random: add RDSEED as a provably unique entropy source
NIST SP800-90B allows for only a single entropy source to be claimed
in a FIPS-140-3 certificate. In addition, only hardware sources that
have a NIST Entropy Source Validation (ESV) certificate, backed by
a SP800-90B Entropy Assessment Report, are usable. Intel has obtained
ESV certificates for several of their processors, so RDSEED is a
FIPS-140-3 suitable entropy source.
However, even though RDRAND is seeded by RDSEED internally, RDRAND
would need a RBG certificate and CAVP testing run on the DRBG in order
to use it for FIPS-140-3 (SP800-90B) purposes. So we need to know
down in the CSPRNG-subsystem which source the entropy came from.
In light of the potential issues surrounding AMD Zen 5 CPU's RDSEED
implementation[*], allow RDSEED to be disabled in loader.conf.
Reviewed by: cem
MFC after: 3 days
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D53150
Differential Revision: https://reviews.freebsd.org/D53291
(cherry picked from commit 3a12982962ce330c37c154bb2eb8ae0539fc6f48)
(cherry picked from commit 38e9d282cd7dacbf64883b45544723408cfd4d09)