[mirror_ubuntu-bionic-kernel.git] / arch / s390 / crypto / prng.c

/*
 * Copyright IBM Corp. 2006,2007
 * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
 * Driver for the s390 pseudo random number generator
 */
#include <linux/fs.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/miscdevice.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/random.h>
#include <linux/slab.h>
#include <asm/debug.h>
#include <asm/uaccess.h>

#include "crypt_s390.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>");
MODULE_DESCRIPTION("s390 PRNG interface");

static int prng_chunk_size = 256;
module_param(prng_chunk_size, int, S_IRUSR | S_IRGRP | S_IROTH);
MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");

static int prng_entropy_limit = 4096;
module_param(prng_entropy_limit, int, S_IRUSR | S_IRGRP | S_IROTH | S_IWUSR);
MODULE_PARM_DESC(prng_entropy_limit,
	"PRNG add entropy after that much bytes were produced");

/*
 * Any one who considers arithmetical methods of producing random digits is,
 * of course, in a state of sin. -- John von Neumann
 */

struct s390_prng_data {
	unsigned long count; /* how many bytes were produced */
	char *buf;
};

static struct s390_prng_data *p;

/* copied from libica, use a non-zero initial parameter block */
static unsigned char parm_block[32] = {
0x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4,
0x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0,
};

static int prng_open(struct inode *inode, struct file *file)
{
	return nonseekable_open(inode, file);
}

static void prng_add_entropy(void)
{
	__u64 entropy[4];
	unsigned int i;
	int ret;

	for (i = 0; i < 16; i++) {
		ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy,
				     (char *)entropy, sizeof(entropy));
		BUG_ON(ret < 0 || ret != sizeof(entropy));
		memcpy(parm_block, entropy, sizeof(entropy));
	}
}

static void prng_seed(int nbytes)
{
	char buf[16];
	int i = 0;

	BUG_ON(nbytes > 16);
	get_random_bytes(buf, nbytes);

	/* Add the entropy */
	while (nbytes >= 8) {
		*((__u64 *)parm_block) ^= *((__u64 *)buf+i*8);
		prng_add_entropy();
		i += 8;
		nbytes -= 8;
	}
	prng_add_entropy();
}

static ssize_t prng_read(struct file *file, char __user *ubuf, size_t nbytes,
			 loff_t *ppos)
{
	int chunk, n;
	int ret = 0;
	int tmp;

	/* nbytes can be arbitrary length, we split it into chunks */
	while (nbytes) {
		/* same as in extract_entropy_user in random.c */
		if (need_resched()) {
			if (signal_pending(current)) {
				if (ret == 0)
					ret = -ERESTARTSYS;
				break;
			}
			schedule();
		}

		/*
		 * we lose some random bytes if an attacker issues
		 * reads < 8 bytes, but we don't care
		 */
		chunk = min_t(int, nbytes, prng_chunk_size);

		/* PRNG only likes multiples of 8 bytes */
		n = (chunk + 7) & -8;

		if (p->count > prng_entropy_limit)
			prng_seed(8);

		/* if the CPU supports PRNG stckf is present too */
		asm volatile(".insn     s,0xb27c0000,%0"
			     : "=m" (*((unsigned long long *)p->buf)) : : "cc");

		/*
		 * Beside the STCKF the input for the TDES-EDE is the output
		 * of the last operation. We differ here from X9.17 since we
		 * only store one timestamp into the buffer. Padding the whole
		 * buffer with timestamps does not improve security, since
		 * successive stckf have nearly constant offsets.
		 * If an attacker knows the first timestamp it would be
		 * trivial to guess the additional values. One timestamp
		 * is therefore enough and still guarantees unique input values.
		 *
		 * Note: you can still get strict X9.17 conformity by setting
		 * prng_chunk_size to 8 bytes.
		*/
		tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n);
		BUG_ON((tmp < 0) || (tmp != n));

		p->count += n;

		if (copy_to_user(ubuf, p->buf, chunk))
			return -EFAULT;

		nbytes -= chunk;
		ret += chunk;
		ubuf += chunk;
	}
	return ret;
}

static const struct file_operations prng_fops = {
	.owner		= THIS_MODULE,
	.open		= &prng_open,
	.release	= NULL,
	.read		= &prng_read,
};

static struct miscdevice prng_dev = {
	.name	= "prandom",
	.minor	= MISC_DYNAMIC_MINOR,
	.fops	= &prng_fops,
};

static int __init prng_init(void)
{
	int ret;

	/* check if the CPU has a PRNG */
	if (!crypt_s390_func_available(KMC_PRNG))
		return -EOPNOTSUPP;

	if (prng_chunk_size < 8)
		return -EINVAL;

	p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL);
	if (!p)
		return -ENOMEM;
	p->count = 0;

	p->buf = kmalloc(prng_chunk_size, GFP_KERNEL);
	if (!p->buf) {
		ret = -ENOMEM;
		goto out_free;
	}

	/* initialize the PRNG, add 128 bits of entropy */
	prng_seed(16);

	ret = misc_register(&prng_dev);
	if (ret)
		goto out_buf;
	return 0;

out_buf:
	kfree(p->buf);
out_free:
	kfree(p);
	return ret;
}

static void __exit prng_exit(void)
{
	/* wipe me */
	kzfree(p->buf);
	kfree(p);

	misc_deregister(&prng_dev);
}

module_init(prng_init);
module_exit(prng_exit);
Commit	Line	Data
1b278294 JG	1	/*
	2	* Copyright IBM Corp. 2006,2007
	3	* Author(s): Jan Glauber <jan.glauber@de.ibm.com>
	4	* Driver for the s390 pseudo random number generator
	5	*/
	6	#include <linux/fs.h>
	7	#include <linux/init.h>
	8	#include <linux/kernel.h>
	9	#include <linux/miscdevice.h>
	10	#include <linux/module.h>
	11	#include <linux/moduleparam.h>
	12	#include <linux/random.h>
5a0e3ad6	13	#include <linux/slab.h>
1b278294 JG	14	#include <asm/debug.h>
	15	#include <asm/uaccess.h>
	16
	17	#include "crypt_s390.h"
	18
	19	MODULE_LICENSE("GPL");
	20	MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>");
	21	MODULE_DESCRIPTION("s390 PRNG interface");
	22
	23	static int prng_chunk_size = 256;
	24	module_param(prng_chunk_size, int, S_IRUSR \| S_IRGRP \| S_IROTH);
	25	MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
	26
	27	static int prng_entropy_limit = 4096;
	28	module_param(prng_entropy_limit, int, S_IRUSR \| S_IRGRP \| S_IROTH \| S_IWUSR);
	29	MODULE_PARM_DESC(prng_entropy_limit,
	30	"PRNG add entropy after that much bytes were produced");
	31
	32	/*
	33	* Any one who considers arithmetical methods of producing random digits is,
	34	* of course, in a state of sin. -- John von Neumann
	35	*/
	36
	37	struct s390_prng_data {
	38	unsigned long count; /* how many bytes were produced */
	39	char *buf;
	40	};
	41
	42	static struct s390_prng_data *p;
	43
	44	/* copied from libica, use a non-zero initial parameter block */
	45	static unsigned char parm_block[32] = {
	46	0x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4,
	47	0x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0,
	48	};
	49
	50	static int prng_open(struct inode inode, struct file file)
	51	{
	52	return nonseekable_open(inode, file);
	53	}
	54
	55	static void prng_add_entropy(void)
	56	{
	57	__u64 entropy[4];
	58	unsigned int i;
	59	int ret;
	60
	61	for (i = 0; i < 16; i++) {
	62	ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy,
	63	(char *)entropy, sizeof(entropy));
	64	BUG_ON(ret < 0 \|\| ret != sizeof(entropy));
	65	memcpy(parm_block, entropy, sizeof(entropy));
	66	}
	67	}
	68
	69	static void prng_seed(int nbytes)
	70	{
	71	char buf[16];
	72	int i = 0;
	73
	74	BUG_ON(nbytes > 16);
	75	get_random_bytes(buf, nbytes);
	76
	77	/* Add the entropy */
78	while (nbytes >= 8) {
79	((__u64 )parm_block) ^= ((__u64 )buf+i*8);
80	prng_add_entropy();
81	i += 8;
82	nbytes -= 8;
83	}
84	prng_add_entropy();
85	}
86
87	static ssize_t prng_read(struct file file, char __user ubuf, size_t nbytes,
88	loff_t *ppos)
89	{
90	int chunk, n;
91	int ret = 0;
92	int tmp;
93
c2e3bbac	94	/* nbytes can be arbitrary length, we split it into chunks */
1b278294 JG	95	while (nbytes) {
	96	/* same as in extract_entropy_user in random.c */
	97	if (need_resched()) {
	98	if (signal_pending(current)) {
	99	if (ret == 0)
	100	ret = -ERESTARTSYS;
	101	break;
	102	}
	103	schedule();
	104	}
	105
	106	/*
	107	* we lose some random bytes if an attacker issues
	108	* reads < 8 bytes, but we don't care
	109	*/
	110	chunk = min_t(int, nbytes, prng_chunk_size);
	111
	112	/* PRNG only likes multiples of 8 bytes */
	113	n = (chunk + 7) & -8;
	114
	115	if (p->count > prng_entropy_limit)
	116	prng_seed(8);
	117
	118	/* if the CPU supports PRNG stckf is present too */
	119	asm volatile(".insn s,0xb27c0000,%0"
	120	: "=m" (((unsigned long long )p->buf)) : : "cc");
	121
	122	/*
	123	* Beside the STCKF the input for the TDES-EDE is the output
	124	* of the last operation. We differ here from X9.17 since we
	125	* only store one timestamp into the buffer. Padding the whole
	126	* buffer with timestamps does not improve security, since
	127	* successive stckf have nearly constant offsets.
	128	* If an attacker knows the first timestamp it would be
	129	* trivial to guess the additional values. One timestamp
	130	* is therefore enough and still guarantees unique input values.
	131	*
	132	* Note: you can still get strict X9.17 conformity by setting
	133	* prng_chunk_size to 8 bytes.
	134	*/
	135	tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n);
	136	BUG_ON((tmp < 0) \|\| (tmp != n));
	137
	138	p->count += n;
	139
	140	if (copy_to_user(ubuf, p->buf, chunk))
	141	return -EFAULT;
	142
	143	nbytes -= chunk;
	144	ret += chunk;
	145	ubuf += chunk;
	146	}
	147	return ret;
	148	}
	149
5c81cdbe	150	static const struct file_operations prng_fops = {
1b278294 JG	151	.owner = THIS_MODULE,
	152	.open = &prng_open,
	153	.release = NULL,
	154	.read = &prng_read,
	155	};
	156
	157	static struct miscdevice prng_dev = {
	158	.name = "prandom",
	159	.minor = MISC_DYNAMIC_MINOR,
	160	.fops = &prng_fops,
	161	};
	162
	163	static int __init prng_init(void)
	164	{
	165	int ret;
	166
	167	/* check if the CPU has a PRNG */
	168	if (!crypt_s390_func_available(KMC_PRNG))
	169	return -EOPNOTSUPP;
	170
	171	if (prng_chunk_size < 8)
	172	return -EINVAL;
	173
	174	p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL);
	175	if (!p)
	176	return -ENOMEM;
	177	p->count = 0;
	178
	179	p->buf = kmalloc(prng_chunk_size, GFP_KERNEL);
	180	if (!p->buf) {
	181	ret = -ENOMEM;
	182	goto out_free;
	183	}
	184
	185	/* initialize the PRNG, add 128 bits of entropy */
	186	prng_seed(16);
	187
	188	ret = misc_register(&prng_dev);
d4ebabe8	189	if (ret)
1b278294	190	goto out_buf;
1b278294 JG	191	return 0;
	192
	193	out_buf:
	194	kfree(p->buf);
	195	out_free:
	196	kfree(p);
	197	return ret;
	198	}
	199
	200	static void __exit prng_exit(void)
	201	{
	202	/* wipe me */
3e75a902	203	kzfree(p->buf);
1b278294 JG	204	kfree(p);
	205
	206	misc_deregister(&prng_dev);
	207	}
	208
	209	module_init(prng_init);
	210	module_exit(prng_exit);