author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2019-10-29 02:55:53 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2019-10-29 02:55:53 +0000 |
commit | 0af061a355e8bd2bbf02b8120c048c72646fe942 (patch) | |
tree | a45e0bfd40fbc3befce13bc0f834cec4fb46a0cd /sys/stand | |
parent | c80e1a38f9a7eb07e198ca722f13e170e434709d (diff) |
Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer
Diffstat (limited to 'sys/stand')
-rw-r--r-- | sys/stand/boot/boot.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/stand/boot/boot.c b/sys/stand/boot/boot.c
index ccf23960338..0b322faec12 100644
--- a/sys/stand/boot/boot.c
+++ b/sys/stand/boot/boot.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: boot.c,v 1.49 2019/08/03 15:22:19 deraadt Exp $ */
+/* $OpenBSD: boot.c,v 1.50 2019/10/29 02:55:50 deraadt Exp $ */
 
 /*
 * Copyright (c) 2003 Dale Rahn
@@ -34,6 +34,7 @@
 #include <libsa.h>
 #include <lib/libsa/loadfile.h>
 #include <lib/libkern/funcs.h>
+#include <lib/libsa/arc4.h>
 
 #include <stand/boot/bootarg.h>
 
@@ -55,6 +56,7 @@ char *kernelfile = KERNEL; /* can be changed by MD code */
 int boottimeout = 5; /* can be changed by MD code */
 
 char rnddata[BOOTRANDOM_MAX];
+struct rc4_ctx randomctx;
 
 void
 boot(dev_t bootdev)
@@ -112,6 +114,8 @@ boot(dev_t bootdev)
 #ifdef FWRANDOM
 fwrandom(rnddata, sizeof(rnddata));
 #endif
+ rc4_keysetup(&randomctx, rnddata, sizeof rnddata);
+ rc4_skip(&randomctx, 1536);
 
 st = 0;
 bootprompt = 1; /* allow reselect should we fail */ |
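Review bot: `randomctx` in the `@@ -55,6 +56,7 @@` hunk is a new externally visible file-scope object with no comment, while the globals just above it each say who may change them. Nothing in this file's diff reads it, so its consumer presumably lives outside the files shown here, and a one-line comment would make that coupling explicit, e.g. `struct rc4_ctx randomctx; /* keyed in boot(), consumed when .openbsd.randomdata is filled */`. Because the context is derived from the boot seed, it would also help to state whether it is meant to remain in memory once the kernel has been started.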
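Review bot: `rc4_keysetup(&randomctx, rnddata, sizeof rnddata);` in the `@@ -112,6 +114,8 @@` hunk keys the stream whether or not rnddata was actually filled. The only fill visible here is `fwrandom()` under `#ifdef FWRANDOM`, and the rest of boot() lies outside the hunk. If the seed load can fail on a platform without FWRANDOM, the key would be a constant buffer and every value spread into .openbsd.randomdata would be predictable, so that path deserves a check or at least a comment. It is also worth confirming in the libsa arc4 implementation that the key schedule mixes all `sizeof rnddata` bytes, since a classic RC4 key setup consumes at most 256 key bytes. The bare drop count would read better with its reason attached, e.g. `rc4_skip(&randomctx, 1536); /* discard biased early keystream */`.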