Module Name:    src
Committed By:   riastradh
Date:           Thu May 7 19:05:51 UTC 2020
Modified Files:
        src/sys/dev: random.c
        src/sys/kern: kern_entropy.c
        src/sys/sys: entropy.h

Log Message:
Consolidate entropy on RNDADDDATA and writes to /dev/random.

The man page for some time has advertised:

  Writing to either /dev/random or /dev/urandom influences subsequent
  output of both devices, guaranteed to take effect at next open.

So let's make that true again.

It is a conscious choice _not_ to consolidate entropy frequently.
For example, if you have a _slow_ HWRNG, which provides 32 bits of
entropy every few seconds, and you reveal a hash of that to the
adversary before any more comes in, the adversary can in principle
just keep guessing the intermediate state by a brute force search
over ~2^32 possibilities.

To mitigate this, the kernel generally tries to avoid consolidating
entropy from the per-CPU pools until doing so would bring us from
zero entropy to full entropy.

However, there are various _possible_ sources of entropy which are
just hard to give honest estimates for that are valid on ~all
machines -- like interrupt timings.

The time at which we read a seed in, which usually happens via
/etc/rc.d/random_seed early in userland, is a reasonable time to
gather this up. An operator or system engineer who knows another
opportune moment can always issue `sysctl -w kern.entropy.consolidate=1'.

Prompted by a suggestion from nia@ to consolidate entropy at the
first transition to userland. I chose not to do that because it
would likely cause warning fatigue on systems that are perfectly
fine with a random seed -- doing it this way instead lets rndctl -L
trigger the consolidation automatically. A subsequent commit will
reorder the operations in rndctl again to make it work out better.
To generate a diff of this commit:

cvs rdiff -u -r1.2 -r1.3 src/sys/dev/random.c
cvs rdiff -u -r1.12 -r1.13 src/sys/kern/kern_entropy.c
cvs rdiff -u -r1.1 -r1.2 src/sys/sys/entropy.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
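
The brute-force argument in the log message, worked through as an added example (not part of the commit and not NetBSD code): a toy pool that counts how many guesses an observer needs to keep tracking the state when an output is revealed after every sample, versus once after all samples. The 4-bit sample size, the SHA-256 mixing, and the names `consolidate`, `reveal` and `observer_cost` are assumptions made for the illustration.

```python
import hashlib
from itertools import product

SAMPLE_BITS = 4  # constructed toy size; the log message's example is 32 bits

def consolidate(state: bytes, batch) -> bytes:
    """Fold a batch of pending samples into the pool state (toy stand-in)."""
    return hashlib.sha256(state + bytes(batch)).digest()

def reveal(state: bytes) -> bytes:
    """Output derived from the state, visible to the observer."""
    return hashlib.sha256(b"output" + state).digest()

def observer_cost(known_state: bytes, samples, batch_size: int):
    """Guesses needed to keep tracking the state when an output is revealed
    after every consolidation of `batch_size` samples.

    Returns (guesses, tracked)."""
    true_state = guess_state = known_state
    guesses = 0
    for i in range(0, len(samples), batch_size):
        batch = samples[i:i + batch_size]
        true_state = consolidate(true_state, batch)
        seen = reveal(true_state)
        # Search only the entropy added since the last revealed output.
        for cand in product(range(1 << SAMPLE_BITS), repeat=len(batch)):
            guesses += 1
            nxt = consolidate(guess_state, cand)
            if reveal(nxt) == seen:
                guess_state = nxt
                break
    return guesses, guess_state == true_state

# Constructed worst-case input: four samples, each the last value tried.
SAMPLES = [15, 15, 15, 15]
START = bytes(32)  # zero-entropy starting state, known to the observer

if __name__ == "__main__":
    print("consolidate per sample:", observer_cost(START, SAMPLES, 1))
    print("consolidate once:      ", observer_cost(START, SAMPLES, 4))
```

With n samples of k bits each, consolidating after every sample bounds the observer's work at n * 2^k guesses, while a single consolidation raises it to 2^(n*k); here that is 64 versus 65536.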