src/sys/dev/random/random_harvestq.c, branch stable/14 FreeBSD source tree random: Make random_source definitions const 2025-09-21T14:52:38+00:00 Mark Johnston markj@FreeBSD.org 2025-08-19T14:06:02+00:00 d93223f34beeb0f57a8bc67fdb9870899934eea8 We can do so trivially, so make these tables read-only. No functional change intended. Reviewed by: cem, emaste MFC after: 2 weeks Sponsored by: Stormshield Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D52003 (cherry picked from commit d5f55356a2fbf8222fb236fe509821e12f1ea456) 
We can do so trivially, so make these tables read-only.  No functional
change intended.

Reviewed by:	cem, emaste
MFC after:	2 weeks
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D52003

(cherry picked from commit d5f55356a2fbf8222fb236fe509821e12f1ea456)
random: Change the entropy harvest event queuing scheme 2025-08-12T12:49:42+00:00 Mark Johnston markj@FreeBSD.org 2025-07-07T15:02:36+00:00 9280aa57a5d262f011030a042aabec97f2de3bf6 The entropy queue stores entropy gathered from environmental sources. Periodically (every 100ms currently), the random kthread will drain this queue and mix it into the CSPRNG's entropy pool(s). The old scheme uses a ring buffer with a mutex to serialize producers, while the sole consumer, the random kthread, avoids using a mutex on the basis that no serialization is needed since nothing else is updating the consumer index. On platforms without total store ordering, however, this isn't sufficient: when a producer inserts a queue entry and updates `ring.in`, there is no guarantee that the consumer will see the updated queue entry upon observing the updated producer index. That is, the update to `ring.in` may be visible before the updated queue entry is visible. As a result, we could end up mixing in zero'ed queue entries, though this race is fairly unlikely in practice given how infrequently the kthread runs. The easiest way to fix this is to make the kthread acquire the mutex as well, and hold it while processing queue entries. However, this might result in a long hold time if there are many queue entries, and we really want the hold times to be short, e.g., to avoid delaying interrupt processing. We could introduce a proper MPSC queue, but this is probably overcomplicated for a consumer which runs at 10Hz. Instead, define two buffers, always with one designated as the "active" buffer. Producers queue entries in the active buffer, and the kthread uses the mutex to atomically flip the two buffers, so it can process entries from the inactive buffer without holding the mutex. This requires more memory, but keeps mutex hold times short and lets us keep the queue implementation very simple. Reviewed by: cem MFC after: 1 month Sponsored by: Stormshield Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D51112 (cherry picked from commit 9940c974029ba53fc00696b3fa1784725c48a9e9) 
The entropy queue stores entropy gathered from environmental sources.
Periodically (every 100ms currently), the random kthread will drain this
queue and mix it into the CSPRNG's entropy pool(s).

The old scheme uses a ring buffer with a mutex to serialize producers,
while the sole consumer, the random kthread, avoids using a mutex on the
basis that no serialization is needed since nothing else is updating the
consumer index.  On platforms without total store ordering, however,
this isn't sufficient: when a producer inserts a queue entry and updates
`ring.in`, there is no guarantee that the consumer will see the updated
queue entry upon observing the updated producer index.  That is, the
update to `ring.in` may be visible before the updated queue entry is
visible.  As a result, we could end up mixing in zero'ed queue entries,
though this race is fairly unlikely in practice given how infrequently
the kthread runs.

The easiest way to fix this is to make the kthread acquire the mutex as
well, and hold it while processing queue entries.  However, this might
result in a long hold time if there are many queue entries, and we
really want the hold times to be short, e.g., to avoid delaying
interrupt processing.

We could introduce a proper MPSC queue, but this is probably
overcomplicated for a consumer which runs at 10Hz.

Instead, define two buffers, always with one designated as the "active"
buffer.  Producers queue entries in the active buffer, and the kthread
uses the mutex to atomically flip the two buffers, so it can process
entries from the inactive buffer without holding the mutex.  This
requires more memory, but keeps mutex hold times short and lets us keep
the queue implementation very simple.

Reviewed by:	cem
MFC after:	1 month
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D51112

(cherry picked from commit 9940c974029ba53fc00696b3fa1784725c48a9e9)
random: Remove ARGSUSED annotations from random_harvestq.c 2025-07-10T13:51:44+00:00 Mark Johnston markj@FreeBSD.org 2025-07-03T17:28:10+00:00 791ac36668d518b3fff35c21176a31cab66c4e9b Such annotations are obsolete, the compiler tells us when parameters are unused. No functional change intended. Reviewed by: cem MFC after: 1 week Sponsored by: Stormshield Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D51114 (cherry picked from commit 5e213d8a7462968e10370506a4905eab0dd48e65) 
Such annotations are obsolete, the compiler tells us when parameters are
unused.  No functional change intended.

Reviewed by:	cem
MFC after:	1 week
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D51114

(cherry picked from commit 5e213d8a7462968e10370506a4905eab0dd48e65)
random: Define a macro for getting the CPU cycle count 2025-07-10T13:51:42+00:00 Mark Johnston markj@FreeBSD.org 2025-07-03T17:27:47+00:00 475a36762f9df862b8cce310fccaed3b36ae3cc6 Entropy queue entries always include the low 32 bits of a CPU cycle count reading. Introduce a macro for this instead of hard-coding get_cyclecount() calls everywhere; this is handy for testing purposes since this way, random(4)'s use of the cycle counter (e.g., the number of bits we use) can be changed in one place. No functional change intended. Reviewed by: cem, delphij MFC after: 1 week Sponsored by: Stormshield Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D51113 (cherry picked from commit e2a96b83404fcee0a079a3c3adbb448b86a38d1e) 
Entropy queue entries always include the low 32 bits of a CPU cycle
count reading.  Introduce a macro for this instead of hard-coding
get_cyclecount() calls everywhere; this is handy for testing purposes
since this way, random(4)'s use of the cycle counter (e.g., the number
of bits we use) can be changed in one place.

No functional change intended.

Reviewed by:	cem, delphij
MFC after:	1 week
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D51113

(cherry picked from commit e2a96b83404fcee0a079a3c3adbb448b86a38d1e)
random: Move entropy harvest queue lock macros to random_harvestq.c 2025-07-10T13:51:41+00:00 Mark Johnston markj@FreeBSD.org 2025-07-03T17:21:37+00:00 11d1a5c57900b9cc77c6b56516c7be3fda4ecc0e They can't be used externally, so it makes no sense to have them in a header. No functional change intended. Reviewed by: cem MFC after: 1 week Sponsored by: Stormshield Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D51111 (cherry picked from commit 4b8b872a9c55c040eb83f917fc8fd2bf908b96a9) 
They can't be used externally, so it makes no sense to have them in a
header.  No functional change intended.

Reviewed by:	cem
MFC after:	1 week
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D51111

(cherry picked from commit 4b8b872a9c55c040eb83f917fc8fd2bf908b96a9)
random: Replace a comment with a static assertion 2025-07-10T13:51:39+00:00 Mark Johnston markj@FreeBSD.org 2025-07-03T17:21:18+00:00 cf1b83414f1e6bbbcbc22470781e67fc7fe430c9 No functional change intended. Reviewed by: cem MFC after: 1 week Sponsored by: Stormshield Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D51110 (cherry picked from commit 6ccf1801f225a5e3e71d5b707646731542a994c7) 
No functional change intended.

Reviewed by:	cem
MFC after:	1 week
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D51110

(cherry picked from commit 6ccf1801f225a5e3e71d5b707646731542a994c7)
Add an Armv8 rndr random number provider 2024-10-21T15:03:26+00:00 Andrew Turner andrew@FreeBSD.org 2023-11-15T17:42:02+00:00 11b099f8030b4c31af7162b835e7b762b0aa4f08 Armv8.5 adds an optional random number generator. This is implemented as two special registers one to read a random number, the other to re-seed the entropy pool before reading a random number. Both registers will set the condition flags to tell the caller they can't produce a random number in a reasonable amount of time. Without a signal to reseed the entropy pool use the latter register to provide random numbers to the kernel pool. If at a later time we had a way to tell the provider if it needs to reseed or not we could use the former. On an Amazon AWS Graviton3 VM this never failed, however this may not be the case on low end CPUs so retry reading the random number 10 times before returning an error. Reviewed by: imp, delphij (csprng) Sponsored by: The FreeBSD Foundation Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D35411 (cherry picked from commit 9eecef052155646fbc5f8f533b952b372572d06a) 
Armv8.5 adds an optional random number generator. This is implemented
as two special registers one to read a random number, the other to
re-seed the entropy pool before reading a random number. Both registers
will set the condition flags to tell the caller they can't produce a
random number in a reasonable amount of time.

Without a signal to reseed the entropy pool use the latter register
to provide random numbers to the kernel pool. If at a later time we
had a way to tell the provider if it needs to reseed or not we could
use the former.

On an Amazon AWS Graviton3 VM this never failed, however this may not
be the case on low end CPUs so retry reading the random number 10 times
before returning an error.

Reviewed by:	imp, delphij (csprng)
Sponsored by:	The FreeBSD Foundation
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D35411

(cherry picked from commit 9eecef052155646fbc5f8f533b952b372572d06a)
random: Avoid magic numbers 2024-09-29T15:24:52+00:00 Colin Percival cperciva@FreeBSD.org 2024-09-18T05:12:04+00:00 0e9cdcc5141e82ac3d9fa8331c3a4ed19933afa9 Move RANDOM_FORTUNA_{NPOOLS,DEFPOOLSIZE} from fortuna.c to fortuna.h and use RANDOM_FORTUNA_DEFPOOLSIZE in random_harvestq.c rather than having a magic (albeit explained in a comment) number. The NPOOLS value will be used in a later commit. Reviewed by: cem MFC after: 1 week Sponsored by: Amazon Differential Revision: https://reviews.freebsd.org/D46693 (cherry picked from commit 32fce09268ddd97efb4412529ba57293554c5985) 
Move RANDOM_FORTUNA_{NPOOLS,DEFPOOLSIZE} from fortuna.c to fortuna.h
and use RANDOM_FORTUNA_DEFPOOLSIZE in random_harvestq.c rather than
having a magic (albeit explained in a comment) number.  The NPOOLS
value will be used in a later commit.

Reviewed by:	cem
MFC after:	1 week
Sponsored by:	Amazon
Differential Revision:	https://reviews.freebsd.org/D46693

(cherry picked from commit 32fce09268ddd97efb4412529ba57293554c5985)
sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16T17:54:36+00:00 Warner Losh imp@FreeBSD.org 2023-08-16T17:54:36+00:00 685dc743dc3b5645e34836464128e1c0558b404b Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/ 
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
random: Ingest extra fast entropy when !seeded 2022-07-20T06:59:40+00:00 Colin Percival cperciva@FreeBSD.org 2022-07-13T00:48:06+00:00 0811ce572394707affe3ad6c17493585940d8ab3 We periodically ingest entropy from pollable entropy sources, but only 8 bytes at a time and only occasionally enough to feed all of Fortuna's pools once per second. This can result in Fortuna remaining unseeded for a nontrivial amount of time when there is no entropy passed in from the boot loader, even if RDRAND is available to quickly provide a large amount of entropy. Detect in random_sources_feed if we are not yet seeded, and increase the amount of immediate entropy harvesting we perform, in order to "fill" Fortuna's entropy pools and avoid having random: randomdev_wait_until_seeded unblock wait stall the boot process when entropy is available. This speeds up the FreeBSD boot in the Firecracker VM by 2.3 seconds. Approved by: csprng (delphij) Sponsored by: https://www.patreon.com/cperciva Differential Revision: https://reviews.freebsd.org/D35802 
We periodically ingest entropy from pollable entropy sources, but only
8 bytes at a time and only occasionally enough to feed all of Fortuna's
pools once per second.  This can result in Fortuna remaining unseeded
for a nontrivial amount of time when there is no entropy passed in from
the boot loader, even if RDRAND is available to quickly provide a large
amount of entropy.

Detect in random_sources_feed if we are not yet seeded, and increase the
amount of immediate entropy harvesting we perform, in order to "fill"
Fortuna's entropy pools and avoid having
  random: randomdev_wait_until_seeded unblock wait
stall the boot process when entropy is available.

This speeds up the FreeBSD boot in the Firecracker VM by 2.3 seconds.

Approved by:	csprng (delphij)
Sponsored by:	https://www.patreon.com/cperciva
Differential Revision:	https://reviews.freebsd.org/D35802