xref: /linux/arch/s390/crypto/prng.c (revision cf2f33a4e54096f90652cca3511fd6a456ea5abe)
1 /*
2  * Copyright IBM Corp. 2006, 2015
3  * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
4  *	      Harald Freudenberger <freude@de.ibm.com>
5  * Driver for the s390 pseudo random number generator
6  */
7 
8 #define KMSG_COMPONENT "prng"
9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
10 
11 #include <linux/fs.h>
12 #include <linux/fips.h>
13 #include <linux/init.h>
14 #include <linux/kernel.h>
15 #include <linux/device.h>
16 #include <linux/miscdevice.h>
17 #include <linux/module.h>
18 #include <linux/moduleparam.h>
19 #include <linux/mutex.h>
20 #include <linux/cpufeature.h>
21 #include <linux/random.h>
22 #include <linux/slab.h>
23 #include <asm/debug.h>
24 #include <asm/uaccess.h>
25 #include <asm/timex.h>
26 
27 #include "crypt_s390.h"
28 
29 MODULE_LICENSE("GPL");
30 MODULE_AUTHOR("IBM Corporation");
31 MODULE_DESCRIPTION("s390 PRNG interface");
32 
33 
34 #define PRNG_MODE_AUTO	  0
35 #define PRNG_MODE_TDES	  1
36 #define PRNG_MODE_SHA512  2
37 
38 static unsigned int prng_mode = PRNG_MODE_AUTO;
39 module_param_named(mode, prng_mode, int, 0);
40 MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512");
41 
42 
43 #define PRNG_CHUNKSIZE_TDES_MIN   8
44 #define PRNG_CHUNKSIZE_TDES_MAX   (64*1024)
45 #define PRNG_CHUNKSIZE_SHA512_MIN 64
46 #define PRNG_CHUNKSIZE_SHA512_MAX (64*1024)
47 
48 static unsigned int prng_chunk_size = 256;
49 module_param_named(chunksize, prng_chunk_size, int, 0);
50 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
51 
52 
53 #define PRNG_RESEED_LIMIT_TDES		 4096
54 #define PRNG_RESEED_LIMIT_TDES_LOWER	 4096
55 #define PRNG_RESEED_LIMIT_SHA512       100000
56 #define PRNG_RESEED_LIMIT_SHA512_LOWER	10000
57 
58 static unsigned int prng_reseed_limit;
59 module_param_named(reseed_limit, prng_reseed_limit, int, 0);
60 MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit");
61 
62 
63 /*
64  * Any one who considers arithmetical methods of producing random digits is,
65  * of course, in a state of sin. -- John von Neumann
66  */
67 
68 static int prng_errorflag;
69 
70 #define PRNG_GEN_ENTROPY_FAILED  1
71 #define PRNG_SELFTEST_FAILED	 2
72 #define PRNG_INSTANTIATE_FAILED  3
73 #define PRNG_SEED_FAILED	 4
74 #define PRNG_RESEED_FAILED	 5
75 #define PRNG_GEN_FAILED		 6
76 
77 struct prng_ws_s {
78 	u8  parm_block[32];
79 	u32 reseed_counter;
80 	u64 byte_counter;
81 };
82 
83 struct ppno_ws_s {
84 	u32 res;
85 	u32 reseed_counter;
86 	u64 stream_bytes;
87 	u8  V[112];
88 	u8  C[112];
89 };
90 
91 struct prng_data_s {
92 	struct mutex mutex;
93 	union {
94 		struct prng_ws_s prngws;
95 		struct ppno_ws_s ppnows;
96 	};
97 	u8 *buf;
98 	u32 rest;
99 	u8 *prev;
100 };
101 
102 static struct prng_data_s *prng_data;
103 
104 /* initial parameter block for tdes mode, copied from libica */
105 static const u8 initial_parm_block[32] __initconst = {
106 	0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52,
107 	0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4,
108 	0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF,
109 	0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0 };
110 
111 
112 /*** helper functions ***/
113 
114 static int generate_entropy(u8 *ebuf, size_t nbytes)
115 {
116 	int n, ret = 0;
117 	u8 *pg, *h, hash[32];
118 
119 	pg = (u8 *) __get_free_page(GFP_KERNEL);
120 	if (!pg) {
121 		prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
122 		return -ENOMEM;
123 	}
124 
125 	while (nbytes) {
126 		/* fill page with urandom bytes */
127 		get_random_bytes(pg, PAGE_SIZE);
128 		/* exor page with stckf values */
129 		for (n = 0; n < PAGE_SIZE / sizeof(u64); n++) {
130 			u64 *p = ((u64 *)pg) + n;
131 			*p ^= get_tod_clock_fast();
132 		}
133 		n = (nbytes < sizeof(hash)) ? nbytes : sizeof(hash);
134 		if (n < sizeof(hash))
135 			h = hash;
136 		else
137 			h = ebuf;
138 		/* generate sha256 from this page */
139 		if (crypt_s390_kimd(KIMD_SHA_256, h,
140 				    pg, PAGE_SIZE) != PAGE_SIZE) {
141 			prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
142 			ret = -EIO;
143 			goto out;
144 		}
145 		if (n < sizeof(hash))
146 			memcpy(ebuf, hash, n);
147 		ret += n;
148 		ebuf += n;
149 		nbytes -= n;
150 	}
151 
152 out:
153 	free_page((unsigned long)pg);
154 	return ret;
155 }
156 
157 
158 /*** tdes functions ***/
159 
160 static void prng_tdes_add_entropy(void)
161 {
162 	__u64 entropy[4];
163 	unsigned int i;
164 	int ret;
165 
166 	for (i = 0; i < 16; i++) {
167 		ret = crypt_s390_kmc(KMC_PRNG, prng_data->prngws.parm_block,
168 				     (char *)entropy, (char *)entropy,
169 				     sizeof(entropy));
170 		BUG_ON(ret < 0 || ret != sizeof(entropy));
171 		memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy));
172 	}
173 }
174 
175 
176 static void prng_tdes_seed(int nbytes)
177 {
178 	char buf[16];
179 	int i = 0;
180 
181 	BUG_ON(nbytes > sizeof(buf));
182 
183 	get_random_bytes(buf, nbytes);
184 
185 	/* Add the entropy */
186 	while (nbytes >= 8) {
187 		*((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i));
188 		prng_tdes_add_entropy();
189 		i += 8;
190 		nbytes -= 8;
191 	}
192 	prng_tdes_add_entropy();
193 	prng_data->prngws.reseed_counter = 0;
194 }
195 
196 
197 static int __init prng_tdes_instantiate(void)
198 {
199 	int datalen;
200 
201 	pr_debug("prng runs in TDES mode with "
202 		 "chunksize=%d and reseed_limit=%u\n",
203 		 prng_chunk_size, prng_reseed_limit);
204 
205 	/* memory allocation, prng_data struct init, mutex init */
206 	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
207 	prng_data = kzalloc(datalen, GFP_KERNEL);
208 	if (!prng_data) {
209 		prng_errorflag = PRNG_INSTANTIATE_FAILED;
210 		return -ENOMEM;
211 	}
212 	mutex_init(&prng_data->mutex);
213 	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
214 	memcpy(prng_data->prngws.parm_block, initial_parm_block, 32);
215 
216 	/* initialize the PRNG, add 128 bits of entropy */
217 	prng_tdes_seed(16);
218 
219 	return 0;
220 }
221 
222 
223 static void prng_tdes_deinstantiate(void)
224 {
225 	pr_debug("The prng module stopped "
226 		 "after running in triple DES mode\n");
227 	kzfree(prng_data);
228 }
229 
230 
231 /*** sha512 functions ***/
232 
233 static int __init prng_sha512_selftest(void)
234 {
235 	/* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */
236 	static const u8 seed[] __initconst = {
237 		0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a,
238 		0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22,
239 		0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b,
240 		0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c,
241 		0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa,
242 		0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25 };
243 	static const u8 V0[] __initconst = {
244 		0x00, 0xad, 0xe3, 0x6f, 0x9a, 0x01, 0xc7, 0x76,
245 		0x61, 0x34, 0x35, 0xf5, 0x4e, 0x24, 0x74, 0x22,
246 		0x21, 0x9a, 0x29, 0x89, 0xc7, 0x93, 0x2e, 0x60,
247 		0x1e, 0xe8, 0x14, 0x24, 0x8d, 0xd5, 0x03, 0xf1,
248 		0x65, 0x5d, 0x08, 0x22, 0x72, 0xd5, 0xad, 0x95,
249 		0xe1, 0x23, 0x1e, 0x8a, 0xa7, 0x13, 0xd9, 0x2b,
250 		0x5e, 0xbc, 0xbb, 0x80, 0xab, 0x8d, 0xe5, 0x79,
251 		0xab, 0x5b, 0x47, 0x4e, 0xdd, 0xee, 0x6b, 0x03,
252 		0x8f, 0x0f, 0x5c, 0x5e, 0xa9, 0x1a, 0x83, 0xdd,
253 		0xd3, 0x88, 0xb2, 0x75, 0x4b, 0xce, 0x83, 0x36,
254 		0x57, 0x4b, 0xf1, 0x5c, 0xca, 0x7e, 0x09, 0xc0,
255 		0xd3, 0x89, 0xc6, 0xe0, 0xda, 0xc4, 0x81, 0x7e,
256 		0x5b, 0xf9, 0xe1, 0x01, 0xc1, 0x92, 0x05, 0xea,
257 		0xf5, 0x2f, 0xc6, 0xc6, 0xc7, 0x8f, 0xbc, 0xf4 };
258 	static const u8 C0[] __initconst = {
259 		0x00, 0xf4, 0xa3, 0xe5, 0xa0, 0x72, 0x63, 0x95,
260 		0xc6, 0x4f, 0x48, 0xd0, 0x8b, 0x5b, 0x5f, 0x8e,
261 		0x6b, 0x96, 0x1f, 0x16, 0xed, 0xbc, 0x66, 0x94,
262 		0x45, 0x31, 0xd7, 0x47, 0x73, 0x22, 0xa5, 0x86,
263 		0xce, 0xc0, 0x4c, 0xac, 0x63, 0xb8, 0x39, 0x50,
264 		0xbf, 0xe6, 0x59, 0x6c, 0x38, 0x58, 0x99, 0x1f,
265 		0x27, 0xa7, 0x9d, 0x71, 0x2a, 0xb3, 0x7b, 0xf9,
266 		0xfb, 0x17, 0x86, 0xaa, 0x99, 0x81, 0xaa, 0x43,
267 		0xe4, 0x37, 0xd3, 0x1e, 0x6e, 0xe5, 0xe6, 0xee,
268 		0xc2, 0xed, 0x95, 0x4f, 0x53, 0x0e, 0x46, 0x8a,
269 		0xcc, 0x45, 0xa5, 0xdb, 0x69, 0x0d, 0x81, 0xc9,
270 		0x32, 0x92, 0xbc, 0x8f, 0x33, 0xe6, 0xf6, 0x09,
271 		0x7c, 0x8e, 0x05, 0x19, 0x0d, 0xf1, 0xb6, 0xcc,
272 		0xf3, 0x02, 0x21, 0x90, 0x25, 0xec, 0xed, 0x0e };
273 	static const u8 random[] __initconst = {
274 		0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57,
275 		0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6,
276 		0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d,
277 		0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf,
278 		0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26,
279 		0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64,
280 		0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55,
281 		0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a,
282 		0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78,
283 		0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e,
284 		0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb,
285 		0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30,
286 		0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19,
287 		0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f,
288 		0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d,
289 		0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a,
290 		0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2,
291 		0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd,
292 		0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd,
293 		0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2,
294 		0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b,
295 		0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1,
296 		0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99,
297 		0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e,
298 		0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3,
299 		0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67,
300 		0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3,
301 		0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d,
302 		0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b,
303 		0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13,
304 		0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c,
305 		0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2 };
306 
307 	int ret = 0;
308 	u8 buf[sizeof(random)];
309 	struct ppno_ws_s ws;
310 
311 	memset(&ws, 0, sizeof(ws));
312 
313 	/* initial seed */
314 	ret = crypt_s390_ppno(PPNO_SHA512_DRNG_SEED,
315 			      &ws, NULL, 0,
316 			      seed, sizeof(seed));
317 	if (ret < 0) {
318 		pr_err("The prng self test seed operation for the "
319 		       "SHA-512 mode failed with rc=%d\n", ret);
320 		prng_errorflag = PRNG_SELFTEST_FAILED;
321 		return -EIO;
322 	}
323 
324 	/* check working states V and C */
325 	if (memcmp(ws.V, V0, sizeof(V0)) != 0
326 	    || memcmp(ws.C, C0, sizeof(C0)) != 0) {
327 		pr_err("The prng self test state test "
328 		       "for the SHA-512 mode failed\n");
329 		prng_errorflag = PRNG_SELFTEST_FAILED;
330 		return -EIO;
331 	}
332 
333 	/* generate random bytes */
334 	ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN,
335 			      &ws, buf, sizeof(buf),
336 			      NULL, 0);
337 	if (ret < 0) {
338 		pr_err("The prng self test generate operation for "
339 		       "the SHA-512 mode failed with rc=%d\n", ret);
340 		prng_errorflag = PRNG_SELFTEST_FAILED;
341 		return -EIO;
342 	}
343 	ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN,
344 			      &ws, buf, sizeof(buf),
345 			      NULL, 0);
346 	if (ret < 0) {
347 		pr_err("The prng self test generate operation for "
348 		       "the SHA-512 mode failed with rc=%d\n", ret);
349 		prng_errorflag = PRNG_SELFTEST_FAILED;
350 		return -EIO;
351 	}
352 
353 	/* check against expected data */
354 	if (memcmp(buf, random, sizeof(random)) != 0) {
355 		pr_err("The prng self test data test "
356 		       "for the SHA-512 mode failed\n");
357 		prng_errorflag = PRNG_SELFTEST_FAILED;
358 		return -EIO;
359 	}
360 
361 	return 0;
362 }
363 
364 
365 static int __init prng_sha512_instantiate(void)
366 {
367 	int ret, datalen;
368 	u8 seed[64];
369 
370 	pr_debug("prng runs in SHA-512 mode "
371 		 "with chunksize=%d and reseed_limit=%u\n",
372 		 prng_chunk_size, prng_reseed_limit);
373 
374 	/* memory allocation, prng_data struct init, mutex init */
375 	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
376 	if (fips_enabled)
377 		datalen += prng_chunk_size;
378 	prng_data = kzalloc(datalen, GFP_KERNEL);
379 	if (!prng_data) {
380 		prng_errorflag = PRNG_INSTANTIATE_FAILED;
381 		return -ENOMEM;
382 	}
383 	mutex_init(&prng_data->mutex);
384 	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
385 
386 	/* selftest */
387 	ret = prng_sha512_selftest();
388 	if (ret)
389 		goto outfree;
390 
391 	/* generate initial seed bytestring, first 48 bytes of entropy */
392 	ret = generate_entropy(seed, 48);
393 	if (ret != 48)
394 		goto outfree;
395 	/* followed by 16 bytes of unique nonce */
396 	get_tod_clock_ext(seed + 48);
397 
398 	/* initial seed of the ppno drng */
399 	ret = crypt_s390_ppno(PPNO_SHA512_DRNG_SEED,
400 			      &prng_data->ppnows, NULL, 0,
401 			      seed, sizeof(seed));
402 	if (ret < 0) {
403 		prng_errorflag = PRNG_SEED_FAILED;
404 		ret = -EIO;
405 		goto outfree;
406 	}
407 
408 	/* if fips mode is enabled, generate a first block of random
409 	   bytes for the FIPS 140-2 Conditional Self Test */
410 	if (fips_enabled) {
411 		prng_data->prev = prng_data->buf + prng_chunk_size;
412 		ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN,
413 				      &prng_data->ppnows,
414 				      prng_data->prev,
415 				      prng_chunk_size,
416 				      NULL, 0);
417 		if (ret < 0 || ret != prng_chunk_size) {
418 			prng_errorflag = PRNG_GEN_FAILED;
419 			ret = -EIO;
420 			goto outfree;
421 		}
422 	}
423 
424 	return 0;
425 
426 outfree:
427 	kfree(prng_data);
428 	return ret;
429 }
430 
431 
432 static void prng_sha512_deinstantiate(void)
433 {
434 	pr_debug("The prng module stopped after running in SHA-512 mode\n");
435 	kzfree(prng_data);
436 }
437 
438 
439 static int prng_sha512_reseed(void)
440 {
441 	int ret;
442 	u8 seed[32];
443 
444 	/* generate 32 bytes of fresh entropy */
445 	ret = generate_entropy(seed, sizeof(seed));
446 	if (ret != sizeof(seed))
447 		return ret;
448 
449 	/* do a reseed of the ppno drng with this bytestring */
450 	ret = crypt_s390_ppno(PPNO_SHA512_DRNG_SEED,
451 			      &prng_data->ppnows, NULL, 0,
452 			      seed, sizeof(seed));
453 	if (ret) {
454 		prng_errorflag = PRNG_RESEED_FAILED;
455 		return -EIO;
456 	}
457 
458 	return 0;
459 }
460 
461 
462 static int prng_sha512_generate(u8 *buf, size_t nbytes)
463 {
464 	int ret;
465 
466 	/* reseed needed ? */
467 	if (prng_data->ppnows.reseed_counter > prng_reseed_limit) {
468 		ret = prng_sha512_reseed();
469 		if (ret)
470 			return ret;
471 	}
472 
473 	/* PPNO generate */
474 	ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN,
475 			      &prng_data->ppnows, buf, nbytes,
476 			      NULL, 0);
477 	if (ret < 0 || ret != nbytes) {
478 		prng_errorflag = PRNG_GEN_FAILED;
479 		return -EIO;
480 	}
481 
482 	/* FIPS 140-2 Conditional Self Test */
483 	if (fips_enabled) {
484 		if (!memcmp(prng_data->prev, buf, nbytes)) {
485 			prng_errorflag = PRNG_GEN_FAILED;
486 			return -EILSEQ;
487 		}
488 		memcpy(prng_data->prev, buf, nbytes);
489 	}
490 
491 	return ret;
492 }
493 
494 
495 /*** file io functions ***/
496 
497 static int prng_open(struct inode *inode, struct file *file)
498 {
499 	return nonseekable_open(inode, file);
500 }
501 
502 
503 static ssize_t prng_tdes_read(struct file *file, char __user *ubuf,
504 			      size_t nbytes, loff_t *ppos)
505 {
506 	int chunk, n, tmp, ret = 0;
507 
508 	/* lock prng_data struct */
509 	if (mutex_lock_interruptible(&prng_data->mutex))
510 		return -ERESTARTSYS;
511 
512 	while (nbytes) {
513 		if (need_resched()) {
514 			if (signal_pending(current)) {
515 				if (ret == 0)
516 					ret = -ERESTARTSYS;
517 				break;
518 			}
519 			/* give mutex free before calling schedule() */
520 			mutex_unlock(&prng_data->mutex);
521 			schedule();
522 			/* occopy mutex again */
523 			if (mutex_lock_interruptible(&prng_data->mutex)) {
524 				if (ret == 0)
525 					ret = -ERESTARTSYS;
526 				return ret;
527 			}
528 		}
529 
530 		/*
531 		 * we lose some random bytes if an attacker issues
532 		 * reads < 8 bytes, but we don't care
533 		 */
534 		chunk = min_t(int, nbytes, prng_chunk_size);
535 
536 		/* PRNG only likes multiples of 8 bytes */
537 		n = (chunk + 7) & -8;
538 
539 		if (prng_data->prngws.reseed_counter > prng_reseed_limit)
540 			prng_tdes_seed(8);
541 
542 		/* if the CPU supports PRNG stckf is present too */
543 		*((unsigned long long *)prng_data->buf) = get_tod_clock_fast();
544 
545 		/*
546 		 * Beside the STCKF the input for the TDES-EDE is the output
547 		 * of the last operation. We differ here from X9.17 since we
548 		 * only store one timestamp into the buffer. Padding the whole
549 		 * buffer with timestamps does not improve security, since
550 		 * successive stckf have nearly constant offsets.
551 		 * If an attacker knows the first timestamp it would be
552 		 * trivial to guess the additional values. One timestamp
553 		 * is therefore enough and still guarantees unique input values.
554 		 *
555 		 * Note: you can still get strict X9.17 conformity by setting
556 		 * prng_chunk_size to 8 bytes.
557 		*/
558 		tmp = crypt_s390_kmc(KMC_PRNG, prng_data->prngws.parm_block,
559 				     prng_data->buf, prng_data->buf, n);
560 		if (tmp < 0 || tmp != n) {
561 			ret = -EIO;
562 			break;
563 		}
564 
565 		prng_data->prngws.byte_counter += n;
566 		prng_data->prngws.reseed_counter += n;
567 
568 		if (copy_to_user(ubuf, prng_data->buf, chunk))
569 			return -EFAULT;
570 
571 		nbytes -= chunk;
572 		ret += chunk;
573 		ubuf += chunk;
574 	}
575 
576 	/* unlock prng_data struct */
577 	mutex_unlock(&prng_data->mutex);
578 
579 	return ret;
580 }
581 
582 
583 static ssize_t prng_sha512_read(struct file *file, char __user *ubuf,
584 				size_t nbytes, loff_t *ppos)
585 {
586 	int n, ret = 0;
587 	u8 *p;
588 
589 	/* if errorflag is set do nothing and return 'broken pipe' */
590 	if (prng_errorflag)
591 		return -EPIPE;
592 
593 	/* lock prng_data struct */
594 	if (mutex_lock_interruptible(&prng_data->mutex))
595 		return -ERESTARTSYS;
596 
597 	while (nbytes) {
598 		if (need_resched()) {
599 			if (signal_pending(current)) {
600 				if (ret == 0)
601 					ret = -ERESTARTSYS;
602 				break;
603 			}
604 			/* give mutex free before calling schedule() */
605 			mutex_unlock(&prng_data->mutex);
606 			schedule();
607 			/* occopy mutex again */
608 			if (mutex_lock_interruptible(&prng_data->mutex)) {
609 				if (ret == 0)
610 					ret = -ERESTARTSYS;
611 				return ret;
612 			}
613 		}
614 		if (prng_data->rest) {
615 			/* push left over random bytes from the previous read */
616 			p = prng_data->buf + prng_chunk_size - prng_data->rest;
617 			n = (nbytes < prng_data->rest) ?
618 				nbytes : prng_data->rest;
619 			prng_data->rest -= n;
620 		} else {
621 			/* generate one chunk of random bytes into read buf */
622 			p = prng_data->buf;
623 			n = prng_sha512_generate(p, prng_chunk_size);
624 			if (n < 0) {
625 				ret = n;
626 				break;
627 			}
628 			if (nbytes < prng_chunk_size) {
629 				n = nbytes;
630 				prng_data->rest = prng_chunk_size - n;
631 			} else {
632 				n = prng_chunk_size;
633 				prng_data->rest = 0;
634 			}
635 		}
636 		if (copy_to_user(ubuf, p, n)) {
637 			ret = -EFAULT;
638 			break;
639 		}
640 		ubuf += n;
641 		nbytes -= n;
642 		ret += n;
643 	}
644 
645 	/* unlock prng_data struct */
646 	mutex_unlock(&prng_data->mutex);
647 
648 	return ret;
649 }
650 
651 
652 /*** sysfs stuff ***/
653 
654 static const struct file_operations prng_sha512_fops = {
655 	.owner		= THIS_MODULE,
656 	.open		= &prng_open,
657 	.release	= NULL,
658 	.read		= &prng_sha512_read,
659 	.llseek		= noop_llseek,
660 };
661 static const struct file_operations prng_tdes_fops = {
662 	.owner		= THIS_MODULE,
663 	.open		= &prng_open,
664 	.release	= NULL,
665 	.read		= &prng_tdes_read,
666 	.llseek		= noop_llseek,
667 };
668 
669 static struct miscdevice prng_sha512_dev = {
670 	.name	= "prandom",
671 	.minor	= MISC_DYNAMIC_MINOR,
672 	.fops	= &prng_sha512_fops,
673 };
674 static struct miscdevice prng_tdes_dev = {
675 	.name	= "prandom",
676 	.minor	= MISC_DYNAMIC_MINOR,
677 	.fops	= &prng_tdes_fops,
678 };
679 
680 
681 /* chunksize attribute (ro) */
682 static ssize_t prng_chunksize_show(struct device *dev,
683 				   struct device_attribute *attr,
684 				   char *buf)
685 {
686 	return snprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
687 }
688 static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL);
689 
690 /* counter attribute (ro) */
691 static ssize_t prng_counter_show(struct device *dev,
692 				 struct device_attribute *attr,
693 				 char *buf)
694 {
695 	u64 counter;
696 
697 	if (mutex_lock_interruptible(&prng_data->mutex))
698 		return -ERESTARTSYS;
699 	if (prng_mode == PRNG_MODE_SHA512)
700 		counter = prng_data->ppnows.stream_bytes;
701 	else
702 		counter = prng_data->prngws.byte_counter;
703 	mutex_unlock(&prng_data->mutex);
704 
705 	return snprintf(buf, PAGE_SIZE, "%llu\n", counter);
706 }
707 static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL);
708 
709 /* errorflag attribute (ro) */
710 static ssize_t prng_errorflag_show(struct device *dev,
711 				   struct device_attribute *attr,
712 				   char *buf)
713 {
714 	return snprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
715 }
716 static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL);
717 
718 /* mode attribute (ro) */
719 static ssize_t prng_mode_show(struct device *dev,
720 			      struct device_attribute *attr,
721 			      char *buf)
722 {
723 	if (prng_mode == PRNG_MODE_TDES)
724 		return snprintf(buf, PAGE_SIZE, "TDES\n");
725 	else
726 		return snprintf(buf, PAGE_SIZE, "SHA512\n");
727 }
728 static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL);
729 
730 /* reseed attribute (w) */
731 static ssize_t prng_reseed_store(struct device *dev,
732 				 struct device_attribute *attr,
733 				 const char *buf, size_t count)
734 {
735 	if (mutex_lock_interruptible(&prng_data->mutex))
736 		return -ERESTARTSYS;
737 	prng_sha512_reseed();
738 	mutex_unlock(&prng_data->mutex);
739 
740 	return count;
741 }
742 static DEVICE_ATTR(reseed, 0200, NULL, prng_reseed_store);
743 
744 /* reseed limit attribute (rw) */
745 static ssize_t prng_reseed_limit_show(struct device *dev,
746 				      struct device_attribute *attr,
747 				      char *buf)
748 {
749 	return snprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
750 }
751 static ssize_t prng_reseed_limit_store(struct device *dev,
752 				       struct device_attribute *attr,
753 				       const char *buf, size_t count)
754 {
755 	unsigned limit;
756 
757 	if (sscanf(buf, "%u\n", &limit) != 1)
758 		return -EINVAL;
759 
760 	if (prng_mode == PRNG_MODE_SHA512) {
761 		if (limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
762 			return -EINVAL;
763 	} else {
764 		if (limit < PRNG_RESEED_LIMIT_TDES_LOWER)
765 			return -EINVAL;
766 	}
767 
768 	prng_reseed_limit = limit;
769 
770 	return count;
771 }
772 static DEVICE_ATTR(reseed_limit, 0644,
773 		   prng_reseed_limit_show, prng_reseed_limit_store);
774 
775 /* strength attribute (ro) */
776 static ssize_t prng_strength_show(struct device *dev,
777 				  struct device_attribute *attr,
778 				  char *buf)
779 {
780 	return snprintf(buf, PAGE_SIZE, "256\n");
781 }
782 static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL);
783 
784 static struct attribute *prng_sha512_dev_attrs[] = {
785 	&dev_attr_errorflag.attr,
786 	&dev_attr_chunksize.attr,
787 	&dev_attr_byte_counter.attr,
788 	&dev_attr_mode.attr,
789 	&dev_attr_reseed.attr,
790 	&dev_attr_reseed_limit.attr,
791 	&dev_attr_strength.attr,
792 	NULL
793 };
794 static struct attribute *prng_tdes_dev_attrs[] = {
795 	&dev_attr_chunksize.attr,
796 	&dev_attr_byte_counter.attr,
797 	&dev_attr_mode.attr,
798 	NULL
799 };
800 
801 static struct attribute_group prng_sha512_dev_attr_group = {
802 	.attrs = prng_sha512_dev_attrs
803 };
804 static struct attribute_group prng_tdes_dev_attr_group = {
805 	.attrs = prng_tdes_dev_attrs
806 };
807 
808 
809 /*** module init and exit ***/
810 
811 static int __init prng_init(void)
812 {
813 	int ret;
814 
815 	/* check if the CPU has a PRNG */
816 	if (!crypt_s390_func_available(KMC_PRNG, CRYPT_S390_MSA))
817 		return -EOPNOTSUPP;
818 
819 	/* choose prng mode */
820 	if (prng_mode != PRNG_MODE_TDES) {
821 		/* check for MSA5 support for PPNO operations */
822 		if (!crypt_s390_func_available(PPNO_SHA512_DRNG_GEN,
823 					       CRYPT_S390_MSA5)) {
824 			if (prng_mode == PRNG_MODE_SHA512) {
825 				pr_err("The prng module cannot "
826 				       "start in SHA-512 mode\n");
827 				return -EOPNOTSUPP;
828 			}
829 			prng_mode = PRNG_MODE_TDES;
830 		} else
831 			prng_mode = PRNG_MODE_SHA512;
832 	}
833 
834 	if (prng_mode == PRNG_MODE_SHA512) {
835 
836 		/* SHA512 mode */
837 
838 		if (prng_chunk_size < PRNG_CHUNKSIZE_SHA512_MIN
839 		    || prng_chunk_size > PRNG_CHUNKSIZE_SHA512_MAX)
840 			return -EINVAL;
841 		prng_chunk_size = (prng_chunk_size + 0x3f) & ~0x3f;
842 
843 		if (prng_reseed_limit == 0)
844 			prng_reseed_limit = PRNG_RESEED_LIMIT_SHA512;
845 		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
846 			return -EINVAL;
847 
848 		ret = prng_sha512_instantiate();
849 		if (ret)
850 			goto out;
851 
852 		ret = misc_register(&prng_sha512_dev);
853 		if (ret) {
854 			prng_sha512_deinstantiate();
855 			goto out;
856 		}
857 		ret = sysfs_create_group(&prng_sha512_dev.this_device->kobj,
858 					 &prng_sha512_dev_attr_group);
859 		if (ret) {
860 			misc_deregister(&prng_sha512_dev);
861 			prng_sha512_deinstantiate();
862 			goto out;
863 		}
864 
865 	} else {
866 
867 		/* TDES mode */
868 
869 		if (prng_chunk_size < PRNG_CHUNKSIZE_TDES_MIN
870 		    || prng_chunk_size > PRNG_CHUNKSIZE_TDES_MAX)
871 			return -EINVAL;
872 		prng_chunk_size = (prng_chunk_size + 0x07) & ~0x07;
873 
874 		if (prng_reseed_limit == 0)
875 			prng_reseed_limit = PRNG_RESEED_LIMIT_TDES;
876 		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_TDES_LOWER)
877 			return -EINVAL;
878 
879 		ret = prng_tdes_instantiate();
880 		if (ret)
881 			goto out;
882 
883 		ret = misc_register(&prng_tdes_dev);
884 		if (ret) {
885 			prng_tdes_deinstantiate();
886 			goto out;
887 		}
888 		ret = sysfs_create_group(&prng_tdes_dev.this_device->kobj,
889 					 &prng_tdes_dev_attr_group);
890 		if (ret) {
891 			misc_deregister(&prng_tdes_dev);
892 			prng_tdes_deinstantiate();
893 			goto out;
894 		}
895 
896 	}
897 
898 out:
899 	return ret;
900 }
901 
902 
903 static void __exit prng_exit(void)
904 {
905 	if (prng_mode == PRNG_MODE_SHA512) {
906 		sysfs_remove_group(&prng_sha512_dev.this_device->kobj,
907 				   &prng_sha512_dev_attr_group);
908 		misc_deregister(&prng_sha512_dev);
909 		prng_sha512_deinstantiate();
910 	} else {
911 		sysfs_remove_group(&prng_tdes_dev.this_device->kobj,
912 				   &prng_tdes_dev_attr_group);
913 		misc_deregister(&prng_tdes_dev);
914 		prng_tdes_deinstantiate();
915 	}
916 }
917 
918 module_cpu_feature_match(MSA, prng_init);
919 module_exit(prng_exit);
920