5 files changed, 326 insertions, 112 deletions
diff --git a/sys/dev/random/fenestrasX/fx_pool.c b/sys/dev/random/fenestrasX/fx_pool.c
index d2e6f0db71ee..59273a0a3f9d 100644
--- a/sys/dev/random/fenestrasX/fx_pool.c
+++ b/sys/dev/random/fenestrasX/fx_pool.c
@@ -127,7 +127,7 @@ static const struct fxrng_ent_cls fxrng_garbage = {
  */
 static const struct fxrng_ent_char {
 	const struct fxrng_ent_cls	*entc_cls;
-} fxrng_ent_char[ENTROPYSOURCE] = {
+} fxrng_ent_char[/*ENTROPYSOURCE*/] = {
 	[RANDOM_CACHED] = {
 		.entc_cls = &fxrng_hi_push,
 	},
@@ -164,21 +164,18 @@ static const struct fxrng_ent_char {
 	[RANDOM_CALLOUT] = {
 		.entc_cls = &fxrng_lo_push,
 	},
-	[RANDOM_PURE_OCTEON] = {
-		.entc_cls = &fxrng_hi_push,	/* Could be made pull. */
-	},
-	[RANDOM_PURE_SAFE] = {
-		.entc_cls = &fxrng_hi_push,
-	},
-	[RANDOM_PURE_GLXSB] = {
-		.entc_cls = &fxrng_hi_push,
+	[RANDOM_RANDOMDEV] = {
+		.entc_cls = &fxrng_lo_push,
 	},
-	[RANDOM_PURE_HIFN] = {
+	[RANDOM_PURE_TPM] = {
 		.entc_cls = &fxrng_hi_push,
 	},
 	[RANDOM_PURE_RDRAND] = {
 		.entc_cls = &fxrng_hi_pull,
 	},
+	[RANDOM_PURE_RDSEED] = {
+		.entc_cls = &fxrng_hi_pull,
+	},
 	[RANDOM_PURE_NEHEMIAH] = {
 		.entc_cls = &fxrng_hi_pull,
 	},
@@ -197,13 +194,26 @@ static const struct fxrng_ent_char {
 	[RANDOM_PURE_DARN] = {
 		.entc_cls = &fxrng_hi_pull,
 	},
-	[RANDOM_PURE_TPM] = {
+	[RANDOM_PURE_VMGENID] = {
 		.entc_cls = &fxrng_hi_push,
 	},
-	[RANDOM_PURE_VMGENID] = {
+	[RANDOM_PURE_QUALCOMM] = {
+		.entc_cls = &fxrng_hi_pull,
+	},
+	[RANDOM_PURE_ARMV8] = {
+		.entc_cls = &fxrng_hi_pull,
+	},
+	[RANDOM_PURE_ARM_TRNG] = {
+		.entc_cls = &fxrng_hi_pull,
+	},
+	[RANDOM_PURE_SAFE] = {
+		.entc_cls = &fxrng_hi_push,
+	},
+	[RANDOM_PURE_GLXSB] = {
 		.entc_cls = &fxrng_hi_push,
 	},
 };
+CTASSERT(nitems(fxrng_ent_char) == ENTROPYSOURCE);
 
 /* Useful for single-bit-per-source state. */
 BITSET_DEFINE(fxrng_bits, ENTROPYSOURCE);
diff --git a/sys/dev/random/ivy.c b/sys/dev/random/ivy.c
index fa1e4831f1b9..3eb0f261e6dc 100644
--- a/sys/dev/random/ivy.c
+++ b/sys/dev/random/ivy.c
@@ -1,6 +1,6 @@
 /*-
+ * Copyright (c) 2013, 2025, David E. O'Brien <deo@NUXI.org>
  * Copyright (c) 2013 The FreeBSD Foundation
- * Copyright (c) 2013 David E. O'Brien <obrien@NUXI.org>
  * Copyright (c) 2012 Konstantin Belousov <kib@FreeBSD.org>
  * All rights reserved.
  *
@@ -48,7 +48,6 @@
 
 #define	RETRY_COUNT	10
 
-static bool has_rdrand, has_rdseed;
 static u_int random_ivy_read(void *, u_int);
 
 static const struct random_source random_ivy = {
@@ -57,13 +56,7 @@ static const struct random_source random_ivy = {
 	.rs_read = random_ivy_read
 };
 
-SYSCTL_NODE(_kern_random, OID_AUTO, rdrand, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
-    "rdrand (ivy) entropy source");
 static bool acquire_independent_seed_samples = false;
-SYSCTL_BOOL(_kern_random_rdrand, OID_AUTO, rdrand_independent_seed,
-    CTLFLAG_RWTUN, &acquire_independent_seed_samples, 0,
-    "If non-zero, use more expensive and slow, but safer, seeded samples "
-    "where RDSEED is not present.");
 
 static bool
 x86_rdrand_store(u_long *buf)
@@ -99,45 +92,6 @@ x86_rdrand_store(u_long *buf)
 	return (true);
 }
 
-static bool
-x86_rdseed_store(u_long *buf)
-{
-	u_long rndval;
-	int retry;
-
-	retry = RETRY_COUNT;
-	__asm __volatile(
-	    "1:\n\t"
-	    "rdseed	%1\n\t"	/* read randomness into rndval */
-	    "jc		2f\n\t" /* CF is set on success, exit retry loop */
-	    "dec	%0\n\t" /* otherwise, retry-- */
-	    "jne	1b\n\t" /* and loop if retries are not exhausted */
-	    "2:"
-	    : "+r" (retry), "=r" (rndval) : : "cc");
-	*buf = rndval;
-	return (retry != 0);
-}
-
-static bool
-x86_unimpl_store(u_long *buf __unused)
-{
-
-	panic("%s called", __func__);
-}
-
-DEFINE_IFUNC(static, bool, x86_rng_store, (u_long *buf))
-{
-	has_rdrand = (cpu_feature2 & CPUID2_RDRAND);
-	has_rdseed = (cpu_stdext_feature & CPUID_STDEXT_RDSEED);
-
-	if (has_rdseed)
-		return (x86_rdseed_store);
-	else if (has_rdrand)
-		return (x86_rdrand_store);
-	else
-		return (x86_unimpl_store);
-}
-
 /* It is required that buf length is a multiple of sizeof(u_long). */
 static u_int
 random_ivy_read(void *buf, u_int c)
@@ -148,7 +102,7 @@ random_ivy_read(void *buf, u_int c)
 	KASSERT(c % sizeof(*b) == 0, ("partial read %d", c));
 	b = buf;
 	for (count = c; count > 0; count -= sizeof(*b)) {
-		if (!x86_rng_store(&rndval))
+		if (!x86_rdrand_store(&rndval))
 			break;
 		*b++ = rndval;
 	}
@@ -158,18 +112,33 @@ random_ivy_read(void *buf, u_int c)
 static int
 rdrand_modevent(module_t mod, int type, void *unused)
 {
+	struct sysctl_ctx_list ctx;
+	struct sysctl_oid *o;
+	bool has_rdrand, has_rdseed;
 	int error = 0;
 
+	has_rdrand = (cpu_feature2 & CPUID2_RDRAND);
+	has_rdseed = (cpu_stdext_feature & CPUID_STDEXT_RDSEED);
+
 	switch (type) {
 	case MOD_LOAD:
-		if (has_rdrand || has_rdseed) {
+		if (has_rdrand && !has_rdseed) {
+			sysctl_ctx_init(&ctx);
+			o = SYSCTL_ADD_NODE(&ctx, SYSCTL_STATIC_CHILDREN(_kern_random),
+			    OID_AUTO, "rdrand", CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
+			    "rdrand (ivy) entropy source");
+			SYSCTL_ADD_BOOL(&ctx, SYSCTL_CHILDREN(o), OID_AUTO,
+			    "rdrand_independent_seed", CTLFLAG_RDTUN,
+			    &acquire_independent_seed_samples, 0,
+	"If non-zero, use more expensive and slow, but safer, seeded samples "
+	"where RDSEED is not present.");
 			random_source_register(&random_ivy);
 			printf("random: fast provider: \"%s\"\n", random_ivy.rs_ident);
 		}
 		break;
 
 	case MOD_UNLOAD:
-		if (has_rdrand || has_rdseed)
+		if (has_rdrand && !has_rdseed)
 			random_source_deregister(&random_ivy);
 		break;
 
diff --git a/sys/dev/random/random_harvestq.c b/sys/dev/random/random_harvestq.c
index 84ec174bd08e..296721d2c4e9 100644
--- a/sys/dev/random/random_harvestq.c
+++ b/sys/dev/random/random_harvestq.c
@@ -88,7 +88,7 @@ static void random_sources_feed(void);
 static __read_mostly bool epoch_inited;
 static __read_mostly epoch_t rs_epoch;
 
-static const char *random_source_descr[ENTROPYSOURCE];
+static const char *random_source_descr[];
 
 /*
  * How many events to queue up. We create this many items in
@@ -103,10 +103,13 @@ static const char *random_source_descr[ENTROPYSOURCE];
 volatile int random_kthread_control;
 
 
-/* Allow the sysadmin to select the broad category of
- * entropy types to harvest.
+/*
+ * Allow the sysadmin to select the broad category of entropy types to harvest.
+ *
+ * Updates are synchronized by the harvest mutex.
  */
 __read_frequently u_int hc_source_mask;
+CTASSERT(ENTROPYSOURCE <= sizeof(hc_source_mask) * NBBY);
 
 struct random_sources {
 	CK_LIST_ENTRY(random_sources)	 rrs_entries;
@@ -278,8 +281,15 @@ random_sources_feed(void)
 		epoch_enter_preempt(rs_epoch, &et);
 	CK_LIST_FOREACH(rrs, &source_list, rrs_entries) {
 		for (i = 0; i < npools; i++) {
+			if (rrs->rrs_source->rs_read == NULL) {
+				/* Source pushes entropy asynchronously. */
+				continue;
+			}
 			n = rrs->rrs_source->rs_read(entropy, sizeof(entropy));
-			KASSERT((n <= sizeof(entropy)), ("%s: rs_read returned too much data (%u > %zu)", __func__, n, sizeof(entropy)));
+			KASSERT((n <= sizeof(entropy)),
+			    ("%s: rs_read returned too much data (%u > %zu)",
+			    __func__, n, sizeof(entropy)));
+
 			/*
 			 * Sometimes the HW entropy source doesn't have anything
 			 * ready for us.  This isn't necessarily untrustworthy.
@@ -334,7 +344,17 @@ copy_event(uint32_t dst[static HARVESTSIZE + 1],
 {
 	memset(dst, 0, sizeof(uint32_t) * (HARVESTSIZE + 1));
 	memcpy(dst, event->he_entropy, event->he_size);
-	dst[HARVESTSIZE] = event->he_somecounter;
+	if (event->he_source <= RANDOM_ENVIRONMENTAL_END) {
+		/*
+		 * For pure entropy sources the timestamp counter is generally
+		 * quite determinstic since samples are taken at regular
+		 * intervals, so does not contribute much to the entropy.  To
+		 * make health tests more effective, exclude it from the sample,
+		 * since it might otherwise defeat the health tests in a
+		 * scenario where the source is stuck.
+		 */
+		dst[HARVESTSIZE] = event->he_somecounter;
+	}
 }
 
 static void
@@ -464,11 +484,12 @@ SYSCTL_BOOL(_kern_random, OID_AUTO, nist_healthtest_enabled,
     "Enable NIST SP 800-90B health tests for noise sources");
 
 static void
-random_healthtest_init(enum random_entropy_source source)
+random_healthtest_init(enum random_entropy_source source, int min_entropy)
 {
 	struct health_test_softc *ht;
 
 	ht = &healthtest[source];
+	memset(ht, 0, sizeof(*ht));
 	KASSERT(ht->ht_state == INIT,
 	    ("%s: health test state is %d for source %d",
 	    __func__, ht->ht_state, source));
@@ -485,20 +506,62 @@ random_healthtest_init(enum random_entropy_source source)
 	}
 
 	/*
-	 * Set cutoff values for the two tests, assuming that each sample has
-	 * min-entropy of 1 bit and allowing for an error rate of 1 in 2^{34}.
-	 * With a sample rate of RANDOM_KTHREAD_HZ, we expect to see an false
-	 * positive once in ~54.5 years.
+	 * Set cutoff values for the two tests, given a min-entropy estimate for
+	 * the source and allowing for an error rate of 1 in 2^{34}.  With a
+	 * min-entropy estimate of 1 bit and a sample rate of RANDOM_KTHREAD_HZ,
+	 * we expect to see an false positive once in ~54.5 years.
 	 *
 	 * The RCT limit comes from the formula in section 4.4.1.
 	 *
-	 * The APT cutoff is calculated using the formula in section 4.4.2
+	 * The APT cutoffs are calculated using the formula in section 4.4.2
 	 * footnote 10 with the number of Bernoulli trials changed from W to
 	 * W-1, since the test as written counts the number of samples equal to
-	 * the first sample in the window, and thus tests W-1 samples.
+	 * the first sample in the window, and thus tests W-1 samples.  We
+	 * provide cutoffs for estimates up to sizeof(uint32_t)*HARVESTSIZE*8
+	 * bits.
 	 */
-	ht->ht_rct_limit = 35;
-	ht->ht_apt_cutoff = 330;
+	const int apt_cutoffs[] = {
+		[1] = 329,
+		[2] = 195,
+		[3] = 118,
+		[4] = 73,
+		[5] = 48,
+		[6] = 33,
+		[7] = 23,
+		[8] = 17,
+		[9] = 13,
+		[10] = 11,
+		[11] = 9,
+		[12] = 8,
+		[13] = 7,
+		[14] = 6,
+		[15] = 5,
+		[16] = 5,
+		[17 ... 19] = 4,
+		[20 ... 25] = 3,
+		[26 ... 42] = 2,
+		[43 ... 64] = 1,
+	};
+	const int error_rate = 34;
+
+	if (min_entropy == 0) {
+		/*
+		 * For environmental sources, the main source of entropy is the
+		 * associated timecounter value.  Since these sources can be
+		 * influenced by unprivileged users, we conservatively use a
+		 * min-entropy estimate of 1 bit per sample.  For "pure"
+		 * sources, we assume 8 bits per sample, as such sources provide
+		 * a variable amount of data per read and in particular might
+		 * only provide a single byte at a time.
+		 */
+		min_entropy = source >= RANDOM_PURE_START ? 8 : 1;
+	} else if (min_entropy < 0 || min_entropy >= nitems(apt_cutoffs)) {
+		panic("invalid min_entropy %d for %s", min_entropy,
+		    random_source_descr[source]);
+	}
+
+	ht->ht_rct_limit = 1 + howmany(error_rate, min_entropy);
+	ht->ht_apt_cutoff = apt_cutoffs[min_entropy];
 }
 
 static int
@@ -533,9 +596,9 @@ random_check_uint_harvestmask(SYSCTL_HANDLER_ARGS)
 	    _RANDOM_HARVEST_ETHER_OFF | _RANDOM_HARVEST_UMA_OFF;
 
 	int error;
-	u_int value, orig_value;
+	u_int value;
 
-	orig_value = value = hc_source_mask;
+	value = atomic_load_int(&hc_source_mask);
 	error = sysctl_handle_int(oidp, &value, 0, req);
 	if (error != 0 || req->newptr == NULL)
 		return (error);
@@ -546,12 +609,14 @@ random_check_uint_harvestmask(SYSCTL_HANDLER_ARGS)
 	/*
 	 * Disallow userspace modification of pure entropy sources.
 	 */
+	RANDOM_HARVEST_LOCK();
 	hc_source_mask = (value & ~user_immutable_mask) |
-	    (orig_value & user_immutable_mask);
+	    (hc_source_mask & user_immutable_mask);
+	RANDOM_HARVEST_UNLOCK();
 	return (0);
 }
 SYSCTL_PROC(_kern_random_harvest, OID_AUTO, mask,
-    CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, NULL, 0,
+    CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, 0,
     random_check_uint_harvestmask, "IU",
     "Entropy harvesting mask");
 
@@ -563,9 +628,16 @@ random_print_harvestmask(SYSCTL_HANDLER_ARGS)
 
 	error = sysctl_wire_old_buffer(req, 0);
 	if (error == 0) {
+		u_int mask;
+
 		sbuf_new_for_sysctl(&sbuf, NULL, 128, req);
-		for (i = ENTROPYSOURCE - 1; i >= 0; i--)
-			sbuf_cat(&sbuf, (hc_source_mask & (1 << i)) ? "1" : "0");
+		mask = atomic_load_int(&hc_source_mask);
+		for (i = ENTROPYSOURCE - 1; i >= 0; i--) {
+			bool present;
+
+			present = (mask & (1u << i)) != 0;
+			sbuf_cat(&sbuf, present ? "1" : "0");
+		}
 		error = sbuf_finish(&sbuf);
 		sbuf_delete(&sbuf);
 	}
@@ -576,7 +648,7 @@ SYSCTL_PROC(_kern_random_harvest, OID_AUTO, mask_bin,
     random_print_harvestmask, "A",
     "Entropy harvesting mask (printable)");
 
-static const char *random_source_descr[ENTROPYSOURCE] = {
+static const char *random_source_descr[/*ENTROPYSOURCE*/] = {
 	[RANDOM_CACHED] = "CACHED",
 	[RANDOM_ATTACH] = "ATTACH",
 	[RANDOM_KEYBOARD] = "KEYBOARD",
@@ -590,24 +662,24 @@ static const char *random_source_descr[ENTROPYSOURCE] = {
 	[RANDOM_UMA] = "UMA",
 	[RANDOM_CALLOUT] = "CALLOUT",
 	[RANDOM_RANDOMDEV] = "RANDOMDEV", /* ENVIRONMENTAL_END */
-	[RANDOM_PURE_OCTEON] = "PURE_OCTEON", /* PURE_START */
-	[RANDOM_PURE_SAFE] = "PURE_SAFE",
-	[RANDOM_PURE_GLXSB] = "PURE_GLXSB",
-	[RANDOM_PURE_HIFN] = "PURE_HIFN",
+	[RANDOM_PURE_TPM] = "PURE_TPM", /* PURE_START */
 	[RANDOM_PURE_RDRAND] = "PURE_RDRAND",
+	[RANDOM_PURE_RDSEED] = "PURE_RDSEED",
 	[RANDOM_PURE_NEHEMIAH] = "PURE_NEHEMIAH",
 	[RANDOM_PURE_RNDTEST] = "PURE_RNDTEST",
 	[RANDOM_PURE_VIRTIO] = "PURE_VIRTIO",
 	[RANDOM_PURE_BROADCOM] = "PURE_BROADCOM",
 	[RANDOM_PURE_CCP] = "PURE_CCP",
 	[RANDOM_PURE_DARN] = "PURE_DARN",
-	[RANDOM_PURE_TPM] = "PURE_TPM",
 	[RANDOM_PURE_VMGENID] = "PURE_VMGENID",
 	[RANDOM_PURE_QUALCOMM] = "PURE_QUALCOMM",
 	[RANDOM_PURE_ARMV8] = "PURE_ARMV8",
 	[RANDOM_PURE_ARM_TRNG] = "PURE_ARM_TRNG",
+	[RANDOM_PURE_SAFE] = "PURE_SAFE",
+	[RANDOM_PURE_GLXSB] = "PURE_GLXSB",
 	/* "ENTROPYSOURCE" */
 };
+CTASSERT(nitems(random_source_descr) == ENTROPYSOURCE);
 
 static int
 random_print_harvestmask_symbolic(SYSCTL_HANDLER_ARGS)
@@ -619,16 +691,21 @@ random_print_harvestmask_symbolic(SYSCTL_HANDLER_ARGS)
 	first = true;
 	error = sysctl_wire_old_buffer(req, 0);
 	if (error == 0) {
+		u_int mask;
+
 		sbuf_new_for_sysctl(&sbuf, NULL, 128, req);
+		mask = atomic_load_int(&hc_source_mask);
 		for (i = ENTROPYSOURCE - 1; i >= 0; i--) {
-			if (i >= RANDOM_PURE_START &&
-			    (hc_source_mask & (1 << i)) == 0)
+			bool present;
+
+			present = (mask & (1u << i)) != 0;
+			if (i >= RANDOM_PURE_START && !present)
 				continue;
 			if (!first)
 				sbuf_cat(&sbuf, ",");
-			sbuf_cat(&sbuf, !(hc_source_mask & (1 << i)) ? "[" : "");
+			sbuf_cat(&sbuf, !present ? "[" : "");
 			sbuf_cat(&sbuf, random_source_descr[i]);
-			sbuf_cat(&sbuf, !(hc_source_mask & (1 << i)) ? "]" : "");
+			sbuf_cat(&sbuf, !present ? "]" : "");
 			first = false;
 		}
 		error = sbuf_finish(&sbuf);
@@ -652,8 +729,8 @@ random_harvestq_init(void *unused __unused)
 	RANDOM_HARVEST_INIT_LOCK();
 	harvest_context.hc_active_buf = 0;
 
-	for (int i = 0; i < ENTROPYSOURCE; i++)
-		random_healthtest_init(i);
+	for (int i = RANDOM_START; i <= RANDOM_ENVIRONMENTAL_END; i++)
+		random_healthtest_init(i, 0);
 }
 SYSINIT(random_device_h_init, SI_SUB_RANDOM, SI_ORDER_THIRD, random_harvestq_init, NULL);
 
@@ -835,20 +912,6 @@ random_harvest_direct_(const void *entropy, u_int size, enum random_entropy_sour
 }
 
 void
-random_harvest_register_source(enum random_entropy_source source)
-{
-
-	hc_source_mask |= (1 << source);
-}
-
-void
-random_harvest_deregister_source(enum random_entropy_source source)
-{
-
-	hc_source_mask &= ~(1 << source);
-}
-
-void
 random_source_register(const struct random_source *rsource)
 {
 	struct random_sources *rrs;
@@ -858,11 +921,12 @@ random_source_register(const struct random_source *rsource)
 	rrs = malloc(sizeof(*rrs), M_ENTROPY, M_WAITOK);
 	rrs->rrs_source = rsource;
 
-	random_harvest_register_source(rsource->rs_source);
-
 	printf("random: registering fast source %s\n", rsource->rs_ident);
 
+	random_healthtest_init(rsource->rs_source, rsource->rs_min_entropy);
+
 	RANDOM_HARVEST_LOCK();
+	hc_source_mask |= (1 << rsource->rs_source);
 	CK_LIST_INSERT_HEAD(&source_list, rrs, rrs_entries);
 	RANDOM_HARVEST_UNLOCK();
 }
@@ -874,9 +938,8 @@ random_source_deregister(const struct random_source *rsource)
 
 	KASSERT(rsource != NULL, ("invalid input to %s", __func__));
 
-	random_harvest_deregister_source(rsource->rs_source);
-
 	RANDOM_HARVEST_LOCK();
+	hc_source_mask &= ~(1 << rsource->rs_source);
 	CK_LIST_FOREACH(rrs, &source_list, rrs_entries)
 		if (rrs->rrs_source == rsource) {
 			CK_LIST_REMOVE(rrs, rrs_entries);
diff --git a/sys/dev/random/randomdev.h b/sys/dev/random/randomdev.h
index 6d742447ea8b..a6ca66c7d92e 100644
--- a/sys/dev/random/randomdev.h
+++ b/sys/dev/random/randomdev.h
@@ -52,7 +52,9 @@ random_check_uint_##name(SYSCTL_HANDLER_ARGS)				\
 }
 #endif /* SYSCTL_DECL */
 
+#ifdef MALLOC_DECLARE
 MALLOC_DECLARE(M_ENTROPY);
+#endif
 
 extern bool random_bypass_before_seeding;
 extern bool read_random_bypassed_before_seeding;
@@ -101,6 +103,7 @@ struct random_source {
 	const char			*rs_ident;
 	enum random_entropy_source	 rs_source;
 	random_source_read_t		*rs_read;
+	int				 rs_min_entropy;
 };
 
 void random_source_register(const struct random_source *);
diff --git a/sys/dev/random/rdseed.c b/sys/dev/random/rdseed.c
new file mode 100644
index 000000000000..af084aab4ed9
--- /dev/null
+++ b/sys/dev/random/rdseed.c
@@ -0,0 +1,169 @@
+/*-
+ * Copyright (c) 2013, 2025, David E. O'Brien <deo@NUXI.org>
+ * Copyright (c) 2013 The FreeBSD Foundation
+ * Copyright (c) 2012 Konstantin Belousov <kib@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Konstantin Belousov
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/conf.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/module.h>
+#include <sys/random.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+
+#include <machine/md_var.h>
+#include <machine/specialreg.h>
+#include <x86/ifunc.h>
+
+#include <dev/random/randomdev.h>
+
+#define	RETRY_COUNT	10
+
+static u_int random_rdseed_read(void *, u_int);
+
+static struct random_source random_rdseed = {
+	.rs_ident = "Intel Secure Key Seed",
+	.rs_source = RANDOM_PURE_RDSEED,
+	.rs_read = random_rdseed_read
+};
+
+SYSCTL_NODE(_kern_random, OID_AUTO, rdseed, CTLFLAG_RW, 0,
+    "rdseed (x86) entropy source");
+/* XXX: kern.random.rdseed.enabled=0 also disables RDRAND */
+static bool enabled = true;
+SYSCTL_BOOL(_kern_random_rdseed, OID_AUTO, enabled, CTLFLAG_RDTUN, &enabled, 0,
+    "If zero, disable the use of RDSEED.");
+
+static bool
+x86_rdseed_store(u_long *buf)
+{
+	u_long rndval;
+	int retry;
+
+	retry = RETRY_COUNT;
+	__asm __volatile(
+	    "1:\n\t"
+	    "rdseed	%1\n\t"	/* read randomness into rndval */
+	    "jc		2f\n\t" /* CF is set on success, exit retry loop */
+	    "dec	%0\n\t" /* otherwise, retry-- */
+	    "jne	1b\n\t" /* and loop if retries are not exhausted */
+	    "2:"
+	    : "+r" (retry), "=r" (rndval) : : "cc");
+	*buf = rndval;
+	return (retry != 0);
+}
+
+/* It is required that buf length is a multiple of sizeof(u_long). */
+static u_int
+random_rdseed_read(void *buf, u_int c)
+{
+	u_long *b, rndval;
+	u_int count;
+
+	KASSERT(c % sizeof(*b) == 0, ("partial read %d", c));
+	b = buf;
+	for (count = c; count > 0; count -= sizeof(*b)) {
+		if (!x86_rdseed_store(&rndval))
+			break;
+		*b++ = rndval;
+	}
+	return (c - count);
+}
+
+static int
+rdseed_modevent(module_t mod, int type, void *unused)
+{
+	bool has_rdseed;
+	int error = 0;
+
+	has_rdseed = (cpu_stdext_feature & CPUID_STDEXT_RDSEED);
+
+	switch (type) {
+	case MOD_LOAD:
+		if (has_rdseed && enabled) {
+			random_source_register(&random_rdseed);
+			printf("random: fast provider: \"%s\"\n", random_rdseed.rs_ident);
+		}
+		break;
+
+	case MOD_UNLOAD:
+		if (has_rdseed)
+			random_source_deregister(&random_rdseed);
+		break;
+
+	case MOD_SHUTDOWN:
+		break;
+
+	default:
+		error = EOPNOTSUPP;
+		break;
+
+	}
+
+	return (error);
+}
+
+static moduledata_t rdseed_mod = {
+	"rdseed",
+	rdseed_modevent,
+	0
+};
+
+DECLARE_MODULE(rdseed, rdseed_mod, SI_SUB_RANDOM, SI_ORDER_FOURTH);
+MODULE_VERSION(rdseed, 1);
+MODULE_DEPEND(rdseed, random_harvestq, 1, 1, 1);
+
+/*
+ * Intel's RDSEED Entropy Assessment Report min-entropy claim is 0.6 Shannons
+ * per bit of data output.  Rrefer to the following Entropy Source Validation
+ * (ESV) certificates:
+ *
+ *	E#87:	Junos OS Physical Entropy Source - Broadwell EP 10-Core Die
+ *		Broadwell-EP-10 FCLGA2011 Intel(R) Xeon(R) E5-2620 V4 Processor
+ *		https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/certificate/87
+ *		(URLs below omitted for brevity but follow same format.)
+ *
+ *	E#121:	Junos OS Physical Entropy Source - Intel Atom C3000 Series
+ *		(Denverton) 16 Core Die with FCBGA1310 Package
+ *
+ *	E#122:	Junos OS Physical Entropy Source - Intel Xeon D-1500 Family
+ *		(Broadwell) 8 Core Die with FCBGA1667 Package
+ *
+ *	E#123:	Junos OS Physical Entropy Source - Intel Xeon D-2100 Series
+ *		(Skylake) 18 Core Die with FCBGA2518 Package
+ *
+ *	E#141:	Junos OS Physical Entropy Source - Intel Xeon D-10 Series
+ *		(Ice Lake-D-10) Die with FCBGA2227 Package
+ *
+ *	E#169:	Junos OS Physical Entropy Source - Intel Xeon AWS-1000 v4 and
+ *		E5 v4 (Broadwell EP) 15 Core Die with FCLGA2011 Package
+ */