2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2019 Conrad Meyer <cem@FreeBSD.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include <sys/param.h>
33 #include <sys/limits.h>
35 #include <sys/kernel.h>
36 #include <sys/malloc.h>
37 #include <sys/mutex.h>
38 #include <sys/random.h>
40 #include <sys/sysctl.h>
41 #include <sys/systm.h>
44 #include <machine/cpu.h>
46 #include <dev/random/randomdev.h>
47 #include <dev/random/random_harvestq.h>
48 #include <dev/random/uint128.h>
50 #include <dev/random/fenestrasX/fx_brng.h>
51 #include <dev/random/fenestrasX/fx_priv.h>
52 #include <dev/random/fenestrasX/fx_pub.h>
53 #include <dev/random/fenestrasX/fx_rng.h>
56 * Implementation of a buffered RNG, described in § 1.2-1.4 of the whitepaper.
60 * Initialize a buffered rng instance (either the static root instance, or a
61 * per-cpu instance on the heap. Both should be zero initialized before this
65 fxrng_brng_init(struct fxrng_buffered_rng *rng)
67 fxrng_rng_init(&rng->brng_rng, rng == &fxrng_root);
69 /* I.e., the buffer is empty. */
70 rng->brng_avail_idx = sizeof(rng->brng_buffer);
73 * It is fine and correct for brng_generation and brng_buffer to be
76 * brng_prf and brng_generation must be initialized later.
77 * Initialization is special for the root BRNG. PCPU child instances
78 * use fxrng_brng_produce_seed_data_internal() below.
83 * Directly reseed the root BRNG from a first-time entropy source,
84 * incorporating the existing BRNG state. The main motivation for doing so "is
85 * to ensure that as soon as an entropy source produces data, PRNG output
86 * depends on the data from that source." (§ 3.1)
88 * The root BRNG is locked on entry and initial keying (brng_generation > 0)
89 * has already been performed. The root BRNG is unlocked on return.
92 fxrng_brng_src_reseed(const struct harvest_event *event)
94 struct fxrng_buffered_rng *rng;
97 FXRNG_BRNG_ASSERT(rng);
98 ASSERT_DEBUG(rng->brng_generation > 0, "root RNG not seeded");
100 fxrng_rng_src_reseed(&rng->brng_rng, event);
101 FXRNG_BRNG_ASSERT(rng);
104 * Bump root generation (which is costly) to force downstream BRNGs to
105 * reseed and quickly incorporate the new entropy. The intuition is
106 * that this tradeoff is worth it because new sources show up extremely
107 * rarely (limiting cost) and if they can contribute any entropy to a
108 * weak state, we want to propagate it to all generators ASAP.
110 rng->brng_generation++;
111 atomic_store_rel_64(&fxrng_root_generation, rng->brng_generation);
112 /* Update VDSO version. */
113 fxrng_push_seed_generation(rng->brng_generation);
114 FXRNG_BRNG_UNLOCK(rng);
118 * Reseed a brng from some amount of pooled entropy (determined in fx_pool.c by
119 * fxent_timer_reseed_npools). For initial seeding, we pool entropy in a
120 * single pool and use this API as well (fxrng_alg_seeded).
123 fxrng_brng_reseed(const void *entr, size_t sz)
125 struct fxrng_buffered_rng *rng;
128 FXRNG_BRNG_LOCK(rng);
130 fxrng_rng_reseed(&rng->brng_rng, (rng->brng_generation > 0), entr, sz);
131 FXRNG_BRNG_ASSERT(rng);
133 rng->brng_generation++;
134 atomic_store_rel_64(&fxrng_root_generation, rng->brng_generation);
135 /* Update VDSO version. */
136 fxrng_push_seed_generation(rng->brng_generation);
137 FXRNG_BRNG_UNLOCK(rng);
141 * Sysentvec and VDSO are initialized much later than SI_SUB_RANDOM. When
142 * they're online, go ahead and push an initial root seed version.
143 * INIT_SYSENTVEC runs at SI_SUB_EXEC:SI_ORDER_ANY, and SI_ORDER_ANY is the
144 * maximum value, so we must run at SI_SUB_EXEC+1.
147 fxrng_vdso_sysinit(void *dummy __unused)
149 FXRNG_BRNG_LOCK(&fxrng_root);
150 fxrng_push_seed_generation(fxrng_root.brng_generation);
151 FXRNG_BRNG_UNLOCK(&fxrng_root);
153 SYSINIT(fxrng_vdso, SI_SUB_EXEC + 1, SI_ORDER_ANY, fxrng_vdso_sysinit, NULL);
156 * Grab some bytes off an initialized, current generation RNG.
158 * (Does not handle reseeding if our generation is stale.)
160 * Locking protocol is a bit odd. The RNG is locked on entrance, but the lock
161 * is dropped on exit. This avoids holding a lock during expensive and slow
165 fxrng_brng_getbytes_internal(struct fxrng_buffered_rng *rng, void *buf,
169 FXRNG_BRNG_ASSERT(rng);
171 /* Make the zero request impossible for the rest of the logic. */
172 if (__predict_false(nbytes == 0)) {
173 FXRNG_BRNG_UNLOCK(rng);
177 /* Fast/easy case: Use some bytes from the buffer. */
178 if (rng->brng_avail_idx + nbytes <= sizeof(rng->brng_buffer)) {
179 memcpy(buf, &rng->brng_buffer[rng->brng_avail_idx], nbytes);
180 explicit_bzero(&rng->brng_buffer[rng->brng_avail_idx], nbytes);
181 rng->brng_avail_idx += nbytes;
182 FXRNG_BRNG_UNLOCK(rng);
187 if (nbytes < sizeof(rng->brng_buffer)) {
190 /* Drain anything left in the buffer first. */
191 if (rng->brng_avail_idx < sizeof(rng->brng_buffer)) {
192 rem = sizeof(rng->brng_buffer) - rng->brng_avail_idx;
193 ASSERT_DEBUG(nbytes > rem, "invariant");
195 memcpy(buf, &rng->brng_buffer[rng->brng_avail_idx], rem);
197 buf = (uint8_t*)buf + rem;
199 ASSERT_DEBUG(nbytes != 0, "invariant");
203 * Partial fill from first buffer, have to rekey and generate a
204 * new buffer to do the rest.
206 fxrng_rng_genrandom_internal(&rng->brng_rng, rng->brng_buffer,
207 sizeof(rng->brng_buffer), false);
208 FXRNG_BRNG_ASSERT(rng);
209 rng->brng_avail_idx = 0;
211 memcpy(buf, &rng->brng_buffer[rng->brng_avail_idx], nbytes);
212 explicit_bzero(&rng->brng_buffer[rng->brng_avail_idx], nbytes);
213 rng->brng_avail_idx += nbytes;
214 FXRNG_BRNG_UNLOCK(rng);
218 /* Large request; skip the buffer. */
219 fxrng_rng_genrandom_internal(&rng->brng_rng, buf, nbytes, true);
222 FXRNG_BRNG_ASSERT_NOT(rng);
227 * API to get a new key for a downstream RNG. Returns the new key in 'buf', as
228 * well as the generator's reseed_generation.
230 * 'rng' is locked on entry and unlocked on return.
232 * Only valid after confirming the caller's seed version or reseed_generation
233 * matches roots (or we are root). (For now, this is only used to reseed the
234 * per-CPU generators from root.)
237 fxrng_brng_produce_seed_data_internal(struct fxrng_buffered_rng *rng,
238 void *buf, size_t keysz, uint64_t *seed_generation)
240 FXRNG_BRNG_ASSERT(rng);
241 ASSERT_DEBUG(keysz == FX_CHACHA20_KEYSIZE, "keysz: %zu", keysz);
243 *seed_generation = rng->brng_generation;
244 fxrng_brng_getbytes_internal(rng, buf, keysz);
245 FXRNG_BRNG_ASSERT_NOT(rng);
249 * Read from an allocated and initialized buffered BRNG. This a high-level
250 * API, but doesn't handle PCPU BRNG allocation.
252 * BRNG is locked on entry. It is unlocked on return.
255 fxrng_brng_read(struct fxrng_buffered_rng *rng, void *buf, size_t nbytes)
257 uint8_t newkey[FX_CHACHA20_KEYSIZE];
259 FXRNG_BRNG_ASSERT(rng);
261 /* Fast path: there hasn't been a global reseed since last read. */
262 if (rng->brng_generation == atomic_load_acq_64(&fxrng_root_generation))
265 ASSERT(rng != &fxrng_root, "root rng inconsistent seed version");
268 * Slow path: We need to rekey from the parent BRNG to incorporate new
271 * Lock order is always root -> percpu.
273 FXRNG_BRNG_UNLOCK(rng);
274 FXRNG_BRNG_LOCK(&fxrng_root);
275 FXRNG_BRNG_LOCK(rng);
278 * If we lost the reseeding race when the lock was dropped, don't
281 if (__predict_false(rng->brng_generation ==
282 atomic_load_acq_64(&fxrng_root_generation))) {
283 FXRNG_BRNG_UNLOCK(&fxrng_root);
287 fxrng_brng_produce_seed_data_internal(&fxrng_root, newkey,
288 sizeof(newkey), &rng->brng_generation);
290 FXRNG_BRNG_ASSERT_NOT(&fxrng_root);
291 FXRNG_BRNG_ASSERT(rng);
293 fxrng_rng_setkey(&rng->brng_rng, newkey, sizeof(newkey));
294 explicit_bzero(newkey, sizeof(newkey));
297 * A reseed invalidates any previous buffered contents. Here, we
298 * forward the available index to the end of the buffer, i.e., empty.
299 * Requests that would use the buffer (< 128 bytes) will refill its
300 * contents on demand.
302 * It is explicitly ok that we do not zero out any remaining buffer
303 * bytes; they will never be handed out to callers, and they reveal
304 * nothing about the reseeded key (which came from the root BRNG).
307 rng->brng_avail_idx = sizeof(rng->brng_buffer);
310 if (rng != &fxrng_root)
311 FXRNG_BRNG_ASSERT_NOT(&fxrng_root);
312 FXRNG_BRNG_ASSERT(rng);
314 fxrng_brng_getbytes_internal(rng, buf, nbytes);
315 FXRNG_BRNG_ASSERT_NOT(rng);