aboutsummaryrefslogtreecommitdiff
path: root/sys/libkern
diff options
context:
space:
mode:
authorConrad Meyer <cem@FreeBSD.org>2020-10-10 21:48:06 +0000
committerConrad Meyer <cem@FreeBSD.org>2020-10-10 21:48:06 +0000
commit10b1a17594a27f83c3ddbce44814f15a0b6bab91 (patch)
treefd4767cadb7447afff7aca06e8ade82fdbe06741 /sys/libkern
parenta3c41f8bfbc713e748ee00dd61316c15eea9b3d1 (diff)
downloadsrc-10b1a17594a27f83c3ddbce44814f15a0b6bab91.tar.gz
src-10b1a17594a27f83c3ddbce44814f15a0b6bab91.zip
arc4random(9): Integrate with RANDOM_FENESTRASX push-reseed
There is no functional change for the existing Fortuna random(4) implementation, which remains the default in GENERIC. In the FenestrasX model, when the root CSPRNG is reseeded from pools due to an (infrequent) timer, child CSPRNGs can cheaply detect this condition and reseed. To do so, they just need to track an additional 64-bit value in the associated state, and compare it against the root seed version (generation) on random reads. This revision integrates arc4random(9) into that model without substantially changing the design or implementation of arc4random(9). The motivation is that arc4random(9) is immediately reseeded when the backing random(4) implementation has additional entropy. This is arguably most important during boot, when fenestrasX is reseeding at 1, 3, 9, 27, etc., second intervals. Today, arc4random(9) has a hardcoded 300 second reseed window. Without this mechanism, if arc4random(9) gets weak entropy during initial seed (and arc4random(9) is used early in boot, so this is quite possible), it may continue to emit poorly seeded output for 5 minutes. The FenestrasX push-reseed scheme corrects consumers, like arc4random(9), as soon as possible. Reviewed by: markm Approved by: csprng (markm) Differential Revision: https://reviews.freebsd.org/D22838
Notes
Notes: svn path=/head/; revision=366621
Diffstat (limited to 'sys/libkern')
-rw-r--r--sys/libkern/arc4random.c38
1 files changed, 36 insertions, 2 deletions
diff --git a/sys/libkern/arc4random.c b/sys/libkern/arc4random.c
index 4f733e5cef81..c5ab50a80015 100644
--- a/sys/libkern/arc4random.c
+++ b/sys/libkern/arc4random.c
@@ -40,10 +40,14 @@ __FBSDID("$FreeBSD$");
#include <sys/smp.h>
#include <sys/time.h>
+#include <machine/cpu.h>
+
#include <crypto/chacha20/chacha.h>
#include <crypto/sha2/sha256.h>
#include <dev/random/randomdev.h>
-#include <machine/cpu.h>
+#ifdef RANDOM_FENESTRASX
+#include <dev/random/fenestrasX/fx_pub.h>
+#endif
#define CHACHA20_RESEED_BYTES 65536
#define CHACHA20_RESEED_SECONDS 300
@@ -52,7 +56,9 @@ __FBSDID("$FreeBSD$");
CTASSERT(CHACHA20_KEYBYTES*8 >= CHACHA_MINKEYLEN);
+#ifndef RANDOM_FENESTRASX
int arc4rand_iniseed_state = ARC4_ENTR_NONE;
+#endif
MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures");
@@ -62,6 +68,9 @@ struct chacha20_s {
time_t t_reseed;
u_int8_t m_buffer[CHACHA20_BUFFER_SIZE];
struct chacha_ctx ctx;
+#ifdef RANDOM_FENESTRASX
+ uint64_t seed_version;
+#endif
} __aligned(CACHE_LINE_SIZE);
static struct chacha20_s *chacha20inst = NULL;
@@ -79,7 +88,10 @@ chacha20_randomstir(struct chacha20_s *chacha20)
{
struct timeval tv_now;
u_int8_t key[CHACHA20_KEYBYTES];
+#ifdef RANDOM_FENESTRASX
+ uint64_t seed_version;
+#else
if (__predict_false(random_bypass_before_seeding && !is_random_seeded())) {
SHA256_CTX ctx;
uint64_t cc;
@@ -106,6 +118,10 @@ chacha20_randomstir(struct chacha20_s *chacha20)
"make sure 256 bits is still 256 bits");
SHA256_Final(key, &ctx);
} else {
+#endif
+#ifdef RANDOM_FENESTRASX
+ read_random_key(key, CHACHA20_KEYBYTES, &seed_version);
+#else
/*
* If the loader(8) did not have an entropy stash from the
* previous shutdown to load, then we will block. The answer is
@@ -117,6 +133,7 @@ chacha20_randomstir(struct chacha20_s *chacha20)
*/
read_random(key, CHACHA20_KEYBYTES);
}
+#endif
getmicrouptime(&tv_now);
mtx_lock(&chacha20->mtx);
chacha_keysetup(&chacha20->ctx, key, CHACHA20_KEYBYTES*8);
@@ -124,6 +141,9 @@ chacha20_randomstir(struct chacha20_s *chacha20)
/* Reset for next reseed cycle. */
chacha20->t_reseed = tv_now.tv_sec + CHACHA20_RESEED_SECONDS;
chacha20->numbytes = 0;
+#ifdef RANDOM_FENESTRASX
+ chacha20->seed_version = seed_version;
+#endif
mtx_unlock(&chacha20->mtx);
}
@@ -173,9 +193,13 @@ arc4rand(void *ptr, u_int len, int reseed)
u_int length;
u_int8_t *p;
+#ifdef RANDOM_FENESTRASX
+ if (__predict_false(reseed))
+#else
if (__predict_false(reseed ||
(arc4rand_iniseed_state == ARC4_ENTR_HAVE &&
atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED))))
+#endif
CHACHA20_FOREACH(chacha20)
chacha20_randomstir(chacha20);
@@ -185,8 +209,18 @@ arc4rand(void *ptr, u_int len, int reseed)
if ((chacha20->numbytes > CHACHA20_RESEED_BYTES) || (tv.tv_sec > chacha20->t_reseed))
chacha20_randomstir(chacha20);
- p = ptr;
mtx_lock(&chacha20->mtx);
+#ifdef RANDOM_FENESTRASX
+ if (__predict_false(
+ atomic_load_acq_64(&fxrng_root_generation) != chacha20->seed_version
+ )) {
+ mtx_unlock(&chacha20->mtx);
+ chacha20_randomstir(chacha20);
+ mtx_lock(&chacha20->mtx);
+ }
+#endif
+
+ p = ptr;
while (len) {
length = MIN(CHACHA20_BUFFER_SIZE, len);
chacha_encrypt_bytes(&chacha20->ctx, chacha20->m_buffer, p, length);