From 092b85e9365ae401e2309735ba81bda56829074d Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Tue, 11 Jul 2023 22:51:53 +0000
Subject: [PATCH] entropy(9): Statically split interrupt and non-interrupt
 entry paths.

- Allow rnd_add_uint32 to run in hard interrupt context or with spin
  locks held, but defer processing to softint and drop samples on the
  floor if buffer is full.

  This is mainly used for cheaply tossing samples from drivers for
  non-HWRNG devices into the entropy pool, so it is often used from
  interrupt context and/or under spin locks.

- New rnd_add_data_intr provides the interrupt-like data entry path
  for arbitrary buffers and driver-specified entropy estimates: defer
  processing to softint and drop samples on the floor if buffer is
  full.

- Document that rnd_add_data is forbidden under spin locks outside
  interrupt context (will crash in LOCKDEBUG), and inadvisable in
  interrupt context (but technically permitted just in case there are
  compatibility issues for now); later we can forbid it altogether in
  interrupt context or under spin locks.

- Audit all uses of rnd_add_data to use rnd_add_data_intr where it
  might be used in interrupt context or under a spin lock.

This fixes a regression from last year when the global entropy lock
was changed from IPL_VM (spin) to IPL_SOFTSERIAL (adaptive).  Thought
I'd caught all the problems from that, but another one bit three
different people this week, presumably because of recent changes that
led to more non-HWRNG drivers entering the entropy consolidation path
from rnd_add_uint32.
In my attempt to preserve the rnd(9) API for the (now long-since
abandoned) prospect of pullup to netbsd-9 in my rewrite of the entropy
subsystem in 2020, I didn't introduce a separate entry point for
entering entropy from interrupt context or equivalent, i.e., spin
locks held, and instead made rnd_add_data rely on cpu_intr_p() to
decide whether to process the whole sample under a lock or only take
as much as there's buffer space for before scheduling a softint.  In
retrospect, that was a mistake (though perhaps not as much of a
mistake as other entropy API decisions...), a mistake which is finally
getting rectified now by rnd_add_data_intr.

XXX pullup-10
---
 share/man/man9/rnd.9    |  61 ++++++++++++++++++--
 sys/dev/pci/hifn7751.c  |   4 +-
 sys/dev/pci/ubsec.c     |   2 +-
 sys/dev/pci/viornd.c    |   5 +-
 sys/kern/kern_entropy.c | 125 +++++++++++++++++++++++++++++++---------
 sys/kern/subr_prf.c     |   4 +-
 sys/sys/rndsource.h     |   2 +
 7 files changed, 164 insertions(+), 39 deletions(-)

diff --git a/share/man/man9/rnd.9 b/share/man/man9/rnd.9
index e18f56e85a0d..4385689564c1 100644
--- a/share/man/man9/rnd.9
+++ b/share/man/man9/rnd.9
@@ -35,6 +35,7 @@
 .Nm rnd_attach_source ,
 .Nm rnd_detach_source ,
 .Nm rnd_add_data ,
+.Nm rnd_add_data_intr ,
 .Nm rnd_add_data_sync ,
 .Nm rnd_add_uint32
 .Nd functions to make a device available for entropy collection
@@ -50,6 +51,8 @@
 .Ft void
 .Fn rnd_add_data "krndsource_t *rnd_source" "void *data" "uint32_t len" "uint32_t entropy"
 .Ft void
+.Fn rnd_add_data_intr "krndsource_t *rnd_source" "void *data" "uint32_t len" "uint32_t entropy"
+.Ft void
 .Fn rnd_add_data_sync "krndsource_t *rnd_source" "void *data" "uint32_t len" "uint32_t entropy"
 .Ft void
 .Fn rnd_add_uint32 "krndsource_t *rnd_source" "uint32_t datum"
@@ -82,7 +85,8 @@
 Attach the random source with
 .Fn rnd_attach_source .
 .It Enter data with
-.Fn rnd_add_data
+.Fn rnd_add_data ,
+.Fn rnd_add_data_intr ,
 or
 .Fn rnd_add_uint32 ,
 or, if in the callback,
@@ -147,7 +151,8 @@ The callback normally does one of two things:
 Sends a request to a hardware device for entropy and returns.
 The hardware will later return data asynchronously by an interrupt,
 and the callback will use
-.Fn rnd_add_data
+.Fn rnd_add_data ,
+.Fn rnd_add_data_intr ,
 or
 .Fn rnd_add_uint32
 to add the data to the pool.
@@ -161,9 +166,10 @@ returning, the callback
 use
 .Fn rnd_add_data_sync ,
 not
-.Fn rnd_add_data
+.Fn rnd_add_data ,
+.Fn rnd_add_data_intr \" this works for now but no promises
 or
-.Fn rnd_add_uint32 .
+.Fn rnd_add_uint32 . \" this also works for now but no promises
 .El
 .Pp
 .Nm
@@ -285,22 +291,65 @@ be used during a callback as set with
 use
 .Fn rnd_add_data_sync
 instead.
+.Pp
+.Fn rnd_add_data
+.Em must not
+be called from thread context with spin locks held.
+.Pp
+For compatibility,
+.Fn rnd_add_data
+currently
+.Em may
+but
+.Em should not
+be called from interrupt context, possibly with spin locks held.
+However, this may be forbidden in the future; use
+.Fn rnd_add_data_intr
+from interrupt context instead, if the work can't be usefully deferred
+to softint or thread.
+.It Fn rnd_add_data_intr "rnd_source" "data" "len" "entropy"
+Tries to enter
+.Fa len
+bytes at
+.Fa data
+into the entropy pool like
+.Fn rnd_add_data ,
+but if this fills or would overflow a sample buffer, schedules a
+softint to process it and discards an unspecified subset of the data
+while counting zero entropy for the sample.
+.Pp
+.Fn rnd_add_data_intr
+may be called from any context, including hard interrupt context,
+including contexts where spin locks are held, except that it
+.Em must not
+be used during a callback as set with
+.Fn rndsource_setcb ;
+use
+.Fn rnd_add_data_sync
+in that context instead.
 .It Fn rnd_add_data_sync "rnd_source" "data" "len" "entropy"
 Like
 .Fn rnd_add_data ,
 but may be used in a callback as set with
 .Fn rndsource_setcb .
+Must always be called in thread context.
 .It Fn rnd_add_uint32 "rnd_source" "datum"
 Equivalent to
-.Li rnd_add_data Ns ( Ns Fa rnd_source , Li & Ns Fa datum , Li 4 , 0 ) .
+.Li rnd_add_data_intr Ns ( Ns Fa rnd_source , Li & Ns Fa datum , Li 4 , 0 ) .
 .Pp
 .Fn rnd_add_uint32
+may be called from any context, including hard interrupt context,
+including contexts where spin locks are held, except that it
 .Em must not
 be used during a callback as set with
 .Fn rndsource_setcb ;
 use
 .Fn rnd_add_data_sync
-instead.
+in that context instead.
+.Pp
+.Fn rnd_add_uint32
+is meant for cheaply taking samples from devices that aren't designed
+to be hardware random number generators.
 .El
 .Sh FILES
 These functions are declared in src/sys/sys/rndsource.h and defined in
diff --git a/sys/dev/pci/hifn7751.c b/sys/dev/pci/hifn7751.c
index 3fced5cfd1a4..df3edb289d53 100644
--- a/sys/dev/pci/hifn7751.c
+++ b/sys/dev/pci/hifn7751.c
@@ -655,7 +655,7 @@ hifn_rng(struct hifn_softc *sc)
 		hexdump(printf, "hifn", num, sizeof num);
 #endif
 		entropybits = NBBY*sizeof(num)/HIFN_RNG_BITSPER;
-		rnd_add_data(&sc->sc_rnd_source, num, sizeof(num),
+		rnd_add_data_intr(&sc->sc_rnd_source, num, sizeof(num),
 		    entropybits);
 		entropybits = MAX(entropybits, 1);
 		entropybits = MIN(entropybits, sc->sc_rng_needbits);
@@ -693,7 +693,7 @@ hifn_rng(struct hifn_softc *sc)
 		hexdump(printf, "hifn", num, sizeof num);
 #endif
 		entropybits = NBBY*sizeof(num)/HIFN_RNG_BITSPER;
-		rnd_add_data(&sc->sc_rnd_source, num, sizeof num,
+		rnd_add_data_intr(&sc->sc_rnd_source, num, sizeof num,
 		    entropybits);
 		entropybits = MAX(entropybits, 1);
 		entropybits = MIN(entropybits, sc->sc_rng_needbits);
diff --git a/sys/dev/pci/ubsec.c b/sys/dev/pci/ubsec.c
index dbbf7b97f639..61d693070cce 100644
--- a/sys/dev/pci/ubsec.c
+++ b/sys/dev/pci/ubsec.c
@@ -1939,7 +1939,7 @@ ubsec_callback2(struct ubsec_softc *sc, struct ubsec_q2 *q)
 		    rng->rng_buf.dma_map->dm_mapsize, BUS_DMASYNC_POSTREAD);
 		p = (u_int32_t *)rng->rng_buf.dma_vaddr;
 		i = UBSEC_RNG_BUFSIZ * sizeof(u_int32_t);
-		rnd_add_data(&sc->sc_rnd_source, (char *)p, i, i * NBBY);
+		rnd_add_data_intr(&sc->sc_rnd_source, (char *)p, i, i * NBBY);
 		sc->sc_rng_need -= i;
 		rng->rng_used = 0;
 		if (sc->sc_rng_need > 0) {
diff --git a/sys/dev/pci/viornd.c b/sys/dev/pci/viornd.c
index dd33fd4e9332..c2f72bef0646 100644
--- a/sys/dev/pci/viornd.c
+++ b/sys/dev/pci/viornd.c
@@ -245,8 +245,9 @@ viornd_vq_done(struct virtqueue *vq)
 
 #if VIORND_DEBUG
 	aprint_normal("%s: got %d bytes of entropy\n", __func__, len);
 #endif
-	rnd_add_data(&sc->sc_rndsource, sc->sc_buf, VIORND_BUFSIZE,
-	    VIORND_BUFSIZE * NBBY);
+	/* XXX Shouldn't this be len instead of VIORND_BUFSIZE? */
+	rnd_add_data_intr(&sc->sc_rndsource, sc->sc_buf, VIORND_BUFSIZE,
+	    VIORND_BUFSIZE * NBBY);
 out:	virtio_dequeue_commit(vsc, vq, slot);
 	mutex_exit(&sc->sc_mutex);
diff --git a/sys/kern/kern_entropy.c b/sys/kern/kern_entropy.c
index a7e57fcd6f27..1a5e2cea56d8 100644
--- a/sys/kern/kern_entropy.c
+++ b/sys/kern/kern_entropy.c
@@ -265,8 +265,10 @@ static int	sysctl_entropy_gather(SYSCTLFN_ARGS);
 static void	filt_entropy_read_detach(struct knote *);
 static int	filt_entropy_read_event(struct knote *, long);
 static int	entropy_request(size_t, int);
+static void	rnd_add_data_internal(struct krndsource *, const void *,
+		    uint32_t, uint32_t, bool);
 static void	rnd_add_data_1(struct krndsource *, const void *, uint32_t,
-		    uint32_t, bool, uint32_t);
+		    uint32_t, bool, uint32_t, bool);
 static unsigned	rndsource_entropybits(struct krndsource *);
 static void	rndsource_entropybits_cpu(void *, void *, struct cpu_info *);
 static void	rndsource_to_user(struct krndsource *, rndsource_t *);
@@ -981,8 +983,9 @@ entropy_enter(const void *buf, size_t len, unsigned nbits, bool count)
  *	instance.  Schedule a softint to stir the entropy pool if
  *	needed.  Return true if used fully, false if truncated at all.
  *
- *	Using this in thread context will work, but you might as well
- *	use entropy_enter in that case.
+ *	Using this in thread or softint context with no spin locks held
+ *	will work, but you might as well use entropy_enter in that
+ *	case.
  */
 static bool
 entropy_enter_intr(const void *buf, size_t len, unsigned nbits, bool count)
@@ -992,7 +995,6 @@ entropy_enter_intr(const void *buf, size_t len, unsigned nbits, bool count)
 	uint32_t bitspending, samplespending;
 	void *sih;
 
-	KASSERT(cpu_intr_p());
 	KASSERTMSG(howmany(nbits, NBBY) <= len,
 	    "impossible entropy rate: %u bits in %zu-byte string", nbits, len);
 
@@ -2030,30 +2032,34 @@ rnd_dt_estimate(struct krndsource *rs, uint32_t t)
  *
  *	Enter 32 bits of data from an entropy source into the pool.
  *
- *	If rs is NULL, may not be called from interrupt context.
+ *	May be called from any context or with spin locks held, but may
+ *	drop data.
  *
- *	If rs is non-NULL, may be called from any context.  May drop
- *	data if called from interrupt context.
+ *	This is meant for cheaply taking samples from devices that
+ *	aren't designed to be hardware random number generators.
  */
 void
 rnd_add_uint32(struct krndsource *rs, uint32_t value)
 {
+	bool intr_p = true;
 
-	rnd_add_data(rs, &value, sizeof value, 0);
+	rnd_add_data_internal(rs, &value, sizeof value, 0, intr_p);
 }
 
 void
 _rnd_add_uint32(struct krndsource *rs, uint32_t value)
 {
+	bool intr_p = true;
 
-	rnd_add_data(rs, &value, sizeof value, 0);
+	rnd_add_data_internal(rs, &value, sizeof value, 0, intr_p);
 }
 
 void
 _rnd_add_uint64(struct krndsource *rs, uint64_t value)
 {
+	bool intr_p = true;
 
-	rnd_add_data(rs, &value, sizeof value, 0);
+	rnd_add_data_internal(rs, &value, sizeof value, 0, intr_p);
 }
 
 /*
@@ -2064,25 +2070,38 @@ _rnd_add_uint64(struct krndsource *rs, uint64_t value)
 *	the data has.  If RND_FLAG_NO_ESTIMATE, we ignore the driver's
 *	estimate and treat it as zero.
 *
- *	If rs is NULL, may not be called from interrupt context.
- *
- *	If rs is non-NULL, may be called from any context.  May drop
- *	data if called from interrupt context.
+ *	rs MAY but SHOULD NOT be NULL.  If rs is NULL, MUST NOT be
+ *	called from interrupt context or with spin locks held.
+ *
+ *	If rs is non-NULL, MAY but SHOULD NOT be called from interrupt
+ *	context, in which case act like rnd_add_data_intr -- if the
+ *	sample buffer is full, schedule a softint and drop any
+ *	additional data on the floor.  (This may change later once we
+ *	fix drivers that still call this from interrupt context to use
+ *	rnd_add_data_intr instead.)  MUST NOT be called with spin locks
+ *	held if not in hard interrupt context -- i.e., MUST NOT be
+ *	called in thread context or softint context with spin locks
+ *	held.
 */
 void
 rnd_add_data(struct krndsource *rs, const void *buf, uint32_t len,
     uint32_t entropybits)
 {
-	uint32_t extra;
-	uint32_t flags;
-
-	KASSERTMSG(howmany(entropybits, NBBY) <= len,
-	    "%s: impossible entropy rate:"
-	    " %"PRIu32" bits in %"PRIu32"-byte string",
-	    rs ? rs->name : "(anonymous)", entropybits, len);
+	bool intr_p = cpu_intr_p();	/* XXX make this unconditionally false */
 
-	/* If there's no rndsource, just enter the data and time now. */
+	/*
+	 * Weird legacy exception that we should rip out and replace by
+	 * creating new rndsources to attribute entropy to the callers:
+	 * If there's no rndsource, just enter the data and time now.
+	 */
 	if (rs == NULL) {
+		uint32_t extra;
+
+		KASSERT(!intr_p);
+		KASSERTMSG(howmany(entropybits, NBBY) <= len,
+		    "%s: impossible entropy rate:"
+		    " %"PRIu32" bits in %"PRIu32"-byte string",
+		    rs ? rs->name : "(anonymous)", entropybits, len);
 		entropy_enter(buf, len, entropybits, /*count*/false);
 		extra = entropy_timer();
 		entropy_enter(&extra, sizeof extra, 0, /*count*/false);
@@ -2090,6 +2109,51 @@ rnd_add_data(struct krndsource *rs, const void *buf, uint32_t len,
 		return;
 	}
 
+	rnd_add_data_internal(rs, buf, len, entropybits, intr_p);
+}
+
+/*
+ * rnd_add_data_intr(rs, buf, len, entropybits)
+ *
+ *	Try to enter data from an entropy source into the pool, with a
+ *	driver's estimate of how much entropy the physical source of
+ *	the data has.  If RND_FLAG_NO_ESTIMATE, we ignore the driver's
+ *	estimate and treat it as zero.  If the sample buffer is full,
+ *	schedule a softint and drop any additional data on the floor.
+ *
+ *	MUST NOT be called with a spin lock held early at boot before
+ *	curlwp has been initialized.
+ */
+void
+rnd_add_data_intr(struct krndsource *rs, const void *buf, uint32_t len,
+    uint32_t entropybits)
+{
+	bool intr_p = true;
+
+	rnd_add_data_internal(rs, buf, len, entropybits, intr_p);
+}
+
+/*
+ * rnd_add_data_internal(rs, buf, len, entropybits, intr_p)
+ *
+ *	Internal subroutine to decide whether or not to enter data or
+ *	timing for a particular rndsource, and if so, to enter it.
+ *
+ *	intr_p is true for callers from interrupt context or spin locks
+ *	held, and false for callers from thread or soft interrupt
+ *	context and no spin locks held.
+ */
+static void
+rnd_add_data_internal(struct krndsource *rs, const void *buf, uint32_t len,
+    uint32_t entropybits, bool intr_p)
+{
+	uint32_t flags;
+
+	KASSERTMSG(howmany(entropybits, NBBY) <= len,
+	    "%s: impossible entropy rate:"
+	    " %"PRIu32" bits in %"PRIu32"-byte string",
+	    rs ? rs->name : "(anonymous)", entropybits, len);
+
 	/*
 	 * Hold up the reset xcall before it zeroes the entropy counts
 	 * on this CPU or globally.  Otherwise, we might leave some
@@ -2119,11 +2183,12 @@ rnd_add_data(struct krndsource *rs, const void *buf, uint32_t len,
 	/* If we are collecting data, enter them. */
 	if (ISSET(flags, RND_FLAG_COLLECT_VALUE)) {
 		rnd_add_data_1(rs, buf, len, entropybits, /*count*/false,
-		    RND_FLAG_COLLECT_VALUE);
+		    RND_FLAG_COLLECT_VALUE, intr_p);
 	}
 
 	/* If we are collecting timings, enter one. */
 	if (ISSET(flags, RND_FLAG_COLLECT_TIME)) {
+		uint32_t extra;
 		bool count;
 
 		/* Sample a timer. */
@@ -2137,7 +2202,7 @@ rnd_add_data(struct krndsource *rs, const void *buf, uint32_t len,
 		count = false;
 
 		rnd_add_data_1(rs, &extra, sizeof extra, 0, count,
-		    RND_FLAG_COLLECT_TIME);
+		    RND_FLAG_COLLECT_TIME, intr_p);
 	}
 
 out:	/* Allow concurrent changes to flags to finish. */
@@ -2161,7 +2226,7 @@ add_sat(unsigned a, unsigned b)
 */
 static void
 rnd_add_data_1(struct krndsource *rs, const void *buf, uint32_t len,
-    uint32_t entropybits, bool count, uint32_t flag)
+    uint32_t entropybits, bool count, uint32_t flag, bool intr_p)
 {
 	bool fullyused;
 
@@ -2170,9 +2235,17 @@ rnd_add_data_1(struct krndsource *rs, const void *buf, uint32_t len,
 	 * take note of whether it consumed the full sample; if not,
 	 * use entropy_enter, which always consumes the full sample.
 	 */
-	if (curlwp && cpu_intr_p()) {
+	if (curlwp && intr_p) {
 		fullyused = entropy_enter_intr(buf, len, entropybits, count);
 	} else {
+		/*
+		 * If curlwp is null, we must be cold so interrupts
+		 * can't be running yet.  However, the caller must not
+		 * hold spin locks in that case.  Probably not an issue
+		 * because that's such an obscure case, but I'm leaving
+		 * this comment here so you can find it through the
+		 * stack trace if you make that mistake.
+		 */
 		entropy_enter(buf, len, entropybits, count);
 		fullyused = true;
 	}
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index ad65c64ee1a5..8b0c95962eef 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -521,7 +521,7 @@ putchar(int c, int flags, struct tty *tp)
 #ifdef RND_PRINTF
 	if (__predict_true(kprintf_inited)) {
 		unsigned char ch = c;
-		rnd_add_data(&rnd_printf_source, &ch, 1, 0);
+		rnd_add_data_intr(&rnd_printf_source, &ch, 1, 0);
 	}
 #endif
 }
@@ -1623,7 +1623,7 @@ done:
 
 #ifdef RND_PRINTF
 	if (__predict_true(kprintf_inited))
-		rnd_add_data(&rnd_printf_source, NULL, 0, 0);
+		rnd_add_data_intr(&rnd_printf_source, NULL, 0, 0);
 #endif
 	return ret;
 }
diff --git a/sys/sys/rndsource.h b/sys/sys/rndsource.h
index f5440970864f..6eeb8fa549e8 100644
--- a/sys/sys/rndsource.h
+++ b/sys/sys/rndsource.h
@@ -94,6 +94,8 @@
 void	_rnd_add_uint64(struct krndsource *, uint64_t);	/* legacy */
 void	rnd_add_uint32(struct krndsource *, uint32_t);
 void	rnd_add_data(struct krndsource *, const void *, uint32_t,
	    uint32_t);
+void	rnd_add_data_intr(struct krndsource *, const void *, uint32_t,
+	    uint32_t);
 void	rnd_add_data_sync(struct krndsource *, const void *, uint32_t,
	    uint32_t);