From 0c0ad482a09a0d7d0bed8d58994255081ce6e8d0 Mon Sep 17 00:00:00 2001 From: cem Date: Sat, 10 Oct 2020 21:48:06 +0000 Subject: [PATCH] arc4random(9): Integrate with RANDOM_FENESTRASX push-reseed There is no functional change for the existing Fortuna random(4) implementation, which remains the default in GENERIC. In the FenestrasX model, when the root CSPRNG is reseeded from pools due to an (infrequent) timer, child CSPRNGs can cheaply detect this condition and reseed. To do so, they just need to track an additional 64-bit value in the associated state, and compare it against the root seed version (generation) on random reads. This revision integrates arc4random(9) into that model without substantially changing the design or implementation of arc4random(9). The motivation is that arc4random(9) is immediately reseeded when the backing random(4) implementation has additional entropy. This is arguably most important during boot, when fenestrasX is reseeding at 1, 3, 9, 27, etc., second intervals. Today, arc4random(9) has a hardcoded 300 second reseed window. Without this mechanism, if arc4random(9) gets weak entropy during initial seed (and arc4random(9) is used early in boot, so this is quite possible), it may continue to emit poorly seeded output for 5 minutes. The FenestrasX push-reseed scheme corrects consumers, like arc4random(9), as soon as possible. Reviewed by: markm Approved by: csprng (markm) Differential Revision: https://reviews.freebsd.org/D22838 --- sys/dev/random/fenestrasX/fx_brng.c | 1 + sys/dev/random/fenestrasX/fx_main.c | 26 ++++++++++++-- sys/dev/random/fenestrasX/fx_pool.c | 1 + sys/dev/random/fenestrasX/fx_priv.h | 1 - sys/dev/random/fenestrasX/fx_pub.h | 53 +++++++++++++++++++++++++++++ sys/dev/random/randomdev.c | 2 ++ sys/libkern/arc4random.c | 38 +++++++++++++++++++-- sys/sys/libkern.h | 2 ++ 8 files changed, 119 insertions(+), 5 deletions(-) create mode 100644 sys/dev/random/fenestrasX/fx_pub.h diff --git a/sys/dev/random/fenestrasX/fx_brng.c b/sys/dev/random/fenestrasX/fx_brng.c index 8cb07139ecb..1759f10b180 100644 --- a/sys/dev/random/fenestrasX/fx_brng.c +++ b/sys/dev/random/fenestrasX/fx_brng.c @@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include /* diff --git a/sys/dev/random/fenestrasX/fx_main.c b/sys/dev/random/fenestrasX/fx_main.c index 40220f4c892..ce851109c3f 100644 --- a/sys/dev/random/fenestrasX/fx_main.c +++ b/sys/dev/random/fenestrasX/fx_main.c @@ -88,7 +88,6 @@ * a while). * * Not yet implemented, not in scope, or todo: - * - arc4random(9) injection/replacement * - Userspace portions -- shared page, like timehands vdso? */ @@ -125,6 +124,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include struct fxrng_buffered_rng fxrng_root; @@ -142,7 +142,7 @@ DPCPU_DEFINE_STATIC(struct fxrng_buffered_rng *, fxrng_brng); * the root generation number >0. */ static void -fxrng_alg_read(uint8_t *output, size_t nbytes) +_fxrng_alg_read(uint8_t *output, size_t nbytes, uint64_t *seed_version_out) { struct fxrng_buffered_rng **pcpu_brng_p, *rng, *tmp; struct pcpu *pcpu; @@ -248,10 +248,32 @@ fxrng_alg_read(uint8_t *output, size_t nbytes) have_valid_rng: /* At this point we have a valid, initialized and seeded rng pointer. */ FXRNG_BRNG_LOCK(rng); + if (seed_version_out != NULL) + *seed_version_out = rng->brng_generation; fxrng_brng_read(rng, output, nbytes); FXRNG_BRNG_ASSERT_NOT(rng); } +static void +fxrng_alg_read(uint8_t *output, size_t nbytes) +{ + _fxrng_alg_read(output, nbytes, NULL); +} + +/* + * External API for arc4random(9) to fetch new key material and associated seed + * version in chacha20_randomstir(). + */ +void +read_random_key(void *output, size_t nbytes, uint64_t *seed_version_out) +{ + /* Ensure _fxrng_alg_read invariant. */ + if (__predict_false(atomic_load_acq_64(&fxrng_root_generation) == 0)) + (void)fxrng_alg_seeded(); + + _fxrng_alg_read(output, nbytes, seed_version_out); +} + static void fxrng_init_alg(void *dummy __unused) { diff --git a/sys/dev/random/fenestrasX/fx_pool.c b/sys/dev/random/fenestrasX/fx_pool.c index 5fce3cf3b95..b6cc0dad349 100644 --- a/sys/dev/random/fenestrasX/fx_pool.c +++ b/sys/dev/random/fenestrasX/fx_pool.c @@ -53,6 +53,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include /* * Timer-based reseed interval growth factor and limit in seconds. (§ 3.2) diff --git a/sys/dev/random/fenestrasX/fx_priv.h b/sys/dev/random/fenestrasX/fx_priv.h index ddf187e4888..5760140a533 100644 --- a/sys/dev/random/fenestrasX/fx_priv.h +++ b/sys/dev/random/fenestrasX/fx_priv.h @@ -46,4 +46,3 @@ #endif extern struct fxrng_buffered_rng fxrng_root; -extern uint64_t __read_mostly fxrng_root_generation; diff --git a/sys/dev/random/fenestrasX/fx_pub.h b/sys/dev/random/fenestrasX/fx_pub.h new file mode 100644 index 00000000000..cb6eebe1c96 --- /dev/null +++ b/sys/dev/random/fenestrasX/fx_pub.h @@ -0,0 +1,53 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (c) 2019 Conrad Meyer + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ +#pragma once + +#include + +/* + * The root BRNG seed version, or generation. + * + * FenestrasX-aware downstream CSPRNGs (i.e., arc4random(9)) should track the + * generation number they seeded from, using the read_random_key(9) API below. + * If their current seed version is older than the root generation, they should + * reseed before producing output. + * + * The variable is read-only outside of the fenestrasX implementation and + * should be accessed using 'atomic_load_acq_64(&fxrng_root_generation)'. + * Reseeds are extremely infrequent, so callers may wish to hint to the + * compiler that a matching generation is the expected case, with + * __predict_true() or __predict_false(). + */ +extern uint64_t __read_mostly fxrng_root_generation; + +/* + * A routine for generating seed/key material + * Bypasses random(4) for now, but conceivably could be incorporated into that. + */ +void read_random_key(void *buf, size_t nbytes, uint64_t *seed_version_out); diff --git a/sys/dev/random/randomdev.c b/sys/dev/random/randomdev.c index 363d91c3773..114246415aa 100644 --- a/sys/dev/random/randomdev.c +++ b/sys/dev/random/randomdev.c @@ -373,8 +373,10 @@ randomdev_unblock(void) selwakeuppri(&rsel, PUSER); wakeup(p_random_alg_context); printf("random: unblocking device.\n"); +#ifndef RANDOM_FENESTRASX /* Do random(9) a favour while we are about it. */ (void)atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_NONE, ARC4_ENTR_HAVE); +#endif } /* ARGSUSED */ diff --git a/sys/libkern/arc4random.c b/sys/libkern/arc4random.c index 4f733e5cef8..c5ab50a8001 100644 --- a/sys/libkern/arc4random.c +++ b/sys/libkern/arc4random.c @@ -40,10 +40,14 @@ __FBSDID("$FreeBSD$"); #include #include +#include + #include #include #include -#include +#ifdef RANDOM_FENESTRASX +#include +#endif #define CHACHA20_RESEED_BYTES 65536 #define CHACHA20_RESEED_SECONDS 300 @@ -52,7 +56,9 @@ __FBSDID("$FreeBSD$"); CTASSERT(CHACHA20_KEYBYTES*8 >= CHACHA_MINKEYLEN); +#ifndef RANDOM_FENESTRASX int arc4rand_iniseed_state = ARC4_ENTR_NONE; +#endif MALLOC_DEFINE(M_CHACHA20RANDOM, "chacha20random", "chacha20random structures"); @@ -62,6 +68,9 @@ struct chacha20_s { time_t t_reseed; u_int8_t m_buffer[CHACHA20_BUFFER_SIZE]; struct chacha_ctx ctx; +#ifdef RANDOM_FENESTRASX + uint64_t seed_version; +#endif } __aligned(CACHE_LINE_SIZE); static struct chacha20_s *chacha20inst = NULL; @@ -79,7 +88,10 @@ chacha20_randomstir(struct chacha20_s *chacha20) { struct timeval tv_now; u_int8_t key[CHACHA20_KEYBYTES]; +#ifdef RANDOM_FENESTRASX + uint64_t seed_version; +#else if (__predict_false(random_bypass_before_seeding && !is_random_seeded())) { SHA256_CTX ctx; uint64_t cc; @@ -106,6 +118,10 @@ chacha20_randomstir(struct chacha20_s *chacha20) "make sure 256 bits is still 256 bits"); SHA256_Final(key, &ctx); } else { +#endif +#ifdef RANDOM_FENESTRASX + read_random_key(key, CHACHA20_KEYBYTES, &seed_version); +#else /* * If the loader(8) did not have an entropy stash from the * previous shutdown to load, then we will block. The answer is @@ -117,6 +133,7 @@ chacha20_randomstir(struct chacha20_s *chacha20) */ read_random(key, CHACHA20_KEYBYTES); } +#endif getmicrouptime(&tv_now); mtx_lock(&chacha20->mtx); chacha_keysetup(&chacha20->ctx, key, CHACHA20_KEYBYTES*8); @@ -124,6 +141,9 @@ chacha20_randomstir(struct chacha20_s *chacha20) /* Reset for next reseed cycle. */ chacha20->t_reseed = tv_now.tv_sec + CHACHA20_RESEED_SECONDS; chacha20->numbytes = 0; +#ifdef RANDOM_FENESTRASX + chacha20->seed_version = seed_version; +#endif mtx_unlock(&chacha20->mtx); } @@ -173,9 +193,13 @@ arc4rand(void *ptr, u_int len, int reseed) u_int length; u_int8_t *p; +#ifdef RANDOM_FENESTRASX + if (__predict_false(reseed)) +#else if (__predict_false(reseed || (arc4rand_iniseed_state == ARC4_ENTR_HAVE && atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED)))) +#endif CHACHA20_FOREACH(chacha20) chacha20_randomstir(chacha20); @@ -185,8 +209,18 @@ arc4rand(void *ptr, u_int len, int reseed) if ((chacha20->numbytes > CHACHA20_RESEED_BYTES) || (tv.tv_sec > chacha20->t_reseed)) chacha20_randomstir(chacha20); - p = ptr; mtx_lock(&chacha20->mtx); +#ifdef RANDOM_FENESTRASX + if (__predict_false( + atomic_load_acq_64(&fxrng_root_generation) != chacha20->seed_version + )) { + mtx_unlock(&chacha20->mtx); + chacha20_randomstir(chacha20); + mtx_lock(&chacha20->mtx); + } +#endif + + p = ptr; while (len) { length = MIN(CHACHA20_BUFFER_SIZE, len); chacha_encrypt_bytes(&chacha20->ctx, chacha20->m_buffer, p, length); diff --git a/sys/sys/libkern.h b/sys/sys/libkern.h index 8d976e18ea2..7385df13929 100644 --- a/sys/sys/libkern.h +++ b/sys/sys/libkern.h @@ -116,10 +116,12 @@ static __inline int abs(int a) { return (a < 0 ? -a : a); } static __inline long labs(long a) { return (a < 0 ? -a : a); } static __inline quad_t qabs(quad_t a) { return (a < 0 ? -a : a); } +#ifndef RANDOM_FENESTRASX #define ARC4_ENTR_NONE 0 /* Don't have entropy yet. */ #define ARC4_ENTR_HAVE 1 /* Have entropy. */ #define ARC4_ENTR_SEED 2 /* Reseeding. */ extern int arc4rand_iniseed_state; +#endif /* Prototypes for non-quad routines. */ struct malloc_type; -- 2.45.0