]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - crypto/jitterentropy.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
crypto: jitterentropy - add jitterentropy RNG
[mirror_ubuntu-bionic-kernel.git] / crypto / jitterentropy.c
CommitLineData
bb5530e4
SM		 1/*
2 * Non-physical true random number generator based on timing jitter.
3 *
4 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
5 *
6 * Design
7 * ======
8 *
9 * See http://www.chronox.de/jent.html
10 *
11 * License
12 * =======
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, and the entire permission notice in its entirety,
19 * including the disclaimer of warranties.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. The name of the author may not be used to endorse or promote
24 * products derived from this software without specific prior
25 * written permission.
26 *
27 * ALTERNATIVELY, this product may be distributed under the terms of
28 * the GNU General Public License, in which case the provisions of the GPL2 are
29 * required INSTEAD OF the above restrictions. (This clause is
30 * necessary due to a potential bad interaction between the GPL and
31 * the restrictions contained in a BSD-style copyright.)
32 *
33 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
34 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
35 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
36 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
37 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
38 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
39 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
40 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
41 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
42 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
43 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
44 * DAMAGE.
45 */
46
47/*
48 * This Jitterentropy RNG is based on the jitterentropy library
49 * version 1.1.0 provided at http://www.chronox.de/jent.html
50 */
51
52#include <linux/module.h>
53#include <linux/slab.h>
54#include <linux/module.h>
55#include <linux/fips.h>
56#include <linux/time.h>
57#include <linux/crypto.h>
58#include <crypto/internal/rng.h>
59
60#ifdef __OPTIMIZE__
61 #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c."
62#endif
63
64/* The entropy pool */
65struct rand_data {
66 /* all data values that are vital to maintain the security
67 * of the RNG are marked as SENSITIVE. A user must not
68 * access that information while the RNG executes its loops to
69 * calculate the next random value. */
70 __u64 data; /* SENSITIVE Actual random number */
71 __u64 old_data; /* SENSITIVE Previous random number */
72 __u64 prev_time; /* SENSITIVE Previous time stamp */
73#define DATA_SIZE_BITS ((sizeof(__u64)) * 8)
74 __u64 last_delta; /* SENSITIVE stuck test */
75 __s64 last_delta2; /* SENSITIVE stuck test */
76 unsigned int stuck:1; /* Time measurement stuck */
77 unsigned int osr; /* Oversample rate */
78 unsigned int stir:1; /* Post-processing stirring */
79 unsigned int disable_unbias:1; /* Deactivate Von-Neuman unbias */
80#define JENT_MEMORY_BLOCKS 64
81#define JENT_MEMORY_BLOCKSIZE 32
82#define JENT_MEMORY_ACCESSLOOPS 128
83#define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE)
84 unsigned char *mem; /* Memory access location with size of
85 * memblocks * memblocksize */
86 unsigned int memlocation; /* Pointer to byte in *mem */
87 unsigned int memblocks; /* Number of memory blocks in *mem */
88 unsigned int memblocksize; /* Size of one memory block in bytes */
89 unsigned int memaccessloops; /* Number of memory accesses per random
90 * bit generation */
91};
92
93/* Flags that can be used to initialize the RNG */
94#define JENT_DISABLE_STIR (1<<0) /* Disable stirring the entropy pool */
95#define JENT_DISABLE_UNBIAS (1<<1) /* Disable the Von-Neuman Unbiaser */
96#define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more
97 * entropy, saves MEMORY_SIZE RAM for
98 * entropy collector */
99
100#define DRIVER_NAME "jitterentropy"
101
102/* -- error codes for init function -- */
103#define JENT_ENOTIME 1 /* Timer service not available */
104#define JENT_ECOARSETIME 2 /* Timer too coarse for RNG */
105#define JENT_ENOMONOTONIC 3 /* Timer is not monotonic increasing */
106#define JENT_EMINVARIATION 4 /* Timer variations too small for RNG */
107#define JENT_EVARVAR 5 /* Timer does not produce variations of
108 * variations (2nd derivation of time is
109 * zero). */
110#define JENT_EMINVARVAR 6 /* Timer variations of variations is tooi
111 * small. */
112
113/***************************************************************************
114 * Helper functions
115 ***************************************************************************/
116
117static inline void jent_get_nstime(__u64 *out)
118{
119 struct timespec ts;
120 __u64 tmp = 0;
121
122 tmp = random_get_entropy();
123
124 /*
125 * If random_get_entropy does not return a value (which is possible on,
126 * for example, MIPS), invoke __getnstimeofday
127 * hoping that there are timers we can work with.
128 *
129 * The list of available timers can be obtained from
130 * /sys/devices/system/clocksource/clocksource0/available_clocksource
131 * and are registered with clocksource_register()
132 */
133 if ((0 == tmp) &&
134#ifndef MODULE
135 (0 == timekeeping_valid_for_hres()) &&
136#endif
137 (0 == __getnstimeofday(&ts))) {
138 tmp = ts.tv_sec;
139 tmp = tmp << 32;
140 tmp = tmp | ts.tv_nsec;
141 }
142
143 *out = tmp;
144}
145
146
147/**
148 * Update of the loop count used for the next round of
149 * an entropy collection.
150 *
151 * Input:
152 * @ec entropy collector struct -- may be NULL
153 * @bits is the number of low bits of the timer to consider
154 * @min is the number of bits we shift the timer value to the right at
155 * the end to make sure we have a guaranteed minimum value
156 *
157 * @return Newly calculated loop counter
158 */
159static __u64 jent_loop_shuffle(struct rand_data *ec,
160 unsigned int bits, unsigned int min)
161{
162 __u64 time = 0;
163 __u64 shuffle = 0;
164 unsigned int i = 0;
165 unsigned int mask = (1<<bits) - 1;
166
167 jent_get_nstime(&time);
168 /*
169 * mix the current state of the random number into the shuffle
170 * calculation to balance that shuffle a bit more
171 */
172 if (ec)
173 time ^= ec->data;
174 /*
175 * we fold the time value as much as possible to ensure that as many
176 * bits of the time stamp are included as possible
177 */
178 for (i = 0; (DATA_SIZE_BITS / bits) > i; i++) {
179 shuffle ^= time & mask;
180 time = time >> bits;
181 }
182
183 /*
184 * We add a lower boundary value to ensure we have a minimum
185 * RNG loop count.
186 */
187 return (shuffle + (1<<min));
188}
189
190/***************************************************************************
191 * Noise sources
192 ***************************************************************************/
193
194/**
195 * CPU Jitter noise source -- this is the noise source based on the CPU
196 * execution time jitter
197 *
198 * This function folds the time into one bit units by iterating
199 * through the DATA_SIZE_BITS bit time value as follows: assume our time value
200 * is 0xabcd
201 * 1st loop, 1st shift generates 0xd000
202 * 1st loop, 2nd shift generates 0x000d
203 * 2nd loop, 1st shift generates 0xcd00
204 * 2nd loop, 2nd shift generates 0x000c
205 * 3rd loop, 1st shift generates 0xbcd0
206 * 3rd loop, 2nd shift generates 0x000b
207 * 4th loop, 1st shift generates 0xabcd
208 * 4th loop, 2nd shift generates 0x000a
209 * Now, the values at the end of the 2nd shifts are XORed together.
210 *
211 * The code is deliberately inefficient and shall stay that way. This function
212 * is the root cause why the code shall be compiled without optimization. This
213 * function not only acts as folding operation, but this function's execution
214 * is used to measure the CPU execution time jitter. Any change to the loop in
215 * this function implies that careful retesting must be done.
216 *
217 * Input:
218 * @ec entropy collector struct -- may be NULL
219 * @time time stamp to be folded
220 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
221 * loops to perform the folding
222 *
223 * Output:
224 * @folded result of folding operation
225 *
226 * @return Number of loops the folding operation is performed
227 */
228static __u64 jent_fold_time(struct rand_data *ec, __u64 time,
229 __u64 *folded, __u64 loop_cnt)
230{
231 unsigned int i;
232 __u64 j = 0;
233 __u64 new = 0;
234#define MAX_FOLD_LOOP_BIT 4
235#define MIN_FOLD_LOOP_BIT 0
236 __u64 fold_loop_cnt =
237 jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT);
238
239 /*
240 * testing purposes -- allow test app to set the counter, not
241 * needed during runtime
242 */
243 if (loop_cnt)
244 fold_loop_cnt = loop_cnt;
245 for (j = 0; j < fold_loop_cnt; j++) {
246 new = 0;
247 for (i = 1; (DATA_SIZE_BITS) >= i; i++) {
248 __u64 tmp = time << (DATA_SIZE_BITS - i);
249
250 tmp = tmp >> (DATA_SIZE_BITS - 1);
251 new ^= tmp;
252 }
253 }
254 *folded = new;
255 return fold_loop_cnt;
256}
257
258/**
259 * Memory Access noise source -- this is a noise source based on variations in
260 * memory access times
261 *
262 * This function performs memory accesses which will add to the timing
263 * variations due to an unknown amount of CPU wait states that need to be
264 * added when accessing memory. The memory size should be larger than the L1
265 * caches as outlined in the documentation and the associated testing.
266 *
267 * The L1 cache has a very high bandwidth, albeit its access rate is usually
268 * slower than accessing CPU registers. Therefore, L1 accesses only add minimal
269 * variations as the CPU has hardly to wait. Starting with L2, significant
270 * variations are added because L2 typically does not belong to the CPU any more
271 * and therefore a wider range of CPU wait states is necessary for accesses.
272 * L3 and real memory accesses have even a wider range of wait states. However,
273 * to reliably access either L3 or memory, the ec->mem memory must be quite
274 * large which is usually not desirable.
275 *
276 * Input:
277 * @ec Reference to the entropy collector with the memory access data -- if
278 * the reference to the memory block to be accessed is NULL, this noise
279 * source is disabled
280 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
281 * loops to perform the folding
282 *
283 * @return Number of memory access operations
284 */
285static unsigned int jent_memaccess(struct rand_data *ec, __u64 loop_cnt)
286{
287 unsigned char *tmpval = NULL;
288 unsigned int wrap = 0;
289 __u64 i = 0;
290#define MAX_ACC_LOOP_BIT 7
291#define MIN_ACC_LOOP_BIT 0
292 __u64 acc_loop_cnt =
293 jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);
294
295 if (NULL == ec || NULL == ec->mem)
296 return 0;
297 wrap = ec->memblocksize * ec->memblocks;
298
299 /*
300 * testing purposes -- allow test app to set the counter, not
301 * needed during runtime
302 */
303 if (loop_cnt)
304 acc_loop_cnt = loop_cnt;
305
306 for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {
307 tmpval = ec->mem + ec->memlocation;
308 /*
309 * memory access: just add 1 to one byte,
310 * wrap at 255 -- memory access implies read
311 * from and write to memory location
312 */
313 *tmpval = (*tmpval + 1) & 0xff;
314 /*
315 * Addition of memblocksize - 1 to pointer
316 * with wrap around logic to ensure that every
317 * memory location is hit evenly
318 */
319 ec->memlocation = ec->memlocation + ec->memblocksize - 1;
320 ec->memlocation = ec->memlocation % wrap;
321 }
322 return i;
323}
324
325/***************************************************************************
326 * Start of entropy processing logic
327 ***************************************************************************/
328
329/**
330 * Stuck test by checking the:
331 * 1st derivation of the jitter measurement (time delta)
332 * 2nd derivation of the jitter measurement (delta of time deltas)
333 * 3rd derivation of the jitter measurement (delta of delta of time deltas)
334 *
335 * All values must always be non-zero.
336 *
337 * Input:
338 * @ec Reference to entropy collector
339 * @current_delta Jitter time delta
340 *
341 * @return
342 * 0 jitter measurement not stuck (good bit)
343 * 1 jitter measurement stuck (reject bit)
344 */
345static void jent_stuck(struct rand_data *ec, __u64 current_delta)
346{
347 __s64 delta2 = ec->last_delta - current_delta;
348 __s64 delta3 = delta2 - ec->last_delta2;
349
350 ec->last_delta = current_delta;
351 ec->last_delta2 = delta2;
352
353 if (!current_delta || !delta2 || !delta3)
354 ec->stuck = 1;
355}
356
357/**
358 * This is the heart of the entropy generation: calculate time deltas and
359 * use the CPU jitter in the time deltas. The jitter is folded into one
360 * bit. You can call this function the "random bit generator" as it
361 * produces one random bit per invocation.
362 *
363 * WARNING: ensure that ->prev_time is primed before using the output
364 * of this function! This can be done by calling this function
365 * and not using its result.
366 *
367 * Input:
368 * @entropy_collector Reference to entropy collector
369 *
370 * @return One random bit
371 */
372static __u64 jent_measure_jitter(struct rand_data *ec)
373{
374 __u64 time = 0;
375 __u64 data = 0;
376 __u64 current_delta = 0;
377
378 /* Invoke one noise source before time measurement to add variations */
379 jent_memaccess(ec, 0);
380
381 /*
382 * Get time stamp and calculate time delta to previous
383 * invocation to measure the timing variations
384 */
385 jent_get_nstime(&time);
386 current_delta = time - ec->prev_time;
387 ec->prev_time = time;
388
389 /* Now call the next noise sources which also folds the data */
390 jent_fold_time(ec, current_delta, &data, 0);
391
392 /*
393 * Check whether we have a stuck measurement. The enforcement
394 * is performed after the stuck value has been mixed into the
395 * entropy pool.
396 */
397 jent_stuck(ec, current_delta);
398
399 return data;
400}
401
402/**
403 * Von Neuman unbias as explained in RFC 4086 section 4.2. As shown in the
404 * documentation of that RNG, the bits from jent_measure_jitter are considered
405 * independent which implies that the Von Neuman unbias operation is applicable.
406 * A proof of the Von-Neumann unbias operation to remove skews is given in the
407 * document "A proposal for: Functionality classes for random number
408 * generators", version 2.0 by Werner Schindler, section 5.4.1.
409 *
410 * Input:
411 * @entropy_collector Reference to entropy collector
412 *
413 * @return One random bit
414 */
415static __u64 jent_unbiased_bit(struct rand_data *entropy_collector)
416{
417 do {
418 __u64 a = jent_measure_jitter(entropy_collector);
419 __u64 b = jent_measure_jitter(entropy_collector);
420
421 if (a == b)
422 continue;
423 if (1 == a)
424 return 1;
425 else
426 return 0;
427 } while (1);
428}
429
430/**
431 * Shuffle the pool a bit by mixing some value with a bijective function (XOR)
432 * into the pool.
433 *
434 * The function generates a mixer value that depends on the bits set and the
435 * location of the set bits in the random number generated by the entropy
436 * source. Therefore, based on the generated random number, this mixer value
437 * can have 2**64 different values. That mixer value is initialized with the
438 * first two SHA-1 constants. After obtaining the mixer value, it is XORed into
439 * the random number.
440 *
441 * The mixer value is not assumed to contain any entropy. But due to the XOR
442 * operation, it can also not destroy any entropy present in the entropy pool.
443 *
444 * Input:
445 * @entropy_collector Reference to entropy collector
446 */
447static void jent_stir_pool(struct rand_data *entropy_collector)
448{
449 /*
450 * to shut up GCC on 32 bit, we have to initialize the 64 variable
451 * with two 32 bit variables
452 */
453 union c {
454 __u64 u64;
455 __u32 u32[2];
456 };
457 /*
458 * This constant is derived from the first two 32 bit initialization
459 * vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1
460 */
461 union c constant;
462 /*
463 * The start value of the mixer variable is derived from the third
464 * and fourth 32 bit initialization vector of SHA-1 as defined in
465 * FIPS 180-4 section 5.3.1
466 */
467 union c mixer;
468 unsigned int i = 0;
469
470 /*
471 * Store the SHA-1 constants in reverse order to make up the 64 bit
472 * value -- this applies to a little endian system, on a big endian
473 * system, it reverses as expected. But this really does not matter
474 * as we do not rely on the specific numbers. We just pick the SHA-1
475 * constants as they have a good mix of bit set and unset.
476 */
477 constant.u32[1] = 0x67452301;
478 constant.u32[0] = 0xefcdab89;
479 mixer.u32[1] = 0x98badcfe;
480 mixer.u32[0] = 0x10325476;
481
482 for (i = 0; i < DATA_SIZE_BITS; i++) {
483 /*
484 * get the i-th bit of the input random number and only XOR
485 * the constant into the mixer value when that bit is set
486 */
487 if ((entropy_collector->data >> i) & 1)
488 mixer.u64 ^= constant.u64;
489 mixer.u64 = rol64(mixer.u64, 1);
490 }
491 entropy_collector->data ^= mixer.u64;
492}
493
494/**
495 * Generator of one 64 bit random number
496 * Function fills rand_data->data
497 *
498 * Input:
499 * @ec Reference to entropy collector
500 */
501static void jent_gen_entropy(struct rand_data *ec)
502{
503 unsigned int k = 0;
504
505 /* priming of the ->prev_time value */
506 jent_measure_jitter(ec);
507
508 while (1) {
509 __u64 data = 0;
510
511 if (ec->disable_unbias == 1)
512 data = jent_measure_jitter(ec);
513 else
514 data = jent_unbiased_bit(ec);
515
516 /* enforcement of the jent_stuck test */
517 if (ec->stuck) {
518 /*
519 * We only mix in the bit considered not appropriate
520 * without the LSFR. The reason is that if we apply
521 * the LSFR and we do not rotate, the 2nd bit with LSFR
522 * will cancel out the first LSFR application on the
523 * bad bit.
524 *
525 * And we do not rotate as we apply the next bit to the
526 * current bit location again.
527 */
528 ec->data ^= data;
529 ec->stuck = 0;
530 continue;
531 }
532
533 /*
534 * Fibonacci LSFR with polynom of
535 * x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is
536 * primitive according to
537 * http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf
538 * (the shift values are the polynom values minus one
539 * due to counting bits from 0 to 63). As the current
540 * position is always the LSB, the polynom only needs
541 * to shift data in from the left without wrap.
542 */
543 ec->data ^= data;
544 ec->data ^= ((ec->data >> 63) & 1);
545 ec->data ^= ((ec->data >> 60) & 1);
546 ec->data ^= ((ec->data >> 55) & 1);
547 ec->data ^= ((ec->data >> 30) & 1);
548 ec->data ^= ((ec->data >> 27) & 1);
549 ec->data ^= ((ec->data >> 22) & 1);
550 ec->data = rol64(ec->data, 1);
551
552 /*
553 * We multiply the loop value with ->osr to obtain the
554 * oversampling rate requested by the caller
555 */
556 if (++k >= (DATA_SIZE_BITS * ec->osr))
557 break;
558 }
559 if (ec->stir)
560 jent_stir_pool(ec);
561}
562
563/**
564 * The continuous test required by FIPS 140-2 -- the function automatically
565 * primes the test if needed.
566 *
567 * Return:
568 * 0 if FIPS test passed
569 * < 0 if FIPS test failed
570 */
571static void jent_fips_test(struct rand_data *ec)
572{
573 if (!fips_enabled)
574 return;
575
576 /* prime the FIPS test */
577 if (!ec->old_data) {
578 ec->old_data = ec->data;
579 jent_gen_entropy(ec);
580 }
581
582 if (ec->data == ec->old_data)
583 panic(DRIVER_NAME ": Duplicate output detected\n");
584
585 ec->old_data = ec->data;
586}
587
588
589/**
590 * Entry function: Obtain entropy for the caller.
591 *
592 * This function invokes the entropy gathering logic as often to generate
593 * as many bytes as requested by the caller. The entropy gathering logic
594 * creates 64 bit per invocation.
595 *
596 * This function truncates the last 64 bit entropy value output to the exact
597 * size specified by the caller.
598 *
599 * Input:
600 * @ec Reference to entropy collector
601 * @data pointer to buffer for storing random data -- buffer must already
602 * exist
603 * @len size of the buffer, specifying also the requested number of random
604 * in bytes
605 *
606 * @return 0 when request is fulfilled or an error
607 *
608 * The following error codes can occur:
609 * -1 entropy_collector is NULL
610 */
611static ssize_t jent_read_entropy(struct rand_data *ec, u8 *data, size_t len)
612{
613 u8 *p = data;
614
615 if (!ec)
616 return -EINVAL;
617
618 while (0 < len) {
619 size_t tocopy;
620
621 jent_gen_entropy(ec);
622 jent_fips_test(ec);
623 if ((DATA_SIZE_BITS / 8) < len)
624 tocopy = (DATA_SIZE_BITS / 8);
625 else
626 tocopy = len;
627 memcpy(p, &ec->data, tocopy);
628
629 len -= tocopy;
630 p += tocopy;
631 }
632
633 return 0;
634}
635
636/***************************************************************************
637 * Initialization logic
638 ***************************************************************************/
639
640static struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
641 unsigned int flags)
642{
643 struct rand_data *entropy_collector;
644
645 entropy_collector = kzalloc(sizeof(struct rand_data), GFP_KERNEL);
646 if (!entropy_collector)
647 return NULL;
648
649 if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) {
650 /* Allocate memory for adding variations based on memory
651 * access
652 */
653 entropy_collector->mem = kzalloc(JENT_MEMORY_SIZE, GFP_KERNEL);
654 if (!entropy_collector->mem) {
655 kfree(entropy_collector);
656 return NULL;
657 }
658 entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE;
659 entropy_collector->memblocks = JENT_MEMORY_BLOCKS;
660 entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;
661 }
662
663 /* verify and set the oversampling rate */
664 if (0 == osr)
665 osr = 1; /* minimum sampling rate is 1 */
666 entropy_collector->osr = osr;
667
668 entropy_collector->stir = 1;
669 if (flags & JENT_DISABLE_STIR)
670 entropy_collector->stir = 0;
671 if (flags & JENT_DISABLE_UNBIAS)
672 entropy_collector->disable_unbias = 1;
673
674 /* fill the data pad with non-zero values */
675 jent_gen_entropy(entropy_collector);
676
677 return entropy_collector;
678}
679
680static void jent_entropy_collector_free(struct rand_data *entropy_collector)
681{
682 if (entropy_collector->mem)
683 kzfree(entropy_collector->mem);
684 entropy_collector->mem = NULL;
685 if (entropy_collector)
686 kzfree(entropy_collector);
687 entropy_collector = NULL;
688}
689
690static int jent_entropy_init(void)
691{
692 int i;
693 __u64 delta_sum = 0;
694 __u64 old_delta = 0;
695 int time_backwards = 0;
696 int count_var = 0;
697 int count_mod = 0;
698
699 /* We could perform statistical tests here, but the problem is
700 * that we only have a few loop counts to do testing. These
701 * loop counts may show some slight skew and we produce
702 * false positives.
703 *
704 * Moreover, only old systems show potentially problematic
705 * jitter entropy that could potentially be caught here. But
706 * the RNG is intended for hardware that is available or widely
707 * used, but not old systems that are long out of favor. Thus,
708 * no statistical tests.
709 */
710
711 /*
712 * We could add a check for system capabilities such as clock_getres or
713 * check for CONFIG_X86_TSC, but it does not make much sense as the
714 * following sanity checks verify that we have a high-resolution
715 * timer.
716 */
717 /*
718 * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is
719 * definitely too little.
720 */
721#define TESTLOOPCOUNT 300
722#define CLEARCACHE 100
723 for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) {
724 __u64 time = 0;
725 __u64 time2 = 0;
726 __u64 folded = 0;
727 __u64 delta = 0;
728 unsigned int lowdelta = 0;
729
730 jent_get_nstime(&time);
731 jent_fold_time(NULL, time, &folded, 1<<MIN_FOLD_LOOP_BIT);
732 jent_get_nstime(&time2);
733
734 /* test whether timer works */
735 if (!time || !time2)
736 return JENT_ENOTIME;
737 delta = time2 - time;
738 /*
739 * test whether timer is fine grained enough to provide
740 * delta even when called shortly after each other -- this
741 * implies that we also have a high resolution timer
742 */
743 if (!delta)
744 return JENT_ECOARSETIME;
745
746 /*
747 * up to here we did not modify any variable that will be
748 * evaluated later, but we already performed some work. Thus we
749 * already have had an impact on the caches, branch prediction,
750 * etc. with the goal to clear it to get the worst case
751 * measurements.
752 */
753 if (CLEARCACHE > i)
754 continue;
755
756 /* test whether we have an increasing timer */
757 if (!(time2 > time))
758 time_backwards++;
759
760 /*
761 * Avoid modulo of 64 bit integer to allow code to compile
762 * on 32 bit architectures.
763 */
764 lowdelta = time2 - time;
765 if (!(lowdelta % 100))
766 count_mod++;
767
768 /*
769 * ensure that we have a varying delta timer which is necessary
770 * for the calculation of entropy -- perform this check
771 * only after the first loop is executed as we need to prime
772 * the old_data value
773 */
774 if (i) {
775 if (delta != old_delta)
776 count_var++;
777 if (delta > old_delta)
778 delta_sum += (delta - old_delta);
779 else
780 delta_sum += (old_delta - delta);
781 }
782 old_delta = delta;
783 }
784
785 /*
786 * we allow up to three times the time running backwards.
787 * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus,
788 * if such an operation just happens to interfere with our test, it
789 * should not fail. The value of 3 should cover the NTP case being
790 * performed during our test run.
791 */
792 if (3 < time_backwards)
793 return JENT_ENOMONOTONIC;
794 /* Error if the time variances are always identical */
795 if (!delta_sum)
796 return JENT_EVARVAR;
797
798 /*
799 * Variations of deltas of time must on average be larger
800 * than 1 to ensure the entropy estimation
801 * implied with 1 is preserved
802 */
803 if (delta_sum <= 1)
804 return JENT_EMINVARVAR;
805
806 /*
807 * Ensure that we have variations in the time stamp below 10 for at
808 * least 10% of all checks -- on some platforms, the counter
809 * increments in multiples of 100, but not always
810 */
811 if ((TESTLOOPCOUNT/10 * 9) < count_mod)
812 return JENT_ECOARSETIME;
813
814 return 0;
815}
816
817/***************************************************************************
818 * Kernel crypto API interface
819 ***************************************************************************/
820
821struct jitterentropy {
822 spinlock_t jent_lock;
823 struct rand_data *entropy_collector;
824};
825
826static int jent_kcapi_init(struct crypto_tfm *tfm)
827{
828 struct jitterentropy *rng = crypto_tfm_ctx(tfm);
829 int ret = 0;
830
831 rng->entropy_collector = jent_entropy_collector_alloc(1, 0);
832 if (!rng->entropy_collector)
833 ret = -ENOMEM;
834
835 spin_lock_init(&rng->jent_lock);
836 return ret;
837}
838
839static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
840{
841 struct jitterentropy *rng = crypto_tfm_ctx(tfm);
842
843 spin_lock(&rng->jent_lock);
844 if (rng->entropy_collector)
845 jent_entropy_collector_free(rng->entropy_collector);
846 rng->entropy_collector = NULL;
847 spin_unlock(&rng->jent_lock);
848}
849
850static int jent_kcapi_random(struct crypto_rng *tfm,
851 const u8 *src, unsigned int slen,
852 u8 *rdata, unsigned int dlen)
853{
854 struct jitterentropy *rng = crypto_rng_ctx(tfm);
855 int ret = 0;
856
857 spin_lock(&rng->jent_lock);
858 ret = jent_read_entropy(rng->entropy_collector, rdata, dlen);
859 spin_unlock(&rng->jent_lock);
860
861 return ret;
862}
863
864static int jent_kcapi_reset(struct crypto_rng *tfm,
865 const u8 *seed, unsigned int slen)
866{
867 return 0;
868}
869
870static struct rng_alg jent_alg = {
871 .generate = jent_kcapi_random,
872 .seed = jent_kcapi_reset,
873 .seedsize = 0,
874 .base = {
875 .cra_name = "jitterentropy_rng",
876 .cra_driver_name = "jitterentropy_rng",
877 .cra_priority = 100,
878 .cra_ctxsize = sizeof(struct jitterentropy),
879 .cra_module = THIS_MODULE,
880 .cra_init = jent_kcapi_init,
881 .cra_exit = jent_kcapi_cleanup,
882
883 }
884};
885
886static int __init jent_mod_init(void)
887{
888 int ret = 0;
889
890 ret = jent_entropy_init();
891 if (ret) {
892 pr_info(DRIVER_NAME ": Initialization failed with host not compliant with requirements: %d\n", ret);
893 return -EFAULT;
894 }
895 return crypto_register_rng(&jent_alg);
896}
897
898static void __exit jent_mod_exit(void)
899{
900 crypto_unregister_rng(&jent_alg);
901}
902
903module_init(jent_mod_init);
904module_exit(jent_mod_exit);
905
906MODULE_LICENSE("Dual BSD/GPL");
907MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
908MODULE_DESCRIPTION("Non-physical True Random Number Generator based on CPU Jitter");
909MODULE_ALIAS_CRYPTO("jitterentropy_rng");
ubuntu-bionic-kernel mirror