Looks good to me in principal.

LGTM.

+markj and bz@ for the DTrace probe.

I think this can go independently with other changes: is there some reason that you would like to wait instead of proceeding?

Looks reasonable to me.

Warner -- can you commit this change?

Committed as rS347244.

I think the change as-is is fine.

I'll commit this after a universe build.

LGTM in principle

No objection from me.

(I'm not against with the overall plan, but see my comments about use of hash function inline).

For a stopgap fix I think it's fine. Note that it's probably better to derive __stack_chk_guard from SHA512 of something that we change often (e.g. __FreeBSD_version) concatenate with something that potentially varies, like getcyclecount(), for the fallback guard data: these are not secure random numbers, but would make it harder for an attacker to develop more generic smashing attack.

I'm in favor of this change; please consider this as an explicit "accepted" if nobody objects in a week.

The code changes looks good to me -- and thanks for working on this!

In D19713#427179, @mindal_semihalf.com wrote:

In D19713#427028, @delphij wrote:

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

If the write method hasn't been called before a read then there will be nothing in the buffer and the read will fail - as pending_data_length equals 0.
Essentially the way it works is that write is used to do the entire communication with TPM and read just copies the response to userspace.
As for the discard callout, since it also clears the buffer read would fail either way and tid is not checked in write, as it is used only to restrict access to buffer contents which is empty when a write is performed.

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

Noticed a few minor issues, please see comment inline. Overall I think the change is good.

LGTM, thanks!

The shutdown script change LGTM, but I insist that libexec/save-entropy/save-entropy.sh line 83 should be removed as explained in previous comment.

In D19742#423456, @cem wrote:

In D19742#423197, @delphij wrote:

I think a 'fsync saved-entropy.1 .' should be sufficient.

We don't really care if the renames were not persistent until the new entropy is saved,

Sure, if that is the power-fail/crash behavior of un-fsynced renames. But I don't believe that model is accurate. There is no requirement that the underlying filesystem order the dirent writes in a way that matches this observable behavior; the only requirement is that it is persisted by fsync.

FS&K §9.6.2 is clear, "All updates to the seed file must be atomic" and goes into more detail in §9.6.5.

I think you should separate most of the read_random() -> arc4random_buf() change out because in most cases the code should use the latter exclusively, especially places where the return value of read_random() were not tested because it would be a strict improvement to the status quo.

I think a 'fsync saved-entropy.1 .' should be sufficient.

In D19706#422829, @ota_j.email.ne.jp wrote:

I need to understand better kernel malloc/free as they take 1 extra argument compare to stdlib.h.

Hi, first of all, kudos for taking on this! The change looks mostly Ok to me except a few minor issues commented inline.

Why is the partition index changed from 1 to 2? (The change looks otherwise fine to me).

Thanks! LGTM (note that discard_buffer_callout should probably also be drained, but it's unrelated to this change).

I have noticed a few minor issues and have commented inline.

(Note that randomdev_getkey() have similar issue and should be fixed too, feel free to fix it prior to commit)

Looks good to me in principle and I like the fact that fortuna.c no longer cares about the keystream context internals.

Abandoned in favor of D19216.

Sorry, this looks good to me & thanks!

Ah I didn't realized that we haven't upstreamed it & thanks for forward-porting it for so many years...

In D18920#405658, @oshogbo wrote:

Is this some common pattern?

One last change request -- could you please use ${PAGER} instead of $PAGER while there? The change looks otherwise fine to me.

LGTM & Thanks for your work!

In D18859#403540, @aryeeteygerald_rogers.com wrote:

Note that most IDS_run output shouldn't be considered as "informational", especially checksum differences: these should not be suppressed because they suggest there are real issues.

Where are the checksum diffs? I don't think they are currently suppressed but maybe I missed it.

I like this change in principle, but I think you could simplify the code a little bit (see my comments in line).

I really don't like this approach because it would bar us from retrofit publishing freebsd-update bits (and would create problems for users who have their own freebsd-update instance running). I think it's more appropriate to make fetch_key to provide more meaningful output instead of "Fetching public key from ... failed".

LGTM in principal (except the style issue raised by @emaste which is minor and I think he would take care of it when committing).

In D18859#403307, @aryeeteygerald_rogers.com wrote:

It may be because it is hard to follow but warnings/errors are redirected to the stderr

LGTM, thanks!

I think this is not complete. For example, /usr may be a symlink to somewhere else, and freebsd-update needs to have write access there (this applies to /boot, /var, etc. too).

I like the idea in general, but I think there were some implementation issues: