Date: Thu, 7 Mar 2019 20:48:58 -0500 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Conrad Meyer <cem@FreeBSD.org> Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r344913 - head/sys/dev/random Message-ID: <20190308014858.2kowmri5nx7oa7a5@mutt-hbsd> In-Reply-To: <201903080117.x281HK4N002587@repo.freebsd.org> References: <201903080117.x281HK4N002587@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--iyadebnuiasa6kxb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hey Conrad, On Fri, Mar 08, 2019 at 01:17:20AM +0000, Conrad Meyer wrote: > Author: cem > Date: Fri Mar 8 01:17:20 2019 > New Revision: 344913 > URL: https://svnweb.freebsd.org/changeset/base/344913 >=20 > Log: > Fortuna: Add Chacha20 as an alternative stream cipher > =20 > Chacha20 with a 256 bit key and 128 bit counter size is a good match fo= r an > AES256-ICM replacement. > =20 > In userspace, Chacha20 is typically marginally slower than AES-ICM on > machines with AESNI intrinsics, but typically much faster than AES on > machines without special intrinsics. ChaCha20 does well on typical mod= ern > architectures with SIMD instructions, which includes most types of mach= ines > FreeBSD runs on. > =20 > In the kernel, we can't (or don't) make use of AESNI intrinsics for > random(4) anyway. So even on amd64, using Chacha provides a modest > performance improvement in random device throughput today. > =20 > This change makes the stream cipher used by random(4) configurable at b= oot > time with the 'kern.random.use_chacha20_cipher' tunable. > =20 > Very rough, non-scientific measurements at the /dev/random device, on a > GENERIC-NODEBUG amd64 VM with 'pv', show a factor of 2.2x higher throug= hput > for Chacha20 over the existing AES-ICM mode. > =20 > Reviewed by: delphij, markm > Approved by: secteam (delphij) > Differential Revision: https://reviews.freebsd.org/D19475 >=20 > Modified: > head/sys/dev/random/fortuna.c > head/sys/dev/random/hash.c > head/sys/dev/random/hash.h > head/sys/dev/random/uint128.h > > Modified: head/sys/dev/random/hash.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/sys/dev/random/hash.c Fri Mar 8 01:04:19 2019 (r344912) > +++ head/sys/dev/random/hash.c Fri Mar 8 01:17:20 2019 (r344913) > +/* Validate that full Chacha IV is as large as the 128-bit counter */ > +_Static_assert(CHACHA_STATELEN =3D=3D RANDOM_BLOCKSIZE, ""); > + > +/* > + * Experimental Chacha20-based PRF for Fortuna keystream primitive. For= now, > + * disabled by default. But we may enable it in the future. > + * > + * Benefits include somewhat faster keystream generation compared with > + * unaccelerated AES-ICM. > + */ > +bool random_chachamode =3D false; > +#ifdef _KERNEL > +SYSCTL_BOOL(_kern_random, OID_AUTO, use_chacha20_cipher, CTLFLAG_RDTUN, > + &random_chachamode, 0, > + "If non-zero, use the ChaCha20 cipher for randomdev PRF. " > + "If zero, use AES-ICM cipher for randomdev PRF (default)."); > +#endif I'm curious if that sysctl node could be documented in a manpage, perhaps the random(4) manpage would be a good candidate for updating. Thanks, --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --iyadebnuiasa6kxb Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAlyByggACgkQaoRlj1JF bu66sQ//bUflj/qhnl9tOaGhDP2jAsWeIFGZ7WCzeCpkeFzhxT4LHvQveJnjtFhX p4ub4qGvbLGv0fDHRxIuP4S8NObaI5mkIivCAmdPOApNT5RBYtasoz8Y0O+A0Xkm x647JwVGdmPtXY8gGJPNuQKeMGMav7YX5gUxTDlh3M4Qasje+dxM9j/0adEYp6EX jZdPvtisT/iIH+eDvFZA2ayjsQ2BPB7ADKXkHEnmhi9JXyyX6hzX+bSbYSU2ry9g 9LupckX3RFXWFrvHqKPfKzmzGVmUiA4GZP3rjCc1rOsUmHeVO8PfzjZ/yWKGA8JU p7S8RnnPfb0ji5Edp9wO4WnXaCnpdsCTipBLMd9Z+WPQog+xkq1Es/H3owjAbVtY t5FTv3Pay63sGj3CgodkJU9lbslmJgX2yyoyZJa9LNGPow5bJmeHEoCN3wCHERTD uSdgQX4xoQlCrW+fMn5FDCrtNr+rLHYIbwQSBEXGAvINDFsGjRVGnwWRi2oH8Xqq BCMu9giAm3j+BVMtSeBD/jf0XUv3CaYEzOrAQjMRuwBf6rUXGmR9CY0wR6gdzZcw QXkTC3UZAYJZi8SXkEZKzpC3jT11Dl7TPNsoLWI/gGR7ZKWXz9jrNtDyC2l3mrfg qkhceGVfYIA9WKAhlUvsCA/gL66CiCqz/52jm+aPBRgUKNwCJ2A= =1COL -----END PGP SIGNATURE----- --iyadebnuiasa6kxb--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190308014858.2kowmri5nx7oa7a5>