Default branch: MAIN
Revision 1.3, Thu Apr 30 03:28:18 2020 UTC (3 years, 11 months ago) by riastradh
Branch: MAIN
CVS Tags: cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x, HEAD
Changes since 1.2: +1 -1 lines
FILE REMOVED
Rewrite entropy subsystem.

Primary goals:

1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.

Caveat: rngtest is no longer used generically for RND_TYPE_RNG rndsources. Hardware RNG devices should have hardware-specific health tests. For example, checking for two repeated 256-bit outputs works to detect AMD's 2019 RDRAND bug. Not all hardware RNGs are necessarily designed to produce exactly uniform output.

ENTROPY POOL

- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1 kludge as the cryptographic primitive.
- `Entropy depletion' is available for testing purposes with a sysctl knob kern.entropy.depletion; otherwise it is disabled, and once the system reaches full entropy it is assumed to stay there as far as modern cryptography is concerned.
- No `entropy estimation' based on sample values. Such `entropy estimation' is a contradiction in terms, dishonest to users, and a potential source of side channels. It is the responsibility of the driver author to study the entropy of the process that generates the samples.
- Per-CPU gathering pools avoid contention on a global queue.
- Entropy is occasionally consolidated into global pool -- as soon as it's ready, if we've never reached full entropy, and with a rate limit afterward. Operators can force consolidation now by running sysctl -w kern.entropy.consolidate=1.
- rndsink(9) API has been replaced by an epoch counter which changes whenever entropy is consolidated into the global pool.
  . Usage: Cache entropy_epoch() when you seed. If entropy_epoch() has changed when you're about to use whatever you seeded, reseed.
  . Epoch is never zero, so initialize cache to 0 if you want to reseed on first use.
  . Epoch is -1 iff we have never reached full entropy -- in other words, the old rnd_initial_entropy is (entropy_epoch() != -1) -- but it is better if you check for changes rather than for -1, so that if the system estimated its own entropy incorrectly, entropy consolidation has the opportunity to prevent future compromise.
- Sysctls and event counters provide operator visibility into what's happening:
  . kern.entropy.needed - bits of entropy short of full entropy
  . kern.entropy.pending - bits known to be pending in per-CPU pools, can be consolidated with sysctl -w kern.entropy.consolidate=1
  . kern.entropy.epoch - number of times consolidation has happened, never 0, and -1 iff we have never reached full entropy

CPRNG_STRONG

- A cprng_strong instance is now a collection of per-CPU NIST Hash_DRBGs. There are only two in the system: user_cprng for /dev/urandom and sysctl kern.?random, and kern_cprng for kernel users which may need to operate in interrupt context up to IPL_VM. (Calling cprng_strong in interrupt context does not strike me as a particularly good idea, so I added an event counter to see whether anything actually does.)
- Event counters provide operator visibility into when reseeding happens.

INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)

- Unwired for now; will be rewired in a subsequent commit.
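The epoch-caching usage described in the commit message above, as an added example that is not part of the commit or of NetBSD's source. `mock_entropy_epoch`, `struct consumer` and the timeline are hypothetical userland stand-ins for the kernel's entropy_epoch() and a caller; the block contrasts reseeding on any epoch change with testing only for -1.

```c
#include <stdio.h>

/* Hypothetical stand-in for entropy_epoch(): a variable the demo advances.
 * (unsigned)-1 = never reached full entropy; the value is never 0. */
static unsigned mock_epoch = (unsigned)-1;
static unsigned mock_entropy_epoch(void) { return mock_epoch; }

struct consumer {              /* hypothetical user of seeded state */
    unsigned cached_epoch;     /* epoch seen at last seed; 0 = never seeded */
    unsigned reseeds;          /* number of times we seeded */
};

/* Placeholder: a real consumer would draw fresh seed material here. */
static void reseed(struct consumer *c, unsigned epoch) {
    c->cached_epoch = epoch;
    c->reseeds++;
}

/* Pattern from the commit message: reseed whenever the epoch has changed. */
static void use_checking_change(struct consumer *c) {
    unsigned now = mock_entropy_epoch();
    if (now != c->cached_epoch)
        reseed(c, now);
}

/* Contrast: seed once when the epoch is no longer -1, then never again. */
static void use_checking_minus_one(struct consumer *c) {
    unsigned now = mock_entropy_epoch();
    if (c->reseeds == 0 && now != (unsigned)-1)
        reseed(c, now);
}

/* Constructed timeline: early boot, full entropy, one later consolidation. */
static unsigned run(void (*use)(struct consumer *)) {
    static const unsigned timeline[] = { (unsigned)-1, (unsigned)-1, 1, 1, 2, 2 };
    struct consumer c = { 0, 0 };  /* cached_epoch = 0: reseed on first use */
    for (size_t i = 0; i < sizeof(timeline) / sizeof(timeline[0]); i++) {
        mock_epoch = timeline[i];
        use(&c);
    }
    return c.reseeds;
}

int main(void) {
    printf("change check: %u reseeds\n", run(use_checking_change));
    printf("-1 check: %u reseeds\n", run(use_checking_minus_one));
    return 0;
}
```

On the constructed timeline the change-checking consumer reseeds three times, while the consumer that only tests for -1 seeds once and never picks up the later consolidation.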
Revision 1.2.10.2, Wed Aug 20 00:02:37 2014 UTC (9 years, 8 months ago) by tls
Branch: tls-maxphys
Changes since 1.2.10.1: +147 -0 lines
Rebase to HEAD as of a few days ago.
Revision 1.2.6.2, Thu May 22 11:37:52 2014 UTC (9 years, 10 months ago) by yamt
Branch: yamt-pagecache
Changes since 1.2.6.1: +147 -0 lines
sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was split into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments")
Revision 1.2.10.1, Mon Jun 24 04:21:20 2013 UTC (10 years, 9 months ago) by tls
Branch: tls-maxphys
Changes since 1.2: +0 -147 lines
FILE REMOVED
file rndsink.9 was added on branch tls-maxphys on 2014-08-20 00:02:37 +0000
Revision 1.2.6.1, Mon Jun 24 04:21:20 2013 UTC (10 years, 9 months ago) by yamt
Branch: yamt-pagecache
Changes since 1.2: +0 -147 lines
FILE REMOVED
file rndsink.9 was added on branch yamt-pagecache on 2014-05-22 11:37:52 +0000
Revision 1.2, Mon Jun 24 04:21:20 2013 UTC (10 years, 9 months ago) by riastradh
Branch: MAIN
CVS Tags: yamt-pagecache-base9, tls-maxphys-base, tls-earlyentropy-base, tls-earlyentropy, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, phil-wifi-base, phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, phil-wifi-20190609, phil-wifi, pgoyette-localcount-base, pgoyette-localcount-20170426, pgoyette-localcount-20170320, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, pgoyette-localcount, pgoyette-compat-merge-20190127, pgoyette-compat-base, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315, pgoyette-compat, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-9-base, netbsd-9-3-RELEASE, netbsd-9-2-RELEASE, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1, netbsd-9, netbsd-8-base, netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, netbsd-8, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7, matt-nb8-mediatek-base, matt-nb8-mediatek, localcount-20160914, is-mlppp-base, is-mlppp, bouyer-socketcan-base1, bouyer-socketcan-base, bouyer-socketcan
Branch point for: yamt-pagecache, tls-maxphys
Changes since 1.1: +3 -3 lines
Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset. consttime_memequal is the same as the old consttime_bcmp. explicit_memset is to memset as explicit_bzero was to bcmp. Passes amd64 release and i386/ALL, but I'm sure I missed some spots, so please let me know.
Revision 1.1, Sun Jun 23 02:35:23 2013 UTC (10 years, 9 months ago) by riastradh
Branch: MAIN
Rework rndsink(9) abstraction and adapt arc4random(9) and cprng(9).

rndsink(9):
- Simplify API.
- Simplify locking scheme.
- Add a man page.
- Avoid races in destruction.
- Avoid races in requesting entropy now and scheduling entropy later.

Periodic distribution of entropy to sinks reduces the need for the last one, but this way we don't need to rely on periodic distribution (e.g., in a future tickless NetBSD).

rndsinks_lock should probably eventually merge with the rndpool lock, but we'll put that off for now.

cprng(9):
- Make struct cprng_strong opaque.
- Move rndpseudo.c parts that futz with cprng guts to subr_cprng.c.
- Fix kevent locking. (Is kevent locking documented anywhere?)
- Stub out rump cprng further until we can rumpify rndsink instead.
- Strip code to grovel through struct cprng_strong in fstat.