Date:      Thu, 7 Mar 2019 20:48:58 -0500
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Conrad Meyer <cem@FreeBSD.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r344913 - head/sys/dev/random
Message-ID:  <20190308014858.2kowmri5nx7oa7a5@mutt-hbsd>
In-Reply-To: <201903080117.x281HK4N002587@repo.freebsd.org>
References:  <201903080117.x281HK4N002587@repo.freebsd.org>



Hey Conrad,

On Fri, Mar 08, 2019 at 01:17:20AM +0000, Conrad Meyer wrote:
> Author: cem
> Date: Fri Mar  8 01:17:20 2019
> New Revision: 344913
> URL: https://svnweb.freebsd.org/changeset/base/344913
>
> Log:
>   Fortuna: Add Chacha20 as an alternative stream cipher
>
>   Chacha20 with a 256 bit key and 128 bit counter size is a good match for an
>   AES256-ICM replacement.
>
>   In userspace, Chacha20 is typically marginally slower than AES-ICM on
>   machines with AESNI intrinsics, but typically much faster than AES on
>   machines without special intrinsics.  ChaCha20 does well on typical modern
>   architectures with SIMD instructions, which includes most types of machines
>   FreeBSD runs on.
>
>   In the kernel, we can't (or don't) make use of AESNI intrinsics for
>   random(4) anyway.  So even on amd64, using Chacha provides a modest
>   performance improvement in random device throughput today.
>
>   This change makes the stream cipher used by random(4) configurable at boot
>   time with the 'kern.random.use_chacha20_cipher' tunable.
>
>   Very rough, non-scientific measurements at the /dev/random device, on a
>   GENERIC-NODEBUG amd64 VM with 'pv', show a factor of 2.2x higher throughput
>   for Chacha20 over the existing AES-ICM mode.
>
>   Reviewed by:	delphij, markm
>   Approved by:	secteam (delphij)
>   Differential Revision:	https://reviews.freebsd.org/D19475
>
> Modified:
>   head/sys/dev/random/fortuna.c
>   head/sys/dev/random/hash.c
>   head/sys/dev/random/hash.h
>   head/sys/dev/random/uint128.h
>
> Modified: head/sys/dev/random/hash.c
> ==============================================================================
> --- head/sys/dev/random/hash.c	Fri Mar  8 01:04:19 2019	(r344912)
> +++ head/sys/dev/random/hash.c	Fri Mar  8 01:17:20 2019	(r344913)
> +/* Validate that full Chacha IV is as large as the 128-bit counter */
> +_Static_assert(CHACHA_STATELEN == RANDOM_BLOCKSIZE, "");
> +
> +/*
> + * Experimental Chacha20-based PRF for Fortuna keystream primitive.  For now,
> + * disabled by default.  But we may enable it in the future.
> + *
> + * Benefits include somewhat faster keystream generation compared with
> + * unaccelerated AES-ICM.
> + */
> +bool random_chachamode = false;
> +#ifdef _KERNEL
> +SYSCTL_BOOL(_kern_random, OID_AUTO, use_chacha20_cipher, CTLFLAG_RDTUN,
> +    &random_chachamode, 0,
> +    "If non-zero, use the ChaCha20 cipher for randomdev PRF.  "
> +    "If zero, use AES-ICM cipher for randomdev PRF (default).");
> +#endif
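Review bot: The _Static_assert on CHACHA_STATELEN versus RANDOM_BLOCKSIZE in this hunk has an empty diagnostic string, so a future mismatch would fail the build with no explanation; the message should carry what the comment above it already says, e.g. "Chacha IV/counter state must be as large as the 128-bit counter". Separately, the sysctl is declared CTLFLAG_RDTUN, which means it is only settable as a loader tunable at boot and a runtime write via sysctl(8) will be refused; the help string says nothing about that, and the log's "configurable at boot time" is the only place the restriction is stated, so the help text (and whatever manpage entry documents kern.random.use_chacha20_cipher) should say it is a loader.conf tunable rather than a runtime switch.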

I'm curious if that sysctl node could be documented in a manpage;
perhaps the random(4) manpage would be a good candidate for updating.


Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
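The quoted hunk pins CHACHA_STATELEN to RANDOM_BLOCKSIZE at compile time because Fortuna's 128-bit block counter has to occupy the whole ChaCha nonce+counter state. The block below is an added example, not code from the commit, from FreeBSD, or from either poster: it shows the same shape of check on a self-contained 128-bit counter, including the carry from the low limb into the high limb and detection of a full wrap. The ex_ prefixed names and constants are this example's own assumptions, and the little-endian serialization is an illustrative convention, not a claim about what sys/dev/random/uint128.h or the kernel's ChaCha glue actually does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constants mirroring the relationship the commit asserts:
 * the ChaCha nonce+counter state (16 bytes) must be exactly as wide as the
 * 128-bit block counter.  These are this example's names, not FreeBSD's. */
#define EX_CHACHA_NONCELEN 8
#define EX_CHACHA_CTRLEN   8
#define EX_CHACHA_STATELEN (EX_CHACHA_NONCELEN + EX_CHACHA_CTRLEN)
#define EX_RANDOM_BLOCKSIZE 16 /* 128-bit block / counter width */

/* Unlike an empty "", a real message explains the failure at build time. */
_Static_assert(EX_CHACHA_STATELEN == EX_RANDOM_BLOCKSIZE,
    "ChaCha nonce+counter state must be as wide as the 128-bit counter");

/* A 128-bit counter kept as two 64-bit limbs (lo carries into hi). */
struct ex_uint128 {
    uint64_t lo;
    uint64_t hi;
};

_Static_assert(sizeof(struct ex_uint128) == EX_RANDOM_BLOCKSIZE,
    "counter representation must be exactly 16 bytes");

/* Increment with carry.  Returns true only if all 128 bits wrapped to zero,
 * which a keystream user must treat as a fault: a wrapped counter would
 * start re-emitting earlier keystream blocks under the same key. */
bool ex_uint128_increment(struct ex_uint128 *c)
{
    c->lo++;
    if (c->lo == 0) {
        c->hi++;
        return (c->hi == 0);
    }
    return false;
}

/* Serialize the counter into the 16-byte state slot, low limb first,
 * little-endian within each limb (an illustrative convention). */
void ex_counter_to_state(const struct ex_uint128 *c,
    uint8_t out[EX_CHACHA_STATELEN])
{
    for (int i = 0; i < 8; i++) {
        out[i]     = (uint8_t)(c->lo >> (8 * i));
        out[8 + i] = (uint8_t)(c->hi >> (8 * i));
    }
}

/* Self-check helpers that return values a harness can assert on. */
bool ex_carry_into_high_limb(void)
{
    struct ex_uint128 c = { .lo = UINT64_MAX, .hi = 0 };
    bool wrapped = ex_uint128_increment(&c);
    return !wrapped && c.lo == 0 && c.hi == 1;
}

bool ex_full_wrap_detected(void)
{
    struct ex_uint128 c = { .lo = UINT64_MAX, .hi = UINT64_MAX };
    bool wrapped = ex_uint128_increment(&c);
    return wrapped && c.lo == 0 && c.hi == 0;
}

/* Returns the byte at index idx of the serialized state for counter lo. */
int ex_state_byte(uint64_t lo, int idx)
{
    struct ex_uint128 c = { .lo = lo, .hi = 0 };
    uint8_t st[EX_CHACHA_STATELEN];
    ex_counter_to_state(&c, st);
    return st[idx];
}

int main(void)
{
    printf("state bytes: %d\n", EX_CHACHA_STATELEN);
    printf("carry into hi limb ok: %d\n", ex_carry_into_high_limb());
    printf("full wrap detected:    %d\n", ex_full_wrap_detected());
    printf("byte 0 of 0x...0708:   0x%02x\n", ex_state_byte(0x0102030405060708ULL, 0));
    return 0;
}
```

The return value of ex_uint128_increment is the part worth keeping in a real generator: with a 128-bit counter a wrap is practically unreachable, but making it observable is what turns a silent keystream reuse into a detectable error.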
