svn commit: r344913 - head/sys/dev/random

Shawn Webb shawn.webb at hardenedbsd.org
Fri Mar 8 01:49:36 UTC 2019 

Hey Conrad,

On Fri, Mar 08, 2019 at 01:17:20AM +0000, Conrad Meyer wrote:
> Author: cem
> Date: Fri Mar  8 01:17:20 2019
> New Revision: 344913
> URL: https://svnweb.freebsd.org/changeset/base/344913
> 
> Log:
>   Fortuna: Add Chacha20 as an alternative stream cipher
>   
>   Chacha20 with a 256 bit key and 128 bit counter size is a good match for an
>   AES256-ICM replacement.
>   
>   In userspace, Chacha20 is typically marginally slower than AES-ICM on
>   machines with AESNI intrinsics, but typically much faster than AES on
>   machines without special intrinsics.  ChaCha20 does well on typical modern
>   architectures with SIMD instructions, which includes most types of machines
>   FreeBSD runs on.
>   
>   In the kernel, we can't (or don't) make use of AESNI intrinsics for
>   random(4) anyway.  So even on amd64, using Chacha provides a modest
>   performance improvement in random device throughput today.
>   
>   This change makes the stream cipher used by random(4) configurable at boot
>   time with the 'kern.random.use_chacha20_cipher' tunable.
>   
>   Very rough, non-scientific measurements at the /dev/random device, on a
>   GENERIC-NODEBUG amd64 VM with 'pv', show a factor of 2.2x higher throughput
>   for Chacha20 over the existing AES-ICM mode.
>   
>   Reviewed by:	delphij, markm
>   Approved by:	secteam (delphij)
>   Differential Revision:	https://reviews.freebsd.org/D19475
> 
> Modified:
>   head/sys/dev/random/fortuna.c
>   head/sys/dev/random/hash.c
>   head/sys/dev/random/hash.h
>   head/sys/dev/random/uint128.h
>
> Modified: head/sys/dev/random/hash.c
> ==============================================================================
> --- head/sys/dev/random/hash.c	Fri Mar  8 01:04:19 2019	(r344912)
> +++ head/sys/dev/random/hash.c	Fri Mar  8 01:17:20 2019	(r344913)
> +/* Validate that full Chacha IV is as large as the 128-bit counter */
> +_Static_assert(CHACHA_STATELEN == RANDOM_BLOCKSIZE, "");
> +
> +/*
> + * Experimental Chacha20-based PRF for Fortuna keystream primitive.  For now,
> + * disabled by default.  But we may enable it in the future.
> + *
> + * Benefits include somewhat faster keystream generation compared with
> + * unaccelerated AES-ICM.
> + */
> +bool random_chachamode = false;
> +#ifdef _KERNEL
> +SYSCTL_BOOL(_kern_random, OID_AUTO, use_chacha20_cipher, CTLFLAG_RDTUN,
> +    &random_chachamode, 0,
> +    "If non-zero, use the ChaCha20 cipher for randomdev PRF.  "
> +    "If zero, use AES-ICM cipher for randomdev PRF (default).");
> +#endif

I'm curious if that sysctl node could be documented in a manpage,
perhaps the random(4) manpage would be a good candidate for updating.


Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera at is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/svn-src-head/attachments/20190307/b7f84dc0/attachment.sig>

More information about the svn-src-head mailing list