Hey Conrad,

On Fri, Mar 08, 2019 at 01:17:20AM +0000, Conrad Meyer wrote:
> Author: cem
> Date: Fri Mar 8 01:17:20 2019
> New Revision: 344913
> URL: https://svnweb.freebsd.org/changeset/base/344913
>
> Log:
> Fortuna: Add Chacha20 as an alternative stream cipher
>
> Chacha20 with a 256 bit key and 128 bit counter size is a good match for an
> AES256-ICM replacement.
>
> In userspace, Chacha20 is typically marginally slower than AES-ICM on
> machines with AESNI intrinsics, but typically much faster than AES on
> machines without special intrinsics. ChaCha20 does well on typical modern
> architectures with SIMD instructions, which includes most types of machines
> FreeBSD runs on.
>
> In the kernel, we can't (or don't) make use of AESNI intrinsics for
> random(4) anyway. So even on amd64, using Chacha provides a modest
> performance improvement in random device throughput today.
>
> This change makes the stream cipher used by random(4) configurable at boot
> time with the 'kern.random.use_chacha20_cipher' tunable.
>
> Very rough, non-scientific measurements at the /dev/random device, on a
> GENERIC-NODEBUG amd64 VM with 'pv', show a factor of 2.2x higher throughput
> for Chacha20 over the existing AES-ICM mode.
>
> Reviewed by: delphij, markm
> Approved by: secteam (delphij)
> Differential Revision: https://reviews.freebsd.org/D19475
>
> Modified:
> head/sys/dev/random/fortuna.c
> head/sys/dev/random/hash.c
> head/sys/dev/random/hash.h
> head/sys/dev/random/uint128.h
>
> Modified: head/sys/dev/random/hash.c > ============================================================================== > --- head/sys/dev/random/hash.c Fri Mar 8 01:04:19 2019 > (r344912) > +++ head/sys/dev/random/hash.c Fri Mar 8 01:17:20 2019 > (r344913) > +/* Validate that full Chacha IV is as large as the 128-bit counter */ > +_Static_assert(CHACHA_STATELEN == RANDOM_BLOCKSIZE, ""); > + > +/* > + * Experimental Chacha20-based PRF for Fortuna keystream primitive.
For now, > + * disabled by default. But we may enable it in the future. > + * > + * Benefits include somewhat faster keystream generation compared with > + * unaccelerated AES-ICM. > + */ > +bool random_chachamode = false; > +#ifdef _KERNEL > +SYSCTL_BOOL(_kern_random, OID_AUTO, use_chacha20_cipher, CTLFLAG_RDTUN, > + &random_chachamode, 0, > + "If non-zero, use the ChaCha20 cipher for randomdev PRF. " > + "If zero, use AES-ICM cipher for randomdev PRF (default)."); > +#endif
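Review bot: the `_Static_assert(CHACHA_STATELEN == RANDOM_BLOCKSIZE, "")` at the top of the hunk has an empty message; give it text such as "ChaCha IV must be as wide as the 128-bit Fortuna counter" so a build on a configuration where the two sizes differ fails with a diagnostic that explains itself. The SYSCTL_BOOL description could also state that, being CTLFLAG_RDTUN, the knob is a read-only loader tunable that takes effect only at boot, which is what the log's "configurable at boot time" means and what an operator reading `sysctl -d` would want to know; and since this sysctl is the only user-visible switch for the new PRF, the random(4) manual page should mention kern.random.use_chacha20_cipher together with its AES-ICM default.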
I'm curious if that sysctl node could be documented in a manpage; perhaps
the random(4) manpage would be a good candidate for updating.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: latt...@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
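As an added illustration of the construction the quoted log describes (this is not FreeBSD's code and not part of the commit above): a ChaCha20 keystream generator keyed with 256 bits and driven by a 128-bit counter that occupies the whole 16-byte IV, which is the relationship the `CHACHA_STATELEN == RANDOM_BLOCKSIZE` assertion pins down. The page does not show how FreeBSD lays its uint128 counter into the ChaCha state, so the little-endian mapping here is an assumption; the RFC 8439 block vector is used as the self-check.

```c
#include <stdint.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) \
    a += b; d ^= a; d = ROTL32(d, 16); c += d; b ^= c; b = ROTL32(b, 12); \
    a += b; d ^= a; d = ROTL32(d, 8);  c += d; b ^= c; b = ROTL32(b, 7)
static uint32_t le32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* One ChaCha20 block: 256-bit key + 128-bit counter -> 64 bytes of keystream. The whole 16-byte
 * counter fills state words 12..15 (RFC 8439's block count + nonce as one LE integer; assumed layout). */
static void chacha20_block(const uint8_t key[32], const uint8_t ctr[16], uint8_t out[64])
{
    uint32_t s[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 }, x[16];
    int i;
    for (i = 0; i < 8; i++) s[4 + i] = le32(key + 4 * i);
    for (i = 0; i < 4; i++) s[12 + i] = le32(ctr + 4 * i);
    memcpy(x, s, sizeof x);
    for (i = 0; i < 10; i++) {                          /* 20 rounds = 10 double rounds */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (i = 0; i < 16; i++) {                          /* add the initial state back, serialize LE */
        uint32_t v = x[i] + s[i];
        out[4*i] = v; out[4*i+1] = v >> 8; out[4*i+2] = v >> 16; out[4*i+3] = v >> 24;
    }
}
/* Advance the 128-bit little-endian counter by one, carrying through all 16 bytes. */
static void ctr128_inc(uint8_t ctr[16]) { for (int i = 0; i < 16 && ++ctr[i] == 0; i++) { } }

/* Generator step as Fortuna does it: one keystream block per counter value, then count up. */
static void gen_blocks(const uint8_t key[32], uint8_t ctr[16], uint8_t *out, int nblocks)
{
    for (int b = 0; b < nblocks; b++, out += 64) { chacha20_block(key, ctr, out); ctr128_inc(ctr); }
}

/* Self-check against the RFC 8439 section 2.3.2 block vector (key 00..1f, block count 1,
 * nonce 00:00:00:09:00:00:00:4a:00:00:00:00) plus a carry across byte 7; returns 1 if both hold. */
static int selftest(void)
{
    static const uint8_t want[16] = { 0x10,0xf1,0xe7,0xe4,0xd1,0x3b,0x59,0x15,0x50,0x0f,0xdd,0x1f,0xa3,0x20,0x71,0xc4 };
    uint8_t key[32], ctr[16] = { 1,0,0,0, 0,0,0,9, 0,0,0,0x4a, 0,0,0,0 }, out[128];
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    gen_blocks(key, ctr, out, 2);
    if (memcmp(out, want, 16) != 0 || memcmp(out, out + 64, 64) == 0) return 0;
    memset(ctr, 0xff, 8); memset(ctr + 8, 0, 8); ctr128_inc(ctr);
    return ctr[0] == 0 && ctr[7] == 0 && ctr[8] == 1;
}
```

The carry check in `selftest` is the reason the full 16-byte IV matters: with only a 64-bit block counter the generator would wrap long before Fortuna's 128-bit counter does.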