xref: /linux/arch/s390/crypto/prng.c (revision 8fa5723aa7e053d498336b48448b292fc2e0458b) 
1 /*
2  * Copyright IBM Corp. 2006,2007
3  * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
4  * Driver for the s390 pseudo random number generator
5  */
6 #include <linux/fs.h>
7 #include <linux/init.h>
8 #include <linux/kernel.h>
9 #include <linux/smp_lock.h>
10 #include <linux/miscdevice.h>
11 #include <linux/module.h>
12 #include <linux/moduleparam.h>
13 #include <linux/random.h>
14 #include <asm/debug.h>
15 #include <asm/uaccess.h>
16 
17 #include "crypt_s390.h"
18 
19 MODULE_LICENSE("GPL");
20 MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>");
21 MODULE_DESCRIPTION("s390 PRNG interface");
22 
23 static int prng_chunk_size = 256;
24 module_param(prng_chunk_size, int, S_IRUSR | S_IRGRP | S_IROTH);
25 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
26 
27 static int prng_entropy_limit = 4096;
28 module_param(prng_entropy_limit, int, S_IRUSR | S_IRGRP | S_IROTH | S_IWUSR);
29 MODULE_PARM_DESC(prng_entropy_limit,
30 	"PRNG add entropy after that much bytes were produced");
31 
32 /*
33  * Any one who considers arithmetical methods of producing random digits is,
34  * of course, in a state of sin. -- John von Neumann
35  */
36 
37 struct s390_prng_data {
38 	unsigned long count; /* how many bytes were produced */
39 	char *buf;
40 };
41 
42 static struct s390_prng_data *p;
43 
44 /* copied from libica, use a non-zero initial parameter block */
45 static unsigned char parm_block[32] = {
46 0x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4,
47 0x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0,
48 };
49 
50 static int prng_open(struct inode *inode, struct file *file)
51 {
52 	cycle_kernel_lock();
53 	return nonseekable_open(inode, file);
54 }
55 
56 static void prng_add_entropy(void)
57 {
58 	__u64 entropy[4];
59 	unsigned int i;
60 	int ret;
61 
62 	for (i = 0; i < 16; i++) {
63 		ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy,
64 				     (char *)entropy, sizeof(entropy));
65 		BUG_ON(ret < 0 || ret != sizeof(entropy));
66 		memcpy(parm_block, entropy, sizeof(entropy));
67 	}
68 }
69 
70 static void prng_seed(int nbytes)
71 {
72 	char buf[16];
73 	int i = 0;
74 
75 	BUG_ON(nbytes > 16);
76 	get_random_bytes(buf, nbytes);
77 
78 	/* Add the entropy */
79 	while (nbytes >= 8) {
80 		*((__u64 *)parm_block) ^= *((__u64 *)buf+i*8);
81 		prng_add_entropy();
82 		i += 8;
83 		nbytes -= 8;
84 	}
85 	prng_add_entropy();
86 }
87 
88 static ssize_t prng_read(struct file *file, char __user *ubuf, size_t nbytes,
89 			 loff_t *ppos)
90 {
91 	int chunk, n;
92 	int ret = 0;
93 	int tmp;
94 
95 	/* nbytes can be arbitrary length, we split it into chunks */
96 	while (nbytes) {
97 		/* same as in extract_entropy_user in random.c */
98 		if (need_resched()) {
99 			if (signal_pending(current)) {
100 				if (ret == 0)
101 					ret = -ERESTARTSYS;
102 				break;
103 			}
104 			schedule();
105 		}
106 
107 		/*
108 		 * we lose some random bytes if an attacker issues
109 		 * reads < 8 bytes, but we don't care
110 		 */
111 		chunk = min_t(int, nbytes, prng_chunk_size);
112 
113 		/* PRNG only likes multiples of 8 bytes */
114 		n = (chunk + 7) & -8;
115 
116 		if (p->count > prng_entropy_limit)
117 			prng_seed(8);
118 
119 		/* if the CPU supports PRNG stckf is present too */
120 		asm volatile(".insn     s,0xb27c0000,%0"
121 			     : "=m" (*((unsigned long long *)p->buf)) : : "cc");
122 
123 		/*
124 		 * Beside the STCKF the input for the TDES-EDE is the output
125 		 * of the last operation. We differ here from X9.17 since we
126 		 * only store one timestamp into the buffer. Padding the whole
127 		 * buffer with timestamps does not improve security, since
128 		 * successive stckf have nearly constant offsets.
129 		 * If an attacker knows the first timestamp it would be
130 		 * trivial to guess the additional values. One timestamp
131 		 * is therefore enough and still guarantees unique input values.
132 		 *
133 		 * Note: you can still get strict X9.17 conformity by setting
134 		 * prng_chunk_size to 8 bytes.
135 		*/
136 		tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n);
137 		BUG_ON((tmp < 0) || (tmp != n));
138 
139 		p->count += n;
140 
141 		if (copy_to_user(ubuf, p->buf, chunk))
142 			return -EFAULT;
143 
144 		nbytes -= chunk;
145 		ret += chunk;
146 		ubuf += chunk;
147 	}
148 	return ret;
149 }
150 
151 static const struct file_operations prng_fops = {
152 	.owner		= THIS_MODULE,
153 	.open		= &prng_open,
154 	.release	= NULL,
155 	.read		= &prng_read,
156 };
157 
158 static struct miscdevice prng_dev = {
159 	.name	= "prandom",
160 	.minor	= MISC_DYNAMIC_MINOR,
161 	.fops	= &prng_fops,
162 };
163 
164 static int __init prng_init(void)
165 {
166 	int ret;
167 
168 	/* check if the CPU has a PRNG */
169 	if (!crypt_s390_func_available(KMC_PRNG))
170 		return -EOPNOTSUPP;
171 
172 	if (prng_chunk_size < 8)
173 		return -EINVAL;
174 
175 	p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL);
176 	if (!p)
177 		return -ENOMEM;
178 	p->count = 0;
179 
180 	p->buf = kmalloc(prng_chunk_size, GFP_KERNEL);
181 	if (!p->buf) {
182 		ret = -ENOMEM;
183 		goto out_free;
184 	}
185 
186 	/* initialize the PRNG, add 128 bits of entropy */
187 	prng_seed(16);
188 
189 	ret = misc_register(&prng_dev);
190 	if (ret)
191 		goto out_buf;
192 	return 0;
193 
194 out_buf:
195 	kfree(p->buf);
196 out_free:
197 	kfree(p);
198 	return ret;
199 }
200 
201 static void __exit prng_exit(void)
202 {
203 	/* wipe me */
204 	memset(p->buf, 0, prng_chunk_size);
205 	kfree(p->buf);
206 	kfree(p);
207 
208 	misc_deregister(&prng_dev);
209 }
210 
211 module_init(prng_init);
212 module_exit(prng_exit);
213