NetBSD Problem Report #58632
From www@netbsd.org Sat Aug 24 14:15:43 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 5D8781A9242
for <gnats-bugs@gnats.NetBSD.org>; Sat, 24 Aug 2024 14:15:43 +0000 (UTC)
Message-Id: <20240824141542.38E2F1A9243@mollari.NetBSD.org>
Date: Sat, 24 Aug 2024 14:15:42 +0000 (UTC)
From: jonas.boettiger@icloud.com
Reply-To: jonas.boettiger@icloud.com
To: gnats-bugs@NetBSD.org
Subject: getentropy(2) and arc4random(3) do not reseed on VM fork
X-Send-Pr-Version: www-1.0
>Number: 58632
>Category: kern
>Synopsis: getentropy(2) and arc4random(3) do not reseed on VM fork
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: riastradh
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 24 14:20:00 +0000 2024
>Closed-Date: Wed Oct 09 13:40:00 +0000 2024
>Last-Modified: Wed Oct 09 13:40:00 +0000 2024
>Originator: Jonas Böttiger
>Release:
>Organization:
rust-lang
>Environment:
>Description:
Both getentropy(2) and arc4random(3) do not reseed when a VM is cloned or multiple VMs are resumed from the same snapshot, so the new VMs will all produce the same or similar output from getentropy(2) and arc4random(3), which could be used for attacks on keys used for cryptography.
>How-To-Repeat:
>Fix:
Multiple VMs – e.g. QEMU – expose a special VM generation ID device via the ACPI that allows retrieving a randomized VM ID and notifies the system whenever this changes. This ID can then be used as input to the RNG, ensuring randomization.
The newly introduced vDSO version of getrandom(2) on Linux also uses an entropy pool generation counter that is updated by the kernel whenever necessary to ensure that the userspace RNGs also perform a reseed. This strategy could allow resolving this issue for arc4random(3) as well.
https://www.qemu.org/docs/master/specs/vmgenid.html
https://lwn.net/Articles/886004/
https://lwn.net/ml/linux-kernel/20230101162910.710293-1-Jason@zx2c4.com/
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->riastradh
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Sun, 25 Aug 2024 01:36:18 +0000
Responsible-Changed-Why:
I'll take care of this
From: Taylor R Campbell <riastradh@NetBSD.org>
To: jonas.boettiger@icloud.com
Cc: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/58632 (getentropy(2) and arc4random(3) do not reseed on VM fork)
Date: Sun, 25 Aug 2024 20:52:37 +0000
This is a multi-part message in MIME format.
--=_kfI//mdIC0kx2NGNjppVUyLgYbxCgVBW
The attached patch addresses part of the problem.
There are some other parts to address -- noted in the man page for the
new acpivmgenid(4) driver -- which I'll pick up later.
--=_kfI//mdIC0kx2NGNjppVUyLgYbxCgVBW
Content-Type: text/plain; charset="ISO-8859-1"; name="pr58632-vmgenid"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="pr58632-vmgenid.patch"
# HG changeset patch
# User Taylor R Campbell <riastradh@NetBSD.org>
# Date 1724594231 0
# Sun Aug 25 13:57:11 2024 +0000
# Branch trunk
# Node ID 5be00488683c99f21ab86a2ae2106bacf7f3888a
# Parent cf7a8f9687ea781207542c43a006460dc134ea3b
# EXP-Topic riastradh-pr58632-vmgenid
acpivmgenid(4): New driver for virtual machine generation ID.
Added to amd64/ALL and i386/ALL kernel configurations, and made
available as a loadable module acpivmgenid.kmod on x86, for now.
TBD: Add to all ACPI-supporting GENERIC kernels.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
diff -r cf7a8f9687ea -r 5be00488683c distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Sat Aug 24 07:24:34 2024 +0000
+++ b/distrib/sets/lists/man/mi Sun Aug 25 13:57:11 2024 +0000
@@ -834,6 +834,7 @@
./usr/share/man/cat4/acpismbus.0 man-sys-catman .cat
./usr/share/man/cat4/acpitz.0 man-sys-catman .cat
./usr/share/man/cat4/acpivga.0 man-sys-catman .cat
+./usr/share/man/cat4/acpivmgenid.0 man-sys-catman .cat
./usr/share/man/cat4/acpiwdrt.0 man-sys-catman .cat
./usr/share/man/cat4/acpiwmi.0 man-sys-catman .cat
./usr/share/man/cat4/adb.0 man-sys-catman .cat
@@ -4391,6 +4392,7 @@
./usr/share/man/man4/acpismbus.4 man-sys-man .man
./usr/share/man/man4/acpitz.4 man-sys-man .man
./usr/share/man/man4/acpivga.4 man-sys-man .man
+./usr/share/man/man4/acpivmgenid.4 man-sys-man .man
./usr/share/man/man4/acpiwdrt.4 man-sys-man .man
./usr/share/man/man4/acpiwmi.4 man-sys-man .man
./usr/share/man/man4/adb.4 man-sys-man .man
diff -r cf7a8f9687ea -r 5be00488683c distrib/sets/lists/manhtml/mi
--- a/distrib/sets/lists/manhtml/mi Sat Aug 24 07:24:34 2024 +0000
+++ b/distrib/sets/lists/manhtml/mi Sun Aug 25 13:57:11 2024 +0000
@@ -755,6 +755,7 @@
./usr/share/man/html4/acpismbus.html man-sys-htmlman html
./usr/share/man/html4/acpitz.html man-sys-htmlman html
./usr/share/man/html4/acpivga.html man-sys-htmlman html
+./usr/share/man/html4/acpivmgenid.html man-sys-htmlman html
./usr/share/man/html4/acpiwdrt.html man-sys-htmlman html
./usr/share/man/html4/acpiwmi.html man-sys-htmlman html
./usr/share/man/html4/adb.html man-sys-htmlman html
diff -r cf7a8f9687ea -r 5be00488683c distrib/sets/lists/modules/md.amd64
--- a/distrib/sets/lists/modules/md.amd64 Sat Aug 24 07:24:34 2024 +0000
+++ b/distrib/sets/lists/modules/md.amd64 Sun Aug 25 13:57:11 2024 +0000
@@ -24,6 +24,8 @@
./@MODULEDIR@/acpiverbose/acpiverbose.kmod modules-base-kernel kmod
./@MODULEDIR@/acpivga modules-base-kernel kmod
./@MODULEDIR@/acpivga/acpivga.kmod modules-base-kernel kmod
+./@MODULEDIR@/acpivmgenid modules-base-kernel kmod
+./@MODULEDIR@/acpivmgenid/acpivmgenid.kmod modules-base-kernel kmod
./@MODULEDIR@/acpiwdrt modules-base-kernel kmod
./@MODULEDIR@/acpiwdrt/acpiwdrt.kmod modules-base-kernel kmod
./@MODULEDIR@/acpiwmi modules-base-kernel kmod
diff -r cf7a8f9687ea -r 5be00488683c distrib/sets/lists/modules/md.i386
--- a/distrib/sets/lists/modules/md.i386 Sat Aug 24 07:24:34 2024 +0000
+++ b/distrib/sets/lists/modules/md.i386 Sun Aug 25 13:57:11 2024 +0000
@@ -24,6 +24,8 @@
./@MODULEDIR@/acpiverbose/acpiverbose.kmod modules-base-kernel kmod
./@MODULEDIR@/acpivga modules-base-kernel kmod
./@MODULEDIR@/acpivga/acpivga.kmod modules-base-kernel kmod
+./@MODULEDIR@/acpivmgenid modules-base-kernel kmod
+./@MODULEDIR@/acpivmgenid/acpivmgenid.kmod modules-base-kernel kmod
./@MODULEDIR@/acpiwdrt modules-base-kernel kmod
./@MODULEDIR@/acpiwdrt/acpiwdrt.kmod modules-base-kernel kmod
./@MODULEDIR@/acpiwmi modules-base-kernel kmod
diff -r cf7a8f9687ea -r 5be00488683c share/man/man4/Makefile
--- a/share/man/man4/Makefile Sat Aug 24 07:24:34 2024 +0000
+++ b/share/man/man4/Makefile Sun Aug 25 13:57:11 2024 +0000
@@ -100,7 +100,8 @@ MAN+=3D irframe.4 cir.4 irframetty.4 oboe.
# ACPI devices
MAN+=3D acpi.4 acpiacad.4 acpibat.4 acpibut.4 acpicpu.4 \
acpidalb.4 acpiec.4 acpifan.4 acpihed.4 acpilid.4 \
- acpipmtr.4 acpismbus.4 acpitz.4 acpivga.4 acpiwdrt.4 acpiwmi.4
+ acpipmtr.4 acpismbus.4 acpitz.4 acpivga.4 acpivmgenid.4 \
+ acpiwdrt.4 acpiwmi.4
MAN+=3D apei.4
=20
# Radio devices
diff -r cf7a8f9687ea -r 5be00488683c share/man/man4/acpivmgenid.4
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/man/man4/acpivmgenid.4 Sun Aug 25 13:57:11 2024 +0000
@@ -0,0 +1,112 @@
+.\" $NetBSD$
+.\"
+.\" Copyright (c) 2024 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUT=
ORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LI=
MITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTIC=
ULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUT=
ORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINE=
SS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF=
THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 25, 2024
+.Dt ACPIVMGENID 4
+.Os
+.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
"""""
+.Sh NAME
+.Nm acpivmgenid
+.Nd ACPI Virtual Machine Generation ID
+.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
"""""
+.Sh SYNOPSIS
+.Cd "acpivmgenid* at acpi?"
+.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
"""""
+.Sh DESCRIPTION
+.Nm
+provides a generation ID for virtual machines.
+.Pp
+When starting two otherwise identical virtual machines, whether from
+the same clean image or by cloning snapshots or any other mechanism,
+the VM host may choose a different generation ID.
+Although this generation ID is not secret, it is incorporated into the
+.Xr entropy 7
+pool (with a measure of zero entropy) so that the two virtual machines
+will produce independent random output.
+.Pp
+If a live VM is cloned, the VM host may change the generation ID in one
+or both of the clones and notify them through the
+.Nm
+device.
+When this happens,
+.Nx
+will reseed system random number generators, so that output of
+.Pa /dev/urandom
+and
+.Xr getentropy 3
+will be independent in the two clones.
+.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
"""""
+.Sh SYSCTLS
+The following
+.Xr sysctl 7
+nodes are available:
+.Bl -tag -width Li
+.It Li "hw.acpivmgenid" Ns Va N Ns Li ".id"
+The current 16-byte VM generation ID.
+.It Li "hw.acpivmgenid" Ns Va N Ns Li ".paddr"
+The physical address of the VM generation ID provided by the host.
+.El
+.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
"""""
+.Sh SEE ALSO
+.Xr arc4random 3 ,
+.Xr getentropy 3 ,
+.Xr rnd 4 ,
+.Xr entropy 7
+.Rs
+.%T Virtual Machine Generation ID
+.%Q Microsoft
+.%D 2018-08-01
+.%U http://go.microsoft.com/fwlink/?LinkId=3D260709
+.Re
+.Rs
+.%T Virtual Machine Generation ID Device
+.%Q The QEMU Project Developers
+.%U https://www.qemu.org/docs/master/specs/vmgenid.html
+.Re
+.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
"""""
+.Sh HISTORY
+The
+.Nm
+driver first appeared in
+.Nx 11.0 .
+.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
"""""
+.Sh BUGS
+Currently
+.Nx
+does not request fresh samples from all on-demand entropy sources when
+the VM generation ID changes, so although the outputs of the system
+entropy pool appear independent to an outside observer, disclosing the
+kernel memory of one VM clone to an adversary may allow the adversary
+to predict another VM clone's
+.Pa /dev/urandom
+outputs.
+.Pp
+Currently
+.Xr arc4random 3
+is not reseeded when the VM generation ID changes.
+.Pp
+Currently there is no cheaper way to detect VM generation ID changes
+than to query sysctl.
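Review bot: In SEE ALSO the Microsoft reference is dated `.%D 2018-08-01`, while the header comment of sys/dev/acpi/acpi_vmgenid.c in this same changeset cites the same document as 2012-08-01; make the two agree. In BUGS, "query sysctl" should name the node an application is expected to poll: SYSCTLS lists only hw.acpivmgenidN.id and hw.acpivmgenidN.paddr, and the driver creates both with CTLFLAG_PRIVATE.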
diff -r cf7a8f9687ea -r 5be00488683c sys/arch/amd64/conf/ALL
--- a/sys/arch/amd64/conf/ALL Sat Aug 24 07:24:34 2024 +0000
+++ b/sys/arch/amd64/conf/ALL Sun Aug 25 13:57:11 2024 +0000
@@ -381,6 +381,7 @@ acpismbus* at acpi? # ACPI SMBus CMI (e
acpitz* at acpi? # ACPI Thermal Zone
acpivga* at acpi? # ACPI Display Adapter
acpiout* at acpivga? # ACPI Display Output Device
+acpivmgenid* at acpi? # ACPI Virtual Machine Generation ID
acpiwdrt* at acpi? # ACPI Watchdog Resource Table
acpiwmi* at acpi? # ACPI WMI Mapper
apei* at apeibus? # ACPI Platform Error Interfaces
diff -r cf7a8f9687ea -r 5be00488683c sys/arch/i386/conf/ALL
--- a/sys/arch/i386/conf/ALL Sat Aug 24 07:24:34 2024 +0000
+++ b/sys/arch/i386/conf/ALL Sun Aug 25 13:57:11 2024 +0000
@@ -368,6 +368,7 @@ acpismbus* at acpi? # ACPI SMBus CMI (e
acpitz* at acpi? # ACPI Thermal Zone
acpivga* at acpi? # ACPI Display Adapter
acpiout* at acpivga? # ACPI Display Output Device
+acpivmgenid* at acpi? # ACPI Virtual Machine Generation ID
acpiwdrt* at acpi? # ACPI Watchdog Resource Table
acpiwmi* at acpi? # ACPI WMI Mapper
apei* at apeibus? # ACPI Platform Error Interfaces
diff -r cf7a8f9687ea -r 5be00488683c sys/dev/acpi/acpi_vmgenid.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/dev/acpi/acpi_vmgenid.c Sun Aug 25 13:57:11 2024 +0000
@@ -0,0 +1,346 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2024 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTO=
RS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIM=
ITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICU=
LAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTO=
RS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF =
THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Virtual Machine Generation ID
+ *
+ * The VMGENID is an 8-byte cookie shared between a VM host and VM
+ * guest. Whenever the host clones a VM, it changes the VMGENID
+ * and sends an ACPI notification to the guest.
+ *
+ * References:
+ *
+ * `Virtual Machine Generation ID', Microsoft, 2012-08-01.
+ * http://go.microsoft.com/fwlink/?LinkId=3D260709
+ *
+ * `Virtual Machine Generation ID Device', The QEMU Project
+ * Developers.
+ * https://www.qemu.org/docs/master/specs/vmgenid.html
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD$");
+
+#include <sys/device.h>
+#include <sys/entropy.h>
+#include <sys/module.h>
+#include <sys/rndsource.h>
+#include <sys/sysctl.h>
+
+#include <dev/acpi/acpireg.h>
+#include <dev/acpi/acpivar.h>
+
+#define _COMPONENT ACPI_RESOURCE_COMPONENT
+ACPI_MODULE_NAME ("acpi_vmgenid")
+
+struct acpivmgenid {
+ uint8_t id[16];
+} __aligned(8);
+
+struct acpivmgenid_softc {
+ device_t sc_dev;
+ struct acpi_devnode *sc_node;
+ uint64_t sc_paddr;
+ struct acpivmgenid *sc_vaddr;
+ struct acpivmgenid sc_cur;
+ struct krndsource sc_rndsource;
+ struct sysctllog *sc_sysctllog;
+ const struct sysctlnode *sc_sysctlroot;
+};
+
+static int acpivmgenid_match(device_t, cfdata_t, void *);
+static void acpivmgenid_attach(device_t, device_t, void *);
+static int acpivmgenid_detach(device_t, int);
+static void acpivmgenid_set(struct acpivmgenid_softc *, const char *);
+static void acpivmgenid_notify(ACPI_HANDLE, uint32_t, void *);
+static void acpivmgenid_reset(void *);
+static int acpivmgenid_sysctl(SYSCTLFN_ARGS);
+
+static const struct device_compatible_entry compat_data[] =3D {
+ { .compat =3D "VM_Gen_Counter" }, /* from the Microsoft spec */
+ { .compat =3D "VM_GEN_COUNTER" }, /* used by qemu */
+ { .compat =3D "VMGENCTR" }, /* recognized by Linux */
+ DEVICE_COMPAT_EOL
+};
+
+CFATTACH_DECL_NEW(acpivmgenid, sizeof(struct acpivmgenid_softc),
+ acpivmgenid_match, acpivmgenid_attach, acpivmgenid_detach, NULL);
+
+static int
+acpivmgenid_match(device_t parent, cfdata_t match, void *aux)
+{
+ const struct acpi_attach_args *const aa =3D aux;
+
+ return acpi_compatible_match(aa, compat_data);
+}
+
+static void
+acpivmgenid_attach(device_t parent, device_t self, void *aux)
+{
+ struct acpivmgenid_softc *const sc =3D device_private(self);
+ const struct acpi_attach_args *const aa =3D aux;
+ ACPI_BUFFER addrbuf =3D {
+ .Pointer =3D NULL,
+ .Length =3D ACPI_ALLOCATE_BUFFER,
+ };
+ ACPI_OBJECT *addrobj, *addrarr;
+ ACPI_STATUS rv;
+ int error;
+
+ aprint_naive(": ACPI VM Generation ID\n");
+ aprint_normal(": ACPI VM Generation ID\n");
+
+ sc->sc_dev =3D self;
+ sc->sc_node =3D aa->aa_node;
+
+ /*
+ * Get the address from the ADDR object, which is a package of
+ * two 32-bit integers representing the low and high halves of
+ * a 64-bit physical address.
+ */
+ rv =3D AcpiEvaluateObjectTyped(sc->sc_node->ad_handle, "ADDR", NULL,
+ &addrbuf, ACPI_TYPE_PACKAGE);
+ if (ACPI_FAILURE(rv)) {
+ aprint_error_dev(self, "failed to get ADDR: %s\n",
+ AcpiFormatException(rv));
+ goto out;
+ }
+ addrobj =3D addrbuf.Pointer;
+ if (addrobj->Type !=3D ACPI_TYPE_PACKAGE ||
+ addrobj->Package.Count !=3D 2) {
+ aprint_error_dev(self, "invalid ADDR\n");
+ goto out;
+ }
+ addrarr =3D addrobj->Package.Elements;
+ if (addrarr[0].Type !=3D ACPI_TYPE_INTEGER ||
+ addrarr[1].Type !=3D ACPI_TYPE_INTEGER ||
+ addrarr[0].Integer.Value > UINT32_MAX ||
+ addrarr[1].Integer.Value > UINT32_MAX) {
+ aprint_error_dev(self, "invalid ADDR\n");
+ goto out;
+ }
+ sc->sc_paddr =3D (ACPI_PHYSICAL_ADDRESS)addrarr[0].Integer.Value;
+ sc->sc_paddr |=3D (ACPI_PHYSICAL_ADDRESS)addrarr[1].Integer.Value << 32;
+ aprint_normal_dev(self, "paddr=3D0x%"PRIx64"\n", (uint64_t)sc->sc_paddr);
+
+ /*
+ * Map the physical address into virtual address space.
+ */
+ sc->sc_vaddr =3D AcpiOsMapMemory(sc->sc_paddr, sizeof(*sc->sc_vaddr));
+ if (sc->sc_vaddr =3D=3D NULL) {
+ aprint_error_dev(self, "failed to map address\n");
+ goto out;
+ }
+
+ /*
+ * Register a random source so we can attribute samples.
+ */
+ rnd_attach_source(&sc->sc_rndsource, device_xname(self),
+ RND_TYPE_UNKNOWN, RND_FLAG_COLLECT_TIME|RND_FLAG_COLLECT_VALUE);
+
+ /*
+ * Register an ACPI notifier so that we can detect changes.
+ */
+ (void)acpi_register_notify(sc->sc_node, acpivmgenid_notify);
+
+ /*
+ * Now that we have registered a random source and a notifier,
+ * read out the first value.
+ */
+ acpivmgenid_set(sc, "initial");
+
+ /*
+ * Attach a sysctl tree, rooted at hw.acpivmgenidN.
+ */
+ error =3D sysctl_createv(&sc->sc_sysctllog, 0, NULL, &sc->sc_sysctlroot,
+ CTLFLAG_PERMANENT, CTLTYPE_NODE, device_xname(self),
+ SYSCTL_DESCR("Virtual Machine Generation ID device"),
+ NULL, 0, NULL, 0,
+ CTL_HW, CTL_CREATE, CTL_EOL);
+ if (error) {
+ aprint_error_dev(self, "failed to create sysctl hw.%s: %d\n",
+ device_xname(self), error);
+ goto out;
+ }
+
+ /*
+ * hw.acpivmgenidN.id (`struct', 16-byte array)
+ */
+ error =3D sysctl_createv(&sc->sc_sysctllog, 0, &sc->sc_sysctlroot, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READONLY|CTLFLAG_PRIVATE, CTLTYPE_STRUCT,
+ "id", SYSCTL_DESCR("Virtual Machine Generation ID device"),
+ &acpivmgenid_sysctl, 0, sc, sizeof(struct acpivmgenid),
+ CTL_CREATE, CTL_EOL);
+ if (error) {
+ aprint_error_dev(self,
+ "failed to create sysctl hw.%s.id: %d\n",
+ device_xname(self), error);
+ goto out;
+ }
+
+ /*
+ * hw.acpivmgenidN.paddr (64-bit integer)
+ */
+ __CTASSERT(sizeof(ACPI_PHYSICAL_ADDRESS) =3D=3D sizeof(long));
+ error =3D sysctl_createv(&sc->sc_sysctllog, 0, &sc->sc_sysctlroot, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READONLY|CTLFLAG_PRIVATE, CTLTYPE_LONG,
+ "paddr", SYSCTL_DESCR("Virtual Machine Generation ID device"),
+ NULL, 0, &sc->sc_paddr, sizeof(sc->sc_paddr),
+ CTL_CREATE, CTL_EOL);
+ if (error) {
+ aprint_error_dev(self,
+ "failed to create sysctl hw.%s.paddr: %d\n",
+ device_xname(self), error);
+ goto out;
+ }
+
+out: ACPI_FREE(addrbuf.Pointer);
+}
+
+static int
+acpivmgenid_detach(device_t self, int flags)
+{
+ struct acpivmgenid_softc *const sc =3D device_private(self);
+ int error;
+
+ error =3D config_detach_children(self, flags);
+ if (error)
+ return error;
+
+ sysctl_teardown(&sc->sc_sysctllog);
+ acpi_deregister_notify(sc->sc_node);
+ rnd_detach_source(&sc->sc_rndsource);
+ if (sc->sc_vaddr) {
+ AcpiOsUnmapMemory(sc->sc_vaddr, sizeof(*sc->sc_vaddr));
+ sc->sc_vaddr =3D NULL; /* paranoia */
+ }
+ sc->sc_paddr =3D 0; /* paranoia */
+
+ return 0;
+}
+
+static void
+acpivmgenid_set(struct acpivmgenid_softc *sc, const char *prefix)
+{
+ struct acpivmgenid vmgenid;
+ char vmgenidstr[2*__arraycount(vmgenid.id) + 1];
+ unsigned i;
+
+ /*
+ * Grab the current VM generation ID. No obvious way to make
+ * this atomic, so let's hope if it changes in the middle we'll
+ * get another notification.
+ */
+ memcpy(&vmgenid, sc->sc_vaddr, sizeof(vmgenid));
+
+ /*
+ * Print the VM generation ID to the console for posterity.
+ */
+ for (i =3D 0; i < __arraycount(vmgenid.id); i++) {
+ vmgenidstr[2*i] =3D "0123456789abcdef"[vmgenid.id[i] >> 4];
+ vmgenidstr[2*i + 1] =3D "0123456789abcdef"[vmgenid.id[i] & 0xf];
+ }
+ vmgenidstr[2*sizeof(vmgenid)] =3D '\0';
+ aprint_verbose_dev(sc->sc_dev, "%s: %s\n", prefix, vmgenidstr);
+
+ /*
+ * Enter the new VM generation ID into the entropy pool.
+ */
+ rnd_add_data(&sc->sc_rndsource, &vmgenid, sizeof(vmgenid), 0);
+}
+
+static void
+acpivmgenid_notify(ACPI_HANDLE hdl, uint32_t notify, void *opaque)
+{
+ const device_t self =3D opaque;
+ struct acpivmgenid_softc *const sc =3D device_private(self);
+
+ if (notify !=3D 0x80) {
+ aprint_debug_dev(self, "unknown notify 0x%02x\n", notify);
+ return;
+ }
+
+ (void)AcpiOsExecute(OSL_NOTIFY_HANDLER, &acpivmgenid_reset, sc);
+}
+
+static void
+acpivmgenid_reset(void *cookie)
+{
+ struct acpivmgenid_softc *const sc =3D cookie;
+
+ /*
+ * Grab the current VM generation ID to put it into the entropy
+ * pool; then force consolidation so it affects all subsequent
+ * draws from the entropy pool and the entropy epoch advances.
+ *
+ * XXX This should also reset the entropy count and request new
+ * samples from all sources, but there currently isn't a good
+ * way to do that after boot.
+ */
+ acpivmgenid_set(sc, "cloned");
+ entropy_consolidate();
+}
+
+static int
+acpivmgenid_sysctl(SYSCTLFN_ARGS)
+{
+ struct sysctlnode node =3D *rnode;
+ struct acpivmgenid_softc *const sc =3D node.sysctl_data;
+
+ node.sysctl_data =3D sc->sc_vaddr;
+ return sysctl_lookup(SYSCTLFN_CALL(&node));
+}
+
+MODULE(MODULE_CLASS_DRIVER, acpivmgenid, NULL);
+
+#ifdef _MODULE
+#include "ioconf.c"
+#endif
+
+static int
+acpivmgenid_modcmd(modcmd_t cmd, void *opaque)
+{
+ int error =3D 0;
+
+ switch (cmd) {
+ case MODULE_CMD_INIT:
+#ifdef _MODULE
+ error =3D config_init_component(cfdriver_ioconf_acpivmgenid,
+ cfattach_ioconf_acpivmgenid, cfdata_ioconf_acpivmgenid);
+#endif
+ return error;
+ case MODULE_CMD_FINI:
+#ifdef _MODULE
+ error =3D config_fini_component(cfdriver_ioconf_acpivmgenid,
+ cfattach_ioconf_acpivmgenid, cfdata_ioconf_acpivmgenid);
+#endif
+ return error;
+ default:
+ return ENOTTY;
+ }
+}
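Review bot: In acpivmgenid_attach the result of acpi_register_notify() is cast to void, so a failed registration goes unreported and the guest never handles the 0x80 clone notification this driver exists for; check the result and report it with aprint_error_dev, and likewise for the discarded AcpiOsExecute() result in acpivmgenid_notify. Related: every `goto out` failure path leaves the device attached without a mapping, rndsource or notifier, yet acpivmgenid_detach calls acpi_deregister_notify() and rnd_detach_source() unconditionally and guards only sc_vaddr, so detach should track what attach actually set up. Smaller points: the header comment calls the VMGENID "an 8-byte cookie" while struct acpivmgenid holds id[16] and the man page says 16 bytes; sc_cur is never used; `vmgenidstr[2*sizeof(vmgenid)]` should index by __arraycount(vmgenid.id) like the declaration and the loop; the __CTASSERT tests sizeof(ACPI_PHYSICAL_ADDRESS) but the paddr node exports sc_paddr, a uint64_t, as CTLTYPE_LONG, and the `<< 32` on a value cast to ACPI_PHYSICAL_ADDRESS is only defined if that type is 64 bits wide, so cast to uint64_t and assert on sizeof(sc->sc_paddr); and the three sysctl nodes share one SYSCTL_DESCR string.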
diff -r cf7a8f9687ea -r 5be00488683c sys/dev/acpi/files.acpi
--- a/sys/dev/acpi/files.acpi Sat Aug 24 07:24:34 2024 +0000
+++ b/sys/dev/acpi/files.acpi Sun Aug 25 13:57:11 2024 +0000
@@ -116,6 +116,11 @@ device acpicppc: acpipcc
attach acpicppc at acpinodebus
file dev/acpi/acpi_cppc.c acpicppc
=20
+# ACPI Virtual Machine Generation ID
+device acpivmgenid
+attach acpivmgenid at acpinodebus
+file dev/acpi/acpi_vmgenid.c acpivmgenid
+
# ACPI Platform Error Interface
device apei
attach apei at apeibus
diff -r cf7a8f9687ea -r 5be00488683c sys/modules/Makefile
--- a/sys/modules/Makefile Sat Aug 24 07:24:34 2024 +0000
+++ b/sys/modules/Makefile Sun Aug 25 13:57:11 2024 +0000
@@ -298,6 +298,7 @@ SUBDIR+=3D acpilid
SUBDIR+=3D acpipmtr
SUBDIR+=3D acpitz
SUBDIR+=3D acpivga
+SUBDIR+=3D acpivmgenid
SUBDIR+=3D acpiwdrt
SUBDIR+=3D acpiwmi
SUBDIR+=3D aibs
diff -r cf7a8f9687ea -r 5be00488683c sys/modules/acpivmgenid/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/modules/acpivmgenid/Makefile Sun Aug 25 13:57:11 2024 +0000
@@ -0,0 +1,11 @@
+# $NetBSD$
+
+.include "../Makefile.inc"
+
+.PATH: ${S}/dev/acpi
+
+KMOD=3D acpivmgenid
+IOCONF=3D acpivmgenid.ioconf
+SRCS=3D acpi_vmgenid.c
+
+.include <bsd.kmodule.mk>
diff -r cf7a8f9687ea -r 5be00488683c sys/modules/acpivmgenid/acpivmgenid.io=
conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/modules/acpivmgenid/acpivmgenid.ioconf Sun Aug 25 13:57:11 2024 +=
0000
@@ -0,0 +1,10 @@
+# $NetBSD$
+
+ioconf acpivmgenid
+
+include "conf/files"
+include "dev/acpi/files.acpi"
+
+pseudo-root acpi*
+
+acpivmgenid* at acpi?
# HG changeset patch
# User Taylor R Campbell <riastradh@NetBSD.org>
# Date 1724594459 0
# Sun Aug 25 14:00:59 2024 +0000
# Branch trunk
# Node ID 1209429d9c2f1be453574307f2a1b7021ff1bfbd
# Parent 5be00488683c99f21ab86a2ae2106bacf7f3888a
# EXP-Topic riastradh-pr58632-vmgenid
amd64, evbarm, i386: Add acpivmgenid(4) to GENERIC.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
diff -r 5be00488683c -r 1209429d9c2f sys/arch/amd64/conf/GENERIC
--- a/sys/arch/amd64/conf/GENERIC Sun Aug 25 13:57:11 2024 +0000
+++ b/sys/arch/amd64/conf/GENERIC Sun Aug 25 14:00:59 2024 +0000
@@ -341,6 +341,7 @@ acpilid* at acpi? # ACPI Lid Switch
acpitz* at acpi? # ACPI Thermal Zone
acpivga* at acpi? # ACPI Display Adapter
acpiout* at acpivga? # ACPI Display Output Device
+acpivmgenid* at acpi? # ACPI Virtual Machine Generation ID
acpiwdrt* at acpi? # ACPI Watchdog Resource Table
acpiwmi* at acpi? # ACPI WMI Mapper
apei* at apeibus? # ACPI Platform Error Interfaces
diff -r 5be00488683c -r 1209429d9c2f sys/arch/evbarm/conf/GENERIC64
--- a/sys/arch/evbarm/conf/GENERIC64 Sun Aug 25 13:57:11 2024 +0000
+++ b/sys/arch/evbarm/conf/GENERIC64 Sun Aug 25 14:00:59 2024 +0000
@@ -127,6 +127,7 @@ acpifan* at acpi?
acpiged* at acpi?
acpilid* at acpi?
acpitz* at acpi?
+acpivmgenid* at acpi?
=20
# CPUs
cpus* at fdt? pass 0
diff -r 5be00488683c -r 1209429d9c2f sys/arch/i386/conf/GENERIC
--- a/sys/arch/i386/conf/GENERIC Sun Aug 25 13:57:11 2024 +0000
+++ b/sys/arch/i386/conf/GENERIC Sun Aug 25 14:00:59 2024 +0000
@@ -324,6 +324,7 @@ acpilid* at acpi? # ACPI Lid Switch
acpitz* at acpi? # ACPI Thermal Zone
acpivga* at acpi? # ACPI Display Adapter
acpiout* at acpivga? # ACPI Display Output Device
+acpivmgenid* at acpi? # ACPI Virtual Machine Generation ID
acpiwdrt* at acpi? # ACPI Watchdog Resource Table
acpiwmi* at acpi? # ACPI WMI Mapper
apei* at apeibus? # ACPI Platform Error Interfaces
--=_kfI//mdIC0kx2NGNjppVUyLgYbxCgVBW--
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src
Date: Mon, 26 Aug 2024 13:38:29 +0000
Module Name: src
Committed By: riastradh
Date: Mon Aug 26 13:38:29 UTC 2024
Modified Files:
src/distrib/sets/lists/man: mi
src/distrib/sets/lists/manhtml: mi
src/distrib/sets/lists/modules: md.amd64 md.i386
src/share/man/man4: Makefile
src/sys/arch/amd64/conf: ALL
src/sys/arch/i386/conf: ALL
src/sys/dev/acpi: files.acpi
src/sys/modules: Makefile
Added Files:
src/share/man/man4: acpivmgenid.4
src/sys/dev/acpi: acpi_vmgenid.c
src/sys/modules/acpivmgenid: Makefile acpivmgenid.ioconf
Log Message:
acpivmgenid(4): New driver for virtual machine generation ID.
Added to amd64/ALL and i386/ALL kernel configurations, and made
available as a loadable module acpivmgenid.kmod on x86, for now.
TBD: Add to all ACPI-supporting GENERIC kernels.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.1785 -r1.1786 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.7 -r1.8 src/distrib/sets/lists/manhtml/mi
cvs rdiff -u -r1.102 -r1.103 src/distrib/sets/lists/modules/md.amd64
cvs rdiff -u -r1.99 -r1.100 src/distrib/sets/lists/modules/md.i386
cvs rdiff -u -r1.734 -r1.735 src/share/man/man4/Makefile
cvs rdiff -u -r0 -r1.1 src/share/man/man4/acpivmgenid.4
cvs rdiff -u -r1.189 -r1.190 src/sys/arch/amd64/conf/ALL
cvs rdiff -u -r1.520 -r1.521 src/sys/arch/i386/conf/ALL
cvs rdiff -u -r0 -r1.1 src/sys/dev/acpi/acpi_vmgenid.c
cvs rdiff -u -r1.132 -r1.133 src/sys/dev/acpi/files.acpi
cvs rdiff -u -r1.291 -r1.292 src/sys/modules/Makefile
cvs rdiff -u -r0 -r1.1 src/sys/modules/acpivmgenid/Makefile \
src/sys/modules/acpivmgenid/acpivmgenid.ioconf
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/sys
Date: Mon, 26 Aug 2024 13:52:57 +0000
Module Name: src
Committed By: riastradh
Date: Mon Aug 26 13:52:56 UTC 2024
Modified Files:
src/sys/kern: kern_entropy.c
src/sys/sys: entropy.h
Log Message:
entropy(9): Factor out subroutines to reset and gather entropy.
`Reset' means we keep the data in the pool, but assume it had zero
entropy. `Gather' means we request samples from all on-demand
sources and wait for the synchronous ones to complete.
No functional change intended, other than to expose new symbols --
just preparation to expose these to acpivmgenid(4), so it can use
these when the VM host notifies us that we, the guest, have been
cloned.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.70 src/sys/kern/kern_entropy.c
cvs rdiff -u -r1.5 -r1.6 src/sys/sys/entropy.h
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/sys/dev/acpi
Date: Mon, 26 Aug 2024 13:53:22 +0000
Module Name: src
Committed By: riastradh
Date: Mon Aug 26 13:53:22 UTC 2024
Modified Files:
src/sys/dev/acpi: acpi_vmgenid.c
Log Message:
acpivmgenid(4): Reset and gather entropy on VM clone notification.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/dev/acpi/acpi_vmgenid.c
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/lib/libc/gen
Date: Mon, 26 Aug 2024 15:19:23 +0000
Module Name: src
Committed By: riastradh
Date: Mon Aug 26 15:19:22 UTC 2024
Modified Files:
src/lib/libc/gen: arc4random.c
Log Message:
arc4random(3): Reseed if system entropy epoch changes.
This can happen, for example, if the system is a VM instance, and the
VM is cloned.
This incurs the cost of a system call on every arc4random call, which
is unfortunate, but
1. we don't currently have a (machine-independent) mechanism for
exposing a read-only page to userland shared by the kernel to
enable a cheaper access path to the entropy epoch; and
2. the algorithm here -- a simple application of ChaCha -- is likely
also a bottleneck and could be much cheaper by
(a) using sys/crypto/chacha for machine-dependent vectorized
ChaCha code, and
(b) filling a buffer (somewhere between a cipher block and a page)
in a batch at a time, instead of running ChaCha to generate
only 32 bytes at a time.
So although this might be a performance hit, the security benefit is
worthwhile and we have a clear path to do better than reversing the
performance hit later.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/lib/libc/gen/arc4random.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/share/man/man4
Date: Mon, 26 Aug 2024 15:28:58 +0000
Module Name: src
Committed By: riastradh
Date: Mon Aug 26 15:28:58 UTC 2024
Modified Files:
src/share/man/man4: acpivmgenid.4
Log Message:
acpivmgenid(4): Nix BUGS that have been squashed.
Reference kern.entropy.epoch for the remaining bug (which is a
performance issue, not a security issue).
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/share/man/man4/acpivmgenid.4
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 26 Aug 2024 15:33:29 +0000
State-Changed-Why:
fixed in HEAD, needs pullup-10
pullup-9 is not likely to happen
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/sys/kern
Date: Mon, 26 Aug 2024 15:50:15 +0000
Module Name: src
Committed By: riastradh
Date: Mon Aug 26 15:50:15 UTC 2024
Modified Files:
src/sys/kern: kern_entropy.c
Log Message:
entropy(9): Allow unprivileged reads of sysctl kern.entropy.epoch.
Applications need this in order to know when to reseed. (We should
also expose it through a page shared read-only with userland for
cheaper access, but until we do, let's let applications get at it
through sysctl.)
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.70 -r1.71 src/sys/kern/kern_entropy.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
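The reseed rule from the two commit messages above (arc4random(3) reseeding when the entropy epoch changes, and kern.entropy.epoch being readable without privilege), as an added example that is not NetBSD's arc4random.c: a userland generator that re-reads the epoch before every draw and reseeds when it has moved or cannot be read. The `egen_*`, `seed_key` and `demo_*` names, the `/dev/urandom` seed source, the fast-key-erasure ChaCha20 output step and the `unsigned` width of the sysctl value are assumptions of this example; the VM clone is simulated by copying the generator state.

```c
/* Added illustration of an epoch-gated reseed; not NetBSD's arc4random.c. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __NetBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#endif

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do {						\
	a += b; d ^= a; d = ROTL32(d, 16); c += d; b ^= c; b = ROTL32(b, 12);	\
	a += b; d ^= a; d = ROTL32(d, 8);  c += d; b ^= c; b = ROTL32(b, 7);	\
} while (0)

/* One ChaCha20 block under a 32-byte key, counter and nonce zero. */
static void chacha20_block(const uint8_t key[32], uint8_t out[64])
{
	uint32_t x[16], in[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
	int i;

	for (i = 0; i < 32; i++)	/* little-endian key words */
		in[4 + i / 4] |= (uint32_t)key[i] << (8 * (i % 4));
	memcpy(x, in, sizeof(x));
	for (i = 0; i < 10; i++) {	/* 10 double rounds */
		QR(x[0], x[4], x[8], x[12]);	QR(x[1], x[5], x[9], x[13]);
		QR(x[2], x[6], x[10], x[14]);	QR(x[3], x[7], x[11], x[15]);
		QR(x[0], x[5], x[10], x[15]);	QR(x[1], x[6], x[11], x[12]);
		QR(x[2], x[7], x[8], x[13]);	QR(x[3], x[4], x[9], x[14]);
	}
	for (i = 0; i < 64; i++)	/* feed-forward, little-endian output */
		out[i] = (uint8_t)((x[i / 4] + in[i / 4]) >> (8 * (i % 4)));
}

#ifdef __NetBSD__
/* Assign to egen.read_epoch on NetBSD. The unsigned width is assumed here. */
static int sysctl_epoch(unsigned *epochp)
{
	size_t len = sizeof(*epochp);
	return sysctlbyname("kern.entropy.epoch", epochp, &len, NULL, 0) == 0 &&
	    len == sizeof(*epochp) ? 0 : -1;
}
#endif

static unsigned demo_epoch = 1;	/* constructed stand-in for the kernel epoch */
static int demo_read_epoch(unsigned *epochp) { *epochp = demo_epoch; return 0; }

struct egen {
	uint8_t key[32];
	unsigned epoch;			/* epoch the key was seeded under */
	int seeded;
	int (*read_epoch)(unsigned *);	/* returns 0 on success */
};

static int seed_key(uint8_t key[32])
{
	FILE *f = fopen("/dev/urandom", "rb");
	size_t n = f != NULL ? fread(key, 1, 32, f) : 0;
	if (f != NULL)
		fclose(f);
	return n == 32 ? 0 : -1;
}

/* Up to 32 bytes per call; returns -1 and writes nothing on failure. */
static int egen_bytes(struct egen *g, void *buf, size_t n)
{
	uint8_t block[64];
	unsigned epoch = 0;
	/* Read the epoch before seeding: a change in between shows up next call. */
	int known = g->read_epoch(&epoch) == 0;

	if (n > 32)
		return -1;
	if (!g->seeded || !known || epoch != g->epoch) { /* unknown: reseed */
		memset(g->key, 0, sizeof(g->key));
		g->seeded = seed_key(g->key) == 0;
		if (!g->seeded)
			return -1;	/* fail closed, no stale output */
		g->epoch = epoch;
	}
	chacha20_block(g->key, block);
	memcpy(g->key, block, 32);	/* fast key erasure: replace the key */
	memcpy(buf, block + 32, n);
	memset(block, 0, sizeof(block));
	return 0;
}

/* Constructed scenario: copy a seeded generator as a VM clone copies process
 * memory, then draw from both. Returns 1 if outputs differ, 0 if identical. */
int demo_clones_differ(int epoch_advances)
{
	struct egen a = { .read_epoch = demo_read_epoch }, b;
	uint8_t oa[32], ob[32];
	int fail = egen_bytes(&a, oa, 32);	/* first draw seeds a */

	b = a;					/* the "clone" */
	demo_epoch += epoch_advances != 0;
	fail |= egen_bytes(&a, oa, 32) | egen_bytes(&b, ob, 32);
	return fail ? -1 : memcmp(oa, ob, 32) != 0;
}
```

`demo_clones_differ(0)` returns 0, because a copied state under an unchanged epoch repeats its output; `demo_clones_differ(1)` returns 1, because both copies reseed once the epoch advances.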
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/lib/libc/gen
Date: Mon, 26 Aug 2024 15:50:26 +0000
Module Name: src
Committed By: riastradh
Date: Mon Aug 26 15:50:26 UTC 2024
Modified Files:
src/lib/libc/gen: arc4random.c
Log Message:
arc4random.c: Fix test program.
This isn't wired up anywhere, but let's reduce the bitrot. It was
helpful in reminding me that kern.entropy.epoch was, for reasons I
can't remember, restricted to privileged access.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/lib/libc/gen/arc4random.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/sys/arch
Date: Tue, 27 Aug 2024 00:56:16 +0000
Module Name: src
Committed By: riastradh
Date: Tue Aug 27 00:56:16 UTC 2024
Modified Files:
src/sys/arch/amd64/conf: GENERIC
src/sys/arch/evbarm/conf: GENERIC64
src/sys/arch/i386/conf: GENERIC
Log Message:
amd64, evbarm, i386: Add acpivmgenid(4) to GENERIC.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.613 -r1.614 src/sys/arch/amd64/conf/GENERIC
cvs rdiff -u -r1.218 -r1.219 src/sys/arch/evbarm/conf/GENERIC64
cvs rdiff -u -r1.1257 -r1.1258 src/sys/arch/i386/conf/GENERIC
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Jonas Böttiger <jonas.boettiger@icloud.com>
To: Taylor R Campbell <riastradh@NetBSD.org>
Cc: "gnats-bugs@netbsd.org" <gnats-bugs@NetBSD.org>,
"netbsd-bugs@netbsd.org" <netbsd-bugs@NetBSD.org>
Subject: Re: kern/58632 (getentropy(2) and arc4random(3) do not reseed on VM
fork)
Date: Tue, 27 Aug 2024 12:28:11 +0200
Thank you for the quick patch, awesome work!
One more thing: would it make sense to mention this in the man page for
arc4random and getentropy? For context, I’m implementing random number
generation in the Rust standard library (see
https://github.com/rust-lang/rust/pull/129201), and the library team
would quite like to make sure that the system sources we use protect
against VM forks
(https://github.com/rust-lang/rust/pull/129201#issuecomment-2302563968),
so having this as an explicit guarantee on NetBSD would ease some
concerns.
> On 25. Aug 2024, at 22:52, Taylor R Campbell <riastradh@NetBSD.org> wrote:
>
> The attached patch addresses part of the problem.
>
> There are some other parts to address -- noted in the man page for the
> new acpivmgenid(4) driver -- which I'll pick up later.
Attachment: pr58632-vmgenid.patch
# HG changeset patch
# User Taylor R Campbell <riastradh@NetBSD.org>
# Date 1724594231 0
# Sun Aug 25 13:57:11 2024 +0000
# Branch trunk
# Node ID 5be00488683c99f21ab86a2ae2106bacf7f3888a
# Parent cf7a8f9687ea781207542c43a006460dc134ea3b
# EXP-Topic riastradh-pr58632-vmgenid
acpivmgenid(4): New driver for virtual machine generation ID.
Added to amd64/ALL and i386/ALL kernel configurations, and made
available as a loadable module acpivmgenid.kmod on x86, for now.
TBD: Add to all ACPI-supporting GENERIC kernels.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
diff -r cf7a8f9687ea -r 5be00488683c distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Sat Aug 24 07:24:34 2024 +0000
+++ b/distrib/sets/lists/man/mi Sun Aug 25 13:57:11 2024 +0000
@@ -834,6 +834,7 @@
./usr/share/man/cat4/acpismbus.0 man-sys-catman =
.cat
./usr/share/man/cat4/acpitz.0 man-sys-catman =
.cat
./usr/share/man/cat4/acpivga.0 man-sys-catman =
.cat
+./usr/share/man/cat4/acpivmgenid.0 man-sys-catman =
.cat
./usr/share/man/cat4/acpiwdrt.0 man-sys-catman =
.cat
./usr/share/man/cat4/acpiwmi.0 man-sys-catman =
.cat
./usr/share/man/cat4/adb.0 man-sys-catman =
.cat
@@ -4391,6 +4392,7 @@
./usr/share/man/man4/acpismbus.4 man-sys-man =
.man
./usr/share/man/man4/acpitz.4 man-sys-man =
.man
./usr/share/man/man4/acpivga.4 man-sys-man =
.man
+./usr/share/man/man4/acpivmgenid.4 man-sys-man =
.man
./usr/share/man/man4/acpiwdrt.4 man-sys-man =
.man
./usr/share/man/man4/acpiwmi.4 man-sys-man =
.man
./usr/share/man/man4/adb.4 man-sys-man =
.man
diff -r cf7a8f9687ea -r 5be00488683c distrib/sets/lists/manhtml/mi
--- a/distrib/sets/lists/manhtml/mi Sat Aug 24 07:24:34 2024 +0000
+++ b/distrib/sets/lists/manhtml/mi Sun Aug 25 13:57:11 2024 +0000
@@ -755,6 +755,7 @@
./usr/share/man/html4/acpismbus.html man-sys-htmlman =
html
./usr/share/man/html4/acpitz.html man-sys-htmlman =
html
./usr/share/man/html4/acpivga.html man-sys-htmlman =
html
+./usr/share/man/html4/acpivmgenid.html man-sys-htmlman =
html
./usr/share/man/html4/acpiwdrt.html man-sys-htmlman =
html
./usr/share/man/html4/acpiwmi.html man-sys-htmlman =
html
./usr/share/man/html4/adb.html man-sys-htmlman =
html
diff -r cf7a8f9687ea -r 5be00488683c distrib/sets/lists/modules/md.amd64
--- a/distrib/sets/lists/modules/md.amd64 Sat Aug 24 07:24:34 2024 =
+0000
+++ b/distrib/sets/lists/modules/md.amd64 Sun Aug 25 13:57:11 2024 =
+0000
@@ -24,6 +24,8 @@
./@MODULEDIR@/acpiverbose/acpiverbose.kmod modules-base-kernel =
kmod
./@MODULEDIR@/acpivga modules-base-kernel =
kmod
./@MODULEDIR@/acpivga/acpivga.kmod modules-base-kernel =
kmod
+./@MODULEDIR@/acpivmgenid modules-base-kernel =
kmod
+./@MODULEDIR@/acpivmgenid/acpivmgenid.kmod modules-base-kernel =
kmod
./@MODULEDIR@/acpiwdrt modules-base-kernel =
kmod
./@MODULEDIR@/acpiwdrt/acpiwdrt.kmod modules-base-kernel =
kmod
./@MODULEDIR@/acpiwmi modules-base-kernel =
kmod
diff -r cf7a8f9687ea -r 5be00488683c distrib/sets/lists/modules/md.i386
--- a/distrib/sets/lists/modules/md.i386 Sat Aug 24 07:24:34 2024 =
+0000
+++ b/distrib/sets/lists/modules/md.i386 Sun Aug 25 13:57:11 2024 =
+0000
@@ -24,6 +24,8 @@
./@MODULEDIR@/acpiverbose/acpiverbose.kmod modules-base-kernel =
kmod
./@MODULEDIR@/acpivga modules-base-kernel =
kmod
./@MODULEDIR@/acpivga/acpivga.kmod modules-base-kernel =
kmod
+./@MODULEDIR@/acpivmgenid modules-base-kernel =
kmod
+./@MODULEDIR@/acpivmgenid/acpivmgenid.kmod modules-base-kernel =
kmod
./@MODULEDIR@/acpiwdrt modules-base-kernel =
kmod
./@MODULEDIR@/acpiwdrt/acpiwdrt.kmod modules-base-kernel =
kmod
./@MODULEDIR@/acpiwmi modules-base-kernel =
kmod
diff -r cf7a8f9687ea -r 5be00488683c share/man/man4/Makefile
--- a/share/man/man4/Makefile Sat Aug 24 07:24:34 2024 +0000
+++ b/share/man/man4/Makefile Sun Aug 25 13:57:11 2024 +0000
@@ -100,7 +100,8 @@ MAN+=3D irframe.4 cir.4 irframetty.4 oboe.
# ACPI devices
MAN+=3D acpi.4 acpiacad.4 acpibat.4 acpibut.4 acpicpu.4 \
acpidalb.4 acpiec.4 acpifan.4 acpihed.4 acpilid.4 \
- acpipmtr.4 acpismbus.4 acpitz.4 acpivga.4 acpiwdrt.4 acpiwmi.4
+ acpipmtr.4 acpismbus.4 acpitz.4 acpivga.4 acpivmgenid.4 \
+ acpiwdrt.4 acpiwmi.4
MAN+=3D apei.4
=20
# Radio devices
diff -r cf7a8f9687ea -r 5be00488683c share/man/man4/acpivmgenid.4
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/man/man4/acpivmgenid.4 Sun Aug 25 13:57:11 2024 +0000
@@ -0,0 +1,112 @@
+.\" $NetBSD$
+.\"
+.\" Copyright (c) 2024 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above =
copyright
+.\" notice, this list of conditions and the following disclaimer in =
the
+.\" documentation and/or other materials provided with the =
distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND =
CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT =
LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A =
PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR =
CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, =
OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT =
OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR =
BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, =
WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR =
OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED =
OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 25, 2024
+.Dt ACPIVMGENID 4
+.Os
=
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
""""""
+.Sh NAME
+.Nm acpivmgenid
+.Nd ACPI Virtual Machine Generation ID
=
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
""""""
+.Sh SYNOPSIS
+.Cd "acpivmgenid* at acpi?"
=
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
""""""
+.Sh DESCRIPTION
+.Nm
+provides a generation ID for virtual machines.
+.Pp
+When starting two otherwise identical virtual machines, whether from
+the same clean image or by cloning snapshots or any other mechanism,
+the VM host may choose a different generation ID.
+Although this generation ID is not secret, it is incorporated into the
+.Xr entropy 7
+pool (with a measure of zero entropy) so that the two virtual machines
+will produce independent random output.
+.Pp
+If a live VM is cloned, the VM host may change the generation ID in one
+or both of the clones and notify them through the
+.Nm
+device.
+When this happens,
+.Nx
+will reseed system random number generators, so that output of
+.Pa /dev/urandom
+and
+.Xr getentropy 3
+will be independent in the two clones.
=
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
""""""
+.Sh SYSCTLS
+The following
+.Xr sysctl 7
+nodes are available:
+.Bl -tag -width Li
+.It Li "hw.acpivmgenid" Ns Va N Ns Li ".id"
+The current 16-byte VM generation ID.
+.It Li "hw.acpivmgenid" Ns Va N Ns Li ".paddr"
+The physical address of the VM generation ID provided by the host.
+.El
=
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
""""""
+.Sh SEE ALSO
+.Xr arc4random 3 ,
+.Xr getentropy 3 ,
+.Xr rnd 4 ,
+.Xr entropy 7
+.Rs
+.%T Virtual Machine Generation ID
+.%Q Microsoft
+.%D 2018-08-01
+.%U http://go.microsoft.com/fwlink/?LinkId=3D260709
+.Re
+.Rs
+.%T Virtual Machine Generation ID Device
+.%Q The QEMU Project Developers
+.%U https://www.qemu.org/docs/master/specs/vmgenid.html
+.Re
=
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
""""""
+.Sh HISTORY
+The
+.Nm
+driver first appeared in
+.Nx 11.0 .
=
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""=
""""""
+.Sh BUGS
+Currently
+.Nx
+does not request fresh samples from all on-demand entropy sources when
+the VM generation ID changes, so although the outputs of the system
+entropy pool appear independent to an outside observer, disclosing the
+kernel memory of one VM clone to an adversary may allow the adversary
+to predict another VM clone's
+.Pa /dev/urandom
+outputs.
+.Pp
+Currently
+.Xr arc4random 3
+is not reseeded when the VM generation ID changes.
+.Pp
+Currently there is no cheaper way to detect VM generation ID changes
+than to query sysctl.
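Review bot: The last BUGS paragraph ("no cheaper way to detect VM generation ID changes than to query sysctl") does not name a node, and the two nodes SYSCTLS documents, hw.acpivmgenidN.id and hw.acpivmgenidN.paddr, are created with CTLFLAG_PRIVATE in acpi_vmgenid.c, which the page does not mention. Suggest naming the node an application should poll and stating the access restriction under SYSCTLS. The Microsoft reference is dated 2018-08-01 here and 2012-08-01 in the driver's header comment, so one of the two needs correcting.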
diff -r cf7a8f9687ea -r 5be00488683c sys/arch/amd64/conf/ALL
--- a/sys/arch/amd64/conf/ALL Sat Aug 24 07:24:34 2024 +0000
+++ b/sys/arch/amd64/conf/ALL Sun Aug 25 13:57:11 2024 +0000
@@ -381,6 +381,7 @@ acpismbus* at acpi? # ACPI SMBus CMI =
(e
acpitz* at acpi? # ACPI Thermal Zone
acpivga* at acpi? # ACPI Display Adapter
acpiout* at acpivga? # ACPI Display Output Device
+acpivmgenid* at acpi? # ACPI Virtual Machine =
Generation ID
acpiwdrt* at acpi? # ACPI Watchdog Resource Table
acpiwmi* at acpi? # ACPI WMI Mapper
apei* at apeibus? # ACPI Platform Error Interfaces
diff -r cf7a8f9687ea -r 5be00488683c sys/arch/i386/conf/ALL
--- a/sys/arch/i386/conf/ALL Sat Aug 24 07:24:34 2024 +0000
+++ b/sys/arch/i386/conf/ALL Sun Aug 25 13:57:11 2024 +0000
@@ -368,6 +368,7 @@ acpismbus* at acpi? # ACPI SMBus CMI =
(e
acpitz* at acpi? # ACPI Thermal Zone
acpivga* at acpi? # ACPI Display Adapter
acpiout* at acpivga? # ACPI Display Output Device
+acpivmgenid* at acpi? # ACPI Virtual Machine =
Generation ID
acpiwdrt* at acpi? # ACPI Watchdog Resource Table
acpiwmi* at acpi? # ACPI WMI Mapper
apei* at apeibus? # ACPI Platform Error Interfaces
diff -r cf7a8f9687ea -r 5be00488683c sys/dev/acpi/acpi_vmgenid.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/dev/acpi/acpi_vmgenid.c Sun Aug 25 13:57:11 2024 +0000
@@ -0,0 +1,346 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2024 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in =
the
+ * documentation and/or other materials provided with the =
distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND =
CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT =
LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A =
PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR =
CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, =
OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR =
BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER =
IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR =
OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED =
OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Virtual Machine Generation ID
+ *
+ * The VMGENID is an 8-byte cookie shared between a VM host and VM
+ * guest. Whenever the host clones a VM, it changes the VMGENID
+ * and sends an ACPI notification to the guest.
+ *
+ * References:
+ *
+ * `Virtual Machine Generation ID', Microsoft, 2012-08-01.
+ * http://go.microsoft.com/fwlink/?LinkId=3D260709
+ *
+ * `Virtual Machine Generation ID Device', The QEMU Project
+ * Developers.
+ * https://www.qemu.org/docs/master/specs/vmgenid.html
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD$");
+
+#include <sys/device.h>
+#include <sys/entropy.h>
+#include <sys/module.h>
+#include <sys/rndsource.h>
+#include <sys/sysctl.h>
+
+#include <dev/acpi/acpireg.h>
+#include <dev/acpi/acpivar.h>
+
+#define _COMPONENT ACPI_RESOURCE_COMPONENT
+ACPI_MODULE_NAME ("acpi_vmgenid")
+
+struct acpivmgenid {
+ uint8_t id[16];
+} __aligned(8);
+
+struct acpivmgenid_softc {
+ device_t sc_dev;
+ struct acpi_devnode *sc_node;
+ uint64_t sc_paddr;
+ struct acpivmgenid *sc_vaddr;
+ struct acpivmgenid sc_cur;
+ struct krndsource sc_rndsource;
+ struct sysctllog *sc_sysctllog;
+ const struct sysctlnode *sc_sysctlroot;
+};
+
+static int acpivmgenid_match(device_t, cfdata_t, void *);
+static void acpivmgenid_attach(device_t, device_t, void *);
+static int acpivmgenid_detach(device_t, int);
+static void acpivmgenid_set(struct acpivmgenid_softc *, const char *);
+static void acpivmgenid_notify(ACPI_HANDLE, uint32_t, void *);
+static void acpivmgenid_reset(void *);
+static int acpivmgenid_sysctl(SYSCTLFN_ARGS);
+
+static const struct device_compatible_entry compat_data[] =3D {
+ { .compat =3D "VM_Gen_Counter" }, /* from the =
Microsoft spec */
+ { .compat =3D "VM_GEN_COUNTER" }, /* used by qemu =
*/
+ { .compat =3D "VMGENCTR" }, /* recognized by Linux =
*/
+ DEVICE_COMPAT_EOL
+};
+
+CFATTACH_DECL_NEW(acpivmgenid, sizeof(struct acpivmgenid_softc),
+ acpivmgenid_match, acpivmgenid_attach, acpivmgenid_detach, NULL);
+
+static int
+acpivmgenid_match(device_t parent, cfdata_t match, void *aux)
+{
+ const struct acpi_attach_args *const aa =3D aux;
+
+ return acpi_compatible_match(aa, compat_data);
+}
+
+static void
+acpivmgenid_attach(device_t parent, device_t self, void *aux)
+{
+ struct acpivmgenid_softc *const sc =3D device_private(self);
+ const struct acpi_attach_args *const aa =3D aux;
+ ACPI_BUFFER addrbuf =3D {
+ .Pointer =3D NULL,
+ .Length =3D ACPI_ALLOCATE_BUFFER,
+ };
+ ACPI_OBJECT *addrobj, *addrarr;
+ ACPI_STATUS rv;
+ int error;
+
+ aprint_naive(": ACPI VM Generation ID\n");
+ aprint_normal(": ACPI VM Generation ID\n");
+
+ sc->sc_dev =3D self;
+ sc->sc_node =3D aa->aa_node;
+
+ /*
+ * Get the address from the ADDR object, which is a package of
+ * two 32-bit integers representing the low and high halves of
+ * a 64-bit physical address.
+ */
+ rv =3D AcpiEvaluateObjectTyped(sc->sc_node->ad_handle, "ADDR", =
NULL,
+ &addrbuf, ACPI_TYPE_PACKAGE);
+ if (ACPI_FAILURE(rv)) {
+ aprint_error_dev(self, "failed to get ADDR: %s\n",
+ AcpiFormatException(rv));
+ goto out;
+ }
+ addrobj =3D addrbuf.Pointer;
+ if (addrobj->Type !=3D ACPI_TYPE_PACKAGE ||
+ addrobj->Package.Count !=3D 2) {
+ aprint_error_dev(self, "invalid ADDR\n");
+ goto out;
+ }
+ addrarr =3D addrobj->Package.Elements;
+ if (addrarr[0].Type !=3D ACPI_TYPE_INTEGER ||
+ addrarr[1].Type !=3D ACPI_TYPE_INTEGER ||
+ addrarr[0].Integer.Value > UINT32_MAX ||
+ addrarr[1].Integer.Value > UINT32_MAX) {
+ aprint_error_dev(self, "invalid ADDR\n");
+ goto out;
+ }
+ sc->sc_paddr =3D =
(ACPI_PHYSICAL_ADDRESS)addrarr[0].Integer.Value;
+ sc->sc_paddr |=3D =
(ACPI_PHYSICAL_ADDRESS)addrarr[1].Integer.Value << 32;
+ aprint_normal_dev(self, "paddr=3D0x%"PRIx64"\n", =
(uint64_t)sc->sc_paddr);
+
+ /*
+ * Map the physical address into virtual address space.
+ */
+ sc->sc_vaddr =3D AcpiOsMapMemory(sc->sc_paddr, =
sizeof(*sc->sc_vaddr));
+ if (sc->sc_vaddr =3D=3D NULL) {
+ aprint_error_dev(self, "failed to map address\n");
+ goto out;
+ }
+
+ /*
+ * Register a random source so we can attribute samples.
+ */
+ rnd_attach_source(&sc->sc_rndsource, device_xname(self),
+ RND_TYPE_UNKNOWN, =
RND_FLAG_COLLECT_TIME|RND_FLAG_COLLECT_VALUE);
+
+ /*
+ * Register an ACPI notifier so that we can detect changes.
+ */
+ (void)acpi_register_notify(sc->sc_node, acpivmgenid_notify);
+
+ /*
+ * Now that we have registered a random source and a notifier,
+ * read out the first value.
+ */
+ acpivmgenid_set(sc, "initial");
+
+ /*
+ * Attach a sysctl tree, rooted at hw.acpivmgenidN.
+ */
+ error =3D sysctl_createv(&sc->sc_sysctllog, 0, NULL, =
&sc->sc_sysctlroot,
+ CTLFLAG_PERMANENT, CTLTYPE_NODE, device_xname(self),
+ SYSCTL_DESCR("Virtual Machine Generation ID device"),
+ NULL, 0, NULL, 0,
+ CTL_HW, CTL_CREATE, CTL_EOL);
+ if (error) {
+ aprint_error_dev(self, "failed to create sysctl hw.%s: =
%d\n",
+ device_xname(self), error);
+ goto out;
+ }
+
+ /*
+ * hw.acpivmgenidN.id (`struct', 16-byte array)
+ */
+ error =3D sysctl_createv(&sc->sc_sysctllog, 0, =
&sc->sc_sysctlroot, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READONLY|CTLFLAG_PRIVATE, =
CTLTYPE_STRUCT,
+ "id", SYSCTL_DESCR("Virtual Machine Generation ID device"),
+ &acpivmgenid_sysctl, 0, sc, sizeof(struct acpivmgenid),
+ CTL_CREATE, CTL_EOL);
+ if (error) {
+ aprint_error_dev(self,
+ "failed to create sysctl hw.%s.id: %d\n",
+ device_xname(self), error);
+ goto out;
+ }
+
+ /*
+ * hw.acpivmgenidN.paddr (64-bit integer)
+ */
+ __CTASSERT(sizeof(ACPI_PHYSICAL_ADDRESS) =3D=3D sizeof(long));
+ error =3D sysctl_createv(&sc->sc_sysctllog, 0, =
&sc->sc_sysctlroot, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READONLY|CTLFLAG_PRIVATE, =
CTLTYPE_LONG,
+ "paddr", SYSCTL_DESCR("Virtual Machine Generation ID =
device"),
+ NULL, 0, &sc->sc_paddr, sizeof(sc->sc_paddr),
+ CTL_CREATE, CTL_EOL);
+ if (error) {
+ aprint_error_dev(self,
+ "failed to create sysctl hw.%s.paddr: %d\n",
+ device_xname(self), error);
+ goto out;
+ }
+
+out: ACPI_FREE(addrbuf.Pointer);
+}
+
+static int
+acpivmgenid_detach(device_t self, int flags)
+{
+ struct acpivmgenid_softc *const sc =3D device_private(self);
+ int error;
+
+ error =3D config_detach_children(self, flags);
+ if (error)
+ return error;
+
+ sysctl_teardown(&sc->sc_sysctllog);
+ acpi_deregister_notify(sc->sc_node);
+ rnd_detach_source(&sc->sc_rndsource);
+ if (sc->sc_vaddr) {
+ AcpiOsUnmapMemory(sc->sc_vaddr, sizeof(*sc->sc_vaddr));
+ sc->sc_vaddr =3D NULL; /* paranoia */
+ }
+ sc->sc_paddr =3D 0; /* paranoia */
+
+ return 0;
+}
+
+static void
+acpivmgenid_set(struct acpivmgenid_softc *sc, const char *prefix)
+{
+ struct acpivmgenid vmgenid;
+ char vmgenidstr[2*__arraycount(vmgenid.id) + 1];
+ unsigned i;
+
+ /*
+ * Grab the current VM generation ID. No obvious way to make
+ * this atomic, so let's hope if it changes in the middle we'll
+ * get another notification.
+ */
+ memcpy(&vmgenid, sc->sc_vaddr, sizeof(vmgenid));
+
+ /*
+ * Print the VM generation ID to the console for posterity.
+ */
+ for (i =3D 0; i < __arraycount(vmgenid.id); i++) {
+ vmgenidstr[2*i] =3D "0123456789abcdef"[vmgenid.id[i] >> =
4];
+ vmgenidstr[2*i + 1] =3D "0123456789abcdef"[vmgenid.id[i] =
& 0xf];
+ }
+ vmgenidstr[2*sizeof(vmgenid)] =3D '\0';
+ aprint_verbose_dev(sc->sc_dev, "%s: %s\n", prefix, vmgenidstr);
+
+ /*
+ * Enter the new VM generation ID into the entropy pool.
+ */
+ rnd_add_data(&sc->sc_rndsource, &vmgenid, sizeof(vmgenid), 0);
+}
+
+static void
+acpivmgenid_notify(ACPI_HANDLE hdl, uint32_t notify, void *opaque)
+{
+ const device_t self =3D opaque;
+ struct acpivmgenid_softc *const sc =3D device_private(self);
+
+ if (notify !=3D 0x80) {
+ aprint_debug_dev(self, "unknown notify 0x%02x\n", =
notify);
+ return;
+ }
+
+ (void)AcpiOsExecute(OSL_NOTIFY_HANDLER, &acpivmgenid_reset, sc);
+}
+
+static void
+acpivmgenid_reset(void *cookie)
+{
+ struct acpivmgenid_softc *const sc =3D cookie;
+
+ /*
+ * Grab the current VM generation ID to put it into the entropy
+ * pool; then force consolidation so it affects all subsequent
+ * draws from the entropy pool and the entropy epoch advances.
+ *
+ * XXX This should also reset the entropy count and request new
+ * samples from all sources, but there currently isn't a good
+ * way to do that after boot.
+ */
+ acpivmgenid_set(sc, "cloned");
+ entropy_consolidate();
+}
+
+static int
+acpivmgenid_sysctl(SYSCTLFN_ARGS)
+{
+ struct sysctlnode node =3D *rnode;
+ struct acpivmgenid_softc *const sc =3D node.sysctl_data;
+
+ node.sysctl_data =3D sc->sc_vaddr;
+ return sysctl_lookup(SYSCTLFN_CALL(&node));
+}
+
+MODULE(MODULE_CLASS_DRIVER, acpivmgenid, NULL);
+
+#ifdef _MODULE
+#include "ioconf.c"
+#endif
+
+static int
+acpivmgenid_modcmd(modcmd_t cmd, void *opaque)
+{
+ int error =3D 0;
+
+ switch (cmd) {
+ case MODULE_CMD_INIT:
+#ifdef _MODULE
+ error =3D =
config_init_component(cfdriver_ioconf_acpivmgenid,
+ cfattach_ioconf_acpivmgenid, =
cfdata_ioconf_acpivmgenid);
+#endif
+ return error;
+ case MODULE_CMD_FINI:
+#ifdef _MODULE
+ error =3D =
config_fini_component(cfdriver_ioconf_acpivmgenid,
+ cfattach_ioconf_acpivmgenid, =
cfdata_ioconf_acpivmgenid);
+#endif
+ return error;
+ default:
+ return ENOTTY;
+ }
+}
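Review bot: In acpivmgenid_attach the result of acpi_register_notify() is thrown away with a (void) cast, so a failed registration leaves a device that attaches cleanly, mixes in the initial ID, and then never sees notify 0x80 or calls entropy_consolidate() after a clone; check the result and report it with aprint_error_dev(). Also in attach, the early "goto out" paths run before rnd_attach_source() and the notifier registration, yet acpivmgenid_detach calls rnd_detach_source() and acpi_deregister_notify() unconditionally. Smaller points: the header comment says the VMGENID is an 8-byte cookie while struct acpivmgenid holds id[16]; sc_cur is declared but never written, and acpivmgenid_sysctl reads the live mapping sc_vaddr instead; hw.acpivmgenidN.paddr exports the uint64_t sc_paddr as CTLTYPE_LONG, and the __CTASSERT compares ACPI_PHYSICAL_ADDRESS, not sc_paddr, with long, which matters on i386 where this patch also enables the driver.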
diff -r cf7a8f9687ea -r 5be00488683c sys/dev/acpi/files.acpi
--- a/sys/dev/acpi/files.acpi Sat Aug 24 07:24:34 2024 +0000
+++ b/sys/dev/acpi/files.acpi Sun Aug 25 13:57:11 2024 +0000
@@ -116,6 +116,11 @@ device acpicppc: acpipcc
attach acpicppc at acpinodebus
file dev/acpi/acpi_cppc.c acpicppc
=20
+# ACPI Virtual Machine Generation ID
+device acpivmgenid
+attach acpivmgenid at acpinodebus
+file dev/acpi/acpi_vmgenid.c acpivmgenid
+
# ACPI Platform Error Interface
device apei
attach apei at apeibus
diff -r cf7a8f9687ea -r 5be00488683c sys/modules/Makefile
--- a/sys/modules/Makefile Sat Aug 24 07:24:34 2024 +0000
+++ b/sys/modules/Makefile Sun Aug 25 13:57:11 2024 +0000
@@ -298,6 +298,7 @@ SUBDIR+=3D acpilid
SUBDIR+=3D acpipmtr
SUBDIR+=3D acpitz
SUBDIR+=3D acpivga
+SUBDIR+=3D acpivmgenid
SUBDIR+=3D acpiwdrt
SUBDIR+=3D acpiwmi
SUBDIR+=3D aibs
diff -r cf7a8f9687ea -r 5be00488683c sys/modules/acpivmgenid/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/modules/acpivmgenid/Makefile Sun Aug 25 13:57:11 2024 +0000
@@ -0,0 +1,11 @@
+# $NetBSD$
+
+.include "../Makefile.inc"
+
+.PATH: ${S}/dev/acpi
+
+KMOD=3D acpivmgenid
+IOCONF=3D acpivmgenid.ioconf
+SRCS=3D acpi_vmgenid.c
+
+.include <bsd.kmodule.mk>
diff -r cf7a8f9687ea -r 5be00488683c =
sys/modules/acpivmgenid/acpivmgenid.ioconf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/modules/acpivmgenid/acpivmgenid.ioconf Sun Aug 25 =
13:57:11 2024 +0000
@@ -0,0 +1,10 @@
+# $NetBSD$
+
+ioconf acpivmgenid
+
+include "conf/files"
+include "dev/acpi/files.acpi"
+
+pseudo-root acpi*
+
+acpivmgenid* at acpi?
# HG changeset patch
# User Taylor R Campbell <riastradh@NetBSD.org>
# Date 1724594459 0
# Sun Aug 25 14:00:59 2024 +0000
# Branch trunk
# Node ID 1209429d9c2f1be453574307f2a1b7021ff1bfbd
# Parent 5be00488683c99f21ab86a2ae2106bacf7f3888a
# EXP-Topic riastradh-pr58632-vmgenid
amd64, evbarm, i386: Add acpivmgenid(4) to GENERIC.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
diff -r 5be00488683c -r 1209429d9c2f sys/arch/amd64/conf/GENERIC
--- a/sys/arch/amd64/conf/GENERIC Sun Aug 25 13:57:11 2024 +0000
+++ b/sys/arch/amd64/conf/GENERIC Sun Aug 25 14:00:59 2024 +0000
@@ -341,6 +341,7 @@ acpilid* at acpi? # ACPI Lid =
Switch
acpitz* at acpi? # ACPI Thermal Zone
acpivga* at acpi? # ACPI Display Adapter
acpiout* at acpivga? # ACPI Display Output Device
+acpivmgenid* at acpi? # ACPI Virtual Machine =
Generation ID
acpiwdrt* at acpi? # ACPI Watchdog Resource Table
acpiwmi* at acpi? # ACPI WMI Mapper
apei* at apeibus? # ACPI Platform Error Interfaces
diff -r 5be00488683c -r 1209429d9c2f sys/arch/evbarm/conf/GENERIC64
--- a/sys/arch/evbarm/conf/GENERIC64 Sun Aug 25 13:57:11 2024 +0000
+++ b/sys/arch/evbarm/conf/GENERIC64 Sun Aug 25 14:00:59 2024 +0000
@@ -127,6 +127,7 @@ acpifan* at acpi?
acpiged* at acpi?
acpilid* at acpi?
acpitz* at acpi?
+acpivmgenid* at acpi?
=20
# CPUs
cpus* at fdt? pass 0
diff -r 5be00488683c -r 1209429d9c2f sys/arch/i386/conf/GENERIC
--- a/sys/arch/i386/conf/GENERIC Sun Aug 25 13:57:11 2024 +0000
+++ b/sys/arch/i386/conf/GENERIC Sun Aug 25 14:00:59 2024 +0000
@@ -324,6 +324,7 @@ acpilid* at acpi? # ACPI Lid =
Switch
acpitz* at acpi? # ACPI Thermal Zone
acpivga* at acpi? # ACPI Display Adapter
acpiout* at acpivga? # ACPI Display Output Device
+acpivmgenid* at acpi? # ACPI Virtual Machine =
Generation ID
acpiwdrt* at acpi? # ACPI Watchdog Resource Table
acpiwmi* at acpi? # ACPI WMI Mapper
apei* at apeibus? # ACPI Platform Error Interfaces
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/share/man/man4
Date: Tue, 27 Aug 2024 11:21:02 +0000
Module Name: src
Committed By: riastradh
Date: Tue Aug 27 11:21:02 UTC 2024
Modified Files:
src/share/man/man4: rnd.4
Log Message:
rnd(4): Document kern.entropy.epoch is unprivileged and elaborate.
Cross-reference acpivmgenid(4).
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/share/man/man4/rnd.4
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/lib/libc/gen
Date: Tue, 27 Aug 2024 11:55:16 +0000
Module Name: src
Committed By: riastradh
Date: Tue Aug 27 11:55:16 UTC 2024
Modified Files:
src/lib/libc/gen: arc4random.3
Log Message:
arc4random(3): Note that arc4random respects kern.entropy.epoch.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/lib/libc/gen/arc4random.3
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src
Date: Tue, 27 Aug 2024 13:43:02 +0000
Module Name: src
Committed By: riastradh
Date: Tue Aug 27 13:43:02 UTC 2024
Modified Files:
src/distrib/sets/lists/debug: mi
src/distrib/sets/lists/tests: mi
src/lib/libc/gen: arc4random.c
src/lib/libc/include: reentrant.h
src/tests/lib/libc/gen: Makefile
Added Files:
src/lib/libc/include: arc4random.h
src/tests/lib/libc/gen: t_arc4random.c
Log Message:
arc4random(3): Add automatic tests.

This verifies that:
- arc4random zeroes its state and reseeds itself on fork
- arc4random reseeds itself on entropy consolidation (e.g., VM clone)
- arc4random falls back to global state if it can't allocate local
  state because address space limits cause mmap to fail

NOTE: This adds a new libc symbol __arc4random_global, but it's in
the reserved namespace and only used by t_arc4random, so no libc
minor bump.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

To generate a diff of this commit:
cvs rdiff -u -r1.445 -r1.446 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.1333 -r1.1334 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.36 -r1.37 src/lib/libc/gen/arc4random.c
cvs rdiff -u -r0 -r1.1 src/lib/libc/include/arc4random.h
cvs rdiff -u -r1.21 -r1.22 src/lib/libc/include/reentrant.h
cvs rdiff -u -r1.55 -r1.56 src/tests/lib/libc/gen/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/lib/libc/gen/t_arc4random.c
From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc:
Subject: Re: kern/58632: getentropy(2) and arc4random(3) do not reseed on VM fork
Date: Wed, 28 Aug 2024 13:45:11 +0000
Missed a spot for pullup-10:
https://mail-index.netbsd.org/source-changes/2024/08/27/msg153091.html
Module Name: src
Committed By: martin
Date: Tue Aug 27 13:30:57 UTC 2024
Modified Files:
src/distrib/sets/lists/debug: module.md.amd64 module.md.i386
Log Message:
Add debug info for new acpivmgenid module
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/distrib/sets/lists/debug/module.md.amd64
cvs rdiff -u -r1.11 -r1.12 src/distrib/sets/lists/debug/module.md.i386
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/lib/libc/gen
Date: Wed, 28 Aug 2024 14:08:48 +0000
Module Name: src
Committed By: riastradh
Date: Wed Aug 28 14:08:48 UTC 2024
Modified Files:
src/lib/libc/gen: getentropy.3
Log Message:
getentropy(3): Note intent to reseed on VM clone, and caveats.
Tidy markup and pacify some mandoc -Tlint complaints while here.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/lib/libc/gen/getentropy.3
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src
Date: Wed, 28 Aug 2024 14:39:16 +0000
Module Name: src
Committed By: riastradh
Date: Wed Aug 28 14:39:16 UTC 2024
Modified Files:
src/lib/libc/gen: arc4random.3
src/share/man/man4: acpivmgenid.4 rnd.4
Log Message:
Bump dates on man pages recently updated to mention VM clones.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/lib/libc/gen/arc4random.3
cvs rdiff -u -r1.2 -r1.3 src/share/man/man4/acpivmgenid.4
cvs rdiff -u -r1.43 -r1.44 src/share/man/man4/rnd.4
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: src/lib/libc/gen
Date: Thu, 29 Aug 2024 13:39:42 +0000
Module Name: src
Committed By: riastradh
Date: Thu Aug 29 13:39:42 UTC 2024
Modified Files:
src/lib/libc/gen: Makefile.inc arc4random.c
Log Message:
arc4random(3): Pacify some of lint's complaints.
PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork
To generate a diff of this commit:
cvs rdiff -u -r1.218 -r1.219 src/lib/libc/gen/Makefile.inc
cvs rdiff -u -r1.37 -r1.38 src/lib/libc/gen/arc4random.c
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Wed, 09 Oct 2024 02:18:43 +0000
State-Changed-Why:
pullup-10 #939 https://releng.netbsd.org/cgi-bin/req-10.cgi?show=939
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58632 CVS commit: [netbsd-10] src
Date: Wed, 9 Oct 2024 13:25:14 +0000
Module Name: src
Committed By: martin
Date: Wed Oct 9 13:25:13 UTC 2024
Modified Files:
src/distrib/sets/lists/debug [netbsd-10]: mi module.md.amd64
module.md.i386
src/distrib/sets/lists/man [netbsd-10]: mi
src/distrib/sets/lists/modules [netbsd-10]: md.amd64 md.i386
src/distrib/sets/lists/tests [netbsd-10]: mi
src/lib/libc/gen [netbsd-10]: Makefile.inc arc4random.3 arc4random.c
getentropy.3
src/lib/libc/include [netbsd-10]: reentrant.h
src/share/man/man4 [netbsd-10]: Makefile rnd.4
src/sys/arch/amd64/conf [netbsd-10]: ALL GENERIC
src/sys/arch/evbarm/conf [netbsd-10]: GENERIC64
src/sys/arch/i386/conf [netbsd-10]: ALL GENERIC
src/sys/dev/acpi [netbsd-10]: files.acpi
src/sys/kern [netbsd-10]: kern_entropy.c
src/sys/modules [netbsd-10]: Makefile
src/sys/sys [netbsd-10]: entropy.h
src/tests/lib/libc/gen [netbsd-10]: Makefile
Added Files:
src/lib/libc/include [netbsd-10]: arc4random.h
src/share/man/man4 [netbsd-10]: acpivmgenid.4
src/sys/dev/acpi [netbsd-10]: acpi_vmgenid.c
src/sys/modules/acpivmgenid [netbsd-10]: Makefile acpivmgenid.ioconf
src/tests/lib/libc/gen [netbsd-10]: t_arc4random.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #939):
distrib/sets/lists/debug/module.md.amd64: revision 1.18
sys/modules/Makefile: revision 1.292
lib/libc/gen/arc4random.c: revision 1.34
lib/libc/gen/arc4random.c: revision 1.35
lib/libc/gen/arc4random.c: revision 1.36
lib/libc/gen/arc4random.c: revision 1.37
sys/kern/kern_entropy.c: revision 1.70
lib/libc/gen/arc4random.c: revision 1.38
sys/kern/kern_entropy.c: revision 1.71
lib/libc/gen/getentropy.3: revision 1.8
distrib/sets/lists/modules/md.amd64: revision 1.103
share/man/man4/rnd.4: revision 1.42
share/man/man4/rnd.4: revision 1.44
lib/libc/include/arc4random.h: revision 1.1
distrib/sets/lists/man/mi: revision 1.1786
sys/arch/i386/conf/GENERIC: revision 1.1258
sys/modules/acpivmgenid/acpivmgenid.ioconf: revision 1.1
sys/arch/amd64/conf/ALL: revision 1.190
distrib/sets/lists/debug/mi: revision 1.446
sys/arch/i386/conf/ALL: revision 1.521
lib/libc/gen/Makefile.inc: revision 1.219
distrib/sets/lists/debug/module.md.i386: revision 1.12
sys/dev/acpi/acpi_vmgenid.c: revision 1.1
sys/dev/acpi/acpi_vmgenid.c: revision 1.2
lib/libc/include/reentrant.h: revision 1.22
sys/arch/evbarm/conf/GENERIC64: revision 1.219
share/man/man4/Makefile: revision 1.735
distrib/sets/lists/modules/md.i386: revision 1.100
distrib/sets/lists/tests/mi: revision 1.1334
lib/libc/gen/arc4random.3: revision 1.22
sys/dev/acpi/files.acpi: revision 1.133
lib/libc/gen/arc4random.3: revision 1.23
tests/lib/libc/gen/t_arc4random.c: revision 1.1
sys/sys/entropy.h: revision 1.6
sys/arch/amd64/conf/GENERIC: revision 1.614
sys/modules/acpivmgenid/Makefile: revision 1.1
share/man/man4/acpivmgenid.4: revision 1.1
lib/libc/gen/Makefile.inc: revision 1.220
tests/lib/libc/gen/Makefile: revision 1.56
share/man/man4/acpivmgenid.4: revision 1.2
share/man/man4/acpivmgenid.4: revision 1.3
(all via patch)

Catch up with all the lint warnings since exit on warning was disabled.
Disable 'missing header declaration' and 'nested extern' warnings for now.

acpivmgenid(4): New driver for virtual machine generation ID.

Added to amd64/ALL and i386/ALL kernel configurations, and made
available as a loadable module acpivmgenid.kmod on x86, for now.

TBD: Add to all ACPI-supporting GENERIC kernels.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

entropy(9): Factor out subroutines to reset and gather entropy.

`Reset' means we keep the data in the pool, but assume it had zero
entropy. `Gather' means we request samples from all on-demand
sources and wait for the synchronous ones to complete.

No functional change intended, other than to expose new symbols --
just preparation to expose these to acpivmgenid(4), so it can use
these when the VM host notifies us that we, the guest, have been
cloned.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

acpivmgenid(4): Reset and gather entropy on VM clone notification.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

arc4random(3): Reseed if system entropy epoch changes.

This can happen, for example, if the system is a VM instance, and the
VM is cloned.

This incurs the cost of a system call on every arc4random call, which
is unfortunate, but

1. we don't currently have a (machine-independent) mechanism for
   exposing a read-only page to userland shared by the kernel to
   enable a cheaper access path to the entropy epoch; and

2. the algorithm here -- a simple application of ChaCha -- is likely
   also a bottleneck and could be much cheaper by

   (a) using sys/crypto/chacha for machine-dependent vectorized
       ChaCha code, and

   (b) filling a buffer (somewhere between a cipher block and a page)
       in a batch at a time, instead of running ChaCha to generate
       only 32 bytes at a time.

So although this might be a performance hit, the security benefit is
worthwhile and we have a clear path to do better than reversing the
performance hit later.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

acpivmgenid(4): Nix BUGS that have been squashed.

Reference kern.entropy.epoch for the remaining bug (which is a
performance issue, not a security issue).

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

entropy(9): Allow unprivileged reads of sysctl kern.entropy.epoch.

Applications need this in order to know when to reseed. (We should
also expose it through a page shared read-only with userland for
cheaper access, but until we do, let's let applications get at it
through sysctl.)

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

arc4random.c: Fix test program.

This isn't wired up anywhere, but let's reduce the bitrot. It was
helpful in reminding me that kern.entropy.epoch was, for reasons I
can't remember, restricted to privileged access.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

amd64, evbarm, i386: Add acpivmgenid(4) to GENERIC.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

rnd(4): Document kern.entropy.epoch is unprivileged and elaborate.

Cross-reference acpivmgenid(4).

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

arc4random(3): Note that arc4random respects kern.entropy.epoch.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

Add debug info for new acpivmgenid module

arc4random(3): Add automatic tests.

This verifies that:
- arc4random zeroes its state and reseeds itself on fork
- arc4random reseeds itself on entropy consolidation (e.g., VM clone)
- arc4random falls back to global state if it can't allocate local
  state because address space limits cause mmap to fail

NOTE: This adds a new libc symbol __arc4random_global, but it's in
the reserved namespace and only used by t_arc4random, so no libc
minor bump.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

getentropy(3): Note intent to reseed on VM clone, and caveats.

Tidy markup and pacify some mandoc -Tlint complaints while here.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

Bump dates on man pages recently updated to mention VM clones.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

arc4random(3): Pacify some of lint's complaints.

PR kern/58632: getentropy(2) and arc4random(3) do not reseed on VM
fork

arc4random: suppress another lint warning

To generate a diff of this commit:
cvs rdiff -u -r1.394.2.10 -r1.394.2.11 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.12.2.2 -r1.12.2.3 \
src/distrib/sets/lists/debug/module.md.amd64
cvs rdiff -u -r1.7.2.2 -r1.7.2.3 src/distrib/sets/lists/debug/module.md.i386
cvs rdiff -u -r1.1757.2.13 -r1.1757.2.14 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.98.2.2 -r1.98.2.3 src/distrib/sets/lists/modules/md.amd64
cvs rdiff -u -r1.96.2.2 -r1.96.2.3 src/distrib/sets/lists/modules/md.i386
cvs rdiff -u -r1.1238.2.12 -r1.1238.2.13 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.216.2.1 -r1.216.2.2 src/lib/libc/gen/Makefile.inc
cvs rdiff -u -r1.21 -r1.21.24.1 src/lib/libc/gen/arc4random.3
cvs rdiff -u -r1.33 -r1.33.2.1 src/lib/libc/gen/arc4random.c
cvs rdiff -u -r1.4.2.2 -r1.4.2.3 src/lib/libc/gen/getentropy.3
cvs rdiff -u -r0 -r1.1.2.2 src/lib/libc/include/arc4random.h
cvs rdiff -u -r1.21 -r1.21.2.1 src/lib/libc/include/reentrant.h
cvs rdiff -u -r1.730.2.3 -r1.730.2.4 src/share/man/man4/Makefile
cvs rdiff -u -r0 -r1.3.2.2 src/share/man/man4/acpivmgenid.4
cvs rdiff -u -r1.40.2.1 -r1.40.2.2 src/share/man/man4/rnd.4
cvs rdiff -u -r1.174.4.4 -r1.174.4.5 src/sys/arch/amd64/conf/ALL
cvs rdiff -u -r1.599.4.6 -r1.599.4.7 src/sys/arch/amd64/conf/GENERIC
cvs rdiff -u -r1.206.2.4 -r1.206.2.5 src/sys/arch/evbarm/conf/GENERIC64
cvs rdiff -u -r1.503.4.4 -r1.503.4.5 src/sys/arch/i386/conf/ALL
cvs rdiff -u -r1.1243.2.4 -r1.1243.2.5 src/sys/arch/i386/conf/GENERIC
cvs rdiff -u -r0 -r1.3.2.2 src/sys/dev/acpi/acpi_vmgenid.c
cvs rdiff -u -r1.126.4.3 -r1.126.4.4 src/sys/dev/acpi/files.acpi
cvs rdiff -u -r1.57.4.5 -r1.57.4.6 src/sys/kern/kern_entropy.c
cvs rdiff -u -r1.274.2.6 -r1.274.2.7 src/sys/modules/Makefile
cvs rdiff -u -r0 -r1.1.2.2 src/sys/modules/acpivmgenid/Makefile \
src/sys/modules/acpivmgenid/acpivmgenid.ioconf
cvs rdiff -u -r1.4.20.1 -r1.4.20.2 src/sys/sys/entropy.h
cvs rdiff -u -r1.55 -r1.55.2.1 src/tests/lib/libc/gen/Makefile
cvs rdiff -u -r0 -r1.1.2.2 src/tests/lib/libc/gen/t_arc4random.c
State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Wed, 09 Oct 2024 13:40:00 +0000
State-Changed-Why:
I think this is all fixed in HEAD now and pulled up to 10, so when 10.1
is out within the next few weeks, it should reseed itself on VM fork.
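The reseed-on-epoch-change behaviour that the commits above give arc4random(3), modelled as an added example that is not NetBSD's code. `struct kernel`, `struct rng` and every function name are hypothetical stand-ins, the generation IDs are constructed, and the mixing is a toy rather than ChaCha.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one guest kernel: entropy pool plus epoch counter.
 * On NetBSD the real values are getentropy() and sysctl kern.entropy.epoch. */
struct kernel { uint64_t pool; unsigned epoch; };
/* Hypothetical userland generator. The mixing below is a toy, NOT a CSPRNG. */
struct rng { uint64_t s; unsigned epoch; unsigned reseeds; };

static uint64_t kernel_seed(struct kernel *k)
{
	k->pool += 0x9E3779B97F4A7C15ULL;
	return k->pool ^ (k->pool >> 29);
}

/* Clone notification in the guest: mix new input, advance the epoch. */
static void kernel_vm_cloned(struct kernel *k, uint64_t genid)
{
	k->pool ^= genid;
	k->epoch++;
}

static uint64_t rng_next(struct rng *r, struct kernel *k, int check_epoch)
{
	/* Seed on first use, and again whenever the kernel epoch has moved. */
	if (r->reseeds == 0 || (check_epoch && r->epoch != k->epoch)) {
		r->s = kernel_seed(k);
		r->epoch = k->epoch;
		r->reseeds++;
	}
	r->s = r->s * 6364136223846793005ULL + 1442695040888963407ULL;
	return r->s ^ (r->s >> 33);
}

/* Snapshot a guest, resume two clones, report whether their outputs collide. */
static int clones_collide(int check_epoch, unsigned *reseeds)
{
	struct kernel ka = { 0x0123456789abcdefULL, 1 }, kb;
	struct rng ra = { 0, 0, 0 }, rb;
	(void)rng_next(&ra, &ka, check_epoch);	/* seeded before the snapshot */
	kb = ka; rb = ra;			/* snapshot copies kernel and userland */
	kernel_vm_cloned(&ka, 0x1111);		/* constructed generation IDs */
	kernel_vm_cloned(&kb, 0x2222);
	uint64_t a = rng_next(&ra, &ka, check_epoch);
	uint64_t b = rng_next(&rb, &kb, check_epoch);
	*reseeds = ra.reseeds;			/* clone A's total reseed count */
	return a == b;
}

int main(void)
{
	unsigned n, c0 = clones_collide(0, &n), c1 = clones_collide(1, &n);
	printf("collide without epoch check: %u, with: %u\n", c0, c1);
	return 0;
}
```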
>Unformatted: