xref: /freebsd/sys/dev/random/nehemiah.c (revision 884a2a699669ec61e2366e3e358342dbc94be24a) 
1 /*-
2  * Copyright (c) 2004 Mark R V Murray
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer
10  *    in this position and unchanged.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  *
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/param.h>
32 #include <sys/time.h>
33 #include <sys/lock.h>
34 #include <sys/mutex.h>
35 #include <sys/selinfo.h>
36 #include <sys/systm.h>
37 
38 #include <machine/pcb.h>
39 
40 #include <dev/random/randomdev.h>
41 
42 #define RANDOM_BLOCK_SIZE	256
43 #define CIPHER_BLOCK_SIZE	16
44 
45 static void random_nehemiah_init(void);
46 static void random_nehemiah_deinit(void);
47 static int random_nehemiah_read(void *, int);
48 
49 struct random_systat random_nehemiah = {
50 	.ident = "Hardware, VIA Nehemiah",
51 	.init = random_nehemiah_init,
52 	.deinit = random_nehemiah_deinit,
53 	.read = random_nehemiah_read,
54 	.write = (random_write_func_t *)random_null_func,
55 	.reseed = (random_reseed_func_t *)random_null_func,
56 	.seeded = 1,
57 };
58 
59 union VIA_ACE_CW {
60 	uint64_t raw;
61 	struct {
62 		u_int round_count : 4;
63 		u_int algorithm_type : 3;
64 		u_int key_generation_type : 1;
65 		u_int intermediate : 1;
66 		u_int decrypt : 1;
67 		u_int key_size : 2;
68 		u_int filler0 : 20;
69 		u_int filler1 : 32;
70 		u_int filler2 : 32;
71 		u_int filler3 : 32;
72 	} field;
73 };
74 
75 /* The extra 7 is to allow an 8-byte write on the last byte of the
76  * arrays.  The ACE wants the AES data 16-byte/128-bit aligned, and
77  * it _always_ writes n*64 bits. The RNG does not care about alignment,
78  * and it always writes n*32 bits or n*64 bits.
79  */
80 static uint8_t key[CIPHER_BLOCK_SIZE+7]	__aligned(16);
81 static uint8_t iv[CIPHER_BLOCK_SIZE+7]	__aligned(16);
82 static uint8_t in[RANDOM_BLOCK_SIZE+7]	__aligned(16);
83 static uint8_t out[RANDOM_BLOCK_SIZE+7]	__aligned(16);
84 
85 static union VIA_ACE_CW acw		__aligned(16);
86 
87 static struct fpu_kern_ctx fpu_ctx_save;
88 
89 static struct mtx random_nehemiah_mtx;
90 
91 /* ARGSUSED */
92 static __inline size_t
93 VIA_RNG_store(void *buf)
94 {
95 #ifdef __GNUCLIKE_ASM
96 	uint32_t retval = 0;
97 	uint32_t rate = 0;
98 
99 	/* The .byte line is really VIA C3 "xstore" instruction */
100 	__asm __volatile(
101 		"movl	$0,%%edx		\n\t"
102 		".byte	0x0f, 0xa7, 0xc0"
103 			: "=a" (retval), "+d" (rate), "+D" (buf)
104 			:
105 			: "memory"
106 	);
107 	if (rate == 0)
108 		return (retval&0x1f);
109 #endif
110 	return (0);
111 }
112 
113 /* ARGSUSED */
114 static __inline void
115 VIA_ACE_cbc(void *in, void *out, size_t count, void *key, union VIA_ACE_CW *cw, void *iv)
116 {
117 #ifdef __GNUCLIKE_ASM
118 	/* The .byte line is really VIA C3 "xcrypt-cbc" instruction */
119 	__asm __volatile(
120 		"pushf				\n\t"
121 		"popf				\n\t"
122 		"rep				\n\t"
123 		".byte	0x0f, 0xa7, 0xc8"
124 			: "+a" (iv), "+c" (count), "+D" (out), "+S" (in)
125 			: "b" (key), "d" (cw)
126 			: "cc", "memory"
127 		);
128 #endif
129 }
130 
131 static void
132 random_nehemiah_init(void)
133 {
134 	acw.raw = 0ULL;
135 	acw.field.round_count = 12;
136 
137 	mtx_init(&random_nehemiah_mtx, "random nehemiah", NULL, MTX_DEF);
138 }
139 
140 void
141 random_nehemiah_deinit(void)
142 {
143 	mtx_destroy(&random_nehemiah_mtx);
144 }
145 
146 static int
147 random_nehemiah_read(void *buf, int c)
148 {
149 	int i, error;
150 	size_t count, ret;
151 	uint8_t *p;
152 
153 	mtx_lock(&random_nehemiah_mtx);
154 	error = fpu_kern_enter(curthread, &fpu_ctx_save, FPU_KERN_NORMAL);
155 	if (error != 0) {
156 		mtx_unlock(&random_nehemiah_mtx);
157 		return (0);
158 	}
159 
160 	/* Get a random AES key */
161 	count = 0;
162 	p = key;
163 	do {
164 		ret = VIA_RNG_store(p);
165 		p += ret;
166 		count += ret;
167 	} while (count < CIPHER_BLOCK_SIZE);
168 
169 	/* Get a random AES IV */
170 	count = 0;
171 	p = iv;
172 	do {
173 		ret = VIA_RNG_store(p);
174 		p += ret;
175 		count += ret;
176 	} while (count < CIPHER_BLOCK_SIZE);
177 
178 	/* Get a block of random bytes */
179 	count = 0;
180 	p = in;
181 	do {
182 		ret = VIA_RNG_store(p);
183 		p += ret;
184 		count += ret;
185 	} while (count < RANDOM_BLOCK_SIZE);
186 
187 	/* This is a Davies-Meyer hash of the most paranoid variety; the
188 	 * key, IV and the data are all read directly from the hardware RNG.
189 	 * All of these are used precisely once.
190 	 */
191 	VIA_ACE_cbc(in, out, RANDOM_BLOCK_SIZE/CIPHER_BLOCK_SIZE,
192 	    key, &acw, iv);
193 	for (i = 0; i < RANDOM_BLOCK_SIZE; i++)
194 		out[i] ^= in[i];
195 
196 	c = MIN(RANDOM_BLOCK_SIZE, c);
197 	memcpy(buf, out, (size_t)c);
198 
199 	fpu_kern_leave(curthread, &fpu_ctx_save);
200 	mtx_unlock(&random_nehemiah_mtx);
201 	return (c);
202 }
203