| Age | Commit message (Collapse) | Author |
|---|
|
this gets rid of the source annotation which doesn't really add
anything other than adding complexitiy. randomess is generally
good enough that the few extra bits that the source type would
add are not worth it.
ok mikeb@ deraadt@
|
|
random data. But a new source of entropy arrived a few months ago
-- KARL generates highly disturbed images for some kernels (well,
not for bsd.rd)
This assumes the tail of text (just before etext[]) is readable.
We are trying to use a portable symbol name, and also avoid reading
a locore0 which has been unmapped...
ok mortimer
|
|
ok deraadt@
|
|
grabbing the rnglock repeatedly.
ok deraadt@ djm@
|
|
|
|
A lot of randomness event producers are executed in the interrupt
context increasing the time spent in the interrupt handler resulting
in extra costs when adding randomness data to the pool. However, in
practice randomness event producers require interlocking between each
other, but not with with consumers due to the opportunistic nature of
event consumers.
To be able to take advantage of this idea, the ring buffer indexing
is now done with two free running producer and consumer counters modulo
power of 2 size of the ring buffer.
With input from and OK visa, tb, jasper
|
|
sections, such as __attribute__((section(".openbsd.randomdata"))), may be
non-zero. In combination with "const" or "static" the compiler becomes even
more sure nothing can influence the object and assumes the value will be 0.
A few optimizations later, a security requirement has been removed.
Until a better annotation arrives in compilers, be warned: Do not mix
const or static with these random objects, you won't get what you want.
Spotted in a regression test by bluhm, long discussion with kettenis.
|
|
|
|
|
|
too late, leading to poor rng in the kernel early on. a behavioural
artifact in vmm spotted the issue.
ok tedu guenther mlarkin
|
|
|
|
remove it another relic of the superstitious past.
ok deraadt millert mikeb
|
|
from rob pierce
|
|
known and we rely on the bootpath to prime us anyways.
This also solves the issue raised by kettenis, of version potentially
being non-word aligned
ok kettenis djm
|
|
beyond the end of .text/.rodata.
ok deraadt@
|
|
the alias mapping when clearing it, since there is no guarantee the pool is
page aligned.
ok deraadt@
|
|
also do so in the kernel, which gains us RO ssp cookie, which will prevent
spraying attacks.
The random layer was openbsd.randomdata annotating working entropy/chacha
buffers which in turn required them to be RW. To make that work again,
so we need to copy RO seeds to RW working buffers, and later clear the
RO seed buffers afterwards using a temporary RW mapping.
help & ok kettenis, ok guenther
|
|
"another leftover of the bean counter"
od tedu@ deraadt@
|
|
ones are capable of giving valuable works vs does-not-work evidence.
ok tedu
|
|
we don't drop any events when the queue is full. They are instead mixed
into previous events.
The mixing function selected is addition instead of xor to reduce the
possibility that new values effectively erase existing ones.
Convert some types to u_int to ensure defined overflow.
ok deraadt djm
|
|
Pointed out by Martin Natano, slightly tweaked by me.
ok deraadt@
|
|
Diff from Martin Natano, thanks!
ok kettenis@, deraadt@
|
|
from Martin Natano (and also reported by Stefan Kempf)
|
|
specify custom counter value when setting up Chacha context.
ok reyk djm
|
|
|
|
ok djm@ miod@ deraadt@
|
|
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
|
failure to fire the collection timeout. discovered by markus.
the order of events here doesn't actually matter, so switch to a simple
stack, which is easier to understand. ok markus
|
|
- rename uiomove() to uiomovei() and update all its users.
- introduce uiomove(), which is similar to uiomovei() but with a size_t.
- rewrite uiomovei() as an uiomove() wrapper.
ok kettenis@
|
|
boot.
ok mlarkin
|
|
when workqs were introduced, we provided a second argument so you
could pass a thing and some context to work on it in. there were
very few things that took advantage of the second argument, so when
i introduced pools i suggested removing it. since tasks were meant
to replace workqs, it was requested that we keep the second argument
to make porting from workqs to tasks easier.
now that workqs are gone, i had a look at the use of the second
argument again and found only one good use of it (vdsp(4) on sparc64
if you're interested) and a tiny handful of questionable uses. the
vast majority of tasks only used a single argument. i have since
modified all tasks that used two args to only use one, so now we
can remove the second argument.
so this is a mechanical change. all tasks only passed NULL as their
second argument, so we can just remove it.
ok krw@
|
|
|
|
|
|
|
|
ok deraadt djm
|
|
process all queued entropy and create a brand new pool to prevent
backtracking upon resume. At resume time, process the entropy queue
(since other resume code paths which run earlier can enqueue entropy)
and force all higher to reseed.
ok reyk djm
|
|
|
|
|
|
|
|
|
|
|
|
after discussions with beck deraadt kettenis.
|
|
buffersize is enforced strictly, this supplies sufficient entropy
payload to act as seed material. Discourage general use of this
API, but lock down this function name as the go-to for userland
PRNG seeding. Improve documentation.
ok miod matthew
|
|
I accepted that he's right (again) to seperate this out from heavy
sysctl API and this will simply a variety of things. Functionname
is not used by anyone in the ports tree, so we guess we can use it.
Shocking that no application has a function called this.
ok matthew & others who pushed him to start this early on
|
|
|
|
ok deraadt@
|
|
on first call, very early on, from boot-supplied entropy, then feed from
that. Later when we have more subsystems ready, the main() can properly
initialize the entropy-driven model. Lots of discussion with mikeb.
ok kettenis markus mikeb
|
|
is no longer providing significant value. The random subsystem is in
pretty good state, and moments later userland will feed the dmesg.
ok jsing
|
|
it at startup, or in cpu_startup(). Improve comments to explain what is
happening here.
ok kettenis jsing
|
|
Also allow random_init() to be called later, by moving a few
entropy control initializions into the lower-level _rs_seed() layer.
tested by jsing, phessler and a few others
|
