Date: Sat, 10 Oct 2020 21:48:06 +0000 (UTC) From: Conrad Meyer <cem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r366621 - in head/sys: dev/random dev/random/fenestrasX libkern sys Message-ID: <202010102148.09ALm6Sm098779@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cem Date: Sat Oct 10 21:48:06 2020 New Revision: 366621 URL: https://svnweb.freebsd.org/changeset/base/366621 Log: arc4random(9): Integrate with RANDOM_FENESTRASX push-reseed There is no functional change for the existing Fortuna random(4) implementation, which remains the default in GENERIC. In the FenestrasX model, when the root CSPRNG is reseeded from pools due to an (infrequent) timer, child CSPRNGs can cheaply detect this condition and reseed. To do so, they just need to track an additional 64-bit value in the associated state, and compare it against the root seed version (generation) on random reads. This revision integrates arc4random(9) into that model without substantially changing the design or implementation of arc4random(9). The motivation is that arc4random(9) is immediately reseeded when the backing random(4) implementation has additional entropy. This is arguably most important during boot, when fenestrasX is reseeding at 1, 3, 9, 27, etc., second intervals. Today, arc4random(9) has a hardcoded 300 second reseed window. Without this mechanism, if arc4random(9) gets weak entropy during initial seed (and arc4random(9) is used early in boot, so this is quite possible), it may continue to emit poorly seeded output for 5 minutes. The FenestrasX push-reseed scheme corrects consumers, like arc4random(9), as soon as possible. Reviewed by: markm Approved by: csprng (markm) Differential Revision: https://reviews.freebsd.org/D22838 Added: head/sys/dev/random/fenestrasX/fx_pub.h (contents, props changed) Modified: head/sys/dev/random/fenestrasX/fx_brng.c head/sys/dev/random/fenestrasX/fx_main.c head/sys/dev/random/fenestrasX/fx_pool.c head/sys/dev/random/fenestrasX/fx_priv.h head/sys/dev/random/randomdev.c head/sys/libkern/arc4random.c head/sys/sys/libkern.h Modified: head/sys/dev/random/fenestrasX/fx_brng.c ============================================================================== --- head/sys/dev/random/fenestrasX/fx_brng.c Sat Oct 10 21:45:59 2020 (r366620) +++ head/sys/dev/random/fenestrasX/fx_brng.c Sat Oct 10 21:48:06 2020 (r366621) @@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$"); #include <dev/random/fenestrasX/fx_brng.h> #include <dev/random/fenestrasX/fx_priv.h> +#include <dev/random/fenestrasX/fx_pub.h> #include <dev/random/fenestrasX/fx_rng.h> /* Modified: head/sys/dev/random/fenestrasX/fx_main.c ============================================================================== --- head/sys/dev/random/fenestrasX/fx_main.c Sat Oct 10 21:45:59 2020 (r366620) +++ head/sys/dev/random/fenestrasX/fx_main.c Sat Oct 10 21:48:06 2020 (r366621) @@ -88,7 +88,6 @@ * a while). * * Not yet implemented, not in scope, or todo: - * - arc4random(9) injection/replacement * - Userspace portions -- shared page, like timehands vdso? */ @@ -125,6 +124,7 @@ __FBSDID("$FreeBSD$"); #include <dev/random/fenestrasX/fx_hash.h> #include <dev/random/fenestrasX/fx_pool.h> #include <dev/random/fenestrasX/fx_priv.h> +#include <dev/random/fenestrasX/fx_pub.h> #include <dev/random/fenestrasX/fx_rng.h> struct fxrng_buffered_rng fxrng_root; @@ -142,7 +142,7 @@ DPCPU_DEFINE_STATIC(struct fxrng_buffered_rng *, fxrng * the root generation number >0. */ static void -fxrng_alg_read(uint8_t *output, size_t nbytes) +_fxrng_alg_read(uint8_t *output, size_t nbytes, uint64_t *seed_version_out) { struct fxrng_buffered_rng **pcpu_brng_p, *rng, *tmp; struct pcpu *pcpu; @@ -248,8 +248,30 @@ fxrng_alg_read(uint8_t *output, size_t nbytes) have_valid_rng: /* At this point we have a valid, initialized and seeded rng pointer. */ FXRNG_BRNG_LOCK(rng); + if (seed_version_out != NULL) + *seed_version_out = rng->brng_generation; fxrng_brng_read(rng, output, nbytes); FXRNG_BRNG_ASSERT_NOT(rng); +} + +static void +fxrng_alg_read(uint8_t *output, size_t nbytes) +{ + _fxrng_alg_read(output, nbytes, NULL); +} + +/* + * External API for arc4random(9) to fetch new key material and associated seed + * version in chacha20_randomstir(). + */ +void +read_random_key(void *output, size_t nbytes, uint64_t *seed_version_out) +{ + /* Ensure _fxrng_alg_read invariant. */ + if (__predict_false(atomic_load_acq_64(&fxrng_root_generation) == 0)) + (void)fxrng_alg_seeded(); + + _fxrng_alg_read(output, nbytes, seed_version_out); } static void Modified: head/sys/dev/random/fenestrasX/fx_pool.c ============================================================================== --- head/sys/dev/random/fenestrasX/fx_pool.c Sat Oct 10 21:45:59 2020 (r366620) +++ head/sys/dev/random/fenestrasX/fx_pool.c Sat Oct 10 21:48:06 2020 (r366621) @@ -53,6 +53,7 @@ __FBSDID("$FreeBSD$"); #include <dev/random/fenestrasX/fx_hash.h> #include <dev/random/fenestrasX/fx_pool.h> #include <dev/random/fenestrasX/fx_priv.h> +#include <dev/random/fenestrasX/fx_pub.h> /* * Timer-based reseed interval growth factor and limit in seconds. (ยง 3.2) Modified: head/sys/dev/random/fenestrasX/fx_priv.h ============================================================================== --- head/sys/dev/random/fenestrasX/fx_priv.h Sat Oct 10 21:45:59 2020 (r366620) +++ head/sys/dev/random/fenestrasX/fx_priv.h Sat Oct 10 21:48:06 2020 (r366621) @@ -46,4 +46,3 @@ #endif extern struct fxrng_buffered_rng fxrng_root; -extern uint64_t __read_mostly fxrng_root_generation; Added: head/sys/dev/random/fenestrasX/fx_pub.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sys/dev/random/fenestrasX/fx_pub.h Sat Oct 10 21:48:06 2020 (r366621) @@ -0,0 +1,53 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (c) 2019 Conrad Meyer <cem@FreeBSD.org> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ +#pragma once + +#include <sys/systm.h> + +/* + * The root BRNG seed version, or generation. + * + * FenestrasX-aware downstream CSPRNGs (i.e., arc4random(9)) should track the + * generation number they seeded from, using the read_random_key(9) API below. + * If their current seed version is older than the root generation, they should + * reseed before producing output. + * + * The variable is read-only outside of the fenestrasX implementation and + * should be accessed using 'atomic_load_acq_64(&fxrng_root_generation)'. + * Reseeds are extremely infrequent, so callers may wish to hint to the + * compiler that a matching generation is the expected case, with + * __predict_true() or __predict_false(). + */ +extern uint64_t __read_mostly fxrng_root_generation; + +/* + * A routine for generating seed/key material + * Bypasses random(4) for now, but conceivably could be incorporated into that. + */ +void read_random_key(void *buf, size_t nbytes, uint64_t *seed_version_out); Modified: head/sys/dev/random/randomdev.c ============================================================================== --- head/sys/dev/random/randomdev.c Sat Oct 10 21:45:59 2020 (r366620) +++ head/sys/dev/random/randomdev.c Sat Oct 10 21:48:06 2020 (r366621) @@ -373,8 +373,10 @@ randomdev_unblock(void) selwakeuppri(&rsel, PUSER); wakeup(p_random_alg_context); printf("random: unblocking device.\n"); +#ifndef RANDOM_FENESTRASX /* Do random(9) a favour while we are about it. */ (void)atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_NONE, ARC4_ENTR_HAVE); +#endif } /* ARGSUSED */ Modified: head/sys/libkern/arc4random.c ============================================================================== --- head/sys/libkern/arc4random.c Sat Oct 10 21:45:59 2020 (r366620) +++ head/sys/libkern/arc4random.c Sat Oct 10 21:48:06 2020 (r366621) @@ -40,10 +40,14 @@ __FBSDID("$FreeBSD$"); #include <sys/smp.h> #include <sys/time.h> +#include <machine/cpu.h> + #include <crypto/chacha20/chacha.h> #include <crypto/sha2/sha256.h> #include <dev/random/randomdev.h> -#include <machine/cpu.h> +#ifdef RANDOM_FENESTRASX +#include <dev/random/fenestrasX/fx_pub.h> +#endif #define CHACHA20_RESEED_BYTES 65536 #define CHACHA20_RESEED_SECONDS 300 @@ -52,7 +56,9 @@ __FBSDID("$FreeBSD$"); CTASSERT(CHACHA20_KEYBYTES*8 >= CHACHA_MINKEYLEN); +#ifndef RANDOM_FENESTRASX int arc4rand_iniseed_state = ARC4_ENTR_NONE; +#endif MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures"); @@ -62,6 +68,9 @@ struct chacha20_s { time_t t_reseed; u_int8_t m_buffer[CHACHA20_BUFFER_SIZE]; struct chacha_ctx ctx; +#ifdef RANDOM_FENESTRASX + uint64_t seed_version; +#endif } __aligned(CACHE_LINE_SIZE); static struct chacha20_s *chacha20inst = NULL; @@ -79,7 +88,10 @@ chacha20_randomstir(struct chacha20_s *chacha20) { struct timeval tv_now; u_int8_t key[CHACHA20_KEYBYTES]; +#ifdef RANDOM_FENESTRASX + uint64_t seed_version; +#else if (__predict_false(random_bypass_before_seeding && !is_random_seeded())) { SHA256_CTX ctx; uint64_t cc; @@ -106,6 +118,10 @@ chacha20_randomstir(struct chacha20_s *chacha20) "make sure 256 bits is still 256 bits"); SHA256_Final(key, &ctx); } else { +#endif +#ifdef RANDOM_FENESTRASX + read_random_key(key, CHACHA20_KEYBYTES, &seed_version); +#else /* * If the loader(8) did not have an entropy stash from the * previous shutdown to load, then we will block. The answer is @@ -117,6 +133,7 @@ chacha20_randomstir(struct chacha20_s *chacha20) */ read_random(key, CHACHA20_KEYBYTES); } +#endif getmicrouptime(&tv_now); mtx_lock(&chacha20->mtx); chacha_keysetup(&chacha20->ctx, key, CHACHA20_KEYBYTES*8); @@ -124,6 +141,9 @@ chacha20_randomstir(struct chacha20_s *chacha20) /* Reset for next reseed cycle. */ chacha20->t_reseed = tv_now.tv_sec + CHACHA20_RESEED_SECONDS; chacha20->numbytes = 0; +#ifdef RANDOM_FENESTRASX + chacha20->seed_version = seed_version; +#endif mtx_unlock(&chacha20->mtx); } @@ -173,9 +193,13 @@ arc4rand(void *ptr, u_int len, int reseed) u_int length; u_int8_t *p; +#ifdef RANDOM_FENESTRASX + if (__predict_false(reseed)) +#else if (__predict_false(reseed || (arc4rand_iniseed_state == ARC4_ENTR_HAVE && atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED)))) +#endif CHACHA20_FOREACH(chacha20) chacha20_randomstir(chacha20); @@ -185,8 +209,18 @@ arc4rand(void *ptr, u_int len, int reseed) if ((chacha20->numbytes > CHACHA20_RESEED_BYTES) || (tv.tv_sec > chacha20->t_reseed)) chacha20_randomstir(chacha20); - p = ptr; mtx_lock(&chacha20->mtx); +#ifdef RANDOM_FENESTRASX + if (__predict_false( + atomic_load_acq_64(&fxrng_root_generation) != chacha20->seed_version + )) { + mtx_unlock(&chacha20->mtx); + chacha20_randomstir(chacha20); + mtx_lock(&chacha20->mtx); + } +#endif + + p = ptr; while (len) { length = MIN(CHACHA20_BUFFER_SIZE, len); chacha_encrypt_bytes(&chacha20->ctx, chacha20->m_buffer, p, length); Modified: head/sys/sys/libkern.h ============================================================================== --- head/sys/sys/libkern.h Sat Oct 10 21:45:59 2020 (r366620) +++ head/sys/sys/libkern.h Sat Oct 10 21:48:06 2020 (r366621) @@ -116,10 +116,12 @@ static __inline int abs(int a) { return (a < 0 ? -a : static __inline long labs(long a) { return (a < 0 ? -a : a); } static __inline quad_t qabs(quad_t a) { return (a < 0 ? -a : a); } +#ifndef RANDOM_FENESTRASX #define ARC4_ENTR_NONE 0 /* Don't have entropy yet. */ #define ARC4_ENTR_HAVE 1 /* Have entropy. */ #define ARC4_ENTR_SEED 2 /* Reseeding. */ extern int arc4rand_iniseed_state; +#endif /* Prototypes for non-quad routines. */ struct malloc_type;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202010102148.09ALm6Sm098779>