xref: /linux/arch/s390/crypto/prng.c (revision 0883c2c06fb5bcf5b9e008270827e63c09a88c1e)
1 /*
2  * Copyright IBM Corp. 2006, 2015
3  * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
4  *	      Harald Freudenberger <freude@de.ibm.com>
5  * Driver for the s390 pseudo random number generator
6  */
7 
8 #define KMSG_COMPONENT "prng"
9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
10 
11 #include <linux/fs.h>
12 #include <linux/fips.h>
13 #include <linux/init.h>
14 #include <linux/kernel.h>
15 #include <linux/device.h>
16 #include <linux/miscdevice.h>
17 #include <linux/module.h>
18 #include <linux/moduleparam.h>
19 #include <linux/mutex.h>
20 #include <linux/cpufeature.h>
21 #include <linux/random.h>
22 #include <linux/slab.h>
23 #include <asm/debug.h>
24 #include <asm/uaccess.h>
25 #include <asm/timex.h>
26 #include <asm/cpacf.h>
27 
28 MODULE_LICENSE("GPL");
29 MODULE_AUTHOR("IBM Corporation");
30 MODULE_DESCRIPTION("s390 PRNG interface");
31 
32 
33 #define PRNG_MODE_AUTO	  0
34 #define PRNG_MODE_TDES	  1
35 #define PRNG_MODE_SHA512  2
36 
37 static unsigned int prng_mode = PRNG_MODE_AUTO;
38 module_param_named(mode, prng_mode, int, 0);
39 MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512");
40 
41 
42 #define PRNG_CHUNKSIZE_TDES_MIN   8
43 #define PRNG_CHUNKSIZE_TDES_MAX   (64*1024)
44 #define PRNG_CHUNKSIZE_SHA512_MIN 64
45 #define PRNG_CHUNKSIZE_SHA512_MAX (64*1024)
46 
47 static unsigned int prng_chunk_size = 256;
48 module_param_named(chunksize, prng_chunk_size, int, 0);
49 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
50 
51 
52 #define PRNG_RESEED_LIMIT_TDES		 4096
53 #define PRNG_RESEED_LIMIT_TDES_LOWER	 4096
54 #define PRNG_RESEED_LIMIT_SHA512       100000
55 #define PRNG_RESEED_LIMIT_SHA512_LOWER	10000
56 
57 static unsigned int prng_reseed_limit;
58 module_param_named(reseed_limit, prng_reseed_limit, int, 0);
59 MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit");
60 
61 
62 /*
63  * Any one who considers arithmetical methods of producing random digits is,
64  * of course, in a state of sin. -- John von Neumann
65  */
66 
67 static int prng_errorflag;
68 
69 #define PRNG_GEN_ENTROPY_FAILED  1
70 #define PRNG_SELFTEST_FAILED	 2
71 #define PRNG_INSTANTIATE_FAILED  3
72 #define PRNG_SEED_FAILED	 4
73 #define PRNG_RESEED_FAILED	 5
74 #define PRNG_GEN_FAILED		 6
75 
76 struct prng_ws_s {
77 	u8  parm_block[32];
78 	u32 reseed_counter;
79 	u64 byte_counter;
80 };
81 
82 struct ppno_ws_s {
83 	u32 res;
84 	u32 reseed_counter;
85 	u64 stream_bytes;
86 	u8  V[112];
87 	u8  C[112];
88 };
89 
90 struct prng_data_s {
91 	struct mutex mutex;
92 	union {
93 		struct prng_ws_s prngws;
94 		struct ppno_ws_s ppnows;
95 	};
96 	u8 *buf;
97 	u32 rest;
98 	u8 *prev;
99 };
100 
101 static struct prng_data_s *prng_data;
102 
103 /* initial parameter block for tdes mode, copied from libica */
104 static const u8 initial_parm_block[32] __initconst = {
105 	0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52,
106 	0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4,
107 	0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF,
108 	0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0 };
109 
110 
111 /*** helper functions ***/
112 
113 static int generate_entropy(u8 *ebuf, size_t nbytes)
114 {
115 	int n, ret = 0;
116 	u8 *pg, *h, hash[32];
117 
118 	pg = (u8 *) __get_free_page(GFP_KERNEL);
119 	if (!pg) {
120 		prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
121 		return -ENOMEM;
122 	}
123 
124 	while (nbytes) {
125 		/* fill page with urandom bytes */
126 		get_random_bytes(pg, PAGE_SIZE);
127 		/* exor page with stckf values */
128 		for (n = 0; n < PAGE_SIZE / sizeof(u64); n++) {
129 			u64 *p = ((u64 *)pg) + n;
130 			*p ^= get_tod_clock_fast();
131 		}
132 		n = (nbytes < sizeof(hash)) ? nbytes : sizeof(hash);
133 		if (n < sizeof(hash))
134 			h = hash;
135 		else
136 			h = ebuf;
137 		/* generate sha256 from this page */
138 		if (cpacf_kimd(CPACF_KIMD_SHA_256, h,
139 			       pg, PAGE_SIZE) != PAGE_SIZE) {
140 			prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
141 			ret = -EIO;
142 			goto out;
143 		}
144 		if (n < sizeof(hash))
145 			memcpy(ebuf, hash, n);
146 		ret += n;
147 		ebuf += n;
148 		nbytes -= n;
149 	}
150 
151 out:
152 	free_page((unsigned long)pg);
153 	return ret;
154 }
155 
156 
157 /*** tdes functions ***/
158 
159 static void prng_tdes_add_entropy(void)
160 {
161 	__u64 entropy[4];
162 	unsigned int i;
163 	int ret;
164 
165 	for (i = 0; i < 16; i++) {
166 		ret = cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
167 				(char *)entropy, (char *)entropy,
168 				sizeof(entropy));
169 		BUG_ON(ret < 0 || ret != sizeof(entropy));
170 		memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy));
171 	}
172 }
173 
174 
175 static void prng_tdes_seed(int nbytes)
176 {
177 	char buf[16];
178 	int i = 0;
179 
180 	BUG_ON(nbytes > sizeof(buf));
181 
182 	get_random_bytes(buf, nbytes);
183 
184 	/* Add the entropy */
185 	while (nbytes >= 8) {
186 		*((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i));
187 		prng_tdes_add_entropy();
188 		i += 8;
189 		nbytes -= 8;
190 	}
191 	prng_tdes_add_entropy();
192 	prng_data->prngws.reseed_counter = 0;
193 }
194 
195 
196 static int __init prng_tdes_instantiate(void)
197 {
198 	int datalen;
199 
200 	pr_debug("prng runs in TDES mode with "
201 		 "chunksize=%d and reseed_limit=%u\n",
202 		 prng_chunk_size, prng_reseed_limit);
203 
204 	/* memory allocation, prng_data struct init, mutex init */
205 	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
206 	prng_data = kzalloc(datalen, GFP_KERNEL);
207 	if (!prng_data) {
208 		prng_errorflag = PRNG_INSTANTIATE_FAILED;
209 		return -ENOMEM;
210 	}
211 	mutex_init(&prng_data->mutex);
212 	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
213 	memcpy(prng_data->prngws.parm_block, initial_parm_block, 32);
214 
215 	/* initialize the PRNG, add 128 bits of entropy */
216 	prng_tdes_seed(16);
217 
218 	return 0;
219 }
220 
221 
222 static void prng_tdes_deinstantiate(void)
223 {
224 	pr_debug("The prng module stopped "
225 		 "after running in triple DES mode\n");
226 	kzfree(prng_data);
227 }
228 
229 
230 /*** sha512 functions ***/
231 
232 static int __init prng_sha512_selftest(void)
233 {
234 	/* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */
235 	static const u8 seed[] __initconst = {
236 		0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a,
237 		0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22,
238 		0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b,
239 		0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c,
240 		0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa,
241 		0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25 };
242 	static const u8 V0[] __initconst = {
243 		0x00, 0xad, 0xe3, 0x6f, 0x9a, 0x01, 0xc7, 0x76,
244 		0x61, 0x34, 0x35, 0xf5, 0x4e, 0x24, 0x74, 0x22,
245 		0x21, 0x9a, 0x29, 0x89, 0xc7, 0x93, 0x2e, 0x60,
246 		0x1e, 0xe8, 0x14, 0x24, 0x8d, 0xd5, 0x03, 0xf1,
247 		0x65, 0x5d, 0x08, 0x22, 0x72, 0xd5, 0xad, 0x95,
248 		0xe1, 0x23, 0x1e, 0x8a, 0xa7, 0x13, 0xd9, 0x2b,
249 		0x5e, 0xbc, 0xbb, 0x80, 0xab, 0x8d, 0xe5, 0x79,
250 		0xab, 0x5b, 0x47, 0x4e, 0xdd, 0xee, 0x6b, 0x03,
251 		0x8f, 0x0f, 0x5c, 0x5e, 0xa9, 0x1a, 0x83, 0xdd,
252 		0xd3, 0x88, 0xb2, 0x75, 0x4b, 0xce, 0x83, 0x36,
253 		0x57, 0x4b, 0xf1, 0x5c, 0xca, 0x7e, 0x09, 0xc0,
254 		0xd3, 0x89, 0xc6, 0xe0, 0xda, 0xc4, 0x81, 0x7e,
255 		0x5b, 0xf9, 0xe1, 0x01, 0xc1, 0x92, 0x05, 0xea,
256 		0xf5, 0x2f, 0xc6, 0xc6, 0xc7, 0x8f, 0xbc, 0xf4 };
257 	static const u8 C0[] __initconst = {
258 		0x00, 0xf4, 0xa3, 0xe5, 0xa0, 0x72, 0x63, 0x95,
259 		0xc6, 0x4f, 0x48, 0xd0, 0x8b, 0x5b, 0x5f, 0x8e,
260 		0x6b, 0x96, 0x1f, 0x16, 0xed, 0xbc, 0x66, 0x94,
261 		0x45, 0x31, 0xd7, 0x47, 0x73, 0x22, 0xa5, 0x86,
262 		0xce, 0xc0, 0x4c, 0xac, 0x63, 0xb8, 0x39, 0x50,
263 		0xbf, 0xe6, 0x59, 0x6c, 0x38, 0x58, 0x99, 0x1f,
264 		0x27, 0xa7, 0x9d, 0x71, 0x2a, 0xb3, 0x7b, 0xf9,
265 		0xfb, 0x17, 0x86, 0xaa, 0x99, 0x81, 0xaa, 0x43,
266 		0xe4, 0x37, 0xd3, 0x1e, 0x6e, 0xe5, 0xe6, 0xee,
267 		0xc2, 0xed, 0x95, 0x4f, 0x53, 0x0e, 0x46, 0x8a,
268 		0xcc, 0x45, 0xa5, 0xdb, 0x69, 0x0d, 0x81, 0xc9,
269 		0x32, 0x92, 0xbc, 0x8f, 0x33, 0xe6, 0xf6, 0x09,
270 		0x7c, 0x8e, 0x05, 0x19, 0x0d, 0xf1, 0xb6, 0xcc,
271 		0xf3, 0x02, 0x21, 0x90, 0x25, 0xec, 0xed, 0x0e };
272 	static const u8 random[] __initconst = {
273 		0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57,
274 		0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6,
275 		0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d,
276 		0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf,
277 		0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26,
278 		0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64,
279 		0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55,
280 		0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a,
281 		0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78,
282 		0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e,
283 		0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb,
284 		0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30,
285 		0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19,
286 		0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f,
287 		0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d,
288 		0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a,
289 		0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2,
290 		0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd,
291 		0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd,
292 		0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2,
293 		0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b,
294 		0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1,
295 		0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99,
296 		0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e,
297 		0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3,
298 		0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67,
299 		0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3,
300 		0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d,
301 		0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b,
302 		0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13,
303 		0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c,
304 		0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2 };
305 
306 	int ret = 0;
307 	u8 buf[sizeof(random)];
308 	struct ppno_ws_s ws;
309 
310 	memset(&ws, 0, sizeof(ws));
311 
312 	/* initial seed */
313 	ret = cpacf_ppno(CPACF_PPNO_SHA512_DRNG_SEED, &ws, NULL, 0,
314 			 seed, sizeof(seed));
315 	if (ret < 0) {
316 		pr_err("The prng self test seed operation for the "
317 		       "SHA-512 mode failed with rc=%d\n", ret);
318 		prng_errorflag = PRNG_SELFTEST_FAILED;
319 		return -EIO;
320 	}
321 
322 	/* check working states V and C */
323 	if (memcmp(ws.V, V0, sizeof(V0)) != 0
324 	    || memcmp(ws.C, C0, sizeof(C0)) != 0) {
325 		pr_err("The prng self test state test "
326 		       "for the SHA-512 mode failed\n");
327 		prng_errorflag = PRNG_SELFTEST_FAILED;
328 		return -EIO;
329 	}
330 
331 	/* generate random bytes */
332 	ret = cpacf_ppno(CPACF_PPNO_SHA512_DRNG_GEN,
333 			 &ws, buf, sizeof(buf), NULL, 0);
334 	if (ret < 0) {
335 		pr_err("The prng self test generate operation for "
336 		       "the SHA-512 mode failed with rc=%d\n", ret);
337 		prng_errorflag = PRNG_SELFTEST_FAILED;
338 		return -EIO;
339 	}
340 	ret = cpacf_ppno(CPACF_PPNO_SHA512_DRNG_GEN,
341 			 &ws, buf, sizeof(buf), NULL, 0);
342 	if (ret < 0) {
343 		pr_err("The prng self test generate operation for "
344 		       "the SHA-512 mode failed with rc=%d\n", ret);
345 		prng_errorflag = PRNG_SELFTEST_FAILED;
346 		return -EIO;
347 	}
348 
349 	/* check against expected data */
350 	if (memcmp(buf, random, sizeof(random)) != 0) {
351 		pr_err("The prng self test data test "
352 		       "for the SHA-512 mode failed\n");
353 		prng_errorflag = PRNG_SELFTEST_FAILED;
354 		return -EIO;
355 	}
356 
357 	return 0;
358 }
359 
360 
361 static int __init prng_sha512_instantiate(void)
362 {
363 	int ret, datalen;
364 	u8 seed[64];
365 
366 	pr_debug("prng runs in SHA-512 mode "
367 		 "with chunksize=%d and reseed_limit=%u\n",
368 		 prng_chunk_size, prng_reseed_limit);
369 
370 	/* memory allocation, prng_data struct init, mutex init */
371 	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
372 	if (fips_enabled)
373 		datalen += prng_chunk_size;
374 	prng_data = kzalloc(datalen, GFP_KERNEL);
375 	if (!prng_data) {
376 		prng_errorflag = PRNG_INSTANTIATE_FAILED;
377 		return -ENOMEM;
378 	}
379 	mutex_init(&prng_data->mutex);
380 	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
381 
382 	/* selftest */
383 	ret = prng_sha512_selftest();
384 	if (ret)
385 		goto outfree;
386 
387 	/* generate initial seed bytestring, first 48 bytes of entropy */
388 	ret = generate_entropy(seed, 48);
389 	if (ret != 48)
390 		goto outfree;
391 	/* followed by 16 bytes of unique nonce */
392 	get_tod_clock_ext(seed + 48);
393 
394 	/* initial seed of the ppno drng */
395 	ret = cpacf_ppno(CPACF_PPNO_SHA512_DRNG_SEED,
396 			 &prng_data->ppnows, NULL, 0, seed, sizeof(seed));
397 	if (ret < 0) {
398 		prng_errorflag = PRNG_SEED_FAILED;
399 		ret = -EIO;
400 		goto outfree;
401 	}
402 
403 	/* if fips mode is enabled, generate a first block of random
404 	   bytes for the FIPS 140-2 Conditional Self Test */
405 	if (fips_enabled) {
406 		prng_data->prev = prng_data->buf + prng_chunk_size;
407 		ret = cpacf_ppno(CPACF_PPNO_SHA512_DRNG_GEN,
408 				 &prng_data->ppnows,
409 				 prng_data->prev, prng_chunk_size, NULL, 0);
410 		if (ret < 0 || ret != prng_chunk_size) {
411 			prng_errorflag = PRNG_GEN_FAILED;
412 			ret = -EIO;
413 			goto outfree;
414 		}
415 	}
416 
417 	return 0;
418 
419 outfree:
420 	kfree(prng_data);
421 	return ret;
422 }
423 
424 
425 static void prng_sha512_deinstantiate(void)
426 {
427 	pr_debug("The prng module stopped after running in SHA-512 mode\n");
428 	kzfree(prng_data);
429 }
430 
431 
432 static int prng_sha512_reseed(void)
433 {
434 	int ret;
435 	u8 seed[32];
436 
437 	/* generate 32 bytes of fresh entropy */
438 	ret = generate_entropy(seed, sizeof(seed));
439 	if (ret != sizeof(seed))
440 		return ret;
441 
442 	/* do a reseed of the ppno drng with this bytestring */
443 	ret = cpacf_ppno(CPACF_PPNO_SHA512_DRNG_SEED,
444 			 &prng_data->ppnows, NULL, 0, seed, sizeof(seed));
445 	if (ret) {
446 		prng_errorflag = PRNG_RESEED_FAILED;
447 		return -EIO;
448 	}
449 
450 	return 0;
451 }
452 
453 
454 static int prng_sha512_generate(u8 *buf, size_t nbytes)
455 {
456 	int ret;
457 
458 	/* reseed needed ? */
459 	if (prng_data->ppnows.reseed_counter > prng_reseed_limit) {
460 		ret = prng_sha512_reseed();
461 		if (ret)
462 			return ret;
463 	}
464 
465 	/* PPNO generate */
466 	ret = cpacf_ppno(CPACF_PPNO_SHA512_DRNG_GEN,
467 			 &prng_data->ppnows, buf, nbytes, NULL, 0);
468 	if (ret < 0 || ret != nbytes) {
469 		prng_errorflag = PRNG_GEN_FAILED;
470 		return -EIO;
471 	}
472 
473 	/* FIPS 140-2 Conditional Self Test */
474 	if (fips_enabled) {
475 		if (!memcmp(prng_data->prev, buf, nbytes)) {
476 			prng_errorflag = PRNG_GEN_FAILED;
477 			return -EILSEQ;
478 		}
479 		memcpy(prng_data->prev, buf, nbytes);
480 	}
481 
482 	return ret;
483 }
484 
485 
486 /*** file io functions ***/
487 
488 static int prng_open(struct inode *inode, struct file *file)
489 {
490 	return nonseekable_open(inode, file);
491 }
492 
493 
494 static ssize_t prng_tdes_read(struct file *file, char __user *ubuf,
495 			      size_t nbytes, loff_t *ppos)
496 {
497 	int chunk, n, tmp, ret = 0;
498 
499 	/* lock prng_data struct */
500 	if (mutex_lock_interruptible(&prng_data->mutex))
501 		return -ERESTARTSYS;
502 
503 	while (nbytes) {
504 		if (need_resched()) {
505 			if (signal_pending(current)) {
506 				if (ret == 0)
507 					ret = -ERESTARTSYS;
508 				break;
509 			}
510 			/* give mutex free before calling schedule() */
511 			mutex_unlock(&prng_data->mutex);
512 			schedule();
513 			/* occopy mutex again */
514 			if (mutex_lock_interruptible(&prng_data->mutex)) {
515 				if (ret == 0)
516 					ret = -ERESTARTSYS;
517 				return ret;
518 			}
519 		}
520 
521 		/*
522 		 * we lose some random bytes if an attacker issues
523 		 * reads < 8 bytes, but we don't care
524 		 */
525 		chunk = min_t(int, nbytes, prng_chunk_size);
526 
527 		/* PRNG only likes multiples of 8 bytes */
528 		n = (chunk + 7) & -8;
529 
530 		if (prng_data->prngws.reseed_counter > prng_reseed_limit)
531 			prng_tdes_seed(8);
532 
533 		/* if the CPU supports PRNG stckf is present too */
534 		*((unsigned long long *)prng_data->buf) = get_tod_clock_fast();
535 
536 		/*
537 		 * Beside the STCKF the input for the TDES-EDE is the output
538 		 * of the last operation. We differ here from X9.17 since we
539 		 * only store one timestamp into the buffer. Padding the whole
540 		 * buffer with timestamps does not improve security, since
541 		 * successive stckf have nearly constant offsets.
542 		 * If an attacker knows the first timestamp it would be
543 		 * trivial to guess the additional values. One timestamp
544 		 * is therefore enough and still guarantees unique input values.
545 		 *
546 		 * Note: you can still get strict X9.17 conformity by setting
547 		 * prng_chunk_size to 8 bytes.
548 		*/
549 		tmp = cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
550 				prng_data->buf, prng_data->buf, n);
551 		if (tmp < 0 || tmp != n) {
552 			ret = -EIO;
553 			break;
554 		}
555 
556 		prng_data->prngws.byte_counter += n;
557 		prng_data->prngws.reseed_counter += n;
558 
559 		if (copy_to_user(ubuf, prng_data->buf, chunk))
560 			return -EFAULT;
561 
562 		nbytes -= chunk;
563 		ret += chunk;
564 		ubuf += chunk;
565 	}
566 
567 	/* unlock prng_data struct */
568 	mutex_unlock(&prng_data->mutex);
569 
570 	return ret;
571 }
572 
573 
574 static ssize_t prng_sha512_read(struct file *file, char __user *ubuf,
575 				size_t nbytes, loff_t *ppos)
576 {
577 	int n, ret = 0;
578 	u8 *p;
579 
580 	/* if errorflag is set do nothing and return 'broken pipe' */
581 	if (prng_errorflag)
582 		return -EPIPE;
583 
584 	/* lock prng_data struct */
585 	if (mutex_lock_interruptible(&prng_data->mutex))
586 		return -ERESTARTSYS;
587 
588 	while (nbytes) {
589 		if (need_resched()) {
590 			if (signal_pending(current)) {
591 				if (ret == 0)
592 					ret = -ERESTARTSYS;
593 				break;
594 			}
595 			/* give mutex free before calling schedule() */
596 			mutex_unlock(&prng_data->mutex);
597 			schedule();
598 			/* occopy mutex again */
599 			if (mutex_lock_interruptible(&prng_data->mutex)) {
600 				if (ret == 0)
601 					ret = -ERESTARTSYS;
602 				return ret;
603 			}
604 		}
605 		if (prng_data->rest) {
606 			/* push left over random bytes from the previous read */
607 			p = prng_data->buf + prng_chunk_size - prng_data->rest;
608 			n = (nbytes < prng_data->rest) ?
609 				nbytes : prng_data->rest;
610 			prng_data->rest -= n;
611 		} else {
612 			/* generate one chunk of random bytes into read buf */
613 			p = prng_data->buf;
614 			n = prng_sha512_generate(p, prng_chunk_size);
615 			if (n < 0) {
616 				ret = n;
617 				break;
618 			}
619 			if (nbytes < prng_chunk_size) {
620 				n = nbytes;
621 				prng_data->rest = prng_chunk_size - n;
622 			} else {
623 				n = prng_chunk_size;
624 				prng_data->rest = 0;
625 			}
626 		}
627 		if (copy_to_user(ubuf, p, n)) {
628 			ret = -EFAULT;
629 			break;
630 		}
631 		ubuf += n;
632 		nbytes -= n;
633 		ret += n;
634 	}
635 
636 	/* unlock prng_data struct */
637 	mutex_unlock(&prng_data->mutex);
638 
639 	return ret;
640 }
641 
642 
643 /*** sysfs stuff ***/
644 
645 static const struct file_operations prng_sha512_fops = {
646 	.owner		= THIS_MODULE,
647 	.open		= &prng_open,
648 	.release	= NULL,
649 	.read		= &prng_sha512_read,
650 	.llseek		= noop_llseek,
651 };
652 static const struct file_operations prng_tdes_fops = {
653 	.owner		= THIS_MODULE,
654 	.open		= &prng_open,
655 	.release	= NULL,
656 	.read		= &prng_tdes_read,
657 	.llseek		= noop_llseek,
658 };
659 
660 static struct miscdevice prng_sha512_dev = {
661 	.name	= "prandom",
662 	.minor	= MISC_DYNAMIC_MINOR,
663 	.mode	= 0644,
664 	.fops	= &prng_sha512_fops,
665 };
666 static struct miscdevice prng_tdes_dev = {
667 	.name	= "prandom",
668 	.minor	= MISC_DYNAMIC_MINOR,
669 	.mode	= 0644,
670 	.fops	= &prng_tdes_fops,
671 };
672 
673 
674 /* chunksize attribute (ro) */
675 static ssize_t prng_chunksize_show(struct device *dev,
676 				   struct device_attribute *attr,
677 				   char *buf)
678 {
679 	return snprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
680 }
681 static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL);
682 
683 /* counter attribute (ro) */
684 static ssize_t prng_counter_show(struct device *dev,
685 				 struct device_attribute *attr,
686 				 char *buf)
687 {
688 	u64 counter;
689 
690 	if (mutex_lock_interruptible(&prng_data->mutex))
691 		return -ERESTARTSYS;
692 	if (prng_mode == PRNG_MODE_SHA512)
693 		counter = prng_data->ppnows.stream_bytes;
694 	else
695 		counter = prng_data->prngws.byte_counter;
696 	mutex_unlock(&prng_data->mutex);
697 
698 	return snprintf(buf, PAGE_SIZE, "%llu\n", counter);
699 }
700 static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL);
701 
702 /* errorflag attribute (ro) */
703 static ssize_t prng_errorflag_show(struct device *dev,
704 				   struct device_attribute *attr,
705 				   char *buf)
706 {
707 	return snprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
708 }
709 static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL);
710 
711 /* mode attribute (ro) */
712 static ssize_t prng_mode_show(struct device *dev,
713 			      struct device_attribute *attr,
714 			      char *buf)
715 {
716 	if (prng_mode == PRNG_MODE_TDES)
717 		return snprintf(buf, PAGE_SIZE, "TDES\n");
718 	else
719 		return snprintf(buf, PAGE_SIZE, "SHA512\n");
720 }
721 static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL);
722 
723 /* reseed attribute (w) */
724 static ssize_t prng_reseed_store(struct device *dev,
725 				 struct device_attribute *attr,
726 				 const char *buf, size_t count)
727 {
728 	if (mutex_lock_interruptible(&prng_data->mutex))
729 		return -ERESTARTSYS;
730 	prng_sha512_reseed();
731 	mutex_unlock(&prng_data->mutex);
732 
733 	return count;
734 }
735 static DEVICE_ATTR(reseed, 0200, NULL, prng_reseed_store);
736 
737 /* reseed limit attribute (rw) */
738 static ssize_t prng_reseed_limit_show(struct device *dev,
739 				      struct device_attribute *attr,
740 				      char *buf)
741 {
742 	return snprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
743 }
744 static ssize_t prng_reseed_limit_store(struct device *dev,
745 				       struct device_attribute *attr,
746 				       const char *buf, size_t count)
747 {
748 	unsigned limit;
749 
750 	if (sscanf(buf, "%u\n", &limit) != 1)
751 		return -EINVAL;
752 
753 	if (prng_mode == PRNG_MODE_SHA512) {
754 		if (limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
755 			return -EINVAL;
756 	} else {
757 		if (limit < PRNG_RESEED_LIMIT_TDES_LOWER)
758 			return -EINVAL;
759 	}
760 
761 	prng_reseed_limit = limit;
762 
763 	return count;
764 }
765 static DEVICE_ATTR(reseed_limit, 0644,
766 		   prng_reseed_limit_show, prng_reseed_limit_store);
767 
768 /* strength attribute (ro) */
769 static ssize_t prng_strength_show(struct device *dev,
770 				  struct device_attribute *attr,
771 				  char *buf)
772 {
773 	return snprintf(buf, PAGE_SIZE, "256\n");
774 }
775 static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL);
776 
777 static struct attribute *prng_sha512_dev_attrs[] = {
778 	&dev_attr_errorflag.attr,
779 	&dev_attr_chunksize.attr,
780 	&dev_attr_byte_counter.attr,
781 	&dev_attr_mode.attr,
782 	&dev_attr_reseed.attr,
783 	&dev_attr_reseed_limit.attr,
784 	&dev_attr_strength.attr,
785 	NULL
786 };
787 static struct attribute *prng_tdes_dev_attrs[] = {
788 	&dev_attr_chunksize.attr,
789 	&dev_attr_byte_counter.attr,
790 	&dev_attr_mode.attr,
791 	NULL
792 };
793 
794 static struct attribute_group prng_sha512_dev_attr_group = {
795 	.attrs = prng_sha512_dev_attrs
796 };
797 static struct attribute_group prng_tdes_dev_attr_group = {
798 	.attrs = prng_tdes_dev_attrs
799 };
800 
801 
802 /*** module init and exit ***/
803 
804 static int __init prng_init(void)
805 {
806 	int ret;
807 
808 	/* check if the CPU has a PRNG */
809 	if (!cpacf_query(CPACF_KMC, CPACF_KMC_PRNG))
810 		return -EOPNOTSUPP;
811 
812 	/* choose prng mode */
813 	if (prng_mode != PRNG_MODE_TDES) {
814 		/* check for MSA5 support for PPNO operations */
815 		if (!cpacf_query(CPACF_PPNO, CPACF_PPNO_SHA512_DRNG_GEN)) {
816 			if (prng_mode == PRNG_MODE_SHA512) {
817 				pr_err("The prng module cannot "
818 				       "start in SHA-512 mode\n");
819 				return -EOPNOTSUPP;
820 			}
821 			prng_mode = PRNG_MODE_TDES;
822 		} else
823 			prng_mode = PRNG_MODE_SHA512;
824 	}
825 
826 	if (prng_mode == PRNG_MODE_SHA512) {
827 
828 		/* SHA512 mode */
829 
830 		if (prng_chunk_size < PRNG_CHUNKSIZE_SHA512_MIN
831 		    || prng_chunk_size > PRNG_CHUNKSIZE_SHA512_MAX)
832 			return -EINVAL;
833 		prng_chunk_size = (prng_chunk_size + 0x3f) & ~0x3f;
834 
835 		if (prng_reseed_limit == 0)
836 			prng_reseed_limit = PRNG_RESEED_LIMIT_SHA512;
837 		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
838 			return -EINVAL;
839 
840 		ret = prng_sha512_instantiate();
841 		if (ret)
842 			goto out;
843 
844 		ret = misc_register(&prng_sha512_dev);
845 		if (ret) {
846 			prng_sha512_deinstantiate();
847 			goto out;
848 		}
849 		ret = sysfs_create_group(&prng_sha512_dev.this_device->kobj,
850 					 &prng_sha512_dev_attr_group);
851 		if (ret) {
852 			misc_deregister(&prng_sha512_dev);
853 			prng_sha512_deinstantiate();
854 			goto out;
855 		}
856 
857 	} else {
858 
859 		/* TDES mode */
860 
861 		if (prng_chunk_size < PRNG_CHUNKSIZE_TDES_MIN
862 		    || prng_chunk_size > PRNG_CHUNKSIZE_TDES_MAX)
863 			return -EINVAL;
864 		prng_chunk_size = (prng_chunk_size + 0x07) & ~0x07;
865 
866 		if (prng_reseed_limit == 0)
867 			prng_reseed_limit = PRNG_RESEED_LIMIT_TDES;
868 		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_TDES_LOWER)
869 			return -EINVAL;
870 
871 		ret = prng_tdes_instantiate();
872 		if (ret)
873 			goto out;
874 
875 		ret = misc_register(&prng_tdes_dev);
876 		if (ret) {
877 			prng_tdes_deinstantiate();
878 			goto out;
879 		}
880 		ret = sysfs_create_group(&prng_tdes_dev.this_device->kobj,
881 					 &prng_tdes_dev_attr_group);
882 		if (ret) {
883 			misc_deregister(&prng_tdes_dev);
884 			prng_tdes_deinstantiate();
885 			goto out;
886 		}
887 
888 	}
889 
890 out:
891 	return ret;
892 }
893 
894 
895 static void __exit prng_exit(void)
896 {
897 	if (prng_mode == PRNG_MODE_SHA512) {
898 		sysfs_remove_group(&prng_sha512_dev.this_device->kobj,
899 				   &prng_sha512_dev_attr_group);
900 		misc_deregister(&prng_sha512_dev);
901 		prng_sha512_deinstantiate();
902 	} else {
903 		sysfs_remove_group(&prng_tdes_dev.this_device->kobj,
904 				   &prng_tdes_dev_attr_group);
905 		misc_deregister(&prng_tdes_dev);
906 		prng_tdes_deinstantiate();
907 	}
908 }
909 
910 module_cpu_feature_match(MSA, prng_init);
911 module_exit(prng_exit);
912