kern: Move some purely arithmetic routines to subr_time_arith.c.

Preparation for testing and fixing:

PR kern/58922: itimer(9): arithmetic overflow
PR kern/58925: itimer(9) responds erratically to clock wound back
PR kern/58926: itimer(9) integer overflow in overrun counting
PR kern/58927: itimer(9): overrun accounting is broken

branches: 1.191.6;
bsd.own.mk: rename GCC_NO_* to CC_WNO_*

Rename compiler-warning-disable variables from
GCC_NO_warning
to
CC_WNO_warning
where warning is the full warning name as used by the compiler.

GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH

Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.

rump: Move vnode_if.c from rumpkern to rumpvfs.

This has become increasingly less of a `fully dynamic interface', and
the need for it in the rest of sys/kern/ has been obviated, so let's
put it where it belongs in rumpvfs.

secmodel_extensions: Split vfs part into separate .c file.

This way we can provide weak rumpkern stubs that don't require
rumpvfs for things that are relevant to vfs, but if you do link
rumpvfs then you get the same logic in secmodel extensions.

include the extensions secmodel

Sort includes, nix trailing whitespace, fix comment.

Move address hashing from init_main.c to kern_sysctl.c.

This way rump gets it automatically. Make sure blake2s is in
librumpkern.so, not just in librumpkern_crypto.so, for this to work.

New system call getrandom() compatible with Linux and others.

Three ways to call:

getrandom(p, n, 0) Blocks at boot until full entropy.
Returns up to n bytes at p; guarantees
up to 256 bytes even if interrupted
after blocking. getrandom(0,0,0)
serves as an entropy barrier: return
only after system has full entropy.

getrandom(p, n, GRND_INSECURE) Never blocks. Guarantees up to 256
bytes even if interrupted. Equivalent
to /dev/urandom. Safe only after
successful getrandom(...,0),
getrandom(...,GRND_RANDOM), or read
from /dev/random.

getrandom(p, n, GRND_RANDOM) May block at any time. Returns up to n
bytes at p, but no guarantees about how
many -- may return as short as 1 byte.
Equivalent to /dev/random. Legacy.
Provided only for source compatibility
with Linux.

Can also use flags|GRND_NONBLOCK to fail with EWOULDBLOCK/EAGAIN
without producing any output instead of blocking.

- The combination GRND_INSECURE|GRND_NONBLOCK is the same as
GRND_INSECURE, since GRND_INSECURE never blocks anyway.

- The combinations GRND_INSECURE|GRND_RANDOM and
GRND_INSECURE|GRND_RANDOM|GRND_NONBLOCK are nonsensical and fail
with EINVAL.

As proposed on tech-userlevel, tech-crypto, tech-security, and
tech-kern, and subsequently adopted by core (minus the getentropy part
of the proposal, because other operating systems and participants in
the discussion couldn't come to an agreement about getentropy and
blocking semantics):

https://mail-index.netbsd.org/tech-userlevel/2020/05/02/msg012333.html

Rewrite cprng_fast in terms of new ChaCha API.

Rewrite entropy subsystem.

Primary goals:

1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.

Caveat: rngtest is no longer used generically for RND_TYPE_RNG
rndsources. Hardware RNG devices should have hardware-specific
health tests. For example, checking for two repeated 256-bit outputs
works to detect AMD's 2019 RDRAND bug. Not all hardware RNGs are
necessarily designed to produce exactly uniform output.

ENTROPY POOL

- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1
kludge as the cryptographic primitive.

- `Entropy depletion' is available for testing purposes with a sysctl
knob kern.entropy.depletion; otherwise it is disabled, and once the
system reaches full entropy it is assumed to stay there as far as
modern cryptography is concerned.

- No `entropy estimation' based on sample values. Such `entropy
estimation' is a contradiction in terms, dishonest to users, and a
potential source of side channels. It is the responsibility of the
driver author to study the entropy of the process that generates
the samples.

- Per-CPU gathering pools avoid contention on a global queue.

- Entropy is occasionally consolidated into global pool -- as soon as
it's ready, if we've never reached full entropy, and with a rate
limit afterward. Operators can force consolidation now by running
sysctl -w kern.entropy.consolidate=1.

- rndsink(9) API has been replaced by an epoch counter which changes
whenever entropy is consolidated into the global pool.
. Usage: Cache entropy_epoch() when you seed. If entropy_epoch()
has changed when you're about to use whatever you seeded, reseed.
. Epoch is never zero, so initialize cache to 0 if you want to reseed
on first use.
. Epoch is -1 iff we have never reached full entropy -- in other
words, the old rnd_initial_entropy is (entropy_epoch() != -1) --
but it is better if you check for changes rather than for -1, so
that if the system estimated its own entropy incorrectly, entropy
consolidation has the opportunity to prevent future compromise.

- Sysctls and event counters provide operator visibility into what's
happening:
. kern.entropy.needed - bits of entropy short of full entropy
. kern.entropy.pending - bits known to be pending in per-CPU pools,
can be consolidated with sysctl -w kern.entropy.consolidate=1
. kern.entropy.epoch - number of times consolidation has happened,
never 0, and -1 iff we have never reached full entropy

CPRNG_STRONG

- A cprng_strong instance is now a collection of per-CPU NIST
Hash_DRBGs. There are only two in the system: user_cprng for
/dev/urandom and sysctl kern.?random, and kern_cprng for kernel
users which may need to operate in interrupt context up to IPL_VM.

(Calling cprng_strong in interrupt context does not strike me as a
particularly good idea, so I added an event counter to see whether
anything actually does.)

- Event counters provide operator visibility into when reseeding
happens.

INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)

- Unwired for now; will be rewired in a subsequent commit.

Merge from yamt-pagecache (after much testing):

- Reduce unnecessary page scan in putpages esp. when an object has a ton of
pages cached but only a few of them are dirty.

- Reduce the number of pmap operations by tracking page dirtiness more
precisely in uvm layer.

branches: 1.181.2;
Split subr_cpu.c out of kern_cpu.c, to contain routines shared with rump.

- Extend the per-CPU counters matt@ did to include all of the hot counters
in UVM, excluding uvmexp.free, which needs special treatment and will be
done with a separate commit. Cuts system time for a build by 20-25% on
a 48 CPU machine w/DIAGNOSTIC.

- Avoid 64-bit integer divide on every fault (for rnd_add_uint32).

Merge from yamt-pagecache:

- do gang lookup of pages using radixtree.
- remove now unused uvm_object::uo_memq and vm_page::listq.queue.

Eliminate per-hook duplication of common code as suggested by
(and with major contributions from) riastradh@

Welcome to 9.99.23

introduce some common variables for use in GCC warning disables:

GCC_NO_FORMAT_TRUNCATION -Wno-format-truncation (GCC 7/8)
GCC_NO_STRINGOP_TRUNCATION -Wno-stringop-truncation (GCC 8)
GCC_NO_STRINGOP_OVERFLOW -Wno-stringop-overflow (GCC 8)
GCC_NO_CAST_FUNCTION_TYPE -Wno-cast-function-type (GCC 8)

use these to turn off warnings for most GCC-8 complaints. many
of these are false positives, most of the real bugs are already
commited, or are yet to come.


we plan to introduce versions of (some?) of these that use the
"-Wno-error=" form, which still displays the warnings but does
not make it an error, and all of the above will be re-considered
as either being "fix me" (warning still displayed) or "warning
is wrong."

Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256.

Benefits:

- larger seeds -- a 128-bit key alone is not enough for `128-bit security'
- better resistance to timing side channels than AES
- a better-understood security story (https://eprint.iacr.org/2018/349)
- no loss in compliance with US government standards that nobody ever
got fired for choosing, at least in the US-dominated western world
- no dirty endianness tricks
- self-tests

Drawbacks:

- performance hit: throughput is reduced to about 1/3 in naive measurements
=> possible to mitigate by using hardware SHA-256 instructions
=> all you really need is 32 bytes to seed a userland PRNG anyway
=> if we just used ChaCha this would go away...

XXX pullup-7
XXX pullup-8
XXX pullup-9

branches: 1.175.2;
On the one thousand and ninth day rump's mainbus was moved from
rumpdev to rumpkern, liberating all rumpnet users from the need to
-lrumpdev -lrumpvfs just because a loopback interface is mandatory.

Rename rumpdev/autoconf.c to rumpkern/rump_autoconf.c to avoid
accidentally picking up e.g. sys/arch/amd64/amd64/autoconf.c through
make's .PATH.
Move rumpdev/MAINBUS.ioconf to rumpkern.

Merge the [pgoyette-compat] branch

Add threadpool(9), an abstraction that provides shared pools of kernel
threads running at specific priorities, with support for unbound pools
and per-cpu pools.

Written by riastradh@, and based on the May 2014 draft, with a few changes
by me:
- Working on the assumption that a relative few priorities will actually
be used, reduce the memory footprint by using linked lists, rather than
2 large (and mostly empty) tables. The performance impact is essentially
nil, since these lists are consulted only when pools are created (and
destroyed, for DIAGNOSTIC checks), and the lists will have at most 225
entries.
- Make threadpool job object, which the caller must allocate storage for,
really opaque.
- Use typedefs for the threadpool types, to reduce the verbosity of the
API somewhat.
- Fix a bunch of pool / worker thread / job object lifecycle bugs.

Also include an ATF unit test, written by me, that exercises the basics
of the API by loading a kernel module that exposes several sysctls that
allow the ATF test script to create and destroy threadpools, schedule a
basic job, and verify that it ran.

And thus NetBSD 8.99.29 has arrived.

Import thmap -- a concurrent trie-hash map, combining the elements of
hashing and radix trie. It supports lock-free lookups and concurrent
inserts/deletes. It is designed to be optimal as a general purpose
*concurrent* associative array.

Upstream: https://github.com/rmind/thmap
Discussed on tech-kern@

retire kern_xxx.c. long live kern_xxx.c.

split it into kern_reboot.c and kern_scdebug.c. while here,
add my copyright to kern_scdebug.c as it was largely rewritten
for kernhist support.

branches: 1.170.2; 1.170.4;
Add localcount to rump kernels

branches: 1.169.4; 1.169.6;
adjust flag.

branches: 1.168.2;
need kern_ssp.c for a full SSP build.

branches: 1.167.2;
Add psref to rump kernel

nuke a few missed -Ifactiondir CPPFLAGSitions.

Add a COMMENT describing what each component roughly does.

"make describe" prints the comment.

Requested/inspired by Vincent Schwarzer on rumpkernel-users

Use the more widely accepted version of alphabetical order.

Allow rumpkernel to use rw_obj_*

Remove KERN.ioconf, ksyms does not really need it.

generate ioconf.h for pseudo-device attach prototype

Remove unreal allocators, unconditionally use subr_{kmem,pool}.

Will, with other work, allow to tighten the memory allocation hypercall
specification to page-granularity allocations in the future.

Rename RUMP_COMPAT to RUMP_NBCOMBAT to better signify what the
variable does.

g/c the never-used and never-useful hyperstubs.c

Build compat code only when specified by RUMP_COMPAT

Include kern_clock.c in rump kernels.

Fix rump build: rndpseudo_50.c now needed by kernel, not rnd device.

default newvers.sh parameters to reproducible build

Move sysproxy support into a separate component, rumpkern_sysproxy,
instead of it being always provided by the rump kernel base. This
move accomplishes two things:

1) it is no longer necessary to provide sysproxy hypercall stubs for
platforms which do not want to use sysproxy
2) it is easier to reason about the security aspects, since configurations
not linking the sysproxy component simply do not support remote
system calls

discussed on rumpkernel-users

Put all sysproxy routines to their own C module, sysproxy.c

Remove shlib_version files and just use Makefile SHLIB_MAJOR/MINOR,
with the default provided by Makefile.rump (they're all 0.0 anyway)

branches: 1.150.2;
Move rump kernel man pages from various sources to sys/rump

namely:
* src/lib is used only when building for POSIX'y platforms, but
the man pages have their use for all platforms
* rumpuser.3 is a function of the rump kernel, not one of the of
the POSIX'y implementation hosted in src/lib/librumpuser

no functional change

Add MKCOMPAT support for aarch64 (COMPAT_MACHINE_CPU)

branches: 1.148.2; 1.148.4; 1.148.8;
Merge tls-earlyentropy branch into HEAD.

librump: include pcq(9) interface.

Eliminate weak symbols from rump kernel syscall handlers, part 7:

Build component constructors which establish syscalls at boottime.

gardenize rump.c: move data structure helper routines to accessors.c

Move the etfs linkage from rumpvfs to rumpkern, and replace the
weak alias show with an honest pointer indirection.

No client-visible change. (apart from this version working e.g.
on musl w/ dlopen)

branches: 1.143.2;
Add compat 50 time syscalls, needed by rump sys_linux.

Put nanosleep() and folks in librump instead of maintaining them in
the separate rumpkern_time component. Keeping time-related routines
elsewhere lead to some illogical behavior if you didn't think of linking
in rumpkern_time (hands up everyone who checks the return value of
nanosleep()).

Add warnings if rumpkern_time is linked or used. I'll remove it in a
month or two instead of now since it was part of a buildrump.sh snapshot
and it's nicer if trying to use it gives a warning instead of an error
in the next snapshot.

"everything should be as modular as possible, but no more modular than that"

Use uniprocessor-optimized locking in RUMP_LOCKS_UP=yes (default: no)

Allow multiple "rumpcomp_user" source modules to be specified by
introducing RUMPCOMP_USER_SRCS. Make RUMPCOMP_USER issue a deprecation
warning, but for compat make it set RUMPCOMP_USER_SRCS=rumpcomp_user.c
for now.

Move the "is arch capable of loading native kernel modules into
rump kernel" clauses from bsd.own.mk to Makefile.rump. Also,
add a rump_nativeabi_p() call to determine if rump kernel is
compiled with native ABI support.

Use the new FEAT_LDREX to replace ARMV6/ARMV7

Use same uvm_swap_shutdown() stub for !vmswap kernels and rump kernels.

Rototill a bit, and attempt to disguise it as non-gratuitous.

Add arch/generic and move non-x86 files from rumpkern/ there. Also,
move files from arch/i386 to arch/x86, and make both i386 and x86_64
use those.

This clarifies the situation with what is MD vs. MI code.

renames:
rumpcpu_generic,kobj_stubs,pmap_stubs => arch/generic/rump_generic_$x
arch/i386/* => arch/x86/rump_x86_$x

(for those who forget, x86 requires MD code because rump kernels
use the same ABI as kernel modules)

Use subr_cprng.c instead of stub implementation. Rijndael migrates from
rumpkern_crypto to rumpkern due to it being mandatory for cprng.

Make ktrace a compile-time option

Support ktrace for rump kernels.

Requested by Justin Cormack on rumpkernel-users.

Add an initial console device and open fd's 0/1/2 for initproc. This is
again useful in standalone-type environments such as Xen, where all
printf/etc calls go through the rump kernel.

+ don't rename rump_syscalls.*o
+ support RUMP_KERNEL_IS_LIBC

Teach this about ARMV7

Coldfire uses atomic_cas_generic.c

branches: 1.128.2; 1.128.4;
Rework rndsink(9) abstraction and adapt arc4random(9) and cprng(9).

rndsink(9):
- Simplify API.
- Simplify locking scheme.
- Add a man page.
- Avoid races in destruction.
- Avoid races in requesting entropy now and scheduling entropy later.

Periodic distribution of entropy to sinks reduces the need for the
last one, but this way we don't need to rely on periodic distribution
(e.g., in a future tickless NetBSD).

rndsinks_lock should probably eventually merge with the rndpool lock,
but we'll put that off for now.

cprng(9):
- Make struct cprng_strong opaque.
- Move rndpseudo.c parts that futz with cprng guts to subr_cprng.c.
- Fix kevent locking. (Is kevent locking documented anywhere?)
- Stub out rump cprng further until we can rumpify rndsink instead.
- Strip code to grovel through struct cprng_strong in fstat.

Actually, there's no point in unconditionally compiling in weak stubs
which will never be used in the NetBSD build. Comment hyperstubs.c
out from SRCS, but retain the source module as documentation.

weak stubs for optional hypercalls

* treat kern_malloc.c as an unreal allocator (it's so lightweight)
* get rid of the rumpuser_realloc() hypercall
* pass size to rumpuser_free()

Allow Makefile.rump to append to SRCS.

Use kern_malloc.c instead of the relegated allocators in memalloc.c.
Previously this didn't make sense due to the use of kmem_map, but the
new malloc is more dynamic and puts sense into using it.

Always include subr_vmem.c, even with RUMP_UNREAL_ALLOCATORS=yes
(previously it was just missing in that case).

Record wchan to unreal pool_init() to avoid memory leak warning.

Take into account armv6 hacks from common/lib/libc/arch/arm/atomic to
allow this to build with -march=armv6k

Add references to ${_NETBSD_VERSION_DEPENDS} for files that
need to be re-created when the NetBSD version changes. They
will also be re-created when any build settings are changed.

branches: 1.119.2;
Make it possible to select between real and unreal allocators from
make. Plus some gratuitous renaming.

rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.

G/C kern_malloc_stdtype.c

P1003_1B_SEMAPHORE is no longer optional.

branches: 1.115.2;
Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.

When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:

bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;

This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.

Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.

Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.

We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).

The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.

Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.

Documentation is incoming, I am proof-reading my writings.

Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.

See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html

XXX might consider va0 mapping too.

XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.

branches: 1.113.2;
Revert "stopcap fix" for rump by christos, which causes build failure on
most non-x86 ports and seems unnecessary. (caused by wrong rump_namei.h?)

Add subr_open_disk.c for getdiskinfo(). Once we get rid of getdiskinfo,
this will not be needed.

First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.

branches: 1.110.2;
include uvm_object.c in the rump kernel for the new uvm_obj* functions.
don't build the uvm_object.c uvm_object_printit() for _RUMPKERNEL. (XXX)
add empty panic() stubs for uvm_loanbreak() and ubc_purge().

fixes some more 5.99.53 rump build issues.

branches: 1.109.2;
Spell --fatal-warnings with two hyphens

Include bsd.own.mk before making decisions based on mk.conf.

use compat code from sys/compat/common

branches: 1.106.2;
Support LOCKDEBUG. To use it, compile sys/rump with RUMP_LOCKDEBUG=yes.

requested by martin (sparc64 gdb cannot reliably produce a stack trace)

Add SMP support for all architectures.

tested on sparc64 by martin

Support MKREPRO

Duh, it's x86_64, not amd64. This should make the races which
require SMP trigger in the amd64/qemu runs again.

rename atomic_cas_up to rump_atomic_cas_up to avoid collisions

Encode smp-capability into the makefile so that it can be used to
avoid potential screwups.

Add a lockless uniprocessor version of atomic_cas_generic.c, which
is currently used by all the archs that previously used cas_generic.

Realize the >1yo comment above rump_reboot and retire them to make
room for sys_reboot.

"i build dead files". ok, so let's not.

Use standard uvm aobj pager. Most of the kernel aobj pager complexity
comes from swap handling, but that is included only with VMSWAP.

Implement rump_lwproc: the new lwp/proc management routines for
rump. These move the management of the pid/lwpid space from the
application into the kernel, make code more robust, and make it
possible to attach multiple lwp's to non-proc0 processes.

Include kern_prot.c for setuid etc.

Use one line per sys/kern source module. no functional change.

Add the new kern_cfglock.c to rump.

* move stat syscalls to newstyle compat
* implement compat for pollts

Reinstate the blanket pmap.h for archs which do not conform to the
kernel ABI (i.e. not i386 or amd64). Due to the "half function,
half macro, all noodles" nature of pmap.h, it's too entangling and
too brittle to keep up with an ifdeffy MI implementation.

Fix previous in emul.c -- only numbers are operands for cpp comparisons.
Apparently non-numbers logically produce arch-dependent behaviour.

Use kern_proc.c instead of a collection of stubs. But what we
really wanted from this commit was the support for proc_specificdata.

TODO: make creating a new process actually use kern_proc and
maybe even add an interface which starts a process with
"any pid you don't like"

Make vers.c depend on sys/param.h too, to ensure that this file is
regenerated for on kernel version bump. Avoids __NetBSD_Version__ and
osrelease out of sync problem for mkupdate builds.

ok from pooka@.

Whoops, default to MP locking.

Add uniprocessor versions of mutex/rw/cv. They work only on virtual
unicpu configurations (i.e. RUMP_NCPU==1), but are massively faster
than the multiprocessor versions since the fast path does not have
to perform any cache coherent operations. _Applications_ with
lock-happy kernel paths, i.e. _not_ lock microbenchmarks, measure
up to tens of percents speedup on my Core2 Duo. Every globally
atomic state required by normal locks/atomic ops implies a hideous
speed penalty even for the fast path.

While this requires a unicpu configuration, it should be noted that
we are talking about a virtual unicpu configuration. The host can
have as many processors as it desires, and the speed benefit of
virtual unicpu is still there. It's pretty obvious that in terms
of scalability simple workload partitioning and replication into
multiple kernels wins hands down over complicated locking or
locklessing algorithms which depend on globally atomic state.

Move routines related to kernel locking and scheduling from
locks.c to klock.c.

No functional change.

Actually, push defining _RUMPKERNEL down to libkern, since it's
not needed elsewhere.

Limit visibility of _RUMPKERNEL to prevent abuse.

Include devsw_conv0 from an i386 kernel compilation (no, we don't
care about the arch as long as all the devices we care about are
present). The file should be autogenerated, but that requires some
more changes to config(1).

Implement kobj_renamespace() for rump. Support for a few archs is
missing, but that doesn't really matter, since they are living in
their own "everything is a macro" happyland and don't support the
native kernel ABI anyway.

Move sys_module from vfs to kern -- while modules cannot be loaded,
there's not forbidden about querying the list of (builtin) modules
even when running without vfs.

support kern_resource

Move all signal-related from emul.c to signals.c. Additionally,
define a few alternate signal models for the rump kernel, including
ones where signals are ignored or sent to host processes.

Use kern_syscall.c instead of homegrown syscall dis/establishment routines.

Include kern_tc and use a timecounter driver instead of homerolled
kern_tc implementation.

support lwp specificdata

branches: 1.74.2;
Globally define -Wno-pointer-sign, as it has become a pointless
exercise of "add it to every Makefile individually".

XXX: should autosynchronize with the rest of the kernel buildflags
in sys/conf/Makefile.kern.inc.

branches: 1.73.2;
Include newly-created subr_device.c and remove few special case
device accessor copypastes. This makes it possible to link static
binaries which use -lrumpdev.

include kern_hook.c

Use subr_percpu.c instead of homegrown implementation. ...except
when using malloc(3)-relegated allocators (happens in production
e.g. on Linux), since subr_percpu.c uses vmem and i don't want to
reimplement vmem.

update to newnewvers.sh usage

Generate vers.c and include it in the kernel component.

Make librump play with mips nicely. Define ARCH_ELFSIZE for mips to be 32.
This works for N64 kernels because objcopy them to be 32bit to the bootloaders
can handle them.

rename LD32DIR to MLIBDIR.

Include cpu crosscall support (instead of stubbing it out).

Now that Makefile.rump was changed and everything gets built in
update builds too, flip the allocator define to prefer the kernel
pool/kmem instead of malloc(3). Use malloc(3) only if
RUMP_USE_UNREAL_ALLOCATORS is defined.

include sys_pipe.c

Enable kernel kmem/vmem/pool/pool_cache by default again instead
of malloc(3) allocators.

misc_stub and emul have been the same thing for a looong time now,
so just move the few remaining routines in misc_stub to emul.

Give the kthread->pthread interface emulation its own module.

Pull all relegating memory allocators under a common roof in memalloc.c

move copy-related routines to their own module

Use std. uiomove() & friends.

Use kern_mutex_obj.c directly instead of copypasting code.

move module to SRCS where it logically belongs. no functional change.

Actually, put uvm_readahead into rumpkern, since while it's
technically vfs stuff, sys_descrip depends on it and readahead
itself uses only the pager interface.

treat sun2 like the other losing platforms.

Include sys_select.c for proper select()/poll() support.

Add initial work on a rump virtual cpu scheduler. This is necessary
for kernel code which has been written to avoid MP contention by
using cpu-local storage (most prominently, select and pool_cache).

Instead of always assuming rump_cpu, the scheduler must now be run
(and unrun) on all entry points into rump. Likewise, rumpuser
unruns and re-runs the scheduler around each potentially blocking
operation. As an optimization, I modified some locking primitives
to try to get the lock without blocking before releasing the cpu.

Also, ltsleep was modified to assume that it is never called without
the biglock held and made to use the biglock as the sleep interlock.
Otherwise there is just too much drama with deadlocks. If some
kernel code wants to call ltsleep without the biglock, then, *snif*,
it's no longer supported and rump and should be modified to support
newstyle locks anyway.

Adjust rump sources for external/internal interfaces.
No functional change.

First part of secmodel cleanup and other misc. changes:

- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was

src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h

- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).

- Add a "secmodel" module class and use it. Userland program and
documentation updated.

- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.

- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".

- Adapt the overlay secmodel to recent changes (mainly vnode scope).

- Stop using link-sets for the sysctl node(s) creation.

- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".

- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).

- Get rid of the LKM preprocessor stuff.

- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.

- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().

- 5.99.20.

Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).

Mailing list reference:

http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html

Include humanize and extent support in rumpkern.

include init_sysctl_base.c

Run rump_dev_init() where available.

include syscalls.c

branches: 1.45.2;
Do not include securelevel, it includes too many dependencies on
vfs in its current form.

Add proof-of-concept code for enabling system calls to rump virtual
kernels running in other processes on the same machine or on an
entirely different host. I wrote this a while ago and am now
committing it mainly to avoid losing it. It works, but could do
with a little tuning here and there.

What this will hopefully eventually buy us is the ability to use
standard userland tools to configure rump kernels, e.g. ifconfig(8)
and route(8) could be used to configure the networking stack provided
by a rump kernel. Also some distributed OS implications may apply.

fun fact: a system call which just does copyin/copyout takes >1000x
longer when made over the LAN as compared to when made on the same
machine.

When I switched to real kauth, I forgot to include a secmodel.
Fix this oversight by including bsd44. Makes permissions for p2k
work again.

include subr_evcnt

Support kqueue in the rump virtual kernel.

branches: 1.40.2;
Turn of real allocators and fall back to malloc(3) for the time
being. Since we have many threads but pretend to have only one
cpu, the pool code runs into concurrency trouble for cpu-private
data.

Add a compile-time option to use kmem/vmem/pools from the kernel
sources instead of homegrown allocators. Default to "on", even
though they appear to be a few percent slower at least on short
jobs (e.g. untar to tmpfs).

Change the use of formally undocumented features, which have now been
made to fail. Specifically, change
.ifdef(SYMBOL) -> .ifdef SYMBOL or .if defined(SYMBOL),
and corresponding for .ifndef.

Also correct one error in lib/libm/Makefile (.ifdef (${MKCOMPLEX} != "no")?!?).

Do rump kernel symbol protection for vax. All archs support it now.

* Add adapted version of the userspace atomic_cas ops for platforms
lacking special instructions. We always use the spinlocked version
(could use RAS on UP NetBSD host, but it's not portable).
* Add platform-based symbol quirk tables for selectively not renaming
toolchain symbols for some platforms. Although, this should really
depend on the (toolchain,platform)-tuple and not just the platform.

This allows arm, hppa, mips and sh3 to build succesfully with an
isolated rump kernel namespace. ... now, one arch remains: vax.
you must compile vax. then, only then will you MI be.

Remove vax MD source which is now brought in automatically via libkern.

adjust LD32DIR comment. per discussion with mrg

Rename malloc() to kern_malloc() to avoid name conflict with libc.
Now it is possible to use the kernel linker with rump.

Assemble with _LOCORE.

Include libkern contents in librump.

Add kludge to allow amd64 compat to build. This is not a proper
fix which most likely requires some compat lib build infra toggle.

Include kernel printf routines in rump instead of relying on the
magic libc symbol. This also allows to bid farewell to subr_prf2.c
and merge the contents back to subr_prf.c. The host kernel bridging
is now done via rumpuser_putchar().

Purge multiple kernel opt files.

Define MODULAR for rump core components. This enables module
loading via the kernel module framework (instead of dlopen()).
For now it only works on amd64 and i386, but for the rest it should
just be a matter of including the relevant kobj_machdep.c modules
from the kernel sources.

Include rb.c instead of relying on it being in libc.

-I${RUMPTOP}/librump/rumpkern so that build from src/lib works.

noted by Geoff Wing on current-users

Switch i386 away from rump/include/machine. This means that rump
on i386 now uses the native kernel ABI. This in turn means that
rump modules and kernel modules are binary equivalent and can be
used interchangeably.

include subr_devsw in rumpkern

include snprintb

.PATH maintenance

Split vfs out of rumpkern into rumpvfs. Non-fs rumps no longer
include the file system code. File system rumps explicitly need
to include rumpvfs from now on.

cwd is logically a vfs concept, so take it out from the bosom of
kern_descrip and into vfs_cwd. No functional change.

Move rump public headers to include/rump

branches: 1.17.2; 1.17.4;
Use ${TOOL_SED} instead if plain sed in Makefiles.

branches: 1.16.2;
Add support bits necessary for rumpnet functionality.

Move uidinfo to its own module in kern_uidinfo.c and include in rump.
No functional change to uidinfo.

Add a simple percpu implementation (which isn't actually percpu at
all, since we don't currently have the notion of "real" cpu in
rump...but that's beyond the point).

Support callouts and call callout_hardclock() from the timer
interrupt thread.

The sleepq implementation required for callouts is horrible, kludged
only for callouts, and generally unacceptable. It needs revisiting,
but I'm not sure yet should rump or kern_timeout be improved. It's
almost untested as of now, but committing this will give me some
maneuvering space while letting application compile.

add kern_rate, subr_iostat and subr_once

Reorganize SRCS+= into smaller chunks to make adding new files
easier. No functional change.

No point in having our private atomic ops, just use the ones now
available in libc.

Switch to std kern_auth.

branches: 1.8.2;
Help out reinoud a bit with the challenge of adding vfs_dirhash.c here

Move global malloc types from kern_malloc into a separate module.

branches: 1.6.2;
Add support for using real kmem/vmem. Don't enable it by default,
though, since it a) is a lot of unnecessary indirection in rump
b) requires callouts which are so far unimplemented.

sort sys/kern SRCS alphabetically.

support real sysctls

Merge the simonb-wapbl branch. From the original branch commit:

Add Wasabi System's WAPBL (Write Ahead Physical Block Logging)
journaling code. Originally written by Darrin B. Jewell while
at Wasabi and updated to -current by Antti Kantee, Andy Doran,
Greg Oster and Simon Burge.

OK'd by core@, releng@.

branches: 1.2.2;
Fix race during creation of rumpdefs.h, rumpvnode_if.h, and rumpvnode_if.c.
Patch from pooka@ with tweak from me.

Approved by: pooka

Install rump libraries and utilities to the base system and remove the
private non-installed build infrastructure from sys/rump.

breakdown of commit:
* install relevant headers into /usr/include/rump
* build sys/rump/librump/rumpuser and sys/rump/librump/rumpkern
from src/lib and install as librumpuser and librump, respectively
+ this retains the ability to test a librump build with just the
kernel sources at hand
* move sys/rump/fs/lib/libukfs and sys/rump/fs/lib/libp2k to src/lib
for general consumption, they are not kernel-space dwellers anyway
* build and install sys/rump/fs/lib/lib$fs as librumpfs_$fs
* add chapter 3 manual pages for rump, rumpuser, ukfs and p2k
* build and install userspace kernel file system daemons if MKPUFFS=yes
is spexified
* retire fsconsole for now, it will make a comeback with an actually
implemented version shortly