git: e24be8a6b6d6 - stable/12 - random(4): update Fortuna generator Chacha20 documentation.

From: David E. O'Brien <obrien_at_FreeBSD.org>
Date: Thu, 17 Feb 2022 05:06:02 UTC
The branch stable/12 has been updated by obrien:

URL: https://cgit.FreeBSD.org/src/commit/?id=e24be8a6b6d6db00c474b11f2353f237689090f7

commit e24be8a6b6d6db00c474b11f2353f237689090f7
Author:     Conrad Meyer <cem@FreeBSD.org>
AuthorDate: 2019-12-20 21:11:00 +0000
Commit:     David E. O'Brien <obrien@FreeBSD.org>
CommitDate: 2022-02-17 04:57:46 +0000

    random(4): update Fortuna generator Chacha20 documentation.
    
    The implementation was landed in r344913 and has had some bake time (at
    least on my personal systems).  There is some discussion of the motivation
    for defaulting to this cipher as a PRF in the commit log for r344913.
    
    Administrators retain the prior (AES-ICM) mode of operation by default.
    The new mode may be used by setting the 'kern.random.use_chacha20_cipher'
    tunable to "1" in loader.conf(5).
    
    (cherry picked from commit 68b97d40fbe826585813f05042209db5490dbe08)
---
 sys/dev/random/hash.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sys/dev/random/hash.c b/sys/dev/random/hash.c
index 99965513350d..5903394eee3c 100644
--- a/sys/dev/random/hash.c
+++ b/sys/dev/random/hash.c
@@ -68,18 +68,18 @@ CTASSERT(RANDOM_KEYSIZE == 2*RANDOM_BLOCKSIZE);
 _Static_assert(CHACHA_STATELEN == RANDOM_BLOCKSIZE, "");
 
 /*
- * Experimental Chacha20-based PRF for Fortuna keystream primitive.  For now,
- * disabled by default.  But we may enable it in the future.
+ * Knob to control use of Chacha20-based PRF for Fortuna keystream primitive.
  *
  * Benefits include somewhat faster keystream generation compared with
- * unaccelerated AES-ICM.
+ * unaccelerated AES-ICM; reseeding is much cheaper than computing AES key
+ * schedules.
  */
 bool random_chachamode __read_frequently = false;
 #ifdef _KERNEL
 SYSCTL_BOOL(_kern_random, OID_AUTO, use_chacha20_cipher, CTLFLAG_RDTUN,
     &random_chachamode, 0,
-    "If non-zero, use the ChaCha20 cipher for randomdev PRF.  "
-    "If zero, use AES-ICM cipher for randomdev PRF (default).");
+    "If non-zero, use the ChaCha20 cipher for randomdev PRF (13.0+ default). "
+    "If zero, use AES-ICM cipher for randomdev PRF (12.x default).");
 #endif
 
 /* Initialise the hash */
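Review bot: the new description string in the SYSCTL_BOOL call hard-codes per-release defaults ("13.0+ default", "12.x default"), while the value that actually decides the default is the `= false` initializer on random_chachamode a few lines above; nothing ties the two together, so the text can go stale if the initializer changes on this branch. The rewritten block comment also drops the old "disabled by default" wording without saying what the default is here. Consider stating in the comment that the initializer is the branch default (false, meaning AES-ICM, on this branch), and, since the OID is CTLFLAG_RDTUN, noting in the comment or the description that the knob is read-only at runtime and must be set as a loader.conf(5) tunable, as the commit message says. Minor wording point in the same comment: "reseeding is much cheaper than computing AES key schedules" compares an operation with a cost; something like "reseeding is much cheaper because no AES key schedule has to be computed" reads more clearly.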