History log of /src/sys/crypto/cprng_fast
Revision  Date  Author  Comments
 1.20 15-Oct-2024  riastradh Revert cprng_fast(9) to seed and reseed asynchronously in softint.

This reverts sys/crypto/cprng_fast/cprng_fast.c revisions 1.17-1.19.

I thought we had eliminated all paths into cprng_fast(9) from hard
interrupt context, which would allow us to call into cprng_strong(9)
and entropy(9) to synchronously reseed whenever needed -- this would
improve security over netbsd-9 for the first query to cprng_intr(9)
on each CPU.

Unfortunately, I missed the calls under spin locks (which are
effectively also hard interrupt context, in that they hold up
interrupts on this CPU or interrupt handlers trying to take the lock
on other CPUs). And one such spin lock is struct ifnet::ifq_lock at
IPL_NET, which is held by if_transmit when it calls IFQ_ENQUEUE which
calls into altq(4) which sometimes does, e.g., red_addq which calls
cprng_fast32.

Until we migrate ifq_lock to IPL_SOFTNET (which is potentially
feasible, because most of the network stack runs in softint now, but
it requires a lot of auditing and maybe changes to lots of drivers),
we'll have to make sure cprng_fast(9) doesn't try to take an adaptive
lock.

And the simplest way to ensure that is to just revert back to the
netbsd-9 semantics of asynchronously reseeding in softint, at the
cost of a potential security weakness. I don't expect this
regression to be permanent -- we just can't restore the change as is
until we deal with ifq_lock.

1.19 cprng_fast(9): Drop and retake percpu reference across cprng_strong.
1.18 cprng_fast(9): Assert not in pserialize read section.
1.17 cprng(9): cprng_fast is no longer used from interrupt context.

PR kern/58575: altq(4) takes adaptive lock while holding spin lock
 1.19 05-Aug-2023  riastradh branches: 1.19.6;
cprng_fast(9): Drop and retake percpu reference across cprng_strong.

cprng_strong may sleep on an adaptive lock (via entropy_extract),
which invalidates percpu(9) references.

Discovered by stumbling upon this panic in a test run:

panic: kernel diagnostic assertion "(cprng == percpu_getref(cprng_fast_percpu)) && (percpu_putref(cprng_fast_percpu), true)" failed: file "/home/riastradh/netbsd/current/src/sys/rump/librump/rumpkern/../../../crypto/cprng_fast/cprng_fast.c", line 117

XXX pullup-10
 1.18 01-Sep-2022  riastradh branches: 1.18.4;
cprng_fast(9): Assert not in pserialize read section.

This may sleep to take the global entropy lock in case it needs to be
reseeded. If that happens we can't be in a pserialize read section.
 1.17 01-Jun-2022  riastradh cprng(9): cprng_fast is no longer used from interrupt context.

Rip out logic to defer reseeding to softint.
 1.16 28-Jul-2020  riastradh Rewrite cprng_fast in terms of new ChaCha API.
 1.15 30-Apr-2020  riastradh Count cprng_fast reseed events.
 1.14 30-Apr-2020  riastradh Adapt cprng_fast to use entropy_epoch(), not rnd_initial_entropy.

This way it has an opportunity to be reseeded after boot.
 1.13 13-Apr-2015  riastradh More rnd.h user cleanup.
 1.12 13-Apr-2015  riastradh cprng_strong(kern_cprng, ...) never blocks, pass 0 for flags.

FASYNC was wrong anyway! It's FNONBLOCK.
 1.11 11-Aug-2014  justin branches: 1.11.2; 1.11.4;
Fix inconsistent use of inline in prototype and definition
 1.10 11-Aug-2014  riastradh Tweak cprng_fast_buf to use 32-bit unaligned writes if possible.
 1.9 11-Aug-2014  riastradh Move initial entropy bookkeeping out of the fast path.
 1.8 11-Aug-2014  riastradh Use percpu_foreach instead of manual iteration.
 1.7 11-Aug-2014  riastradh Access to struct cprng_fast must be consistently at IPL_VM.
 1.6 11-Aug-2014  riastradh branches: 1.6.2;
No need for cprng_fast_seed to be inline.
 1.5 11-Aug-2014  riastradh Include <sys/rnd.h>, don't copypasta declare rnd_initial_entropy.
 1.4 11-Aug-2014  riastradh Sort #includes.
 1.3 10-Aug-2014  justin define function consistently as inline
 1.2 10-Aug-2014  tls Merge tls-earlyentropy branch into HEAD.
 1.1 09-Aug-2014  tls branches: 1.1.2;
file cprng_fast.c was initially added on branch tls-earlyentropy.
 1.1.2.1 09-Aug-2014  tls Replace "ccrand" ChaCha implementation of cprng_fast with Taylor's smaller
and somewhat simpler one. Fix rump builds so we can build a distribution.
 1.6.2.1 15-Aug-2014  martin Pull up following revision(s) (requested by riastradh in ticket #16):
sys/crypto/cprng_fast/cprng_fast.c: revision 1.7
sys/crypto/cprng_fast/cprng_fast.c: revision 1.8
sys/crypto/cprng_fast/cprng_fast.c: revision 1.9
sys/crypto/cprng_fast/cprng_fast.c: revision 1.10
Access to struct cprng_fast must be consistently at IPL_VM.
Use percpu_foreach instead of manual iteration.
Move initial entropy bookkeeping out of the fast path.
Tweak cprng_fast_buf to use 32-bit unaligned writes if possible.
 1.11.4.1 06-Jun-2015  skrll Sync with HEAD
 1.11.2.3 03-Dec-2017  jdolecek update from HEAD
 1.11.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.11.2.1 11-Aug-2014  tls file cprng_fast.c was added on branch tls-maxphys on 2014-08-20 00:03:34 +0000
 1.18.4.2 26-Oct-2024  martin Pull up following revision(s) (requested by riastradh in ticket #990):

sys/crypto/cprng_fast/cprng_fast.c: revision 1.20

Revert cprng_fast(9) to seed and reseed asynchronously in softint.

This reverts sys/crypto/cprng_fast/cprng_fast.c revisions 1.17-1.19.

I thought we had eliminated all paths into cprng_fast(9) from hard
interrupt context, which would allow us to call into cprng_strong(9)
and entropy(9) to synchronously reseed whenever needed -- this would
improve security over netbsd-9 for the first query to cprng_intr(9)
on each CPU.

Unfortunately, I missed the calls under spin locks (which are
effectively also hard interrupt context, in that they hold up
interrupts on this CPU or interrupt handlers trying to take the lock
on other CPUs). And one such spin lock is struct ifnet::ifq_lock at
IPL_NET, which is held by if_transmit when it calls IFQ_ENQUEUE which
calls into altq(4) which sometimes does, e.g., red_addq which calls
cprng_fast32.

Until we migrate ifq_lock to IPL_SOFTNET (which is potentially
feasible, because most of the network stack runs in softint now, but
it requires a lot of auditing and maybe changes to lots of drivers),
we'll have to make sure cprng_fast(9) doesn't try to take an adaptive
lock.

And the simplest way to ensure that is to just revert back to the
netbsd-9 semantics of asynchronously reseeding in softint, at the
cost of a potential security weakness. I don't expect this
regression to be permanent -- we just can't restore the change as is
until we deal with ifq_lock.

1.19 cprng_fast(9): Drop and retake percpu reference across cprng_strong.
1.18 cprng_fast(9): Assert not in pserialize read section.
1.17 cprng(9): cprng_fast is no longer used from interrupt context.

PR kern/58575: altq(4) takes adaptive lock while holding spin lock
 1.18.4.1 11-Aug-2023  martin Pull up following revision(s) (requested by riastradh in ticket #319):

sys/dev/pci/ubsec.c: revision 1.64
sys/dev/pci/hifn7751.c: revision 1.82
lib/libc/gen/getentropy.3: revision 1.5
lib/libc/gen/getentropy.3: revision 1.6
share/man/man4/rnd.4: revision 1.41
lib/libc/sys/getrandom.2: revision 1.2
lib/libc/sys/getrandom.2: revision 1.3
share/man/man5/rc.conf.5: revision 1.193
share/man/man7/entropy.7: revision 1.5
share/man/man7/entropy.7: revision 1.6
share/man/man7/entropy.7: revision 1.7
share/man/man7/entropy.7: revision 1.8
etc/security: revision 1.130
share/man/man7/entropy.7: revision 1.9
etc/security: revision 1.131
sys/crypto/cprng_fast/cprng_fast.c: revision 1.19
sys/sys/rndio.h: revision 1.3
tests/lib/libc/sys/t_getrandom.c: revision 1.5
etc/defaults/rc.conf: revision 1.164
etc/defaults/rc.conf: revision 1.165
sys/sys/rndsource.h: revision 1.10
sys/kern/kern_entropy.c: revision 1.62
sys/kern/kern_entropy.c: revision 1.63
sys/kern/kern_entropy.c: revision 1.64
sys/kern/subr_cprng.c: revision 1.44
sys/kern/kern_entropy.c: revision 1.65
sys/kern/kern_clock.c: revision 1.149
sys/dev/pci/viornd.c: revision 1.22
share/man/man9/rnd.9: revision 1.32
sys/kern/subr_prf.c: revision 1.202
sys/sys/rndsource.h: revision 1.8
sys/sys/rndsource.h: revision 1.9
share/man/man7/entropy.7: revision 1.10

1. Reinstate netbsd<=9 entropy estimator to unblock /dev/random, in
parallel with assessment of only confident entropy sources (seed,
HWRNG) for security warnings like sshd keys in motd and daily
insecurity report.

2. Make multiuser boot wait for first /dev/random output soon after
loading a seed and configuring rndctl, so that getentropy(3) meets
its contract starting early at boot without introducing blocking
paths that could cause hangs in init(8) or single-user mode.
Operators can choose to disable this wait in rc.conf.

3. Fix some bugs left over from reducing the global entropy lock from
a spin lock at IPL_VM to an adaptive lock at IPL_SOFTSERIAL.

4. Update man pages.
 1.19.6.1 02-Aug-2025  perseant Sync with HEAD
 1.2 10-Aug-2014  tls branches: 1.2.4;
Merge tls-earlyentropy branch into HEAD.
 1.1 09-Aug-2014  tls branches: 1.1.2;
file cprng_fast.h was initially added on branch tls-earlyentropy.
 1.1.2.1 09-Aug-2014  tls Replace "ccrand" ChaCha implementation of cprng_fast with Taylor's smaller
and somewhat simpler one. Fix rump builds so we can build a distribution.
 1.2.4.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.2.4.1 10-Aug-2014  tls file cprng_fast.h was added on branch tls-maxphys on 2014-08-20 00:03:34 +0000
 1.3 28-Jul-2020  riastradh Rewrite cprng_fast in terms of new ChaCha API.
 1.2 10-Aug-2014  tls branches: 1.2.4;
Merge tls-earlyentropy branch into HEAD.
 1.1 09-Aug-2014  tls branches: 1.1.2;
file files.cprng_fast was initially added on branch tls-earlyentropy.
 1.1.2.1 09-Aug-2014  tls Replace "ccrand" ChaCha implementation of cprng_fast with Taylor's smaller
and somewhat simpler one. Fix rump builds so we can build a distribution.
 1.2.4.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.2.4.1 10-Aug-2014  tls file files.cprng_fast was added on branch tls-maxphys on 2014-08-20 00:03:34 +0000