| History log of /src/sys/rump/dev/lib/librnd/Makefile |
| Revision | | Date | Author | Comments |
| 1.12 |
| 30-Apr-2020 |
riastradh | Rewrite entropy subsystem.
Primary goals:
1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.
Caveat: rngtest is no longer used generically for RND_TYPE_RNG
rndsources. Hardware RNG devices should have hardware-specific
health tests. For example, checking for two repeated 256-bit outputs
works to detect AMD's 2019 RDRAND bug. Not all hardware RNGs are
necessarily designed to produce exactly uniform output.
ENTROPY POOL
- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1
kludge as the cryptographic primitive.
- `Entropy depletion' is available for testing purposes with a sysctl
knob kern.entropy.depletion; otherwise it is disabled, and once the
system reaches full entropy it is assumed to stay there as far as
modern cryptography is concerned.
- No `entropy estimation' based on sample values. Such `entropy
estimation' is a contradiction in terms, dishonest to users, and a
potential source of side channels. It is the responsibility of the
driver author to study the entropy of the process that generates
the samples.
- Per-CPU gathering pools avoid contention on a global queue.
- Entropy is occasionally consolidated into global pool -- as soon as
it's ready, if we've never reached full entropy, and with a rate
limit afterward. Operators can force consolidation now by running
sysctl -w kern.entropy.consolidate=1.
- rndsink(9) API has been replaced by an epoch counter which changes
whenever entropy is consolidated into the global pool.
. Usage: Cache entropy_epoch() when you seed. If entropy_epoch()
has changed when you're about to use whatever you seeded, reseed.
. Epoch is never zero, so initialize cache to 0 if you want to reseed
on first use.
. Epoch is -1 iff we have never reached full entropy -- in other
words, the old rnd_initial_entropy is (entropy_epoch() != -1) --
but it is better if you check for changes rather than for -1, so
that if the system estimated its own entropy incorrectly, entropy
consolidation has the opportunity to prevent future compromise.
- Sysctls and event counters provide operator visibility into what's
happening:
. kern.entropy.needed - bits of entropy short of full entropy
. kern.entropy.pending - bits known to be pending in per-CPU pools,
can be consolidated with sysctl -w kern.entropy.consolidate=1
. kern.entropy.epoch - number of times consolidation has happened,
never 0, and -1 iff we have never reached full entropy
CPRNG_STRONG
- A cprng_strong instance is now a collection of per-CPU NIST
Hash_DRBGs. There are only two in the system: user_cprng for
/dev/urandom and sysctl kern.?random, and kern_cprng for kernel
users which may need to operate in interrupt context up to IPL_VM.
(Calling cprng_strong in interrupt context does not strike me as a
particularly good idea, so I added an event counter to see whether
anything actually does.)
- Event counters provide operator visibility into when reseeding
happens.
INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)
- Unwired for now; will be rewired in a subsequent commit.
|
| 1.11 |
| 26-Jan-2016 |
pooka | Put the kernelside rump kernel headers into <rump-sys> instead of
sprinkling them around the faction directories. Avoids having
to add a CPPFLAGS (or several) to pretty much every component
Makefile.
Leave compat headers around in the old locations.
The commit changes some autogenerated files, but I'll fix the
generators shortly and regen.
|
| 1.10 |
| 19-Oct-2015 |
pooka | Add a COMMENT describing what each component roughly does.
"make describe" prints the comment.
Requested/inspired by Vincent Schwarzer on rumpkernel-users
|
| 1.9 |
| 20-Aug-2015 |
christos | use ioconf files for pseudo-device attach prototypes
|
| 1.8 |
| 14-Apr-2015 |
riastradh | Fix rump build: rndpseudo_50.c now needed by kernel, not rnd device.
|
| 1.7 |
| 13-Mar-2014 |
pooka | branches: 1.7.6;
rename component.c -> rnd_component.c
|
| 1.6 |
| 02-Feb-2012 |
tls | branches: 1.6.6; 1.6.10;
Entropy-pool implementation move and cleanup.
1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.
2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.
3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.
4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.
5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.
ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.
|
| 1.5 |
| 20-Dec-2011 |
apb | Put the path to the compat/common directory in a .PATH line, not in
an element of the SRCS list. This should fix a problem in which build
products were created in the source tree.
Also add a comment about where COMPAT_50 is defined.
|
| 1.4 |
| 19-Dec-2011 |
apb | SRCS += ${.CURDIR}/../../../../compat/common/rndpseudo_50.c
to fix build errors like this:
DESTDIR/usr/lib/librumpdev_rnd.so: undefined reference to
`rumpns_compat_50_rnd_ioctl'
|
| 1.3 |
| 17-Dec-2011 |
tls | Separate /dev/random pseudodevice implemenation from kernel entropy pool
implementation. Rewrite pseudodevice code to use cprng_strong(9).
The new pseudodevice is cloning, so each caller gets bits from a stream
generated with its own key. Users of /dev/urandom get their generators
keyed on a "best effort" basis -- the kernel will rekey generators
whenever the entropy pool hits the high water mark -- while users of
/dev/random get their generators rekeyed every time key-length bits
are output.
The underlying cprng_strong API can use AES-256 or AES-128, but we use
AES-128 because of concerns about related-key attacks on AES-256. This
improves performance (and reduces entropy pool depletion) significantly
for users of /dev/urandom but does cause users of /dev/random to rekey
twice as often.
Also fixes various bugs (including some missing locking and a reseed-counter
overflow in the CTR_DRBG code) found while testing this.
For long reads, this generator is approximately 20 times as fast as the
old generator (dd with bs=64K yields 53MB/sec on 2Ghz Core2 instead of
2.5MB/sec) and also uses a separate mutex per instance so concurrency
is greatly improved. For reads of typical key sizes for modern
cryptosystems (16-32 bytes) performance is about the same as the old
code: a little better for 32 bytes, a little worse for 16 bytes.
|
| 1.2 |
| 16-Feb-2010 |
pooka | branches: 1.2.10; 1.2.14;
Globally define -Wno-pointer-sign, as it has become a pointless
exercise of "add it to every Makefile individually".
XXX: should autosynchronize with the rest of the kernel buildflags
in sys/conf/Makefile.kern.inc.
|
| 1.1 |
| 08-Sep-2009 |
pooka | branches: 1.1.2; 1.1.4;
add rump rnd device component
|
| 1.1.4.1 |
| 30-Apr-2010 |
uebayasi | Sync with HEAD.
|
| 1.1.2.3 |
| 11-Mar-2010 |
yamt | sync with head
|
| 1.1.2.2 |
| 16-Sep-2009 |
yamt | sync with head
|
| 1.1.2.1 |
| 08-Sep-2009 |
yamt | file Makefile was added on branch yamt-nfs-mp on 2009-09-16 13:38:04 +0000
|
| 1.2.14.1 |
| 18-Feb-2012 |
mrg | merge to -current.
|
| 1.2.10.2 |
| 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.2.10.1 |
| 17-Apr-2012 |
yamt | sync with head
|
| 1.6.10.1 |
| 18-May-2014 |
rmind | sync with head
|
| 1.6.6.2 |
| 03-Dec-2017 |
jdolecek | update from HEAD
|
| 1.6.6.1 |
| 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.7.6.4 |
| 19-Mar-2016 |
skrll | Sync with HEAD
|
| 1.7.6.3 |
| 27-Dec-2015 |
skrll | Sync with HEAD (as of 26th Dec)
|
| 1.7.6.2 |
| 22-Sep-2015 |
skrll | Sync with HEAD
|
| 1.7.6.1 |
| 06-Jun-2015 |
skrll | Sync with HEAD
|
