel
free to chime in if you have opinions.

Reported by:	mjg
Reviewed by:	markm, delphij
Approved by:	secteam(delphij)
X-MFC-With:	r347239
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D20195
2019-05-08 14:54:32 +00:00
Conrad Meyer
2cb54a800c random: x86 driver: Prefer RDSEED over RDRAND when available
Per
https://software.intel.com/en-us/blogs/2012/11/17/the-difference-between-rdrand-and-rdseed
, RDRAND is a PRNG seeded from the same source as RDSEED.  The source is
more suitable as PRNG seed material, so prefer it when the RDSEED intrinsic
is available (indicated in CPU feature bits).

Reviewed by:	delphij, jhb, imp (earlier version)
Approved by:	secteam(delphij)
Security:	yes
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D20192
2019-05-08 00:45:16 +00:00
Conrad Meyer
3782136ff1 random(4): Restore availability tradeoff prior to r346250
As discussed in that commit message, it is a dangerous default.  But the
safe default causes enough pain on a variety of platforms that for now,
restore the prior default.

Some of this is self-induced pain we should/could do better about; for
example, programmatic CI systems and VM managers should introduce entropy
from the host for individual VM instances.  This is considered a future work
item.

On modern x86 and Power9 systems, this may be wholly unnecessary after
D19928 lands (even in the non-ideal case where early /boot/entropy is
unavailable), because they have fast hardware random sources available early
in boot.  But D19928 is not yet landed and we have a host of architectures
which do not provide fast random sources.

This change adds several tunables and diagnostic sysctls, documented
thoroughly in UPDATING and sys/dev/random/random_infra.c.

PR:		230875 (reopens)
Reported by:	adrian, jhb, imp, and probably others
Reviewed by:	delphij, imp (earlier version), markm (earlier version)
Discussed with:	adrian
Approved by:	secteam(delphij)
Relnotes:	yeah
Security:	related
Differential Revision:	https://reviews.freebsd.org/D19944
2019-04-18 20:48:54 +00:00
Conrad Meyer
f3d2512db6 random(4): Add is_random_seeded(9) KPI
The imagined use is for early boot consumers of random to be able to make
decisions based on whether random is available yet or not.  One such
consumer seems to be __stack_chk_init(), which runs immediately after random
is initialized.  A follow-up patch will attempt to address that.

Reported by:	many
Reviewed by:	delphij (except man page)
Approved by:	secteam(delphij)
Differential Revision:	https://reviews.freebsd.org/D19926
2019-04-16 17:12:17 +00:00
Conrad Meyer
13774e8228 random(4): Block read_random(9) on initial seeding
read_random() is/was used, mostly without error checking, in a lot of
very sensitive places in the kernel -- including seeding the widely used
arc4random(9).

Most uses, especially arc4random(9), should block until the device is seeded
rather than proceeding with a bogus or empty seed.  I did not spy any
obvious kernel consumers where blocking would be inappropriate (in the
sense that lack of entropy would be ok -- I did not investigate locking
angle thoroughly).  In many instances, arc4random_buf(9) or that family
of APIs would be more appropriate anyway; that work was done in r345865.

A minor cleanup was made to the implementation of the READ_RANDOM function:
instead of using a variable-length array on the stack to temporarily store
all full random blocks sufficient to satisfy the requested 'len', only store
a single block on the stack.  This has some benefit in terms of reducing
stack usage, reducing memcpy overhead and reducing devrandom output leakage
via the stack.  Additionally, the stack block is now safely zeroed if it was
used.

One caveat of this change is that the kern.arandom sysctl no longer returns
zero bytes immediately if the random device is not seeded.  This means that
FreeBSD-specific userspace applications which attempted to handle an
unseeded random device may be broken by this change.  If such behavior is
needed, it can be replaced by the more portable getrandom(2) GRND_NONBLOCK
option.

On any typical FreeBSD system, entropy is persisted on read/write media and
used to seed the random device very early in boot, and blocking is never a
problem.

This change primarily impacts the behavior of /dev/random on embedded
systems with read-only media that do not configure "nodevice random".  We
toggle the default from 'charge on blindly with no entropy' to 'block
indefinitely.'  This default is safer, but may cause frustration.  Embedded
system designers using FreeBSD have several options.  The most obvious is to
plan to have a small writable NVRAM or NAND to persist entropy, like larger
systems.  Early entropy can be fed from any loader, or by writing directly
to /dev/random during boot.  Some embedded SoCs now provide a fast hardware
entropy source; this would also work for quickly seeding Fortuna.  A 3rd
option would be creating an embedded-specific, more simplistic random
module, like that designed by DJB in [1] (this design still requires a small
rewritable media for forward secrecy).  Finally, the least preferred option
might be "nodevice random", although I plan to remove this in a subsequent
revision.

To help developers emulate the behavior of these embedded systems on
ordinary workstations, the tunable kern.random.block_seeded_status was
added.  When set to 1, it blocks the random device.

I attempted to document this change in random.4 and random.9 and ran into a
bunch of out-of-date or irrelevant or inaccurate content and ended up
rototilling those documents more than I intended to.  Sorry.  I think
they're in a better state now.

PR:		230875
Reviewed by:	delphij, markm (earlier version)
Approved by:	secteam(delphij), devrandom(markm)
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D19744
2019-04-15 18:40:36 +00:00
Marcin Wojtas
4ee7d3b011 Allow using TPM as entropy source.
TPM has a built-in RNG, with its own entropy source.
The driver was extended to harvest 16 random bytes from TPM every 10 seconds.
A new build option "TPM_HARVEST" was introduced - for now, however, it
is not enabled by default in the GENERIC config.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: markm, delphij
Approved by: secteam
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19620
2019-03-23 05:13:51 +00:00
Conrad Meyer
ab69c4858c Fortuna: Add Chacha20 as an alternative stream cipher
Chacha20 with a 256 bit key and 128 bit counter size is a good match for an
AES256-ICM replacement.

In userspace, Chacha20 is typically marginally slower than AES-ICM on
machines with AESNI intrinsics, but typically much faster than AES on
machines without special intrinsics.  ChaCha20 does well on typical modern
architectures with SIMD instructions, which includes most types of machines
FreeBSD runs on.

In the kernel, we can't (or don't) make use of AESNI intrinsics for
random(4) anyway.  So even on amd64, using Chacha provides a modest
performance improvement in random device throughput today.

This change makes the stream cipher used by random(4) configurable at boot
time with the 'kern.random.use_chacha20_cipher' tunable.

Very rough, non-scientific measurements at the /dev/random device, on a
GENERIC-NODEBUG amd64 VM with 'pv', show a factor of 2.2x higher throughput
for Chacha20 over the existing AES-ICM mode.

Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Differential Revision:	https://reviews.freebsd.org/D19475
2019-03-08 01:17:20 +00:00
Conrad Meyer
e66ccbeaa3 fortuna: Deduplicate kernel vs user includes
No functional change.

Reviewed by:	markj, markm
Approved by:	secteam (delphij), core (brooks)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D19409
2019-03-01 22:51:45 +00:00
Conrad Meyer
51c68d18e2 Fortuna: push CTR-mode loop down into randomdev hash.h interface
As a step towards adding other potential streaming ciphers.  As well as just
pushing the loop down into the rijndael APIs (basically 128-bit wide AES-ICM
mode) to eliminate some excess explicit_bzero().

No functional change intended.

Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D19411
2019-03-01 19:21:45 +00:00
Conrad Meyer
37136b849f random(4): Match enabled sources mask to build options
r287023 and r334450 added build option mechanisms to permanently disable
spammy and/or low quality entropy sources.

Follow-up those changes by updating the 'enabled' sources mask to match.
When sources are compile-time disabled, represent them as disabled in the
source mask, and prevent users from modifying that, like pure sources.
(Modifying the mask bit would have no effect, but users might think it did
if it was not prevented.)

Mostly a cosmetic change.

Reviewed by:	markm
Approved by:	secteam (gordon)
X-MFC-With:	334450
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D17252
2018-10-27 15:09:35 +00:00
Conrad Meyer
9b8d0fe462 Fortuna: Add failpoints to simulate initial seeding conditions
Set debug.fail_point.random_fortuna_pre_read=return(1) and
debug.fail_point.random_fortuna_seeded=return(1) to return to unseeded
status (sort of).  See the Differential URL for more detail.

The goal is to reproduce e.g. Lev's recent CURRENT report[1] about failing
newfs arc4random(3) usage (fixed in r338542).

No functional change when failpoints are not set.

[1]: https://lists.freebsd.org/pipermail/freebsd-current/2018-September/071067.html

Reported by:	lev
Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D17047
2018-10-26 21:03:57 +00:00
Conrad Meyer
7be4093a84 fortuna: Drop global lock to zero stack variables
Also drop explicit zeroing of hash context -- hash finish() operation is
expected to do this.

PR:		230877
Suggested by:	delphij@
Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D16986
2018-10-26 21:00:26 +00:00
Conrad Meyer
9a88479843 Fortuna: fix a correctness issue in reseed (fortuna_pre_read)
'i' counts the number of pools included in the array 's'.  Passing 'i+1' to
reseed_internal() as the number of blocks in 's' is a bogus overrun of the
initialized portion of 's' -- technically UB.

I found this via code inspection, referencing §9.5.2 "Pools" of the Fortuna
chapter, but I would expect Coverity to notice the same issue.
Unfortunately, it doesn't appear to.

Reviewed by:	markm
Approved by:	secteam (gordon)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D16985
2018-10-26 20:55:01 +00:00
Conrad Meyer
5528565a76 Fortuna: Fix a race to prevent reseed spamming
If multiple threads enter fortuna_pre_read contemporaneously, such as via
read(2) or getrandom(2), they could race to check how long it has been since
the last update due to a TOCTOU problem with 'now'.

Here is an example problematic execution:

Thread A:                       Thread B:
now_A = getsbinuptime();
                                now_B = getsbinuptime();  // now_B > now_A
                                RANDOM_RESEED_LOCK();
                                if (now - fs_lasttime > SBT_1S/10) {
                                        fs_lasttime = now;
                                        ... // reseed
                                }
                                RANDOM_RESEED_UNLOCK();
RANDOM_RESEED_LOCK();
if (now_A - fs_lasttime > SBT_1S/10)  // now_A - fs_lasttime underflows
        fs_lasttime = now_A;
        ... // reseed again, despite less than 100ms elapsing
}
RANDOM_RESEED_UNLOCK();

To resolve the race, simply check the current time after we win the lock
race.

If getsbinuptime is perceived to be expensive, another option might be to
just accept the race and validate that fs_lasttime isn't "in the future."
(It should be within the last ~2^31 seconds out of ~2^32 seconds
representable duration.)

Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D16984
2018-10-20 21:09:12 +00:00
Conrad Meyer
93d587e4d0 random(4): Correct a bare zero to the appropriate enum
The convention for updating hc_destination[] is to index with a
random_entropy_source.  Zero happens to match RANDOM_CACHED, which is
correct for this source (early random data).  Spell the zero value as the
enum name instead of the magic constant.

No functional change.

Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D16983
2018-10-20 21:06:15 +00:00
Conrad Meyer
494dda455c Fortuna: trivial static variable cleanup
Remove unnecessary use of function-local static variable.  32 bytes is
small enough to live on the stack.

Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D16937
2018-10-20 20:15:06 +00:00
Conrad Meyer
84880efae7 Fortuna: Add trivial assert to match FS&K definition
FS&K GenerateBlocks function asserts C (counter) != 0.  This should also
be true in our implementation.

Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D16936
2018-10-20 20:12:57 +00:00
Conrad Meyer
90545403e9 Fortuna: Clean up reseeding key material to closer match FS&K
When reseeding, only incorporate actual key material.  Do not include e.g.
the derived key schedules or other AES context.

I don't think the extra material was harmful here, just not beneficial.

Reviewed by:	delphij, markm
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D16934
2018-10-20 19:44:59 +00:00
Xin LI
7a8d266139 random(4): Squash non-error timeout codes from tsleep(9).
In both scenarios a timeout (EWOULDBLOCK) is considered as a
normal condition and the error should not pop up to upper layers.

PR:		231181
Submitted by:	cem
Reported by:	lev
Reviewed by:	vangyzen, markm, delphij
Approved by:	re (kib)
Approved by:	secteam (delphij)
Differential Revision:	https://reviews.freebsd.org/D17049
2018-09-09 17:12:31 +00:00
Mark Murray
19fa89e938 Remove the Yarrow PRNG algorithm option in accordance with due notice
given in random(4).

This includes updating of the relevant man pages, and no-longer-used
harvesting parameters.

Ensure that the pseudo-unit-test still does something useful, now also
with the "other" algorithm instead of Yarrow.

PR:		230870
Reviewed by:	cem
Approved by:	so(delphij,gtetlow)
Approved by:	re(marius)
Differential Revision:	https://reviews.freebsd.org/D16898
2018-08-26 12:51:46 +00:00
Mark Murray
29f9b2a93e Limit the amount of "fast" entropy. We don't need nearly as much
for security, and the excess just slows things down badly.

PR:             230808
Submitted by:   rwmaillists@googlemail.com, but tweeked by me
Reported by:    Danilo Egea Gondolfo <danilo@FreeBSD.org>
Reviewed by:	cem,delphij
Approved by:	re(rgrimes)
Approved by:	so(delphij)
MFC after:      1 Month
Differential Revision:	https://reviews.freebsd.org/D16873
2018-08-24 14:53:46 +00:00
Mark Murray
27064b30f2 Fix braino of mine where the reseeds would happen far too often,
making the kernel process way too busy.

PR:             230808
Submitted by:   Conrad Meyer <cem@FreeBSD.org>
Reported by:    Danilo Egea Gondolfo <danilo@FreeBSD.org>
Reviewed by:	cem,delphij
Approved by:	re(rgrimes)
Approved by:	so(delphij)
MFC after:      1 Month
Security:	Yes
Differential Revision:	https://reviews.freebsd.org/D16872
2018-08-24 14:53:42 +00:00
Justin Hibbits
b14959dacc random: Add PowerPC 'darn' instruction entropy source
Summary:
PowerISA 3.0 adds a 'darn' instruction to "deliver a random number".  This
driver was modeled after (rather, copied and gutted of) the Ivy Bridge
rdrand driver.

This uses the "Conditional Random Number" behavior to remove input bias.

From the ISA reference the 'darn' instruction, and the random number
generator backing it, conforms to the NIST SP800-90B and SP800-90C
standards, compliant to the extent possible at the time the hardware was
designed, and guarantees a minimum 0.5 bits of entropy per bit returned.

Reviewed By:	markm, secteam (delphij)
Approved by:	secteam (delphij)
Differential Revision: https://reviews.freebsd.org/D16552
2018-08-17 03:49:07 +00:00
Matt Macy
a6bc59f203 Reduce overhead of entropy collection
- move harvest mask check inline
- move harvest mask to frequently_read out of actively
  modified cache line
- disable ether_input collection and describe its limitations
  in NOTES

Typically entropy collection in ether_input was stirring zero
in to the entropy pool while at the same time greatly reducing
max pps. This indicates that perhaps we should more closely
scrutinize how much entropy we're getting from a given source
as well as what our actual entropy collection needs are for
seeding Yarrow.

Reviewed by: cem, gallatin, delphij
Approved by: secteam
Differential Revision: https://reviews.freebsd.org/D15526
2018-05-31 21:53:07 +00:00
Conrad Meyer
db488e4f52 random(4): Poll for signals during large reads
Occasionally poll for signals during large reads of the /dev/u?random
devices.  This allows cancellation via SIGINT of accidental invocations of
very large reads.  (A 2GB /dev/random read, which takes about 10 seconds on
my 2017 AMD Zen processor, can be aborted.)

I believe this behavior was intended since 2014 (r273997), just not fully
implemented.

This is motivated by a potential getrandom(2) interface that may not
explicitly forbid extremely large reads on 64-bit platforms -- even larger
than the 2GB limit imposed on devfs I/O by default.  Such reads, if they are
to be allowed, should be cancellable by the user or administrator.

Reviewed by:	delphij
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D14684
2018-03-16 18:50:26 +00:00
Conrad Meyer
849ce31a82 Remove unused error return from API that cannot fail
No implementation of fpu_kern_enter() can fail, and it was causing needless
error checking boilerplate and confusion. Change the return code to void to
match reality.

(This trivial change took nine days to land because of the commit hook on
sys/dev/random.  Please consider removing the hook or otherwise lowering the
bar -- secteam never seems to have free time to review patches.)

Reported by:	Lachlan McIlroy <Lachlan.McIlroy AT isilon.com>
Reviewed by:	delphij
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D14380
2018-02-23 20:15:19 +00:00
Conrad Meyer
e170090541 random(4): Add CCP random source definitions
The implementation will follow (D12723).  For now, get the changes to
commit-protected files out of the way.

Approved by:	secteam (gordon)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D13925
2018-01-16 02:56:27 +00:00
Conrad Meyer
095db7e6e7 random(4): Gather entropy from Pure sources
At initialization, hc_source_mask only includes non-Pure sources.

The patch changes source registration to enable the registered source in the
hc_source_mask bitmask. This mask governs which sources are harvested.

This patch also disallows userspace from disabling such sources.

PR:		222807
Submitted by:	W. Dean Freeman <badfilemagic AT gmail.com>
Reviewed by:	jmg (earlier version), delphij
Approved by:	secteam (delphij)
Obtained from:	HBSD 0054e3e170e083811acc9f3b637f8be8a86c03e7
Security:	yes
Differential Revision:	https://reviews.freebsd.org/D12611
2017-10-07 19:02:03 +00:00
Conrad Meyer
f04c11c32b random(4): Add missing source descriptions
Add source descriptions missed in r260847, r303035.

While here, convert the array to C99 initializers.

Reviewed by:	delphij
Approved by:	secteam (delphij)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D12618
2017-10-07 18:59:29 +00:00
Conrad Meyer
58900beed3 random(4): Discard low entropy inputs
The later fields of the harvest_event structure are predictable and provide
little value to the entropy pool.  Only feed in the relatively high entropy
counter and explicit entropy buffer to increase measured input entropy.

See also:
https://people.freebsd.org/~jmg/vbsdcon_2017_ddfreebsdrng_slides.pdf

PR:		222807
Submitted by:	W. Dean Freeman <badfilemagic AT gmail.com>
Reviewed by:	jmg (earlier version), delphij
Approved by:	secteam (delphij)
Obtained from:	HBSD 8d809124d563937edd84c9c9d5494406e359c55c
Security:	no -- low entropy marginal input has no known negative affect on pool quality
Differential Revision:	https://reviews.freebsd.org/D12610
2017-10-06 18:27:55 +00:00
Mark Murray
150890b0c6 Replace the RC4 algorithm for generating in-kernel secure random
numbers with Chacha20. Keep the API, though, as that is what the
other *BSD's have done.

Use the boot-time entropy stash (if present) to bootstrap the
in-kernel entropy source.

Reviewed by: delphij,rwatson
Approved by: so(delphij)
MFC after: 2 months
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D10048
2017-04-16 09:11:02 +00:00
Simon J. Gerraty
208250ed4d Revert previous commit, until issue with sparc64 resolved.
Approved by:	so (implicit)
2016-06-09 14:44:05 +00:00
Simon J. Gerraty
6aacec26cc Add a prototype for random_harvest_queue to dev/random/random_harvestq.h
This fixes a warning that occurs in a number of files that use the
random_harvest_queue function.

Differential Revision:	https://reviews.freebsd.org/D4229
Submitted by:	stevek@juniper.net
Reviewed by:	markm
Approved by:	so
2016-06-09 01:50:43 +00:00
Eitan Adler
cef367e6a1 Don't repeat the the word 'the'
(one manual change to fix grammar)

Confirmed With: db
Approved by: secteam (not really, but this is a comment typo fix)
2016-05-17 12:52:31 +00:00
Pedro F. Giffuni
32a71a72e1 dev/random: minor spelling fixes in comments.
No functional change.

Reviewed by:	markm
Approved by:	so
2016-05-02 14:35:57 +00:00
Pedro F. Giffuni
7b250b1ec9 dev/random: use our roundup() macro instead of re-implementing it.
While here also use howmany() macro from sys/param.h
No functional change.

Reviewed by:	markm (roundup replacement part)
Approved by:	so
2016-04-25 21:14:32 +00:00
Konstantin Belousov
97b9c34fc2 Fix rdrand_rng.ko and padlock_rng.ko dependencies, making modules
loadable when not compiled into the kernel.

Approved by:	so (delphij)
Sponsored by:	The FreeBSD Foundation
2016-04-16 06:10:47 +00:00
John Baldwin
dd52390836 Don't start the random harvester process until timers are working.
This is a no-op currently, but in kernels with earlier AP startup, the
random kthread was trying to use timeouts with sleeps before timers are
working.  Wait until SI_SUB_KICK_SCHEDULER to start the random kproc.

Reviewed by:	delphij, imp, markm
Approved by:	so
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D5712
2016-03-28 21:51:56 +00:00
Gleb Smirnoff
9389e53fd4 Add missing braces.
Found by:	PVS-Studio
Approved by:	so (implicit)
2016-02-17 21:09:19 +00:00
Allan Jude
7a3f5d11fb Replace sys/crypto/sha2/sha2.c with lib/libmd/sha512c.c
cperciva's libmd implementation is 5-30% faster

The same was done for SHA256 previously in r263218

cperciva's implementation was lacking SHA-384 which I implemented, validated against OpenSSL and the NIST documentation

Extend sbin/md5 to create sha384(1)

Chase dependancies on sys/crypto/sha2/sha2.{c,h} and replace them with sha512{c.c,.h}

Reviewed by:	cperciva, des, delphij
Approved by:	secteam, bapt (mentor)
MFC after:	2 weeks
Sponsored by:	ScaleEngine Inc.
Differential Revision:	https://reviews.freebsd.org/D3929
2015-12-27 17:33:59 +00:00
Mark Murray
dcabe03158 Fix printf-like formats for KASSERT.
Submitted by:	jenkins
Approved by:	so (/dev/random blanket)
2015-10-05 10:45:52 +00:00