src/sys/dev/random, branch release/12.3.0

fortuna: Deduplicate kernel vs user includes

2021-08-06T05:12:21Z

No functional change. Reviewed by: markj, markm Approved by: secteam (delphij), core (brooks) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D19409 (cherry picked from commit e66ccbeaa3613d022dbc07b9f7403c6bfbe40be6)

Fortuna: Add failpoints to simulate initial seeding conditions

2021-08-06T05:12:16Z

Set debug.fail_point.random_fortuna_pre_read=return(1) and debug.fail_point.random_fortuna_seeded=return(1) to return to unseeded status (sort of). See the Differential URL for more detail. The goal is to reproduce e.g. Lev's recent CURRENT report[1] about failing newfs arc4random(3) usage (fixed in r338542). No functional change when failpoints are not set. [1]: https://lists.freebsd.org/pipermail/freebsd-current/2018-September/071067.html Reported by: lev Reviewed by: delphij, markm Approved by: secteam (delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D17047 (cherry picked from commit 9b8d0fe462b2f3f689cb87fe34bd42c388e23d49)

fortuna: Drop global lock to zero stack variables

2021-08-06T05:12:10Z

Also drop explicit zeroing of hash context -- hash finish() operation is expected to do this. PR: 230877 Suggested by: delphij@ Reviewed by: delphij, markm Approved by: secteam (delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D16986 (cherry picked from commit 7be4093a844e80a591221e93d03f3daf6a972be3)

Fortuna: fix a correctness issue in reseed (fortuna_pre_read)

2021-08-06T05:12:05Z

'i' counts the number of pools included in the array 's'. Passing 'i+1' to reseed_internal() as the number of blocks in 's' is a bogus overrun of the initialized portion of 's' -- technically UB. I found this via code inspection, referencing §9.5.2 "Pools" of the Fortuna chapter, but I would expect Coverity to notice the same issue. Unfortunately, it doesn't appear to. Reviewed by: markm Approved by: secteam (gordon) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D16985 (cherry picked from commit 9a88479843e2314018f66fd2cdad5ae0200393d0)

Fortuna: Fix a race to prevent reseed spamming

2021-08-06T05:12:00Z

If multiple threads enter fortuna_pre_read contemporaneously, such as via read(2) or getrandom(2), they could race to check how long it has been since the last update due to a TOCTOU problem with 'now'. Here is an example problematic execution: Thread A: Thread B: now_A = getsbinuptime(); now_B = getsbinuptime(); // now_B > now_A RANDOM_RESEED_LOCK(); if (now - fs_lasttime > SBT_1S/10) { fs_lasttime = now; ... // reseed } RANDOM_RESEED_UNLOCK(); RANDOM_RESEED_LOCK(); if (now_A - fs_lasttime > SBT_1S/10) // now_A - fs_lasttime underflows fs_lasttime = now_A; ... // reseed again, despite less than 100ms elapsing } RANDOM_RESEED_UNLOCK(); To resolve the race, simply check the current time after we win the lock race. If getsbinuptime is perceived to be expensive, another option might be to just accept the race and validate that fs_lasttime isn't "in the future." (It should be within the last ~2^31 seconds out of ~2^32 seconds representable duration.) Reviewed by: delphij, markm Approved by: secteam (delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D16984 (cherry picked from commit 5528565a76f5caae336d4f13213108dc1fad4ae0)

Fortuna: trivial static variable cleanup

2021-08-06T00:28:01Z

Remove unnecessary use of function-local static variable. 32 bytes is small enough to live on the stack. Reviewed by: delphij, markm Approved by: secteam (delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D16937 (cherry picked from commit 494dda455cd1dad0277a35e292735243f92ec10a)

Fortuna: Add trivial assert to match FS&K definition

2021-08-06T00:28:00Z

FS&K GenerateBlocks function asserts C (counter) != 0. This should also be true in our implementation. Reviewed by: delphij, markm Approved by: secteam (delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D16936 (cherry picked from commit 84880efae7040bb55e6f63166f53158135574e3a)

Fortuna: Clean up reseeding key material to closer match FS&K

2021-08-06T00:27:56Z

When reseeding, only incorporate actual key material. Do not include e.g. the derived key schedules or other AES context. I don't think the extra material was harmful here, just not beneficial. Reviewed by: delphij, markm Approved by: secteam (delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D16934 (cherry picked from commit 90545403e9d293efb0b843a75ad02361eadaae6d)

MFC r345438,r345842,r346259,r346261: TPM as possible entropy source

2019-04-26T01:41:55Z

r345438: Allow using TPM as entropy source TPM has a built-in RNG, with its own entropy source. The driver was extended to harvest 16 random bytes from TPM every 10 seconds. A new build option "TPM_HARVEST" was introduced - for now, however, it is not enabled by default in the GENERIC config. r345842: Add a cv_wait to the TPM2.0 harvesting function r346259: tpm: Prevent session hijack r346261: Improve tpm20 style Submitted by: Kornel Duleba Obtained from: Semihalf Sponsored by: Stormshield

random(4): Squash non-error timeout codes from tsleep(9).

2018-09-09T17:12:31Z

In both scenarios a timeout (EWOULDBLOCK) is considered as a normal condition and the error should not pop up to upper layers. PR: 231181 Submitted by: cem Reported by: lev Reviewed by: vangyzen, markm, delphij Approved by: re (kib) Approved by: secteam (delphij) Differential Revision: https://reviews.freebsd.org/D17049