diff options
| author | Conrad Meyer <cem@FreeBSD.org> | 2020-10-10 21:48:06 +0000 |
|---|---|---|
| committer | Conrad Meyer <cem@FreeBSD.org> | 2020-10-10 21:48:06 +0000 |
| commit | 10b1a17594a27f83c3ddbce44814f15a0b6bab91 (patch) | |
| tree | fd4767cadb7447afff7aca06e8ade82fdbe06741 /sys/libkern | |
| parent | a3c41f8bfbc713e748ee00dd61316c15eea9b3d1 (diff) | |
| download | src-10b1a17594a27f83c3ddbce44814f15a0b6bab91.tar.gz src-10b1a17594a27f83c3ddbce44814f15a0b6bab91.zip | |
arc4random(9): Integrate with RANDOM_FENESTRASX push-reseed
There is no functional change for the existing Fortuna random(4)
implementation, which remains the default in GENERIC.
In the FenestrasX model, when the root CSPRNG is reseeded from pools due to
an (infrequent) timer, child CSPRNGs can cheaply detect this condition and
reseed. To do so, they just need to track an additional 64-bit value in the
associated state, and compare it against the root seed version (generation)
on random reads.
This revision integrates arc4random(9) into that model without substantially
changing the design or implementation of arc4random(9). The motivation is
that arc4random(9) is immediately reseeded when the backing random(4)
implementation has additional entropy. This is arguably most important
during boot, when fenestrasX is reseeding at 1, 3, 9, 27, etc., second
intervals. Today, arc4random(9) has a hardcoded 300 second reseed window.
Without this mechanism, if arc4random(9) gets weak entropy during initial
seed (and arc4random(9) is used early in boot, so this is quite possible),
it may continue to emit poorly seeded output for 5 minutes. The FenestrasX
push-reseed scheme corrects consumers, like arc4random(9), as soon as
possible.
Reviewed by: markm
Approved by: csprng (markm)
Differential Revision: https://reviews.freebsd.org/D22838
Notes
Notes:
svn path=/head/; revision=366621
Diffstat (limited to 'sys/libkern')
| -rw-r--r-- | sys/libkern/arc4random.c | 38 |
1 files changed, 36 insertions, 2 deletions
diff --git a/sys/libkern/arc4random.c b/sys/libkern/arc4random.c index 4f733e5cef81..c5ab50a80015 100644 --- a/sys/libkern/arc4random.c +++ b/sys/libkern/arc4random.c @@ -40,10 +40,14 @@ __FBSDID("$FreeBSD$"); #include <sys/smp.h> #include <sys/time.h> +#include <machine/cpu.h> + #include <crypto/chacha20/chacha.h> #include <crypto/sha2/sha256.h> #include <dev/random/randomdev.h> -#include <machine/cpu.h> +#ifdef RANDOM_FENESTRASX +#include <dev/random/fenestrasX/fx_pub.h> +#endif #define CHACHA20_RESEED_BYTES 65536 #define CHACHA20_RESEED_SECONDS 300 @@ -52,7 +56,9 @@ __FBSDID("$FreeBSD$"); CTASSERT(CHACHA20_KEYBYTES*8 >= CHACHA_MINKEYLEN); +#ifndef RANDOM_FENESTRASX int arc4rand_iniseed_state = ARC4_ENTR_NONE; +#endif MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures"); @@ -62,6 +68,9 @@ struct chacha20_s { time_t t_reseed; u_int8_t m_buffer[CHACHA20_BUFFER_SIZE]; struct chacha_ctx ctx; +#ifdef RANDOM_FENESTRASX + uint64_t seed_version; +#endif } __aligned(CACHE_LINE_SIZE); static struct chacha20_s *chacha20inst = NULL; @@ -79,7 +88,10 @@ chacha20_randomstir(struct chacha20_s *chacha20) { struct timeval tv_now; u_int8_t key[CHACHA20_KEYBYTES]; +#ifdef RANDOM_FENESTRASX + uint64_t seed_version; +#else if (__predict_false(random_bypass_before_seeding && !is_random_seeded())) { SHA256_CTX ctx; uint64_t cc; @@ -106,6 +118,10 @@ chacha20_randomstir(struct chacha20_s *chacha20) "make sure 256 bits is still 256 bits"); SHA256_Final(key, &ctx); } else { +#endif +#ifdef RANDOM_FENESTRASX + read_random_key(key, CHACHA20_KEYBYTES, &seed_version); +#else /* * If the loader(8) did not have an entropy stash from the * previous shutdown to load, then we will block. The answer is @@ -117,6 +133,7 @@ chacha20_randomstir(struct chacha20_s *chacha20) */ read_random(key, CHACHA20_KEYBYTES); } +#endif getmicrouptime(&tv_now); mtx_lock(&chacha20->mtx); chacha_keysetup(&chacha20->ctx, key, CHACHA20_KEYBYTES*8); @@ -124,6 +141,9 @@ chacha20_randomstir(struct chacha20_s *chacha20) /* Reset for next reseed cycle. */ chacha20->t_reseed = tv_now.tv_sec + CHACHA20_RESEED_SECONDS; chacha20->numbytes = 0; +#ifdef RANDOM_FENESTRASX + chacha20->seed_version = seed_version; +#endif mtx_unlock(&chacha20->mtx); } @@ -173,9 +193,13 @@ arc4rand(void *ptr, u_int len, int reseed) u_int length; u_int8_t *p; +#ifdef RANDOM_FENESTRASX + if (__predict_false(reseed)) +#else if (__predict_false(reseed || (arc4rand_iniseed_state == ARC4_ENTR_HAVE && atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED)))) +#endif CHACHA20_FOREACH(chacha20) chacha20_randomstir(chacha20); @@ -185,8 +209,18 @@ arc4rand(void *ptr, u_int len, int reseed) if ((chacha20->numbytes > CHACHA20_RESEED_BYTES) || (tv.tv_sec > chacha20->t_reseed)) chacha20_randomstir(chacha20); - p = ptr; mtx_lock(&chacha20->mtx); +#ifdef RANDOM_FENESTRASX + if (__predict_false( + atomic_load_acq_64(&fxrng_root_generation) != chacha20->seed_version + )) { + mtx_unlock(&chacha20->mtx); + chacha20_randomstir(chacha20); + mtx_lock(&chacha20->mtx); + } +#endif + + p = ptr; while (len) { length = MIN(CHACHA20_BUFFER_SIZE, len); chacha_encrypt_bytes(&chacha20->ctx, chacha20->m_buffer, p, length); |