| Age | Commit message (Collapse) | Author |
|---|
|
instead of hand-rolling the same code to set up a temporary ChaCha
instance.
tweak/ok semarie@, ok deraadt@
|
|
will frantically compensate.
ok kettenis
|
|
But it was a constant, that is really silly. Pass back the first
word from the middle layer.
ok visa
|
|
enqueue_randomness(), so make them local static instead of global.
|
|
defining the [size]
|
|
|
|
|
|
and change wording from 'entropy queue', what we have is a ring which
collects 'damage' from successive calls until drawn down
|
|
it suggests we should reconsider this mechanism and do something
simpler... delete the explanation for now.
|
|
misleading, so rewrite it.
The interesting parts are bootblock-seeding from file + hwrng,
arc4random() being available incredibly early, and seperate timeouts
to pull entropy data forward into a stir of the chacha state (one for
entropy ring crc whitening into a buffer, the 2nd for buffer folding
into the chacha)
Now that it is better documented, I can try to improve each component.
|
|
|
|
ok deraadt@
|
|
hit by millert
|
|
ok djm markus
|
|
adding more filter properties without cluttering the struct.
OK mpi@, anton@
|
|
make the structs const so that the data are put in .rodata.
OK mpi@, deraadt@, anton@, bluhm@
|
|
this gets rid of the source annotation which doesn't really add
anything other than adding complexitiy. randomess is generally
good enough that the few extra bits that the source type would
add are not worth it.
ok mikeb@ deraadt@
|
|
random data. But a new source of entropy arrived a few months ago
-- KARL generates highly disturbed images for some kernels (well,
not for bsd.rd)
This assumes the tail of text (just before etext[]) is readable.
We are trying to use a portable symbol name, and also avoid reading
a locore0 which has been unmapped...
ok mortimer
|
|
ok deraadt@
|
|
grabbing the rnglock repeatedly.
ok deraadt@ djm@
|
|
|
|
A lot of randomness event producers are executed in the interrupt
context increasing the time spent in the interrupt handler resulting
in extra costs when adding randomness data to the pool. However, in
practice randomness event producers require interlocking between each
other, but not with with consumers due to the opportunistic nature of
event consumers.
To be able to take advantage of this idea, the ring buffer indexing
is now done with two free running producer and consumer counters modulo
power of 2 size of the ring buffer.
With input from and OK visa, tb, jasper
|
|
sections, such as __attribute__((section(".openbsd.randomdata"))), may be
non-zero. In combination with "const" or "static" the compiler becomes even
more sure nothing can influence the object and assumes the value will be 0.
A few optimizations later, a security requirement has been removed.
Until a better annotation arrives in compilers, be warned: Do not mix
const or static with these random objects, you won't get what you want.
Spotted in a regression test by bluhm, long discussion with kettenis.
|
|
|
|
|
|
too late, leading to poor rng in the kernel early on. a behavioural
artifact in vmm spotted the issue.
ok tedu guenther mlarkin
|
|
|
|
remove it another relic of the superstitious past.
ok deraadt millert mikeb
|
|
from rob pierce
|
|
known and we rely on the bootpath to prime us anyways.
This also solves the issue raised by kettenis, of version potentially
being non-word aligned
ok kettenis djm
|
|
beyond the end of .text/.rodata.
ok deraadt@
|
|
the alias mapping when clearing it, since there is no guarantee the pool is
page aligned.
ok deraadt@
|
|
also do so in the kernel, which gains us RO ssp cookie, which will prevent
spraying attacks.
The random layer was openbsd.randomdata annotating working entropy/chacha
buffers which in turn required them to be RW. To make that work again,
so we need to copy RO seeds to RW working buffers, and later clear the
RO seed buffers afterwards using a temporary RW mapping.
help & ok kettenis, ok guenther
|
|
"another leftover of the bean counter"
od tedu@ deraadt@
|
|
ones are capable of giving valuable works vs does-not-work evidence.
ok tedu
|
|
we don't drop any events when the queue is full. They are instead mixed
into previous events.
The mixing function selected is addition instead of xor to reduce the
possibility that new values effectively erase existing ones.
Convert some types to u_int to ensure defined overflow.
ok deraadt djm
|
|
Pointed out by Martin Natano, slightly tweaked by me.
ok deraadt@
|
|
Diff from Martin Natano, thanks!
ok kettenis@, deraadt@
|
|
from Martin Natano (and also reported by Stefan Kempf)
|
|
specify custom counter value when setting up Chacha context.
ok reyk djm
|
|
|
|
ok djm@ miod@ deraadt@
|
|
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
|
failure to fire the collection timeout. discovered by markus.
the order of events here doesn't actually matter, so switch to a simple
stack, which is easier to understand. ok markus
|
|
- rename uiomove() to uiomovei() and update all its users.
- introduce uiomove(), which is similar to uiomovei() but with a size_t.
- rewrite uiomovei() as an uiomove() wrapper.
ok kettenis@
|
|
boot.
ok mlarkin
|
|
when workqs were introduced, we provided a second argument so you
could pass a thing and some context to work on it in. there were
very few things that took advantage of the second argument, so when
i introduced pools i suggested removing it. since tasks were meant
to replace workqs, it was requested that we keep the second argument
to make porting from workqs to tasks easier.
now that workqs are gone, i had a look at the use of the second
argument again and found only one good use of it (vdsp(4) on sparc64
if you're interested) and a tiny handful of questionable uses. the
vast majority of tasks only used a single argument. i have since
modified all tasks that used two args to only use one, so now we
can remove the second argument.
so this is a mechanical change. all tasks only passed NULL as their
second argument, so we can just remove it.
ok krw@
|
|
|
|
|
|
|
