xref: /linux/arch/s390/crypto/prng.c (revision 2dbc0838bcf24ca59cabc3130cf3b1d6809cdcd4)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright IBM Corp. 2006, 2015
4  * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
5  *	      Harald Freudenberger <freude@de.ibm.com>
6  * Driver for the s390 pseudo random number generator
7  */
8 
9 #define KMSG_COMPONENT "prng"
10 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
11 
12 #include <linux/fs.h>
13 #include <linux/fips.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/device.h>
17 #include <linux/miscdevice.h>
18 #include <linux/module.h>
19 #include <linux/moduleparam.h>
20 #include <linux/mutex.h>
21 #include <linux/cpufeature.h>
22 #include <linux/random.h>
23 #include <linux/slab.h>
24 #include <linux/sched/signal.h>
25 
26 #include <asm/debug.h>
27 #include <linux/uaccess.h>
28 #include <asm/timex.h>
29 #include <asm/cpacf.h>
30 
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("IBM Corporation");
33 MODULE_DESCRIPTION("s390 PRNG interface");
34 
35 
36 #define PRNG_MODE_AUTO	  0
37 #define PRNG_MODE_TDES	  1
38 #define PRNG_MODE_SHA512  2
39 
40 static unsigned int prng_mode = PRNG_MODE_AUTO;
41 module_param_named(mode, prng_mode, int, 0);
42 MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512");
43 
44 
45 #define PRNG_CHUNKSIZE_TDES_MIN   8
46 #define PRNG_CHUNKSIZE_TDES_MAX   (64*1024)
47 #define PRNG_CHUNKSIZE_SHA512_MIN 64
48 #define PRNG_CHUNKSIZE_SHA512_MAX (64*1024)
49 
50 static unsigned int prng_chunk_size = 256;
51 module_param_named(chunksize, prng_chunk_size, int, 0);
52 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
53 
54 
55 #define PRNG_RESEED_LIMIT_TDES		 4096
56 #define PRNG_RESEED_LIMIT_TDES_LOWER	 4096
57 #define PRNG_RESEED_LIMIT_SHA512       100000
58 #define PRNG_RESEED_LIMIT_SHA512_LOWER	10000
59 
60 static unsigned int prng_reseed_limit;
61 module_param_named(reseed_limit, prng_reseed_limit, int, 0);
62 MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit");
63 
64 static bool trng_available;
65 
66 /*
67  * Any one who considers arithmetical methods of producing random digits is,
68  * of course, in a state of sin. -- John von Neumann
69  */
70 
71 static int prng_errorflag;
72 
73 #define PRNG_GEN_ENTROPY_FAILED  1
74 #define PRNG_SELFTEST_FAILED	 2
75 #define PRNG_INSTANTIATE_FAILED  3
76 #define PRNG_SEED_FAILED	 4
77 #define PRNG_RESEED_FAILED	 5
78 #define PRNG_GEN_FAILED		 6
79 
80 struct prng_ws_s {
81 	u8  parm_block[32];
82 	u32 reseed_counter;
83 	u64 byte_counter;
84 };
85 
86 struct prno_ws_s {
87 	u32 res;
88 	u32 reseed_counter;
89 	u64 stream_bytes;
90 	u8  V[112];
91 	u8  C[112];
92 };
93 
94 struct prng_data_s {
95 	struct mutex mutex;
96 	union {
97 		struct prng_ws_s prngws;
98 		struct prno_ws_s prnows;
99 	};
100 	u8 *buf;
101 	u32 rest;
102 	u8 *prev;
103 };
104 
105 static struct prng_data_s *prng_data;
106 
107 /* initial parameter block for tdes mode, copied from libica */
108 static const u8 initial_parm_block[32] __initconst = {
109 	0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52,
110 	0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4,
111 	0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF,
112 	0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0 };
113 
114 
115 /*** helper functions ***/
116 
117 /*
118  * generate_entropy:
119  * This function fills a given buffer with random bytes. The entropy within
120  * the random bytes given back is assumed to have at least 50% - meaning
121  * a 64 bytes buffer has at least 64 * 8 / 2 = 256 bits of entropy.
122  * Within the function the entropy generation is done in junks of 64 bytes.
123  * So the caller should also ask for buffer fill in multiples of 64 bytes.
124  * The generation of the entropy is based on the assumption that every stckf()
125  * invocation produces 0.5 bits of entropy. To accumulate 256 bits of entropy
126  * at least 512 stckf() values are needed. The entropy relevant part of the
127  * stckf value is bit 51 (counting starts at the left with bit nr 0) so
128  * here we use the lower 4 bytes and exor the values into 2k of bufferspace.
129  * To be on the save side, if there is ever a problem with stckf() the
130  * other half of the page buffer is filled with bytes from urandom via
131  * get_random_bytes(), so this function consumes 2k of urandom for each
132  * requested 64 bytes output data. Finally the buffer page is condensed into
133  * a 64 byte value by hashing with a SHA512 hash.
134  */
135 static int generate_entropy(u8 *ebuf, size_t nbytes)
136 {
137 	int n, ret = 0;
138 	u8 *pg, pblock[80] = {
139 		/* 8 x 64 bit init values */
140 		0x6A, 0x09, 0xE6, 0x67, 0xF3, 0xBC, 0xC9, 0x08,
141 		0xBB, 0x67, 0xAE, 0x85, 0x84, 0xCA, 0xA7, 0x3B,
142 		0x3C, 0x6E, 0xF3, 0x72, 0xFE, 0x94, 0xF8, 0x2B,
143 		0xA5, 0x4F, 0xF5, 0x3A, 0x5F, 0x1D, 0x36, 0xF1,
144 		0x51, 0x0E, 0x52, 0x7F, 0xAD, 0xE6, 0x82, 0xD1,
145 		0x9B, 0x05, 0x68, 0x8C, 0x2B, 0x3E, 0x6C, 0x1F,
146 		0x1F, 0x83, 0xD9, 0xAB, 0xFB, 0x41, 0xBD, 0x6B,
147 		0x5B, 0xE0, 0xCD, 0x19, 0x13, 0x7E, 0x21, 0x79,
148 		/* 128 bit counter total message bit length */
149 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
150 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 };
151 
152 	/* allocate one page stckf buffer */
153 	pg = (u8 *) __get_free_page(GFP_KERNEL);
154 	if (!pg) {
155 		prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
156 		return -ENOMEM;
157 	}
158 
159 	/* fill the ebuf in chunks of 64 byte each */
160 	while (nbytes) {
161 		/* fill lower 2k with urandom bytes */
162 		get_random_bytes(pg, PAGE_SIZE / 2);
163 		/* exor upper 2k with 512 stckf values, offset 4 bytes each */
164 		for (n = 0; n < 512; n++) {
165 			int offset = (PAGE_SIZE / 2) + (n * 4) - 4;
166 			u64 *p = (u64 *)(pg + offset);
167 			*p ^= get_tod_clock_fast();
168 		}
169 		/* hash over the filled page */
170 		cpacf_klmd(CPACF_KLMD_SHA_512, pblock, pg, PAGE_SIZE);
171 		n = (nbytes < 64) ? nbytes : 64;
172 		memcpy(ebuf, pblock, n);
173 		ret += n;
174 		ebuf += n;
175 		nbytes -= n;
176 	}
177 
178 	memzero_explicit(pblock, sizeof(pblock));
179 	memzero_explicit(pg, PAGE_SIZE);
180 	free_page((unsigned long)pg);
181 	return ret;
182 }
183 
184 
185 /*** tdes functions ***/
186 
187 static void prng_tdes_add_entropy(void)
188 {
189 	__u64 entropy[4];
190 	unsigned int i;
191 
192 	for (i = 0; i < 16; i++) {
193 		cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
194 			  (char *) entropy, (char *) entropy,
195 			  sizeof(entropy));
196 		memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy));
197 	}
198 }
199 
200 
201 static void prng_tdes_seed(int nbytes)
202 {
203 	char buf[16];
204 	int i = 0;
205 
206 	BUG_ON(nbytes > sizeof(buf));
207 
208 	get_random_bytes(buf, nbytes);
209 
210 	/* Add the entropy */
211 	while (nbytes >= 8) {
212 		*((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i));
213 		prng_tdes_add_entropy();
214 		i += 8;
215 		nbytes -= 8;
216 	}
217 	prng_tdes_add_entropy();
218 	prng_data->prngws.reseed_counter = 0;
219 }
220 
221 
222 static int __init prng_tdes_instantiate(void)
223 {
224 	int datalen;
225 
226 	pr_debug("prng runs in TDES mode with "
227 		 "chunksize=%d and reseed_limit=%u\n",
228 		 prng_chunk_size, prng_reseed_limit);
229 
230 	/* memory allocation, prng_data struct init, mutex init */
231 	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
232 	prng_data = kzalloc(datalen, GFP_KERNEL);
233 	if (!prng_data) {
234 		prng_errorflag = PRNG_INSTANTIATE_FAILED;
235 		return -ENOMEM;
236 	}
237 	mutex_init(&prng_data->mutex);
238 	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
239 	memcpy(prng_data->prngws.parm_block, initial_parm_block, 32);
240 
241 	/* initialize the PRNG, add 128 bits of entropy */
242 	prng_tdes_seed(16);
243 
244 	return 0;
245 }
246 
247 
248 static void prng_tdes_deinstantiate(void)
249 {
250 	pr_debug("The prng module stopped "
251 		 "after running in triple DES mode\n");
252 	kzfree(prng_data);
253 }
254 
255 
256 /*** sha512 functions ***/
257 
258 static int __init prng_sha512_selftest(void)
259 {
260 	/* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */
261 	static const u8 seed[] __initconst = {
262 		0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a,
263 		0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22,
264 		0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b,
265 		0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c,
266 		0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa,
267 		0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25 };
268 	static const u8 V0[] __initconst = {
269 		0x00, 0xad, 0xe3, 0x6f, 0x9a, 0x01, 0xc7, 0x76,
270 		0x61, 0x34, 0x35, 0xf5, 0x4e, 0x24, 0x74, 0x22,
271 		0x21, 0x9a, 0x29, 0x89, 0xc7, 0x93, 0x2e, 0x60,
272 		0x1e, 0xe8, 0x14, 0x24, 0x8d, 0xd5, 0x03, 0xf1,
273 		0x65, 0x5d, 0x08, 0x22, 0x72, 0xd5, 0xad, 0x95,
274 		0xe1, 0x23, 0x1e, 0x8a, 0xa7, 0x13, 0xd9, 0x2b,
275 		0x5e, 0xbc, 0xbb, 0x80, 0xab, 0x8d, 0xe5, 0x79,
276 		0xab, 0x5b, 0x47, 0x4e, 0xdd, 0xee, 0x6b, 0x03,
277 		0x8f, 0x0f, 0x5c, 0x5e, 0xa9, 0x1a, 0x83, 0xdd,
278 		0xd3, 0x88, 0xb2, 0x75, 0x4b, 0xce, 0x83, 0x36,
279 		0x57, 0x4b, 0xf1, 0x5c, 0xca, 0x7e, 0x09, 0xc0,
280 		0xd3, 0x89, 0xc6, 0xe0, 0xda, 0xc4, 0x81, 0x7e,
281 		0x5b, 0xf9, 0xe1, 0x01, 0xc1, 0x92, 0x05, 0xea,
282 		0xf5, 0x2f, 0xc6, 0xc6, 0xc7, 0x8f, 0xbc, 0xf4 };
283 	static const u8 C0[] __initconst = {
284 		0x00, 0xf4, 0xa3, 0xe5, 0xa0, 0x72, 0x63, 0x95,
285 		0xc6, 0x4f, 0x48, 0xd0, 0x8b, 0x5b, 0x5f, 0x8e,
286 		0x6b, 0x96, 0x1f, 0x16, 0xed, 0xbc, 0x66, 0x94,
287 		0x45, 0x31, 0xd7, 0x47, 0x73, 0x22, 0xa5, 0x86,
288 		0xce, 0xc0, 0x4c, 0xac, 0x63, 0xb8, 0x39, 0x50,
289 		0xbf, 0xe6, 0x59, 0x6c, 0x38, 0x58, 0x99, 0x1f,
290 		0x27, 0xa7, 0x9d, 0x71, 0x2a, 0xb3, 0x7b, 0xf9,
291 		0xfb, 0x17, 0x86, 0xaa, 0x99, 0x81, 0xaa, 0x43,
292 		0xe4, 0x37, 0xd3, 0x1e, 0x6e, 0xe5, 0xe6, 0xee,
293 		0xc2, 0xed, 0x95, 0x4f, 0x53, 0x0e, 0x46, 0x8a,
294 		0xcc, 0x45, 0xa5, 0xdb, 0x69, 0x0d, 0x81, 0xc9,
295 		0x32, 0x92, 0xbc, 0x8f, 0x33, 0xe6, 0xf6, 0x09,
296 		0x7c, 0x8e, 0x05, 0x19, 0x0d, 0xf1, 0xb6, 0xcc,
297 		0xf3, 0x02, 0x21, 0x90, 0x25, 0xec, 0xed, 0x0e };
298 	static const u8 random[] __initconst = {
299 		0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57,
300 		0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6,
301 		0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d,
302 		0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf,
303 		0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26,
304 		0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64,
305 		0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55,
306 		0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a,
307 		0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78,
308 		0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e,
309 		0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb,
310 		0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30,
311 		0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19,
312 		0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f,
313 		0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d,
314 		0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a,
315 		0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2,
316 		0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd,
317 		0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd,
318 		0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2,
319 		0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b,
320 		0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1,
321 		0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99,
322 		0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e,
323 		0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3,
324 		0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67,
325 		0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3,
326 		0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d,
327 		0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b,
328 		0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13,
329 		0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c,
330 		0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2 };
331 
332 	u8 buf[sizeof(random)];
333 	struct prno_ws_s ws;
334 
335 	memset(&ws, 0, sizeof(ws));
336 
337 	/* initial seed */
338 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
339 		   &ws, NULL, 0, seed, sizeof(seed));
340 
341 	/* check working states V and C */
342 	if (memcmp(ws.V, V0, sizeof(V0)) != 0
343 	    || memcmp(ws.C, C0, sizeof(C0)) != 0) {
344 		pr_err("The prng self test state test "
345 		       "for the SHA-512 mode failed\n");
346 		prng_errorflag = PRNG_SELFTEST_FAILED;
347 		return -EIO;
348 	}
349 
350 	/* generate random bytes */
351 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
352 		   &ws, buf, sizeof(buf), NULL, 0);
353 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
354 		   &ws, buf, sizeof(buf), NULL, 0);
355 
356 	/* check against expected data */
357 	if (memcmp(buf, random, sizeof(random)) != 0) {
358 		pr_err("The prng self test data test "
359 		       "for the SHA-512 mode failed\n");
360 		prng_errorflag = PRNG_SELFTEST_FAILED;
361 		return -EIO;
362 	}
363 
364 	return 0;
365 }
366 
367 
368 static int __init prng_sha512_instantiate(void)
369 {
370 	int ret, datalen, seedlen;
371 	u8 seed[128 + 16];
372 
373 	pr_debug("prng runs in SHA-512 mode "
374 		 "with chunksize=%d and reseed_limit=%u\n",
375 		 prng_chunk_size, prng_reseed_limit);
376 
377 	/* memory allocation, prng_data struct init, mutex init */
378 	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
379 	if (fips_enabled)
380 		datalen += prng_chunk_size;
381 	prng_data = kzalloc(datalen, GFP_KERNEL);
382 	if (!prng_data) {
383 		prng_errorflag = PRNG_INSTANTIATE_FAILED;
384 		return -ENOMEM;
385 	}
386 	mutex_init(&prng_data->mutex);
387 	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
388 
389 	/* selftest */
390 	ret = prng_sha512_selftest();
391 	if (ret)
392 		goto outfree;
393 
394 	/* generate initial seed, we need at least  256 + 128 bits entropy. */
395 	if (trng_available) {
396 		/*
397 		 * Trng available, so use it. The trng works in chunks of
398 		 * 32 bytes and produces 100% entropy. So we pull 64 bytes
399 		 * which gives us 512 bits entropy.
400 		 */
401 		seedlen = 2 * 32;
402 		cpacf_trng(NULL, 0, seed, seedlen);
403 	} else {
404 		/*
405 		 * No trng available, so use the generate_entropy() function.
406 		 * This function works in 64 byte junks and produces
407 		 * 50% entropy. So we pull 2*64 bytes which gives us 512 bits
408 		 * of entropy.
409 		 */
410 		seedlen = 2 * 64;
411 		ret = generate_entropy(seed, seedlen);
412 		if (ret != seedlen)
413 			goto outfree;
414 	}
415 
416 	/* append the seed by 16 bytes of unique nonce */
417 	get_tod_clock_ext(seed + seedlen);
418 	seedlen += 16;
419 
420 	/* now initial seed of the prno drng */
421 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
422 		   &prng_data->prnows, NULL, 0, seed, seedlen);
423 	memzero_explicit(seed, sizeof(seed));
424 
425 	/* if fips mode is enabled, generate a first block of random
426 	   bytes for the FIPS 140-2 Conditional Self Test */
427 	if (fips_enabled) {
428 		prng_data->prev = prng_data->buf + prng_chunk_size;
429 		cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
430 			   &prng_data->prnows,
431 			   prng_data->prev, prng_chunk_size, NULL, 0);
432 	}
433 
434 	return 0;
435 
436 outfree:
437 	kfree(prng_data);
438 	return ret;
439 }
440 
441 
442 static void prng_sha512_deinstantiate(void)
443 {
444 	pr_debug("The prng module stopped after running in SHA-512 mode\n");
445 	kzfree(prng_data);
446 }
447 
448 
449 static int prng_sha512_reseed(void)
450 {
451 	int ret, seedlen;
452 	u8 seed[64];
453 
454 	/* We need at least 256 bits of fresh entropy for reseeding */
455 	if (trng_available) {
456 		/* trng produces 256 bits entropy in 32 bytes */
457 		seedlen = 32;
458 		cpacf_trng(NULL, 0, seed, seedlen);
459 	} else {
460 		/* generate_entropy() produces 256 bits entropy in 64 bytes */
461 		seedlen = 64;
462 		ret = generate_entropy(seed, seedlen);
463 		if (ret != sizeof(seed))
464 			return ret;
465 	}
466 
467 	/* do a reseed of the prno drng with this bytestring */
468 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
469 		   &prng_data->prnows, NULL, 0, seed, seedlen);
470 	memzero_explicit(seed, sizeof(seed));
471 
472 	return 0;
473 }
474 
475 
476 static int prng_sha512_generate(u8 *buf, size_t nbytes)
477 {
478 	int ret;
479 
480 	/* reseed needed ? */
481 	if (prng_data->prnows.reseed_counter > prng_reseed_limit) {
482 		ret = prng_sha512_reseed();
483 		if (ret)
484 			return ret;
485 	}
486 
487 	/* PRNO generate */
488 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
489 		   &prng_data->prnows, buf, nbytes, NULL, 0);
490 
491 	/* FIPS 140-2 Conditional Self Test */
492 	if (fips_enabled) {
493 		if (!memcmp(prng_data->prev, buf, nbytes)) {
494 			prng_errorflag = PRNG_GEN_FAILED;
495 			return -EILSEQ;
496 		}
497 		memcpy(prng_data->prev, buf, nbytes);
498 	}
499 
500 	return nbytes;
501 }
502 
503 
504 /*** file io functions ***/
505 
506 static int prng_open(struct inode *inode, struct file *file)
507 {
508 	return nonseekable_open(inode, file);
509 }
510 
511 
512 static ssize_t prng_tdes_read(struct file *file, char __user *ubuf,
513 			      size_t nbytes, loff_t *ppos)
514 {
515 	int chunk, n, ret = 0;
516 
517 	/* lock prng_data struct */
518 	if (mutex_lock_interruptible(&prng_data->mutex))
519 		return -ERESTARTSYS;
520 
521 	while (nbytes) {
522 		if (need_resched()) {
523 			if (signal_pending(current)) {
524 				if (ret == 0)
525 					ret = -ERESTARTSYS;
526 				break;
527 			}
528 			/* give mutex free before calling schedule() */
529 			mutex_unlock(&prng_data->mutex);
530 			schedule();
531 			/* occopy mutex again */
532 			if (mutex_lock_interruptible(&prng_data->mutex)) {
533 				if (ret == 0)
534 					ret = -ERESTARTSYS;
535 				return ret;
536 			}
537 		}
538 
539 		/*
540 		 * we lose some random bytes if an attacker issues
541 		 * reads < 8 bytes, but we don't care
542 		 */
543 		chunk = min_t(int, nbytes, prng_chunk_size);
544 
545 		/* PRNG only likes multiples of 8 bytes */
546 		n = (chunk + 7) & -8;
547 
548 		if (prng_data->prngws.reseed_counter > prng_reseed_limit)
549 			prng_tdes_seed(8);
550 
551 		/* if the CPU supports PRNG stckf is present too */
552 		*((unsigned long long *)prng_data->buf) = get_tod_clock_fast();
553 
554 		/*
555 		 * Beside the STCKF the input for the TDES-EDE is the output
556 		 * of the last operation. We differ here from X9.17 since we
557 		 * only store one timestamp into the buffer. Padding the whole
558 		 * buffer with timestamps does not improve security, since
559 		 * successive stckf have nearly constant offsets.
560 		 * If an attacker knows the first timestamp it would be
561 		 * trivial to guess the additional values. One timestamp
562 		 * is therefore enough and still guarantees unique input values.
563 		 *
564 		 * Note: you can still get strict X9.17 conformity by setting
565 		 * prng_chunk_size to 8 bytes.
566 		 */
567 		cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
568 			  prng_data->buf, prng_data->buf, n);
569 
570 		prng_data->prngws.byte_counter += n;
571 		prng_data->prngws.reseed_counter += n;
572 
573 		if (copy_to_user(ubuf, prng_data->buf, chunk)) {
574 			ret = -EFAULT;
575 			break;
576 		}
577 
578 		nbytes -= chunk;
579 		ret += chunk;
580 		ubuf += chunk;
581 	}
582 
583 	/* unlock prng_data struct */
584 	mutex_unlock(&prng_data->mutex);
585 
586 	return ret;
587 }
588 
589 
590 static ssize_t prng_sha512_read(struct file *file, char __user *ubuf,
591 				size_t nbytes, loff_t *ppos)
592 {
593 	int n, ret = 0;
594 	u8 *p;
595 
596 	/* if errorflag is set do nothing and return 'broken pipe' */
597 	if (prng_errorflag)
598 		return -EPIPE;
599 
600 	/* lock prng_data struct */
601 	if (mutex_lock_interruptible(&prng_data->mutex))
602 		return -ERESTARTSYS;
603 
604 	while (nbytes) {
605 		if (need_resched()) {
606 			if (signal_pending(current)) {
607 				if (ret == 0)
608 					ret = -ERESTARTSYS;
609 				break;
610 			}
611 			/* give mutex free before calling schedule() */
612 			mutex_unlock(&prng_data->mutex);
613 			schedule();
614 			/* occopy mutex again */
615 			if (mutex_lock_interruptible(&prng_data->mutex)) {
616 				if (ret == 0)
617 					ret = -ERESTARTSYS;
618 				return ret;
619 			}
620 		}
621 		if (prng_data->rest) {
622 			/* push left over random bytes from the previous read */
623 			p = prng_data->buf + prng_chunk_size - prng_data->rest;
624 			n = (nbytes < prng_data->rest) ?
625 				nbytes : prng_data->rest;
626 			prng_data->rest -= n;
627 		} else {
628 			/* generate one chunk of random bytes into read buf */
629 			p = prng_data->buf;
630 			n = prng_sha512_generate(p, prng_chunk_size);
631 			if (n < 0) {
632 				ret = n;
633 				break;
634 			}
635 			if (nbytes < prng_chunk_size) {
636 				n = nbytes;
637 				prng_data->rest = prng_chunk_size - n;
638 			} else {
639 				n = prng_chunk_size;
640 				prng_data->rest = 0;
641 			}
642 		}
643 		if (copy_to_user(ubuf, p, n)) {
644 			ret = -EFAULT;
645 			break;
646 		}
647 		memzero_explicit(p, n);
648 		ubuf += n;
649 		nbytes -= n;
650 		ret += n;
651 	}
652 
653 	/* unlock prng_data struct */
654 	mutex_unlock(&prng_data->mutex);
655 
656 	return ret;
657 }
658 
659 
660 /*** sysfs stuff ***/
661 
662 static const struct file_operations prng_sha512_fops = {
663 	.owner		= THIS_MODULE,
664 	.open		= &prng_open,
665 	.release	= NULL,
666 	.read		= &prng_sha512_read,
667 	.llseek		= noop_llseek,
668 };
669 static const struct file_operations prng_tdes_fops = {
670 	.owner		= THIS_MODULE,
671 	.open		= &prng_open,
672 	.release	= NULL,
673 	.read		= &prng_tdes_read,
674 	.llseek		= noop_llseek,
675 };
676 
677 static struct miscdevice prng_sha512_dev = {
678 	.name	= "prandom",
679 	.minor	= MISC_DYNAMIC_MINOR,
680 	.mode	= 0644,
681 	.fops	= &prng_sha512_fops,
682 };
683 static struct miscdevice prng_tdes_dev = {
684 	.name	= "prandom",
685 	.minor	= MISC_DYNAMIC_MINOR,
686 	.mode	= 0644,
687 	.fops	= &prng_tdes_fops,
688 };
689 
690 
691 /* chunksize attribute (ro) */
692 static ssize_t prng_chunksize_show(struct device *dev,
693 				   struct device_attribute *attr,
694 				   char *buf)
695 {
696 	return snprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
697 }
698 static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL);
699 
700 /* counter attribute (ro) */
701 static ssize_t prng_counter_show(struct device *dev,
702 				 struct device_attribute *attr,
703 				 char *buf)
704 {
705 	u64 counter;
706 
707 	if (mutex_lock_interruptible(&prng_data->mutex))
708 		return -ERESTARTSYS;
709 	if (prng_mode == PRNG_MODE_SHA512)
710 		counter = prng_data->prnows.stream_bytes;
711 	else
712 		counter = prng_data->prngws.byte_counter;
713 	mutex_unlock(&prng_data->mutex);
714 
715 	return snprintf(buf, PAGE_SIZE, "%llu\n", counter);
716 }
717 static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL);
718 
719 /* errorflag attribute (ro) */
720 static ssize_t prng_errorflag_show(struct device *dev,
721 				   struct device_attribute *attr,
722 				   char *buf)
723 {
724 	return snprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
725 }
726 static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL);
727 
728 /* mode attribute (ro) */
729 static ssize_t prng_mode_show(struct device *dev,
730 			      struct device_attribute *attr,
731 			      char *buf)
732 {
733 	if (prng_mode == PRNG_MODE_TDES)
734 		return snprintf(buf, PAGE_SIZE, "TDES\n");
735 	else
736 		return snprintf(buf, PAGE_SIZE, "SHA512\n");
737 }
738 static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL);
739 
740 /* reseed attribute (w) */
741 static ssize_t prng_reseed_store(struct device *dev,
742 				 struct device_attribute *attr,
743 				 const char *buf, size_t count)
744 {
745 	if (mutex_lock_interruptible(&prng_data->mutex))
746 		return -ERESTARTSYS;
747 	prng_sha512_reseed();
748 	mutex_unlock(&prng_data->mutex);
749 
750 	return count;
751 }
752 static DEVICE_ATTR(reseed, 0200, NULL, prng_reseed_store);
753 
754 /* reseed limit attribute (rw) */
755 static ssize_t prng_reseed_limit_show(struct device *dev,
756 				      struct device_attribute *attr,
757 				      char *buf)
758 {
759 	return snprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
760 }
761 static ssize_t prng_reseed_limit_store(struct device *dev,
762 				       struct device_attribute *attr,
763 				       const char *buf, size_t count)
764 {
765 	unsigned limit;
766 
767 	if (sscanf(buf, "%u\n", &limit) != 1)
768 		return -EINVAL;
769 
770 	if (prng_mode == PRNG_MODE_SHA512) {
771 		if (limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
772 			return -EINVAL;
773 	} else {
774 		if (limit < PRNG_RESEED_LIMIT_TDES_LOWER)
775 			return -EINVAL;
776 	}
777 
778 	prng_reseed_limit = limit;
779 
780 	return count;
781 }
782 static DEVICE_ATTR(reseed_limit, 0644,
783 		   prng_reseed_limit_show, prng_reseed_limit_store);
784 
785 /* strength attribute (ro) */
786 static ssize_t prng_strength_show(struct device *dev,
787 				  struct device_attribute *attr,
788 				  char *buf)
789 {
790 	return snprintf(buf, PAGE_SIZE, "256\n");
791 }
792 static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL);
793 
794 static struct attribute *prng_sha512_dev_attrs[] = {
795 	&dev_attr_errorflag.attr,
796 	&dev_attr_chunksize.attr,
797 	&dev_attr_byte_counter.attr,
798 	&dev_attr_mode.attr,
799 	&dev_attr_reseed.attr,
800 	&dev_attr_reseed_limit.attr,
801 	&dev_attr_strength.attr,
802 	NULL
803 };
804 static struct attribute *prng_tdes_dev_attrs[] = {
805 	&dev_attr_chunksize.attr,
806 	&dev_attr_byte_counter.attr,
807 	&dev_attr_mode.attr,
808 	NULL
809 };
810 
811 static struct attribute_group prng_sha512_dev_attr_group = {
812 	.attrs = prng_sha512_dev_attrs
813 };
814 static struct attribute_group prng_tdes_dev_attr_group = {
815 	.attrs = prng_tdes_dev_attrs
816 };
817 
818 
819 /*** module init and exit ***/
820 
821 static int __init prng_init(void)
822 {
823 	int ret;
824 
825 	/* check if the CPU has a PRNG */
826 	if (!cpacf_query_func(CPACF_KMC, CPACF_KMC_PRNG))
827 		return -ENODEV;
828 
829 	/* check if TRNG subfunction is available */
830 	if (cpacf_query_func(CPACF_PRNO, CPACF_PRNO_TRNG))
831 		trng_available = true;
832 
833 	/* choose prng mode */
834 	if (prng_mode != PRNG_MODE_TDES) {
835 		/* check for MSA5 support for PRNO operations */
836 		if (!cpacf_query_func(CPACF_PRNO, CPACF_PRNO_SHA512_DRNG_GEN)) {
837 			if (prng_mode == PRNG_MODE_SHA512) {
838 				pr_err("The prng module cannot "
839 				       "start in SHA-512 mode\n");
840 				return -ENODEV;
841 			}
842 			prng_mode = PRNG_MODE_TDES;
843 		} else
844 			prng_mode = PRNG_MODE_SHA512;
845 	}
846 
847 	if (prng_mode == PRNG_MODE_SHA512) {
848 
849 		/* SHA512 mode */
850 
851 		if (prng_chunk_size < PRNG_CHUNKSIZE_SHA512_MIN
852 		    || prng_chunk_size > PRNG_CHUNKSIZE_SHA512_MAX)
853 			return -EINVAL;
854 		prng_chunk_size = (prng_chunk_size + 0x3f) & ~0x3f;
855 
856 		if (prng_reseed_limit == 0)
857 			prng_reseed_limit = PRNG_RESEED_LIMIT_SHA512;
858 		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
859 			return -EINVAL;
860 
861 		ret = prng_sha512_instantiate();
862 		if (ret)
863 			goto out;
864 
865 		ret = misc_register(&prng_sha512_dev);
866 		if (ret) {
867 			prng_sha512_deinstantiate();
868 			goto out;
869 		}
870 		ret = sysfs_create_group(&prng_sha512_dev.this_device->kobj,
871 					 &prng_sha512_dev_attr_group);
872 		if (ret) {
873 			misc_deregister(&prng_sha512_dev);
874 			prng_sha512_deinstantiate();
875 			goto out;
876 		}
877 
878 	} else {
879 
880 		/* TDES mode */
881 
882 		if (prng_chunk_size < PRNG_CHUNKSIZE_TDES_MIN
883 		    || prng_chunk_size > PRNG_CHUNKSIZE_TDES_MAX)
884 			return -EINVAL;
885 		prng_chunk_size = (prng_chunk_size + 0x07) & ~0x07;
886 
887 		if (prng_reseed_limit == 0)
888 			prng_reseed_limit = PRNG_RESEED_LIMIT_TDES;
889 		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_TDES_LOWER)
890 			return -EINVAL;
891 
892 		ret = prng_tdes_instantiate();
893 		if (ret)
894 			goto out;
895 
896 		ret = misc_register(&prng_tdes_dev);
897 		if (ret) {
898 			prng_tdes_deinstantiate();
899 			goto out;
900 		}
901 		ret = sysfs_create_group(&prng_tdes_dev.this_device->kobj,
902 					 &prng_tdes_dev_attr_group);
903 		if (ret) {
904 			misc_deregister(&prng_tdes_dev);
905 			prng_tdes_deinstantiate();
906 			goto out;
907 		}
908 
909 	}
910 
911 out:
912 	return ret;
913 }
914 
915 
916 static void __exit prng_exit(void)
917 {
918 	if (prng_mode == PRNG_MODE_SHA512) {
919 		sysfs_remove_group(&prng_sha512_dev.this_device->kobj,
920 				   &prng_sha512_dev_attr_group);
921 		misc_deregister(&prng_sha512_dev);
922 		prng_sha512_deinstantiate();
923 	} else {
924 		sysfs_remove_group(&prng_tdes_dev.this_device->kobj,
925 				   &prng_tdes_dev_attr_group);
926 		misc_deregister(&prng_tdes_dev);
927 		prng_tdes_deinstantiate();
928 	}
929 }
930 
931 module_cpu_feature_match(MSA, prng_init);
932 module_exit(prng_exit);
933