rndctl(8): Take omitted name/type as empty device name.

This can now be used to change flags for all sources at once.

XXX pullup-10

rndctl(8): to -l, add a "samples" column separate to "bits"

rename the "bits" column to "estimated bits".

this provides a clear indication when a source is being used, but
not increasing the entrop

rndctl(8): to -l, add a "samples" column separate to "bits"

rename the "bits" column to "estimated bits".

this provides a clear indication when a source is being used, but
not increasing the entropy counter.

this commit fixes an unrelated bug where verbose output functioned
incorrectly when a class of device was specified with -t.

while here, reduce code duplication.

"gofer it" riastradh@

show more ...

rndctl(8): remove no-longer-useful stats from -s

these are always 0 now.

"gofer it" riastradh@

rndctl: make -l's "Flags" field reflect current reality

don't print "legacy options" RND_FLAG_ESTIMATE_TIME and
"RND_FLAG_ESTIMATE_VALUE"

only print "estimate" if we have actually counted any bits

rndctl: make -l's "Flags" field reflect current reality

don't print "legacy options" RND_FLAG_ESTIMATE_TIME and
"RND_FLAG_ESTIMATE_VALUE"

only print "estimate" if we have actually counted any bits from
something, since it's no longer really possible to "enable estimation".

ideally, there should also be a "samples" field so it's clear
collected bits are not being counted.

show more ...

Whitespace alignment nits.

Trigger entropy consolidation before saving seed.

This way, whenever /etc/security runs infrequently (daily), or the
operator manually issues rndctl -S, we ensure that all samples taken
during the e

Trigger entropy consolidation before saving seed.

This way, whenever /etc/security runs infrequently (daily), or the
operator manually issues rndctl -S, we ensure that all samples taken
during the entire boot are hashed together in the seed for the next
boot.

This should be infrequent enough that it's unlikely to enable the
iterative-guessing attacks that we try to mitigate by not frequently
consolidating entropy.

show more ...

Rework rndctl seed load sequence again.

Go back to the book's order, now that writing to /dev/random
guarantees to consolidate entropy -- this way the _next_ boot is no
less secure than the current

Rework rndctl seed load sequence again.

Go back to the book's order, now that writing to /dev/random
guarantees to consolidate entropy -- this way the _next_ boot is no
less secure than the current boot, in the event that entropy sources
like interrupt timings provided any security that we just don't know
how to measure honestly.

Make sure to open the old seed to overwrite and the new seed to write
anew first so that we can determine whether the medium is read-only
before accepting the file's entropy estimate.

show more ...

Tweak logic to decide whether a medium is safe for an rndseed.

- Teach rndctl to load the seed, but treat it as zero entropy, if the
medium is read-only or if the update fails.

- Teach rndctl to

Tweak logic to decide whether a medium is safe for an rndseed.

- Teach rndctl to load the seed, but treat it as zero entropy, if the
medium is read-only or if the update fails.

- Teach rndctl to accept `-i' flag instructing it to ignore the
entropy estimate in the seed.

- Teach /etc/rc.d/random_seed to:
(a) assume nonlocal file systems are unsafe, and use -i, but
(b) assume / is safe, even if it is nonlocal.
If the medium is nonwritable, leave it to rndctl to detect that.
(Could use statvfs and check for ST_LOCAL in rndctl, I guess, but I
already implemented it this way.)

Treating nonlocal / as safe is a compromise: it's up to the operator
to secure the network for (e.g.) nfs mounts, but that's true whether
we're talking entropy or not -- if the adversary has access to the
network that you've mounted / from, they can do a lot more damage
anyway; this reduces warning fatigue for diskless systems, e.g. test
racks.

show more ...

Sort includes.

Accept both byte orders for random seed in `rndctl -L'.

The file format was defined with a machine-dependent 32-bit integer
field (the estimated number of bits of entropy in the process that
generat

Accept both byte orders for random seed in `rndctl -L'.

The file format was defined with a machine-dependent 32-bit integer
field (the estimated number of bits of entropy in the process that
generated it). Take whichever byte order gives a number that is
reasonable, i.e. lower than the number of bits in the buffer.

Continue to have `rndctl -S' generate it in machine-dependent byte
order for now, so that if you roll back to an older rndctl(8) then
`rndctl -L' on the same machine will still be able to load it with
the right entropy estimate. In a future revision, perhaps we can
change it to be little-endian.

show more ...

Teach `rndctl -L' to update the seed file, not just delete it.

The seed file is updated by entering the old seed into the system and
then hashing the old seed together with data from /dev/urandom, a

Teach `rndctl -L' to update the seed file, not just delete it.

The seed file is updated by entering the old seed into the system and
then hashing the old seed together with data from /dev/urandom, and
writing it atomically with write-to-temporary/rename-to-permanent.

This way, interruption by crash or power loss does not obliterate
your persistent entropy (unless it causes file system corruption).

show more ...

Use <sys/rndio.h> instead of <sys/rnd.h>.

Sync usage with manpage a bit more.

Merge tls-earlyentropy branch into HEAD.

Overwrite the seed file from the beginning, using pwrite(2).

Fix arguments for write.

Use _PATH_URANDOM from paths(3).

Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entrop

Entropy-pool implementation move and cleanup.

1) Move core entropy-pool code and source/sink/sample management code
to sys/kern from sys/dev.

2) Remove use of NRND as test for presence of entropy-pool code throughout
source tree.

3) Remove use of RND_ENABLED in device drivers as microoptimization to
avoid expensive operations on disabled entropy sources; make the
rnd_add calls do this directly so all callers benefit.

4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might
have lead to slight entropy overestimation for some sources.

5) Add new source types for environmental sensors, power sensors, VM
system events, and skew between clocks, with a sample implementation
for each.

ok releng to go in before the branch due to the difficulty of later
pullup (widespread #ifdef removal and moved files). Tested with release
builds on amd64 and evbarm and live testing on amd64.

show more ...

Make "rndctl -L" overwrite the file with zeros, not with the
same data that was just read from the file.

Make the rndsave structure public -- the kernel will learn to read it
and sysinst may learn to write it (since, on some systems, most of
the keyboard input they ever get happens to be during install)

Make the rndsave structure public -- the kernel will learn to read it
and sysinst may learn to write it (since, on some systems, most of
the keyboard input they ever get happens to be during install). Fix a
couple of minor problems with the random_seed rc script addition.

show more ...

Load entropy at system boot (only works at securelevel < 1); save
at system shutdown. Disable with random_seed=NO in rc.conf if desired.

Goes to some trouble to never load or save to network filesy

Load entropy at system boot (only works at securelevel < 1); save
at system shutdown. Disable with random_seed=NO in rc.conf if desired.

Goes to some trouble to never load or save to network filesystems.

Entropy should really be loaded by the boot loader but I am still
sorting out how to pass it to the kernel.

show more ...

static + const + __dead

fix sign-compare issues

* Instead of silently ignoring extra args, print a usage error. This
adddresses the silent failure reported in PR 39862 by Brian A. Seklecki
* Adjust usage message to match the synopsis in the man

* Instead of silently ignoring extra args, print a usage error. This
adddresses the silent failure reported in PR 39862 by Brian A. Seklecki
* Adjust usage message to match the synopsis in the man page.

show more ...

Move WARNS=3 to the Makefile.inc, and add a little const to the remaining
programs that did not compile before.