xref: /illumos-gate/usr/src/uts/sun4v/io/n2rng/n2rng_provider.c (revision 7247f8883be6bcac5fe4735b6f87f873387dbbef)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/sysmacros.h>
30 #include <sys/modctl.h>
31 #include <sys/conf.h>
32 #include <sys/devops.h>
33 #include <sys/cmn_err.h>
34 #include <sys/kmem.h>
35 #include <sys/stat.h>
36 #include <sys/open.h>
37 #include <sys/file.h>
38 #include <sys/cpuvar.h>
39 #include <sys/disp.h>
40 #include <sys/hsvc.h>
41 #include <sys/machsystm.h>
42 #include <sys/ksynch.h>
43 #include <sys/hypervisor_api.h>
44 #include <sys/n2rng.h>
45 #include <sys/sha1.h>
46 #include <sys/ddi.h>  /* near end to get min and max macros right */
47 #include <sys/sunddi.h>
48 
49 /* n must be a power of 2 */
50 #define	ROUNDUP(k, n)		(((k) + (n) - 1) & ~((n) - 1))
51 #define	SHA1BLOCKBITS		512
52 #define	SHA1BLOCKBYTES		(SHA1BLOCKBITS / 8)
53 #define	SHA1WORDS		5
54 #define	SHA1BYTES		(4 * SHA1WORDS)
55 
56 
57 /*
58  * Policy.  ENTROPY_STARVATION is the maximum number of calls each
59  * FIPS instance will accept without successfully getting more
60  * entropy.  It needs to be large enough to allow RNG operations to
61  * not stall because of health checks, etc.  But we don't want it too
62  * large.  FIPS 186-2 change 1 (5 October 2001) states that no more
63  * that 2,000,000 DSA signatures (done using this algorithm) should be
64  * done without reseeding.  We make sure we add 64 bits of entropy at
65  * most every 10000 operations, hence we will have stirred in 160 bits
66  * of entropy at most once every 30000 operations.  Normally, we stir
67  * in 64 bits of entropy for every number generated.
68  */
69 #define	ENTROPY_STARVATION	10000ULL
70 
71 extern int	n2rng_herr2kerr(uint64_t);
72 
73 
74 /*
75  * Adds val1 and val2 and stores result into sum.  The various input
76  * pointers can be exactly aliased.  (They cannot be offset and
77  * overlapping, but no one would ever do that.)  Values are big endian
78  * by words and native byte order within words.  The return value's
79  * 2-bit is 0 if the result is zero, it's 1 bit is carry out.  (This
80  * is reused code.  The return code is not used by n2rng.)  Thus,
81  * calling with both carryin and complement_val2 ones does a
82  * subtraction.  A null sum pointer parameter is allowed.  The
83  * subtraction features were required when this code was orginally
84  * written so it could do a mod q operation.
85  */
86 static int
87 add160(uint32_t *sum, uint32_t const *val1, uint32_t const *val2,
88     const unsigned carryin, const int complement_val2)
89 {
90 	int i;
91 	uint32_t partialsum;
92 	uint32_t carry = (carryin > 0);
93 	uint32_t non_zero = 0;
94 
95 	for (i = 4; i >= 0; --i) {
96 		partialsum = val1[i] + (complement_val2 ? ~val2[i] : val2[i]) +
97 		    carry;
98 		if (carry) {
99 			carry = (partialsum <= val1[i]);
100 		} else {
101 			carry = (partialsum < val1[i]);
102 		}
103 		if (sum) {
104 			sum[i] = partialsum;
105 		}
106 		non_zero |= partialsum;
107 	}
108 
109 	return (((non_zero != 0) * 2) | carry);
110 }
111 
112 
113 
114 /*
115  * Computes a new random value, which is stored in x_j; updates XKEY
116  * in the *rs.  XSEED_j is additional input.  In principle, we should
117  * protect XKEY, perhaps by putting it on a non-pagable page, but we
118  * aways clobber XKEY with fresh entropy just before we use it.  And
119  * step 3d irreversibly updates it just after we use it.  The only
120  * risk is that if an attacker captured the state while the entropy
121  * generator was broken, the attacker could predict future values.
122  * There are two cases: 1.  The attack gets root access to a live
123  * system.  But there is no defense against that.  2.  The attacker
124  * gets access to a crash dump.  But by then no values are being
125  * generated.
126  *
127  * Note that XSEEDj is overwritten with sensitive stuff, and must be
128  * zeroed by the caller.  We use two separate symbols (XVAL and
129  * XSEEDj) to make each step match the notation in FIPS 186-2.
130  */
131 static void
132 fips_random_inner(fipsrandomstruct_t *frsp, uint32_t *x_j,
133     uint32_t *XSEED_j)
134 {
135 	int		i;
136 	SHA1_CTX	sha1_context;
137 	/* Alias to preserve terminology from FIPS 186-2 */
138 #define	XVAL XSEED_j
139 	/*
140 	 * K&R section A8.7: If the array has fixed size, the number
141 	 * of initializers may not exceed the number of members in the
142 	 * array; if there are fewer, the trailing members are
143 	 * initialized with 0.
144 	 */
145 	static const char	zero[SHA1BLOCKBYTES - SHA1BYTES] = {0};
146 
147 	/*
148 	 * Step 3b: XVAL = (XKEY + XSEED_sub_j) mod 2^b.  The mod is
149 	 * implicit in the 160 bit representation.  Note that XVAL and
150 	 * XSEED_j are actually the same location.
151 	 */
152 	(void) add160(XVAL, frsp->XKEY, XSEED_j, 0, 0);
153 	/*
154 	 * Step 3c: x_sub_j = G(t, XVAL) mod q.
155 	 */
156 	SHA1Init(&sha1_context);
157 	SHA1Update(&sha1_context, (unsigned char *)XVAL, SHA1BYTES);
158 	/*
159 	 * Filling to 64 bytes is requried by FIPS 186-2 Appendix 3.3.
160 	 * It also triggers SHA1Transform (the steps a-e of the spec).
161 	 *
162 	 * zero is a const char[], but SHA1update does not declare its
163 	 * second parameter const, even though it does not modify it,
164 	 * so we cast to suppress a compiler warning.
165 	 */
166 	SHA1Update(&sha1_context, (unsigned char *)zero,
167 	    SHA1BLOCKBYTES - SHA1BYTES);
168 	/*
169 	 * The code below directly accesses the state field of
170 	 * sha1_context, which is of type SHA1_CTX, defined in sha1.h.
171 	 * This has been deemed acceptable, because that typedef is
172 	 * Consolidation Private, and n2rng is in the same
173 	 * consolidation.
174 	 */
175 	/* copy out to x_j */
176 	for (i = 0; i < 5; i++) {
177 		x_j[i] = sha1_context.state[i];
178 	}
179 	/*
180 	 * Step 3d: XKEY = (1 + XKEY + x_sub_j) mod 2^b.  b=160.  The
181 	 * mod 2^160 is implicit in the 160 bit representation.  The
182 	 * one is added via the carry-in flag.
183 	 */
184 	(void) add160(frsp->XKEY, frsp->XKEY, x_j, 1, 0);
185 #undef XVAL
186 }
187 
188 int
189 fips_random(n2rng_t *n2rng, uint8_t *out, size_t nbytes)
190 {
191 	int			i;
192 	fipsrandomstruct_t	*frsp;
193 	union {
194 		uint32_t	as32[SHA1WORDS];
195 		uint64_t	as64[ROUNDUP(SHA1WORDS, 2) >> 1];
196 	} entropy = {0};
197 	uint32_t		tempout[SHA1WORDS];
198 
199 
200 	for (i = 0; i < nbytes; i += SHA1BYTES) {
201 		/*
202 		 * Since in the new scheme of things, the RNG latency
203 		 * will be high on reads after the first, we get just
204 		 * one word of entropy per call.  And if it fails, we
205 		 * just go on, but if the number of successive
206 		 * failures gets too big, we fail.
207 		 */
208 		if (n2rng_getentropy(n2rng, (void *)&entropy.as64[1],
209 		    sizeof (uint64_t))) {
210 			/* failure case */
211 			entropy.as64[1] = 0;
212 		}
213 
214 		/*
215 		 * The idea here is that a Niagara2 chip is highly
216 		 * parallel, with many strands.  If we have just one
217 		 * instance of the FIPS data, then only one FIPS
218 		 * computation can happen at a time, serializeing all
219 		 * the RNG stuff.  So we make N2RNG_FIPS_INSTANCES,
220 		 * and use them round-robin, with the counter being
221 		 * n2rng->n_frs.fips_round_robin_j.  We increment the
222 		 * counter with an atomic op, avoiding having to have
223 		 * a global muxtex.  The atomic ops are also
224 		 * significantly faster than mutexes.  The mutex is
225 		 * put inside the loop, otherwise one thread reading
226 		 * many blocks could stall all other strands.
227 		 */
228 		frsp = &n2rng->n_frs.fipsarray[
229 		    atomic_inc_32_nv(&n2rng->n_frs.fips_round_robin_j) %
230 		    N2RNG_FIPS_INSTANCES];
231 
232 		mutex_enter(&frsp->mtx);
233 
234 		if (entropy.as64[1] == 0) {
235 			/*
236 			 * If we did not get any entropy, entropyword
237 			 * is zero.  We get a false positive with
238 			 * probablitity 2^-64.  It's not worth a few
239 			 * extra stores and tests eliminate the false
240 			 * positive.
241 			 */
242 			if (++frsp->entropyhunger > ENTROPY_STARVATION) {
243 				mutex_exit(&frsp->mtx);
244 				cmn_err(CE_WARN, "n2rng: not generating "
245 				    "entropy");
246 				return (EIO);
247 			}
248 		} else {
249 			frsp->entropyhunger = 0;
250 		}
251 
252 		/* nbytes - i is bytes to go */
253 		fips_random_inner(frsp, tempout, entropy.as32);
254 		bcopy(tempout, &out[i], min(nbytes - i,  SHA1BYTES));
255 
256 		mutex_exit(&frsp->mtx);
257 	}
258 
259 	/* Zeroize sensitive information */
260 
261 	entropy.as64[1] = 0;
262 	bzero(tempout, SHA1BYTES);
263 
264 	return (0);
265 }
266 
267 /*
268  * Initializes one FIPS RNG instance.  Must be called once for each
269  * instance.
270  */
271 int
272 n2rng_fips_random_init(n2rng_t *n2rng, fipsrandomstruct_t *frsp)
273 {
274 	/*
275 	 * All FIPS-approved algorithms will operate as cryptograpic
276 	 * quality PRNGs even if there is no entropy source.  (In
277 	 * fact, this the only one that accepts entropy on the fly.)
278 	 * One motivation for this is that they system keeps on
279 	 * delivering cryptographic quality random numbers, even if
280 	 * the entropy source fails.
281 	 */
282 
283 	int rv;
284 
285 	rv = n2rng_getentropy(n2rng, (void *)frsp->XKEY, ROUNDUP(SHA1BYTES, 8));
286 	if (rv) {
287 		return (rv);
288 	}
289 
290 	mutex_init(&frsp->mtx, NULL, MUTEX_DRIVER, NULL);
291 
292 	return (0);
293 }
294 
295 void
296 n2rng_fips_random_fini(fipsrandomstruct_t *frsp)
297 {
298 	mutex_destroy(&frsp->mtx);
299 	/*
300 	 * Zeroise fips data.  Not really necessary, since the
301 	 * algorithm has backtracking resistance, but do it anyway.
302 	 */
303 	bzero(frsp, sizeof (fipsrandomstruct_t));
304 }
305