Source-Changes-HG archive
[src/trunk]: src/sys/arch/x86/x86 x86/pmap: Feed entropy_extract output throu...
details: https://anonhg.NetBSD.org/src/rev/eda232efa87e
branches: trunk
changeset: 366064:eda232efa87e
user: riastradh <riastradh%NetBSD.org@localhost>
date: Fri May 13 09:39:40 2022 +0000
description:
x86/pmap: Feed entropy_extract output through nist_hash_drbg.
The entropy pool algorithm is NOT designed to provide backtracking
resistance on its own -- it MUST be combined with a PRNG/DRBG that
provides that.
The only reason we use entropy_extract here is that cprng(9) is not
available yet (which in turn is because kmem and other basic kernel
facilities aren't available yet), but nist_hash_drbg doesn't have any
initialization order requirements, so we'll just use it directly.
diffstat:
sys/arch/x86/x86/pmap.c | 38 ++++++++++++++++++++++++++++++++++----
1 files changed, 34 insertions(+), 4 deletions(-)
diffs (73 lines):
diff -r 21118befd78e -r eda232efa87e sys/arch/x86/x86/pmap.c
--- a/sys/arch/x86/x86/pmap.c Thu May 12 23:17:42 2022 +0000
+++ b/sys/arch/x86/x86/pmap.c Fri May 13 09:39:40 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pmap.c,v 1.414 2022/05/07 14:59:25 bouyer Exp $ */
+/* $NetBSD: pmap.c,v 1.415 2022/05/13 09:39:40 riastradh Exp $ */
/*
* Copyright (c) 2008, 2010, 2016, 2017, 2019, 2020 The NetBSD Foundation, Inc.
@@ -130,7 +130,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.414 2022/05/07 14:59:25 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.415 2022/05/13 09:39:40 riastradh Exp $");
#include "opt_user_ldt.h"
#include "opt_lockdebug.h"
@@ -178,6 +178,10 @@
#include <xen/xenpmap.h>
#endif
+#ifdef __HAVE_DIRECT_MAP
+#include <crypto/nist_hash_drbg/nist_hash_drbg.h>
+#endif
+
/*
* general info:
*
@@ -1602,6 +1606,33 @@
#endif
#ifdef __HAVE_DIRECT_MAP
+static void
+randomize_hole(size_t *randholep, vaddr_t *randvap)
+{
+ struct nist_hash_drbg drbg;
+ uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES];
+ const char p[] = "x86/directmap";
+ int error;
+
+ entropy_extract(seed, sizeof(seed), 0);
+
+ error = nist_hash_drbg_instantiate(&drbg, seed, sizeof(seed),
+ /*nonce*/NULL, 0,
+ /*personalization*/p, strlen(p));
+ KASSERTMSG(error == 0, "error=%d", error);
+
+ error = nist_hash_drbg_generate(&drbg, randholep, sizeof(*randholep),
+ /*additional*/NULL, 0);
+ KASSERTMSG(error == 0, "error=%d", error);
+
+ error = nist_hash_drbg_generate(&drbg, randvap, sizeof(*randvap),
+ /*additional*/NULL, 0);
+ KASSERTMSG(error == 0, "error=%d", error);
+
+ explicit_memset(seed, 0, sizeof(seed));
+ explicit_memset(&drbg, 0, sizeof(drbg));
+}
+
/*
* Create the amd64 direct map. Called only once at boot time. We map all of
* the physical memory contiguously using 2MB large pages, with RW permissions.
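Review bot: The three `KASSERTMSG(error == 0, "error=%d", error)` checks in randomize_hole are the only error handling for nist_hash_drbg_instantiate and nist_hash_drbg_generate, and KASSERTMSG is compiled out of kernels built without DIAGNOSTIC. On such kernels a failure would pass silently, leaving `*randholep` and `*randvap` with whatever the caller's variables held (their initial state is not visible in this diff). The outputs go straight into slotspace_rand in the last hunk, and pmap_init_directmap already panics on inconsistencies, so an unconditional `if (error) panic("%s: nist_hash_drbg error=%d", __func__, error);` after each call would fail closed instead. A short comment above randomize_hole would also keep the commit message's reasoning with the code, for example `/* entropy_extract alone gives no backtracking resistance; cprng(9) is not available this early, so feed the seed through nist_hash_drbg */`. The trailing context lines of this hunk open a comment block that continues outside it.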
@@ -1648,8 +1679,7 @@
panic("pmap_init_directmap: lastpa incorrect");
}
- entropy_extract(&randhole, sizeof randhole, 0);
- entropy_extract(&randva, sizeof randva, 0);
+ randomize_hole(&randhole, &randva);
startva = slotspace_rand(SLAREA_DMAP, lastpa, NBPD_L2,
randhole, randva);
endva = startva + lastpa;