aboutsummaryrefslogtreecommitdiffstats
path: root/crypto/jitterentropy.c
diff options
context:
space:
mode:
authorStephan Mueller <smueller@chronox.de>2015-05-25 09:10:20 -0400
committerHerbert Xu <herbert@gondor.apana.org.au>2015-05-27 05:51:54 -0400
commitbb5530e4082446aac3a3d69780cd4dbfa4520013 (patch)
tree4303ec9cfc45093ae835d642b043413965c1ce84 /crypto/jitterentropy.c
parentb8ec5ba42c4a3854e27c44e697d9b4f0b84b32bb (diff)
crypto: jitterentropy - add jitterentropy RNG
The CPU Jitter RNG provides a source of good entropy by collecting CPU executing time jitter. The entropy in the CPU execution time jitter is magnified by the CPU Jitter Random Number Generator. The CPU Jitter Random Number Generator uses the CPU execution timing jitter to generate a bit stream which complies with different statistical measurements that determine the bit stream is random. The CPU Jitter Random Number Generator delivers entropy which follows information theoretical requirements. Based on these studies and the implementation, the caller can assume that one bit of data extracted from the CPU Jitter Random Number Generator holds one bit of entropy. The CPU Jitter Random Number Generator provides a decentralized source of entropy, i.e. every caller can operate on a private state of the entropy pool. The RNG does not have any dependencies on any other service in the kernel. The RNG only needs a high-resolution time stamp. Further design details, the cryptographic assessment and large array of test results are documented at http://www.chronox.de/jent.html. CC: Andreas Steffen <andreas.steffen@strongswan.org> CC: Theodore Ts'o <tytso@mit.edu> CC: Sandy Harris <sandyinchina@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/jitterentropy.c')
-rw-r--r--crypto/jitterentropy.c909
1 files changed, 909 insertions, 0 deletions
diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
new file mode 100644
index 000000000000..1ebe58a26619
--- /dev/null
+++ b/crypto/jitterentropy.c
@@ -0,0 +1,909 @@
1/*
2 * Non-physical true random number generator based on timing jitter.
3 *
4 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
5 *
6 * Design
7 * ======
8 *
9 * See http://www.chronox.de/jent.html
10 *
11 * License
12 * =======
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, and the entire permission notice in its entirety,
19 * including the disclaimer of warranties.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. The name of the author may not be used to endorse or promote
24 * products derived from this software without specific prior
25 * written permission.
26 *
27 * ALTERNATIVELY, this product may be distributed under the terms of
28 * the GNU General Public License, in which case the provisions of the GPL2 are
29 * required INSTEAD OF the above restrictions. (This clause is
30 * necessary due to a potential bad interaction between the GPL and
31 * the restrictions contained in a BSD-style copyright.)
32 *
33 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
34 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
35 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
36 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
37 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
38 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
39 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
40 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
41 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
42 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
43 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
44 * DAMAGE.
45 */
46
47/*
48 * This Jitterentropy RNG is based on the jitterentropy library
49 * version 1.1.0 provided at http://www.chronox.de/jent.html
50 */
51
52#include <linux/module.h>
53#include <linux/slab.h>
54#include <linux/module.h>
55#include <linux/fips.h>
56#include <linux/time.h>
57#include <linux/crypto.h>
58#include <crypto/internal/rng.h>
59
60#ifdef __OPTIMIZE__
61 #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c."
62#endif
63
64/* The entropy pool */
65struct rand_data {
66 /* all data values that are vital to maintain the security
67 * of the RNG are marked as SENSITIVE. A user must not
68 * access that information while the RNG executes its loops to
69 * calculate the next random value. */
70 __u64 data; /* SENSITIVE Actual random number */
71 __u64 old_data; /* SENSITIVE Previous random number */
72 __u64 prev_time; /* SENSITIVE Previous time stamp */
73#define DATA_SIZE_BITS ((sizeof(__u64)) * 8)
74 __u64 last_delta; /* SENSITIVE stuck test */
75 __s64 last_delta2; /* SENSITIVE stuck test */
76 unsigned int stuck:1; /* Time measurement stuck */
77 unsigned int osr; /* Oversample rate */
78 unsigned int stir:1; /* Post-processing stirring */
79 unsigned int disable_unbias:1; /* Deactivate Von-Neuman unbias */
80#define JENT_MEMORY_BLOCKS 64
81#define JENT_MEMORY_BLOCKSIZE 32
82#define JENT_MEMORY_ACCESSLOOPS 128
83#define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE)
84 unsigned char *mem; /* Memory access location with size of
85 * memblocks * memblocksize */
86 unsigned int memlocation; /* Pointer to byte in *mem */
87 unsigned int memblocks; /* Number of memory blocks in *mem */
88 unsigned int memblocksize; /* Size of one memory block in bytes */
89 unsigned int memaccessloops; /* Number of memory accesses per random
90 * bit generation */
91};
92
93/* Flags that can be used to initialize the RNG */
94#define JENT_DISABLE_STIR (1<<0) /* Disable stirring the entropy pool */
95#define JENT_DISABLE_UNBIAS (1<<1) /* Disable the Von-Neuman Unbiaser */
96#define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more
97 * entropy, saves MEMORY_SIZE RAM for
98 * entropy collector */
99
100#define DRIVER_NAME "jitterentropy"
101
102/* -- error codes for init function -- */
103#define JENT_ENOTIME 1 /* Timer service not available */
104#define JENT_ECOARSETIME 2 /* Timer too coarse for RNG */
105#define JENT_ENOMONOTONIC 3 /* Timer is not monotonic increasing */
106#define JENT_EMINVARIATION 4 /* Timer variations too small for RNG */
107#define JENT_EVARVAR 5 /* Timer does not produce variations of
108 * variations (2nd derivation of time is
109 * zero). */
110#define JENT_EMINVARVAR 6 /* Timer variations of variations is tooi
111 * small. */
112
113/***************************************************************************
114 * Helper functions
115 ***************************************************************************/
116
117static inline void jent_get_nstime(__u64 *out)
118{
119 struct timespec ts;
120 __u64 tmp = 0;
121
122 tmp = random_get_entropy();
123
124 /*
125 * If random_get_entropy does not return a value (which is possible on,
126 * for example, MIPS), invoke __getnstimeofday
127 * hoping that there are timers we can work with.
128 *
129 * The list of available timers can be obtained from
130 * /sys/devices/system/clocksource/clocksource0/available_clocksource
131 * and are registered with clocksource_register()
132 */
133 if ((0 == tmp) &&
134#ifndef MODULE
135 (0 == timekeeping_valid_for_hres()) &&
136#endif
137 (0 == __getnstimeofday(&ts))) {
138 tmp = ts.tv_sec;
139 tmp = tmp << 32;
140 tmp = tmp | ts.tv_nsec;
141 }
142
143 *out = tmp;
144}
145
146
147/**
148 * Update of the loop count used for the next round of
149 * an entropy collection.
150 *
151 * Input:
152 * @ec entropy collector struct -- may be NULL
153 * @bits is the number of low bits of the timer to consider
154 * @min is the number of bits we shift the timer value to the right at
155 * the end to make sure we have a guaranteed minimum value
156 *
157 * @return Newly calculated loop counter
158 */
159static __u64 jent_loop_shuffle(struct rand_data *ec,
160 unsigned int bits, unsigned int min)
161{
162 __u64 time = 0;
163 __u64 shuffle = 0;
164 unsigned int i = 0;
165 unsigned int mask = (1<<bits) - 1;
166
167 jent_get_nstime(&time);
168 /*
169 * mix the current state of the random number into the shuffle
170 * calculation to balance that shuffle a bit more
171 */
172 if (ec)
173 time ^= ec->data;
174 /*
175 * we fold the time value as much as possible to ensure that as many
176 * bits of the time stamp are included as possible
177 */
178 for (i = 0; (DATA_SIZE_BITS / bits) > i; i++) {
179 shuffle ^= time & mask;
180 time = time >> bits;
181 }
182
183 /*
184 * We add a lower boundary value to ensure we have a minimum
185 * RNG loop count.
186 */
187 return (shuffle + (1<<min));
188}
189
190/***************************************************************************
191 * Noise sources
192 ***************************************************************************/
193
194/**
195 * CPU Jitter noise source -- this is the noise source based on the CPU
196 * execution time jitter
197 *
198 * This function folds the time into one bit units by iterating
199 * through the DATA_SIZE_BITS bit time value as follows: assume our time value
200 * is 0xabcd
201 * 1st loop, 1st shift generates 0xd000
202 * 1st loop, 2nd shift generates 0x000d
203 * 2nd loop, 1st shift generates 0xcd00
204 * 2nd loop, 2nd shift generates 0x000c
205 * 3rd loop, 1st shift generates 0xbcd0
206 * 3rd loop, 2nd shift generates 0x000b
207 * 4th loop, 1st shift generates 0xabcd
208 * 4th loop, 2nd shift generates 0x000a
209 * Now, the values at the end of the 2nd shifts are XORed together.
210 *
211 * The code is deliberately inefficient and shall stay that way. This function
212 * is the root cause why the code shall be compiled without optimization. This
213 * function not only acts as folding operation, but this function's execution
214 * is used to measure the CPU execution time jitter. Any change to the loop in
215 * this function implies that careful retesting must be done.
216 *
217 * Input:
218 * @ec entropy collector struct -- may be NULL
219 * @time time stamp to be folded
220 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
221 * loops to perform the folding
222 *
223 * Output:
224 * @folded result of folding operation
225 *
226 * @return Number of loops the folding operation is performed
227 */
228static __u64 jent_fold_time(struct rand_data *ec, __u64 time,
229 __u64 *folded, __u64 loop_cnt)
230{
231 unsigned int i;
232 __u64 j = 0;
233 __u64 new = 0;
234#define MAX_FOLD_LOOP_BIT 4
235#define MIN_FOLD_LOOP_BIT 0
236 __u64 fold_loop_cnt =
237 jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT);
238
239 /*
240 * testing purposes -- allow test app to set the counter, not
241 * needed during runtime
242 */
243 if (loop_cnt)
244 fold_loop_cnt = loop_cnt;
245 for (j = 0; j < fold_loop_cnt; j++) {
246 new = 0;
247 for (i = 1; (DATA_SIZE_BITS) >= i; i++) {
248 __u64 tmp = time << (DATA_SIZE_BITS - i);
249
250 tmp = tmp >> (DATA_SIZE_BITS - 1);
251 new ^= tmp;
252 }
253 }
254 *folded = new;
255 return fold_loop_cnt;
256}
257
258/**
259 * Memory Access noise source -- this is a noise source based on variations in
260 * memory access times
261 *
262 * This function performs memory accesses which will add to the timing
263 * variations due to an unknown amount of CPU wait states that need to be
264 * added when accessing memory. The memory size should be larger than the L1
265 * caches as outlined in the documentation and the associated testing.
266 *
267 * The L1 cache has a very high bandwidth, albeit its access rate is usually
268 * slower than accessing CPU registers. Therefore, L1 accesses only add minimal
269 * variations as the CPU has hardly to wait. Starting with L2, significant
270 * variations are added because L2 typically does not belong to the CPU any more
271 * and therefore a wider range of CPU wait states is necessary for accesses.
272 * L3 and real memory accesses have even a wider range of wait states. However,
273 * to reliably access either L3 or memory, the ec->mem memory must be quite
274 * large which is usually not desirable.
275 *
276 * Input:
277 * @ec Reference to the entropy collector with the memory access data -- if
278 * the reference to the memory block to be accessed is NULL, this noise
279 * source is disabled
280 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
281 * loops to perform the folding
282 *
283 * @return Number of memory access operations
284 */
285static unsigned int jent_memaccess(struct rand_data *ec, __u64 loop_cnt)
286{
287 unsigned char *tmpval = NULL;
288 unsigned int wrap = 0;
289 __u64 i = 0;
290#define MAX_ACC_LOOP_BIT 7
291#define MIN_ACC_LOOP_BIT 0
292 __u64 acc_loop_cnt =
293 jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);
294
295 if (NULL == ec || NULL == ec->mem)
296 return 0;
297 wrap = ec->memblocksize * ec->memblocks;
298
299 /*
300 * testing purposes -- allow test app to set the counter, not
301 * needed during runtime
302 */
303 if (loop_cnt)
304 acc_loop_cnt = loop_cnt;
305
306 for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {
307 tmpval = ec->mem + ec->memlocation;
308 /*
309 * memory access: just add 1 to one byte,
310 * wrap at 255 -- memory access implies read
311 * from and write to memory location
312 */
313 *tmpval = (*tmpval + 1) & 0xff;
314 /*
315 * Addition of memblocksize - 1 to pointer
316 * with wrap around logic to ensure that every
317 * memory location is hit evenly
318 */
319 ec->memlocation = ec->memlocation + ec->memblocksize - 1;
320 ec->memlocation = ec->memlocation % wrap;
321 }
322 return i;
323}
324
325/***************************************************************************
326 * Start of entropy processing logic
327 ***************************************************************************/
328
329/**
330 * Stuck test by checking the:
331 * 1st derivation of the jitter measurement (time delta)
332 * 2nd derivation of the jitter measurement (delta of time deltas)
333 * 3rd derivation of the jitter measurement (delta of delta of time deltas)
334 *
335 * All values must always be non-zero.
336 *
337 * Input:
338 * @ec Reference to entropy collector
339 * @current_delta Jitter time delta
340 *
341 * @return
342 * 0 jitter measurement not stuck (good bit)
343 * 1 jitter measurement stuck (reject bit)
344 */
345static void jent_stuck(struct rand_data *ec, __u64 current_delta)
346{
347 __s64 delta2 = ec->last_delta - current_delta;
348 __s64 delta3 = delta2 - ec->last_delta2;
349
350 ec->last_delta = current_delta;
351 ec->last_delta2 = delta2;
352
353 if (!current_delta || !delta2 || !delta3)
354 ec->stuck = 1;
355}
356
357/**
358 * This is the heart of the entropy generation: calculate time deltas and
359 * use the CPU jitter in the time deltas. The jitter is folded into one
360 * bit. You can call this function the "random bit generator" as it
361 * produces one random bit per invocation.
362 *
363 * WARNING: ensure that ->prev_time is primed before using the output
364 * of this function! This can be done by calling this function
365 * and not using its result.
366 *
367 * Input:
368 * @entropy_collector Reference to entropy collector
369 *
370 * @return One random bit
371 */
372static __u64 jent_measure_jitter(struct rand_data *ec)
373{
374 __u64 time = 0;
375 __u64 data = 0;
376 __u64 current_delta = 0;
377
378 /* Invoke one noise source before time measurement to add variations */
379 jent_memaccess(ec, 0);
380
381 /*
382 * Get time stamp and calculate time delta to previous
383 * invocation to measure the timing variations
384 */
385 jent_get_nstime(&time);
386 current_delta = time - ec->prev_time;
387 ec->prev_time = time;
388
389 /* Now call the next noise sources which also folds the data */
390 jent_fold_time(ec, current_delta, &data, 0);
391
392 /*
393 * Check whether we have a stuck measurement. The enforcement
394 * is performed after the stuck value has been mixed into the
395 * entropy pool.
396 */
397 jent_stuck(ec, current_delta);
398
399 return data;
400}
401
402/**
403 * Von Neuman unbias as explained in RFC 4086 section 4.2. As shown in the
404 * documentation of that RNG, the bits from jent_measure_jitter are considered
405 * independent which implies that the Von Neuman unbias operation is applicable.
406 * A proof of the Von-Neumann unbias operation to remove skews is given in the
407 * document "A proposal for: Functionality classes for random number
408 * generators", version 2.0 by Werner Schindler, section 5.4.1.
409 *
410 * Input:
411 * @entropy_collector Reference to entropy collector
412 *
413 * @return One random bit
414 */
415static __u64 jent_unbiased_bit(struct rand_data *entropy_collector)
416{
417 do {
418 __u64 a = jent_measure_jitter(entropy_collector);
419 __u64 b = jent_measure_jitter(entropy_collector);
420
421 if (a == b)
422 continue;
423 if (1 == a)
424 return 1;
425 else
426 return 0;
427 } while (1);
428}
429
430/**
431 * Shuffle the pool a bit by mixing some value with a bijective function (XOR)
432 * into the pool.
433 *
434 * The function generates a mixer value that depends on the bits set and the
435 * location of the set bits in the random number generated by the entropy
436 * source. Therefore, based on the generated random number, this mixer value
437 * can have 2**64 different values. That mixer value is initialized with the
438 * first two SHA-1 constants. After obtaining the mixer value, it is XORed into
439 * the random number.
440 *
441 * The mixer value is not assumed to contain any entropy. But due to the XOR
442 * operation, it can also not destroy any entropy present in the entropy pool.
443 *
444 * Input:
445 * @entropy_collector Reference to entropy collector
446 */
447static void jent_stir_pool(struct rand_data *entropy_collector)
448{
449 /*
450 * to shut up GCC on 32 bit, we have to initialize the 64 variable
451 * with two 32 bit variables
452 */
453 union c {
454 __u64 u64;
455 __u32 u32[2];
456 };
457 /*
458 * This constant is derived from the first two 32 bit initialization
459 * vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1
460 */
461 union c constant;
462 /*
463 * The start value of the mixer variable is derived from the third
464 * and fourth 32 bit initialization vector of SHA-1 as defined in
465 * FIPS 180-4 section 5.3.1
466 */
467 union c mixer;
468 unsigned int i = 0;
469
470 /*
471 * Store the SHA-1 constants in reverse order to make up the 64 bit
472 * value -- this applies to a little endian system, on a big endian
473 * system, it reverses as expected. But this really does not matter
474 * as we do not rely on the specific numbers. We just pick the SHA-1
475 * constants as they have a good mix of bit set and unset.
476 */
477 constant.u32[1] = 0x67452301;
478 constant.u32[0] = 0xefcdab89;
479 mixer.u32[1] = 0x98badcfe;
480 mixer.u32[0] = 0x10325476;
481
482 for (i = 0; i < DATA_SIZE_BITS; i++) {
483 /*
484 * get the i-th bit of the input random number and only XOR
485 * the constant into the mixer value when that bit is set
486 */
487 if ((entropy_collector->data >> i) & 1)
488 mixer.u64 ^= constant.u64;
489 mixer.u64 = rol64(mixer.u64, 1);
490 }
491 entropy_collector->data ^= mixer.u64;
492}
493
494/**
495 * Generator of one 64 bit random number
496 * Function fills rand_data->data
497 *
498 * Input:
499 * @ec Reference to entropy collector
500 */
501static void jent_gen_entropy(struct rand_data *ec)
502{
503 unsigned int k = 0;
504
505 /* priming of the ->prev_time value */
506 jent_measure_jitter(ec);
507
508 while (1) {
509 __u64 data = 0;
510
511 if (ec->disable_unbias == 1)
512 data = jent_measure_jitter(ec);
513 else
514 data = jent_unbiased_bit(ec);
515
516 /* enforcement of the jent_stuck test */
517 if (ec->stuck) {
518 /*
519 * We only mix in the bit considered not appropriate
520 * without the LSFR. The reason is that if we apply
521 * the LSFR and we do not rotate, the 2nd bit with LSFR
522 * will cancel out the first LSFR application on the
523 * bad bit.
524 *
525 * And we do not rotate as we apply the next bit to the
526 * current bit location again.
527 */
528 ec->data ^= data;
529 ec->stuck = 0;
530 continue;
531 }
532
533 /*
534 * Fibonacci LSFR with polynom of
535 * x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is
536 * primitive according to
537 * http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf
538 * (the shift values are the polynom values minus one
539 * due to counting bits from 0 to 63). As the current
540 * position is always the LSB, the polynom only needs
541 * to shift data in from the left without wrap.
542 */
543 ec->data ^= data;
544 ec->data ^= ((ec->data >> 63) & 1);
545 ec->data ^= ((ec->data >> 60) & 1);
546 ec->data ^= ((ec->data >> 55) & 1);
547 ec->data ^= ((ec->data >> 30) & 1);
548 ec->data ^= ((ec->data >> 27) & 1);
549 ec->data ^= ((ec->data >> 22) & 1);
550 ec->data = rol64(ec->data, 1);
551
552 /*
553 * We multiply the loop value with ->osr to obtain the
554 * oversampling rate requested by the caller
555 */
556 if (++k >= (DATA_SIZE_BITS * ec->osr))
557 break;
558 }
559 if (ec->stir)
560 jent_stir_pool(ec);
561}
562
563/**
564 * The continuous test required by FIPS 140-2 -- the function automatically
565 * primes the test if needed.
566 *
567 * Return:
568 * 0 if FIPS test passed
569 * < 0 if FIPS test failed
570 */
571static void jent_fips_test(struct rand_data *ec)
572{
573 if (!fips_enabled)
574 return;
575
576 /* prime the FIPS test */
577 if (!ec->old_data) {
578 ec->old_data = ec->data;
579 jent_gen_entropy(ec);
580 }
581
582 if (ec->data == ec->old_data)
583 panic(DRIVER_NAME ": Duplicate output detected\n");
584
585 ec->old_data = ec->data;
586}
587
588
589/**
590 * Entry function: Obtain entropy for the caller.
591 *
592 * This function invokes the entropy gathering logic as often to generate
593 * as many bytes as requested by the caller. The entropy gathering logic
594 * creates 64 bit per invocation.
595 *
596 * This function truncates the last 64 bit entropy value output to the exact
597 * size specified by the caller.
598 *
599 * Input:
600 * @ec Reference to entropy collector
601 * @data pointer to buffer for storing random data -- buffer must already
602 * exist
603 * @len size of the buffer, specifying also the requested number of random
604 * in bytes
605 *
606 * @return 0 when request is fulfilled or an error
607 *
608 * The following error codes can occur:
609 * -1 entropy_collector is NULL
610 */
611static ssize_t jent_read_entropy(struct rand_data *ec, u8 *data, size_t len)
612{
613 u8 *p = data;
614
615 if (!ec)
616 return -EINVAL;
617
618 while (0 < len) {
619 size_t tocopy;
620
621 jent_gen_entropy(ec);
622 jent_fips_test(ec);
623 if ((DATA_SIZE_BITS / 8) < len)
624 tocopy = (DATA_SIZE_BITS / 8);
625 else
626 tocopy = len;
627 memcpy(p, &ec->data, tocopy);
628
629 len -= tocopy;
630 p += tocopy;
631 }
632
633 return 0;
634}
635
636/***************************************************************************
637 * Initialization logic
638 ***************************************************************************/
639
640static struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
641 unsigned int flags)
642{
643 struct rand_data *entropy_collector;
644
645 entropy_collector = kzalloc(sizeof(struct rand_data), GFP_KERNEL);
646 if (!entropy_collector)
647 return NULL;
648
649 if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) {
650 /* Allocate memory for adding variations based on memory
651 * access
652 */
653 entropy_collector->mem = kzalloc(JENT_MEMORY_SIZE, GFP_KERNEL);
654 if (!entropy_collector->mem) {
655 kfree(entropy_collector);
656 return NULL;
657 }
658 entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE;
659 entropy_collector->memblocks = JENT_MEMORY_BLOCKS;
660 entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;
661 }
662
663 /* verify and set the oversampling rate */
664 if (0 == osr)
665 osr = 1; /* minimum sampling rate is 1 */
666 entropy_collector->osr = osr;
667
668 entropy_collector->stir = 1;
669 if (flags & JENT_DISABLE_STIR)
670 entropy_collector->stir = 0;
671 if (flags & JENT_DISABLE_UNBIAS)
672 entropy_collector->disable_unbias = 1;
673
674 /* fill the data pad with non-zero values */
675 jent_gen_entropy(entropy_collector);
676
677 return entropy_collector;
678}
679
680static void jent_entropy_collector_free(struct rand_data *entropy_collector)
681{
682 if (entropy_collector->mem)
683 kzfree(entropy_collector->mem);
684 entropy_collector->mem = NULL;
685 if (entropy_collector)
686 kzfree(entropy_collector);
687 entropy_collector = NULL;
688}
689
690static int jent_entropy_init(void)
691{
692 int i;
693 __u64 delta_sum = 0;
694 __u64 old_delta = 0;
695 int time_backwards = 0;
696 int count_var = 0;
697 int count_mod = 0;
698
699 /* We could perform statistical tests here, but the problem is
700 * that we only have a few loop counts to do testing. These
701 * loop counts may show some slight skew and we produce
702 * false positives.
703 *
704 * Moreover, only old systems show potentially problematic
705 * jitter entropy that could potentially be caught here. But
706 * the RNG is intended for hardware that is available or widely
707 * used, but not old systems that are long out of favor. Thus,
708 * no statistical tests.
709 */
710
711 /*
712 * We could add a check for system capabilities such as clock_getres or
713 * check for CONFIG_X86_TSC, but it does not make much sense as the
714 * following sanity checks verify that we have a high-resolution
715 * timer.
716 */
717 /*
718 * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is
719 * definitely too little.
720 */
721#define TESTLOOPCOUNT 300
722#define CLEARCACHE 100
723 for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) {
724 __u64 time = 0;
725 __u64 time2 = 0;
726 __u64 folded = 0;
727 __u64 delta = 0;
728 unsigned int lowdelta = 0;
729
730 jent_get_nstime(&time);
731 jent_fold_time(NULL, time, &folded, 1<<MIN_FOLD_LOOP_BIT);
732 jent_get_nstime(&time2);
733
734 /* test whether timer works */
735 if (!time || !time2)
736 return JENT_ENOTIME;
737 delta = time2 - time;
738 /*
739 * test whether timer is fine grained enough to provide
740 * delta even when called shortly after each other -- this
741 * implies that we also have a high resolution timer
742 */
743 if (!delta)
744 return JENT_ECOARSETIME;
745
746 /*
747 * up to here we did not modify any variable that will be
748 * evaluated later, but we already performed some work. Thus we
749 * already have had an impact on the caches, branch prediction,
750 * etc. with the goal to clear it to get the worst case
751 * measurements.
752 */
753 if (CLEARCACHE > i)
754 continue;
755
756 /* test whether we have an increasing timer */
757 if (!(time2 > time))
758 time_backwards++;
759
760 /*
761 * Avoid modulo of 64 bit integer to allow code to compile
762 * on 32 bit architectures.
763 */
764 lowdelta = time2 - time;
765 if (!(lowdelta % 100))
766 count_mod++;
767
768 /*
769 * ensure that we have a varying delta timer which is necessary
770 * for the calculation of entropy -- perform this check
771 * only after the first loop is executed as we need to prime
772 * the old_data value
773 */
774 if (i) {
775 if (delta != old_delta)
776 count_var++;
777 if (delta > old_delta)
778 delta_sum += (delta - old_delta);
779 else
780 delta_sum += (old_delta - delta);
781 }
782 old_delta = delta;
783 }
784
785 /*
786 * we allow up to three times the time running backwards.
787 * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus,
788 * if such an operation just happens to interfere with our test, it
789 * should not fail. The value of 3 should cover the NTP case being
790 * performed during our test run.
791 */
792 if (3 < time_backwards)
793 return JENT_ENOMONOTONIC;
794 /* Error if the time variances are always identical */
795 if (!delta_sum)
796 return JENT_EVARVAR;
797
798 /*
799 * Variations of deltas of time must on average be larger
800 * than 1 to ensure the entropy estimation
801 * implied with 1 is preserved
802 */
803 if (delta_sum <= 1)
804 return JENT_EMINVARVAR;
805
806 /*
807 * Ensure that we have variations in the time stamp below 10 for at
808 * least 10% of all checks -- on some platforms, the counter
809 * increments in multiples of 100, but not always
810 */
811 if ((TESTLOOPCOUNT/10 * 9) < count_mod)
812 return JENT_ECOARSETIME;
813
814 return 0;
815}
816
817/***************************************************************************
818 * Kernel crypto API interface
819 ***************************************************************************/
820
821struct jitterentropy {
822 spinlock_t jent_lock;
823 struct rand_data *entropy_collector;
824};
825
826static int jent_kcapi_init(struct crypto_tfm *tfm)
827{
828 struct jitterentropy *rng = crypto_tfm_ctx(tfm);
829 int ret = 0;
830
831 rng->entropy_collector = jent_entropy_collector_alloc(1, 0);
832 if (!rng->entropy_collector)
833 ret = -ENOMEM;
834
835 spin_lock_init(&rng->jent_lock);
836 return ret;
837}
838
839static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
840{
841 struct jitterentropy *rng = crypto_tfm_ctx(tfm);
842
843 spin_lock(&rng->jent_lock);
844 if (rng->entropy_collector)
845 jent_entropy_collector_free(rng->entropy_collector);
846 rng->entropy_collector = NULL;
847 spin_unlock(&rng->jent_lock);
848}
849
850static int jent_kcapi_random(struct crypto_rng *tfm,
851 const u8 *src, unsigned int slen,
852 u8 *rdata, unsigned int dlen)
853{
854 struct jitterentropy *rng = crypto_rng_ctx(tfm);
855 int ret = 0;
856
857 spin_lock(&rng->jent_lock);
858 ret = jent_read_entropy(rng->entropy_collector, rdata, dlen);
859 spin_unlock(&rng->jent_lock);
860
861 return ret;
862}
863
864static int jent_kcapi_reset(struct crypto_rng *tfm,
865 const u8 *seed, unsigned int slen)
866{
867 return 0;
868}
869
870static struct rng_alg jent_alg = {
871 .generate = jent_kcapi_random,
872 .seed = jent_kcapi_reset,
873 .seedsize = 0,
874 .base = {
875 .cra_name = "jitterentropy_rng",
876 .cra_driver_name = "jitterentropy_rng",
877 .cra_priority = 100,
878 .cra_ctxsize = sizeof(struct jitterentropy),
879 .cra_module = THIS_MODULE,
880 .cra_init = jent_kcapi_init,
881 .cra_exit = jent_kcapi_cleanup,
882
883 }
884};
885
886static int __init jent_mod_init(void)
887{
888 int ret = 0;
889
890 ret = jent_entropy_init();
891 if (ret) {
892 pr_info(DRIVER_NAME ": Initialization failed with host not compliant with requirements: %d\n", ret);
893 return -EFAULT;
894 }
895 return crypto_register_rng(&jent_alg);
896}
897
898static void __exit jent_mod_exit(void)
899{
900 crypto_unregister_rng(&jent_alg);
901}
902
903module_init(jent_mod_init);
904module_exit(jent_mod_exit);
905
906MODULE_LICENSE("Dual BSD/GPL");
907MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
908MODULE_DESCRIPTION("Non-physical True Random Number Generator based on CPU Jitter");
909MODULE_ALIAS_CRYPTO("jitterentropy_rng");
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-22 12:32:45 -0500