1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2019 Conrad Meyer <cem@FreeBSD.org>
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 #include <sys/param.h>
30 #include <sys/domainset.h>
31 #include <sys/fail.h>
32 #include <sys/limits.h>
33 #include <sys/lock.h>
34 #include <sys/kernel.h>
35 #include <sys/malloc.h>
36 #include <sys/mutex.h>
37 #include <sys/queue.h>
38 #include <sys/random.h>
39 #include <sys/sdt.h>
40 #include <sys/sysctl.h>
41 #include <sys/systm.h>
42 #include <sys/taskqueue.h>
43
44 #include <machine/atomic.h>
45 #include <machine/smp.h>
46
47 #include <dev/random/randomdev.h>
48 #include <dev/random/random_harvestq.h>
49
50 #include <dev/random/fenestrasX/fx_brng.h>
51 #include <dev/random/fenestrasX/fx_hash.h>
52 #include <dev/random/fenestrasX/fx_pool.h>
53 #include <dev/random/fenestrasX/fx_priv.h>
54 #include <dev/random/fenestrasX/fx_pub.h>
55
56 /*
57 * Timer-based reseed interval growth factor and limit in seconds. (§ 3.2)
58 */
59 #define FXENT_RESSED_INTVL_GFACT 3
60 #define FXENT_RESEED_INTVL_MAX 3600
61
62 /*
63 * Pool reseed schedule. Initially, only pool 0 is active. Until the timer
64 * interval reaches INTVL_MAX, only pool 0 is used.
65 *
66 * After reaching INTVL_MAX, pool k is either activated (if inactive) or used
67 * (if active) every 3^k timer reseeds. (§ 3.3)
68 *
69 * (Entropy harvesting only round robins across active pools.)
70 */
71 #define FXENT_RESEED_BASE 3
72
73 /*
74 * Number of bytes from high quality sources to allocate to pool 0 before
75 * normal round-robin allocation after each timer reseed. (§ 3.4)
76 */
77 #define FXENT_HI_SRC_POOL0_BYTES 32
78
79 /*
80 * § 3.1
81 *
82 * Low sources provide unconditioned entropy, such as mouse movements; high
83 * sources are assumed to provide high-quality random bytes. Pull sources are
84 * those which can be polled, i.e., anything randomdev calls a "random_source."
85 *
86 * In the whitepaper, low sources are pull. For us, at least in the existing
87 * design, low-quality sources push into some global ring buffer and then get
88 * forwarded into the RNG by a thread that continually polls. Presumably their
89 * design batches low entopy signals in some way (SHA512?) and only requests
90 * them dynamically on reseed. I'm not sure what the benefit is vs feeding
91 * into the pools directly.
92 */
93 enum fxrng_ent_access_cls {
94 FXRNG_PUSH,
95 FXRNG_PULL,
96 };
97 enum fxrng_ent_source_cls {
98 FXRNG_HI,
99 FXRNG_LO,
100 FXRNG_GARBAGE,
101 };
102 struct fxrng_ent_cls {
103 enum fxrng_ent_access_cls entc_axx_cls;
104 enum fxrng_ent_source_cls entc_src_cls;
105 };
106
107 static const struct fxrng_ent_cls fxrng_hi_pull = {
108 .entc_axx_cls = FXRNG_PULL,
109 .entc_src_cls = FXRNG_HI,
110 };
111 static const struct fxrng_ent_cls fxrng_hi_push = {
112 .entc_axx_cls = FXRNG_PUSH,
113 .entc_src_cls = FXRNG_HI,
114 };
115 static const struct fxrng_ent_cls fxrng_lo_push = {
116 .entc_axx_cls = FXRNG_PUSH,
117 .entc_src_cls = FXRNG_LO,
118 };
119 static const struct fxrng_ent_cls fxrng_garbage = {
120 .entc_axx_cls = FXRNG_PUSH,
121 .entc_src_cls = FXRNG_GARBAGE,
122 };
123
124 /*
125 * This table is a mapping of randomdev's current source abstractions to the
126 * designations above; at some point, if the design seems reasonable, it would
127 * make more sense to pull this up into the abstraction layer instead.
128 */
129 static const struct fxrng_ent_char {
130 const struct fxrng_ent_cls *entc_cls;
131 } fxrng_ent_char[ENTROPYSOURCE] = {
132 [RANDOM_CACHED] = {
133 .entc_cls = &fxrng_hi_push,
134 },
135 [RANDOM_ATTACH] = {
136 .entc_cls = &fxrng_lo_push,
137 },
138 [RANDOM_KEYBOARD] = {
139 .entc_cls = &fxrng_lo_push,
140 },
141 [RANDOM_MOUSE] = {
142 .entc_cls = &fxrng_lo_push,
143 },
144 [RANDOM_NET_TUN] = {
145 .entc_cls = &fxrng_lo_push,
146 },
147 [RANDOM_NET_ETHER] = {
148 .entc_cls = &fxrng_lo_push,
149 },
150 [RANDOM_NET_NG] = {
151 .entc_cls = &fxrng_lo_push,
152 },
153 [RANDOM_INTERRUPT] = {
154 .entc_cls = &fxrng_lo_push,
155 },
156 [RANDOM_SWI] = {
157 .entc_cls = &fxrng_lo_push,
158 },
159 [RANDOM_FS_ATIME] = {
160 .entc_cls = &fxrng_lo_push,
161 },
162 [RANDOM_UMA] = {
163 .entc_cls = &fxrng_lo_push,
164 },
165 [RANDOM_PURE_OCTEON] = {
166 .entc_cls = &fxrng_hi_push, /* Could be made pull. */
167 },
168 [RANDOM_PURE_SAFE] = {
169 .entc_cls = &fxrng_hi_push,
170 },
171 [RANDOM_PURE_GLXSB] = {
172 .entc_cls = &fxrng_hi_push,
173 },
174 [RANDOM_PURE_HIFN] = {
175 .entc_cls = &fxrng_hi_push,
176 },
177 [RANDOM_PURE_RDRAND] = {
178 .entc_cls = &fxrng_hi_pull,
179 },
180 [RANDOM_PURE_NEHEMIAH] = {
181 .entc_cls = &fxrng_hi_pull,
182 },
183 [RANDOM_PURE_RNDTEST] = {
184 .entc_cls = &fxrng_garbage,
185 },
186 [RANDOM_PURE_VIRTIO] = {
187 .entc_cls = &fxrng_hi_pull,
188 },
189 [RANDOM_PURE_BROADCOM] = {
190 .entc_cls = &fxrng_hi_push,
191 },
192 [RANDOM_PURE_CCP] = {
193 .entc_cls = &fxrng_hi_pull,
194 },
195 [RANDOM_PURE_DARN] = {
196 .entc_cls = &fxrng_hi_pull,
197 },
198 [RANDOM_PURE_TPM] = {
199 .entc_cls = &fxrng_hi_push,
200 },
201 [RANDOM_PURE_VMGENID] = {
202 .entc_cls = &fxrng_hi_push,
203 },
204 };
205
206 /* Useful for single-bit-per-source state. */
207 BITSET_DEFINE(fxrng_bits, ENTROPYSOURCE);
208
209 /* XXX Borrowed from not-yet-committed D22702. */
210 #ifndef BIT_TEST_SET_ATOMIC_ACQ
211 #define BIT_TEST_SET_ATOMIC_ACQ(_s, n, p) \
212 (atomic_testandset_acq_long( \
213 &(p)->__bits[__bitset_word((_s), (n))], (n)) != 0)
214 #endif
215 #define FXENT_TEST_SET_ATOMIC_ACQ(n, p) \
216 BIT_TEST_SET_ATOMIC_ACQ(ENTROPYSOURCE, n, p)
217
218 /* For special behavior on first-time entropy sources. (§ 3.1) */
219 static struct fxrng_bits __read_mostly fxrng_seen;
220
221 /* For special behavior for high-entropy sources after a reseed. (§ 3.4) */
222 _Static_assert(FXENT_HI_SRC_POOL0_BYTES <= UINT8_MAX, "");
223 static uint8_t __read_mostly fxrng_reseed_seen[ENTROPYSOURCE];
224
225 /* Entropy pools. Lock order is ENT -> RNG(root) -> RNG(leaf). */
226 static struct mtx fxent_pool_lk;
227 MTX_SYSINIT(fx_pool, &fxent_pool_lk, "fx entropy pool lock", MTX_DEF);
228 #define FXENT_LOCK() mtx_lock(&fxent_pool_lk)
229 #define FXENT_UNLOCK() mtx_unlock(&fxent_pool_lk)
230 #define FXENT_ASSERT(rng) mtx_assert(&fxent_pool_lk, MA_OWNED)
231 #define FXENT_ASSERT_NOT(rng) mtx_assert(&fxent_pool_lk, MA_NOTOWNED)
232 static struct fxrng_hash fxent_pool[FXRNG_NPOOLS];
233 static unsigned __read_mostly fxent_nactpools = 1;
234 static struct timeout_task fxent_reseed_timer;
235 static int __read_mostly fxent_timer_ready;
236
237 /*
238 * Track number of bytes of entropy harvested from high-quality sources prior
239 * to initial keying. The idea is to collect more jitter entropy when fewer
240 * high-quality bytes were available and less if we had other good sources. We
241 * want to provide always-on availability but don't necessarily have *any*
242 * great sources on some platforms.
243 *
244 * Like fxrng_ent_char: at some point, if the design seems reasonable, it would
245 * make more sense to pull this up into the abstraction layer instead.
246 *
247 * Jitter entropy is unimplemented for now.
248 */
249 static unsigned long fxrng_preseed_ent;
250
251 void
fxrng_pools_init(void)252 fxrng_pools_init(void)
253 {
254 size_t i;
255
256 for (i = 0; i < nitems(fxent_pool); i++)
257 fxrng_hash_init(&fxent_pool[i]);
258 }
259
260 static inline bool
fxrng_hi_source(enum random_entropy_source src)261 fxrng_hi_source(enum random_entropy_source src)
262 {
263 return (fxrng_ent_char[src].entc_cls->entc_src_cls == FXRNG_HI);
264 }
265
266 /*
267 * A racy check that this high-entropy source's event should contribute to
268 * pool0 on the basis of per-source byte count. The check is racy for two
269 * reasons:
270 * - Performance: The vast majority of the time, we've already taken 32 bytes
271 * from any present high quality source and the racy check lets us avoid
272 * dirtying the cache for the global array.
273 * - Correctness: It's fine that the check is racy. The failure modes are:
274 * • False positive: We will detect when we take the lock.
275 * • False negative: We still collect the entropy; it just won't be
276 * preferentially placed in pool0 in this case.
277 */
278 static inline bool
fxrng_hi_pool0_eligible_racy(enum random_entropy_source src)279 fxrng_hi_pool0_eligible_racy(enum random_entropy_source src)
280 {
281 return (atomic_load_acq_8(&fxrng_reseed_seen[src]) <
282 FXENT_HI_SRC_POOL0_BYTES);
283 }
284
285 /*
286 * Top level entropy processing API from randomdev.
287 *
288 * Invoked by the core randomdev subsystem both for preload entropy, "push"
289 * sources (like interrupts, keyboard, etc) and pull sources (RDRAND, etc).
290 */
291 void
fxrng_event_processor(struct harvest_event * event)292 fxrng_event_processor(struct harvest_event *event)
293 {
294 enum random_entropy_source src;
295 unsigned pool;
296 bool first_time, first_32;
297
298 src = event->he_source;
299
300 ASSERT_DEBUG(event->he_size <= sizeof(event->he_entropy),
301 "%s: he_size: %u > sizeof(he_entropy): %zu", __func__,
302 (unsigned)event->he_size, sizeof(event->he_entropy));
303
304 /*
305 * Zero bytes of source entropy doesn't count as observing this source
306 * for the first time. We still harvest the counter entropy.
307 */
308 first_time = event->he_size > 0 &&
309 !FXENT_TEST_SET_ATOMIC_ACQ(src, &fxrng_seen);
310 if (__predict_false(first_time)) {
311 /*
312 * "The first time [any source] provides entropy, it is used to
313 * directly reseed the root PRNG. The entropy pools are
314 * bypassed." (§ 3.1)
315 *
316 * Unlike Windows, we cannot rely on loader(8) seed material
317 * being present, so we perform initial keying in the kernel.
318 * We use brng_generation 0 to represent an unkeyed state.
319 *
320 * Prior to initial keying, it doesn't make sense to try to mix
321 * the entropy directly with the root PRNG state, as the root
322 * PRNG is unkeyed. Instead, we collect pre-keying dynamic
323 * entropy in pool0 and do not bump the root PRNG seed version
324 * or set its key. Initial keying will incorporate pool0 and
325 * bump the brng_generation (seed version).
326 *
327 * After initial keying, we do directly mix in first-time
328 * entropy sources. We use the root BRNG to generate 32 bytes
329 * and use fxrng_hash to mix it with the new entropy source and
330 * re-key with the first 256 bits of hash output.
331 */
332 FXENT_LOCK();
333 FXRNG_BRNG_LOCK(&fxrng_root);
334 if (__predict_true(fxrng_root.brng_generation > 0)) {
335 /* Bypass the pools: */
336 FXENT_UNLOCK();
337 fxrng_brng_src_reseed(event);
338 FXRNG_BRNG_ASSERT_NOT(&fxrng_root);
339 return;
340 }
341
342 /*
343 * Keying the root PRNG requires both FXENT_LOCK and the PRNG's
344 * lock, so we only need to hold on to the pool lock to prevent
345 * initial keying without this entropy.
346 */
347 FXRNG_BRNG_UNLOCK(&fxrng_root);
348
349 /* Root PRNG hasn't been keyed yet, just accumulate event. */
350 fxrng_hash_update(&fxent_pool[0], &event->he_somecounter,
351 sizeof(event->he_somecounter));
352 fxrng_hash_update(&fxent_pool[0], event->he_entropy,
353 event->he_size);
354
355 if (fxrng_hi_source(src)) {
356 /* Prevent overflow. */
357 if (fxrng_preseed_ent <= ULONG_MAX - event->he_size)
358 fxrng_preseed_ent += event->he_size;
359 }
360 FXENT_UNLOCK();
361 return;
362 }
363 /* !first_time */
364
365 /*
366 * "The first 32 bytes produced by a high entropy source after a reseed
367 * from the pools is always put in pool 0." (§ 3.4)
368 *
369 * The first-32-byte tracking data in fxrng_reseed_seen is reset in
370 * fxent_timer_reseed_npools() below.
371 */
372 first_32 = event->he_size > 0 &&
373 fxrng_hi_source(src) &&
374 atomic_load_acq_int(&fxent_nactpools) > 1 &&
375 fxrng_hi_pool0_eligible_racy(src);
376 if (__predict_false(first_32)) {
377 unsigned rem, seen;
378
379 FXENT_LOCK();
380 seen = fxrng_reseed_seen[src];
381 if (seen == FXENT_HI_SRC_POOL0_BYTES)
382 goto round_robin;
383
384 rem = FXENT_HI_SRC_POOL0_BYTES - seen;
385 rem = MIN(rem, event->he_size);
386
387 fxrng_reseed_seen[src] = seen + rem;
388
389 /*
390 * We put 'rem' bytes in pool0, and any remaining bytes are
391 * round-robin'd across other pools.
392 */
393 fxrng_hash_update(&fxent_pool[0],
394 ((uint8_t *)event->he_entropy) + event->he_size - rem,
395 rem);
396 if (rem == event->he_size) {
397 fxrng_hash_update(&fxent_pool[0], &event->he_somecounter,
398 sizeof(event->he_somecounter));
399 FXENT_UNLOCK();
400 return;
401 }
402
403 /*
404 * If fewer bytes were needed than this even provied, We only
405 * take the last rem bytes of the entropy buffer and leave the
406 * timecounter to be round-robin'd with the remaining entropy.
407 */
408 event->he_size -= rem;
409 goto round_robin;
410 }
411 /* !first_32 */
412
413 FXENT_LOCK();
414
415 round_robin:
416 FXENT_ASSERT();
417 pool = event->he_destination % fxent_nactpools;
418 fxrng_hash_update(&fxent_pool[pool], event->he_entropy,
419 event->he_size);
420 fxrng_hash_update(&fxent_pool[pool], &event->he_somecounter,
421 sizeof(event->he_somecounter));
422
423 if (__predict_false(fxrng_hi_source(src) &&
424 atomic_load_acq_64(&fxrng_root_generation) == 0)) {
425 /* Prevent overflow. */
426 if (fxrng_preseed_ent <= ULONG_MAX - event->he_size)
427 fxrng_preseed_ent += event->he_size;
428 }
429 FXENT_UNLOCK();
430 }
431
432 /*
433 * Top level "seeded" API/signal from randomdev.
434 *
435 * This is our warning that a request is coming: we need to be seeded. In
436 * fenestrasX, a request for random bytes _never_ fails. "We (ed: ditto) have
437 * observed that there are many callers that never check for the error code,
438 * even if they are generating cryptographic key material." (§ 1.6)
439 *
440 * If we returned 'false', both read_random(9) and chacha20_randomstir()
441 * (arc4random(9)) will blindly charge on with something almost certainly worse
442 * than what we've got, or are able to get quickly enough.
443 */
444 bool
fxrng_alg_seeded(void)445 fxrng_alg_seeded(void)
446 {
447 uint8_t hash[FXRNG_HASH_SZ];
448 sbintime_t sbt;
449
450 /* The vast majority of the time, we expect to already be seeded. */
451 if (__predict_true(atomic_load_acq_64(&fxrng_root_generation) != 0))
452 return (true);
453
454 /*
455 * Take the lock and recheck; only one thread needs to do the initial
456 * seeding work.
457 */
458 FXENT_LOCK();
459 if (atomic_load_acq_64(&fxrng_root_generation) != 0) {
460 FXENT_UNLOCK();
461 return (true);
462 }
463 /* XXX Any one-off initial seeding goes here. */
464
465 fxrng_hash_finish(&fxent_pool[0], hash, sizeof(hash));
466 fxrng_hash_init(&fxent_pool[0]);
467
468 fxrng_brng_reseed(hash, sizeof(hash));
469 FXENT_UNLOCK();
470
471 randomdev_unblock();
472 explicit_bzero(hash, sizeof(hash));
473
474 /*
475 * This may be called too early for taskqueue_thread to be initialized.
476 * fxent_pool_timer_init will detect if we've already unblocked and
477 * queue the first timer reseed at that point.
478 */
479 if (atomic_load_acq_int(&fxent_timer_ready) != 0) {
480 sbt = SBT_1S;
481 taskqueue_enqueue_timeout_sbt(taskqueue_thread,
482 &fxent_reseed_timer, -sbt, (sbt / 3), C_PREL(2));
483 }
484 return (true);
485 }
486
487 /*
488 * Timer-based reseeds and pool expansion.
489 */
490 static void
fxent_timer_reseed_npools(unsigned n)491 fxent_timer_reseed_npools(unsigned n)
492 {
493 /*
494 * 64 * 8 => moderately large 512 bytes. Could be static, as we are
495 * only used in a static context. On the other hand, this is in
496 * threadqueue TASK context and we're likely nearly at top of stack
497 * already.
498 */
499 uint8_t hash[FXRNG_HASH_SZ * FXRNG_NPOOLS];
500 unsigned i;
501
502 ASSERT_DEBUG(n > 0 && n <= FXRNG_NPOOLS, "n:%u", n);
503
504 FXENT_ASSERT();
505 /*
506 * Collect entropy from pools 0..n-1 by concatenating the output hashes
507 * and then feeding them into fxrng_brng_reseed, which will hash the
508 * aggregate together with the current root PRNG keystate to produce a
509 * new key. It will also bump the global generation counter
510 * appropriately.
511 */
512 for (i = 0; i < n; i++) {
513 fxrng_hash_finish(&fxent_pool[i], hash + i * FXRNG_HASH_SZ,
514 FXRNG_HASH_SZ);
515 fxrng_hash_init(&fxent_pool[i]);
516 }
517
518 fxrng_brng_reseed(hash, n * FXRNG_HASH_SZ);
519 explicit_bzero(hash, n * FXRNG_HASH_SZ);
520
521 /*
522 * "The first 32 bytes produced by a high entropy source after a reseed
523 * from the pools is always put in pool 0." (§ 3.4)
524 *
525 * So here we reset the tracking (somewhat naively given the majority
526 * of sources on most machines are not what we consider "high", but at
527 * 32 bytes it's smaller than a cache line), so the next 32 bytes are
528 * prioritized into pool0.
529 *
530 * See corresponding use of fxrng_reseed_seen in fxrng_event_processor.
531 */
532 memset(fxrng_reseed_seen, 0, sizeof(fxrng_reseed_seen));
533 FXENT_ASSERT();
534 }
535
536 static void
fxent_timer_reseed(void * ctx __unused,int pending __unused)537 fxent_timer_reseed(void *ctx __unused, int pending __unused)
538 {
539 static unsigned reseed_intvl_sec = 1;
540 /* Only reseeds after FXENT_RESEED_INTVL_MAX is achieved. */
541 static uint64_t reseed_number = 1;
542
543 unsigned next_ival, i, k;
544 sbintime_t sbt;
545
546 if (reseed_intvl_sec < FXENT_RESEED_INTVL_MAX) {
547 next_ival = FXENT_RESSED_INTVL_GFACT * reseed_intvl_sec;
548 if (next_ival > FXENT_RESEED_INTVL_MAX)
549 next_ival = FXENT_RESEED_INTVL_MAX;
550 FXENT_LOCK();
551 fxent_timer_reseed_npools(1);
552 FXENT_UNLOCK();
553 } else {
554 /*
555 * The creation of entropy pools beyond 0 is enabled when the
556 * reseed interval hits the maximum. (§ 3.3)
557 */
558 next_ival = reseed_intvl_sec;
559
560 /*
561 * Pool 0 is used every reseed; pool 1..0 every 3rd reseed; and in
562 * general, pool n..0 every 3^n reseeds.
563 */
564 k = reseed_number;
565 reseed_number++;
566
567 /* Count how many pools, from [0, i), to use for reseed. */
568 for (i = 1; i < MIN(fxent_nactpools + 1, FXRNG_NPOOLS); i++) {
569 if ((k % FXENT_RESEED_BASE) != 0)
570 break;
571 k /= FXENT_RESEED_BASE;
572 }
573
574 /*
575 * If we haven't activated pool i yet, activate it and only
576 * reseed from [0, i-1). (§ 3.3)
577 */
578 FXENT_LOCK();
579 if (i == fxent_nactpools + 1) {
580 fxent_timer_reseed_npools(fxent_nactpools);
581 fxent_nactpools++;
582 } else {
583 /* Just reseed from [0, i). */
584 fxent_timer_reseed_npools(i);
585 }
586 FXENT_UNLOCK();
587 }
588
589 /* Schedule the next reseed. */
590 sbt = next_ival * SBT_1S;
591 taskqueue_enqueue_timeout_sbt(taskqueue_thread, &fxent_reseed_timer,
592 -sbt, (sbt / 3), C_PREL(2));
593
594 reseed_intvl_sec = next_ival;
595 }
596
597 static void
fxent_pool_timer_init(void * dummy __unused)598 fxent_pool_timer_init(void *dummy __unused)
599 {
600 sbintime_t sbt;
601
602 TIMEOUT_TASK_INIT(taskqueue_thread, &fxent_reseed_timer, 0,
603 fxent_timer_reseed, NULL);
604
605 if (atomic_load_acq_64(&fxrng_root_generation) != 0) {
606 sbt = SBT_1S;
607 taskqueue_enqueue_timeout_sbt(taskqueue_thread,
608 &fxent_reseed_timer, -sbt, (sbt / 3), C_PREL(2));
609 }
610 atomic_store_rel_int(&fxent_timer_ready, 1);
611 }
612 /* After taskqueue_thread is initialized in SI_SUB_TASKQ:SI_ORDER_SECOND. */
613 SYSINIT(fxent_pool_timer_init, SI_SUB_TASKQ, SI_ORDER_ANY,
614 fxent_pool_timer_init, NULL);
615