]>
Commit | Line | Data |
---|---|---|
1b278294 JG |
1 | /* |
2 | * Copyright IBM Corp. 2006,2007 | |
3 | * Author(s): Jan Glauber <jan.glauber@de.ibm.com> | |
4 | * Driver for the s390 pseudo random number generator | |
5 | */ | |
6 | #include <linux/fs.h> | |
7 | #include <linux/init.h> | |
8 | #include <linux/kernel.h> | |
9 | #include <linux/miscdevice.h> | |
10 | #include <linux/module.h> | |
11 | #include <linux/moduleparam.h> | |
12 | #include <linux/random.h> | |
5a0e3ad6 | 13 | #include <linux/slab.h> |
1b278294 JG |
14 | #include <asm/debug.h> |
15 | #include <asm/uaccess.h> | |
16 | ||
17 | #include "crypt_s390.h" | |
18 | ||
19 | MODULE_LICENSE("GPL"); | |
20 | MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>"); | |
21 | MODULE_DESCRIPTION("s390 PRNG interface"); | |
22 | ||
23 | static int prng_chunk_size = 256; | |
24 | module_param(prng_chunk_size, int, S_IRUSR | S_IRGRP | S_IROTH); | |
25 | MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes"); | |
26 | ||
27 | static int prng_entropy_limit = 4096; | |
28 | module_param(prng_entropy_limit, int, S_IRUSR | S_IRGRP | S_IROTH | S_IWUSR); | |
29 | MODULE_PARM_DESC(prng_entropy_limit, | |
30 | "PRNG add entropy after that much bytes were produced"); | |
31 | ||
32 | /* | |
33 | * Any one who considers arithmetical methods of producing random digits is, | |
34 | * of course, in a state of sin. -- John von Neumann | |
35 | */ | |
36 | ||
37 | struct s390_prng_data { | |
38 | unsigned long count; /* how many bytes were produced */ | |
39 | char *buf; | |
40 | }; | |
41 | ||
42 | static struct s390_prng_data *p; | |
43 | ||
44 | /* copied from libica, use a non-zero initial parameter block */ | |
45 | static unsigned char parm_block[32] = { | |
46 | 0x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4, | |
47 | 0x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0, | |
48 | }; | |
49 | ||
50 | static int prng_open(struct inode *inode, struct file *file) | |
51 | { | |
52 | return nonseekable_open(inode, file); | |
53 | } | |
54 | ||
55 | static void prng_add_entropy(void) | |
56 | { | |
57 | __u64 entropy[4]; | |
58 | unsigned int i; | |
59 | int ret; | |
60 | ||
61 | for (i = 0; i < 16; i++) { | |
62 | ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy, | |
63 | (char *)entropy, sizeof(entropy)); | |
64 | BUG_ON(ret < 0 || ret != sizeof(entropy)); | |
65 | memcpy(parm_block, entropy, sizeof(entropy)); | |
66 | } | |
67 | } | |
68 | ||
69 | static void prng_seed(int nbytes) | |
70 | { | |
71 | char buf[16]; | |
72 | int i = 0; | |
73 | ||
74 | BUG_ON(nbytes > 16); | |
75 | get_random_bytes(buf, nbytes); | |
76 | ||
77 | /* Add the entropy */ | |
78 | while (nbytes >= 8) { | |
79 | *((__u64 *)parm_block) ^= *((__u64 *)buf+i*8); | |
80 | prng_add_entropy(); | |
81 | i += 8; | |
82 | nbytes -= 8; | |
83 | } | |
84 | prng_add_entropy(); | |
85 | } | |
86 | ||
87 | static ssize_t prng_read(struct file *file, char __user *ubuf, size_t nbytes, | |
88 | loff_t *ppos) | |
89 | { | |
90 | int chunk, n; | |
91 | int ret = 0; | |
92 | int tmp; | |
93 | ||
c2e3bbac | 94 | /* nbytes can be arbitrary length, we split it into chunks */ |
1b278294 JG |
95 | while (nbytes) { |
96 | /* same as in extract_entropy_user in random.c */ | |
97 | if (need_resched()) { | |
98 | if (signal_pending(current)) { | |
99 | if (ret == 0) | |
100 | ret = -ERESTARTSYS; | |
101 | break; | |
102 | } | |
103 | schedule(); | |
104 | } | |
105 | ||
106 | /* | |
107 | * we lose some random bytes if an attacker issues | |
108 | * reads < 8 bytes, but we don't care | |
109 | */ | |
110 | chunk = min_t(int, nbytes, prng_chunk_size); | |
111 | ||
112 | /* PRNG only likes multiples of 8 bytes */ | |
113 | n = (chunk + 7) & -8; | |
114 | ||
115 | if (p->count > prng_entropy_limit) | |
116 | prng_seed(8); | |
117 | ||
118 | /* if the CPU supports PRNG stckf is present too */ | |
119 | asm volatile(".insn s,0xb27c0000,%0" | |
120 | : "=m" (*((unsigned long long *)p->buf)) : : "cc"); | |
121 | ||
122 | /* | |
123 | * Beside the STCKF the input for the TDES-EDE is the output | |
124 | * of the last operation. We differ here from X9.17 since we | |
125 | * only store one timestamp into the buffer. Padding the whole | |
126 | * buffer with timestamps does not improve security, since | |
127 | * successive stckf have nearly constant offsets. | |
128 | * If an attacker knows the first timestamp it would be | |
129 | * trivial to guess the additional values. One timestamp | |
130 | * is therefore enough and still guarantees unique input values. | |
131 | * | |
132 | * Note: you can still get strict X9.17 conformity by setting | |
133 | * prng_chunk_size to 8 bytes. | |
134 | */ | |
135 | tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n); | |
136 | BUG_ON((tmp < 0) || (tmp != n)); | |
137 | ||
138 | p->count += n; | |
139 | ||
140 | if (copy_to_user(ubuf, p->buf, chunk)) | |
141 | return -EFAULT; | |
142 | ||
143 | nbytes -= chunk; | |
144 | ret += chunk; | |
145 | ubuf += chunk; | |
146 | } | |
147 | return ret; | |
148 | } | |
149 | ||
5c81cdbe | 150 | static const struct file_operations prng_fops = { |
1b278294 JG |
151 | .owner = THIS_MODULE, |
152 | .open = &prng_open, | |
153 | .release = NULL, | |
154 | .read = &prng_read, | |
155 | }; | |
156 | ||
157 | static struct miscdevice prng_dev = { | |
158 | .name = "prandom", | |
159 | .minor = MISC_DYNAMIC_MINOR, | |
160 | .fops = &prng_fops, | |
161 | }; | |
162 | ||
163 | static int __init prng_init(void) | |
164 | { | |
165 | int ret; | |
166 | ||
167 | /* check if the CPU has a PRNG */ | |
168 | if (!crypt_s390_func_available(KMC_PRNG)) | |
169 | return -EOPNOTSUPP; | |
170 | ||
171 | if (prng_chunk_size < 8) | |
172 | return -EINVAL; | |
173 | ||
174 | p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL); | |
175 | if (!p) | |
176 | return -ENOMEM; | |
177 | p->count = 0; | |
178 | ||
179 | p->buf = kmalloc(prng_chunk_size, GFP_KERNEL); | |
180 | if (!p->buf) { | |
181 | ret = -ENOMEM; | |
182 | goto out_free; | |
183 | } | |
184 | ||
185 | /* initialize the PRNG, add 128 bits of entropy */ | |
186 | prng_seed(16); | |
187 | ||
188 | ret = misc_register(&prng_dev); | |
d4ebabe8 | 189 | if (ret) |
1b278294 | 190 | goto out_buf; |
1b278294 JG |
191 | return 0; |
192 | ||
193 | out_buf: | |
194 | kfree(p->buf); | |
195 | out_free: | |
196 | kfree(p); | |
197 | return ret; | |
198 | } | |
199 | ||
200 | static void __exit prng_exit(void) | |
201 | { | |
202 | /* wipe me */ | |
3e75a902 | 203 | kzfree(p->buf); |
1b278294 JG |
204 | kfree(p); |
205 | ||
206 | misc_deregister(&prng_dev); | |
207 | } | |
208 | ||
209 | module_init(prng_init); | |
210 | module_exit(prng_exit); |