2 * Copyright (c) 2012-2014, Intel Corporation
3 * Authors: Richard B. Hill <richard.b.hill@intel.com>,
4 * H. Peter Anvin <hpa@linux.intel.com>,
5 * John P. Mechalas <john.p.mechalas@intel.com>
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms and conditions of the GNU General Public License,
9 * version 2, as published by the Free Software Foundation.
11 * This program is distributed in the hope it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
16 * You should have received a copy of the GNU General Public License along with
17 * this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
25 #error Invalid or missing autoconf build environment
28 #include "rng-tools-config.h"
33 #include <sys/types.h>
47 #include "rngd_entsource.h"
49 #if defined(__i386__) || defined(__x86_64__)
51 /* Struct for CPUID return values */
53 uint32_t eax
, ecx
, edx
, ebx
;
57 * Get data from RDRAND. The count is in bytes, but the function can
58 * round *up* the count to the nearest 4- or 8-byte boundary. The caller
59 * needs to take that into account.
61 * The function returns the number of bytes actually written.
63 extern unsigned int x86_rdrand_bytes(void *ptr
, unsigned int count
);
65 /* Condition RDRAND for seed-grade entropy */
66 extern void x86_aes_mangle(void *data
, void *state
);
68 /* Expand an AES key for future use */
69 extern void x86_aes_expand_key(const void *key
);
72 typedef uint64_t unative_t
; /* x86-64 or x32 */
74 typedef uint32_t unative_t
; /* i386 */
77 /* Checking eflags to confirm cpuid instruction available */
78 static inline int x86_has_eflag(unative_t flag
)
91 : "=&r" (f0
), "=&r" (f1
)
93 return !!((f0
^f1
) & flag
);
96 static inline int x86_has_cpuid(void)
99 return x86_has_eflag(1 << 21); /* ID flag */
101 return 1; /* x86-64 always has CPUID */
105 /* Calling cpuid instruction to verify rdrand and aes-ni capability */
106 static void cpuid(unsigned int leaf
, unsigned int subleaf
, struct cpuid
*out
)
109 /* %ebx is a forbidden register if we compile with -fPIC or -fPIE */
110 asm volatile("movl %%ebx,%0 ; cpuid ; xchgl %%ebx,%0"
115 : "a" (leaf
), "c" (subleaf
));
122 : "a" (leaf
), "c" (subleaf
));
126 /* Read data from the drng in chunks of 128 bytes for AES scrambling */
128 #define CHUNK_SIZE (AES_BLOCK*8) /* 8 parallel streams */
129 #define RDRAND_ROUNDS 512 /* 512:1 data reduction */
131 static unsigned char iv_buf
[CHUNK_SIZE
] __attribute__((aligned(128)));
132 static int have_aesni
;
134 /* Necessary if we have RDRAND but not AES-NI */
136 #ifdef HAVE_LIBGCRYPT
138 #define MIN_GCRYPT_VERSION "1.0.0"
140 static gcry_cipher_hd_t gcry_cipher_hd
;
144 static inline int gcrypt_mangle(unsigned char *tmp
)
146 #ifdef HAVE_LIBGCRYPT
147 gcry_error_t gcry_error
;
149 /* Encrypt tmp in-place. */
151 gcry_error
= gcry_cipher_encrypt(gcry_cipher_hd
, tmp
,
152 AES_BLOCK
* RDRAND_ROUNDS
,
156 message(LOG_DAEMON
|LOG_ERR
,
157 "gcry_cipher_encrypt error: %s\n",
158 gcry_strerror(gcry_error
));
168 int xread_drng(void *buf
, size_t size
, struct rng
*ent_src
)
173 unsigned char rdrand_buf
[CHUNK_SIZE
* RDRAND_ROUNDS
]
174 __attribute__((aligned(128)));
175 unsigned int rand_bytes
;
180 rand_bytes
= have_aesni
181 ? CHUNK_SIZE
* RDRAND_ROUNDS
182 : AES_BLOCK
* RDRAND_ROUNDS
;
185 if (x86_rdrand_bytes(rdrand_buf
, rand_bytes
) != rand_bytes
) {
186 message(LOG_DAEMON
|LOG_ERR
, "read error\n");
191 * Use 128-bit AES in CBC mode to reduce the
192 * data by a factor of RDRAND_ROUNDS
195 x86_aes_mangle(rdrand_buf
, iv_buf
);
198 } else if (!gcrypt_mangle(rdrand_buf
)) {
199 data
= rdrand_buf
+ AES_BLOCK
* (RDRAND_ROUNDS
- 1);
205 chunk
= (chunk
> size
) ? size
: chunk
;
206 memcpy(p
, data
, chunk
);
214 static int init_aesni(const void *key
)
219 x86_aes_expand_key(key
);
223 static int init_gcrypt(const void *key
)
225 #ifdef HAVE_LIBGCRYPT
226 gcry_error_t gcry_error
;
228 if (!gcry_check_version(MIN_GCRYPT_VERSION
)) {
229 message(LOG_DAEMON
|LOG_ERR
,
230 "libgcrypt version mismatch: have %s, require >= %s\n",
231 gcry_check_version(NULL
), MIN_GCRYPT_VERSION
);
235 gcry_error
= gcry_cipher_open(&gcry_cipher_hd
, GCRY_CIPHER_AES128
,
236 GCRY_CIPHER_MODE_CBC
, 0);
239 gcry_error
= gcry_cipher_setkey(gcry_cipher_hd
, key
, AES_BLOCK
);
243 * Only need the first 16 bytes of iv_buf. AES-NI can
244 * encrypt multiple blocks in parallel but we can't.
246 gcry_error
= gcry_cipher_setiv(gcry_cipher_hd
, iv_buf
, AES_BLOCK
);
250 message(LOG_DAEMON
|LOG_ERR
,
251 "could not set key or IV: %s\n",
252 gcry_strerror(gcry_error
));
253 gcry_cipher_close(gcry_cipher_hd
);
264 * Confirm RDRAND capabilities for drng entropy source
266 int init_drng_entropy_source(struct rng
*ent_src
)
269 /* We need RDRAND, but AESni is optional */
270 const uint32_t features_ecx1_rdrand
= 1 << 30;
271 const uint32_t features_ecx1_aesni
= 1 << 25;
272 static unsigned char key
[AES_BLOCK
] = {
273 0x00,0x10,0x20,0x30,0x40,0x50,0x60,0x70,
274 0x80,0x90,0xa0,0xb0,0xc0,0xd0,0xe0,0xf0
275 }; /* AES data reduction key */
276 unsigned char xkey
[AES_BLOCK
]; /* Material to XOR into the key */
280 if (!x86_has_cpuid())
281 return 1; /* No CPUID instruction */
287 if (!(info
.ecx
& features_ecx1_rdrand
))
290 have_aesni
= !!(info
.ecx
& features_ecx1_aesni
);
292 /* Randomize the AES data reduction key the best we can */
293 if (x86_rdrand_bytes(xkey
, sizeof xkey
) != sizeof xkey
)
296 fd
= open("/dev/urandom", O_RDONLY
);
298 read(fd
, key
, sizeof key
);
302 for (i
= 0; i
< sizeof key
; i
++)
305 /* Initialize the IV buffer */
306 if (x86_rdrand_bytes(iv_buf
, CHUNK_SIZE
) != CHUNK_SIZE
)
309 if (init_aesni(key
) && init_gcrypt(key
))
310 return 1; /* We need one crypto or the other... */
312 src_list_add(ent_src
);
313 /* Bootstrap FIPS tests */
314 ent_src
->fipsctx
= malloc(sizeof(fips_ctx_t
));
315 fips_init(ent_src
->fipsctx
, 0);
319 #else /* Not i386 or x86-64 */
321 int init_drng_entropy_source(struct rng
*ent_src
)
327 int xread_drng(void *buf
, size_t size
, struct rng
*ent_src
)
336 #endif /* Not i386 or x86-64 */