]>
Commit | Line | Data |
---|---|---|
bb5530e4 | 1 | /* |
dfc9fa91 SM |
2 | * Non-physical true random number generator based on timing jitter -- |
3 | * Jitter RNG standalone code. | |
bb5530e4 | 4 | * |
bb897c55 | 5 | * Copyright Stephan Mueller <smueller@chronox.de>, 2015 - 2023 |
bb5530e4 SM |
6 | * |
7 | * Design | |
8 | * ====== | |
9 | * | |
9332a9e7 | 10 | * See https://www.chronox.de/jent.html |
bb5530e4 SM |
11 | * |
12 | * License | |
13 | * ======= | |
14 | * | |
15 | * Redistribution and use in source and binary forms, with or without | |
16 | * modification, are permitted provided that the following conditions | |
17 | * are met: | |
18 | * 1. Redistributions of source code must retain the above copyright | |
19 | * notice, and the entire permission notice in its entirety, | |
20 | * including the disclaimer of warranties. | |
21 | * 2. Redistributions in binary form must reproduce the above copyright | |
22 | * notice, this list of conditions and the following disclaimer in the | |
23 | * documentation and/or other materials provided with the distribution. | |
24 | * 3. The name of the author may not be used to endorse or promote | |
25 | * products derived from this software without specific prior | |
26 | * written permission. | |
27 | * | |
28 | * ALTERNATIVELY, this product may be distributed under the terms of | |
29 | * the GNU General Public License, in which case the provisions of the GPL2 are | |
30 | * required INSTEAD OF the above restrictions. (This clause is | |
31 | * necessary due to a potential bad interaction between the GPL and | |
32 | * the restrictions contained in a BSD-style copyright.) | |
33 | * | |
34 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
35 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
36 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF | |
37 | * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE | |
38 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
39 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | |
40 | * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | |
41 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |
42 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
43 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE | |
44 | * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH | |
45 | * DAMAGE. | |
46 | */ | |
47 | ||
48 | /* | |
49 | * This Jitterentropy RNG is based on the jitterentropy library | |
bb897c55 | 50 | * version 3.4.0 provided at https://www.chronox.de/jent.html |
bb5530e4 SM |
51 | */ |
52 | ||
dfc9fa91 SM |
53 | #ifdef __OPTIMIZE__ |
54 | #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c." | |
55 | #endif | |
56 | ||
57 | typedef unsigned long long __u64; | |
58 | typedef long long __s64; | |
59 | typedef unsigned int __u32; | |
bb897c55 | 60 | typedef unsigned char u8; |
dfc9fa91 | 61 | #define NULL ((void *) 0) |
bb5530e4 | 62 | |
bb5530e4 SM |
63 | /* The entropy pool */ |
64 | struct rand_data { | |
bb897c55 SM |
65 | /* SHA3-256 is used as conditioner */ |
66 | #define DATA_SIZE_BITS 256 | |
bb5530e4 SM |
67 | /* all data values that are vital to maintain the security |
68 | * of the RNG are marked as SENSITIVE. A user must not | |
69 | * access that information while the RNG executes its loops to | |
70 | * calculate the next random value. */ | |
bb897c55 SM |
71 | void *hash_state; /* SENSITIVE hash state entropy pool */ |
72 | __u64 prev_time; /* SENSITIVE Previous time stamp */ | |
73 | __u64 last_delta; /* SENSITIVE stuck test */ | |
74 | __s64 last_delta2; /* SENSITIVE stuck test */ | |
04597c8d SM |
75 | |
76 | unsigned int flags; /* Flags used to initialize */ | |
bb897c55 | 77 | unsigned int osr; /* Oversample rate */ |
bb5530e4 | 78 | #define JENT_MEMORY_ACCESSLOOPS 128 |
59bcfd78 SM |
79 | #define JENT_MEMORY_SIZE \ |
80 | (CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS * \ | |
81 | CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE) | |
bb5530e4 SM |
82 | unsigned char *mem; /* Memory access location with size of |
83 | * memblocks * memblocksize */ | |
84 | unsigned int memlocation; /* Pointer to byte in *mem */ | |
85 | unsigned int memblocks; /* Number of memory blocks in *mem */ | |
86 | unsigned int memblocksize; /* Size of one memory block in bytes */ | |
87 | unsigned int memaccessloops; /* Number of memory accesses per random | |
88 | * bit generation */ | |
764428fe SM |
89 | |
90 | /* Repetition Count Test */ | |
3fde2fe9 | 91 | unsigned int rct_count; /* Number of stuck values */ |
764428fe | 92 | |
04597c8d SM |
93 | /* Adaptive Proportion Test cutoff values */ |
94 | unsigned int apt_cutoff; /* Intermittent health test failure */ | |
95 | unsigned int apt_cutoff_permanent; /* Permanent health test failure */ | |
764428fe SM |
96 | #define JENT_APT_WINDOW_SIZE 512 /* Data window size */ |
97 | /* LSB of time stamp to process */ | |
98 | #define JENT_APT_LSB 16 | |
99 | #define JENT_APT_WORD_MASK (JENT_APT_LSB - 1) | |
100 | unsigned int apt_observations; /* Number of collected observations */ | |
101 | unsigned int apt_count; /* APT counter */ | |
102 | unsigned int apt_base; /* APT base reference */ | |
103 | unsigned int apt_base_set:1; /* APT base reference set? */ | |
bb5530e4 SM |
104 | }; |
105 | ||
106 | /* Flags that can be used to initialize the RNG */ | |
bb5530e4 SM |
107 | #define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more |
108 | * entropy, saves MEMORY_SIZE RAM for | |
109 | * entropy collector */ | |
110 | ||
bb5530e4 SM |
111 | /* -- error codes for init function -- */ |
112 | #define JENT_ENOTIME 1 /* Timer service not available */ | |
113 | #define JENT_ECOARSETIME 2 /* Timer too coarse for RNG */ | |
114 | #define JENT_ENOMONOTONIC 3 /* Timer is not monotonic increasing */ | |
bb5530e4 SM |
115 | #define JENT_EVARVAR 5 /* Timer does not produce variations of |
116 | * variations (2nd derivation of time is | |
117 | * zero). */ | |
d9d67c87 | 118 | #define JENT_ESTUCK 8 /* Too many stuck results during init. */ |
764428fe | 119 | #define JENT_EHEALTH 9 /* Health test failed during initialization */ |
04597c8d SM |
120 | #define JENT_ERCT 10 /* RCT failed during initialization */ |
121 | #define JENT_EHASH 11 /* Hash self test failed */ | |
122 | #define JENT_EMEM 12 /* Can't allocate memory for initialization */ | |
764428fe | 123 | |
908dffaf SM |
124 | /* |
125 | * The output n bits can receive more than n bits of min entropy, of course, | |
126 | * but the fixed output of the conditioning function can only asymptotically | |
127 | * approach the output size bits of min entropy, not attain that bound. Random | |
128 | * maps will tend to have output collisions, which reduces the creditable | |
129 | * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound). | |
130 | * | |
131 | * The value "64" is justified in Appendix A.4 of the current 90C draft, | |
132 | * and aligns with NIST's in "epsilon" definition in this document, which is | |
133 | * that a string can be considered "full entropy" if you can bound the min | |
134 | * entropy in each bit of output to at least 1-epsilon, where epsilon is | |
135 | * required to be <= 2^(-32). | |
136 | */ | |
137 | #define JENT_ENTROPY_SAFETY_FACTOR 64 | |
138 | ||
139 | #include <linux/fips.h> | |
764428fe | 140 | #include "jitterentropy.h" |
bb5530e4 SM |
141 | |
142 | /*************************************************************************** | |
764428fe SM |
143 | * Adaptive Proportion Test |
144 | * | |
145 | * This test complies with SP800-90B section 4.4.2. | |
bb5530e4 SM |
146 | ***************************************************************************/ |
147 | ||
04597c8d SM |
148 | /* |
149 | * See the SP 800-90B comment #10b for the corrected cutoff for the SP 800-90B | |
150 | * APT. | |
151 | * http://www.untruth.org/~josh/sp80090b/UL%20SP800-90B-final%20comments%20v1.9%2020191212.pdf | |
152 | * In in the syntax of R, this is C = 2 + qbinom(1 − 2^(−30), 511, 2^(-1/osr)). | |
153 | * (The original formula wasn't correct because the first symbol must | |
154 | * necessarily have been observed, so there is no chance of observing 0 of these | |
155 | * symbols.) | |
156 | * | |
157 | * For the alpha < 2^-53, R cannot be used as it uses a float data type without | |
158 | * arbitrary precision. A SageMath script is used to calculate those cutoff | |
159 | * values. | |
160 | * | |
161 | * For any value above 14, this yields the maximal allowable value of 512 | |
162 | * (by FIPS 140-2 IG 7.19 Resolution # 16, we cannot choose a cutoff value that | |
163 | * renders the test unable to fail). | |
164 | */ | |
165 | static const unsigned int jent_apt_cutoff_lookup[15] = { | |
166 | 325, 422, 459, 477, 488, 494, 499, 502, | |
167 | 505, 507, 508, 509, 510, 511, 512 }; | |
168 | static const unsigned int jent_apt_cutoff_permanent_lookup[15] = { | |
169 | 355, 447, 479, 494, 502, 507, 510, 512, | |
170 | 512, 512, 512, 512, 512, 512, 512 }; | |
171 | #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) | |
172 | ||
173 | static void jent_apt_init(struct rand_data *ec, unsigned int osr) | |
174 | { | |
175 | /* | |
176 | * Establish the apt_cutoff based on the presumed entropy rate of | |
177 | * 1/osr. | |
178 | */ | |
179 | if (osr >= ARRAY_SIZE(jent_apt_cutoff_lookup)) { | |
180 | ec->apt_cutoff = jent_apt_cutoff_lookup[ | |
181 | ARRAY_SIZE(jent_apt_cutoff_lookup) - 1]; | |
182 | ec->apt_cutoff_permanent = jent_apt_cutoff_permanent_lookup[ | |
183 | ARRAY_SIZE(jent_apt_cutoff_permanent_lookup) - 1]; | |
184 | } else { | |
185 | ec->apt_cutoff = jent_apt_cutoff_lookup[osr - 1]; | |
186 | ec->apt_cutoff_permanent = | |
187 | jent_apt_cutoff_permanent_lookup[osr - 1]; | |
188 | } | |
189 | } | |
04cb788e | 190 | /* |
764428fe SM |
191 | * Reset the APT counter |
192 | * | |
193 | * @ec [in] Reference to entropy collector | |
194 | */ | |
195 | static void jent_apt_reset(struct rand_data *ec, unsigned int delta_masked) | |
196 | { | |
197 | /* Reset APT counter */ | |
198 | ec->apt_count = 0; | |
199 | ec->apt_base = delta_masked; | |
200 | ec->apt_observations = 0; | |
201 | } | |
202 | ||
04cb788e | 203 | /* |
764428fe SM |
204 | * Insert a new entropy event into APT |
205 | * | |
206 | * @ec [in] Reference to entropy collector | |
207 | * @delta_masked [in] Masked time delta to process | |
208 | */ | |
209 | static void jent_apt_insert(struct rand_data *ec, unsigned int delta_masked) | |
210 | { | |
211 | /* Initialize the base reference */ | |
212 | if (!ec->apt_base_set) { | |
213 | ec->apt_base = delta_masked; | |
214 | ec->apt_base_set = 1; | |
215 | return; | |
216 | } | |
217 | ||
3fde2fe9 | 218 | if (delta_masked == ec->apt_base) |
764428fe SM |
219 | ec->apt_count++; |
220 | ||
764428fe SM |
221 | ec->apt_observations++; |
222 | ||
223 | if (ec->apt_observations >= JENT_APT_WINDOW_SIZE) | |
224 | jent_apt_reset(ec, delta_masked); | |
225 | } | |
226 | ||
3fde2fe9 SM |
227 | /* APT health test failure detection */ |
228 | static int jent_apt_permanent_failure(struct rand_data *ec) | |
229 | { | |
04597c8d | 230 | return (ec->apt_count >= ec->apt_cutoff_permanent) ? 1 : 0; |
3fde2fe9 SM |
231 | } |
232 | ||
233 | static int jent_apt_failure(struct rand_data *ec) | |
234 | { | |
04597c8d | 235 | return (ec->apt_count >= ec->apt_cutoff) ? 1 : 0; |
3fde2fe9 SM |
236 | } |
237 | ||
764428fe SM |
238 | /*************************************************************************** |
239 | * Stuck Test and its use as Repetition Count Test | |
240 | * | |
241 | * The Jitter RNG uses an enhanced version of the Repetition Count Test | |
242 | * (RCT) specified in SP800-90B section 4.4.1. Instead of counting identical | |
243 | * back-to-back values, the input to the RCT is the counting of the stuck | |
244 | * values during the generation of one Jitter RNG output block. | |
245 | * | |
246 | * The RCT is applied with an alpha of 2^{-30} compliant to FIPS 140-2 IG 9.8. | |
247 | * | |
248 | * During the counting operation, the Jitter RNG always calculates the RCT | |
249 | * cut-off value of C. If that value exceeds the allowed cut-off value, | |
250 | * the Jitter RNG output block will be calculated completely but discarded at | |
251 | * the end. The caller of the Jitter RNG is informed with an error code. | |
252 | ***************************************************************************/ | |
253 | ||
04cb788e | 254 | /* |
764428fe SM |
255 | * Repetition Count Test as defined in SP800-90B section 4.4.1 |
256 | * | |
257 | * @ec [in] Reference to entropy collector | |
258 | * @stuck [in] Indicator whether the value is stuck | |
259 | */ | |
260 | static void jent_rct_insert(struct rand_data *ec, int stuck) | |
261 | { | |
764428fe SM |
262 | if (stuck) { |
263 | ec->rct_count++; | |
764428fe | 264 | } else { |
3fde2fe9 | 265 | /* Reset RCT */ |
764428fe SM |
266 | ec->rct_count = 0; |
267 | } | |
268 | } | |
269 | ||
764428fe SM |
270 | static inline __u64 jent_delta(__u64 prev, __u64 next) |
271 | { | |
272 | #define JENT_UINT64_MAX (__u64)(~((__u64) 0)) | |
273 | return (prev < next) ? (next - prev) : | |
274 | (JENT_UINT64_MAX - prev + 1 + next); | |
275 | } | |
276 | ||
04cb788e | 277 | /* |
764428fe SM |
278 | * Stuck test by checking the: |
279 | * 1st derivative of the jitter measurement (time delta) | |
280 | * 2nd derivative of the jitter measurement (delta of time deltas) | |
281 | * 3rd derivative of the jitter measurement (delta of delta of time deltas) | |
282 | * | |
283 | * All values must always be non-zero. | |
284 | * | |
285 | * @ec [in] Reference to entropy collector | |
286 | * @current_delta [in] Jitter time delta | |
287 | * | |
288 | * @return | |
289 | * 0 jitter measurement not stuck (good bit) | |
290 | * 1 jitter measurement stuck (reject bit) | |
291 | */ | |
292 | static int jent_stuck(struct rand_data *ec, __u64 current_delta) | |
293 | { | |
294 | __u64 delta2 = jent_delta(ec->last_delta, current_delta); | |
295 | __u64 delta3 = jent_delta(ec->last_delta2, delta2); | |
764428fe SM |
296 | |
297 | ec->last_delta = current_delta; | |
298 | ec->last_delta2 = delta2; | |
299 | ||
300 | /* | |
301 | * Insert the result of the comparison of two back-to-back time | |
302 | * deltas. | |
303 | */ | |
552d03a2 | 304 | jent_apt_insert(ec, current_delta); |
764428fe SM |
305 | |
306 | if (!current_delta || !delta2 || !delta3) { | |
307 | /* RCT with a stuck bit */ | |
308 | jent_rct_insert(ec, 1); | |
309 | return 1; | |
310 | } | |
311 | ||
312 | /* RCT with a non-stuck bit */ | |
313 | jent_rct_insert(ec, 0); | |
314 | ||
315 | return 0; | |
316 | } | |
317 | ||
04597c8d SM |
318 | /* |
319 | * The cutoff value is based on the following consideration: | |
320 | * alpha = 2^-30 or 2^-60 as recommended in SP800-90B. | |
321 | * In addition, we require an entropy value H of 1/osr as this is the minimum | |
322 | * entropy required to provide full entropy. | |
323 | * Note, we collect (DATA_SIZE_BITS + ENTROPY_SAFETY_FACTOR)*osr deltas for | |
324 | * inserting them into the entropy pool which should then have (close to) | |
325 | * DATA_SIZE_BITS bits of entropy in the conditioned output. | |
326 | * | |
327 | * Note, ec->rct_count (which equals to value B in the pseudo code of SP800-90B | |
328 | * section 4.4.1) starts with zero. Hence we need to subtract one from the | |
329 | * cutoff value as calculated following SP800-90B. Thus | |
330 | * C = ceil(-log_2(alpha)/H) = 30*osr or 60*osr. | |
331 | */ | |
3fde2fe9 SM |
332 | static int jent_rct_permanent_failure(struct rand_data *ec) |
333 | { | |
04597c8d | 334 | return (ec->rct_count >= (60 * ec->osr)) ? 1 : 0; |
3fde2fe9 SM |
335 | } |
336 | ||
337 | static int jent_rct_failure(struct rand_data *ec) | |
338 | { | |
04597c8d | 339 | return (ec->rct_count >= (30 * ec->osr)) ? 1 : 0; |
3fde2fe9 SM |
340 | } |
341 | ||
342 | /* Report of health test failures */ | |
764428fe SM |
343 | static int jent_health_failure(struct rand_data *ec) |
344 | { | |
3fde2fe9 SM |
345 | return jent_rct_failure(ec) | jent_apt_failure(ec); |
346 | } | |
347 | ||
348 | static int jent_permanent_health_failure(struct rand_data *ec) | |
349 | { | |
350 | return jent_rct_permanent_failure(ec) | jent_apt_permanent_failure(ec); | |
764428fe SM |
351 | } |
352 | ||
353 | /*************************************************************************** | |
354 | * Noise sources | |
355 | ***************************************************************************/ | |
bb5530e4 | 356 | |
04cb788e | 357 | /* |
bb5530e4 SM |
358 | * Update of the loop count used for the next round of |
359 | * an entropy collection. | |
360 | * | |
361 | * Input: | |
bb5530e4 SM |
362 | * @bits is the number of low bits of the timer to consider |
363 | * @min is the number of bits we shift the timer value to the right at | |
364 | * the end to make sure we have a guaranteed minimum value | |
365 | * | |
366 | * @return Newly calculated loop counter | |
367 | */ | |
bb897c55 | 368 | static __u64 jent_loop_shuffle(unsigned int bits, unsigned int min) |
bb5530e4 SM |
369 | { |
370 | __u64 time = 0; | |
371 | __u64 shuffle = 0; | |
372 | unsigned int i = 0; | |
373 | unsigned int mask = (1<<bits) - 1; | |
374 | ||
375 | jent_get_nstime(&time); | |
bb897c55 | 376 | |
bb5530e4 | 377 | /* |
d9d67c87 SM |
378 | * We fold the time value as much as possible to ensure that as many |
379 | * bits of the time stamp are included as possible. | |
bb5530e4 | 380 | */ |
d9d67c87 | 381 | for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) { |
bb5530e4 SM |
382 | shuffle ^= time & mask; |
383 | time = time >> bits; | |
384 | } | |
385 | ||
386 | /* | |
387 | * We add a lower boundary value to ensure we have a minimum | |
388 | * RNG loop count. | |
389 | */ | |
390 | return (shuffle + (1<<min)); | |
391 | } | |
392 | ||
04cb788e | 393 | /* |
bb5530e4 SM |
394 | * CPU Jitter noise source -- this is the noise source based on the CPU |
395 | * execution time jitter | |
396 | * | |
d9d67c87 | 397 | * This function injects the individual bits of the time value into the |
bb897c55 | 398 | * entropy pool using a hash. |
bb5530e4 | 399 | * |
bb897c55 SM |
400 | * ec [in] entropy collector |
401 | * time [in] time stamp to be injected | |
402 | * stuck [in] Is the time stamp identified as stuck? | |
bb5530e4 SM |
403 | * |
404 | * Output: | |
bb897c55 | 405 | * updated hash context in the entropy collector or error code |
bb5530e4 | 406 | */ |
bb897c55 | 407 | static int jent_condition_data(struct rand_data *ec, __u64 time, int stuck) |
bb5530e4 | 408 | { |
bb897c55 SM |
409 | #define SHA3_HASH_LOOP (1<<3) |
410 | struct { | |
411 | int rct_count; | |
412 | unsigned int apt_observations; | |
413 | unsigned int apt_count; | |
414 | unsigned int apt_base; | |
415 | } addtl = { | |
416 | ec->rct_count, | |
417 | ec->apt_observations, | |
418 | ec->apt_count, | |
419 | ec->apt_base | |
420 | }; | |
421 | ||
422 | return jent_hash_time(ec->hash_state, time, (u8 *)&addtl, sizeof(addtl), | |
423 | SHA3_HASH_LOOP, stuck); | |
bb5530e4 SM |
424 | } |
425 | ||
04cb788e | 426 | /* |
bb5530e4 SM |
427 | * Memory Access noise source -- this is a noise source based on variations in |
428 | * memory access times | |
429 | * | |
430 | * This function performs memory accesses which will add to the timing | |
431 | * variations due to an unknown amount of CPU wait states that need to be | |
432 | * added when accessing memory. The memory size should be larger than the L1 | |
433 | * caches as outlined in the documentation and the associated testing. | |
434 | * | |
435 | * The L1 cache has a very high bandwidth, albeit its access rate is usually | |
436 | * slower than accessing CPU registers. Therefore, L1 accesses only add minimal | |
437 | * variations as the CPU has hardly to wait. Starting with L2, significant | |
438 | * variations are added because L2 typically does not belong to the CPU any more | |
439 | * and therefore a wider range of CPU wait states is necessary for accesses. | |
440 | * L3 and real memory accesses have even a wider range of wait states. However, | |
441 | * to reliably access either L3 or memory, the ec->mem memory must be quite | |
442 | * large which is usually not desirable. | |
443 | * | |
764428fe SM |
444 | * @ec [in] Reference to the entropy collector with the memory access data -- if |
445 | * the reference to the memory block to be accessed is NULL, this noise | |
446 | * source is disabled | |
447 | * @loop_cnt [in] if a value not equal to 0 is set, use the given value | |
448 | * number of loops to perform the LFSR | |
bb5530e4 | 449 | */ |
764428fe | 450 | static void jent_memaccess(struct rand_data *ec, __u64 loop_cnt) |
bb5530e4 | 451 | { |
bb5530e4 SM |
452 | unsigned int wrap = 0; |
453 | __u64 i = 0; | |
454 | #define MAX_ACC_LOOP_BIT 7 | |
455 | #define MIN_ACC_LOOP_BIT 0 | |
456 | __u64 acc_loop_cnt = | |
bb897c55 | 457 | jent_loop_shuffle(MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT); |
bb5530e4 SM |
458 | |
459 | if (NULL == ec || NULL == ec->mem) | |
764428fe | 460 | return; |
bb5530e4 SM |
461 | wrap = ec->memblocksize * ec->memblocks; |
462 | ||
463 | /* | |
464 | * testing purposes -- allow test app to set the counter, not | |
465 | * needed during runtime | |
466 | */ | |
467 | if (loop_cnt) | |
468 | acc_loop_cnt = loop_cnt; | |
469 | ||
470 | for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) { | |
d9d67c87 | 471 | unsigned char *tmpval = ec->mem + ec->memlocation; |
bb5530e4 SM |
472 | /* |
473 | * memory access: just add 1 to one byte, | |
474 | * wrap at 255 -- memory access implies read | |
475 | * from and write to memory location | |
476 | */ | |
477 | *tmpval = (*tmpval + 1) & 0xff; | |
478 | /* | |
479 | * Addition of memblocksize - 1 to pointer | |
480 | * with wrap around logic to ensure that every | |
481 | * memory location is hit evenly | |
482 | */ | |
483 | ec->memlocation = ec->memlocation + ec->memblocksize - 1; | |
484 | ec->memlocation = ec->memlocation % wrap; | |
485 | } | |
bb5530e4 SM |
486 | } |
487 | ||
488 | /*************************************************************************** | |
489 | * Start of entropy processing logic | |
490 | ***************************************************************************/ | |
04cb788e | 491 | /* |
bb5530e4 | 492 | * This is the heart of the entropy generation: calculate time deltas and |
d9d67c87 SM |
493 | * use the CPU jitter in the time deltas. The jitter is injected into the |
494 | * entropy pool. | |
bb5530e4 SM |
495 | * |
496 | * WARNING: ensure that ->prev_time is primed before using the output | |
497 | * of this function! This can be done by calling this function | |
498 | * and not using its result. | |
499 | * | |
764428fe | 500 | * @ec [in] Reference to entropy collector |
bb5530e4 | 501 | * |
d9d67c87 | 502 | * @return result of stuck test |
bb5530e4 | 503 | */ |
04597c8d | 504 | static int jent_measure_jitter(struct rand_data *ec, __u64 *ret_current_delta) |
bb5530e4 SM |
505 | { |
506 | __u64 time = 0; | |
bb5530e4 | 507 | __u64 current_delta = 0; |
764428fe | 508 | int stuck; |
bb5530e4 SM |
509 | |
510 | /* Invoke one noise source before time measurement to add variations */ | |
511 | jent_memaccess(ec, 0); | |
512 | ||
513 | /* | |
514 | * Get time stamp and calculate time delta to previous | |
515 | * invocation to measure the timing variations | |
516 | */ | |
517 | jent_get_nstime(&time); | |
764428fe | 518 | current_delta = jent_delta(ec->prev_time, time); |
bb5530e4 SM |
519 | ec->prev_time = time; |
520 | ||
764428fe SM |
521 | /* Check whether we have a stuck measurement. */ |
522 | stuck = jent_stuck(ec, current_delta); | |
523 | ||
d9d67c87 | 524 | /* Now call the next noise sources which also injects the data */ |
bb897c55 SM |
525 | if (jent_condition_data(ec, current_delta, stuck)) |
526 | stuck = 1; | |
bb5530e4 | 527 | |
04597c8d SM |
528 | /* return the raw entropy value */ |
529 | if (ret_current_delta) | |
530 | *ret_current_delta = current_delta; | |
531 | ||
764428fe | 532 | return stuck; |
bb5530e4 SM |
533 | } |
534 | ||
04cb788e | 535 | /* |
bb5530e4 | 536 | * Generator of one 64 bit random number |
bb897c55 | 537 | * Function fills rand_data->hash_state |
bb5530e4 | 538 | * |
764428fe | 539 | * @ec [in] Reference to entropy collector |
bb5530e4 SM |
540 | */ |
541 | static void jent_gen_entropy(struct rand_data *ec) | |
542 | { | |
908dffaf SM |
543 | unsigned int k = 0, safety_factor = 0; |
544 | ||
545 | if (fips_enabled) | |
546 | safety_factor = JENT_ENTROPY_SAFETY_FACTOR; | |
bb5530e4 SM |
547 | |
548 | /* priming of the ->prev_time value */ | |
04597c8d | 549 | jent_measure_jitter(ec, NULL); |
bb5530e4 | 550 | |
710ce4b8 | 551 | while (!jent_health_failure(ec)) { |
d9d67c87 | 552 | /* If a stuck measurement is received, repeat measurement */ |
04597c8d | 553 | if (jent_measure_jitter(ec, NULL)) |
bb5530e4 | 554 | continue; |
bb5530e4 SM |
555 | |
556 | /* | |
557 | * We multiply the loop value with ->osr to obtain the | |
558 | * oversampling rate requested by the caller | |
559 | */ | |
908dffaf | 560 | if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr)) |
bb5530e4 SM |
561 | break; |
562 | } | |
bb5530e4 SM |
563 | } |
564 | ||
04cb788e | 565 | /* |
bb5530e4 SM |
566 | * Entry function: Obtain entropy for the caller. |
567 | * | |
568 | * This function invokes the entropy gathering logic as often to generate | |
569 | * as many bytes as requested by the caller. The entropy gathering logic | |
570 | * creates 64 bit per invocation. | |
571 | * | |
572 | * This function truncates the last 64 bit entropy value output to the exact | |
573 | * size specified by the caller. | |
574 | * | |
764428fe SM |
575 | * @ec [in] Reference to entropy collector |
576 | * @data [in] pointer to buffer for storing random data -- buffer must already | |
577 | * exist | |
578 | * @len [in] size of the buffer, specifying also the requested number of random | |
579 | * in bytes | |
bb5530e4 SM |
580 | * |
581 | * @return 0 when request is fulfilled or an error | |
582 | * | |
583 | * The following error codes can occur: | |
bb897c55 | 584 | * -1 entropy_collector is NULL or the generation failed |
3fde2fe9 SM |
585 | * -2 Intermittent health failure |
586 | * -3 Permanent health failure | |
bb5530e4 | 587 | */ |
dfc9fa91 SM |
588 | int jent_read_entropy(struct rand_data *ec, unsigned char *data, |
589 | unsigned int len) | |
bb5530e4 | 590 | { |
dfc9fa91 | 591 | unsigned char *p = data; |
bb5530e4 SM |
592 | |
593 | if (!ec) | |
dfc9fa91 | 594 | return -1; |
bb5530e4 | 595 | |
36c25011 | 596 | while (len > 0) { |
dfc9fa91 | 597 | unsigned int tocopy; |
bb5530e4 SM |
598 | |
599 | jent_gen_entropy(ec); | |
764428fe | 600 | |
3fde2fe9 | 601 | if (jent_permanent_health_failure(ec)) { |
764428fe | 602 | /* |
3fde2fe9 SM |
603 | * At this point, the Jitter RNG instance is considered |
604 | * as a failed instance. There is no rerun of the | |
605 | * startup test any more, because the caller | |
606 | * is assumed to not further use this instance. | |
764428fe | 607 | */ |
3fde2fe9 SM |
608 | return -3; |
609 | } else if (jent_health_failure(ec)) { | |
764428fe | 610 | /* |
3fde2fe9 SM |
611 | * Perform startup health tests and return permanent |
612 | * error if it fails. | |
764428fe | 613 | */ |
04597c8d SM |
614 | if (jent_entropy_init(ec->osr, ec->flags, |
615 | ec->hash_state)) | |
3fde2fe9 SM |
616 | return -3; |
617 | ||
618 | return -2; | |
764428fe SM |
619 | } |
620 | ||
bb5530e4 SM |
621 | if ((DATA_SIZE_BITS / 8) < len) |
622 | tocopy = (DATA_SIZE_BITS / 8); | |
623 | else | |
624 | tocopy = len; | |
bb897c55 SM |
625 | if (jent_read_random_block(ec->hash_state, p, tocopy)) |
626 | return -1; | |
bb5530e4 SM |
627 | |
628 | len -= tocopy; | |
629 | p += tocopy; | |
630 | } | |
631 | ||
632 | return 0; | |
633 | } | |
634 | ||
635 | /*************************************************************************** | |
636 | * Initialization logic | |
637 | ***************************************************************************/ | |
638 | ||
dfc9fa91 | 639 | struct rand_data *jent_entropy_collector_alloc(unsigned int osr, |
bb897c55 SM |
640 | unsigned int flags, |
641 | void *hash_state) | |
bb5530e4 SM |
642 | { |
643 | struct rand_data *entropy_collector; | |
644 | ||
dfc9fa91 | 645 | entropy_collector = jent_zalloc(sizeof(struct rand_data)); |
bb5530e4 SM |
646 | if (!entropy_collector) |
647 | return NULL; | |
648 | ||
649 | if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) { | |
650 | /* Allocate memory for adding variations based on memory | |
651 | * access | |
652 | */ | |
59bcfd78 | 653 | entropy_collector->mem = jent_kvzalloc(JENT_MEMORY_SIZE); |
bb5530e4 | 654 | if (!entropy_collector->mem) { |
dfc9fa91 | 655 | jent_zfree(entropy_collector); |
bb5530e4 SM |
656 | return NULL; |
657 | } | |
59bcfd78 SM |
658 | entropy_collector->memblocksize = |
659 | CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE; | |
660 | entropy_collector->memblocks = | |
661 | CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS; | |
bb5530e4 SM |
662 | entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; |
663 | } | |
664 | ||
665 | /* verify and set the oversampling rate */ | |
36c25011 | 666 | if (osr == 0) |
04597c8d | 667 | osr = 1; /* H_submitter = 1 / osr */ |
bb5530e4 | 668 | entropy_collector->osr = osr; |
04597c8d | 669 | entropy_collector->flags = flags; |
bb5530e4 | 670 | |
bb897c55 SM |
671 | entropy_collector->hash_state = hash_state; |
672 | ||
04597c8d SM |
673 | /* Initialize the APT */ |
674 | jent_apt_init(entropy_collector, osr); | |
675 | ||
bb5530e4 SM |
676 | /* fill the data pad with non-zero values */ |
677 | jent_gen_entropy(entropy_collector); | |
678 | ||
679 | return entropy_collector; | |
680 | } | |
681 | ||
dfc9fa91 | 682 | void jent_entropy_collector_free(struct rand_data *entropy_collector) |
bb5530e4 | 683 | { |
59bcfd78 | 684 | jent_kvzfree(entropy_collector->mem, JENT_MEMORY_SIZE); |
bb5530e4 | 685 | entropy_collector->mem = NULL; |
cea0a3c3 | 686 | jent_zfree(entropy_collector); |
bb5530e4 SM |
687 | } |
688 | ||
04597c8d | 689 | int jent_entropy_init(unsigned int osr, unsigned int flags, void *hash_state) |
bb5530e4 | 690 | { |
04597c8d SM |
691 | struct rand_data *ec; |
692 | int i, time_backwards = 0, ret = 0; | |
693 | ||
694 | ec = jent_entropy_collector_alloc(osr, flags, hash_state); | |
695 | if (!ec) | |
696 | return JENT_EMEM; | |
764428fe | 697 | |
bb5530e4 SM |
698 | /* We could perform statistical tests here, but the problem is |
699 | * that we only have a few loop counts to do testing. These | |
700 | * loop counts may show some slight skew and we produce | |
701 | * false positives. | |
702 | * | |
703 | * Moreover, only old systems show potentially problematic | |
704 | * jitter entropy that could potentially be caught here. But | |
705 | * the RNG is intended for hardware that is available or widely | |
706 | * used, but not old systems that are long out of favor. Thus, | |
707 | * no statistical tests. | |
708 | */ | |
709 | ||
710 | /* | |
711 | * We could add a check for system capabilities such as clock_getres or | |
712 | * check for CONFIG_X86_TSC, but it does not make much sense as the | |
713 | * following sanity checks verify that we have a high-resolution | |
714 | * timer. | |
715 | */ | |
716 | /* | |
717 | * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is | |
718 | * definitely too little. | |
764428fe SM |
719 | * |
720 | * SP800-90B requires at least 1024 initial test cycles. | |
bb5530e4 | 721 | */ |
764428fe | 722 | #define TESTLOOPCOUNT 1024 |
bb5530e4 SM |
723 | #define CLEARCACHE 100 |
724 | for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) { | |
04597c8d | 725 | __u64 start_time = 0, end_time = 0, delta = 0; |
bb5530e4 | 726 | |
d9d67c87 | 727 | /* Invoke core entropy collection logic */ |
04597c8d SM |
728 | jent_measure_jitter(ec, &delta); |
729 | end_time = ec->prev_time; | |
730 | start_time = ec->prev_time - delta; | |
bb5530e4 SM |
731 | |
732 | /* test whether timer works */ | |
04597c8d SM |
733 | if (!start_time || !end_time) { |
734 | ret = JENT_ENOTIME; | |
735 | goto out; | |
736 | } | |
737 | ||
bb5530e4 SM |
738 | /* |
739 | * test whether timer is fine grained enough to provide | |
740 | * delta even when called shortly after each other -- this | |
741 | * implies that we also have a high resolution timer | |
742 | */ | |
04597c8d SM |
743 | if (!delta || (end_time == start_time)) { |
744 | ret = JENT_ECOARSETIME; | |
745 | goto out; | |
746 | } | |
d9d67c87 | 747 | |
bb5530e4 SM |
748 | /* |
749 | * up to here we did not modify any variable that will be | |
750 | * evaluated later, but we already performed some work. Thus we | |
751 | * already have had an impact on the caches, branch prediction, | |
752 | * etc. with the goal to clear it to get the worst case | |
753 | * measurements. | |
754 | */ | |
36c25011 | 755 | if (i < CLEARCACHE) |
bb5530e4 SM |
756 | continue; |
757 | ||
758 | /* test whether we have an increasing timer */ | |
04597c8d | 759 | if (!(end_time > start_time)) |
bb5530e4 | 760 | time_backwards++; |
bb5530e4 SM |
761 | } |
762 | ||
763 | /* | |
764 | * we allow up to three times the time running backwards. | |
765 | * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus, | |
766 | * if such an operation just happens to interfere with our test, it | |
767 | * should not fail. The value of 3 should cover the NTP case being | |
768 | * performed during our test run. | |
769 | */ | |
04597c8d SM |
770 | if (time_backwards > 3) { |
771 | ret = JENT_ENOMONOTONIC; | |
772 | goto out; | |
773 | } | |
bb5530e4 | 774 | |
04597c8d SM |
775 | /* Did we encounter a health test failure? */ |
776 | if (jent_rct_failure(ec)) { | |
777 | ret = JENT_ERCT; | |
778 | goto out; | |
779 | } | |
780 | if (jent_apt_failure(ec)) { | |
781 | ret = JENT_EHEALTH; | |
782 | goto out; | |
783 | } | |
bb5530e4 | 784 | |
04597c8d SM |
785 | out: |
786 | jent_entropy_collector_free(ec); | |
d9d67c87 | 787 | |
04597c8d | 788 | return ret; |
bb5530e4 | 789 | } |