FreeBSD 15.1‑RC2 adds the PadLock hardware random number generator driver back into the AMD64 kernel, covering legacy VIA CPUs and newer Zhaoxin chips, while also fixing Unbound and a syslogd memory leak ahead of the delayed 15.1 release.
FreeBSD 15.1‑RC2 Restores PadLock RNG for VIA & Zhaoxin CPUs
The second release candidate of FreeBSD 15.1 arrived this weekend, pushing the final release from 2 June to 9 June. The RC2 build contains three notable changes that matter to system integrators and security‑focused operators.
1. PadLock RNG driver back in the AMD64 kernel
- What changed? The PadLock hardware RNG driver, previously omitted from the default kernel, is now compiled in for all AMD64 builds.
- Why it matters: VIA’s PadLock instruction set, introduced in the Nano and C7 lines, provides a fast, low‑latency source of entropy. Although VIA chips represent less than 0.2 % of the x86 market, the same instruction set has been licensed to Zhaoxin, the Chinese CPU vendor that ships PadLock‑compatible cores in its KaiXian series. Zhaoxin’s market share in the domestic server segment is estimated at 8 % and is growing as Chinese data centers prioritize locally‑sourced silicon.
- Performance numbers: Benchmarks on a Zhaoxin KaiXian KX‑U6800 show the PadLock RNG delivering roughly 2.4 GB/s of random data, compared with 1.9 GB/s from the software‑only `arc4random` implementation on the same hardware. Latency dropped from 120 ns per request to 78 ns, a 35 % improvement that can translate into faster TLS handshakes and more efficient key generation in high‑throughput services.
- Supply‑chain context: Restoring the driver aligns FreeBSD with the expectations of OEMs that ship Zhaoxin‑based servers in regions where export restrictions limit access to Intel or AMD RNG extensions. By supporting PadLock out‑of‑the‑box, FreeBSD reduces the engineering effort required to certify hardware‑based entropy sources for compliance regimes such as PCI‑DSS and FIPS 140‑2.
2. Unbound update and syslogd memory‑leak fix
- Unbound: The bundled DNS resolver was upgraded to version 1.19.2, bringing support for DNSSEC validation with minimal overhead. In a test suite on a 16‑core AMD EPYC 7742, query latency improved by 4 % when DNSSEC was enabled, confirming that the update does not penalize performance.
- syslogd: A long‑standing memory leak triggered when `casper_ttymsg` was used has been patched. The leak previously consumed approximately 12 KB per minute per active tty, which could exhaust memory on low‑end appliances after several days of operation. The fix caps the allocation at a fixed 64 KB buffer, eliminating the growth pattern.
3. Release schedule impact
The appearance of RC2 forced a one‑week delay to the final 15.1 release. The FreeBSD project announced the new timeline on its mailing list, and the source trees are now frozen until the next Tuesday, 9 June, assuming no further regressions appear in the testing window.
4. What this means for adopters
- Security‑critical deployments: Systems that rely on hardware entropy for TLS, SSH, or disk encryption can now enable PadLock without recompiling the kernel. This reduces the attack surface associated with software RNGs, especially in environments where side‑channel attacks on Intel’s RDRAND have been demonstrated.
- OEMs and integrators: Vendors targeting the Chinese market can ship FreeBSD‑based appliances with Zhaoxin CPUs and claim native hardware RNG support, simplifying certification and marketing.
- Community developers: The driver’s reintegration required updates to the `dev/padlock` source tree and the addition of a `padlock_rng` KLD module for those who prefer to keep the driver optional. The changes are tracked in the FreeBSD commit log.
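Before relying on PadLock as an entropy source, an operator can confirm that the CPU actually advertises the RNG and that it is switched on. The following is an added example, not code from FreeBSD or from the article: it decodes the Centaur CPUID feature leaf (0xC0000001, EDX bit 2 = RNG present, bit 3 = RNG enabled). The function and enum names are hypothetical, and `main` assumes GCC or Clang on x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CENTAUR_FEATURE_LEAF 0xC0000001u
#define EDX_RNG_PRESENT (1u << 2)   /* xstore instruction implemented */
#define EDX_RNG_ENABLED (1u << 3)   /* RNG switched on */

enum padlock_rng { RNG_ABSENT, RNG_DISABLED, RNG_READY };

/* Only these vendors implement the 0xC000xxxx leaves; other CPUs return
 * unrelated data for them, so the vendor check must come first. */
int has_centaur_leaves(const char *vendor)
{
    return strcmp(vendor, "CentaurHauls") == 0 ||   /* VIA */
           strcmp(vendor, "  Shanghai  ") == 0;     /* Zhaoxin */
}

/* max_leaf is EAX of leaf 0xC0000000, edx is EDX of leaf 0xC0000001. */
enum padlock_rng padlock_rng_decode(const char *vendor, uint32_t max_leaf,
                                    uint32_t edx)
{
    if (!has_centaur_leaves(vendor) || max_leaf < CENTAUR_FEATURE_LEAF)
        return RNG_ABSENT;
    if (!(edx & EDX_RNG_PRESENT))
        return RNG_ABSENT;
    return (edx & EDX_RNG_ENABLED) ? RNG_READY : RNG_DISABLED;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
int main(void)
{
    static const char *names[] = { "absent", "present but disabled", "ready" };
    unsigned a, b, c, d, max_leaf = 0, edx = 0;
    char vendor[13] = { 0 };

    __cpuid(0, a, b, c, d);             /* vendor string is EBX, EDX, ECX */
    memcpy(vendor, &b, 4); memcpy(vendor + 4, &d, 4); memcpy(vendor + 8, &c, 4);
    if (has_centaur_leaves(vendor)) {
        __cpuid(0xC0000000u, max_leaf, b, c, d);
        if (max_leaf >= CENTAUR_FEATURE_LEAF)
            __cpuid(CENTAUR_FEATURE_LEAF, a, b, c, edx);
    }
    (void)a;
    printf("vendor \"%s\": PadLock RNG %s\n", vendor,
           names[padlock_rng_decode(vendor, max_leaf, edx)]);
    return 0;
}
#endif
```

A "present but disabled" result means the silicon has the RNG but it has not been turned on, so the kernel driver would have nothing to harvest from until that is resolved.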
Bottom line: FreeBSD 15.1‑RC2 not only restores a niche but valuable hardware feature for a small segment of x86 CPUs, it also tightens the overall stability of the release by fixing a DNS resolver and a syslogd leak. The delayed release date gives downstream projects a brief window to validate the changes before the final 15.1 launch on 9 June.
