1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #if defined(__i386__) || defined(__x86_64__)
17 # include <sys/auxv.h>
21 # include <sys/random.h>
23 # include <linux/random.h>
26 #include "alloc-util.h"
30 #include "random-util.h"
31 #include "siphash24.h"
32 #include "time-util.h"
34 int rdrand(unsigned long *ret
) {
36 #if defined(__i386__) || defined(__x86_64__)
37 static int have_rdrand
= -1;
41 if (have_rdrand
< 0) {
42 uint32_t eax
, ebx
, ecx
, edx
;
44 /* Check if RDRAND is supported by the CPU */
45 if (__get_cpuid(1, &eax
, &ebx
, &ecx
, &edx
) == 0) {
50 /* Compat with old gcc where bit_RDRND didn't exist yet */
52 #define bit_RDRND (1U << 30)
55 have_rdrand
= !!(ecx
& bit_RDRND
);
61 asm volatile("rdrand %0;"
65 msan_unpoison(&success
, sizeof(success
));
69 /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success
70 * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be
71 * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking
72 * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around
73 * only however and something AMD really should fix properly. The Linux kernel should probably work
74 * around this issue by turning off RDRAND altogether on those CPUs. See:
75 * https://github.com/systemd/systemd/issues/11810 */
76 if (v
== 0 || v
== ULONG_MAX
)
77 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
),
78 "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v
);
87 int genuine_random_bytes(void *p
, size_t n
, RandomFlags flags
) {
88 static int have_syscall
= -1;
89 _cleanup_close_
int fd
= -1;
90 bool got_some
= false;
93 /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This
94 * call won't block, unless the RANDOM_BLOCK flag is set. If RANDOM_MAY_FAIL is set, an error is
95 * returned if the random pool is not initialized. Otherwise it will always return some data from the
96 * kernel, regardless of whether the random pool is fully initialized or not. */
101 if (FLAGS_SET(flags
, RANDOM_ALLOW_RDRAND
))
102 /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is
103 * not required, as we don't trust it (who does?). Note that we only do a single iteration of
104 * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10
105 * invocations or so. That's because we don't really care about the quality here. We
106 * generally prefer using RDRAND if the caller allows us to, since this way we won't upset
107 * the kernel's random subsystem by accessing it before the pool is initialized (after all it
108 * will kmsg log about every attempt to do so)..*/
113 if (rdrand(&u
) < 0) {
114 if (got_some
&& FLAGS_SET(flags
, RANDOM_EXTEND_WITH_PSEUDO
)) {
115 /* Fill in the remaining bytes using pseudo-random values */
116 pseudo_random_bytes(p
, n
);
120 /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
124 m
= MIN(sizeof(u
), n
);
127 p
= (uint8_t*) p
+ m
;
131 return 0; /* Yay, success! */
136 /* Use the getrandom() syscall unless we know we don't have it. */
137 if (have_syscall
!= 0 && !HAS_FEATURE_MEMORY_SANITIZER
) {
140 r
= getrandom(p
, n
, FLAGS_SET(flags
, RANDOM_BLOCK
) ? 0 : GRND_NONBLOCK
);
145 return 0; /* Yay, success! */
147 assert((size_t) r
< n
);
148 p
= (uint8_t*) p
+ r
;
151 if (FLAGS_SET(flags
, RANDOM_EXTEND_WITH_PSEUDO
)) {
152 /* Fill in the remaining bytes using pseudo-random values */
153 pseudo_random_bytes(p
, n
);
159 /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
160 if (FLAGS_SET(flags
, RANDOM_BLOCK
))
163 /* Fill in the rest with /dev/urandom */
170 } else if (errno
== ENOSYS
) {
171 /* We lack the syscall, continue with reading from /dev/urandom. */
172 have_syscall
= false;
175 } else if (errno
== EAGAIN
) {
176 /* The kernel has no entropy whatsoever. Let's remember to use the syscall
177 * the next time again though.
179 * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can
180 * produce some pseudo-random bytes instead. Otherwise, fall back to
181 * /dev/urandom, which we know is empty, but the kernel will produce some
182 * bytes for us on a best-effort basis. */
185 if (got_some
&& FLAGS_SET(flags
, RANDOM_EXTEND_WITH_PSEUDO
)) {
186 /* Fill in the remaining bytes using pseudorandom values */
187 pseudo_random_bytes(p
, n
);
191 if (FLAGS_SET(flags
, RANDOM_MAY_FAIL
))
194 /* Use /dev/urandom instead */
201 fd
= open("/dev/urandom", O_RDONLY
|O_CLOEXEC
|O_NOCTTY
);
203 return errno
== ENOENT
? -ENOSYS
: -errno
;
205 return loop_read_exact(fd
, p
, n
, true);
208 void initialize_srand(void) {
209 static bool srand_called
= false;
220 /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed
221 * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder
222 * to recover the original value by watching any pseudo-random bits we generate. After all the
223 * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't
224 * leak the seed for that. */
226 auxv
= ULONG_TO_PTR(getauxval(AT_RANDOM
));
228 static const uint8_t auxval_hash_key
[16] = {
229 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f
232 x
= (unsigned) siphash24(auxv
, 16, auxval_hash_key
);
237 x
^= (unsigned) now(CLOCK_REALTIME
);
238 x
^= (unsigned) gettid();
247 /* INT_MAX gives us only 31 bits, so use 24 out of that. */
248 #if RAND_MAX >= INT_MAX
251 /* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */
255 void pseudo_random_bytes(void *p
, size_t n
) {
260 for (q
= p
; q
< (uint8_t*) p
+ n
; q
+= RAND_STEP
) {
263 rr
= (unsigned) rand();
266 if ((size_t) (q
- (uint8_t*) p
+ 2) < n
)
270 if ((size_t) (q
- (uint8_t*) p
+ 1) < n
)
277 void random_bytes(void *p
, size_t n
) {
279 if (genuine_random_bytes(p
, n
, RANDOM_EXTEND_WITH_PSEUDO
|RANDOM_MAY_FAIL
|RANDOM_ALLOW_RDRAND
) >= 0)
282 /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
283 pseudo_random_bytes(p
, n
);