xref: /illumos-gate/usr/src/uts/sun4v/io/n2rng/n2rng_provider.c (revision d321a33cdd896e6b211d113a33698dd76e89b861)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/sysmacros.h>
30 #include <sys/modctl.h>
31 #include <sys/conf.h>
32 #include <sys/devops.h>
33 #include <sys/cmn_err.h>
34 #include <sys/kmem.h>
35 #include <sys/stat.h>
36 #include <sys/open.h>
37 #include <sys/file.h>
38 #include <sys/cpuvar.h>
39 #include <sys/disp.h>
40 #include <sys/hsvc.h>
41 #include <sys/machsystm.h>
42 #include <sys/ksynch.h>
43 #include <sys/hypervisor_api.h>
44 #include <sys/n2rng.h>
45 #include <sys/sha1.h>
46 #include <sys/ddi.h>  /* near end to get min and max macros right */
47 #include <sys/sunddi.h>
48 
49 /* n must be a power of 2 */
50 #define	ROUNDUP(k, n)		(((k) + (n) - 1) & ~((n) - 1))
51 #define	SHA1BLOCKBITS		512
52 #define	SHA1BLOCKBYTES		(SHA1BLOCKBITS / 8)
53 #define	SHA1WORDS		5
54 #define	SHA1BYTES		(4 * SHA1WORDS)
55 
56 
57 /*
58  * Policy.  ENTROPY_STARVATION is the maximum number of calls each
59  * FIPS instance will accept without successfully getting more
60  * entropy.  It needs to be large enough to allow RNG operations to
61  * not stall because of health checks, etc.  But we don't want it too
62  * large.  FIPS 186-2 change 1 (5 October 2001) states that no more
63  * that 2,000,000 DSA signatures (done using this algorithm) should be
64  * done without reseeding.  We make sure we add 64 bits of entropy at
65  * most every 10000 operations, hence we will have stirred in 160 bits
66  * of entropy at most once every 30000 operations.  Normally, we stir
67  * in 64 bits of entropy for every number generated.
68  */
69 #define	ENTROPY_STARVATION	10000ULL
70 
71 /*
72  * Adds val1 and val2 and stores result into sum.  The various input
73  * pointers can be exactly aliased.  (They cannot be offset and
74  * overlapping, but no one would ever do that.)  Values are big endian
75  * by words and native byte order within words.  The return value's
76  * 2-bit is 0 if the result is zero, it's 1 bit is carry out.  (This
77  * is reused code.  The return code is not used by n2rng.)  Thus,
78  * calling with both carryin and complement_val2 ones does a
79  * subtraction.  A null sum pointer parameter is allowed.  The
80  * subtraction features were required when this code was orginally
81  * written so it could do a mod q operation.
82  */
83 static int
84 add160(uint32_t *sum, uint32_t const *val1, uint32_t const *val2,
85     const unsigned carryin, const int complement_val2)
86 {
87 	int i;
88 	uint32_t partialsum;
89 	uint32_t carry = (carryin > 0);
90 	uint32_t non_zero = 0;
91 
92 	for (i = 4; i >= 0; --i) {
93 		partialsum = val1[i] + (complement_val2 ? ~val2[i] : val2[i]) +
94 		    carry;
95 		if (carry) {
96 			carry = (partialsum <= val1[i]);
97 		} else {
98 			carry = (partialsum < val1[i]);
99 		}
100 		if (sum) {
101 			sum[i] = partialsum;
102 		}
103 		non_zero |= partialsum;
104 	}
105 
106 	return (((non_zero != 0) * 2) | carry);
107 }
108 
109 
110 
111 /*
112  * Computes a new random value, which is stored in x_j; updates XKEY
113  * in the *rs.  XSEED_j is additional input.  In principle, we should
114  * protect XKEY, perhaps by putting it on a non-pagable page, but we
115  * aways clobber XKEY with fresh entropy just before we use it.  And
116  * step 3d irreversibly updates it just after we use it.  The only
117  * risk is that if an attacker captured the state while the entropy
118  * generator was broken, the attacker could predict future values.
119  * There are two cases: 1.  The attack gets root access to a live
120  * system.  But there is no defense against that.  2.  The attacker
121  * gets access to a crash dump.  But by then no values are being
122  * generated.
123  *
124  * Note that XSEEDj is overwritten with sensitive stuff, and must be
125  * zeroed by the caller.  We use two separate symbols (XVAL and
126  * XSEEDj) to make each step match the notation in FIPS 186-2.
127  */
128 static void
129 fips_random_inner(fipsrandomstruct_t *frsp, uint32_t *x_j,
130     uint32_t *XSEED_j)
131 {
132 	int		i;
133 	SHA1_CTX	sha1_context;
134 	/* Alias to preserve terminology from FIPS 186-2 */
135 #define	XVAL XSEED_j
136 	/*
137 	 * K&R section A8.7: If the array has fixed size, the number
138 	 * of initializers may not exceed the number of members in the
139 	 * array; if there are fewer, the trailing members are
140 	 * initialized with 0.
141 	 */
142 	static const char	zero[SHA1BLOCKBYTES - SHA1BYTES] = {0};
143 
144 	/*
145 	 * Step 3b: XVAL = (XKEY + XSEED_sub_j) mod 2^b.  The mod is
146 	 * implicit in the 160 bit representation.  Note that XVAL and
147 	 * XSEED_j are actually the same location.
148 	 */
149 	(void) add160(XVAL, frsp->XKEY, XSEED_j, 0, 0);
150 	/*
151 	 * Step 3c: x_sub_j = G(t, XVAL)
152 	 */
153 	SHA1Init(&sha1_context);
154 	SHA1Update(&sha1_context, (unsigned char *)XVAL, SHA1BYTES);
155 	/*
156 	 * Filling to 64 bytes is requried by FIPS 186-2 Appendix 3.3.
157 	 * It also triggers SHA1Transform (the steps a-e of the spec).
158 	 *
159 	 * zero is a const char[], but SHA1update does not declare its
160 	 * second parameter const, even though it does not modify it,
161 	 * so we cast to suppress a compiler warning.
162 	 */
163 	SHA1Update(&sha1_context, (unsigned char *)zero,
164 	    SHA1BLOCKBYTES - SHA1BYTES);
165 	/*
166 	 * The code below directly accesses the state field of
167 	 * sha1_context, which is of type SHA1_CTX, defined in sha1.h.
168 	 * This has been deemed acceptable, because that typedef is
169 	 * Consolidation Private, and n2rng is in the same
170 	 * consolidation.
171 	 */
172 	/* copy out to x_j */
173 	for (i = 0; i < 5; i++) {
174 		x_j[i] = sha1_context.state[i];
175 	}
176 	/*
177 	 * Step 3d: XKEY = (1 + XKEY + x_sub_j) mod 2^b.  b=160.  The
178 	 * mod 2^160 is implicit in the 160 bit representation.  The
179 	 * one is added via the carry-in flag.
180 	 */
181 	(void) add160(frsp->XKEY, frsp->XKEY, x_j, 1, 0);
182 #undef XVAL
183 }
184 
185 int
186 fips_random(n2rng_t *n2rng, uint8_t *out, size_t nbytes)
187 {
188 	int			i;
189 	fipsrandomstruct_t	*frsp;
190 	int			rv;
191 	union {
192 		uint32_t	as32[SHA1WORDS];
193 		uint64_t	as64[ROUNDUP(SHA1WORDS, 2) >> 1];
194 	} entropy = {0};
195 	uint32_t		tempout[SHA1WORDS];
196 
197 
198 	for (i = 0; i < nbytes; i += SHA1BYTES) {
199 		frsp = &n2rng->n_frs.fipsarray[
200 		    atomic_inc_32_nv(&n2rng->n_frs.fips_round_robin_j) %
201 		    N2RNG_FIPS_INSTANCES];
202 		/*
203 		 * Since in the new scheme of things, the RNG latency
204 		 * will be high on reads after the first, we get just
205 		 * one word of entropy per call.
206 		 */
207 		if ((rv = n2rng_getentropy(n2rng, (void *)&entropy.as64[1],
208 		    sizeof (uint64_t))) != 0) {
209 
210 			/*
211 			 * If all rngs have failed, dispatch task to unregister
212 			 * from kcf and put the driver in an error state.  If
213 			 * recoverable errors persist, a configuration retry
214 			 * will be initiated.
215 			 */
216 			if (rv == EPERM) {
217 				n2rng_failure(n2rng);
218 				return (EIO);
219 			}
220 			/* Failure with possible recovery */
221 			entropy.as64[1] = 0;
222 		}
223 
224 		/*
225 		 * The idea here is that a Niagara2 chip is highly
226 		 * parallel, with many strands.  If we have just one
227 		 * instance of the FIPS data, then only one FIPS
228 		 * computation can happen at a time, serializeing all
229 		 * the RNG stuff.  So we make N2RNG_FIPS_INSTANCES,
230 		 * and use them round-robin, with the counter being
231 		 * n2rng->n_frs.fips_round_robin_j.  We increment the
232 		 * counter with an atomic op, avoiding having to have
233 		 * a global muxtex.  The atomic ops are also
234 		 * significantly faster than mutexes.  The mutex is
235 		 * put inside the loop, otherwise one thread reading
236 		 * many blocks could stall all other strands.
237 		 */
238 		frsp = &n2rng->n_frs.fipsarray[
239 		    atomic_inc_32_nv(&n2rng->n_frs.fips_round_robin_j) %
240 		    N2RNG_FIPS_INSTANCES];
241 
242 		mutex_enter(&frsp->mtx);
243 
244 		if (entropy.as64[1] == 0) {
245 			/*
246 			 * If we did not get any entropy, entropyword
247 			 * is zero.  We get a false positive with
248 			 * probablitity 2^-64.  It's not worth a few
249 			 * extra stores and tests eliminate the false
250 			 * positive.
251 			 */
252 			if (++frsp->entropyhunger > ENTROPY_STARVATION) {
253 				mutex_exit(&frsp->mtx);
254 				n2rng_unconfigured(n2rng);
255 				return (EIO);
256 			}
257 		} else {
258 			frsp->entropyhunger = 0;
259 		}
260 
261 		/* nbytes - i is bytes to go */
262 		fips_random_inner(frsp, tempout, entropy.as32);
263 		bcopy(tempout, &out[i], min(nbytes - i,  SHA1BYTES));
264 
265 		mutex_exit(&frsp->mtx);
266 	}
267 
268 	/* Zeroize sensitive information */
269 
270 	entropy.as64[1] = 0;
271 	bzero(tempout, SHA1BYTES);
272 
273 	return (0);
274 }
275 
276 /*
277  * Initializes one FIPS RNG instance.  Must be called once for each
278  * instance.
279  */
280 int
281 n2rng_fips_random_init(n2rng_t *n2rng, fipsrandomstruct_t *frsp)
282 {
283 	/*
284 	 * All FIPS-approved algorithms will operate as cryptograpic
285 	 * quality PRNGs even if there is no entropy source.  (In
286 	 * fact, this the only one that accepts entropy on the fly.)
287 	 * One motivation for this is that they system keeps on
288 	 * delivering cryptographic quality random numbers, even if
289 	 * the entropy source fails.
290 	 */
291 
292 	int rv;
293 
294 	rv = n2rng_getentropy(n2rng, (void *)frsp->XKEY, ROUNDUP(SHA1BYTES, 8));
295 	if (rv) {
296 		return (rv);
297 	}
298 	frsp->entropyhunger = 0;
299 	mutex_init(&frsp->mtx, NULL, MUTEX_DRIVER, NULL);
300 
301 	return (0);
302 }
303 
304 void
305 n2rng_fips_random_fini(fipsrandomstruct_t *frsp)
306 {
307 	mutex_destroy(&frsp->mtx);
308 	/*
309 	 * Zeroise fips data.  Not really necessary, since the
310 	 * algorithm has backtracking resistance, but do it anyway.
311 	 */
312 	bzero(frsp, sizeof (fipsrandomstruct_t));
313 }
314