line longer than 80 character.

line longer than 80 chars, there are a few more, 245 and 248, so I'll stop, but they need to be fixed.

Add a KASSERT that bytecount is a multiple of RANDOM_BLOCKSIZE here. If not we are at risk of overflowing buf or put it in random_fortuna_read, but here is better. The caller, random_fortuna_read is documented as requiring a multiple, but does not enforce it, and this is a public interface.

I have looked at the calling code, and it looks like all the calling code ensures that there are enough bytes at the end of the buffer, but still, intentionally overrunning the buffer is terrible and should never be used in security code like this.

We've accepted C99 as our standard, so these extra braces are unneeded, as C99 allows you to declare a new variable anywhere.

should we specify that this is a CSPRNG?

We should link or comment that the system by default does this w/ the rc scripts.

do we want to pipe this to hexdump -C so that people don't break their terminals when the run this?

drop the, or add device after random(4).

What about the discussion of the yarrow sysctls? Yes, the defaults are only fortuna, but we are loosing the information about yarrow.

why only better? maybe change to:

The
.Fn arc4rand
function will return crypographicly secure random numbers,
which are suitable for security and cryptographic purposes.

Or is this because when it isn't seeded, it isn't suitable?

Why do we talk about arc4rand and read_random here, then use random() in the example?

Just change this to .Fn instead of using .Fo/.Fc.

replace the " w/
.Em Dq very conservatively

can't you just drop the random random_yarrow from the spec? as it is covered by the random !random_dummy clause.

it sure would make things easier if we could specify random_fortuna as the default option.

same here wrt to dropping random random_yarrow.

If this is a unit test, it should be moved to src/tests/sys/dev/random and integrated into ATF.

Erm, sorry - I don't do the 80-column-only thing any more.

I disagree that this needs fixing.

OK, will fix.

I'm happy to put in the KASSERT, but this is no public interface.

I'll remove them when this can compile on MIPS (using GCC 4.2.n).

I will comment, thanks!

Maybe not any more. At one point the kernel couldn't handle big stack variables.

Could be - I'll change it.

Will do.

Magic number. BAD, BAD! :-)

That comment needs some TLC. Will fix.

I've deliberately removed the RANDOM_ prefixes here.

Will fix, thanks!

Will investigate and fix.

Will fix.

Oy. How did I end up writing *that*?

Very good point!

Another good point!

I'm very keen to get an adaptive read rate on the "free" entropy sources. I'll be looking at this code again, myself.

these also go beyond 80 columns

KASSERT?

Not sure what this means.

Will do.

"Complete waste of time" ;-)

It is a null function to stub a function call in higher layers.

(It may be possible to remove this; I'll check)

"Intentionally overrunning the buffer" is needed no matter what. The block cipher must generate enough data to fulfil the request, which means sometimes generating too much. I do things this way to avoid unnecessary block-transfers.

this random code is not performance critical code and being security code it should be coded safely. If you insist upon performance over safety, then you should document your assumptions, and the requirement that the calling code handle the intentional overflow. This helps people understand why the "bug" is there and is not a bug, and that future people who call the function won't misuse it.

the random(4) device is seeded.

should probably just delete this, if you really need to know, you can turn on SYSINIT debugging which will print this.

We don't have a check for both _DUMMY and _FORTUNA.

We may also need a check for both _FORTUNA and _YARROW here, haven't checked.

This isn't a minor number, this is a unit number, rename to RANDOM_UNIT?

there is no lock protecting this list. It can be added/modified at run time, and we walk the list 10 times a second.

why is this tsleep here? this appears to just be to slow things down, It can't depend upon randomdev_unblock to wake it up, as there is no lock to ensure that the wakeup happens, and for fortuna will only happen once.

Even switching to a pause doesn't make sense, because we don't check to make sure there is no more data and pause then. And it'd be trivial to bypass this check, as all you do is span lots of threads to do the write.

Ok, I think that we should make this loop fill up hc_entropy_fast_accumulator's buf, and no more... xor'ing many, many times from rdrand or other sources doesn't make much sense... I could possibly see doing it two or three times buf size, but doing this possibly 100's of times doesn't make sense... There is only so much that xor'ing random data with more random data gets you.

Looks like ||defined(RANDOM_FORTUNA) needs to be added here.

might want to comment that word0 is the least significant word.

rdtsc can be provided by machine/cpufunc.h instead of coping the code here.

this also may read beyond buf if wordcount is odd.

KASSERT that this is a multiple of RANDOM_BLOCKSIZE.

Did this get properly reviewed? Aren't there issues w/ the random device being blocked on boot, etc?

I didn't see any discussion of this.

I'm not sure this is correct or good.

this is probably worse than before... if it's always zero before seeded, we now have a 100% predictable key instead of before we had a mostly predictable key.

why is this needed? The random module doesn't depend upon the crypto module, so there shouldn't be any changes here.

have you evaluated the impact of harvesting over 11x more data from ethernet subroutines than before?

This seems like a really bad change. We are now harvesting 136 bytes (on amd64) instead of only 12 bytes.

If the above change was good, why wasn't it made here too?

and here?

has any benchmarks been run to test this? It's now enabled by default, but per your comment, seems expensive.

There probably was a reason why this wasn't enabled by default, benchmarks?

buf should be bytecount here

buf should be bytecount here.

I believe this should be RANDOM_ACCUM_MAX not RANDOM_RING_MAX.

I'm happy to comment/document this.

This is a part of the kernel that confuses the hell out of me. Could you please propose a suitable fix?

There is no _FORTUNA option. It is implied by a lack of _DUMMY and _YARROW. I'll be removing a commented out _FORTUNA from sys/conf/NOTES.

I'll be taking that risk in the sort term. A fix is on my TODO list.

Please propose a fix. Linearising the writes is a desirable thing, and throttling the rate is a goal.

Revisiting this is on my TODO list.

Negative. RANDOM_FORTUNA is implied by the absence of the other two.

I think the average programmer could figure that out for themselves.

I'll look at this again when I finish the test for ARM.

Please make a concrete proposal.

rwatson disagrees with the approach, citing this paper: http://pdos.csail.mit.edu/papers/ub:apsys12.pdf

Modules are returning. I'm leaving it there to avoid churn.

I have done some, and I have evaluated the entropy so gained, and found it good. I'm hoping to publish this some time in the medium future, but for now the coverage is very useful. Where it is a burden, it can be disabled.

Because I don't use the tun(4) device much, but good point, thanks!

Same issue; I'm not much of a NG user.

Basic benchmarks are OK. It can be disabled, and I intend to return for a proper research project.

Folks are very sensitive about messing with it, and I haven't done the micro-benchmarks yet. Coarse benchmarks seem OK, and a face-to-face with rwatson has me not unhappy with this.

read_random is not taking care that len is a multiple of RANDOM_BLOCKSIZE here

this causes ZFS to panic when it tries to generate a GUID to create a new pool.

spa_generate_guid tries to read 8 bytes of random via read_random

random_fortuna_read() ASSERTs because bytecount (= 8) must be a multiple of 16

Fixing now. Thanks!