1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * Software based random number provider for the Kernel Cryptographic 28 * Framework (KCF). This provider periodically collects unpredictable input 29 * from external sources and processes it into a pool of entropy (randomness) 30 * in order to satisfy requests for random bits from kCF. It implements 31 * software-based mixing, extraction, and generation algorithms. 32 * 33 * A history note: The software-based algorithms in this file used to be 34 * part of the /dev/random driver. 35 */ 36 37 #include <sys/types.h> 38 #include <sys/errno.h> 39 #include <sys/debug.h> 40 #include <vm/seg_kmem.h> 41 #include <vm/hat.h> 42 #include <sys/systm.h> 43 #include <sys/memlist.h> 44 #include <sys/cmn_err.h> 45 #include <sys/ksynch.h> 46 #include <sys/random.h> 47 #include <sys/ddi.h> 48 #include <sys/mman.h> 49 #include <sys/sysmacros.h> 50 #include <sys/mem_config.h> 51 #include <sys/time.h> 52 #include <sys/crypto/spi.h> 53 #include <sys/sha1.h> 54 #include <sys/sunddi.h> 55 #include <sys/modctl.h> 56 #include <sys/hold_page.h> 57 #include <rng/fips_random.h> 58 59 #define RNDPOOLSIZE 1024 /* Pool size in bytes */ 60 #define HASHBUFSIZE 64 /* Buffer size used for pool mixing */ 61 #define MAXMEMBLOCKS 16384 /* Number of memory blocks to scan */ 62 #define MEMBLOCKSIZE 4096 /* Size of memory block to read */ 63 #define MINEXTRACTBITS 160 /* Min entropy level for extraction */ 64 #define TIMEOUT_INTERVAL 5 /* Periodic mixing interval in secs */ 65 66 /* Hash-algo generic definitions. For now, they are SHA1's. */ 67 #define HASHSIZE 20 68 #define HASH_CTX SHA1_CTX 69 #define HashInit(ctx) SHA1Init((ctx)) 70 #define HashUpdate(ctx, p, s) SHA1Update((ctx), (p), (s)) 71 #define HashFinal(d, ctx) SHA1Final((d), (ctx)) 72 73 /* Physical memory entropy source */ 74 typedef struct physmem_entsrc_s { 75 uint8_t *parity; /* parity bit vector */ 76 caddr_t pmbuf; /* buffer for memory block */ 77 uint32_t nblocks; /* number of memory blocks */ 78 int entperblock; /* entropy bits per block read */ 79 hrtime_t last_diff; /* previous time to process a block */ 80 hrtime_t last_delta; /* previous time delta */ 81 hrtime_t last_delta2; /* previous 2nd order time delta */ 82 } physmem_entsrc_t; 83 84 static uint32_t srndpool[RNDPOOLSIZE/4]; /* Pool of random bits */ 85 static uint32_t buffer[RNDPOOLSIZE/4]; /* entropy mixed in later */ 86 static int buffer_bytes; /* bytes written to buffer */ 87 static uint32_t entropy_bits; /* pool's current amount of entropy */ 88 static kmutex_t srndpool_lock; /* protects r/w accesses to the pool, */ 89 /* and the global variables */ 90 static kmutex_t buffer_lock; /* protects r/w accesses to buffer */ 91 static kcondvar_t srndpool_read_cv; /* serializes poll/read syscalls */ 92 static int pindex; /* Global index for adding/extracting */ 93 /* from the pool */ 94 static int bstart, bindex; /* Global vars for adding/extracting */ 95 /* from the buffer */ 96 static uint8_t leftover[HASHSIZE]; /* leftover output */ 97 static uint32_t swrand_XKEY[6]; /* one extra word for getentropy */ 98 static int leftover_bytes; /* leftover length */ 99 static uint32_t previous_bytes[HASHSIZE/BYTES_IN_WORD]; /* prev random bytes */ 100 101 static physmem_entsrc_t entsrc; /* Physical mem as an entropy source */ 102 static timeout_id_t rnd_timeout_id; 103 static int snum_waiters; 104 static crypto_kcf_provider_handle_t swrand_prov_handle = 0; 105 swrand_stats_t swrand_stats; 106 107 static int physmem_ent_init(physmem_entsrc_t *); 108 static void physmem_ent_fini(physmem_entsrc_t *); 109 static void physmem_ent_gen(physmem_entsrc_t *); 110 static int physmem_parity_update(uint8_t *, uint32_t, int); 111 static void physmem_count_blocks(); 112 static void rnd_dr_callback_post_add(void *, pgcnt_t); 113 static int rnd_dr_callback_pre_del(void *, pgcnt_t); 114 static void rnd_dr_callback_post_del(void *, pgcnt_t, int); 115 static void rnd_handler(void *arg); 116 static void swrand_init(); 117 static void swrand_schedule_timeout(void); 118 static int swrand_get_entropy(uint8_t *ptr, size_t len, boolean_t); 119 static void swrand_add_entropy(uint8_t *ptr, size_t len, uint16_t entropy_est); 120 static void swrand_add_entropy_later(uint8_t *ptr, size_t len); 121 122 /* Dynamic Reconfiguration related declarations */ 123 kphysm_setup_vector_t rnd_dr_callback_vec = { 124 KPHYSM_SETUP_VECTOR_VERSION, 125 rnd_dr_callback_post_add, 126 rnd_dr_callback_pre_del, 127 rnd_dr_callback_post_del 128 }; 129 130 extern struct mod_ops mod_cryptoops; 131 132 /* 133 * Module linkage information for the kernel. 134 */ 135 static struct modlcrypto modlcrypto = { 136 &mod_cryptoops, 137 "Kernel Random number Provider" 138 }; 139 140 static struct modlinkage modlinkage = { 141 MODREV_1, 142 (void *)&modlcrypto, 143 NULL 144 }; 145 146 /* 147 * CSPI information (entry points, provider info, etc.) 148 */ 149 static void swrand_provider_status(crypto_provider_handle_t, uint_t *); 150 151 static crypto_control_ops_t swrand_control_ops = { 152 swrand_provider_status 153 }; 154 155 static int swrand_seed_random(crypto_provider_handle_t, crypto_session_id_t, 156 uchar_t *, size_t, uint_t, uint32_t, crypto_req_handle_t); 157 static int swrand_generate_random(crypto_provider_handle_t, 158 crypto_session_id_t, uchar_t *, size_t, crypto_req_handle_t); 159 160 static crypto_random_number_ops_t swrand_random_number_ops = { 161 swrand_seed_random, 162 swrand_generate_random 163 }; 164 165 static crypto_ops_t swrand_crypto_ops = { 166 &swrand_control_ops, 167 NULL, 168 NULL, 169 NULL, 170 NULL, 171 NULL, 172 NULL, 173 NULL, 174 &swrand_random_number_ops, 175 NULL, 176 NULL, 177 NULL, 178 NULL, 179 NULL, 180 NULL, 181 NULL, 182 NULL, 183 }; 184 185 static crypto_provider_info_t swrand_prov_info = { 186 CRYPTO_SPI_VERSION_4, 187 "Kernel Random Number Provider", 188 CRYPTO_SW_PROVIDER, 189 {&modlinkage}, 190 NULL, 191 &swrand_crypto_ops, 192 0, 193 NULL 194 }; 195 196 int 197 _init(void) 198 { 199 int ret; 200 hrtime_t ts; 201 time_t now; 202 203 mutex_init(&srndpool_lock, NULL, MUTEX_DEFAULT, NULL); 204 mutex_init(&buffer_lock, NULL, MUTEX_DEFAULT, NULL); 205 cv_init(&srndpool_read_cv, NULL, CV_DEFAULT, NULL); 206 entropy_bits = 0; 207 pindex = 0; 208 bindex = 0; 209 bstart = 0; 210 snum_waiters = 0; 211 leftover_bytes = 0; 212 buffer_bytes = 0; 213 214 /* 215 * Initialize the pool using 216 * . 2 unpredictable times: high resolution time since the boot-time, 217 * and the current time-of-the day. 218 * . The initial physical memory state. 219 */ 220 ts = gethrtime(); 221 swrand_add_entropy((uint8_t *)&ts, sizeof (ts), 0); 222 223 (void) drv_getparm(TIME, &now); 224 swrand_add_entropy((uint8_t *)&now, sizeof (now), 0); 225 226 ret = kphysm_setup_func_register(&rnd_dr_callback_vec, NULL); 227 ASSERT(ret == 0); 228 229 if (physmem_ent_init(&entsrc) != 0) { 230 ret = ENOMEM; 231 goto exit1; 232 } 233 234 if ((ret = mod_install(&modlinkage)) != 0) 235 goto exit2; 236 237 /* Schedule periodic mixing of the pool. */ 238 mutex_enter(&srndpool_lock); 239 swrand_schedule_timeout(); 240 mutex_exit(&srndpool_lock); 241 (void) swrand_get_entropy((uint8_t *)swrand_XKEY, HASHSIZE, B_TRUE); 242 bcopy(swrand_XKEY, previous_bytes, HASHSIZE); 243 244 /* Register with KCF. If the registration fails, return error. */ 245 if (crypto_register_provider(&swrand_prov_info, &swrand_prov_handle)) { 246 (void) mod_remove(&modlinkage); 247 ret = EACCES; 248 goto exit2; 249 } 250 251 return (0); 252 253 exit2: 254 physmem_ent_fini(&entsrc); 255 exit1: 256 mutex_destroy(&srndpool_lock); 257 mutex_destroy(&buffer_lock); 258 cv_destroy(&srndpool_read_cv); 259 return (ret); 260 } 261 262 int 263 _info(struct modinfo *modinfop) 264 { 265 return (mod_info(&modlinkage, modinfop)); 266 } 267 268 /* 269 * Control entry points. 270 */ 271 /* ARGSUSED */ 272 static void 273 swrand_provider_status(crypto_provider_handle_t provider, uint_t *status) 274 { 275 *status = CRYPTO_PROVIDER_READY; 276 } 277 278 /* 279 * Random number entry points. 280 */ 281 /* ARGSUSED */ 282 static int 283 swrand_seed_random(crypto_provider_handle_t provider, crypto_session_id_t sid, 284 uchar_t *buf, size_t len, uint_t entropy_est, uint32_t flags, 285 crypto_req_handle_t req) 286 { 287 /* The entropy estimate is always 0 in this path */ 288 if (flags & CRYPTO_SEED_NOW) 289 swrand_add_entropy(buf, len, 0); 290 else 291 swrand_add_entropy_later(buf, len); 292 return (CRYPTO_SUCCESS); 293 } 294 295 /* ARGSUSED */ 296 static int 297 swrand_generate_random(crypto_provider_handle_t provider, 298 crypto_session_id_t sid, uchar_t *buf, size_t len, crypto_req_handle_t req) 299 { 300 if (crypto_kmflag(req) == KM_NOSLEEP) 301 (void) swrand_get_entropy(buf, len, B_TRUE); 302 else 303 (void) swrand_get_entropy(buf, len, B_FALSE); 304 305 return (CRYPTO_SUCCESS); 306 } 307 308 /* 309 * Extraction of entropy from the pool. 310 * 311 * Returns "len" random bytes in *ptr. 312 * Try to gather some more entropy by calling physmem_ent_gen() when less than 313 * MINEXTRACTBITS are present in the pool. 314 * Will block if not enough entropy was available and the call is blocking. 315 */ 316 static int 317 swrand_get_entropy(uint8_t *ptr, size_t len, boolean_t nonblock) 318 { 319 int i, bytes; 320 HASH_CTX hashctx; 321 uint8_t digest[HASHSIZE], *pool; 322 uint32_t tempout[HASHSIZE/BYTES_IN_WORD]; 323 int size; 324 325 mutex_enter(&srndpool_lock); 326 if (leftover_bytes > 0) { 327 bytes = min(len, leftover_bytes); 328 bcopy(leftover, ptr, bytes); 329 len -= bytes; 330 ptr += bytes; 331 leftover_bytes -= bytes; 332 if (leftover_bytes > 0) 333 ovbcopy(leftover+bytes, leftover, leftover_bytes); 334 } 335 336 while (len > 0) { 337 /* Check if there is enough entropy */ 338 while (entropy_bits < MINEXTRACTBITS) { 339 340 physmem_ent_gen(&entsrc); 341 342 if (entropy_bits < MINEXTRACTBITS && 343 nonblock == B_TRUE) { 344 mutex_exit(&srndpool_lock); 345 return (EAGAIN); 346 } 347 348 if (entropy_bits < MINEXTRACTBITS) { 349 ASSERT(nonblock == B_FALSE); 350 snum_waiters++; 351 if (cv_wait_sig(&srndpool_read_cv, 352 &srndpool_lock) == 0) { 353 snum_waiters--; 354 mutex_exit(&srndpool_lock); 355 return (EINTR); 356 } 357 snum_waiters--; 358 } 359 } 360 361 /* Figure out how many bytes to extract */ 362 bytes = min(HASHSIZE, len); 363 bytes = min(bytes, CRYPTO_BITS2BYTES(entropy_bits)); 364 entropy_bits -= CRYPTO_BYTES2BITS(bytes); 365 BUMP_SWRAND_STATS(ss_entOut, CRYPTO_BYTES2BITS(bytes)); 366 swrand_stats.ss_entEst = entropy_bits; 367 368 /* Extract entropy by hashing pool content */ 369 HashInit(&hashctx); 370 HashUpdate(&hashctx, (uint8_t *)srndpool, RNDPOOLSIZE); 371 HashFinal(digest, &hashctx); 372 373 /* 374 * Feed the digest back into the pool so next 375 * extraction produces different result 376 */ 377 pool = (uint8_t *)srndpool; 378 for (i = 0; i < HASHSIZE; i++) { 379 pool[pindex++] ^= digest[i]; 380 /* pindex modulo RNDPOOLSIZE */ 381 pindex &= (RNDPOOLSIZE - 1); 382 } 383 384 /* LINTED E_BAD_PTR_CAST_ALIGN */ 385 fips_random_inner(swrand_XKEY, tempout, (uint32_t *)digest); 386 387 if (len >= HASHSIZE) { 388 size = HASHSIZE; 389 } else { 390 size = min(bytes, HASHSIZE); 391 } 392 393 /* 394 * FIPS 140-2: Continuous RNG test - each generation 395 * of an n-bit block shall be compared with the previously 396 * generated block. Test shall fail if any two compared 397 * n-bit blocks are equal. 398 */ 399 for (i = 0; i < HASHSIZE/BYTES_IN_WORD; i++) { 400 if (tempout[i] != previous_bytes[i]) 401 break; 402 } 403 404 if (i == HASHSIZE/BYTES_IN_WORD) { 405 cmn_err(CE_WARN, "swrand: The value of 160-bit block " 406 "random bytes are same as the previous one.\n"); 407 /* discard random bytes and return error */ 408 return (EIO); 409 } 410 411 bcopy(tempout, previous_bytes, HASHSIZE); 412 413 bcopy(tempout, ptr, size); 414 if (len < HASHSIZE) { 415 leftover_bytes = HASHSIZE - bytes; 416 bcopy((uint8_t *)tempout + bytes, leftover, 417 leftover_bytes); 418 } 419 420 ptr += size; 421 len -= size; 422 BUMP_SWRAND_STATS(ss_bytesOut, size); 423 } 424 425 /* Zero out sensitive information */ 426 bzero(digest, HASHSIZE); 427 bzero(tempout, HASHSIZE); 428 mutex_exit(&srndpool_lock); 429 return (0); 430 } 431 432 #define SWRAND_ADD_BYTES(ptr, len, i, pool) \ 433 ASSERT((ptr) != NULL && (len) > 0); \ 434 BUMP_SWRAND_STATS(ss_bytesIn, (len)); \ 435 while ((len)--) { \ 436 (pool)[(i)++] ^= *(ptr); \ 437 (ptr)++; \ 438 (i) &= (RNDPOOLSIZE - 1); \ 439 } 440 441 /* Write some more user-provided entropy to the pool */ 442 static void 443 swrand_add_bytes(uint8_t *ptr, size_t len) 444 { 445 uint8_t *pool = (uint8_t *)srndpool; 446 447 ASSERT(MUTEX_HELD(&srndpool_lock)); 448 SWRAND_ADD_BYTES(ptr, len, pindex, pool); 449 } 450 451 /* 452 * Add bytes to buffer. Adding the buffer to the random pool 453 * is deferred until the random pool is mixed. 454 */ 455 static void 456 swrand_add_bytes_later(uint8_t *ptr, size_t len) 457 { 458 uint8_t *pool = (uint8_t *)buffer; 459 460 ASSERT(MUTEX_HELD(&buffer_lock)); 461 SWRAND_ADD_BYTES(ptr, len, bindex, pool); 462 buffer_bytes += len; 463 } 464 465 #undef SWRAND_ADD_BYTES 466 467 /* Mix the pool */ 468 static void 469 swrand_mix_pool(uint16_t entropy_est) 470 { 471 int i, j, k, start; 472 HASH_CTX hashctx; 473 uint8_t digest[HASHSIZE]; 474 uint8_t *pool = (uint8_t *)srndpool; 475 uint8_t *bp = (uint8_t *)buffer; 476 477 ASSERT(MUTEX_HELD(&srndpool_lock)); 478 479 /* add deferred bytes */ 480 mutex_enter(&buffer_lock); 481 if (buffer_bytes > 0) { 482 if (buffer_bytes >= RNDPOOLSIZE) { 483 for (i = 0; i < RNDPOOLSIZE/4; i++) { 484 srndpool[i] ^= buffer[i]; 485 buffer[i] = 0; 486 } 487 bstart = bindex = 0; 488 } else { 489 for (i = 0; i < buffer_bytes; i++) { 490 pool[pindex++] ^= bp[bstart]; 491 bp[bstart++] = 0; 492 pindex &= (RNDPOOLSIZE - 1); 493 bstart &= (RNDPOOLSIZE - 1); 494 } 495 ASSERT(bstart == bindex); 496 } 497 buffer_bytes = 0; 498 } 499 mutex_exit(&buffer_lock); 500 501 start = 0; 502 for (i = 0; i < RNDPOOLSIZE/HASHSIZE + 1; i++) { 503 HashInit(&hashctx); 504 505 /* Hash a buffer centered on a block in the pool */ 506 if (start + HASHBUFSIZE <= RNDPOOLSIZE) 507 HashUpdate(&hashctx, &pool[start], HASHBUFSIZE); 508 else { 509 HashUpdate(&hashctx, &pool[start], 510 RNDPOOLSIZE - start); 511 HashUpdate(&hashctx, pool, 512 HASHBUFSIZE - RNDPOOLSIZE + start); 513 } 514 HashFinal(digest, &hashctx); 515 516 /* XOR the hash result back into the block */ 517 k = (start + HASHSIZE) & (RNDPOOLSIZE - 1); 518 for (j = 0; j < HASHSIZE; j++) { 519 pool[k++] ^= digest[j]; 520 k &= (RNDPOOLSIZE - 1); 521 } 522 523 /* Slide the hash buffer and repeat with next block */ 524 start = (start + HASHSIZE) & (RNDPOOLSIZE - 1); 525 } 526 527 entropy_bits += entropy_est; 528 if (entropy_bits > CRYPTO_BYTES2BITS(RNDPOOLSIZE)) 529 entropy_bits = CRYPTO_BYTES2BITS(RNDPOOLSIZE); 530 531 swrand_stats.ss_entEst = entropy_bits; 532 BUMP_SWRAND_STATS(ss_entIn, entropy_est); 533 } 534 535 static void 536 swrand_add_entropy_later(uint8_t *ptr, size_t len) 537 { 538 mutex_enter(&buffer_lock); 539 swrand_add_bytes_later(ptr, len); 540 mutex_exit(&buffer_lock); 541 } 542 543 static void 544 swrand_add_entropy(uint8_t *ptr, size_t len, uint16_t entropy_est) 545 { 546 mutex_enter(&srndpool_lock); 547 swrand_add_bytes(ptr, len); 548 swrand_mix_pool(entropy_est); 549 mutex_exit(&srndpool_lock); 550 } 551 552 /* 553 * The physmem_* routines below generate entropy by reading blocks of 554 * physical memory. Entropy is gathered in a couple of ways: 555 * 556 * - By reading blocks of physical memory and detecting if changes 557 * occurred in the blocks read. 558 * 559 * - By measuring the time it takes to load and hash a block of memory 560 * and computing the differences in the measured time. 561 * 562 * The first method was used in the CryptoRand implementation. Physical 563 * memory is divided into blocks of fixed size. A block of memory is 564 * chosen from the possible blocks and hashed to produce a digest. This 565 * digest is then mixed into the pool. A single bit from the digest is 566 * used as a parity bit or "checksum" and compared against the previous 567 * "checksum" computed for the block. If the single-bit checksum has not 568 * changed, no entropy is credited to the pool. If there is a change, 569 * then the assumption is that at least one bit in the block has changed. 570 * The possible locations within the memory block of where the bit change 571 * occurred is used as a measure of entropy. For example, if a block 572 * size of 4096 bytes is used, about log_2(4096*8)=15 bits worth of 573 * entropy is available. Because the single-bit checksum will miss half 574 * of the changes, the amount of entropy credited to the pool is doubled 575 * when a change is detected. With a 4096 byte block size, a block 576 * change will add a total of 30 bits of entropy to the pool. 577 * 578 * The second method measures the amount of time it takes to read and 579 * hash a physical memory block (as described above). The time measured 580 * can vary depending on system load, scheduling and other factors. 581 * Differences between consecutive measurements are computed to come up 582 * with an entropy estimate. The first, second, and third order delta is 583 * calculated to determine the minimum delta value. The number of bits 584 * present in this minimum delta value is the entropy estimate. This 585 * entropy estimation technique using time deltas is similar to that used 586 * in /dev/random implementations from Linux/BSD. 587 */ 588 589 static int 590 physmem_ent_init(physmem_entsrc_t *entsrc) 591 { 592 uint8_t *ptr; 593 int i; 594 595 bzero(entsrc, sizeof (*entsrc)); 596 597 /* 598 * The maximum entropy amount in bits per block of memory read is 599 * log_2(MEMBLOCKSIZE * 8); 600 */ 601 i = CRYPTO_BYTES2BITS(MEMBLOCKSIZE); 602 while (i >>= 1) 603 entsrc->entperblock++; 604 605 /* Initialize entsrc->nblocks */ 606 physmem_count_blocks(); 607 608 if (entsrc->nblocks == 0) { 609 cmn_err(CE_WARN, "no memory blocks to scan!"); 610 return (-1); 611 } 612 613 /* Allocate space for the parity vector and memory page */ 614 entsrc->parity = kmem_alloc(howmany(entsrc->nblocks, 8), 615 KM_SLEEP); 616 entsrc->pmbuf = vmem_alloc(heap_arena, PAGESIZE, VM_SLEEP); 617 618 619 /* Initialize parity vector with bits from the pool */ 620 i = howmany(entsrc->nblocks, 8); 621 ptr = entsrc->parity; 622 while (i > 0) { 623 if (i > RNDPOOLSIZE) { 624 bcopy(srndpool, ptr, RNDPOOLSIZE); 625 mutex_enter(&srndpool_lock); 626 swrand_mix_pool(0); 627 mutex_exit(&srndpool_lock); 628 ptr += RNDPOOLSIZE; 629 i -= RNDPOOLSIZE; 630 } else { 631 bcopy(srndpool, ptr, i); 632 break; 633 } 634 } 635 636 /* Generate some entropy to further initialize the pool */ 637 mutex_enter(&srndpool_lock); 638 physmem_ent_gen(entsrc); 639 entropy_bits = 0; 640 mutex_exit(&srndpool_lock); 641 642 return (0); 643 } 644 645 static void 646 physmem_ent_fini(physmem_entsrc_t *entsrc) 647 { 648 if (entsrc->pmbuf != NULL) 649 vmem_free(heap_arena, entsrc->pmbuf, PAGESIZE); 650 if (entsrc->parity != NULL) 651 kmem_free(entsrc->parity, howmany(entsrc->nblocks, 8)); 652 bzero(entsrc, sizeof (*entsrc)); 653 } 654 655 static void 656 physmem_ent_gen(physmem_entsrc_t *entsrc) 657 { 658 struct memlist *pmem; 659 offset_t offset, poffset; 660 pfn_t pfn; 661 int i, nbytes, len, ent = 0; 662 uint32_t block, oblock; 663 hrtime_t ts1, ts2, diff, delta, delta2, delta3; 664 uint8_t digest[HASHSIZE]; 665 HASH_CTX ctx; 666 page_t *pp; 667 668 /* 669 * Use each 32-bit quantity in the pool to pick a memory 670 * block to read. 671 */ 672 for (i = 0; i < RNDPOOLSIZE/4; i++) { 673 674 /* If the pool is "full", stop after one block */ 675 if (entropy_bits + ent >= CRYPTO_BYTES2BITS(RNDPOOLSIZE)) { 676 if (i > 0) 677 break; 678 } 679 680 /* 681 * This lock protects reading of phys_install. 682 * Any changes to this list, by DR, are done while 683 * holding this lock. So, holding this lock is sufficient 684 * to handle DR also. 685 */ 686 memlist_read_lock(); 687 688 /* We're left with less than 4K of memory after DR */ 689 ASSERT(entsrc->nblocks > 0); 690 691 /* Pick a memory block to read */ 692 block = oblock = srndpool[i] % entsrc->nblocks; 693 694 for (pmem = phys_install; pmem != NULL; pmem = pmem->ml_next) { 695 if (block < pmem->ml_size / MEMBLOCKSIZE) 696 break; 697 block -= pmem->ml_size / MEMBLOCKSIZE; 698 } 699 700 ASSERT(pmem != NULL); 701 702 offset = pmem->ml_address + block * MEMBLOCKSIZE; 703 704 if (!address_in_memlist(phys_install, offset, MEMBLOCKSIZE)) { 705 memlist_read_unlock(); 706 continue; 707 } 708 709 /* 710 * Do an initial check to see if the address is safe 711 */ 712 if (plat_hold_page(offset >> PAGESHIFT, PLAT_HOLD_NO_LOCK, NULL) 713 == PLAT_HOLD_FAIL) { 714 memlist_read_unlock(); 715 continue; 716 } 717 718 /* 719 * Figure out which page to load to read the 720 * memory block. Load the page and compute the 721 * hash of the memory block. 722 */ 723 len = MEMBLOCKSIZE; 724 ts1 = gethrtime(); 725 HashInit(&ctx); 726 while (len) { 727 pfn = offset >> PAGESHIFT; 728 poffset = offset & PAGEOFFSET; 729 nbytes = PAGESIZE - poffset < len ? 730 PAGESIZE - poffset : len; 731 732 /* 733 * Re-check the offset, and lock the frame. If the 734 * page was given away after the above check, we'll 735 * just bail out. 736 */ 737 if (plat_hold_page(pfn, PLAT_HOLD_LOCK, &pp) == 738 PLAT_HOLD_FAIL) 739 break; 740 741 hat_devload(kas.a_hat, entsrc->pmbuf, 742 PAGESIZE, pfn, PROT_READ, 743 HAT_LOAD_NOCONSIST | HAT_LOAD_LOCK); 744 745 HashUpdate(&ctx, (uint8_t *)entsrc->pmbuf + poffset, 746 nbytes); 747 748 hat_unload(kas.a_hat, entsrc->pmbuf, PAGESIZE, 749 HAT_UNLOAD_UNLOCK); 750 751 plat_release_page(pp); 752 753 len -= nbytes; 754 offset += nbytes; 755 } 756 /* We got our pages. Let the DR roll */ 757 memlist_read_unlock(); 758 759 /* See if we had to bail out due to a page being given away */ 760 if (len) 761 continue; 762 763 HashFinal(digest, &ctx); 764 ts2 = gethrtime(); 765 766 /* 767 * Compute the time it took to load and hash the 768 * block and compare it against the previous 769 * measurement. The delta of the time values 770 * provides a small amount of entropy. The 771 * minimum of the first, second, and third order 772 * delta is used to estimate how much entropy 773 * is present. 774 */ 775 diff = ts2 - ts1; 776 delta = diff - entsrc->last_diff; 777 if (delta < 0) 778 delta = -delta; 779 delta2 = delta - entsrc->last_delta; 780 if (delta2 < 0) 781 delta2 = -delta2; 782 delta3 = delta2 - entsrc->last_delta2; 783 if (delta3 < 0) 784 delta3 = -delta3; 785 entsrc->last_diff = diff; 786 entsrc->last_delta = delta; 787 entsrc->last_delta2 = delta2; 788 789 if (delta > delta2) 790 delta = delta2; 791 if (delta > delta3) 792 delta = delta3; 793 delta2 = 0; 794 while (delta >>= 1) 795 delta2++; 796 ent += delta2; 797 798 /* 799 * If the memory block has changed, credit the pool with 800 * the entropy estimate. The entropy estimate is doubled 801 * because the single-bit checksum misses half the change 802 * on average. 803 */ 804 if (physmem_parity_update(entsrc->parity, oblock, 805 digest[0] & 1)) 806 ent += 2 * entsrc->entperblock; 807 808 /* Add the entropy bytes to the pool */ 809 swrand_add_bytes(digest, HASHSIZE); 810 swrand_add_bytes((uint8_t *)&ts1, sizeof (ts1)); 811 swrand_add_bytes((uint8_t *)&ts2, sizeof (ts2)); 812 } 813 814 swrand_mix_pool(ent); 815 } 816 817 static int 818 physmem_parity_update(uint8_t *parity_vec, uint32_t block, int parity) 819 { 820 /* Test and set the parity bit, return 1 if changed */ 821 if (parity == ((parity_vec[block >> 3] >> (block & 7)) & 1)) 822 return (0); 823 parity_vec[block >> 3] ^= 1 << (block & 7); 824 return (1); 825 } 826 827 /* Compute number of memory blocks available to scan */ 828 static void 829 physmem_count_blocks() 830 { 831 struct memlist *pmem; 832 833 memlist_read_lock(); 834 entsrc.nblocks = 0; 835 for (pmem = phys_install; pmem != NULL; pmem = pmem->ml_next) { 836 entsrc.nblocks += pmem->ml_size / MEMBLOCKSIZE; 837 if (entsrc.nblocks > MAXMEMBLOCKS) { 838 entsrc.nblocks = MAXMEMBLOCKS; 839 break; 840 } 841 } 842 memlist_read_unlock(); 843 } 844 845 /* 846 * Dynamic Reconfiguration call-back functions 847 */ 848 849 /* ARGSUSED */ 850 static void 851 rnd_dr_callback_post_add(void *arg, pgcnt_t delta) 852 { 853 /* More memory is available now, so update entsrc->nblocks. */ 854 physmem_count_blocks(); 855 } 856 857 /* Call-back routine invoked before the DR starts a memory removal. */ 858 /* ARGSUSED */ 859 static int 860 rnd_dr_callback_pre_del(void *arg, pgcnt_t delta) 861 { 862 return (0); 863 } 864 865 /* Call-back routine invoked after the DR starts a memory removal. */ 866 /* ARGSUSED */ 867 static void 868 rnd_dr_callback_post_del(void *arg, pgcnt_t delta, int cancelled) 869 { 870 /* Memory has shrunk, so update entsrc->nblocks. */ 871 physmem_count_blocks(); 872 } 873 874 /* Timeout handling to gather entropy from physmem events */ 875 static void 876 swrand_schedule_timeout(void) 877 { 878 clock_t ut; /* time in microseconds */ 879 880 ASSERT(MUTEX_HELD(&srndpool_lock)); 881 /* 882 * The new timeout value is taken from the pool of random bits. 883 * We're merely reading the first 32 bits from the pool here, not 884 * consuming any entropy. 885 * This routine is usually called right after stirring the pool, so 886 * srndpool[0] will have a *fresh* random value each time. 887 * The timeout multiplier value is a random value between 0.7 sec and 888 * 1.748575 sec (0.7 sec + 0xFFFFF microseconds). 889 * The new timeout is TIMEOUT_INTERVAL times that multiplier. 890 */ 891 ut = 700000 + (clock_t)(srndpool[0] & 0xFFFFF); 892 rnd_timeout_id = timeout(rnd_handler, NULL, 893 TIMEOUT_INTERVAL * drv_usectohz(ut)); 894 } 895 896 /*ARGSUSED*/ 897 static void 898 rnd_handler(void *arg) 899 { 900 mutex_enter(&srndpool_lock); 901 902 physmem_ent_gen(&entsrc); 903 if (snum_waiters > 0) 904 cv_broadcast(&srndpool_read_cv); 905 swrand_schedule_timeout(); 906 907 mutex_exit(&srndpool_lock); 908 } 909