b0dcb77676
Add experimental feature to increase concurrency in Fortuna. As this diverges slightly from canonical Fortuna, and due to the security sensitivity of random(4), it is off by default. To enable it, set the tunable kern.random.fortuna.concurrent_read="1". The rest of this commit message describes the behavior when enabled. Readers continue to update shared Fortuna state under global mutex, as they do in the status quo implementation of the algorithm, but shift the actual PRF generation out from under the global lock. This massively reduces the CPU time readers spend holding the global lock, allowing for increased concurrency on SMP systems and less bullying of the harvestq kthread. It is somewhat of a deviation from FS&K. I think the primary difference is that the specific sequence of AES keys will differ if READ_RANDOM_UIO is accessed concurrently (as the 2nd thread to take the mutex will no longer receive a key derived from rekeying the first thread). However, I believe the goals of rekeying AES are maintained: trivially, we continue to rekey every 1MB for the statistical property; and each consumer gets a forward-secret, independent AES key for their PRF. Since Chacha doesn't need to rekey for sequences of any length, this change makes no difference to the sequence of Chacha keys and PRF generated when Chacha is used in place of AES. On a GENERIC 4-thread VM (so, INVARIANTS/WITNESS, numbers not necessarily representative), 3x concurrent AES performance jumped from ~55 MiB/s per thread to ~197 MB/s per thread. Concurrent Chacha20 at 3 threads went from roughly ~113 MB/s per thread to ~430 MB/s per thread. Prior to this change, the system was extremely unresponsive with 3-4 concurrent random readers; each thread had high variance in latency and throughput, depending on who got lucky and won the lock. "rand_harvestq" thread CPU use was high (double digits), seemingly due to spinning on the global lock. After the change, concurrent random readers and the system in general are much more responsive, and rand_harvestq CPU use dropped to basically zero. Tests are added to the devrandom suite to ensure the uint128_add64 primitive utilized by unlocked read functions to specification. Reviewed by: markm Approved by: secteam(delphij) Relnotes: yes Differential Revision: https://reviews.freebsd.org/D20313
72 lines
2.7 KiB
C
72 lines
2.7 KiB
C
/*-
|
|
* Copyright (c) 2000-2015 Mark R V Murray
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer
|
|
* in this position and unchanged.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#ifndef SYS_DEV_RANDOM_HASH_H_INCLUDED
|
|
#define SYS_DEV_RANDOM_HASH_H_INCLUDED
|
|
|
|
#include <crypto/chacha20/_chacha.h>
|
|
#include <dev/random/uint128.h>
|
|
|
|
#ifndef _KERNEL
|
|
#define __read_frequently
|
|
#endif
|
|
|
|
/* Keys are formed from cipher blocks */
|
|
#define RANDOM_KEYSIZE 32 /* (in bytes) == 256 bits */
|
|
#define RANDOM_KEYSIZE_WORDS (RANDOM_KEYSIZE/sizeof(uint32_t))
|
|
#define RANDOM_BLOCKSIZE 16 /* (in bytes) == 128 bits */
|
|
#define RANDOM_BLOCKSIZE_WORDS (RANDOM_BLOCKSIZE/sizeof(uint32_t))
|
|
#define RANDOM_KEYS_PER_BLOCK (RANDOM_KEYSIZE/RANDOM_BLOCKSIZE)
|
|
|
|
/* The size of the zero block portion used to form H_d(m) */
|
|
#define RANDOM_ZERO_BLOCKSIZE 64 /* (in bytes) == 512 zero bits */
|
|
|
|
struct randomdev_hash {
|
|
SHA256_CTX sha;
|
|
};
|
|
|
|
union randomdev_key {
|
|
struct {
|
|
keyInstance key; /* Key schedule */
|
|
cipherInstance cipher; /* Rijndael internal */
|
|
};
|
|
struct chacha_ctx chacha;
|
|
};
|
|
|
|
extern bool random_chachamode;
|
|
|
|
void randomdev_hash_init(struct randomdev_hash *);
|
|
void randomdev_hash_iterate(struct randomdev_hash *, const void *, size_t);
|
|
void randomdev_hash_finish(struct randomdev_hash *, void *);
|
|
|
|
void randomdev_encrypt_init(union randomdev_key *, const void *);
|
|
void randomdev_keystream(union randomdev_key *context, uint128_t *, void *, size_t);
|
|
void randomdev_getkey(union randomdev_key *, const void **, size_t *);
|
|
|
|
#endif /* SYS_DEV_RANDOM_HASH_H_INCLUDED */
|