Re: svn commit: r339492 - head/sys/dev/random

[Mark R V Murray]

> On 20 Oct 2018, at 22:09, Conrad Meyer  wrote:
> 
> Author: cem
> Date: Sat Oct 20 21:09:12 2018
> New Revision: 339492
> URL: https://svnweb.freebsd.org/changeset/base/339492
> 
> Log:
>  Fortuna: ... 

... and a few others.

Thanks, Conrad, for picking these up! Having code reviewed well is a
good feeling :-)

M
-- 

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Re: svn commit: r317015 - in head/sys: boot/forth conf crypto/chacha20 dev/random libkern sys

[Mark R V Murray]

> On 16 Apr 2017, at 20:26, Dag-Erling Smørgrav <d...@des.no> wrote:
> 
> Mark Murray <ma...@freebsd.org> writes:
>> Added:
>>  head/sys/crypto/chacha20/chacha.c   (contents, props changed)
>>  head/sys/crypto/chacha20/chacha.h   (contents, props changed)
> 
> Really?  You committed this code despite having been informed of its
> dubious legal status, and despite knowing full well that another
> implementation was already available?

"Dubious legal status"? Please go and look at the chacha that OpenSSH uses.
You will find it strangely familiar.

You informed me *that* you had written another implementation. You didn't
inform me *when* you were going to pull the trigger.

The time between warning me and committing was a shade over 2 hours.

The fact that 1) yours is optional (arc4random needs standard) 2) your API
is incompatible and 3) both code-sets can co-exist without conflict means
that there is no technical problem, except for the time taken adapt to your
API and bikeshed out the module "standard" vs "optional" status. Oh, and
the time to retest everything.

In the past you have made me wait *months* to make changes to my own code.
Your commit took 2 *hours* between first warning of commit and it hitting
the tree.

You can't say you didn't know my commit was imminent. I had just gotten
a green light from the SO a day or so before.

Here's the timeline:

18th March: I open D10048 - a change that replaces RC4 with ChaCha as
underlying algorithm for arc4random(9). I choose the OpenSSH copy
of chacha.c.

21st March: A brief exchange of emails where DES' Chacha is announced
as existing. No timeline for its committal is discussed.

Fri 14th April, 2:58: SO Green-lights my commit after a few rounds of
changes and discussion.

Sat 14th April, 17:45: DES Adds himself to the reviewer list of D10048
for the first time and makes this comment "Please allow me some time
to commit my Chacha20 implementation first so we can use that instead
of the legally dubious version which is included in this patch. I hit
a snag that I haven't had time to debug, but I'm hoping to have it done
by Tuesday."

Sat 14th April, 19:54: DES make this comment: "Turns out the snag was
that I was loading the wrong version of the module. I have committed
it now (r316982). If anyone is interested, I have a version that
includes test vectors and runs self-tests when loaded, but I removed
them from the final version as they are about six times larger than
the actual code."

DES - are you kidding me??! 2 hours 9 minutes warning? I already had
a green light; I wan't watching Phabricator, I was prepping my commit!

"Please allow me some time", then you drop your warning from 3 days
to 2 hours!

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Re: svn commit: r317015 - in head/sys: boot/forth conf crypto/chacha20 dev/random libkern sys

[Mark R V Murray]

> On 16 Apr 2017, at 15:26, Conrad Meyer <c...@freebsd.org> wrote:
> * I believe you've taken the right approach.  But somehow your import
> of chacha should be reconciled with DES' import (i.e., keep only one
> copy in the tree).
> * I don't believe the chacha code being standard is an undue burden.
> Especially balanced by kicking out RC4.

This is the way I'd like to see things go.

> Thanks for doing this work.

You are most welcome!

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Re: svn commit: r317015 - in head/sys: boot/forth conf crypto/chacha20 dev/random libkern sys

[Mark R V Murray]

> On 16 Apr 2017, at 17:04, Rodney W. Grimes <free...@pdx.rh.cn85.dnsmgr.net> 
> wrote:
> So you can understand me being started when any of this arrived?  I am
> on several of the mailling list, and I think -security is probably one
> of them.

I was thoroughly ignored last time I tried to use -security. It was, however,
a while back. I'll try again.

> What watch list is this?  And do we have a watch list that is just "New 
> Phabricator
> created" so we can make just that incident go to some mailling list so people 
> stop
> getting caught off guard by commits that have been reviews that they wish 
> they had
> even known there was a review?  We just need a way for being allerted there 
> is a
> new review that we *might* be interested, or care to participate in without 
> being
> on all the watch lists.

There is 'secteam' on Phabricator.

> And to add my hidden Blue Paint, we need to stop fearing the bike shed, the 
> project
> seems to have stifled the communications process to the point it is becoming a
> closed door shop with everyone working in secret then dumping a commit in 
> once they
> are done.  Yes, bike sheds are a bit time consuming, but so is duplicate work 
> cause
> you had no idea someone else was working in the same area (your LKM suprize is
> an excellent example).

> We must stop working in vacuums and start to communicate, and if that means we
> have a few bike sheds... well.. paints on me (though I reserve the blue for 
> personal use!)

Can't please everybody, but I'll add -security to the list next time.

There is a fair bit of history that predates your return to the project; me 
getting
attention to folks prepared to do reviews is a sore point. I use Phabricator 
because
it works for me (I get reviews). I was largely ignored on the mailing lists 
last time
I had a big commit. 

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Re: svn commit: r317015 - in head/sys: boot/forth conf crypto/chacha20 dev/random libkern sys

[Mark R V Murray]

> On 16 Apr 2017, at 15:21, Rodney W. Grimes <free...@pdx.rh.cn85.dnsmgr.net> 
> wrote:
>>>> RC4 has been standard for many years.
>>> Probably another rapid mode of design rather than a thoughful mode, we
>>> have a chance to correct this here, and imho, should.
>> 
>> Fix it, sure. What's wrong with doing that as a next step? Why does this
>> change need to be held to ransom?
> 
> Thats a fair point, let me counter, why do I want this change at all?

RC4 is broken cryptographically. FreeBSD was lagging behind in still using it.

> Is it just the new kid on the block and everyone wants to play with the
> new toy, or does it bring the users some wonderful star bright feature
> that they just can not live without?  Is arc4random(9) some how fundementaly
> broken without chacha?

Most folks won't notice a darn thing. Crap random numbers are very often
hard to tell apart from good ones, and if you are not depending on them in a
relevant way you won't notice anything.

The big deal is that the attack vector for folks counting on (broken)
RC4 is now gone. For most FreeBSD users this is theoretical interest only.

> Your code in and working now? 

Yes.

> We just have 2 implementations of chacha, correct?

Correct.

> One in your static compiled in kernel section, and one as an LKM?

Correct. The latter startled me when it arrived.

>>>> Up until now, arc4random worked with unconditional RC4.
>>> 
>>> And your wanting to just replace unconditional RC4 for unconditional chacha?
>>> Or actuall, aleady did?
>> 
>> Correct. Both counts. It was up on Phabricator for weeks, BTW.
> 
> We are having what I believe is a very serious disjoint in project 
> communications
> caused by phabricator.  How are the developers notified of new things going
> up in phabricator?  I get bugzilla reports, but I get zip from phabriactor 
> unless
> I go ask it for stuff.   I get #network stuff cause I saw that in a commit 
> that
> I would of liked to been aware of early and added into that project, but 
> overall
> I think we need to work on this communcations too.

True. I promised SO@ that I would get all my CSPRNG stuff reviewed in 
Phabricator
before committing it. All the folks who in the past have cared about my work now
are on the relevant watch-list. Apart from spamming everyone, what do you 
suggest?

M
-- 
Mark R V Murray
___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Re: svn commit: r317015 - in head/sys: boot/forth conf crypto/chacha20 dev/random libkern sys

[Mark R V Murray]

> On 16 Apr 2017, at 13:30, Rodney W. Grimes <free...@pdx.rh.cn85.dnsmgr.net> 
> wrote:
> 
>> The RC4 algorithm is standard. Making the alogorithm pluggable means more
>> code, more testing and more time (time which I am rather short of).
> 
> I would rather see a proper implementation later, than a poor design
> decision today.

I would love to see a perfect solution too. As I don't have the time for it,
I took the time to get a working solution reviewed and pretty heavily tested.
Reviewed by SO@, that is.

>>> Also you can always compile in a module, you can not compile out
>>> a 'standard' file.
>>> 
>>> For now could you just add
>>> options chacha #Required by arc4random, do not remove
>>> to your kernel and move on?  For me this would be an acceptable
>>> developement, even releasable, way to proceed while the more
>>> complex issue of how to make the kernel RNG use plagable lkm
>>> lower layers.
>> 
>> It would have to be unconditionally added to *all* kernels. Could be
>> done, I guess.
> 
> We dont have that many in base kernel configs do we?

No. But what about folks' own configs that break all-of-a-sudden? I've
been pretty angry n a few occasions when I'm trying to fix my own problems
and I had to waste time sorting out tangential, avoidable problems.

What's the difference between making this 'standard' in sys/files/conf
and adding a compulsory change to ALL kernel files (apart from the fact
that we miss the users' kernel configs)? We can even keep the
module stubs in the code. Later, when/if arc4random(9) becomes a loadable
module (I'd *LOVE* to see how we get that right without compromising
the RNG early start), we can make it optional. That is a one line change
to sys/conf/files.

>> RC4 has been standard for many years.
> Probably another rapid mode of design rather than a thoughful mode, we
> have a chance to correct this here, and imho, should.

Fix it, sure. What's wrong with doing that as a next step? Why does this
change need to be held to ransom?

>> Up until now, arc4random worked with unconditional RC4.
> 
> And your wanting to just replace unconditional RC4 for unconditional chacha?
> Or actuall, aleady did?

Correct. Both counts. It was up on Phabricator for weeks, BTW.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Re: svn commit: r317015 - in head/sys: boot/forth conf crypto/chacha20 dev/random libkern sys

[Mark R V Murray]

> On 16 Apr 2017, at 13:07, Rodney W. Grimes <free...@pdx.rh.cn85.dnsmgr.net> 
> wrote:
> 
>>> From replacing the rc4 algorithm with chacha20, this chalice has now
>> become poisoned with the job of redesigning the entire structure of
>> kernel random-number generation.
>> 
>> This may take a while, and I'm already behind on RNG jobs.
> 
> I do not see how this is a complete redesign of RNG, and if it is
> such a heart ache to change algorithms in this code then it probably
> should be redesigned?

The RC4 algorithm is standard. Making the alogorithm pluggable means more
code, more testing and more time (time which I am rather short of).

> Also you can always compile in a module, you can not compile out
> a 'standard' file.
> 
> For now could you just add
>   options chacha #Required by arc4random, do not remove
> to your kernel and move on?  For me this would be an acceptable
> developement, even releasable, way to proceed while the more
> complex issue of how to make the kernel RNG use plagable lkm
> lower layers.

It would have to be unconditionally added to *all* kernels. Could be
done, I guess.

RC4 has been standard for many years.

>>> I am sure with careful though we can find a way to allow arc4random
>>> to use a pointer that knows if the chacha code is avaliable, and use
>>> it if so, and if not fall back to something else, or punt with an
>>> error return.
>> 
>> Error return is out of the question; arc4random() is pretty fundamental.
>> The alternative is to return no or fake random numbers, which rather
>> misses the point of what this is for. But it can be done.
> 
> Arc4random works today without chacha, why would adding support for chache
> as an optional loadable function break that?  *truely confused*

Up until now, arc4random worked with unconditional RC4.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Re: svn commit: r317015 - in head/sys: boot/forth conf crypto/chacha20 dev/random libkern sys

[Mark R V Murray]

> On 16 Apr 2017, at 12:50, Rodney W. Grimes <free...@pdx.rh.cn85.dnsmgr.net> 
> wrote:
> 
>> This does not use DES' Chacha20 commit, as I had already completed the
>> testing for it, and received SO@ approval.
>> 
>> DES's commit made Chaha20 a module. This is of no use to arc4random(9),
>> which needs the code to be standard. Also his API is different.
>> 
>> I have no objection to reworking the arc4random/Chacha below to use DES'
>> version of Chacha, but his code needs to be standard library code,
>> not an optional module.
>> 
>> Any objections to me doing this?
> 
> Yes
> 
> We need to move towards more modules, not less.  Having this standard
> does not even allow one to compile a kernel without it.  I should be
> able to compile a kernel without arc4random(9) and without chacha if
> I so desire.  And I should be able to load and unload these if I so
> desire.  This later feature is VERY usefull for developement and
> debug cycles.

>From replacing the rc4 algorithm with chacha20, this chalice has now
become poisoned with the job of redesigning the entire structure of
kernel random-number generation.

This may take a while, and I'm already behind on RNG jobs.

> I am sure with careful though we can find a way to allow arc4random
> to use a pointer that knows if the chacha code is avaliable, and use
> it if so, and if not fall back to something else, or punt with an
> error return.

Error return is out of the question; arc4random() is pretty fundamental.
The alternative is to return no or fake random numbers, which rather
misses the point of what this is for. But it can be done.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Re: svn commit: r317015 - in head/sys: boot/forth conf crypto/chacha20 dev/random libkern sys

[Mark R V Murray]

U8TO32_LITTLE(m + 4));
> +x2 = XOR(x2,U8TO32_LITTLE(m + 8));
> +x3 = XOR(x3,U8TO32_LITTLE(m + 12));
> +x4 = XOR(x4,U8TO32_LITTLE(m + 16));
> +x5 = XOR(x5,U8TO32_LITTLE(m + 20));
> +x6 = XOR(x6,U8TO32_LITTLE(m + 24));
> +x7 = XOR(x7,U8TO32_LITTLE(m + 28));
> +x8 = XOR(x8,U8TO32_LITTLE(m + 32));
> +x9 = XOR(x9,U8TO32_LITTLE(m + 36));
> +x10 = XOR(x10,U8TO32_LITTLE(m + 40));
> +x11 = XOR(x11,U8TO32_LITTLE(m + 44));
> +x12 = XOR(x12,U8TO32_LITTLE(m + 48));
> +x13 = XOR(x13,U8TO32_LITTLE(m + 52));
> +x14 = XOR(x14,U8TO32_LITTLE(m + 56));
> +x15 = XOR(x15,U8TO32_LITTLE(m + 60));
> +
> +j12 = PLUSONE(j12);
> +if (!j12) {
> +  j13 = PLUSONE(j13);
> +  /* stopping at 2^70 bytes per nonce is user's responsibility */
> +}
> +
> +U32TO8_LITTLE(c + 0,x0);
> +U32TO8_LITTLE(c + 4,x1);
> +U32TO8_LITTLE(c + 8,x2);
> +U32TO8_LITTLE(c + 12,x3);
> +U32TO8_LITTLE(c + 16,x4);
> +U32TO8_LITTLE(c + 20,x5);
> +U32TO8_LITTLE(c + 24,x6);
> +U32TO8_LITTLE(c + 28,x7);
> +U32TO8_LITTLE(c + 32,x8);
> +U32TO8_LITTLE(c + 36,x9);
> +U32TO8_LITTLE(c + 40,x10);
> +U32TO8_LITTLE(c + 44,x11);
> +U32TO8_LITTLE(c + 48,x12);
> +U32TO8_LITTLE(c + 52,x13);
> +U32TO8_LITTLE(c + 56,x14);
> +U32TO8_LITTLE(c + 60,x15);
> +
> +if (bytes <= 64) {
> +  if (bytes < 64) {
> +for (i = 0;i < bytes;++i) ctarget[i] = c[i];
> +  }
> +  x->input[12] = j12;
> +  x->input[13] = j13;
> +  return;
> +}
> +bytes -= 64;
> +c += 64;
> +m += 64;
> +  }
> +}
> 
> Added: head/sys/crypto/chacha20/chacha.h
> ==
> --- /dev/null 00:00:00 1970   (empty, because file is newly added)
> +++ head/sys/crypto/chacha20/chacha.h Sun Apr 16 09:11:02 2017
> (r317015)
> @@ -0,0 +1,32 @@
> +/* $OpenBSD: chacha.h,v 1.4 2016/08/27 04:04:56 guenther Exp $ */
> +
> +/*
> +chacha-merged.c version 20080118
> +D. J. Bernstein
> +Public domain.
> +
> + $FreeBSD$
> +*/
> +
> +#ifndef CHACHA_H
> +#define CHACHA_H
> +
> +#include 
> +
> +struct chacha_ctx {
> + u_int input[16];
> +};
> +
> +#define CHACHA_MINKEYLEN 16
> +#define CHACHA_NONCELEN  8
> +#define CHACHA_CTRLEN8
> +#define CHACHA_STATELEN  (CHACHA_NONCELEN+CHACHA_CTRLEN)
> +#define CHACHA_BLOCKLEN  64
> +
> +void chacha_keysetup(struct chacha_ctx *x, const u_char *k, u_int kbits);
> +void chacha_ivsetup(struct chacha_ctx *x, const u_char *iv, const u_char 
> *ctr);
> +void chacha_encrypt_bytes(struct chacha_ctx *x, const u_char *m,
> +u_char *c, u_int bytes);
> +
> +#endif   /* CHACHA_H */
> +
> 
> Modified: head/sys/dev/random/random_harvestq.c
> ==
> --- head/sys/dev/random/random_harvestq.c Sun Apr 16 09:00:10 2017
> (r317014)
> +++ head/sys/dev/random/random_harvestq.c Sun Apr 16 09:11:02 2017
> (r317015)
> @@ -352,10 +352,19 @@ random_harvestq_prime(void *unused __unu
>* Get entropy that may have been preloaded by loader(8)
>    * and use it to pre-charge the entropy harvest queue.
>*/
> - keyfile = preload_search_by_type(RANDOM_HARVESTQ_BOOT_ENTROPY_FILE);
> + keyfile = preload_search_by_type(RANDOM_CACHED_BOOT_ENTROPY_MODULE);
> +#ifndef NO_BACKWARD_COMPATIBILITY
> + if (keyfile == NULL)
> + keyfile = preload_search_by_type(RANDOM_LEGACY_BOOT_ENTROPY_MODULE);
> +#endif
>   if (keyfile != NULL) {
>   data = preload_fetch_addr(keyfile);
>   size = preload_fetch_size(keyfile);
> + /* skip the first bit of the stash so others like arc4 can also 
> have some. */
> + if (size > RANDOM_CACHED_SKIP_START) {
> + data += RANDOM_CACHED_SKIP_START;
> + size -= RANDOM_CACHED_SKIP_START;
> + }
>   /* Trim the size. If the admin has a file with a funny size, we 
> lose some. Tough. */
>   size -= (size % sizeof(event.he_entropy));
>   if (data != NULL && size != 0) {
> 
> Modified: head/sys/dev/random/random_harvestq.h
> ==
> --- head/sys/dev/random/random_harvestq.h Sun Apr 16 09:00:10 2017
> (r317014)
> +++ head/sys/dev/random/random_harvestq.h Sun Apr 16 09:11:02 2017
> (r317015)
> @@ -1,5 +1,5 @@
> /*-
> - * Copyright (c) 20

Re: svn commit: r316982 - in head/sys: conf crypto/chacha20 modules modules/chacha20

[Mark R V Murray]

> On 15 Apr 2017, at 21:51, Dag-Erling Smørgrav <d...@freebsd.org> wrote:
> 
> Author: des
> Date: Sat Apr 15 20:51:53 2017
> New Revision: 316982
> URL: https://svnweb.freebsd.org/changeset/base/316982
> 
> Log:
>  3BSD-licensed implementation of the chacha20 stream cipher, intended for
>  use by the upcoming arc4random replacement.
> 
> Added:
>  head/sys/crypto/chacha20/
>  head/sys/crypto/chacha20/chacha20.c   (contents, props changed)
>  head/sys/crypto/chacha20/chacha20.h   (contents, props changed)
>  head/sys/modules/chacha20/
>  head/sys/modules/chacha20/Makefile   (contents, props changed)
> Modified:
>  head/sys/conf/files
>  head/sys/modules/Makefile

This is a loadable module, unlike the RC4 code which it needs to replace, and 
which is standard.

Making it loadable makes no sense in the context of arc4random(9).

Do you mind if I strip out the module bits in order to get my arc4random(9) 
commit completed?

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Re: svn commit: r303035 - in head/sys: arm/broadcom/bcm2835 boot/fdt/dts/arm sys

[Mark R V Murray]

 stall");
> +#ifdef BCM2835_RNG_DEBUG_REGISTERS
> + SYSCTL_ADD_PROC(sysctl_ctx, SYSCTL_CHILDREN(sysctl_tree), OID_AUTO,
> + "dumpregs", CTLTYPE_STRING | CTLFLAG_RD, sc, 0,
> + sysctl_bcm2835_rng_dump, "S", "Dump RNG registers");
> +#endif
> +
> +#if defined(BCM2835_RNG_USE_CALLOUT)
> + /* Reset callout */
> + if (hz >= 100)
> + sc->sc_rnghz = hz / 100;
> + else
> + sc->sc_rnghz = 1;
> + callout_reset(>sc_rngto, sc->sc_rnghz, bcm2835_rng_harvest, sc);
> +#endif
> +
> + return (0);
> +}
> +
> +static int
> +bcm2835_rng_detach(device_t dev)
> +{
> + struct bcm2835_rng_softc *sc;
> +#if defined(BCM2835_RNG_USE_INTERRUPT)
> + int error;
> +#endif
> +
> + sc = device_get_softc(dev);
> +
> + /* Stop the RNG */
> + bcm2835_rng_stop(sc);
> +
> + /* Drain the callout it */
> +#if defined(BCM2835_RNG_USE_CALLOUT)
> + callout_drain(>sc_rngto);
> +#endif
> +
> +#if defined(BCM2835_RNG_USE_INTERRUPT)
> + /* Tear down the interrupt */
> + if (sc->sc_irq_res && sc->sc_intr_hdl) {
> + error = bus_teardown_intr(dev, sc->sc_irq_res, sc->sc_intr_hdl);
> + if (error != 0) {
> + device_printf(dev, "could not tear down IRQ\n");
> + return (error);
> + }
> + sc->sc_intr_hdl = NULL;
> + }
> +
> + /* Release interrupt resource */
> + if (sc->sc_irq_res) {
> + bus_release_resource(dev, SYS_RES_IRQ, 0, sc->sc_irq_res);
> + sc->sc_irq_res = NULL;
> + }
> +#endif
> +
> + /* Release memory resource */
> + if (sc->sc_mem_res != NULL)
> + bus_release_resource(dev, SYS_RES_MEMORY, 0, sc->sc_mem_res);
> +
> + return (0);
> +}
> +
> +static device_method_t bcm2835_rng_methods[] = {
> + /* Device interface */
> + DEVMETHOD(device_probe, bcm2835_rng_probe),
> + DEVMETHOD(device_attach,bcm2835_rng_attach),
> + DEVMETHOD(device_detach,bcm2835_rng_detach),
> +
> + DEVMETHOD_END
> +};
> +
> +static driver_t bcm2835_rng_driver = {
> + "bcmrng",
> + bcm2835_rng_methods,
> + sizeof(struct bcm2835_rng_softc)
> +};
> +static devclass_t bcm2835_rng_devclass;
> +
> +DRIVER_MODULE(bcm2835_rng, simplebus, bcm2835_rng_driver,
> +bcm2835_rng_devclass, 0, 0);
> +DRIVER_MODULE(bcm2835_rng, ofwbus, bcm2835_rng_driver, bcm2835_rng_devclass, 
> 0,
> +0);
> +MODULE_VERSION(bcm2835_rng, 1);
> +MODULE_DEPEND(bcm2835_rng, randomdev, 1, 1, 1);
> 
> Modified: head/sys/arm/broadcom/bcm2835/files.bcm283x
> ==
> --- head/sys/arm/broadcom/bcm2835/files.bcm283x   Tue Jul 19 18:05:25 
> 2016(r303034)
> +++ head/sys/arm/broadcom/bcm2835/files.bcm283x   Tue Jul 19 18:07:47 
> 2016(r303035)
> @@ -10,6 +10,7 @@ arm/broadcom/bcm2835/bcm2835_gpio.c opt
> arm/broadcom/bcm2835/bcm2835_intr.c   standard
> arm/broadcom/bcm2835/bcm2835_machdep.cstandard
> arm/broadcom/bcm2835/bcm2835_mbox.c   standard
> +arm/broadcom/bcm2835/bcm2835_rng.c   optional random
> arm/broadcom/bcm2835/bcm2835_sdhci.c  optional sdhci
> arm/broadcom/bcm2835/bcm2835_spi.coptional bcm2835_spi
> arm/broadcom/bcm2835/bcm2835_vcio.c   standard
> 
> Modified: head/sys/boot/fdt/dts/arm/bcm2835.dtsi
> ==
> --- head/sys/boot/fdt/dts/arm/bcm2835.dtsiTue Jul 19 18:05:25 2016
> (r303034)
> +++ head/sys/boot/fdt/dts/arm/bcm2835.dtsiTue Jul 19 18:07:47 2016
> (r303035)
> @@ -396,6 +396,14 @@
>   };
>   };
> 
> + rng {
> + compatible = "broadcom,bcm2835-rng",
> +  "broadcom,bcm2708-rng";
> + reg = <0x104000 0x20>;
> + interrupts = <69>;
> + interrupt-parent = <>;
> + };
> +
>   bsc0 {
>   #address-cells = <1>;
>   #size-cells = <0>;
> 
> Modified: head/sys/boot/fdt/dts/arm/bcm2836.dtsi
> ==
> --- head/sys/boot/fdt/dts/arm/bcm2836.dtsiTue Jul 19 18:05:25 2016
> (r303034)
> +++ head/sys/boot/fdt/dts/arm/bcm2836.dtsiTue Jul 19 18:07:47 2016
> (r303035)
> @@ -389,6 +389,14 @@
>   };
>   };
> 
> + rng {
> + compatible = "broadcom,bcm2835-rng",
> +  "broadcom,bcm2708-rng";
> + reg = <0x104000 0x20>;
> + interrupts = <69>;
> + interrupt-parent = <>;
> + };
> +
>   bsc0 {
>   #address-cells = <1>;
>   #size-cells = <0>;
> 
> Modified: head/sys/sys/random.h
> ==
> --- head/sys/sys/random.h Tue Jul 19 18:05:25 2016(r303034)
> +++ head/sys/sys/random.h Tue Jul 19 18:07:47 2016(r303035)
> @@ -90,6 +90,7 @@ enum random_entropy_source {
>   RANDOM_PURE_NEHEMIAH,
>   RANDOM_PURE_RNDTEST,
>   RANDOM_PURE_VIRTIO,
> + RANDOM_PURE_BROADCOM,
>   ENTROPYSOURCE
> };
> 
> 

--
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r286984 - head/sys/modules/zfs

[Mark R V Murray]

 On 21 Aug 2015, at 09:20, Andriy Gapon a...@freebsd.org wrote:
 
 
 Precisely because it's the standalone build (cd sys/modules/zfs  make
 ...) that was affected.  Building the module as a part of the kernel
 build worked just fine.

That makes sense. Now I need a regression test to ensure at this problem
is not elsewhere and doesn’t return.

Where do folks put these? I don’t mind writing one.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r286984 - head/sys/modules/zfs

[Mark R V Murray]

Thanks!

I’ve been running “make universe” here as a build-test. I wonder why this was 
not picked up?

M

 On 21 Aug 2015, at 09:06, Andriy Gapon a...@freebsd.org wrote:
 
 Author: avg
 Date: Fri Aug 21 08:06:18 2015
 New Revision: 286984
 URL: https://svnweb.freebsd.org/changeset/base/286984
 
 Log:
  fix standalone build of zfs module
 
  Not sure if this is a proper fix, but it does the job.
 
 Modified:
  head/sys/modules/zfs/Makefile
 
 Modified: head/sys/modules/zfs/Makefile
 ==
 --- head/sys/modules/zfs/Makefile Fri Aug 21 08:04:56 2015
 (r286983)
 +++ head/sys/modules/zfs/Makefile Fri Aug 21 08:06:18 2015
 (r286984)
 @@ -4,7 +4,7 @@ SYSDIR?=${.CURDIR}/../..
 
 KMOD= zfs
 
 -SRCS=bus_if.h device_if.h vnode_if.h opt_kstack_pages.h
 +SRCS=bus_if.h device_if.h vnode_if.h opt_kstack_pages.h opt_random.h
 
 SUNW= ${SYSDIR}/cddl/contrib/opensolaris
 
 

-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 2 Jul 2015, at 00:07, Simon J. Gerraty s...@juniper.net wrote:
 
 Mark Murray ma...@freebsd.org wrote:
  * src/sys/dev/random/random_adaptors.c src/sys/dev/random/random_adaptors.h
  - Remove; plugability is no longer used. Compile-time algorithm
selection is the way to go.
 
 Errr we use that and need it.
 Please put it back.
 
 Whether we agree with NIST's ideas about how randomness should be
 handled or not, we need to to be able to comply and we do not want to
 burn their desired arrangement into our kernels.

I’m nearly done with this. Please be patient for a few more days.

Thanks!

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 25 Jul 2015, at 06:06, Scott Long scott4l...@yahoo.com wrote:
 
 I’m working on a premise of “tools, not policy”. I’d like there to be
 enough harvesting points for the box owner to get the warm fuzzies.
 If they choose to use less, fine by me.
 
 
 Sure, and that’s not an unreasonable goal, but the devil is in the details.

Yes, indeed!

 It’s an unfortunate fact of modern CPU architecture that even something
 as simple and innocent as a run-time control that checks a variable can
 cause significant performance problems, thanks to the penalty of cache
 misses and bus contention between lots of CPU cores.  Maybe these
 “extended” collection points should be controlled with a compile-time
 option?

They can. I’ve coded it already, but not tested it properly, and will
commit in a week or two. :-)

 
 Many of the issues that FreeBSD sees with lack of entropy at start up
 is more of a problem on how systems are installed and provisioned.  I
 don't believe that we currently store any entropy from the install
 process, yet this is one of the best places to get it, the user is
 banging on keyboard selecting options, etc.  If an image is designed
 to be cloned (vm images or appliance images) we need to have a
 mechanism to ensure that before we start, we get the entropy from
 other sources, be it a hardware RNG or the console.
 
 Getting an initial entropy bundle for first boot is high up on my
 TODO list. :-) Patches welcome! We need the usual /entropy (or
 /var/db/entropy/… or whatever) and crucially we need /boot/entropy
 and the correct invocation in /boot/loader.conf.
 
 
 I agree that bootstrap entropy is a big deal, especially with the increasing
 prevalence of using virtual machine containers, cloned images, and
 datacenter automation.  Addressing that is an interesting problem, and
 goes well beyond the scope of in-kernel entropy collection.  I wish I had
 a simple answer or a patch for you ;-)

The hard stuff has been done. We just need to write (e.g.) 4k of good
numbers to /boot/entropy and job nearly done. This could be done by
sysinstall or by the cloning system, for example.

The embedded folks will still need a bit more careful etc/rc.d/* design.

 Well, sure, but what if you don’t have microphone? I want lots
 of choices, in anticipation of only a subset being usable.
 
 
 I still think that for most use cases where you have a high likelyhood
 of draining /dev/random of useful bits, you’re likely already on a tight
 budget for CPU cycles and you’ll probably just look to a hardware
 accelerator rather than sacrifice even more CPU cycles.  At least,
 that’s what the nice sale people at Cavium and Intel tell me ;-)

Sure, but I don’t trust them either. This is the professional mistrust
of crypto, not an assertion of incompetence or malice. ;-) They do,
however, fulfil a need, but I don’t like the idea of trusting a single
source unless that source has been properly vetted.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 25 Jul 2015, at 07:26, John-Mark Gurney j...@funkthat.com wrote:
 
 Once you have enough useful bits in /dev/random, you can NEVER run out
 of useful bits from /dev/random...
 
 [Well, not quite NEVER, but not for a few millennia.]


So is your position effectively anti-harvesting, or at least to turn
off all harvesting after a certain time and never turn it on again?

If so, we are pretty far apart philosophically.

DJB’s position is interesting, but I am far from persuaded by it.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 25 Jul 2015, at 17:05, Scott Long scott4l...@yahoo.com wrote:
 
 
 What you posted this morning for review is a great start.  Thanks for the
 productive conversation on this.

:-)

I will do the same/similar for networking and for file ATIME mods.

What else causes grief for you?

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 25 Jul 2015, at 18:46, John-Mark Gurney j...@funkthat.com wrote:
 
 Mark R V Murray wrote this message on Sat, Jul 25, 2015 at 09:22 +0100:
 On 25 Jul 2015, at 07:26, John-Mark Gurney j...@funkthat.com wrote:
 
 Once you have enough useful bits in /dev/random, you can NEVER run out
 of useful bits from /dev/random...
 
 [Well, not quite NEVER, but not for a few millennia.]
 
 So is your position effectively anti-harvesting, or at least to turn
 off all harvesting after a certain time and never turn it on again?
 
 No, I am not, I was just stating a fact of how CSPRNGs work that
 people keep forgetting…

I think you need to consider the attack/recovery practicalities as
well as the theory.

 I'm totally against massive collection that has minimal benefit,
 but massive performance costs...  I raised this issue in the review
 and you still haven't disabled INODE collection, plus you admitted
 that you hadn't done benchmarks on the uma case…

Are you following my conversation with ScottL? I’ve agreed this.

 It's way more important to have a good seed at first boot for your
 rng when you generate long term ssh keys and the like than it is to
 continually collecting high rate randomness from the system…

And that is what the current setup achieves, or achieved. What I had
set up was a high-rate collection to unlock the RNG, and the faster
stuff was disabled at multi-user time.

Unfortunately, even those remnants were too much for UMA, so they
will be disabled more permanently. No worries - back to the design
board!

 If so, we are pretty far apart philosophically.
 
 DJB???s position is interesting, but I am far from persuaded by it.
 
 What points are you not persuaded by?  Are there any questions that
 I could get answers for that would persuade you to change your
 mind?

The passage of time will do it, I think. I don’t see much overt
support for this (I will look out for it), but crucially I’m not
aware of a great deal agains it. Its just too, erm, individual
right now. :-)

 I'm not against continually collecting entropy, I just don't think it
 needs to be high speed, or that frequent..  My suggestion is for a
 thread to run every few seconds to grovel around collecting some
 entropy, and adding it...  Obviously low perf impact collection points
 like the keyboard should remain as that continues to one of the best
 sources (when active/available)…

The position of the Fortuna authors is that harvesting should be fast
enough to thwart attack, and attack is facilitated by reading. Thus
a high-speed reader should be backed by a proportionally high-speed
harvesting.

For ScottL the randomness requirements are low-ish. For (say) a bank,
they may be a lot higher, and I see no reason to deny them this if
they have no high throughput requirements.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 25 Jul 2015, at 19:31, John-Mark Gurney j...@funkthat.com wrote:
 
 virtual machines have things like virtio_random, most embedded gadgets
 have an ADC that could be used...  Appliances a little more difficult,
 but trusted computers probably have a hardware RNG anyways…

You need to research this more carefully. Ask Ian Lepore about the
paucity of entropy on his boxes.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 24 Jul 2015, at 02:25, John-Mark Gurney j...@funkthat.com wrote:
 
 I would like to point out that the goal of collecting large amounts
 is starting to fall out of favor, and I happen to agree with the likes
 of djb[1] that we don't need an infinite amount of entropy collected by
 the system.  If the attacker can read out our RNG state, then we are
 already screwed due to many other vulns.

I’m working on a premise of “tools, not policy”. I’d like there to be
enough harvesting points for the box owner to get the warm fuzzies.
If they choose to use less, fine by me.

 Many of the issues that FreeBSD sees with lack of entropy at start up
 is more of a problem on how systems are installed and provisioned.  I
 don't believe that we currently store any entropy from the install
 process, yet this is one of the best places to get it, the user is
 banging on keyboard selecting options, etc.  If an image is designed
 to be cloned (vm images or appliance images) we need to have a
 mechanism to ensure that before we start, we get the entropy from
 other sources, be it a hardware RNG or the console.

Getting an initial entropy bundle for first boot is high up on my
TODO list. :-) Patches welcome! We need the usual /entropy (or
/var/db/entropy/… or whatever) and crucially we need /boot/entropy
and the correct invocation in /boot/loader.conf.

 I would like to see us scale back the entropy collection, and replace
 it with something like scan the zone once an hour or something
 similar.  Or do something dtrace style, where we nop/jmp the
 collection after we feel that the system has collected enough.

Most of the current entropy gathering is just about invisible
anyway. I think the above goes too far, but may be a useful way
of enabling/disabling (say) UMA gathering on the fly.

 Heck, piping in mic data to /dev/random is a good way to seed the
 rng on many machines.

Well, sure, but what if you don’t have microphone? I want lots
of choices, in anticipation of only a subset being usable.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 24 Jul 2015, at 16:25, Ian Lepore i...@freebsd.org wrote:
 
 But keep in mind that loader(8) is optional and not used at all on some
 non-x86 systems.
 

Duly noted. It’s on my TODO list to talk to you embedded folks about this.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 23 Jul 2015, at 14:45, Scott Long scott4l...@yahoo.com wrote:
 
 OK - I’m sold! I’ll make a kernel option defaulting to off. :-)
 
 
 
 Hi Mark,
 
 Thanks for making this concession.  I wanted to add a bit of historical 
 perspective.  When Yarrow was introduced in the previous decade, it was 
 initially wired into nearly all interrupt sources.  It turned out to be so 
 expensive to those sources, especially for high-speed sources at the time 
 like network and caching RAID drivers, that we then spent months disabling it 
 from those sources.  In the end, a lot of code thrash happened and the 
 effectiveness of Yarrow was questionable.

OK. OUCH. I wish I’d known this earlier, or, if I *was* told, I wish I’d paid a 
bit more attention. :-]

In a nod towards efficiency, I have supplied graded (*_fast(), *_queue(), 
*_direct()) harvesting types, but it would appear that these are insufficient 
for your purposes. No problem, I’m glad we could come to another compromise!

 Fast forward to now with your recent work.  If UMA becomes expensive for 
 high-speed use, everyone will go back to developing private per-driver and 
 per-subsystem allocators to avoid it.  This will happen whether or not the 
 UMA collector is controllable at run-time; if it’s enabled by default, 
 benchmarks will be impacted and people will react.  That’ll be a huge step 
 backwards for FreeBSD.

Understood, and thanks. If you have any suitable benchmark code that I could 
have, please, I’d be very grateful.

 I also strongly agree with Jeff’s point on the questionable nature of this 
 kind of fast-and-monotonic entropy collection, and Warner and Kip’s point on 
 the finite number of clock cycles available for doing 100Gb networking.  If 
 really high quality entropy is desired, won’t most serious people use a 
 hardware source instead of a software source?  Not that I think that software 
 entropy is useless, but it’s a question of how much effort and tradeoffs are 
 put into it for what result.  An academically beautiful entropy system that 
 hamstrings the OS from doing other essential things isn’t all that 
 interesting, IMO.

I am kinda hoping to be useful for everybody without being a nuisance. Fortuna 
(and Yarrow) work best with diverse sources of entropy, and we have declared 
our distrust in single sources (thanks Snowden!). Thus it is good to mix as 
much as possible. Now your requirements may not be as strong as the next 
fellow’s so disabling some sources would be a reasonable idea.

I trust this direction will work better for more folks?

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 23 Jul 2015, at 18:30, Alexey Dokuchaev da...@freebsd.org wrote:
 
 [ Guys, please teach your MUA to wrap messages over 72-76 boundary and trim
  excessive/irrelevant quoting, thank you. ]

Oops sorry!

 So far it looks like this to me (having read no papers):
 
 1) Fortuna attempts to get the most entropy from all available sources,
 trusting none of them.  (Which is good.)

Accurate.

 2) Some of them might/will cause unwanted performance loss under certain
 circumstances, which becomes a show-stopper (finite number of clock cycles
 available, etc.) for some use cases.

Again accurate.

 If Fortuna is so flexible, why can't some of its sources be conditionally
 disabled (kernel option/boot.conf/systct) or down-weighted through some
 more sophisticated, self-adjusting configuration technique during runtime?

This is already present, but some if these checks, while very cheap, are
still too expensive in very high-performance areas of the code.

 How dynamic it is?  Mark, is there a (algorithmically?) reliable way to
 tell how many bits of good entropy is being added to the pool, and then
 tune the harvesting strategy accordingly?

No. Not an absolute “no”, but The Yarrow algorithm required this, and it
was never implemented satisfactorily by anyone due to its difficulty.
Yarrow is now no longer supported by its authors due to this, amongst
other problems.

 Is there some sort of restricted, private API to get a clue about current
 entropy status?

Sort of. By turning on the RANDOM_DEBUG option, Fortuna will periodically
print out the “message lengths” of all 32 accumulation pools. These are
very vaguely indicative of the accumulated entropy. Pool[0] is used for
reseeding; the rest are there for my interest and will be removed at some
point.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 23 Jul 2015, at 00:53, Warner Losh i...@bsdimp.com wrote:
 
 Neither filesystem operations nor allocations are random events.  They are 
 trivially influenced by user code.  A malicious attacker could create 
 repeated patterns of allocations or filesystem activity through the 
 syscall path to degrade your random sample source.
 
 I?m not sure I accept that - Fortuna is very careful about using 
 non-reversible hashing in it?s accumulation, and countering such 
 degradation is one of the algorithm?s strong points. There is perhaps risk 
 of *no* entropy, but even the per-event timing jitter will be providing 
 this, if nothing else.
 
 I’m not sure I’m happy about this answer. Do you have some research backing 
 up such cavalier claims?

It was not my intention to sound cavalier. Apologies.

Fortuna was developed to account for many sources of entropy, good and bad 
alike, and Jeff’s observation is an attack on that design. I accept that the 
randomness of these events is poor, but they are high-rate, and this product of 
high-rate*low entropy is what I seek. I pulled out numbers with dtrace, and 
basic statistics showed that the harvesting was not useless. I completely 
understand that under the right circumstances these numbers might be lousy - 
please read the Fortuna design document to understand why this doesn’t matter. 
*ALL* entropy inputs to Fortuna are considered attackable, including the 
dedicated hardware sources.

I have also read cryptanalyses of Fortuna, not all of them to be sure, and so 
far the design appears strong. The best attack that I have seen (very academic) 
suggests an improvement which I may incorporate.

 Perhaps more importantly to me, this is an unacceptable performance burden 
 for the allocator.  At a minimum it should compile out by default. Great 
 care has been taken to reduce the fast path of the allocator to the 
 minimum number of cycles and even cache misses.
 
 As currently set up in etc/rc.d/* by default, there is a simple check at 
 each UMA harvesting opportunity, and no further action. I asked Robert 
 Watson if this was burdensome, and he said it was not.
 
 I find this burdensome.  You can easily add a macro around the calls or hide 
 them in an inline with a default to off.  Even a function call that checks a 
 global and does nothing else is a handful of new cache misses.  A 
 microbenchmark will not realize the full cost of this.  You will instead get 
 the dozen or so instructions of overhead which I still find objectionable.
 
 Kip's observations about packet cycle budgets in high-performance 
 applications are accurate and this is something we have put great care into 
 over time.
 
 A certain video streaming company will be pushing the envelope to get to 
 100Gbps very soon. Even a few extra instructions on every packet / allocation 
 will be a killer. Especially if one is an almost guaranteed cache miss. This 
 most certainly will be burdensome. There absolutely must be a way to turn 
 this off at compile time. We don’t care that much about entropy to leave 
 performance on the table.

OK - I’m sold! I’ll make a kernel option defaulting to off. :-)

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 23 Jul 2015, at 08:59, Jeff Roberson jrober...@jroberson.net wrote:
 
 
 OK - I?m sold! I?ll make a kernel option defaulting to off. :-)
 
 There are other sources that occur less frequently than millions of times 
 per-second that may still provide some usefull entropy while being less 
 performance critical under normal conditions.

I’m sure there are, and I’m keen to discover more! I’m not exactly the worlds 
best kernel hacker, so I’ll be requesting help.

My own crappy benchmark is “make world” and for that, I notice very little. For 
Video at Ludicrous Speed(™), I’m well prepared to accept otherwise! For crypto 
purposes, UMA is brilliant, though (but that won’t stop me defaulting it to 
“compiled out”).

 For example, context switches, traps, etc.  I could also imagine wiring up a 
 pmc counter to something like cache misses or branch mispredicts that would 
 be more difficult to game, especially if the counter was cycled irregularly.

Help requested here, please! If you could point out suitable harvesting points, 
I’ll see if the numbers from them look good.

Thanks!

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 22 Jul 2015, at 22:42, Jeff Roberson jrober...@jroberson.net wrote:
 
 On Tue, 30 Jun 2015, Mark Murray wrote:
 
 - Add harvesting of slab allocator events. This needs to be checked for
   weighing down the allocator code.
 
 Neither filesystem operations nor allocations are random events.  They are 
 trivially influenced by user code.  A malicious attacker could create 
 repeated patterns of allocations or filesystem activity through the syscall 
 path to degrade your random sample source.

I’m not sure I accept that - Fortuna is very careful about using non-reversible 
hashing in it’s accumulation, and countering such degradation is one of the 
algorithm’s strong points. There is perhaps risk of *no* entropy, but even the 
per-event timing jitter will be providing this, if nothing else.

 Perhaps more importantly to me, this is an unacceptable performance burden 
 for the allocator.  At a minimum it should compile out by default.  Great 
 care has been taken to reduce the fast path of the allocator to the minimum 
 number of cycles and even cache misses.

As currently set up in etc/rc.d/* by default, there is a simple check at each 
UMA harvesting opportunity, and no further action. I asked Robert Watson if 
this was burdensome, and he said it was not.

I’m willing to discuss optimising this, and have plans for some 
micro-benchmarks.

M
-- 
Mark R V Murray

PS: Please trim mail when responding - was it necessary to send me back the 
whole commit message and diff?

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 19 Jul 2015, at 20:40, Simon J. Gerraty s...@juniper.net wrote:
 
 Mark R V Murray ma...@freebsd.org wrote:
 On Thu, Jul 02, 2015 at 11:36:27AM -0700, Simon J. Gerraty wrote:
 Sound like you just need to be able to select a single KLD at boot time?
 
 Mark, do you have an estimate of when loadable modules will be supported
 again?

About a week, I’d say.

 We've been holding off sync'ing from head - which is hardly ideal.

Apologies. I will expedite.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r285692 - head/sys/dev/random

[Mark R V Murray]

 On 19 Jul 2015, at 18:02, Konstantin Belousov kostik...@gmail.com wrote:
 
 -printf(random: %s unblock wait\n, __func__);
 +/* Only bother the console every 10 seconds or so */
 +if (spamcount == 0)
 +printf(random: %s unblock wait\n, __func__);
 +spamcount = (spamcount + 1)%100;
 Is ppsratecheck() not suitable for this due to use of  1 sec period ?

Oooh! Very probably, thank you.

 +error = tsleep(random_alg_context, PCATCH, randseed, hz/10);
 +if ((error == ERESTART | error == EINTR))
 This is probably still valid, but I wonder if you mean || there.
 Then you could also remove extra ().

Oh, nuts. Got the wrong patch. Thank you.

 All your commits are breaking all style(9) rules.  It would be nice to keep
 the style at least for the files where you added random harvesting and which
 are already mostly style compliant.  E.g., what about wrapping lines at
 position somewhere between 72 and 80 ?

I’ll look, thanks!

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

CC’ing to original lists.

Kip’s problem has come to conclusion, and our final (private) email
is forwarded to the lists with permission.

It should be noted that Kip was importing CURRENT to a fork of
FreeBSD, and there was a potential merging problem that may have
caused a link failure.

M

 On 17 Jul 2015, at 23:14, K. Macy km...@freebsd.org wrote:
 
 On Fri, Jul 17, 2015 at 3:01 PM, Mark R V Murray ma...@freebsd.org wrote:
 
 On 17 Jul 2015, at 22:39, K. Macy km...@freebsd.org wrote:
 Like I said, the linking issue isn't a concern. My problem is that
 it's not booting because it hangs in an uninterruptible sleep in dd.
 In addition, I strongly disagree with a change that by default could
 adversely impact network performance.
 
 I’ve agreed that the fact that it is uninterruptible is cause for
 concern, and I’ve now coded but not tested or committed a fix.
 
 
 Glad to hear it.
 
 The fact that RANDOM_DUMMY never unblocks is a feature not a bug.
 
 I don't recall having suggested otherwise. Returning with no entropy
 would be undesirable. But as you now, presumably, realize - having the
 reader be unkillable as a result of this wait is highly undesirable.
 
 
 If you say that you've tested RANDOM_DUMMY and it works for you then I
 guess I'm on my own.
 
 RANDOM_DUMMY is for folks who don’t want a CSPRNG. It sounds like you
 need one.
 
 Yes. I had already reached the obvious conclusion that enabling
 fortuna would have bypassed all this grief.
 
 
 Cheers.
 
 -K
 

-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 17 Jul 2015, at 07:47, Adrian Chadd adrian.ch...@gmail.com wrote:
 
 hi,
 
 So I'll have to update the AP images that I build, as now I have to
 add that sysctl to things.

Well, measure the effect. It may not be as bad as it may seem! :-)

 It also means everyone has to update their /etc after updating or
 they'll end up with this particular mode not being disabled.

That is usual, right? Do a mergemaster after a make world?

 i think we need to get this better documented so people aren't bitten
 when they merge code in from -HEAD or whenever you do MFC this back to
 stable/10.

I’m not yet planning an MFC to 10.x

 -adrian 

M
— 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r285550 - head/usr.bin/w

[Mark R V Murray]

 On 16 Jul 2015, at 20:46, Ed Schouten e...@nuxi.nl wrote:
 
 Hi Mark,

Hi!

 2015-07-14 20:53 GMT+02:00 Mark Murray ma...@freebsd.org:
 Log:
  Widen the host field so that a full IPv6 address will be seen.
 
 
 Quick question: does this column width adjust itself automatically?
 The WHAT column of w(1) is already pretty narrow.

No. This column is statically sized.

The “what column” prints arbitrary length lines. I’ve hardly ever
seen anything long in practice though.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r285550 - head/usr.bin/w

[Mark R V Murray]

 On 16 Jul 2015, at 18:35, Bryan Drewery bdrew...@freebsd.org wrote:
 
 On 7/14/15 11:53 AM, Mark Murray wrote:
 Author: markm
 Date: Tue Jul 14 18:53:24 2015
 New Revision: 285550
 URL: https://svnweb.freebsd.org/changeset/base/285550
 
 Log:
  Widen the host field so that a full IPv6 address will be seen.
 
 Relnotes: yes!

Damn you! ;-)

I’ve just had to install the kitchen sink to do this!

(The building is a bit out of date; the optional ports
don’t exist, and installing textproc/fpo resulted in a
tool that did not make a readable PDF).

 MFC: Please

Er, sure!

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 16 Jul 2015, at 15:08, Ian Lepore i...@freebsd.org wrote:
 
 On Thu, 2015-07-16 at 06:39 +0100, Mark Murray wrote:
 On 15 Jul 2015, at 23:43, Adrian Chadd adrian.ch...@gmail.com wrote:
 
 - Add harvesting of slab allocator events. This needs to be checked for
   weighing down the allocator code.
 
 Hi,
 
 Is this really doing it upon every one of those events? eg, for each
 mbuf alloc through UMA?
 
 Only if you turn it on!
 
 M
 
 
 In random_harvestq_init() I see
 
 harvest_context.hc_source_mask = RANDOM_HARVEST_EVERYTHING_MASK;
 
 and
 
 #define RANDOM_HARVEST_EVERYTHING_MASK ((1  (RANDOM_ENVIRONMENTAL_END
 + 1)) - 1)
 
 So doesn't that include the RANDOM_FAST flag that controls harvesting
 during every UMA alloc and free call?  And that harvesting appears to be
 anything but fast, at least at a glance... it looks like it passes the
 entire struct uma_zone to the jenkins hash function... is there really
 useful entropy in all the data in that struct?

Well spotted, but fear not. All sources are on at startup, and this
is to ensure that the generator has maximal access to entropy while
booting.

One of the default duties of etc/rc.d/random is to turn off the UMA
and ATIME sources. These may be turned on if you want them, but by
default on the fully booted system they are off.

See ‘sysctl kern.random.harvest.mask_symbolic’ and note that the
disabled sources are in [].

I have yet to do a full set of benchmarks, but I have discussed
this with RWatson. A silly benchmark (make world) shows little
effect, but I will be doing this properly in coming months.

In answer to you final question - yes. The UMA entropy is a bit
spread out, but it is good.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r285422 - in head: share/man/man4 sys/conf sys/dev/random sys/net sys/netgraph

[Mark R V Murray]

 On 13 Jul 2015, at 08:40, Mark R V Murray ma...@freebsd.org wrote:
 
 I started getting kernel panics on boot after this commit.
 Can you look at this:
 
 https://jenkins.freebsd.org/job/FreeBSD_HEAD-tests/1177/console 
 https://jenkins.freebsd.org/job/FreeBSD_HEAD-tests/1177/consoleI'm onto it 
 now. Thanks and apologies.

A fix is in - r285439.

Apologies again.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r285439 - head/sys/dev/random

[Mark R V Murray]

 On 13 Jul 2015, at 20:25, Peter Jeremy pe...@rulingia.com wrote:
 
 On 2015-Jul-13 08:38:21 +, Mark Murray ma...@freebsd.org wrote:
 +/*
 + * Belt-and-braces.
 + * Round up the read length to a crypto block size 
 multiple,
 + * which is what the underlying generator is expecting.
 + * See the random_buf size requirements in the 
 Yarrow/Fortuna code.
 + */
 +read_len += RANDOM_BLOCKSIZE;
 +read_len -= read_len % RANDOM_BLOCKSIZE;
 
 Note that if read_len was already a multiple of RANDOM_BLOCKSIZE, this will
 pad it by an additional RANDOM_BLOCKSIZE.  I don't think this matters but
 it's not what the comment implies.  (The comment also goes over 80 columns).

Yes - this is overly conservative ;-)

I’ve done a further tightening up, but I want to let it settle and not
churn the code.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r285422 - in head: share/man/man4 sys/conf sys/dev/random sys/net sys/netgraph

[Mark R V Murray]

Hi,

 On 13 Jul 2015, at 01:52, Craig Rodrigues rodr...@crodrigues.org wrote:
 On Jul 12, 2015 2:14 PM, Mark Murray ma...@freebsd.org 
 mailto:ma...@freebsd.org wrote:
 
  Author: markm
  Date: Sun Jul 12 18:14:38 2015
  New Revision: 285422
  URL: https://svnweb.freebsd.org/changeset/base/285422 
  https://svnweb.freebsd.org/changeset/base/285422
 
  Log:
* Address review (and add a bit myself).
 - Tweek man page.
 - Remove all mention of RANDOM_FORTUNA. If the system owner wants YARROW 
  or DUMMY, they ask for it, otherwise they get FORTUNA.
 
 I started getting kernel panics on boot after this commit.
 Can you look at this:
 
 https://jenkins.freebsd.org/job/FreeBSD_HEAD-tests/1177/console 
 https://jenkins.freebsd.org/job/FreeBSD_HEAD-tests/1177/consoleI'm onto it 
 now. Thanks and apologies.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r285288 - head/etc/rc.d

[Mark R V Murray]

Apologies!

M

 On 8 Jul 2015, at 21:37, Andriy Gapon a...@freebsd.org wrote:
 
 On 08/07/2015 21:46, Mark Murray wrote:
 Author: markm
 Date: Wed Jul  8 18:46:44 2015
 New Revision: 285288
 URL: https://svnweb.freebsd.org/changeset/base/285288
 
 Log:
  Address review.
 
 This commit message sucks...
 
  Differential Revision: https://reviews.freebsd.org/D2924
 
 
 -- 
 Andriy Gapon
 

-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 2 Jul 2015, at 00:07, Simon J. Gerraty s...@juniper.net wrote:
 
 Mark Murray ma...@freebsd.org wrote:
  * src/sys/dev/random/random_adaptors.c src/sys/dev/random/random_adaptors.h
  - Remove; plugability is no longer used. Compile-time algorithm
selection is the way to go.
 
 Errr we use that and need it.
 Please put it back.

Do you really need full the plugability (including run-time selection of 
algorithm), or do you just need to have KLD modules back?

I intend to do the latter, but in a different way. The adaptor code and 
run-time section was a locking liability.

 Whether we agree with NIST's ideas about how randomness should be
 handled or not, we need to to be able to comply and we do not want to
 burn their desired arrangement into our kernels.

Sound like you just need to be able to select a single KLD at boot time?

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 2 Jul 2015, at 19:36, Simon J. Gerraty s...@juniper.net wrote:
 
 Mark R V Murray ma...@freebsd.org wrote:
 - Remove; plugability is no longer used. Compile-time algorithm
   selection is the way to go.
 
 Errr we use that and need it.
 Please put it back.
 
 Do you really need full the plugability (including run-time selection
 of algorithm), or do you just need to have KLD modules back?
 
 We need KLD for sure, and the ablity to leave out a mixer like
 yarrow/fortuna - we do not expect any of our customers (except those
 forced to by govt) to use that arrangement though.

Excellent! :-)

 I intend to do the latter, but in a different way. The adaptor code
 and run-time section was a locking liability.
 
 Whether we agree with NIST's ideas about how randomness should be
 handled or not, we need to to be able to comply and we do not want to
 burn their desired arrangement into our kernels.
 
 Sound like you just need to be able to select a single KLD at boot time?
 
 Quite possibly.
 
 Will confirm…

Great, thanks!

If so, can I confirm that you may be rolling your own non-Yarrow/Fortuna
mixer(s)?

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 2 Jul 2015, at 19:42, Arthur Mesh am...@juniper.net wrote:
 
 On Thu, Jul 02, 2015 at 11:36:27AM -0700, Simon J. Gerraty wrote:
 Sound like you just need to be able to select a single KLD at boot time?
 
 Quite possibly.
 
 Will confirm...
 
 Hello,
 
 We need to be able to select a random adaptor at load time. I.e. loader
 is the one selecting it based on configuration.
 
 I.e., if the box is configured to boot in FIPS mode, it should use NIST
 SP800-90 HMAC-DRBG adaptor. Otherwise, it uses the default FreeBSD
 adaptor (Fortuna I guess).

No problem!

Could you please let me know your implementation’s API? If I have that,
or at least an approximation, I can make a framework in which you can
insert your code.

 We do not need ability to switch adaptors at run-time.

Excellent. This has been causing trouble for me for ages.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 2 Jul 2015, at 19:55, Simon J. Gerraty s...@juniper.net wrote:
 
 Mark R V Murray ma...@freebsd.org wrote:
 If so, can I confirm that you may be rolling your own non-Yarrow/Fortuna
 mixer(s)?
 
 AFAIK no mixer allowed; just direct SP800-90 compliant HMAC-DRBG.
 You can probably guess why we don't agree that's a brilliant arrangement
 but its not an argument we can win.

IIRC, that still requires some stochastic input?

 Same would apply for anyone else doing FIPS 140 evaled products.

Sure.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random s

[Mark R V Murray]

 On 2 Jul 2015, at 20:28, Arthur Mesh am...@juniper.net wrote:
 
 On Thu, Jul 02, 2015 at 08:21:31PM +0100, Mark R V Murray wrote:
 I.e., if the box is configured to boot in FIPS mode, it should use NIST
 SP800-90 HMAC-DRBG adaptor. Otherwise, it uses the default FreeBSD
 adaptor (Fortuna I guess).
 
 No problem!
 
 Could you please let me know your implementation???s API? If I have that,
 or at least an approximation, I can make a framework in which you can
 insert your code.
 
 Sure, Here is the shim between HMAC_DRBG and struct random_adaptor (that
 used to plug-in before removal on 2015/6/30).

Magic, thank you!

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r280955 - in head/sys: modules/notrandom dev/notrandom

[Mark R V Murray]

 On 1 Apr 2015, at 16:13, Julian Elischer jul...@freebsd.org wrote:
 
 On 4/1/15 11:11 PM, Julian Elischer wrote:
 On 4/1/15 10:18 PM, Ian Lepore wrote:
 On Wed, 2015-04-01 at 13:52 +0200, Mateusz Guzik wrote:
 As a side note I'm surprised with the choice of 7.
 
 I would expect 3, no more, no less. 3 would be the number returned,
 and the number readers receive would be 3.
 5 would be right out.
 
 there is prior art for 7...  I remember seeing it once.. 7, 7, 7, 7, 7 ...
 that's the trouble with randomness, you can't really tell..
 I remember a part of a paper on the topic by Adams S,  et al.
 I think it was towards the end of the paper.
 
 I stand corrected...  the number selected in the paper was 9

Well spotted!

Before someone makes a terrible mistake, I should point out that 4 is confirmed 
random, as cited here: https://xkcd.com/221/

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r280955 - in head/sys: modules/notrandom dev/notrandom

[Mark R V Murray]

 On 1 Apr 2015, at 16:46, Mateusz Guzik mjgu...@gmail.com wrote:
 We can add an ioctl to control this.

Thats a bad idea, because some fool may set up their local instance to return a 
random number (like 4), and that will badly break the intent of this device.

And before somebody says “tools, not policy”, there is SOME level of protection 
that you must allow for to prevent completely idiotic admins to foul things up!

 Opinions?

“Pah!”?

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r278907 - head/sys/dev/random

[Mark R V Murray]

 void dummy_random_read_phony(uint8_t *, u_int);
 
 /* kern.random sysctls */
 #ifdef SYSCTL_DECL/* from sysctl.h */
 

--
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r273872 - in head: etc/defaults etc/rc.d libexec/save-entropy share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/random sys/kern sys/modules sys/modules/padlock_rng sys/m

[Mark R V Murray]

Hi all

Apologies for my relative silence; I have been looking at this - promise!

 On 2 Nov 2014, at 00:12, Adrian Chadd adr...@freebsd.org wrote:
 
 So, hm. How do us embedded people just unblock it for now at boot, so
 we can actually _get_ enough entropy?

Depending on your requirements, if switching to Fortuna[*] doesn’t solve your 
problem (Fortuna will be the default some time in the future anyway), then try 
this hack:

In yarrow.c, line 156, change

yarrow_state.seeded = 0;

to

yarrow_state.seeded = 1;

M

[*] In your kernel:

options RANDOM_DEBUG# Expose the reseed progress
options RANDOM_FORTUNA  # Use the Fortuna CSPRNG

-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273957 - in head: . etc/rc.d

[Mark R V Murray]

Nice move, thanks! :-)

M

 On 2 Nov 2014, at 01:47, Dag-Erling Smørgrav d...@freebsd.org wrote:
 
 Author: des
 Date: Sun Nov  2 01:47:27 2014
 New Revision: 273957
 URL: https://svnweb.freebsd.org/changeset/base/273957
 
 Log:
  Get rid of the postrandom script.  It was born in a time when the
  random script ran before filesystems were mounted, which is no
  longer the case.
 
  In random_start(), immediately delete each file that is fed into
  /dev/random, and recreate the default entropy file immediately
  after reading and deleting it.  The logic used in random_stop()
  to determine which file to write to should probably be factored
  out and used here as well.
 
 Deleted:
  head/etc/rc.d/postrandom
 Modified:
  head/ObsoleteFiles.inc
  head/etc/rc.d/Makefile
  head/etc/rc.d/adjkerntz
  head/etc/rc.d/random
 
 Modified: head/ObsoleteFiles.inc
 ==
 --- head/ObsoleteFiles.incSun Nov  2 01:13:11 2014(r273956)
 +++ head/ObsoleteFiles.incSun Nov  2 01:47:27 2014(r273957)
 @@ -38,6 +38,8 @@
 #   xargs -n1 | sort | uniq -d;
 # done
 
 +# 20141102: postrandom obsoleted by new /dev/random code
 +OLD_FILES+=etc/rc.d/postrandom
 # 20141031: initrandom obsoleted by new /dev/random code
 OLD_FILES+=etc/rc.d/initrandom
 # 20141028: debug files accidentally installed as directory name
 
 Modified: head/etc/rc.d/Makefile
 ==
 --- head/etc/rc.d/MakefileSun Nov  2 01:13:11 2014(r273956)
 +++ head/etc/rc.d/MakefileSun Nov  2 01:47:27 2014(r273957)
 @@ -112,7 +112,6 @@ FILES=DAEMON \
   pf \
   pflog \
   pfsync \
 - postrandom \
   powerd \
   power_profile \
   ppp \
 
 Modified: head/etc/rc.d/adjkerntz
 ==
 --- head/etc/rc.d/adjkerntz   Sun Nov  2 01:13:11 2014(r273956)
 +++ head/etc/rc.d/adjkerntz   Sun Nov  2 01:47:27 2014(r273957)
 @@ -4,7 +4,7 @@
 #
 
 # PROVIDE: adjkerntz
 -# REQUIRE: FILESYSTEMS postrandom
 +# REQUIRE: FILESYSTEMS
 # BEFORE: netif
 # KEYWORD: nojail
 
 
 Modified: head/etc/rc.d/random
 ==
 --- head/etc/rc.d/random  Sun Nov  2 01:13:11 2014(r273956)
 +++ head/etc/rc.d/random  Sun Nov  2 01:47:27 2014(r273957)
 @@ -17,41 +17,58 @@ stop_cmd=random_stop
 extra_commands=saveseed
 saveseed_cmd=${name}_stop
 
 +save_dev_random()
 +{
 + for f ; do
 + if :$f ; then
 + debug saving entropy to $f
 + dd if=/dev/random of=$f bs=4096 count=1 2/dev/null
 + fi
 + done
 +}
 +
 feed_dev_random()
 {
 - if [ -f ${1} -a -r ${1} -a -s ${1} ]; then
 - cat ${1} | dd of=/dev/random bs=8k 2/dev/null
 - fi
 + for f ; do
 + if [ -f $f -a -r $f -a -s $f ] ; then
 + if dd if=$f of=/dev/random bs=4096 2/dev/null ; then
 + debug entropy read from $f
 + rm -f $f
 + fi
 + fi
 + done
 }
 
 random_start()
 {
 + echo -n 'Feeding entropy:'
 +
 + if [ ! -w /dev/random ] ; then
 + warn /dev/random is not writeable
 + return 1
 + fi
 +
   # Reseed /dev/random with previously stored entropy.
 - case ${entropy_dir} in
 + case ${entropy_dir:=/var/db/entropy} in
   [Nn][Oo])
   ;;
   *)
 - entropy_dir=${entropy_dir:-/var/db/entropy}
 - if [ -d ${entropy_dir} ]; then
 - if [ -w /dev/random ]; then
 - for seedfile in ${entropy_dir}/*; do
 - feed_dev_random ${seedfile}
 - done
 - fi
 + if [ -d ${entropy_dir} ] ; then
 + feed_dev_random ${entropy_dir}/*
   fi
   ;;
   esac
 
 - case ${entropy_file} in
 + case ${entropy_file:=/entropy} in
   [Nn][Oo] | '')
   ;;
   *)
 - if [ -w /dev/random ]; then
 - feed_dev_random ${entropy_file}
 - feed_dev_random /var/db/entropy-file
 - fi
 + feed_dev_random ${entropy_file} /var/db/entropy-file
 + save_dev_random ${entropy_file}
   ;;
   esac
 +
 + echo '.'
 }
 
 random_stop()
 @@ -59,7 +76,7 @@ random_stop()
   # Write some entropy so when the machine reboots /dev/random
   # can be reseeded
   #
 - case ${entropy_file} in
 + case ${entropy_file:=/entropy} in
   [Nn][Oo] | '')
   ;;
   *)
 

-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org

Re: svn commit: r273958 - head/sys/dev/random

[Mark R V Murray]

Hi DES,

I’m scared witless of this being on-by-default, for the reason given in the 
removed comment. I’d much prefer to see it only turned on if a kernel option is 
set, and the embedded folks /et al/ can use that.

Please reinstate the #ifdef RANDOM_AUTOSEED, and set a kernel option to turn it 
on. Please also leave the comment; summarily turning on an unprepared generator 
is not going to be obvious to anyone but an attacker.

Moving the point of the auto-firstseed to where is good, thanks.

M

 On 2 Nov 2014, at 02:01, Dag-Erling Smørgrav d...@freebsd.org wrote:
 
 Author: des
 Date: Sun Nov  2 02:01:55 2014
 New Revision: 273958
 URL: https://svnweb.freebsd.org/changeset/base/273958
 
 Log:
  Restore the auto-reseed logic, but move it to a much later point,
  immediately before kick_init.
 
  Approved by: so (self)
 
 Modified:
  head/sys/dev/random/random_adaptors.c
  head/sys/dev/random/yarrow.c
 
 Modified: head/sys/dev/random/random_adaptors.c
 ==
 --- head/sys/dev/random/random_adaptors.c Sun Nov  2 01:47:27 2014
 (r273957)
 +++ head/sys/dev/random/random_adaptors.c Sun Nov  2 02:01:55 2014
 (r273958)
 @@ -447,30 +447,8 @@ random_adaptors_deinit(void)
 }
 
 /*
 - * First seed.
 - *
 - * NB! NB! NB!
 - * NB! NB! NB!
 - *
 - * It turns out this is bloody dangerous. I was fiddling with code elsewhere
 - * and managed to get conditions where a safe (i.e. seeded) entropy device 
 should
 - * not have been possible. This managed to hide that by unblocking the 
 device anyway.
 - * As crap randomness is not directly distinguishable from good randomness, 
 this
 - * could have gone unnoticed for quite a while.
 - *
 - * NB! NB! NB!
 - * NB! NB! NB!
 - *
 - * Very luckily, the probe-time entropy is very nearly good enough to cause a
 - * first seed all of the time, and the default settings for other entropy
 - * harvesting causes a proper, safe, first seed (unblock) in short order 
 after that.
 - *
 - * That said, the below would be useful where folks are more concerned with
 - * a quick start than with extra paranoia in a low-entropy environment.
 - *
 - * markm - October 2013.
 + * Reseed the active adaptor shortly before starting init(8).
  */
 -#ifdef RANDOM_AUTOSEED
 /* ARGSUSED */
 static void
 random_adaptors_seed(void *unused __unused)
 @@ -484,6 +462,5 @@ random_adaptors_seed(void *unused __unus
 
   arc4rand(NULL, 0, 1);
 }
 -SYSINIT(random_seed, SI_SUB_INTRINSIC_POST, SI_ORDER_LAST,
 -random_adaptors_reseed, NULL);
 -#endif /*  RANDOM_AUTOSEED */
 +SYSINIT(random_seed, SI_SUB_KTHREAD_INIT, SI_ORDER_FIRST,
 +random_adaptors_seed, NULL);
 
 Modified: head/sys/dev/random/yarrow.c
 ==
 --- head/sys/dev/random/yarrow.c  Sun Nov  2 01:47:27 2014
 (r273957)
 +++ head/sys/dev/random/yarrow.c  Sun Nov  2 02:01:55 2014
 (r273958)
 @@ -508,7 +508,9 @@ void
 random_yarrow_reseed(void)
 {
 
 + mtx_lock(random_reseed_mtx);
   reseed(SLOW);
 + mtx_unlock(random_reseed_mtx);
 }
 
 int
 

-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273958 - head/sys/dev/random

[Mark R V Murray]

 On 2 Nov 2014, at 09:59, Andrey Chernov a...@freebsd.org wrote:
 
 On 02.11.2014 12:45, Mark R V Murray wrote:
 Hi DES,
 
 I’m scared witless of this being on-by-default, for the reason given in the 
 removed comment. I’d much prefer to see it only turned on if a kernel option 
 is set, and the embedded folks /et al/ can use that.
 
 We don't need yet one kernel knob to make sysadmin life a bit more
 harder. This thing needs to be autosensed somehow. F.e. if no disk
 interrupts or ethernet interrupt hooks are executed, switch to AUTOSEED
 automatically (or by any other automatic way).

DES’s change makes no difference in a Tier-1 platform, except potentially 
hiding a security problem.

In the embedded world Tier-2+ (MIPS/ARM) where the problem is raising its head, 
customised kernels are very common indeed, and this option gives further 
control to the engineer configuring the system.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273872 - in head: etc/defaults etc/rc.d libexec/save-entropy share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/random sys/kern sys/modules sys/modules/padlock_rng sys/m

[Mark R V Murray]

 On 2 Nov 2014, at 12:51, Dag-Erling Smørgrav d...@des.no wrote:
 
 Jan Beich jbe...@vfemail.net writes:
 I have a minimalistic kernel where everything is pushed to a module for
 easier/faster debugging before kload. As its config has no |device random|
 loading random.ko fails because nothing provides random_adaptors [...]
 
 Yes, there is work to be done there.  Ideally, the random module should
 include the random_adaptors framework and /dev/random itself, while
 Yarrow and Fortuna should be separate modules which can coexist, rather
 than mutually exclusive kernel options.

Compiling both into the kernel is possible, but tricky, so I didn’t do it
this time round. The reason for the trickiness is that randomdev_soft.c gets
compiled for each hash (Yarrow, Fortuna) with hash-specific #defines set.

Not insoluble, but I just didn’t get to it.

I’ll fix the random_adaptors bit shortly.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273958 - head/sys/dev/random

[Mark R V Murray]

 On 2 Nov 2014, at 12:41, Dag-Erling Smørgrav d...@des.no wrote:
 
 Mark R V Murray m...@grondar.org writes:
 I’m scared witless of this being on-by-default, for the reason given
 in the removed comment. I’d much prefer to see it only turned on if a
 kernel option is set, and the embedded folks /et al/ can use that.
 
 You didn't seem to mind this code when we introduced it in 10-CURRENT.
 Removing it breaks pretty much everything, not just embedded systems.
 We can add a sysctl to turn it off, but it has to be on by default.

I’ve had a closer look at things, and I’m coming round to your side.

Note that this has NO effect on Fortuna. Fortuna’s self-starting appears
to be more reliable.

 Note that the alternative is to feed more trash into /dev/random at
 boot, as we did before.  It may give us a warm and fuzzy feeling which
 we don't get from automatically seeding, but the reality is that we have
 no idea how good that trash is either.  In fact, most of what we used to
 feed into /dev/random at boot (ps, sysctls etc) was constant or nearly
 so.  I prefer to trust that we get enough entropy from attachtimes and
 I/O in the boot process - and the data I gathered indicates that there
 is more than enough entropy from attachtimes alone, even on SFF systems
 and VMs.

OK, Fair enough. :-)

 Moving the point of the auto-firstseed to where is good, thanks.
 
 ...except that I'm not sure it doesn't break root-on-geli etc, but at
 least it doesn't break it more than not having auto-firstseed at all.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273958 - head/sys/dev/random

[Mark R V Murray]

 On 2 Nov 2014, at 12:42, Dag-Erling Smørgrav d...@des.no wrote:
 
 Mark R V Murray m...@grondar.org writes:
 DES’s change makes no difference in a Tier-1 platform, except
 potentially hiding a security problem.
 
 I will assume that you did not read the discussion that lead up to my
 commits, because if you did, you know this is a lie.

Telling me that I got it wrong would be a lot more accurate than
accusing me of lying. Lying would require an act of malice on my
part, which I can assure you is absent.

Please choose your words more carefully.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273958 - head/sys/dev/random

[Mark R V Murray]

 On 2 Nov 2014, at 13:22, Ian Lepore i...@freebsd.org wrote:
 
 On Sun, 2014-11-02 at 09:45 +, Mark R V Murray wrote:
 Hi DES,
 
 I´m scared witless of this being on-by-default, for the reason given in the 
 removed comment. I´d much prefer to see it only turned on if a kernel option 
 is set, and the embedded folks /et al/ can use that.
 
 Please reinstate the #ifdef RANDOM_AUTOSEED, and set a kernel option to turn 
 it on. Please also leave the comment; summarily turning on an unprepared 
 generator is not going to be obvious to anyone but an attacker.
 
 Moving the point of the auto-firstseed to where is good, thanks.
 
 M
 
 
 To give you some idea of how usable this new stuff is on a system that
 isn't an x86 server or someone's desktop or laptop... after commenting
 out the postrandom so that a board would at least boot (but before DES'
 resend change), I left a board sitting idle at the login prompt.  It was
 somewhere between 40 minutes and an hour before I saw this:
 
 FreeBSD/arm (rpi) (ttyu0)
 
 login: random: reseed - fast - thresh 96,1 -  0 48 0 0 0 130 0 0 620 0 0 0 0 
 0 0 0 0 0 0 0
 random: reseed - slow - thresh 128,2 -  0 44 0 0 0 130 0 0 619 0 0 0 0 0 0 0 
 0 0 0 0
 random: unblocking device.

Thanks for doing this, Ian. This is good information, and tells me a lot
about Yarrow on some systems.

 Securing a system against some theoretical attack has value only to the
 point where the system is no longer usable at all.  At that point you
 kind of have to declare the attacker the winner, and he didn't even have
 to actually launch an attack.

Point conceded. :-)

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273872 - in head: etc/defaults etc/rc.d libexec/save-entropy share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/random sys/kern sys/modules sys/modules/padlock_rng sys/m

[Mark R V Murray]

 On 2 Nov 2014, at 19:07, Adrian Chadd adr...@freebsd.org wrote:
 
 On 2 November 2014 05:08, Mark R V Murray ma...@freebsd.org wrote:
 
 On 2 Nov 2014, at 12:51, Dag-Erling Smørgrav d...@des.no wrote:
 
 Jan Beich jbe...@vfemail.net writes:
 I have a minimalistic kernel where everything is pushed to a module for
 easier/faster debugging before kload. As its config has no |device random|
 loading random.ko fails because nothing provides random_adaptors [...]
 
 Yes, there is work to be done there.  Ideally, the random module should
 include the random_adaptors framework and /dev/random itself, while
 Yarrow and Fortuna should be separate modules which can coexist, rather
 than mutually exclusive kernel options.
 
 Compiling both into the kernel is possible, but tricky, so I didn’t do it
 this time round. The reason for the trickiness is that randomdev_soft.c gets
 compiled for each hash (Yarrow, Fortuna) with hash-specific #defines set.
 
 Not insoluble, but I just didn’t get to it.
 
 I’ll fix the random_adaptors bit shortly.
 
 Also as a side note - the kernel on the embedded MIPS boards here are
 now  1MiB compressed now because loading random as a module isn't
 supported or working right. :(

I’m looking at it.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273958 - head/sys/dev/random

[Mark R V Murray]

 On 2 Nov 2014, at 19:20, Konstantin Belousov kostik...@gmail.com wrote:
 
 On Sun, Nov 02, 2014 at 11:05:27AM -0800, Adrian Chadd wrote:
 [snip all the conversation]
 
 Ok. There's still a problem that I can trigger by trying to Ctrl-C a
 process that's blocked reading for randomness. I'll try to chase up
 more details about and file a PR about it.
 
 The unfortunate part is that the kernel side stack trace of the
 offending / hung process isn't currently helpful. :(
 
 
 From what I see, signals are essentially ignored in the read code.
 See random_adaptors.c:random_adaptor_read():
 
   /* Sleep instead of going into a spin-frenzy */
   tsleep(random_adaptor, PUSER | PCATCH, block, hz/10);
 
 The error which would indicate the signal catch, is dropped.  Also,
 unbound sleep does not drop random_adaptor_lock, which means that
 you cannot module which could provide some more randomness for you,
 while any thread is stuck in read loop.

Hi

I don’t quite follow what you mean, but it sounds like you understand
the problem. Could you please explain with a bit more detail?

Thanks,

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273958 - head/sys/dev/random

[Mark R V Murray]

 On 2 Nov 2014, at 19:46, Konstantin Belousov kostik...@gmail.com wrote:
 
 I don???t quite follow what you mean, but it sounds like you understand
 the problem. Could you please explain with a bit more detail?
 
 Which problem ? There are two.
 
 One is the Adrian' complain. tsleep(9) catches signals, and return
 EINTR/ERESTART when catched.  Typical driver code checks for the
 errors from {t,m}sleep(9) and aborts the operation if error is
 returned.  I.e. you should do
   error = tsleep(...);
   if (error != 0) {
   abort the loop;
   return to caller;
   }
 The fine detail is that for the case when read has already partially
 progressed, i.e. something was copied out to uio, the error must
 not be returned, but short read performed instead.

OK, I think I follow this.

In another mail you say:
 Yes, this is because error from tsleep() in random_adaptor_read()
 does not abort the loop.  But next loop iteration calls tsleep()
 which returns immediately since there is still pending signal.
 The process continues indefinitely.

.. which supports this what you say further above. Thanks.

 This leads to another question about the code in random_adapter_read():
 if ra_read method sleeps, it must handle the signals as well, return
 error, and the second loop which perorms ra_read/uiomove should be
 aborted as well.  Again, error from either ra_read or uiomove(9)
 must result in short read if something was already copied to uio.
 Currently, there is no error returned by ra_read (or it is ignored),
 and error from uiomove always returned, even if something was already
 copied.

Are you saying the same thing again, or something else? If you are saying
something else, then I am struggling to follow you.

 Second problem is that random_adaptor_lock is owned while tsleep()
 is called (or whatever sleep primitive is used inside ra_read).  If
 platform could only provide randomness through some hw, and module
 is loaded while thread is blocked, module cannot register, while
 reading thread cannot make progress.

I’m sorry, I don’t understand this.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273958 - head/sys/dev/random

[Mark R V Murray]

This look visually OK to me.

I’ll run it locally, but it needs So permission to commit. I guess
you can self-certify, right? :-)

M
 
 On 2 Nov 2014, at 20:27, Xin Li delp...@delphij.net wrote:
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512
 
 Hi, Mark,
 
 I'd like to propose the attached patch for review.  It replaces
 tsleep's with sx_sleep's, then checks the return value and quit the loop.
 
 Cheers,
 - -- 
 Xin LI delp...@delphij.nethttps://www.delphij.net/
 FreeBSD - The Power to Serve!   Live free or die
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2.0
 
 iQIcBAEBCgAGBQJUVpO0AAoJEJW2GBstM+nsTcoQAKQglUQUKCh4h+flynK+of1J
 I8pyCJTqkJHsvQu7Lj8Nh4gd6OQM3+XdpEGymA/wB1Q906cNI8ieLwuXCOmCxYhw
 xs2XJL5cyp1myDqCp3BRrNta8PPSF8gxfnCeU/0LuItrvcNaE3axNb/eu4g3u5s7
 NZObx84C03uRoHMz+9qG0qkZbutY/qN8YP3DQ1WvkYom/i4UT2NGa1EgHLYa9Ofu
 REQ/lADumxqn5Cw6viKym1wI1HrCu00X602jGjivEzn1L7DSfKFJjckyLC2IbbdY
 Ydy4ejsILJRPFDt6PrcSWkaSBIy585wP90YsFvSK4riyy1i3HUF4pE5wQPPG/ogV
 ATm4S9GZgr4mM3SHZrcaTDyrm9BEsEizqBs/F3yyuKBqZt0xtTjv+tupCN5AG1LX
 DnfgLj7pNAW2SIF7lul34/CzisoKB7b5oEpL9YWOh8DvZiEgHMex4nRqTNAt9T8F
 7f5bGvcMHfkIOQIUanxlganUW2ZgVaDPYQADjrEsfqD2pTwwK7glN0jXKJ9YStGW
 kzbjAQil9X/fliVSzPubbO0XTqAtjnPwONBbjw06vlrwZlkHbLOTz0VVZ3cAJcei
 4CkCiEQtuFWbD9QVCUe6snztRRTI542dIlWSDPhSxYV3+hrkCgCeJ3fMvTutf7YZ
 ejIPZ/NOkhddVmvjMHKw
 =XrYs
 -END PGP SIGNATURE-
 random-tsleep.diffrandom-tsleep.diff.sig

-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273872 - in head: etc/defaults etc/rc.d libexec/save-entropy share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/random sys/kern sys/modules sys/modules/padlock_rng sys/m

[Mark R V Murray]

Hi Garrett,

 On 31 Oct 2014, at 21:04, Garrett Cooper yaneurab...@gmail.com wrote:
 Could you please add an UPDATING entry for this? Some users (like me) who do 
 make installworld from old kernels are experiencing issues (some dealing with 
 filesystem corruption). Please see this thread on -current@ for more details: 
 https://lists.freebsd.org/pipermail/freebsd-current/2014-October/053039.html

Will do. Thanks for the reminder.

 This also should have had “Relnotes: yes” in the commit message because this 
 deserves to be put in the release notes for 11.0

Oops. :-(

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273872 - in head: etc/defaults etc/rc.d libexec/save-entropy share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/random sys/kern sys/modules sys/modules/padlock_rng sys/m

[Mark R V Murray]

Hi

I’m not sure what you are showing me here?

How yo you draw the “not enough entropy” conclusion?

The writing happens at shutdown; before you do the shutdown could you please do 
a ‘sysctl kern.random’ and post the result?

Do you have anything random-related in your rc.conf?

Could you please do a verbose boot on a kernel with “options RANDOM_DEBUG” set 
and send me the dmesg output from a failing box.

M

 On 1 Nov 2014, at 22:15, Alexander Kabaev kab...@gmail.com wrote:
 
 On Sat, 1 Nov 2014 14:57:02 -0700
 Adrian Chadd adr...@freebsd.org wrote:
 
 Hi,
 
 I'm having a problem with this on MIPS router boards now:
 
 db bt 277
 Tracing pid 277 tid 100034 td 0x80d7b9c0
 cpu_switch+90 (?,?,?,?) ra ca90db68 sp 0 sz 0
 sched_switch+224 (?,?,?,?) ra ca90db680028 sp 0 sz 0
 mi_switch+27c (?,?,?,?) ra ca90db900020 sp 0 sz 0
 80176358+1a0 (?,?,?,?) ra ca90dbb00028 sp 0 sz 0
 801765dc+2d0 (?,?,?,?) ra ca90dbd80030 sp 0 sz 0
 sleepq_timedwait_sig+18 (?,?,?,?) ra ca90dc080020 sp 0 sz 0
 _sleep+3b8 (?,?,?,803199e0) ra ca90dc280068 sp 0 sz 0
 random_adaptor_read+114 (?,?,?,?) ra ca90dc900038 sp 0 sz 0
 800b1898+c0 (?,?,?,?) ra ca90dcc80048 sp 0 sz 0
 80187450+6c (?,?,?,?) ra ca90dd100028 sp 0 sz 0
 kern_readv+8c (?,?,?,?) ra ca90dd380050 sp 0 sz 0
 sys_read+48 (?,?,?,?) ra ca90dd880040 sp 0 sz 0
 trap+7f0 (?,?,?,?) ra ca90ddc800b8 sp 0 sz 0
 MipsUserGenException+10c (?,?,?,408ed960) ra ca90de80 sp 0 sz
 0
 
 ... I've included random into the kernel rather than as a module
 now.
 
 This -looks- like it's not getting enough entropy now?
 
 
 
 -adrian
 
 
 Me too, on amd64 box. The machine gets hung for several minutes after
 'writing entropy file' until random is unblocked. Anecdotally, banging
 on the keyboard trying to help the entropy gathering along seems to
 speed the process up.
 
 -- 
 Alexander Kabaev

-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273872 - in head: etc/defaults etc/rc.d libexec/save-entropy share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/random sys/kern sys/modules sys/modules/padlock_rng sys/m

[Mark R V Murray]

 On 31 Oct 2014, at 14:22, Dag-Erling Smørgrav d...@des.no wrote:
 
 Andrey Chernov a...@freebsd.org writes:
 Mark Murray ma...@freebsd.org writes:
 Deleted:
  head/etc/rc.d/initrandom
 It should be added to ObsoleteFiles.inc
 
 Good catch, fixed in r273907.

Thanks!

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r273872 - in head: etc/defaults etc/rc.d libexec/save-entropy share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/random sys/kern sys/modules sys/modules/padlock_rng sys/m

[Mark R V Murray]

 On 31 Oct 2014, at 14:22, Dag-Erling Smørgrav d...@des.no wrote:
 
 Mark Murray ma...@freebsd.org writes:
 Log:
  This is the much-discussed major upgrade to the random(4) device,
  known to you all as /dev/random.
 
 Much discussed and long-awaited :)  Thank you for your hard work and
 persistence!

Thank you!

  Reviewed by:trasz,des(partial),imp(partial?),rwatson(partial?)
 
 Must...  resist...  tentation to make a joke about imp(partial?)…

*snigger* :-)

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

Hi Michael,

If that works, then Brilliant! :-) :-)

Could you please fix this so the _PMC_USER_READ_WRITE_ is all in one place 
(it’s too dangerous to split up), and put an architecture-specific #ifdef 
around just the MCR instruction we care about.

With that, its good to commit, I’d say. I’ll likely follow up and exclude the 
architectures that are unproven.

M

On 17 Jun 2014, at 10:52, Michael Tuexen tue...@freebsd.org wrote:

 On 16 Jun 2014, at 22:13, Mark R V Murray ma...@freebsd.org wrote:
 Hi Mark,
 
 I just adopted the comments to the code change. So here is the improved patch:
 
 Index: cpufunc.c
 ===
 --- cpufunc.c (revision 267575)
 +++ cpufunc.c (working copy)
 @@ -1404,18 +1404,36 @@
 static __inline void
 cpu_scc_setup_ccnt(void)
 {
 -/* This is how you give userland access to the CCNT and PMCn
 - * registers.
 - * BEWARE! This gives write access also, which may not be what
 - * you want!
 - */
 +#if defined(CPU_ARM1136) || defined(CPU_ARM1176)
 #ifdef _PMC_USER_READ_WRITE_
 - /* Set PMUSERENR[0] to allow userland access */
 + /* This is how you give userland access to the CCNT and PMCn
 +  * registers.
 +  * BEWARE! This gives write access also, which may not be what
 +  * you want!
 +  * Use the Secure User and Non-secure Access Validation Control Register
 +  * to allow userland access 
 +  */
 + __asm volatile (mcrp15, 0, %0, c15, c9, 0\n\t
 + :
 + : r(0x0001));
 +#endif
 + /* Set PMCR[2,0] to enable counters and reset CCNT */
 + __asm volatile (mcrp15, 0, %0, c15, c12, 0\n\t
 + :
 + : r(0x0005));
 +#else
 +#ifdef _PMC_USER_READ_WRITE_
 + /* This is how you give userland access to the CCNT and PMCn
 +  * registers.
 +  * BEWARE! This gives write access also, which may not be what
 +  * you want!
 +  * Set PMUSERENR[0] to allow userland access
 +  */
   __asm volatile (mcrp15, 0, %0, c9, c14, 0\n\t
   :
   : r(0x0001));
 #endif
 -/* Set up the PMCCNTR register as a cyclecounter:
 + /* Set up the PMCCNTR register as a cyclecounter:
* Set PMINTENCLR to 0x to block interrupts
* Set PMCR[2,0] to enable counters and reset CCNT
* Set PMCNTENSET to 0x8000 to enable CCNT */
 @@ -1426,6 +1444,7 @@
   : r(0x),
 r(0x0005),
 r(0x8000));
 +#endif
 }
 #endif
 
 Let me know if I can help.
 
 Best regards
 Michael
 
 On 16 Jun 2014, at 20:38, Michael Tuexen tue...@freebsd.org wrote:
 Hmm, the documentation reads
 
 Which docs are you using?
 
 I’m using DDI0360F. (And that could easily be a wrong choice).
 
 M
 -- 
 Mark R V Murray
 
 
 

-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

On 17 Jun 2014, at 19:58, Michael Tuexen tue...@freebsd.org wrote:
 So you want something like:

Yup! Looks good! :-)

If you want to blame me for reviewing this, thats fine, but I’ve not run it 
(I’m waiting for a replacement RPI, still).

Please don’t be offended if a follow-up commit of mine rearranges this 
slightly! (It won’t be for a week or two).

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

On 16 Jun 2014, at 08:28, Michael Tuexen tue...@freebsd.org wrote:
 your patch for accessing the value is correct. However, the initialisation 
 code also
 needs to be adopted to the platform. So in addition to your patch, you also 
 need:

Thanks!

 Is there an easy test to see if the code actually works as expected and not 
 that it just
 allows the system to boot?

Yes. :-)

#include sys/types.h

#include stdio.h

static __inline uint64_t
get_cyclecount(void)
{
uint32_t ccnt;
uint64_t tsc;

/* Read CCNT.  */
__asm __volatile(mrc p15, 0, %0, c15, c12, 1: =r (ccnt));

tsc = (uint64_t)ccnt;

return (tsc);
}

#define N 10

int
main(int argc, char *argv[])
{
int i;
uint64_t ccnt[N];

for (i = 0; i  N; i++)
ccnt[i] = get_cyclecount();

for (i = 1; i  N; i++)
printf(%6d %016llX %16llu\n, i, ccnt[i], ccnt[i] - ccnt[i - 
1]);


return (0);
}

Should print a whole lotta numbers, incrementing, unless you hit the wraparound.

 Regarding the 32-bit limitation: Do we want to increment the register only 
 every
 64 clock cycle?

Definitely not! The value is in the low bits; wrap is of little consequence.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

On 16 Jun 2014, at 20:25, Michael Tuexen tue...@freebsd.org wrote:
 Should print a whole lotta numbers, incrementing, unless you hit the 
 wraparound.
 Don't I need to compile a kernel with _PMC_USER_READ_WRITE_ being defined, 
 since
 without it a user process can't access the register. When running it on a 
 kernel
 not defining _PMC_USER_READ_WRITE_, I get a core with Illegal instruction.

No. That only enables _write_ access. That’s on ARMv7. What’s in ARMv6 may also 
work.

 Let me build a kernel with the above define and retest.

Please try without it.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

On 16 Jun 2014, at 20:38, Michael Tuexen tue...@freebsd.org wrote:
 Hmm, the documentation reads

Which docs are you using?

I’m using DDI0360F. (And that could easily be a wrong choice).

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

On 30 May 2014, at 09:42, Michael Tuexen tue...@fh-muenster.de wrote:

 On 29 May 2014, at 21:21, Mark R V Murray ma...@freebsd.org wrote:
 
 
 On 29 May 2014, at 19:27, Michael Tuexen tue...@fh-muenster.de wrote:
 
 On 29 May 2014, at 20:15, Mark R V Murray ma...@freebsd.org wrote:
 
 
 On 29 May 2014, at 19:13, Michael Tuexen tue...@fh-muenster.de wrote:
 
 I can make it work on RPI, but trying to find what else it will/won’t 
 work on is more problematic.
 Wouldn't it require to use different registers on the RPI? This would 
 mean you
 would need more #ifdefs…
 
 Thats the problem; too many #ifdefs.
 So you could just keep the code for now, but reduce the #ifdefs to the ones 
 you
 know that work. Later on, you can replace it by the driver stuff…
 
 That’s what I was thinking, yes.
 Great. Let me know if you need testing support on the RPI…

I’ve come to the conclusion that my RPI-B is hosed. It doesn’t even boot 
Raspian properly. Sorry about how long this has taken.

Please could someone with a working RPI please check that the following patch 
works (may need to apply by hand due to cut/paste).

Thanks, with repeated apologies.

M
-- 
Mark R V Murray

--- include/cpu.h   (revision 267507)
+++ include/cpu.h   (working copy)
@@ -25,7 +25,16 @@
 * Read PMCCNTR. Curses! Its only 32 bits.
 * TODO: Fix this by catching overflow with interrupt?
 */
+/* The ARMv6 vs ARMv7 divide is going to need a better way of
+ * distinguishing between them.
+ */
+#if defined(CPU_ARM1136) || defined(CPU_ARM1176)
+   /* ARMv6 - Earlier model SCCs */
+   __asm __volatile(mrc p15, 0, %0, c15, c12, 1: =r (ccnt));
+#else
+   /* ARMv7 - Later model SCCs */
__asm __volatile(mrc p15, 0, %0, c9, c13, 0: =r (ccnt));
+#endif
ccnt64 = (uint64_t)ccnt;
return (ccnt64);
 #else /* No performance counters, so use binuptime(9). This is slow */

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

On 29 May 2014, at 12:05, Hans Petter Selasky h...@selasky.org wrote:

 On 05/22/14 09:09, Mark R V Murray wrote:
 
 On 21 May 2014, at 21:15, Hans Petter Selasky h...@selasky.org wrote:
 
 On 05/14/14 21:11, Mark Murray wrote:
 Author: markm
 Date: Wed May 14 19:11:15 2014
 New Revision: 266083
 URL: http://svnweb.freebsd.org/changeset/base/266083
 
 Log:
   Give suitably-endowed ARMs a register similar to the x86 TSC register.
 
 
 Hi,
 
 Regression issue:
 This commit prevents RPI-B from booting.
 
 Thanks, I’ll look at it ASAP.
 
 M
 
 
 Any news on this issue?

Hi

Yes, thanks!

I can make it work on RPI, but trying to find what else it will/won’t work on 
is more problematic.

I’m considering disabling this on RPI, and then spending a bit of time writing 
a full driver for this counter, then the annoying details of the problem can be 
solved in FDT code.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

On 29 May 2014, at 19:13, Michael Tuexen tue...@fh-muenster.de wrote:

 I can make it work on RPI, but trying to find what else it will/won’t work 
 on is more problematic.
 Wouldn't it require to use different registers on the RPI? This would mean you
 would need more #ifdefs…

Thats the problem; too many #ifdefs.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

On 29 May 2014, at 19:27, Michael Tuexen tue...@fh-muenster.de wrote:

 On 29 May 2014, at 20:15, Mark R V Murray ma...@freebsd.org wrote:
 
 
 On 29 May 2014, at 19:13, Michael Tuexen tue...@fh-muenster.de wrote:
 
 I can make it work on RPI, but trying to find what else it will/won’t work 
 on is more problematic.
 Wouldn't it require to use different registers on the RPI? This would mean 
 you
 would need more #ifdefs…
 
 Thats the problem; too many #ifdefs.
 So you could just keep the code for now, but reduce the #ifdefs to the ones 
 you
 know that work. Later on, you can replace it by the driver stuff…

That’s what I was thinking, yes.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r266083 - in head/sys/arm: arm include

[Mark R V Murray]

On 21 May 2014, at 21:15, Hans Petter Selasky h...@selasky.org wrote:

 On 05/14/14 21:11, Mark Murray wrote:
 Author: markm
 Date: Wed May 14 19:11:15 2014
 New Revision: 266083
 URL: http://svnweb.freebsd.org/changeset/base/266083
 
 Log:
   Give suitably-endowed ARMs a register similar to the x86 TSC register.
 
 
 Hi,
 
 Regression issue:
 This commit prevents RPI-B from booting.

Thanks, I’ll look at it ASAP.

M
-- 
Mark R V Murray

___
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org

Re: svn commit: r263218 - in head: lib/libcrypt lib/libmd sys/conf sys/crypto/sha2

[Mark R V Murray]

On 16 Mar 2014, at 21:15, John-Mark Gurney j...@funkthat.com wrote:

 Mark Murray wrote this message on Sun, Mar 16, 2014 at 17:24 +:
 I haven?t looked at this closely, but if you?ve dropped support for sha256, 
 then sys/dev/random/... can?t use it :-(
 
 Please read closer...  To many things would break if sha256 was really
 removed…

Oops! Thanks! *blush*

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r263218 - in head: lib/libcrypt lib/libmd sys/conf sys/crypto/sha2

[Mark R V Murray]

 {
 - u_int32_t   state[8];
 - u_int64_t   bitcount;
 - u_int8_tbuffer[SHA256_BLOCK_LENGTH];
 -} SHA256_CTX;
 -typedef struct _SHA512_CTX {
 - u_int64_t   state[8];
 - u_int64_t   bitcount[2];
 - u_int8_tbuffer[SHA512_BLOCK_LENGTH];
 -} SHA512_CTX;
 -
 -#endif /* SHA2_USE_INTTYPES_H */
 -
 typedef SHA512_CTX SHA384_CTX;
 
 
 -/*** SHA-256/384/512 Function Prototypes **/
 -
 -void SHA256_Init(SHA256_CTX *);
 -void SHA256_Update(SHA256_CTX*, const u_int8_t*, size_t);
 -void SHA256_Final(u_int8_t[SHA256_DIGEST_LENGTH], SHA256_CTX*);
 -char* SHA256_End(SHA256_CTX*, char[SHA256_DIGEST_STRING_LENGTH]);
 -char* SHA256_Data(const u_int8_t*, size_t, 
 char[SHA256_DIGEST_STRING_LENGTH]);
 +/*** SHA-384/512 Function Prototypes **/
 
 void SHA384_Init(SHA384_CTX*);
 void SHA384_Update(SHA384_CTX*, const u_int8_t*, size_t);
 @@ -137,4 +84,6 @@ char* SHA512_Data(const u_int8_t*, size_
 }
 #endif /* __cplusplus */
 
 +#include sha256.h
 +
 #endif /* __SHA2_H__ */
 
 Modified: head/sys/crypto/sha2/sha256.h
 ==
 --- head/sys/crypto/sha2/sha256.h Sun Mar 16 01:22:23 2014
 (r263217)
 +++ head/sys/crypto/sha2/sha256.h Sun Mar 16 01:43:23 2014
 (r263218)
 @@ -29,12 +29,14 @@
 #ifndef _SHA256_H_
 #define _SHA256_H_
 
 +#ifndef _KERNEL
 #include sys/types.h
 +#endif
 
 typedef struct SHA256Context {
   uint32_t state[8];
   uint64_t count;
 - unsigned char buf[64];
 + uint8_t buf[64];
 } SHA256_CTX;
 
 __BEGIN_DECLS
 @@ -42,9 +44,11 @@ void   SHA256_Init(SHA256_CTX *);
 void  SHA256_Update(SHA256_CTX *, const void *, size_t);
 void  SHA256_Final(unsigned char [32], SHA256_CTX *);
 char   *SHA256_End(SHA256_CTX *, char *);
 +char   *SHA256_Data(const void *, unsigned int, char *);
 +#ifndef _KERNEL
 char   *SHA256_File(const char *, char *);
 char   *SHA256_FileChunk(const char *, char *, off_t, off_t);
 -char   *SHA256_Data(const void *, unsigned int, char *);
 +#endif
 __END_DECLS
 
 #endif /* !_SHA256_H_ */
 
 Modified: head/sys/crypto/sha2/sha256c.c
 ==
 --- head/sys/crypto/sha2/sha256c.cSun Mar 16 01:22:23 2014
 (r263217)
 +++ head/sys/crypto/sha2/sha256c.cSun Mar 16 01:43:23 2014
 (r263218)
 @@ -30,7 +30,11 @@ __FBSDID($FreeBSD$);
 #include sys/endian.h
 #include sys/types.h
 
 +#ifdef _KERNEL
 +#include sys/systm.h
 +#else
 #include string.h
 +#endif
 
 #include sha256.h
 
 

-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r257535 - head/sys/netgraph

[Mark R V Murray]

On 2 Nov 2013, at 05:53, Adrian Chadd adr...@freebsd.org wrote:

 Hm! A good question!
 
 On 1 November 2013 22:22, Bruce Evans b...@optusnet.com.au wrote:
 
if (harvest.point_to_point)
 -   random_harvest((m-m_data), 12, 2, RANDOM_NET_NG);
 
 
 '(m-m_data)' is not just a pair of style bugs.  It gives address of
 the pointer (somewhere in the mbuf header), not the address of pointed-
 to data, so the randomness was almost null.  The style bugs are
 excessive parentheses and chumminess with the implementation (non-use
 of the accessor function mtod()).
 
 
 +   random_harvest(mtod(m, const void *), 12, 2,
 RANDOM_NET_NG);
 
 
 Presumably you really do want to harvest the pointed-to data and there
 are at least 12 bytes of it, so the semantic fix isn't backwards or a
 buffer overrun.
 
 
 
 Mark - did you initially mean the address of the mbuf m_data pointer,
 or the data payload itself?

As Bruce says - the address of payload data itself. We don’t have 12-byte 
pointers in FreeBSD. :-)

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r257535 - head/sys/netgraph

[Mark R V Murray]

On 2 Nov 2013, at 09:32, Mark R V Murray m...@grondar.org wrote:
 Mark - did you initially mean the address of the mbuf m_data pointer,
 or the data payload itself?
 
 As Bruce says - the address of payload data itself. We don’t have 12-byte 
 pointers in FreeBSD. :-)

Cancel that.

The address passed must be the address of the m_data field in the mbuf 
structure. The harvested data is 12 bytes from that address forward, so not the 
data pointed to by that m_data pointer but the pointer value itself and some 
following junk too.

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r257535 - head/sys/netgraph

[Mark R V Murray]

On 2 Nov 2013, at 22:28, Bruce Evans b...@optusnet.com.au wrote:

 On Sat, 2 Nov 2013, Mark R V Murray wrote:
 
 On 2 Nov 2013, at 09:32, Mark R V Murray m...@grondar.org wrote:
 Mark - did you initially mean the address of the mbuf m_data pointer,
 or the data payload itself?
 
 As Bruce says - the address of payload data itself. We don’t have 12-byte 
 pointers in FreeBSD. :-)
 
 Cancel that.
 
 The address passed must be the address of the m_data field in the mbuf 
 structure. The harvested data is 12 bytes from that address forward, so not 
 the data pointed to by that m_data pointer but the pointer value itself and 
 some following junk too.
 
 Is that really worth using?

Yes. Most of the value comes from the timing. The 12 bytes we snatch on the way 
past are opportunistic, and hopefully cheap due to being in-cache.

M
-- 
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: etc/defaults etc/rc.d share/examples/kld/random_adaptor share/man/man4 sys/boot/forth sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe

[Mark R V Murray]

On 13 Oct 2013, at 08:48, Konstantin Belousov kostik...@gmail.com wrote:

 On Sat, Oct 12, 2013 at 12:57:57PM +, Mark Murray wrote:
 Author: markm
 Date: Sat Oct 12 12:57:57 2013
 New Revision: 256377
 URL: http://svnweb.freebsd.org/changeset/base/256377
 
 Log:
  Merge from project branch. Uninteresting commits are trimmed.
 
  Refactor of /dev/random device. Main points include:
 
 The random.ko is broken.  On boot, I get
 link_elf_obj: symbol live_entropy_source_deregister undefined
 KLD file random.ko - could not finalize loading
 
 There are several files from dev/random which are listed as
 'optional random' in conf/files but are not added to the SRCS in
 modules/random/Makefile. I do not know the intent of splitting the
 dev/random into the module and non-optional part of the kernel, so
 cannot provide the patch.

Ah - I know what is going on here. Fix coming, thanks!

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: etc/defaults etc/rc.d share/examples/kld/random_adaptor share/man/man4 sys/boot/forth sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe

[Mark R V Murray]

On 13 Oct 2013, at 08:48, Konstantin Belousov kostik...@gmail.com wrote:

 On Sat, Oct 12, 2013 at 12:57:57PM +, Mark Murray wrote:
 Author: markm
 Date: Sat Oct 12 12:57:57 2013
 New Revision: 256377
 URL: http://svnweb.freebsd.org/changeset/base/256377
 
 Log:
  Merge from project branch. Uninteresting commits are trimmed.
 
  Refactor of /dev/random device. Main points include:
 
 The random.ko is broken.  On boot, I get
 link_elf_obj: symbol live_entropy_source_deregister undefined
 KLD file random.ko - could not finalize loading
 
 There are several files from dev/random which are listed as
 'optional random' in conf/files but are not added to the SRCS in
 modules/random/Makefile. I do not know the intent of splitting the
 dev/random into the module and non-optional part of the kernel, so
 cannot provide the patch.
 
 Please fix.

Here's the fix:

Index: sys/modules/random/Makefile
===
--- sys/modules/random/Makefile (revision 256427)
+++ sys/modules/random/Makefile (working copy)
@@ -10,7 +10,8 @@
 SRCS+= nehemiah.c
 SRCS+= ivy.c
 .endif
-SRCS+= randomdev_soft.c yarrow.c hash.c
+SRCS+= randomdev_soft.c random_harvestq.c live_entropy_sources.c
+SRCS+= yarrow.c hash.c rwfile.c
 SRCS+= rijndael-alg-fst.c rijndael-api-fst.c sha2.c
 SRCS+= bus_if.h device_if.h vnode_if.h opt_cpu.h opt_random.h



M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: etc/defaults etc/rc.d share/examples/kld/random_adaptor share/man/man4 sys/boot/forth sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe

[Mark R V Murray]

On 13 Oct 2013, at 16:13, Konstantin Belousov kostik...@gmail.com wrote:
 Surely this works, thank you. The rwfile.c content probably should be
 taken under the #ifdef RANDOM_RWFILE.

OK - thanks for the feedback!

 But I do not see much use for the randomdev_read_file() and
 randomdev_write_file() functions. It would be better to directly code
 the VFS calls in the random_harvestq_cache(). For one thing, it would
 eliminate unneccessary close and open of the entropy file.

There is some uncertainty about the future of that code, so I want
to keep it that way for now. Writing files from the kernel is making so@
very uncomfortable, and there is too much scope for error there.

We'll settle it down properly in 11.*.

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: etc/defaults etc/rc.d share/examples/kld/random_adaptor share/man/man4 sys/boot/forth sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe

[Mark R V Murray]

On 13 Oct 2013, at 17:18, Ian Lepore i...@freebsd.org wrote:

 On Sun, 2013-10-13 at 16:18 +0100, Mark R V Murray wrote:
 On 13 Oct 2013, at 16:13, Konstantin Belousov kostik...@gmail.com wrote:
 Surely this works, thank you. The rwfile.c content probably should be
 taken under the #ifdef RANDOM_RWFILE.
 
 OK - thanks for the feedback!
 
 But I do not see much use for the randomdev_read_file() and
 randomdev_write_file() functions. It would be better to directly code
 the VFS calls in the random_harvestq_cache(). For one thing, it would
 eliminate unneccessary close and open of the entropy file.
 
 There is some uncertainty about the future of that code, so I want
 to keep it that way for now. Writing files from the kernel is making so@
 very uncomfortable, and there is too much scope for error there.
 
 
 Indeed, it makes me nervous too, as a heavy user of readonly root
 filesystems.  If writing this file is so critical that it has to be done
 by the kernel, then what happens when it fails?  Right now it prints an
 error and continues -- if it is not so critical that failure means
 panic, then why is the kernel doing it at all?

Good points all. The intent is not to win the arms-race outright, but to
win the common-case battles as convincingly as possible. That said, its
not looking good for the process, but I still want to give it a decent
look before/if yanking it.

 Why is the file even in the root filesystem?  /var/db seems to be the
 right place for a transient file needed by the system.

Because that appears to be the best place to put first-boot entropy from
sysinstall/bsdinstall. /var/db/entropy/... will also be used if possible;
watch this space.

 Speaking of errors, that might include things like the current code
 calling vn_close() with the FREAD flag on a file open for writing.


Thanks :-( :-)

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: etc/defaults etc/rc.d share/examples/kld/random_adaptor share/man/man4 sys/boot/forth sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe

[Mark R V Murray]

On 13 Oct 2013, at 19:08, Adrian Chadd adr...@freebsd.org wrote:

 Hi Mark,
 
 Can we make the VFS random seeding stuff a compile time option, so we can 
 disable it for the embedded platforms where we'll never use it?

Like 'options RANDOM_RWFILE'?

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: etc/defaults etc/rc.d share/examples/kld/random_adaptor share/man/man4 sys/boot/forth sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe

[Mark R V Murray]

On 12 Oct 2013, at 17:27, Adrian Chadd adr...@freebsd.org wrote:

 hihi,
 
 I've just test booted this on a MIPS board. It doesn't hang at boot waiting 
 for entropy.
 
 http://people.freebsd.org/~adrian/mips/20131012-ar9344-boot-1.txt
 
 Thanks!

You are most welcome!

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: etc/defaults etc/rc.d share/examples/kld/random_adaptor share/man/man4 sys/boot/forth sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe

[Mark R V Murray]

On 12 Oct 2013, at 17:35, Teske, Devin devin.te...@fisglobal.com wrote:
 Can you maybe test with ZFS + Geli? I'm concerned because we told it to use 
 random(4)
 instead of urandom(4). I hope there's enough entropy when creating the geli 
 stuff that
 said process doesn't hang. I think DES's patch will help there too (not that 
 anyone
 testing our ZFS patches reported any hangs... including when testing GELI -- 
 this was
 before DES's patch).

urandom is a symlink to random.

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: etc/defaults etc/rc.d share/examples/kld/random_adaptor share/man/man4 sys/boot/forth sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe

[Mark R V Murray]

On 12 Oct 2013, at 17:44, Teske, Devin devin.te...@fisglobal.com wrote:

 You know... for years I've been compiling a custom apache for $work and using 
 the
 --with-random=/dev/urandom flag. And then recently in the past couple years 
 in 8.x
 I recall having problems with a GnuPG related tool that would hang due to 
 lack of
 entropy on a freshly installed box when generating stuff using random(4).
 
 Are the days of choosing between urandom(4) and random(4) over?

They were over last millennium :-)

 Would SSL function great on a freshly installed box even if using random(4) 
 for
 apache? (it wants to default to /dev/random anyways)

Yup! No worse than usual.

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: etc/defaults etc/rc.d share/examples/kld/random_adaptor share/man/man4 sys/boot/forth sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe

[Mark R V Murray]

On 12 Oct 2013, at 17:49, Teske, Devin devin.te...@fisglobal.com wrote:
 Doubly-thanks!

Glad to be useful.

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r256377 - in head: problems on ARM BEAGLEBONE

[Mark R V Murray]

On 13 Oct 2013, at 01:07, Ian Lepore i...@freebsd.org wrote:
 It looks like the cause of the problem is that both the dummy and the
 yarrow generators register, dummy first, and so it gets chosen even
 though yarrow is available.

Correct diagnosis!

This is now fixed; sorry for the hassle.

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r255362 - in head: share/examples/kld share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/ubsec sys/kern sys/mips/

[Mark R V Murray]

On 7 Sep 2013, at 17:40, Dag-Erling Smørgrav d...@des.no wrote:

 Mark Murray ma...@freebsd.org writes:
 Log:
  Bring in some behind-the-scenes development, mainly By Arthur Mesh,
  the rest by me.
 
 Umm, this should have been submitted to secteam@ for review.

My bad.

I made the presumption that since we had discussed it in person that
this would be OK, so my fault.

I'd prefer not to churn by backing out, but will do so if needed.

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r255362 - in head: share/examples/kld share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/ubsec sys/kern sys/mips/

[Mark R V Murray]

On 7 Sep 2013, at 17:55, Glen Barber g...@freebsd.org wrote:

 On Sat, Sep 07, 2013 at 06:40:32PM +0200, Dag-Erling Smørgrav wrote:
 Mark Murray ma...@freebsd.org writes:
 Log:
  Bring in some behind-the-scenes development, mainly By Arthur Mesh,
  the rest by me.
 
 Umm, this should have been submitted to secteam@ for review.
 
 
 This also causes problems booting when /dev/random is nonexistent.
 
 See the new thread on -current@ with subject random(4) update causes
 mips compile fail | mips boot fail.
 
 Sean confirmed r255361 does not exhibit the boot failure.

I can't find that thread :-(

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r255362 - in head: share/examples/kld share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/ubsec sys/kern sys/mips/

[Mark R V Murray]

On 7 Sep 2013, at 18:20, Dag-Erling Smørgrav d...@des.no wrote:

 Mark R V Murray m...@grondar.org writes:
 Dag-Erling Smørgrav d...@des.no writes:
 Umm, this should have been submitted to secteam@ for review.
 I made the presumption that since we had discussed it in person that
 this would be OK, so my fault.
 
 We discussed the outline, but we still need to review the details.
 
 I'd prefer not to churn by backing out, but will do so if needed.
 
 I'm reviewing the patch as we speak.  I haven't yet seen anything that
 would justify reverting the commit, but the mips breakage Glen mentioned
 needs to be fixed.

OK, thanks, I'm on that MIPS breakage.

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r255362 - in head: share/examples/kld share/examples/kld/random_adaptor sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/ubsec sys/kern sys/mips/

[Mark R V Murray]

On 7 Sep 2013, at 19:34, Dag-Erling Smørgrav d...@des.no wrote:

 I didn't see anything that deviated from the plan we agreed upon in
 Cambridge.

That was the idea! :-D

 Several random_harvest() calls have been changed to reduce the entropy
 estimate - that's a good thing (as long as we don't reduce it to an
 unusable level, which I don't think is the case).  I also see that the
 network entropy harvesting bug we talked about has been fixed, which is
 also a good thing.  As far as I can tell, these are the only changes
 which affect the quality of the output.

Indeed.

 The renaming part made the patch hard to read - IWBNI it had been
 committed separately, but it didn't kill me.  Another factor that
 reduces readability is that the patch needlessly unfolds
 previously wrapped lines, e.g.
 
 - if (++random_state.outputblocks =
 - random_state.gengateinterval) {
 + if (++random_state.outputblocks = 
 random_state.gengateinterval) {
 
 which doesn't actually change anything but introduces a style bug and
 increases the reviewers' workload.  In fact, the patch introduces quite
 a few style bugs (including some that I personally aprove of but bde@
 may complain about, such as s/u_char/uint8_t/), but that can be
 addressed when we get a fresh batch of round tuts.

Apologies for making your life hard; that was unintended. I'll be working on
this code some more; I'll fix those long lines then.

 (joking aside - barring an overriding reason, we should strive to always
 conform to style(9))

Indeed; while this may not be a perfect lurch in that direction, the uintN_t
changes were a style(9) nod.

 In Yarrow, buffer sizes are now consistently referred to by BLOCKSIZE
 rather than a mix of BLOCKSIZE and (int)sizeof(whatever), which improves
 code readability at the cost of patch readability.  However, it appears
 that the *meaning* of BLOCKSIZE has changed from bits to bytes, and if I
 read the code correctly, it used to be 256 bits but is now 128.

Correct; it was a mess and I tidied it up. Having 256-bit blocks bought
us nothing; the intent is to use the natural key and block sizes of the
AES and SHA256 building-blocks.

 I dislike the use of pseudo in sys/dev/random/pseudo_rng.c since it is
 easily confused with the P in PRNG and pseudo_rng.c is actually not a
 PRNG but rather a collection of fake or dummy RNGs for testing purposes.
 Perhaps s/pseudo/dummy/g would be in order.

Good point. I'll do that.

 So, this is a provisional OK from my part.  *However*, I did not review
 the new harvesting queue in detail, and a bug there could, in the worst
 case, result in all the harvested entropy being discarded and Yarrow
 receiving kilobyte upon kilobyte of zeroes; so I'd like to get a second
 opinion.

Of course!

M
-- 
Mark R V Murray



signature.asc
Description: Message signed with OpenPGP using GPGMail