sys/sys/random.h
*/ | */ | ||||
#ifndef _SYS_RANDOM_H_ | #ifndef _SYS_RANDOM_H_ | ||||
#define _SYS_RANDOM_H_ | #define _SYS_RANDOM_H_ | ||||
#include <sys/types.h> | #include <sys/types.h> | ||||
#ifdef _KERNEL | #ifdef _KERNEL | ||||
#include <sys/systm.h> | |||||
struct uio; | struct uio; | ||||
#if defined(DEV_RANDOM) | #if defined(DEV_RANDOM) | ||||
u_int read_random(void *, u_int); | void read_random(void *, u_int); | ||||
int read_random_uio(struct uio *, bool); | int read_random_uio(struct uio *, bool); | ||||
#else | #else | ||||
static __inline int | static __inline int | ||||
read_random_uio(void *a __unused, u_int b __unused) | read_random_uio(void *a __unused, u_int b __unused) | ||||
{ | { | ||||
return (0); | return (0); | ||||
} | } | ||||
static __inline u_int | static __inline void | ||||
read_random(void *a __unused, u_int b __unused) | read_random(void *a __unused, u_int b __unused) | ||||
{ | { | ||||
return (0); | panic("!defined(DEV_RANDOM) read_random"); | ||||
delphij: Probably keep the return instead of panicking?
If the goal is to intentionally break ! | |||||
cemAuthorUnsubmitted Done Inline ActionsWhile I don't understand the rationale for !DEV_RANDOM, I'm not intending to remove it without understanding why it exists and who needs it. In such a build, read_random() (with new API specification) should not be invoked at all. One alternative to immediate panic would be to block forever (since random is never seeded). That doesn't seem like a better option to me. cem: While I don't understand the rationale for `!DEV_RANDOM`, I'm not intending to remove it… | |||||
delphijUnsubmitted Done Inline ActionsThere is no existing mechanism in the kernel that prevents calling of read_random(), which is called by arc4random() and is used widely in various parts of the kernel, including the TCP/IP stack and several file systems. By removing the symbol you would at least save other developers some time, because that would give them a link-time error instead of seeing the system crash at random times. The option was introduced in rS286839 by the way; I doubt it's actually being used by anyone in practice, and since your change would break it, it's probably time to just go ahead and remove it altogether. @markm can you confirm? delphij: There is no existing mechanism in the kernel that prevents calling of read_random(), which is… | |||||
} | } | ||||
#endif | #endif | ||||
/* | /* | ||||
* Note: if you add or remove members of random_entropy_source, remember to | * Note: if you add or remove members of random_entropy_source, remember to | ||||
* also update the strings in the static array random_source_descr[] in | * also update the strings in the static array random_source_descr[] in | ||||
* random_harvestq.c. | * random_harvestq.c. | ||||
*/ | */ | ||||
Show All 29 Lines | enum random_entropy_source { | ||||
RANDOM_PURE_TPM, | RANDOM_PURE_TPM, | ||||
ENTROPYSOURCE | ENTROPYSOURCE | ||||
}; | }; | ||||
_Static_assert(ENTROPYSOURCE <= 32, | _Static_assert(ENTROPYSOURCE <= 32, | ||||
"hardcoded assumption that values fit in a typical word-sized bitset"); | "hardcoded assumption that values fit in a typical word-sized bitset"); | ||||
#define RANDOM_LEGACY_BOOT_ENTROPY_MODULE "/boot/entropy" | #define RANDOM_LEGACY_BOOT_ENTROPY_MODULE "/boot/entropy" | ||||
#define RANDOM_CACHED_BOOT_ENTROPY_MODULE "boot_entropy_cache" | #define RANDOM_CACHED_BOOT_ENTROPY_MODULE "boot_entropy_cache" | ||||
#define RANDOM_CACHED_SKIP_START 256 | |||||
#if defined(DEV_RANDOM) | #if defined(DEV_RANDOM) | ||||
extern u_int hc_source_mask; | extern u_int hc_source_mask; | ||||
void random_harvest_queue_(const void *, u_int, enum random_entropy_source); | void random_harvest_queue_(const void *, u_int, enum random_entropy_source); | ||||
void random_harvest_fast_(const void *, u_int); | void random_harvest_fast_(const void *, u_int); | ||||
void random_harvest_direct_(const void *, u_int, enum random_entropy_source); | void random_harvest_direct_(const void *, u_int, enum random_entropy_source); | ||||
static __inline void | static __inline void | ||||
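Review bot: The new `void read_random(void *, u_int);` prototype at the top of the DEV_RANDOM block drops the return value that callers previously used to learn how many bytes were filled, and nothing in the header records the new contract, so a reader cannot tell from the declaration whether the full buffer is guaranteed to be written. I'd add a comment above the prototype, e.g. `/* Fills the whole buffer; there is no short-read indication, so callers must not treat partial output as a possible outcome. */`, adjusted to whatever the new specification actually guarantees (it is referenced in the discussion but not visible here). The !DEV_RANDOM stub that now calls panic() similarly deserves a one-line comment stating that a kernel built without DEV_RANDOM is expected never to reach read_random(), since the stub can no longer signal "nothing written" through a return value. `#define RANDOM_CACHED_SKIP_START 256` is also added with no note of what it counts or why 256 was chosen; a short comment there would save the next reader a trip to the consumer.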
Probably keep the return instead of panicking?
If the goal is to intentionally break the !DEV_RANDOM case, you can remove this symbol or use #error here; that is better because it would become immediately visible at compile time to the user who builds it that way.
Personally, I think it's totally fine if they choose to not have any randomness, though; and if a case is intentionally broken, the opposite should be the default and the option should be removed.