| #
3a129829 |
| 17-Oct-2025 |
David E. O'Brien <obrien@FreeBSD.org> |
random: add RDSEED as a provably unique entropy source
NIST SP800-90B allows for only a single entropy source to be claimed in a FIPS-140-3 certificate. In addition, only hardware sources that have a NIST Entropy Source Validation (ESV) certificate, backed by a SP800-90B Entropy Assessment Report, are usable. Intel has obtained ESV certificates for several of their processors, so RDSEED is a FIPS-140-3 suitable entropy source.
However, even though RDRAND is seeded by RDSEED internally, RDRAND would need a RBG certificate and CAVP testing run on the DRBG in order to use it for FIPS-140-3 (SP800-90B) purposes. So we need to know down in the CSPRNG-subsystem which source the entropy came from.
In light of the potential issues surrounding AMD Zen 5 CPU's RDSEED implementation[*], allow RDSEED to be disabled in loader.conf.
[*] https://www.phoronix.com/news/AMD-EPYC-Turin-RDSEED-Bug
Reviewed by: cem
MFC after: 3 days
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D53150