| jitterentropy-kcapi.c (50282fd57bcd3525c9d81eef58df8718e4337c6d) | jitterentropy-kcapi.c (bb897c55042e9330bcf88b4b13cbdd6f9fabdd5e) |
|---|---|
| 1/* 2 * Non-physical true random number generator based on timing jitter -- 3 * Linux Kernel Crypto API specific code 4 * | 1/* 2 * Non-physical true random number generator based on timing jitter -- 3 * Linux Kernel Crypto API specific code 4 * |
| 5 * Copyright Stephan Mueller <smueller@chronox.de>, 2015 | 5 * Copyright Stephan Mueller <smueller@chronox.de>, 2015 - 2023 |
| 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, and the entire permission notice in its entirety, 12 * including the disclaimer of warranties. 13 * 2. Redistributions in binary form must reproduce the above copyright --- 18 unchanged lines hidden (view full) --- 32 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 33 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 34 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 36 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 37 * DAMAGE. 38 */ 39 | 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, and the entire permission notice in its entirety, 12 * including the disclaimer of warranties. 13 * 2. Redistributions in binary form must reproduce the above copyright --- 18 unchanged lines hidden (view full) --- 32 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 33 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 34 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 36 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 37 * DAMAGE. 38 */ 39 |
| 40#include <crypto/hash.h> 41#include <crypto/sha3.h> |
|
| 40#include <linux/fips.h> 41#include <linux/kernel.h> 42#include <linux/module.h> 43#include <linux/slab.h> 44#include <linux/time.h> 45#include <crypto/internal/rng.h> 46 47#include "jitterentropy.h" 48 | 42#include <linux/fips.h> 43#include <linux/kernel.h> 44#include <linux/module.h> 45#include <linux/slab.h> 46#include <linux/time.h> 47#include <crypto/internal/rng.h> 48 49#include "jitterentropy.h" 50 |
| 51#define JENT_CONDITIONING_HASH "sha3-256-generic" 52 |
|
| 49/*************************************************************************** 50 * Helper function 51 ***************************************************************************/ 52 53void *jent_zalloc(unsigned int len) 54{ 55 return kzalloc(len, GFP_KERNEL); 56} 57 58void jent_zfree(void *ptr) 59{ 60 kfree_sensitive(ptr); 61} 62 | 53/*************************************************************************** 54 * Helper function 55 ***************************************************************************/ 56 57void *jent_zalloc(unsigned int len) 58{ 59 return kzalloc(len, GFP_KERNEL); 60} 61 62void jent_zfree(void *ptr) 63{ 64 kfree_sensitive(ptr); 65} 66 |
| 63void jent_memcpy(void *dest, const void *src, unsigned int n) 64{ 65 memcpy(dest, src, n); 66} 67 | |
| 68/* 69 * Obtain a high-resolution time stamp value. The time stamp is used to measure 70 * the execution time of a given code path and its variations. Hence, the time 71 * stamp must have a sufficiently high resolution. 72 * 73 * Note, if the function returns zero because a given architecture does not 74 * implement a high-resolution time stamp, the RNG code's runtime test 75 * will detect it and will not produce output. --- 10 unchanged lines hidden (view full) --- 86 * hoping that there are timers we can work with. 87 */ 88 if (tmp == 0) 89 tmp = ktime_get_ns(); 90 91 *out = tmp; 92} 93 | 67/* 68 * Obtain a high-resolution time stamp value. The time stamp is used to measure 69 * the execution time of a given code path and its variations. Hence, the time 70 * stamp must have a sufficiently high resolution. 71 * 72 * Note, if the function returns zero because a given architecture does not 73 * implement a high-resolution time stamp, the RNG code's runtime test 74 * will detect it and will not produce output. --- 10 unchanged lines hidden (view full) --- 85 * hoping that there are timers we can work with. 86 */ 87 if (tmp == 0) 88 tmp = ktime_get_ns(); 89 90 *out = tmp; 91} 92 |
| 93int jent_hash_time(void *hash_state, __u64 time, u8 *addtl, 94 unsigned int addtl_len, __u64 hash_loop_cnt, 95 unsigned int stuck) 96{ 97 struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state; 98 SHASH_DESC_ON_STACK(desc, hash_state_desc->tfm); 99 u8 intermediary[SHA3_256_DIGEST_SIZE]; 100 __u64 j = 0; 101 int ret; 102 103 desc->tfm = hash_state_desc->tfm; 104 105 if (sizeof(intermediary) != crypto_shash_digestsize(desc->tfm)) { 106 pr_warn_ratelimited("Unexpected digest size\n"); 107 return -EINVAL; 108 } 109 110 /* 111 * This loop fills a buffer which is injected into the entropy pool. 112 * The main reason for this loop is to execute something over which we 113 * can perform a timing measurement. The injection of the resulting 114 * data into the pool is performed to ensure the result is used and 115 * the compiler cannot optimize the loop away in case the result is not 116 * used at all. Yet that data is considered "additional information" 117 * considering the terminology from SP800-90A without any entropy. 118 * 119 * Note, it does not matter which or how much data you inject, we are 120 * interested in one Keccack1600 compression operation performed with 121 * the crypto_shash_final. 122 */ 123 for (j = 0; j < hash_loop_cnt; j++) { 124 ret = crypto_shash_init(desc) ?: 125 crypto_shash_update(desc, intermediary, 126 sizeof(intermediary)) ?: 127 crypto_shash_finup(desc, addtl, addtl_len, intermediary); 128 if (ret) 129 goto err; 130 } 131 132 /* 133 * Inject the data from the previous loop into the pool. This data is 134 * not considered to contain any entropy, but it stirs the pool a bit. 135 */ 136 ret = crypto_shash_update(desc, intermediary, sizeof(intermediary)); 137 if (ret) 138 goto err; 139 140 /* 141 * Insert the time stamp into the hash context representing the pool. 142 * 143 * If the time stamp is stuck, do not finally insert the value into the 144 * entropy pool. Although this operation should not do any harm even 145 * when the time stamp has no entropy, SP800-90B requires that any 146 * conditioning operation to have an identical amount of input data 147 * according to section 3.1.5. 148 */ 149 if (!stuck) { 150 ret = crypto_shash_update(hash_state_desc, (u8 *)&time, 151 sizeof(__u64)); 152 } 153 154err: 155 shash_desc_zero(desc); 156 memzero_explicit(intermediary, sizeof(intermediary)); 157 158 return ret; 159} 160 161int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len) 162{ 163 struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state; 164 u8 jent_block[SHA3_256_DIGEST_SIZE]; 165 /* Obtain data from entropy pool and re-initialize it */ 166 int ret = crypto_shash_final(hash_state_desc, jent_block) ?: 167 crypto_shash_init(hash_state_desc) ?: 168 crypto_shash_update(hash_state_desc, jent_block, 169 sizeof(jent_block)); 170 171 if (!ret && dst_len) 172 memcpy(dst, jent_block, dst_len); 173 174 memzero_explicit(jent_block, sizeof(jent_block)); 175 return ret; 176} 177 |
|
| 94/*************************************************************************** 95 * Kernel crypto API interface 96 ***************************************************************************/ 97 98struct jitterentropy { 99 spinlock_t jent_lock; 100 struct rand_data *entropy_collector; | 178/*************************************************************************** 179 * Kernel crypto API interface 180 ***************************************************************************/ 181 182struct jitterentropy { 183 spinlock_t jent_lock; 184 struct rand_data *entropy_collector; |
| 185 struct crypto_shash *tfm; 186 struct shash_desc *sdesc; |
|
| 101}; 102 | 187}; 188 |
| 103static int jent_kcapi_init(struct crypto_tfm *tfm) | 189static void jent_kcapi_cleanup(struct crypto_tfm *tfm) |
| 104{ 105 struct jitterentropy *rng = crypto_tfm_ctx(tfm); | 190{ 191 struct jitterentropy *rng = crypto_tfm_ctx(tfm); |
| 106 int ret = 0; | |
| 107 | 192 |
| 108 rng->entropy_collector = jent_entropy_collector_alloc(1, 0); 109 if (!rng->entropy_collector) 110 ret = -ENOMEM; | 193 spin_lock(&rng->jent_lock); |
| 111 | 194 |
| 112 spin_lock_init(&rng->jent_lock); 113 return ret; 114} | 195 if (rng->sdesc) { 196 shash_desc_zero(rng->sdesc); 197 kfree(rng->sdesc); 198 } 199 rng->sdesc = NULL; |
| 115 | 200 |
| 116static void jent_kcapi_cleanup(struct crypto_tfm *tfm) 117{ 118 struct jitterentropy *rng = crypto_tfm_ctx(tfm); | 201 if (rng->tfm) 202 crypto_free_shash(rng->tfm); 203 rng->tfm = NULL; |
| 119 | 204 |
| 120 spin_lock(&rng->jent_lock); | |
| 121 if (rng->entropy_collector) 122 jent_entropy_collector_free(rng->entropy_collector); 123 rng->entropy_collector = NULL; 124 spin_unlock(&rng->jent_lock); 125} 126 | 205 if (rng->entropy_collector) 206 jent_entropy_collector_free(rng->entropy_collector); 207 rng->entropy_collector = NULL; 208 spin_unlock(&rng->jent_lock); 209} 210 |
| 211static int jent_kcapi_init(struct crypto_tfm *tfm) 212{ 213 struct jitterentropy *rng = crypto_tfm_ctx(tfm); 214 struct crypto_shash *hash; 215 struct shash_desc *sdesc; 216 int size, ret = 0; 217 218 spin_lock_init(&rng->jent_lock); 219 220 /* 221 * Use SHA3-256 as conditioner. We allocate only the generic 222 * implementation as we are not interested in high-performance. The 223 * execution time of the SHA3 operation is measured and adds to the 224 * Jitter RNG's unpredictable behavior. If we have a slower hash 225 * implementation, the execution timing variations are larger. When 226 * using a fast implementation, we would need to call it more often 227 * as its variations are lower. 228 */ 229 hash = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0); 230 if (IS_ERR(hash)) { 231 pr_err("Cannot allocate conditioning digest\n"); 232 return PTR_ERR(hash); 233 } 234 rng->tfm = hash; 235 236 size = sizeof(struct shash_desc) + crypto_shash_descsize(hash); 237 sdesc = kmalloc(size, GFP_KERNEL); 238 if (!sdesc) { 239 ret = -ENOMEM; 240 goto err; 241 } 242 243 sdesc->tfm = hash; 244 crypto_shash_init(sdesc); 245 rng->sdesc = sdesc; 246 247 rng->entropy_collector = jent_entropy_collector_alloc(1, 0, sdesc); 248 if (!rng->entropy_collector) { 249 ret = -ENOMEM; 250 goto err; 251 } 252 253 spin_lock_init(&rng->jent_lock); 254 return 0; 255 256err: 257 jent_kcapi_cleanup(tfm); 258 return ret; 259} 260 |
|
| 127static int jent_kcapi_random(struct crypto_rng *tfm, 128 const u8 *src, unsigned int slen, 129 u8 *rdata, unsigned int dlen) 130{ 131 struct jitterentropy *rng = crypto_rng_ctx(tfm); 132 int ret = 0; 133 134 spin_lock(&rng->jent_lock); --- 40 unchanged lines hidden (view full) --- 175 .base = { 176 .cra_name = "jitterentropy_rng", 177 .cra_driver_name = "jitterentropy_rng", 178 .cra_priority = 100, 179 .cra_ctxsize = sizeof(struct jitterentropy), 180 .cra_module = THIS_MODULE, 181 .cra_init = jent_kcapi_init, 182 .cra_exit = jent_kcapi_cleanup, | 261static int jent_kcapi_random(struct crypto_rng *tfm, 262 const u8 *src, unsigned int slen, 263 u8 *rdata, unsigned int dlen) 264{ 265 struct jitterentropy *rng = crypto_rng_ctx(tfm); 266 int ret = 0; 267 268 spin_lock(&rng->jent_lock); --- 40 unchanged lines hidden (view full) --- 309 .base = { 310 .cra_name = "jitterentropy_rng", 311 .cra_driver_name = "jitterentropy_rng", 312 .cra_priority = 100, 313 .cra_ctxsize = sizeof(struct jitterentropy), 314 .cra_module = THIS_MODULE, 315 .cra_init = jent_kcapi_init, 316 .cra_exit = jent_kcapi_cleanup, |
| 183 | |
| 184 } 185}; 186 187static int __init jent_mod_init(void) 188{ | 317 } 318}; 319 320static int __init jent_mod_init(void) 321{ |
| 322 SHASH_DESC_ON_STACK(desc, tfm); 323 struct crypto_shash *tfm; |
|
| 189 int ret = 0; 190 | 324 int ret = 0; 325 |
| 191 ret = jent_entropy_init(); | 326 tfm = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0); 327 if (IS_ERR(tfm)) 328 return PTR_ERR(tfm); 329 330 desc->tfm = tfm; 331 crypto_shash_init(desc); 332 ret = jent_entropy_init(desc); 333 shash_desc_zero(desc); 334 crypto_free_shash(tfm); |
| 192 if (ret) { 193 /* Handle permanent health test error */ 194 if (fips_enabled) 195 panic("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret); 196 197 pr_info("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret); 198 return -EFAULT; 199 } --- 15 unchanged lines hidden --- | 335 if (ret) { 336 /* Handle permanent health test error */ 337 if (fips_enabled) 338 panic("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret); 339 340 pr_info("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret); 341 return -EFAULT; 342 } --- 15 unchanged lines hidden --- |