xref: /freebsd/sys/dev/random/nehemiah.c (revision 2546665afcaf0d53dc2c7058fee96354b3680f5a) 
1 /*-
2  * Copyright (c) 2004 Mark R V Murray
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer
10  *    in this position and unchanged.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  *
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/param.h>
32 #include <sys/time.h>
33 #include <sys/lock.h>
34 #include <sys/mutex.h>
35 #include <sys/selinfo.h>
36 #include <sys/systm.h>
37 
38 #include <dev/random/randomdev.h>
39 
40 #define RANDOM_BLOCK_SIZE	256
41 #define CIPHER_BLOCK_SIZE	16
42 
43 static void random_nehemiah_init(void);
44 static int random_nehemiah_read(void *, int);
45 
46 struct random_systat random_nehemiah = {
47 	.ident = "Hardware, VIA Nehemiah",
48 	.init = random_nehemiah_init,
49 	.deinit = (random_deinit_func_t *)random_null_func,
50 	.read = random_nehemiah_read,
51 	.write = (random_write_func_t *)random_null_func,
52 	.reseed = (random_reseed_func_t *)random_null_func,
53 	.seeded = 1,
54 };
55 
56 union VIA_ACE_CW {
57 	uint64_t raw;
58 	struct {
59 		u_int round_count : 4;
60 		u_int algorithm_type : 3;
61 		u_int key_generation_type : 1;
62 		u_int intermediate : 1;
63 		u_int decrypt : 1;
64 		u_int key_size : 2;
65 		u_int filler0 : 20;
66 		u_int filler1 : 32;
67 		u_int filler2 : 32;
68 		u_int filler3 : 32;
69 	} field;
70 };
71 
72 /* The extra 7 is to allow an 8-byte write on the last byte of the
73  * arrays.  The ACE wants the AES data 16-byte/128-bit aligned, and
74  * it _always_ writes n*64 bits. The RNG does not care about alignment,
75  * and it always writes n*32 bits or n*64 bits.
76  */
77 static uint8_t key[CIPHER_BLOCK_SIZE+7]	__aligned(16);
78 static uint8_t iv[CIPHER_BLOCK_SIZE+7]	__aligned(16);
79 static uint8_t in[RANDOM_BLOCK_SIZE+7]	__aligned(16);
80 static uint8_t out[RANDOM_BLOCK_SIZE+7]	__aligned(16);
81 
82 static union VIA_ACE_CW acw		__aligned(16);
83 
84 /* ARGSUSED */
85 static __inline size_t
86 VIA_RNG_store(void *buf)
87 {
88 #if defined(__GNUC__) || defined(__INTEL_COMPILER)
89 	uint32_t retval = 0;
90 	uint32_t rate = 0;
91 
92 	/* The .byte line is really VIA C3 "xstore" instruction */
93 	__asm __volatile(
94 		"movl	$0,%%edx		\n\t"
95 		".byte	0x0f, 0xa7, 0xc0"
96 			: "=a" (retval), "+d" (rate), "+D" (buf)
97 			:
98 			: "memory"
99 	);
100 	if (rate == 0)
101 		return (retval&0x1f);
102 #endif
103 	return (0);
104 }
105 
106 /* ARGSUSED */
107 static __inline void
108 VIA_ACE_cbc(void *in, void *out, size_t count, void *key, union VIA_ACE_CW *cw, void *iv)
109 {
110 #if defined(__GNUC__) || defined(__INTEL_COMPILER)
111 	/* The .byte line is really VIA C3 "xcrypt-cbc" instruction */
112 	__asm __volatile(
113 		"pushf				\n\t"
114 		"popf				\n\t"
115 		"rep				\n\t"
116 		".byte	0x0f, 0xa7, 0xc8"
117 			: "+a" (iv), "+c" (count), "+D" (out), "+S" (in)
118 			: "b" (key), "d" (cw)
119 			: "cc", "memory"
120 		);
121 #endif
122 }
123 
124 static void
125 random_nehemiah_init(void)
126 {
127 	acw.raw = 0ULL;
128 	acw.field.round_count = 12;
129 }
130 
131 static int
132 random_nehemiah_read(void *buf, int c)
133 {
134 	int i;
135 	size_t count, ret;
136 	uint8_t *p;
137 
138 	/* Get a random AES key */
139 	count = 0;
140 	p = key;
141 	do {
142 		ret = VIA_RNG_store(p);
143 		p += ret;
144 		count += ret;
145 	} while (count < CIPHER_BLOCK_SIZE);
146 
147 	/* Get a random AES IV */
148 	count = 0;
149 	p = iv;
150 	do {
151 		ret = VIA_RNG_store(p);
152 		p += ret;
153 		count += ret;
154 	} while (count < CIPHER_BLOCK_SIZE);
155 
156 	/* Get a block of random bytes */
157 	count = 0;
158 	p = in;
159 	do {
160 		ret = VIA_RNG_store(p);
161 		p += ret;
162 		count += ret;
163 	} while (count < RANDOM_BLOCK_SIZE);
164 
165 	/* This is a Davies-Meyer hash of the most paranoid variety; the
166 	 * key, IV and the data are all read directly from the hardware RNG.
167 	 * All of these are used precisely once.
168 	 */
169 	VIA_ACE_cbc(in, out, RANDOM_BLOCK_SIZE/CIPHER_BLOCK_SIZE,
170 	    key, &acw, iv);
171 	for (i = 0; i < RANDOM_BLOCK_SIZE; i++)
172 		out[i] ^= in[i];
173 
174 	c = MIN(RANDOM_BLOCK_SIZE, c);
175 	memcpy(buf, out, (size_t)c);
176 
177 	return (c);
178 }
179