diff options
Diffstat (limited to 'arch/s390/crypto')
-rw-r--r-- | arch/s390/crypto/Makefile | 1 | ||||
-rw-r--r-- | arch/s390/crypto/crypt_s390.h | 1 | ||||
-rw-r--r-- | arch/s390/crypto/prng.c | 213 |
3 files changed, 215 insertions, 0 deletions
diff --git a/arch/s390/crypto/Makefile b/arch/s390/crypto/Makefile index 21720c03d653..14e552c5cc43 100644 --- a/arch/s390/crypto/Makefile +++ b/arch/s390/crypto/Makefile | |||
@@ -6,3 +6,4 @@ obj-$(CONFIG_CRYPTO_SHA1_S390) += sha1_s390.o | |||
6 | obj-$(CONFIG_CRYPTO_SHA256_S390) += sha256_s390.o | 6 | obj-$(CONFIG_CRYPTO_SHA256_S390) += sha256_s390.o |
7 | obj-$(CONFIG_CRYPTO_DES_S390) += des_s390.o des_check_key.o | 7 | obj-$(CONFIG_CRYPTO_DES_S390) += des_s390.o des_check_key.o |
8 | obj-$(CONFIG_CRYPTO_AES_S390) += aes_s390.o | 8 | obj-$(CONFIG_CRYPTO_AES_S390) += aes_s390.o |
9 | obj-$(CONFIG_S390_PRNG) += prng.o | ||
diff --git a/arch/s390/crypto/crypt_s390.h b/arch/s390/crypto/crypt_s390.h index 2b92c2fd12d4..2775d2618332 100644 --- a/arch/s390/crypto/crypt_s390.h +++ b/arch/s390/crypto/crypt_s390.h | |||
@@ -71,6 +71,7 @@ enum crypt_s390_kmc_func { | |||
71 | KMC_AES_192_DECRYPT = CRYPT_S390_KMC | 0x13 | 0x80, | 71 | KMC_AES_192_DECRYPT = CRYPT_S390_KMC | 0x13 | 0x80, |
72 | KMC_AES_256_ENCRYPT = CRYPT_S390_KMC | 0x14, | 72 | KMC_AES_256_ENCRYPT = CRYPT_S390_KMC | 0x14, |
73 | KMC_AES_256_DECRYPT = CRYPT_S390_KMC | 0x14 | 0x80, | 73 | KMC_AES_256_DECRYPT = CRYPT_S390_KMC | 0x14 | 0x80, |
74 | KMC_PRNG = CRYPT_S390_KMC | 0x43, | ||
74 | }; | 75 | }; |
75 | 76 | ||
76 | /* | 77 | /* |
diff --git a/arch/s390/crypto/prng.c b/arch/s390/crypto/prng.c new file mode 100644 index 000000000000..8eb3a1aedc22 --- /dev/null +++ b/arch/s390/crypto/prng.c | |||
@@ -0,0 +1,213 @@ | |||
1 | /* | ||
2 | * Copyright IBM Corp. 2006,2007 | ||
3 | * Author(s): Jan Glauber <jan.glauber@de.ibm.com> | ||
4 | * Driver for the s390 pseudo random number generator | ||
5 | */ | ||
6 | #include <linux/fs.h> | ||
7 | #include <linux/init.h> | ||
8 | #include <linux/kernel.h> | ||
9 | #include <linux/miscdevice.h> | ||
10 | #include <linux/module.h> | ||
11 | #include <linux/moduleparam.h> | ||
12 | #include <linux/random.h> | ||
13 | #include <asm/debug.h> | ||
14 | #include <asm/uaccess.h> | ||
15 | |||
16 | #include "crypt_s390.h" | ||
17 | |||
18 | MODULE_LICENSE("GPL"); | ||
19 | MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>"); | ||
20 | MODULE_DESCRIPTION("s390 PRNG interface"); | ||
21 | |||
22 | static int prng_chunk_size = 256; | ||
23 | module_param(prng_chunk_size, int, S_IRUSR | S_IRGRP | S_IROTH); | ||
24 | MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes"); | ||
25 | |||
26 | static int prng_entropy_limit = 4096; | ||
27 | module_param(prng_entropy_limit, int, S_IRUSR | S_IRGRP | S_IROTH | S_IWUSR); | ||
28 | MODULE_PARM_DESC(prng_entropy_limit, | ||
29 | "PRNG add entropy after that much bytes were produced"); | ||
30 | |||
31 | /* | ||
32 | * Any one who considers arithmetical methods of producing random digits is, | ||
33 | * of course, in a state of sin. -- John von Neumann | ||
34 | */ | ||
35 | |||
36 | struct s390_prng_data { | ||
37 | unsigned long count; /* how many bytes were produced */ | ||
38 | char *buf; | ||
39 | }; | ||
40 | |||
41 | static struct s390_prng_data *p; | ||
42 | |||
43 | /* copied from libica, use a non-zero initial parameter block */ | ||
44 | static unsigned char parm_block[32] = { | ||
45 | 0x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4, | ||
46 | 0x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0, | ||
47 | }; | ||
48 | |||
49 | static int prng_open(struct inode *inode, struct file *file) | ||
50 | { | ||
51 | return nonseekable_open(inode, file); | ||
52 | } | ||
53 | |||
54 | static void prng_add_entropy(void) | ||
55 | { | ||
56 | __u64 entropy[4]; | ||
57 | unsigned int i; | ||
58 | int ret; | ||
59 | |||
60 | for (i = 0; i < 16; i++) { | ||
61 | ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy, | ||
62 | (char *)entropy, sizeof(entropy)); | ||
63 | BUG_ON(ret < 0 || ret != sizeof(entropy)); | ||
64 | memcpy(parm_block, entropy, sizeof(entropy)); | ||
65 | } | ||
66 | } | ||
67 | |||
68 | static void prng_seed(int nbytes) | ||
69 | { | ||
70 | char buf[16]; | ||
71 | int i = 0; | ||
72 | |||
73 | BUG_ON(nbytes > 16); | ||
74 | get_random_bytes(buf, nbytes); | ||
75 | |||
76 | /* Add the entropy */ | ||
77 | while (nbytes >= 8) { | ||
78 | *((__u64 *)parm_block) ^= *((__u64 *)buf+i*8); | ||
79 | prng_add_entropy(); | ||
80 | i += 8; | ||
81 | nbytes -= 8; | ||
82 | } | ||
83 | prng_add_entropy(); | ||
84 | } | ||
85 | |||
86 | static ssize_t prng_read(struct file *file, char __user *ubuf, size_t nbytes, | ||
87 | loff_t *ppos) | ||
88 | { | ||
89 | int chunk, n; | ||
90 | int ret = 0; | ||
91 | int tmp; | ||
92 | |||
93 | /* nbytes can be arbitrary long, we spilt it into chunks */ | ||
94 | while (nbytes) { | ||
95 | /* same as in extract_entropy_user in random.c */ | ||
96 | if (need_resched()) { | ||
97 | if (signal_pending(current)) { | ||
98 | if (ret == 0) | ||
99 | ret = -ERESTARTSYS; | ||
100 | break; | ||
101 | } | ||
102 | schedule(); | ||
103 | } | ||
104 | |||
105 | /* | ||
106 | * we lose some random bytes if an attacker issues | ||
107 | * reads < 8 bytes, but we don't care | ||
108 | */ | ||
109 | chunk = min_t(int, nbytes, prng_chunk_size); | ||
110 | |||
111 | /* PRNG only likes multiples of 8 bytes */ | ||
112 | n = (chunk + 7) & -8; | ||
113 | |||
114 | if (p->count > prng_entropy_limit) | ||
115 | prng_seed(8); | ||
116 | |||
117 | /* if the CPU supports PRNG stckf is present too */ | ||
118 | asm volatile(".insn s,0xb27c0000,%0" | ||
119 | : "=m" (*((unsigned long long *)p->buf)) : : "cc"); | ||
120 | |||
121 | /* | ||
122 | * Beside the STCKF the input for the TDES-EDE is the output | ||
123 | * of the last operation. We differ here from X9.17 since we | ||
124 | * only store one timestamp into the buffer. Padding the whole | ||
125 | * buffer with timestamps does not improve security, since | ||
126 | * successive stckf have nearly constant offsets. | ||
127 | * If an attacker knows the first timestamp it would be | ||
128 | * trivial to guess the additional values. One timestamp | ||
129 | * is therefore enough and still guarantees unique input values. | ||
130 | * | ||
131 | * Note: you can still get strict X9.17 conformity by setting | ||
132 | * prng_chunk_size to 8 bytes. | ||
133 | */ | ||
134 | tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n); | ||
135 | BUG_ON((tmp < 0) || (tmp != n)); | ||
136 | |||
137 | p->count += n; | ||
138 | |||
139 | if (copy_to_user(ubuf, p->buf, chunk)) | ||
140 | return -EFAULT; | ||
141 | |||
142 | nbytes -= chunk; | ||
143 | ret += chunk; | ||
144 | ubuf += chunk; | ||
145 | } | ||
146 | return ret; | ||
147 | } | ||
148 | |||
149 | static struct file_operations prng_fops = { | ||
150 | .owner = THIS_MODULE, | ||
151 | .open = &prng_open, | ||
152 | .release = NULL, | ||
153 | .read = &prng_read, | ||
154 | }; | ||
155 | |||
156 | static struct miscdevice prng_dev = { | ||
157 | .name = "prandom", | ||
158 | .minor = MISC_DYNAMIC_MINOR, | ||
159 | .fops = &prng_fops, | ||
160 | }; | ||
161 | |||
162 | static int __init prng_init(void) | ||
163 | { | ||
164 | int ret; | ||
165 | |||
166 | /* check if the CPU has a PRNG */ | ||
167 | if (!crypt_s390_func_available(KMC_PRNG)) | ||
168 | return -EOPNOTSUPP; | ||
169 | |||
170 | if (prng_chunk_size < 8) | ||
171 | return -EINVAL; | ||
172 | |||
173 | p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL); | ||
174 | if (!p) | ||
175 | return -ENOMEM; | ||
176 | p->count = 0; | ||
177 | |||
178 | p->buf = kmalloc(prng_chunk_size, GFP_KERNEL); | ||
179 | if (!p->buf) { | ||
180 | ret = -ENOMEM; | ||
181 | goto out_free; | ||
182 | } | ||
183 | |||
184 | /* initialize the PRNG, add 128 bits of entropy */ | ||
185 | prng_seed(16); | ||
186 | |||
187 | ret = misc_register(&prng_dev); | ||
188 | if (ret) { | ||
189 | printk(KERN_WARNING | ||
190 | "Could not register misc device for PRNG.\n"); | ||
191 | goto out_buf; | ||
192 | } | ||
193 | return 0; | ||
194 | |||
195 | out_buf: | ||
196 | kfree(p->buf); | ||
197 | out_free: | ||
198 | kfree(p); | ||
199 | return ret; | ||
200 | } | ||
201 | |||
202 | static void __exit prng_exit(void) | ||
203 | { | ||
204 | /* wipe me */ | ||
205 | memset(p->buf, 0, prng_chunk_size); | ||
206 | kfree(p->buf); | ||
207 | kfree(p); | ||
208 | |||
209 | misc_deregister(&prng_dev); | ||
210 | } | ||
211 | |||
212 | module_init(prng_init); | ||
213 | module_exit(prng_exit); | ||