xref: /linux/drivers/char/random.c (revision 34f7c6e7d4396090692a09789db231e12cb4762b)
1 // SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
2 /*
3  * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4  * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005
5  * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All rights reserved.
6  *
7  * This driver produces cryptographically secure pseudorandom data. It is divided
8  * into roughly six sections, each with a section header:
9  *
10  *   - Initialization and readiness waiting.
11  *   - Fast key erasure RNG, the "crng".
12  *   - Entropy accumulation and extraction routines.
13  *   - Entropy collection routines.
14  *   - Userspace reader/writer interfaces.
15  *   - Sysctl interface.
16  *
17  * The high level overview is that there is one input pool, into which
18  * various pieces of data are hashed. Some of that data is then "credited" as
19  * having a certain number of bits of entropy. When enough bits of entropy are
20  * available, the hash is finalized and handed as a key to a stream cipher that
21  * expands it indefinitely for various consumers. This key is periodically
22  * refreshed as the various entropy collectors, described below, add data to the
23  * input pool and credit it. There is currently no Fortuna-like scheduler
24  * involved, which can lead to malicious entropy sources causing a premature
25  * reseed, and the entropy estimates are, at best, conservative guesses.
26  */
27 
28 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
29 
30 #include <linux/utsname.h>
31 #include <linux/module.h>
32 #include <linux/kernel.h>
33 #include <linux/major.h>
34 #include <linux/string.h>
35 #include <linux/fcntl.h>
36 #include <linux/slab.h>
37 #include <linux/random.h>
38 #include <linux/poll.h>
39 #include <linux/init.h>
40 #include <linux/fs.h>
41 #include <linux/blkdev.h>
42 #include <linux/interrupt.h>
43 #include <linux/mm.h>
44 #include <linux/nodemask.h>
45 #include <linux/spinlock.h>
46 #include <linux/kthread.h>
47 #include <linux/percpu.h>
48 #include <linux/ptrace.h>
49 #include <linux/workqueue.h>
50 #include <linux/irq.h>
51 #include <linux/ratelimit.h>
52 #include <linux/syscalls.h>
53 #include <linux/completion.h>
54 #include <linux/uuid.h>
55 #include <linux/uaccess.h>
56 #include <crypto/chacha.h>
57 #include <crypto/blake2s.h>
58 #include <asm/processor.h>
59 #include <asm/irq.h>
60 #include <asm/irq_regs.h>
61 #include <asm/io.h>
62 
63 /*********************************************************************
64  *
65  * Initialization and readiness waiting.
66  *
67  * Much of the RNG infrastructure is devoted to various dependencies
68  * being able to wait until the RNG has collected enough entropy and
69  * is ready for safe consumption.
70  *
71  *********************************************************************/
72 
73 /*
74  * crng_init =  0 --> Uninitialized
75  *		1 --> Initialized
76  *		2 --> Initialized from input_pool
77  *
78  * crng_init is protected by base_crng->lock, and only increases
79  * its value (from 0->1->2).
80  */
81 static int crng_init = 0;
82 #define crng_ready() (likely(crng_init > 1))
83 /* Various types of waiters for crng_init->2 transition. */
84 static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
85 static struct fasync_struct *fasync;
86 static DEFINE_SPINLOCK(random_ready_chain_lock);
87 static RAW_NOTIFIER_HEAD(random_ready_chain);
88 
89 /* Control how we warn userspace. */
90 static struct ratelimit_state unseeded_warning =
91 	RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
92 static struct ratelimit_state urandom_warning =
93 	RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
94 static int ratelimit_disable __read_mostly;
95 module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
96 MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
97 
98 /*
99  * Returns whether or not the input pool has been seeded and thus guaranteed
100  * to supply cryptographically secure random numbers. This applies to: the
101  * /dev/urandom device, the get_random_bytes function, and the get_random_{u32,
102  * ,u64,int,long} family of functions.
103  *
104  * Returns: true if the input pool has been seeded.
105  *          false if the input pool has not been seeded.
106  */
107 bool rng_is_initialized(void)
108 {
109 	return crng_ready();
110 }
111 EXPORT_SYMBOL(rng_is_initialized);
112 
113 /* Used by wait_for_random_bytes(), and considered an entropy collector, below. */
114 static void try_to_generate_entropy(void);
115 
116 /*
117  * Wait for the input pool to be seeded and thus guaranteed to supply
118  * cryptographically secure random numbers. This applies to: the /dev/urandom
119  * device, the get_random_bytes function, and the get_random_{u32,u64,int,long}
120  * family of functions. Using any of these functions without first calling
121  * this function forfeits the guarantee of security.
122  *
123  * Returns: 0 if the input pool has been seeded.
124  *          -ERESTARTSYS if the function was interrupted by a signal.
125  */
126 int wait_for_random_bytes(void)
127 {
128 	while (!crng_ready()) {
129 		int ret;
130 
131 		try_to_generate_entropy();
132 		ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
133 		if (ret)
134 			return ret > 0 ? 0 : ret;
135 	}
136 	return 0;
137 }
138 EXPORT_SYMBOL(wait_for_random_bytes);
139 
140 /*
141  * Add a callback function that will be invoked when the input
142  * pool is initialised.
143  *
144  * returns: 0 if callback is successfully added
145  *	    -EALREADY if pool is already initialised (callback not called)
146  */
147 int register_random_ready_notifier(struct notifier_block *nb)
148 {
149 	unsigned long flags;
150 	int ret = -EALREADY;
151 
152 	if (crng_ready())
153 		return ret;
154 
155 	spin_lock_irqsave(&random_ready_chain_lock, flags);
156 	if (!crng_ready())
157 		ret = raw_notifier_chain_register(&random_ready_chain, nb);
158 	spin_unlock_irqrestore(&random_ready_chain_lock, flags);
159 	return ret;
160 }
161 
162 /*
163  * Delete a previously registered readiness callback function.
164  */
165 int unregister_random_ready_notifier(struct notifier_block *nb)
166 {
167 	unsigned long flags;
168 	int ret;
169 
170 	spin_lock_irqsave(&random_ready_chain_lock, flags);
171 	ret = raw_notifier_chain_unregister(&random_ready_chain, nb);
172 	spin_unlock_irqrestore(&random_ready_chain_lock, flags);
173 	return ret;
174 }
175 
176 static void process_random_ready_list(void)
177 {
178 	unsigned long flags;
179 
180 	spin_lock_irqsave(&random_ready_chain_lock, flags);
181 	raw_notifier_call_chain(&random_ready_chain, 0, NULL);
182 	spin_unlock_irqrestore(&random_ready_chain_lock, flags);
183 }
184 
185 #define warn_unseeded_randomness(previous) \
186 	_warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
187 
188 static void _warn_unseeded_randomness(const char *func_name, void *caller, void **previous)
189 {
190 #ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
191 	const bool print_once = false;
192 #else
193 	static bool print_once __read_mostly;
194 #endif
195 
196 	if (print_once || crng_ready() ||
197 	    (previous && (caller == READ_ONCE(*previous))))
198 		return;
199 	WRITE_ONCE(*previous, caller);
200 #ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM
201 	print_once = true;
202 #endif
203 	if (__ratelimit(&unseeded_warning))
204 		printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
205 				func_name, caller, crng_init);
206 }
207 
208 
209 /*********************************************************************
210  *
211  * Fast key erasure RNG, the "crng".
212  *
213  * These functions expand entropy from the entropy extractor into
214  * long streams for external consumption using the "fast key erasure"
215  * RNG described at <https://blog.cr.yp.to/20170723-random.html>.
216  *
217  * There are a few exported interfaces for use by other drivers:
218  *
219  *	void get_random_bytes(void *buf, size_t nbytes)
220  *	u32 get_random_u32()
221  *	u64 get_random_u64()
222  *	unsigned int get_random_int()
223  *	unsigned long get_random_long()
224  *
225  * These interfaces will return the requested number of random bytes
226  * into the given buffer or as a return value. This is equivalent to
227  * a read from /dev/urandom. The u32, u64, int, and long family of
228  * functions may be higher performance for one-off random integers,
229  * because they do a bit of buffering and do not invoke reseeding
230  * until the buffer is emptied.
231  *
232  *********************************************************************/
233 
234 enum {
235 	CRNG_RESEED_INTERVAL = 300 * HZ,
236 	CRNG_INIT_CNT_THRESH = 2 * CHACHA_KEY_SIZE
237 };
238 
239 static struct {
240 	u8 key[CHACHA_KEY_SIZE] __aligned(__alignof__(long));
241 	unsigned long birth;
242 	unsigned long generation;
243 	spinlock_t lock;
244 } base_crng = {
245 	.lock = __SPIN_LOCK_UNLOCKED(base_crng.lock)
246 };
247 
248 struct crng {
249 	u8 key[CHACHA_KEY_SIZE];
250 	unsigned long generation;
251 	local_lock_t lock;
252 };
253 
254 static DEFINE_PER_CPU(struct crng, crngs) = {
255 	.generation = ULONG_MAX,
256 	.lock = INIT_LOCAL_LOCK(crngs.lock),
257 };
258 
259 /* Used by crng_reseed() to extract a new seed from the input pool. */
260 static bool drain_entropy(void *buf, size_t nbytes, bool force);
261 
262 /*
263  * This extracts a new crng key from the input pool, but only if there is a
264  * sufficient amount of entropy available or force is true, in order to
265  * mitigate bruteforcing of newly added bits.
266  */
267 static void crng_reseed(bool force)
268 {
269 	unsigned long flags;
270 	unsigned long next_gen;
271 	u8 key[CHACHA_KEY_SIZE];
272 	bool finalize_init = false;
273 
274 	/* Only reseed if we can, to prevent brute forcing a small amount of new bits. */
275 	if (!drain_entropy(key, sizeof(key), force))
276 		return;
277 
278 	/*
279 	 * We copy the new key into the base_crng, overwriting the old one,
280 	 * and update the generation counter. We avoid hitting ULONG_MAX,
281 	 * because the per-cpu crngs are initialized to ULONG_MAX, so this
282 	 * forces new CPUs that come online to always initialize.
283 	 */
284 	spin_lock_irqsave(&base_crng.lock, flags);
285 	memcpy(base_crng.key, key, sizeof(base_crng.key));
286 	next_gen = base_crng.generation + 1;
287 	if (next_gen == ULONG_MAX)
288 		++next_gen;
289 	WRITE_ONCE(base_crng.generation, next_gen);
290 	WRITE_ONCE(base_crng.birth, jiffies);
291 	if (!crng_ready()) {
292 		crng_init = 2;
293 		finalize_init = true;
294 	}
295 	spin_unlock_irqrestore(&base_crng.lock, flags);
296 	memzero_explicit(key, sizeof(key));
297 	if (finalize_init) {
298 		process_random_ready_list();
299 		wake_up_interruptible(&crng_init_wait);
300 		kill_fasync(&fasync, SIGIO, POLL_IN);
301 		pr_notice("crng init done\n");
302 		if (unseeded_warning.missed) {
303 			pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
304 				  unseeded_warning.missed);
305 			unseeded_warning.missed = 0;
306 		}
307 		if (urandom_warning.missed) {
308 			pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
309 				  urandom_warning.missed);
310 			urandom_warning.missed = 0;
311 		}
312 	}
313 }
314 
315 /*
316  * This generates a ChaCha block using the provided key, and then
317  * immediately overwites that key with half the block. It returns
318  * the resultant ChaCha state to the user, along with the second
319  * half of the block containing 32 bytes of random data that may
320  * be used; random_data_len may not be greater than 32.
321  */
322 static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE],
323 				  u32 chacha_state[CHACHA_STATE_WORDS],
324 				  u8 *random_data, size_t random_data_len)
325 {
326 	u8 first_block[CHACHA_BLOCK_SIZE];
327 
328 	BUG_ON(random_data_len > 32);
329 
330 	chacha_init_consts(chacha_state);
331 	memcpy(&chacha_state[4], key, CHACHA_KEY_SIZE);
332 	memset(&chacha_state[12], 0, sizeof(u32) * 4);
333 	chacha20_block(chacha_state, first_block);
334 
335 	memcpy(key, first_block, CHACHA_KEY_SIZE);
336 	memcpy(random_data, first_block + CHACHA_KEY_SIZE, random_data_len);
337 	memzero_explicit(first_block, sizeof(first_block));
338 }
339 
340 /*
341  * Return whether the crng seed is considered to be sufficiently
342  * old that a reseeding might be attempted. This happens if the last
343  * reseeding was CRNG_RESEED_INTERVAL ago, or during early boot, at
344  * an interval proportional to the uptime.
345  */
346 static bool crng_has_old_seed(void)
347 {
348 	static bool early_boot = true;
349 	unsigned long interval = CRNG_RESEED_INTERVAL;
350 
351 	if (unlikely(READ_ONCE(early_boot))) {
352 		time64_t uptime = ktime_get_seconds();
353 		if (uptime >= CRNG_RESEED_INTERVAL / HZ * 2)
354 			WRITE_ONCE(early_boot, false);
355 		else
356 			interval = max_t(unsigned int, 5 * HZ,
357 					 (unsigned int)uptime / 2 * HZ);
358 	}
359 	return time_after(jiffies, READ_ONCE(base_crng.birth) + interval);
360 }
361 
362 /*
363  * This function returns a ChaCha state that you may use for generating
364  * random data. It also returns up to 32 bytes on its own of random data
365  * that may be used; random_data_len may not be greater than 32.
366  */
367 static void crng_make_state(u32 chacha_state[CHACHA_STATE_WORDS],
368 			    u8 *random_data, size_t random_data_len)
369 {
370 	unsigned long flags;
371 	struct crng *crng;
372 
373 	BUG_ON(random_data_len > 32);
374 
375 	/*
376 	 * For the fast path, we check whether we're ready, unlocked first, and
377 	 * then re-check once locked later. In the case where we're really not
378 	 * ready, we do fast key erasure with the base_crng directly, because
379 	 * this is what crng_pre_init_inject() mutates during early init.
380 	 */
381 	if (!crng_ready()) {
382 		bool ready;
383 
384 		spin_lock_irqsave(&base_crng.lock, flags);
385 		ready = crng_ready();
386 		if (!ready)
387 			crng_fast_key_erasure(base_crng.key, chacha_state,
388 					      random_data, random_data_len);
389 		spin_unlock_irqrestore(&base_crng.lock, flags);
390 		if (!ready)
391 			return;
392 	}
393 
394 	/*
395 	 * If the base_crng is old enough, we try to reseed, which in turn
396 	 * bumps the generation counter that we check below.
397 	 */
398 	if (unlikely(crng_has_old_seed()))
399 		crng_reseed(false);
400 
401 	local_lock_irqsave(&crngs.lock, flags);
402 	crng = raw_cpu_ptr(&crngs);
403 
404 	/*
405 	 * If our per-cpu crng is older than the base_crng, then it means
406 	 * somebody reseeded the base_crng. In that case, we do fast key
407 	 * erasure on the base_crng, and use its output as the new key
408 	 * for our per-cpu crng. This brings us up to date with base_crng.
409 	 */
410 	if (unlikely(crng->generation != READ_ONCE(base_crng.generation))) {
411 		spin_lock(&base_crng.lock);
412 		crng_fast_key_erasure(base_crng.key, chacha_state,
413 				      crng->key, sizeof(crng->key));
414 		crng->generation = base_crng.generation;
415 		spin_unlock(&base_crng.lock);
416 	}
417 
418 	/*
419 	 * Finally, when we've made it this far, our per-cpu crng has an up
420 	 * to date key, and we can do fast key erasure with it to produce
421 	 * some random data and a ChaCha state for the caller. All other
422 	 * branches of this function are "unlikely", so most of the time we
423 	 * should wind up here immediately.
424 	 */
425 	crng_fast_key_erasure(crng->key, chacha_state, random_data, random_data_len);
426 	local_unlock_irqrestore(&crngs.lock, flags);
427 }
428 
429 /*
430  * This function is for crng_init == 0 only. It loads entropy directly
431  * into the crng's key, without going through the input pool. It is,
432  * generally speaking, not very safe, but we use this only at early
433  * boot time when it's better to have something there rather than
434  * nothing.
435  *
436  * If account is set, then the crng_init_cnt counter is incremented.
437  * This shouldn't be set by functions like add_device_randomness(),
438  * where we can't trust the buffer passed to it is guaranteed to be
439  * unpredictable (so it might not have any entropy at all).
440  *
441  * Returns the number of bytes processed from input, which is bounded
442  * by CRNG_INIT_CNT_THRESH if account is true.
443  */
444 static size_t crng_pre_init_inject(const void *input, size_t len, bool account)
445 {
446 	static int crng_init_cnt = 0;
447 	struct blake2s_state hash;
448 	unsigned long flags;
449 
450 	blake2s_init(&hash, sizeof(base_crng.key));
451 
452 	spin_lock_irqsave(&base_crng.lock, flags);
453 	if (crng_init != 0) {
454 		spin_unlock_irqrestore(&base_crng.lock, flags);
455 		return 0;
456 	}
457 
458 	if (account)
459 		len = min_t(size_t, len, CRNG_INIT_CNT_THRESH - crng_init_cnt);
460 
461 	blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
462 	blake2s_update(&hash, input, len);
463 	blake2s_final(&hash, base_crng.key);
464 
465 	if (account) {
466 		crng_init_cnt += len;
467 		if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
468 			++base_crng.generation;
469 			crng_init = 1;
470 		}
471 	}
472 
473 	spin_unlock_irqrestore(&base_crng.lock, flags);
474 
475 	if (crng_init == 1)
476 		pr_notice("fast init done\n");
477 
478 	return len;
479 }
480 
481 static void _get_random_bytes(void *buf, size_t nbytes)
482 {
483 	u32 chacha_state[CHACHA_STATE_WORDS];
484 	u8 tmp[CHACHA_BLOCK_SIZE];
485 	size_t len;
486 
487 	if (!nbytes)
488 		return;
489 
490 	len = min_t(size_t, 32, nbytes);
491 	crng_make_state(chacha_state, buf, len);
492 	nbytes -= len;
493 	buf += len;
494 
495 	while (nbytes) {
496 		if (nbytes < CHACHA_BLOCK_SIZE) {
497 			chacha20_block(chacha_state, tmp);
498 			memcpy(buf, tmp, nbytes);
499 			memzero_explicit(tmp, sizeof(tmp));
500 			break;
501 		}
502 
503 		chacha20_block(chacha_state, buf);
504 		if (unlikely(chacha_state[12] == 0))
505 			++chacha_state[13];
506 		nbytes -= CHACHA_BLOCK_SIZE;
507 		buf += CHACHA_BLOCK_SIZE;
508 	}
509 
510 	memzero_explicit(chacha_state, sizeof(chacha_state));
511 }
512 
513 /*
514  * This function is the exported kernel interface.  It returns some
515  * number of good random numbers, suitable for key generation, seeding
516  * TCP sequence numbers, etc.  It does not rely on the hardware random
517  * number generator.  For random bytes direct from the hardware RNG
518  * (when available), use get_random_bytes_arch(). In order to ensure
519  * that the randomness provided by this function is okay, the function
520  * wait_for_random_bytes() should be called and return 0 at least once
521  * at any point prior.
522  */
523 void get_random_bytes(void *buf, size_t nbytes)
524 {
525 	static void *previous;
526 
527 	warn_unseeded_randomness(&previous);
528 	_get_random_bytes(buf, nbytes);
529 }
530 EXPORT_SYMBOL(get_random_bytes);
531 
532 static ssize_t get_random_bytes_user(void __user *buf, size_t nbytes)
533 {
534 	bool large_request = nbytes > 256;
535 	ssize_t ret = 0;
536 	size_t len;
537 	u32 chacha_state[CHACHA_STATE_WORDS];
538 	u8 output[CHACHA_BLOCK_SIZE];
539 
540 	if (!nbytes)
541 		return 0;
542 
543 	len = min_t(size_t, 32, nbytes);
544 	crng_make_state(chacha_state, output, len);
545 
546 	if (copy_to_user(buf, output, len))
547 		return -EFAULT;
548 	nbytes -= len;
549 	buf += len;
550 	ret += len;
551 
552 	while (nbytes) {
553 		if (large_request && need_resched()) {
554 			if (signal_pending(current))
555 				break;
556 			schedule();
557 		}
558 
559 		chacha20_block(chacha_state, output);
560 		if (unlikely(chacha_state[12] == 0))
561 			++chacha_state[13];
562 
563 		len = min_t(size_t, nbytes, CHACHA_BLOCK_SIZE);
564 		if (copy_to_user(buf, output, len)) {
565 			ret = -EFAULT;
566 			break;
567 		}
568 
569 		nbytes -= len;
570 		buf += len;
571 		ret += len;
572 	}
573 
574 	memzero_explicit(chacha_state, sizeof(chacha_state));
575 	memzero_explicit(output, sizeof(output));
576 	return ret;
577 }
578 
579 /*
580  * Batched entropy returns random integers. The quality of the random
581  * number is good as /dev/urandom. In order to ensure that the randomness
582  * provided by this function is okay, the function wait_for_random_bytes()
583  * should be called and return 0 at least once at any point prior.
584  */
585 struct batched_entropy {
586 	union {
587 		/*
588 		 * We make this 1.5x a ChaCha block, so that we get the
589 		 * remaining 32 bytes from fast key erasure, plus one full
590 		 * block from the detached ChaCha state. We can increase
591 		 * the size of this later if needed so long as we keep the
592 		 * formula of (integer_blocks + 0.5) * CHACHA_BLOCK_SIZE.
593 		 */
594 		u64 entropy_u64[CHACHA_BLOCK_SIZE * 3 / (2 * sizeof(u64))];
595 		u32 entropy_u32[CHACHA_BLOCK_SIZE * 3 / (2 * sizeof(u32))];
596 	};
597 	local_lock_t lock;
598 	unsigned long generation;
599 	unsigned int position;
600 };
601 
602 
603 static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
604 	.lock = INIT_LOCAL_LOCK(batched_entropy_u64.lock),
605 	.position = UINT_MAX
606 };
607 
608 u64 get_random_u64(void)
609 {
610 	u64 ret;
611 	unsigned long flags;
612 	struct batched_entropy *batch;
613 	static void *previous;
614 	unsigned long next_gen;
615 
616 	warn_unseeded_randomness(&previous);
617 
618 	local_lock_irqsave(&batched_entropy_u64.lock, flags);
619 	batch = raw_cpu_ptr(&batched_entropy_u64);
620 
621 	next_gen = READ_ONCE(base_crng.generation);
622 	if (batch->position >= ARRAY_SIZE(batch->entropy_u64) ||
623 	    next_gen != batch->generation) {
624 		_get_random_bytes(batch->entropy_u64, sizeof(batch->entropy_u64));
625 		batch->position = 0;
626 		batch->generation = next_gen;
627 	}
628 
629 	ret = batch->entropy_u64[batch->position];
630 	batch->entropy_u64[batch->position] = 0;
631 	++batch->position;
632 	local_unlock_irqrestore(&batched_entropy_u64.lock, flags);
633 	return ret;
634 }
635 EXPORT_SYMBOL(get_random_u64);
636 
637 static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
638 	.lock = INIT_LOCAL_LOCK(batched_entropy_u32.lock),
639 	.position = UINT_MAX
640 };
641 
642 u32 get_random_u32(void)
643 {
644 	u32 ret;
645 	unsigned long flags;
646 	struct batched_entropy *batch;
647 	static void *previous;
648 	unsigned long next_gen;
649 
650 	warn_unseeded_randomness(&previous);
651 
652 	local_lock_irqsave(&batched_entropy_u32.lock, flags);
653 	batch = raw_cpu_ptr(&batched_entropy_u32);
654 
655 	next_gen = READ_ONCE(base_crng.generation);
656 	if (batch->position >= ARRAY_SIZE(batch->entropy_u32) ||
657 	    next_gen != batch->generation) {
658 		_get_random_bytes(batch->entropy_u32, sizeof(batch->entropy_u32));
659 		batch->position = 0;
660 		batch->generation = next_gen;
661 	}
662 
663 	ret = batch->entropy_u32[batch->position];
664 	batch->entropy_u32[batch->position] = 0;
665 	++batch->position;
666 	local_unlock_irqrestore(&batched_entropy_u32.lock, flags);
667 	return ret;
668 }
669 EXPORT_SYMBOL(get_random_u32);
670 
671 #ifdef CONFIG_SMP
672 /*
673  * This function is called when the CPU is coming up, with entry
674  * CPUHP_RANDOM_PREPARE, which comes before CPUHP_WORKQUEUE_PREP.
675  */
676 int random_prepare_cpu(unsigned int cpu)
677 {
678 	/*
679 	 * When the cpu comes back online, immediately invalidate both
680 	 * the per-cpu crng and all batches, so that we serve fresh
681 	 * randomness.
682 	 */
683 	per_cpu_ptr(&crngs, cpu)->generation = ULONG_MAX;
684 	per_cpu_ptr(&batched_entropy_u32, cpu)->position = UINT_MAX;
685 	per_cpu_ptr(&batched_entropy_u64, cpu)->position = UINT_MAX;
686 	return 0;
687 }
688 #endif
689 
690 /**
691  * randomize_page - Generate a random, page aligned address
692  * @start:	The smallest acceptable address the caller will take.
693  * @range:	The size of the area, starting at @start, within which the
694  *		random address must fall.
695  *
696  * If @start + @range would overflow, @range is capped.
697  *
698  * NOTE: Historical use of randomize_range, which this replaces, presumed that
699  * @start was already page aligned.  We now align it regardless.
700  *
701  * Return: A page aligned address within [start, start + range).  On error,
702  * @start is returned.
703  */
704 unsigned long randomize_page(unsigned long start, unsigned long range)
705 {
706 	if (!PAGE_ALIGNED(start)) {
707 		range -= PAGE_ALIGN(start) - start;
708 		start = PAGE_ALIGN(start);
709 	}
710 
711 	if (start > ULONG_MAX - range)
712 		range = ULONG_MAX - start;
713 
714 	range >>= PAGE_SHIFT;
715 
716 	if (range == 0)
717 		return start;
718 
719 	return start + (get_random_long() % range << PAGE_SHIFT);
720 }
721 
722 /*
723  * This function will use the architecture-specific hardware random
724  * number generator if it is available. It is not recommended for
725  * use. Use get_random_bytes() instead. It returns the number of
726  * bytes filled in.
727  */
728 size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes)
729 {
730 	size_t left = nbytes;
731 	u8 *p = buf;
732 
733 	while (left) {
734 		unsigned long v;
735 		size_t chunk = min_t(size_t, left, sizeof(unsigned long));
736 
737 		if (!arch_get_random_long(&v))
738 			break;
739 
740 		memcpy(p, &v, chunk);
741 		p += chunk;
742 		left -= chunk;
743 	}
744 
745 	return nbytes - left;
746 }
747 EXPORT_SYMBOL(get_random_bytes_arch);
748 
749 
750 /**********************************************************************
751  *
752  * Entropy accumulation and extraction routines.
753  *
754  * Callers may add entropy via:
755  *
756  *     static void mix_pool_bytes(const void *in, size_t nbytes)
757  *
758  * After which, if added entropy should be credited:
759  *
760  *     static void credit_entropy_bits(size_t nbits)
761  *
762  * Finally, extract entropy via these two, with the latter one
763  * setting the entropy count to zero and extracting only if there
764  * is POOL_MIN_BITS entropy credited prior or force is true:
765  *
766  *     static void extract_entropy(void *buf, size_t nbytes)
767  *     static bool drain_entropy(void *buf, size_t nbytes, bool force)
768  *
769  **********************************************************************/
770 
771 enum {
772 	POOL_BITS = BLAKE2S_HASH_SIZE * 8,
773 	POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
774 };
775 
776 /* For notifying userspace should write into /dev/random. */
777 static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
778 
779 static struct {
780 	struct blake2s_state hash;
781 	spinlock_t lock;
782 	unsigned int entropy_count;
783 } input_pool = {
784 	.hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE),
785 		    BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4,
786 		    BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 },
787 	.hash.outlen = BLAKE2S_HASH_SIZE,
788 	.lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
789 };
790 
791 static void _mix_pool_bytes(const void *in, size_t nbytes)
792 {
793 	blake2s_update(&input_pool.hash, in, nbytes);
794 }
795 
796 /*
797  * This function adds bytes into the entropy "pool".  It does not
798  * update the entropy estimate.  The caller should call
799  * credit_entropy_bits if this is appropriate.
800  */
801 static void mix_pool_bytes(const void *in, size_t nbytes)
802 {
803 	unsigned long flags;
804 
805 	spin_lock_irqsave(&input_pool.lock, flags);
806 	_mix_pool_bytes(in, nbytes);
807 	spin_unlock_irqrestore(&input_pool.lock, flags);
808 }
809 
810 static void credit_entropy_bits(size_t nbits)
811 {
812 	unsigned int entropy_count, orig, add;
813 
814 	if (!nbits)
815 		return;
816 
817 	add = min_t(size_t, nbits, POOL_BITS);
818 
819 	do {
820 		orig = READ_ONCE(input_pool.entropy_count);
821 		entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
822 	} while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
823 
824 	if (!crng_ready() && entropy_count >= POOL_MIN_BITS)
825 		crng_reseed(false);
826 }
827 
828 /*
829  * This is an HKDF-like construction for using the hashed collected entropy
830  * as a PRF key, that's then expanded block-by-block.
831  */
832 static void extract_entropy(void *buf, size_t nbytes)
833 {
834 	unsigned long flags;
835 	u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE];
836 	struct {
837 		unsigned long rdseed[32 / sizeof(long)];
838 		size_t counter;
839 	} block;
840 	size_t i;
841 
842 	for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) {
843 		if (!arch_get_random_seed_long(&block.rdseed[i]) &&
844 		    !arch_get_random_long(&block.rdseed[i]))
845 			block.rdseed[i] = random_get_entropy();
846 	}
847 
848 	spin_lock_irqsave(&input_pool.lock, flags);
849 
850 	/* seed = HASHPRF(last_key, entropy_input) */
851 	blake2s_final(&input_pool.hash, seed);
852 
853 	/* next_key = HASHPRF(seed, RDSEED || 0) */
854 	block.counter = 0;
855 	blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed));
856 	blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key));
857 
858 	spin_unlock_irqrestore(&input_pool.lock, flags);
859 	memzero_explicit(next_key, sizeof(next_key));
860 
861 	while (nbytes) {
862 		i = min_t(size_t, nbytes, BLAKE2S_HASH_SIZE);
863 		/* output = HASHPRF(seed, RDSEED || ++counter) */
864 		++block.counter;
865 		blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed));
866 		nbytes -= i;
867 		buf += i;
868 	}
869 
870 	memzero_explicit(seed, sizeof(seed));
871 	memzero_explicit(&block, sizeof(block));
872 }
873 
874 /*
875  * First we make sure we have POOL_MIN_BITS of entropy in the pool unless force
876  * is true, and then we set the entropy count to zero (but don't actually touch
877  * any data). Only then can we extract a new key with extract_entropy().
878  */
879 static bool drain_entropy(void *buf, size_t nbytes, bool force)
880 {
881 	unsigned int entropy_count;
882 	do {
883 		entropy_count = READ_ONCE(input_pool.entropy_count);
884 		if (!force && entropy_count < POOL_MIN_BITS)
885 			return false;
886 	} while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
887 	extract_entropy(buf, nbytes);
888 	wake_up_interruptible(&random_write_wait);
889 	kill_fasync(&fasync, SIGIO, POLL_OUT);
890 	return true;
891 }
892 
893 
894 /**********************************************************************
895  *
896  * Entropy collection routines.
897  *
898  * The following exported functions are used for pushing entropy into
899  * the above entropy accumulation routines:
900  *
901  *	void add_device_randomness(const void *buf, size_t size);
902  *	void add_input_randomness(unsigned int type, unsigned int code,
903  *	                          unsigned int value);
904  *	void add_disk_randomness(struct gendisk *disk);
905  *	void add_hwgenerator_randomness(const void *buffer, size_t count,
906  *					size_t entropy);
907  *	void add_bootloader_randomness(const void *buf, size_t size);
908  *	void add_vmfork_randomness(const void *unique_vm_id, size_t size);
909  *	void add_interrupt_randomness(int irq);
910  *
911  * add_device_randomness() adds data to the input pool that
912  * is likely to differ between two devices (or possibly even per boot).
913  * This would be things like MAC addresses or serial numbers, or the
914  * read-out of the RTC. This does *not* credit any actual entropy to
915  * the pool, but it initializes the pool to different values for devices
916  * that might otherwise be identical and have very little entropy
917  * available to them (particularly common in the embedded world).
918  *
919  * add_input_randomness() uses the input layer interrupt timing, as well
920  * as the event type information from the hardware.
921  *
922  * add_disk_randomness() uses what amounts to the seek time of block
923  * layer request events, on a per-disk_devt basis, as input to the
924  * entropy pool. Note that high-speed solid state drives with very low
925  * seek times do not make for good sources of entropy, as their seek
926  * times are usually fairly consistent.
927  *
928  * The above two routines try to estimate how many bits of entropy
929  * to credit. They do this by keeping track of the first and second
930  * order deltas of the event timings.
931  *
932  * add_hwgenerator_randomness() is for true hardware RNGs, and will credit
933  * entropy as specified by the caller. If the entropy pool is full it will
934  * block until more entropy is needed.
935  *
936  * add_bootloader_randomness() is the same as add_hwgenerator_randomness() or
937  * add_device_randomness(), depending on whether or not the configuration
938  * option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
939  *
940  * add_vmfork_randomness() adds a unique (but not necessarily secret) ID
941  * representing the current instance of a VM to the pool, without crediting,
942  * and then force-reseeds the crng so that it takes effect immediately.
943  *
944  * add_interrupt_randomness() uses the interrupt timing as random
945  * inputs to the entropy pool. Using the cycle counters and the irq source
946  * as inputs, it feeds the input pool roughly once a second or after 64
947  * interrupts, crediting 1 bit of entropy for whichever comes first.
948  *
949  **********************************************************************/
950 
951 static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
952 static bool trust_bootloader __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER);
953 static int __init parse_trust_cpu(char *arg)
954 {
955 	return kstrtobool(arg, &trust_cpu);
956 }
957 static int __init parse_trust_bootloader(char *arg)
958 {
959 	return kstrtobool(arg, &trust_bootloader);
960 }
961 early_param("random.trust_cpu", parse_trust_cpu);
962 early_param("random.trust_bootloader", parse_trust_bootloader);
963 
964 /*
965  * The first collection of entropy occurs at system boot while interrupts
966  * are still turned off. Here we push in RDSEED, a timestamp, and utsname().
967  * Depending on the above configuration knob, RDSEED may be considered
968  * sufficient for initialization. Note that much earlier setup may already
969  * have pushed entropy into the input pool by the time we get here.
970  */
971 int __init rand_initialize(void)
972 {
973 	size_t i;
974 	ktime_t now = ktime_get_real();
975 	bool arch_init = true;
976 	unsigned long rv;
977 
978 #if defined(LATENT_ENTROPY_PLUGIN)
979 	static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy;
980 	_mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed));
981 #endif
982 
983 	for (i = 0; i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) {
984 		if (!arch_get_random_seed_long_early(&rv) &&
985 		    !arch_get_random_long_early(&rv)) {
986 			rv = random_get_entropy();
987 			arch_init = false;
988 		}
989 		_mix_pool_bytes(&rv, sizeof(rv));
990 	}
991 	_mix_pool_bytes(&now, sizeof(now));
992 	_mix_pool_bytes(utsname(), sizeof(*(utsname())));
993 
994 	extract_entropy(base_crng.key, sizeof(base_crng.key));
995 	++base_crng.generation;
996 
997 	if (arch_init && trust_cpu && !crng_ready()) {
998 		crng_init = 2;
999 		pr_notice("crng init done (trusting CPU's manufacturer)\n");
1000 	}
1001 
1002 	if (ratelimit_disable) {
1003 		urandom_warning.interval = 0;
1004 		unseeded_warning.interval = 0;
1005 	}
1006 	return 0;
1007 }
1008 
1009 /*
1010  * Add device- or boot-specific data to the input pool to help
1011  * initialize it.
1012  *
1013  * None of this adds any entropy; it is meant to avoid the problem of
1014  * the entropy pool having similar initial state across largely
1015  * identical devices.
1016  */
1017 void add_device_randomness(const void *buf, size_t size)
1018 {
1019 	cycles_t cycles = random_get_entropy();
1020 	unsigned long flags, now = jiffies;
1021 
1022 	if (crng_init == 0 && size)
1023 		crng_pre_init_inject(buf, size, false);
1024 
1025 	spin_lock_irqsave(&input_pool.lock, flags);
1026 	_mix_pool_bytes(&cycles, sizeof(cycles));
1027 	_mix_pool_bytes(&now, sizeof(now));
1028 	_mix_pool_bytes(buf, size);
1029 	spin_unlock_irqrestore(&input_pool.lock, flags);
1030 }
1031 EXPORT_SYMBOL(add_device_randomness);
1032 
1033 /* There is one of these per entropy source */
1034 struct timer_rand_state {
1035 	unsigned long last_time;
1036 	long last_delta, last_delta2;
1037 };
1038 
1039 /*
1040  * This function adds entropy to the entropy "pool" by using timing
1041  * delays.  It uses the timer_rand_state structure to make an estimate
1042  * of how many bits of entropy this call has added to the pool.
1043  *
1044  * The number "num" is also added to the pool - it should somehow describe
1045  * the type of event which just happened.  This is currently 0-255 for
1046  * keyboard scan codes, and 256 upwards for interrupts.
1047  */
1048 static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
1049 {
1050 	cycles_t cycles = random_get_entropy();
1051 	unsigned long flags, now = jiffies;
1052 	long delta, delta2, delta3;
1053 
1054 	spin_lock_irqsave(&input_pool.lock, flags);
1055 	_mix_pool_bytes(&cycles, sizeof(cycles));
1056 	_mix_pool_bytes(&now, sizeof(now));
1057 	_mix_pool_bytes(&num, sizeof(num));
1058 	spin_unlock_irqrestore(&input_pool.lock, flags);
1059 
1060 	/*
1061 	 * Calculate number of bits of randomness we probably added.
1062 	 * We take into account the first, second and third-order deltas
1063 	 * in order to make our estimate.
1064 	 */
1065 	delta = now - READ_ONCE(state->last_time);
1066 	WRITE_ONCE(state->last_time, now);
1067 
1068 	delta2 = delta - READ_ONCE(state->last_delta);
1069 	WRITE_ONCE(state->last_delta, delta);
1070 
1071 	delta3 = delta2 - READ_ONCE(state->last_delta2);
1072 	WRITE_ONCE(state->last_delta2, delta2);
1073 
1074 	if (delta < 0)
1075 		delta = -delta;
1076 	if (delta2 < 0)
1077 		delta2 = -delta2;
1078 	if (delta3 < 0)
1079 		delta3 = -delta3;
1080 	if (delta > delta2)
1081 		delta = delta2;
1082 	if (delta > delta3)
1083 		delta = delta3;
1084 
1085 	/*
1086 	 * delta is now minimum absolute delta.
1087 	 * Round down by 1 bit on general principles,
1088 	 * and limit entropy estimate to 12 bits.
1089 	 */
1090 	credit_entropy_bits(min_t(unsigned int, fls(delta >> 1), 11));
1091 }
1092 
1093 void add_input_randomness(unsigned int type, unsigned int code,
1094 			  unsigned int value)
1095 {
1096 	static unsigned char last_value;
1097 	static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES };
1098 
1099 	/* Ignore autorepeat and the like. */
1100 	if (value == last_value)
1101 		return;
1102 
1103 	last_value = value;
1104 	add_timer_randomness(&input_timer_state,
1105 			     (type << 4) ^ code ^ (code >> 4) ^ value);
1106 }
1107 EXPORT_SYMBOL_GPL(add_input_randomness);
1108 
1109 #ifdef CONFIG_BLOCK
1110 void add_disk_randomness(struct gendisk *disk)
1111 {
1112 	if (!disk || !disk->random)
1113 		return;
1114 	/* First major is 1, so we get >= 0x200 here. */
1115 	add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
1116 }
1117 EXPORT_SYMBOL_GPL(add_disk_randomness);
1118 
1119 void rand_initialize_disk(struct gendisk *disk)
1120 {
1121 	struct timer_rand_state *state;
1122 
1123 	/*
1124 	 * If kzalloc returns null, we just won't use that entropy
1125 	 * source.
1126 	 */
1127 	state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
1128 	if (state) {
1129 		state->last_time = INITIAL_JIFFIES;
1130 		disk->random = state;
1131 	}
1132 }
1133 #endif
1134 
1135 /*
1136  * Interface for in-kernel drivers of true hardware RNGs.
1137  * Those devices may produce endless random bits and will be throttled
1138  * when our pool is full.
1139  */
1140 void add_hwgenerator_randomness(const void *buffer, size_t count,
1141 				size_t entropy)
1142 {
1143 	if (unlikely(crng_init == 0 && entropy < POOL_MIN_BITS)) {
1144 		size_t ret = crng_pre_init_inject(buffer, count, true);
1145 		mix_pool_bytes(buffer, ret);
1146 		count -= ret;
1147 		buffer += ret;
1148 		if (!count || crng_init == 0)
1149 			return;
1150 	}
1151 
1152 	/*
1153 	 * Throttle writing if we're above the trickle threshold.
1154 	 * We'll be woken up again once below POOL_MIN_BITS, when
1155 	 * the calling thread is about to terminate, or once
1156 	 * CRNG_RESEED_INTERVAL has elapsed.
1157 	 */
1158 	wait_event_interruptible_timeout(random_write_wait,
1159 			!system_wq || kthread_should_stop() ||
1160 			input_pool.entropy_count < POOL_MIN_BITS,
1161 			CRNG_RESEED_INTERVAL);
1162 	mix_pool_bytes(buffer, count);
1163 	credit_entropy_bits(entropy);
1164 }
1165 EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
1166 
1167 /*
1168  * Handle random seed passed by bootloader.
1169  * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
1170  * it would be regarded as device data.
1171  * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
1172  */
1173 void add_bootloader_randomness(const void *buf, size_t size)
1174 {
1175 	if (trust_bootloader)
1176 		add_hwgenerator_randomness(buf, size, size * 8);
1177 	else
1178 		add_device_randomness(buf, size);
1179 }
1180 EXPORT_SYMBOL_GPL(add_bootloader_randomness);
1181 
1182 #if IS_ENABLED(CONFIG_VMGENID)
1183 static BLOCKING_NOTIFIER_HEAD(vmfork_chain);
1184 
1185 /*
1186  * Handle a new unique VM ID, which is unique, not secret, so we
1187  * don't credit it, but we do immediately force a reseed after so
1188  * that it's used by the crng posthaste.
1189  */
1190 void add_vmfork_randomness(const void *unique_vm_id, size_t size)
1191 {
1192 	add_device_randomness(unique_vm_id, size);
1193 	if (crng_ready()) {
1194 		crng_reseed(true);
1195 		pr_notice("crng reseeded due to virtual machine fork\n");
1196 	}
1197 	blocking_notifier_call_chain(&vmfork_chain, 0, NULL);
1198 }
1199 #if IS_MODULE(CONFIG_VMGENID)
1200 EXPORT_SYMBOL_GPL(add_vmfork_randomness);
1201 #endif
1202 
1203 int register_random_vmfork_notifier(struct notifier_block *nb)
1204 {
1205 	return blocking_notifier_chain_register(&vmfork_chain, nb);
1206 }
1207 EXPORT_SYMBOL_GPL(register_random_vmfork_notifier);
1208 
1209 int unregister_random_vmfork_notifier(struct notifier_block *nb)
1210 {
1211 	return blocking_notifier_chain_unregister(&vmfork_chain, nb);
1212 }
1213 EXPORT_SYMBOL_GPL(unregister_random_vmfork_notifier);
1214 #endif
1215 
1216 struct fast_pool {
1217 	struct work_struct mix;
1218 	unsigned long pool[4];
1219 	unsigned long last;
1220 	unsigned int count;
1221 	u16 reg_idx;
1222 };
1223 
1224 static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = {
1225 #ifdef CONFIG_64BIT
1226 	/* SipHash constants */
1227 	.pool = { 0x736f6d6570736575UL, 0x646f72616e646f6dUL,
1228 		  0x6c7967656e657261UL, 0x7465646279746573UL }
1229 #else
1230 	/* HalfSipHash constants */
1231 	.pool = { 0, 0, 0x6c796765U, 0x74656462U }
1232 #endif
1233 };
1234 
1235 /*
1236  * This is [Half]SipHash-1-x, starting from an empty key. Because
1237  * the key is fixed, it assumes that its inputs are non-malicious,
1238  * and therefore this has no security on its own. s represents the
1239  * 128 or 256-bit SipHash state, while v represents a 128-bit input.
1240  */
1241 static void fast_mix(unsigned long s[4], const unsigned long *v)
1242 {
1243 	size_t i;
1244 
1245 	for (i = 0; i < 16 / sizeof(long); ++i) {
1246 		s[3] ^= v[i];
1247 #ifdef CONFIG_64BIT
1248 		s[0] += s[1]; s[1] = rol64(s[1], 13); s[1] ^= s[0]; s[0] = rol64(s[0], 32);
1249 		s[2] += s[3]; s[3] = rol64(s[3], 16); s[3] ^= s[2];
1250 		s[0] += s[3]; s[3] = rol64(s[3], 21); s[3] ^= s[0];
1251 		s[2] += s[1]; s[1] = rol64(s[1], 17); s[1] ^= s[2]; s[2] = rol64(s[2], 32);
1252 #else
1253 		s[0] += s[1]; s[1] = rol32(s[1],  5); s[1] ^= s[0]; s[0] = rol32(s[0], 16);
1254 		s[2] += s[3]; s[3] = rol32(s[3],  8); s[3] ^= s[2];
1255 		s[0] += s[3]; s[3] = rol32(s[3],  7); s[3] ^= s[0];
1256 		s[2] += s[1]; s[1] = rol32(s[1], 13); s[1] ^= s[2]; s[2] = rol32(s[2], 16);
1257 #endif
1258 		s[0] ^= v[i];
1259 	}
1260 }
1261 
1262 #ifdef CONFIG_SMP
1263 /*
1264  * This function is called when the CPU has just come online, with
1265  * entry CPUHP_AP_RANDOM_ONLINE, just after CPUHP_AP_WORKQUEUE_ONLINE.
1266  */
1267 int random_online_cpu(unsigned int cpu)
1268 {
1269 	/*
1270 	 * During CPU shutdown and before CPU onlining, add_interrupt_
1271 	 * randomness() may schedule mix_interrupt_randomness(), and
1272 	 * set the MIX_INFLIGHT flag. However, because the worker can
1273 	 * be scheduled on a different CPU during this period, that
1274 	 * flag will never be cleared. For that reason, we zero out
1275 	 * the flag here, which runs just after workqueues are onlined
1276 	 * for the CPU again. This also has the effect of setting the
1277 	 * irq randomness count to zero so that new accumulated irqs
1278 	 * are fresh.
1279 	 */
1280 	per_cpu_ptr(&irq_randomness, cpu)->count = 0;
1281 	return 0;
1282 }
1283 #endif
1284 
1285 static unsigned long get_reg(struct fast_pool *f, struct pt_regs *regs)
1286 {
1287 	unsigned long *ptr = (unsigned long *)regs;
1288 	unsigned int idx;
1289 
1290 	if (regs == NULL)
1291 		return 0;
1292 	idx = READ_ONCE(f->reg_idx);
1293 	if (idx >= sizeof(struct pt_regs) / sizeof(unsigned long))
1294 		idx = 0;
1295 	ptr += idx++;
1296 	WRITE_ONCE(f->reg_idx, idx);
1297 	return *ptr;
1298 }
1299 
1300 static void mix_interrupt_randomness(struct work_struct *work)
1301 {
1302 	struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix);
1303 	/*
1304 	 * The size of the copied stack pool is explicitly 16 bytes so that we
1305 	 * tax mix_pool_byte()'s compression function the same amount on all
1306 	 * platforms. This means on 64-bit we copy half the pool into this,
1307 	 * while on 32-bit we copy all of it. The entropy is supposed to be
1308 	 * sufficiently dispersed between bits that in the sponge-like
1309 	 * half case, on average we don't wind up "losing" some.
1310 	 */
1311 	u8 pool[16];
1312 
1313 	/* Check to see if we're running on the wrong CPU due to hotplug. */
1314 	local_irq_disable();
1315 	if (fast_pool != this_cpu_ptr(&irq_randomness)) {
1316 		local_irq_enable();
1317 		return;
1318 	}
1319 
1320 	/*
1321 	 * Copy the pool to the stack so that the mixer always has a
1322 	 * consistent view, before we reenable irqs again.
1323 	 */
1324 	memcpy(pool, fast_pool->pool, sizeof(pool));
1325 	fast_pool->count = 0;
1326 	fast_pool->last = jiffies;
1327 	local_irq_enable();
1328 
1329 	if (unlikely(crng_init == 0)) {
1330 		crng_pre_init_inject(pool, sizeof(pool), true);
1331 		mix_pool_bytes(pool, sizeof(pool));
1332 	} else {
1333 		mix_pool_bytes(pool, sizeof(pool));
1334 		credit_entropy_bits(1);
1335 	}
1336 
1337 	memzero_explicit(pool, sizeof(pool));
1338 }
1339 
1340 void add_interrupt_randomness(int irq)
1341 {
1342 	enum { MIX_INFLIGHT = 1U << 31 };
1343 	cycles_t cycles = random_get_entropy();
1344 	unsigned long now = jiffies;
1345 	struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
1346 	struct pt_regs *regs = get_irq_regs();
1347 	unsigned int new_count;
1348 	union {
1349 		u32 u32[4];
1350 		u64 u64[2];
1351 		unsigned long longs[16 / sizeof(long)];
1352 	} irq_data;
1353 
1354 	if (cycles == 0)
1355 		cycles = get_reg(fast_pool, regs);
1356 
1357 	if (sizeof(cycles) == 8)
1358 		irq_data.u64[0] = cycles ^ rol64(now, 32) ^ irq;
1359 	else {
1360 		irq_data.u32[0] = cycles ^ irq;
1361 		irq_data.u32[1] = now;
1362 	}
1363 
1364 	if (sizeof(unsigned long) == 8)
1365 		irq_data.u64[1] = regs ? instruction_pointer(regs) : _RET_IP_;
1366 	else {
1367 		irq_data.u32[2] = regs ? instruction_pointer(regs) : _RET_IP_;
1368 		irq_data.u32[3] = get_reg(fast_pool, regs);
1369 	}
1370 
1371 	fast_mix(fast_pool->pool, irq_data.longs);
1372 	new_count = ++fast_pool->count;
1373 
1374 	if (new_count & MIX_INFLIGHT)
1375 		return;
1376 
1377 	if (new_count < 64 && (!time_after(now, fast_pool->last + HZ) ||
1378 			       unlikely(crng_init == 0)))
1379 		return;
1380 
1381 	if (unlikely(!fast_pool->mix.func))
1382 		INIT_WORK(&fast_pool->mix, mix_interrupt_randomness);
1383 	fast_pool->count |= MIX_INFLIGHT;
1384 	queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix);
1385 }
1386 EXPORT_SYMBOL_GPL(add_interrupt_randomness);
1387 
1388 /*
1389  * Each time the timer fires, we expect that we got an unpredictable
1390  * jump in the cycle counter. Even if the timer is running on another
1391  * CPU, the timer activity will be touching the stack of the CPU that is
1392  * generating entropy..
1393  *
1394  * Note that we don't re-arm the timer in the timer itself - we are
1395  * happy to be scheduled away, since that just makes the load more
1396  * complex, but we do not want the timer to keep ticking unless the
1397  * entropy loop is running.
1398  *
1399  * So the re-arming always happens in the entropy loop itself.
1400  */
1401 static void entropy_timer(struct timer_list *t)
1402 {
1403 	credit_entropy_bits(1);
1404 }
1405 
1406 /*
1407  * If we have an actual cycle counter, see if we can
1408  * generate enough entropy with timing noise
1409  */
1410 static void try_to_generate_entropy(void)
1411 {
1412 	struct {
1413 		cycles_t cycles;
1414 		struct timer_list timer;
1415 	} stack;
1416 
1417 	stack.cycles = random_get_entropy();
1418 
1419 	/* Slow counter - or none. Don't even bother */
1420 	if (stack.cycles == random_get_entropy())
1421 		return;
1422 
1423 	timer_setup_on_stack(&stack.timer, entropy_timer, 0);
1424 	while (!crng_ready() && !signal_pending(current)) {
1425 		if (!timer_pending(&stack.timer))
1426 			mod_timer(&stack.timer, jiffies + 1);
1427 		mix_pool_bytes(&stack.cycles, sizeof(stack.cycles));
1428 		schedule();
1429 		stack.cycles = random_get_entropy();
1430 	}
1431 
1432 	del_timer_sync(&stack.timer);
1433 	destroy_timer_on_stack(&stack.timer);
1434 	mix_pool_bytes(&stack.cycles, sizeof(stack.cycles));
1435 }
1436 
1437 
1438 /**********************************************************************
1439  *
1440  * Userspace reader/writer interfaces.
1441  *
1442  * getrandom(2) is the primary modern interface into the RNG and should
1443  * be used in preference to anything else.
1444  *
1445  * Reading from /dev/random has the same functionality as calling
1446  * getrandom(2) with flags=0. In earlier versions, however, it had
1447  * vastly different semantics and should therefore be avoided, to
1448  * prevent backwards compatibility issues.
1449  *
1450  * Reading from /dev/urandom has the same functionality as calling
1451  * getrandom(2) with flags=GRND_INSECURE. Because it does not block
1452  * waiting for the RNG to be ready, it should not be used.
1453  *
1454  * Writing to either /dev/random or /dev/urandom adds entropy to
1455  * the input pool but does not credit it.
1456  *
1457  * Polling on /dev/random indicates when the RNG is initialized, on
1458  * the read side, and when it wants new entropy, on the write side.
1459  *
1460  * Both /dev/random and /dev/urandom have the same set of ioctls for
1461  * adding entropy, getting the entropy count, zeroing the count, and
1462  * reseeding the crng.
1463  *
1464  **********************************************************************/
1465 
1466 SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int,
1467 		flags)
1468 {
1469 	if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
1470 		return -EINVAL;
1471 
1472 	/*
1473 	 * Requesting insecure and blocking randomness at the same time makes
1474 	 * no sense.
1475 	 */
1476 	if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
1477 		return -EINVAL;
1478 
1479 	if (count > INT_MAX)
1480 		count = INT_MAX;
1481 
1482 	if (!(flags & GRND_INSECURE) && !crng_ready()) {
1483 		int ret;
1484 
1485 		if (flags & GRND_NONBLOCK)
1486 			return -EAGAIN;
1487 		ret = wait_for_random_bytes();
1488 		if (unlikely(ret))
1489 			return ret;
1490 	}
1491 	return get_random_bytes_user(buf, count);
1492 }
1493 
1494 static __poll_t random_poll(struct file *file, poll_table *wait)
1495 {
1496 	__poll_t mask;
1497 
1498 	poll_wait(file, &crng_init_wait, wait);
1499 	poll_wait(file, &random_write_wait, wait);
1500 	mask = 0;
1501 	if (crng_ready())
1502 		mask |= EPOLLIN | EPOLLRDNORM;
1503 	if (input_pool.entropy_count < POOL_MIN_BITS)
1504 		mask |= EPOLLOUT | EPOLLWRNORM;
1505 	return mask;
1506 }
1507 
1508 static int write_pool(const char __user *ubuf, size_t count)
1509 {
1510 	size_t len;
1511 	int ret = 0;
1512 	u8 block[BLAKE2S_BLOCK_SIZE];
1513 
1514 	while (count) {
1515 		len = min(count, sizeof(block));
1516 		if (copy_from_user(block, ubuf, len)) {
1517 			ret = -EFAULT;
1518 			goto out;
1519 		}
1520 		count -= len;
1521 		ubuf += len;
1522 		mix_pool_bytes(block, len);
1523 		cond_resched();
1524 	}
1525 
1526 out:
1527 	memzero_explicit(block, sizeof(block));
1528 	return ret;
1529 }
1530 
1531 static ssize_t random_write(struct file *file, const char __user *buffer,
1532 			    size_t count, loff_t *ppos)
1533 {
1534 	int ret;
1535 
1536 	ret = write_pool(buffer, count);
1537 	if (ret)
1538 		return ret;
1539 
1540 	return (ssize_t)count;
1541 }
1542 
1543 static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
1544 			    loff_t *ppos)
1545 {
1546 	static int maxwarn = 10;
1547 
1548 	if (!crng_ready() && maxwarn > 0) {
1549 		maxwarn--;
1550 		if (__ratelimit(&urandom_warning))
1551 			pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
1552 				  current->comm, nbytes);
1553 	}
1554 
1555 	return get_random_bytes_user(buf, nbytes);
1556 }
1557 
1558 static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes,
1559 			   loff_t *ppos)
1560 {
1561 	int ret;
1562 
1563 	ret = wait_for_random_bytes();
1564 	if (ret != 0)
1565 		return ret;
1566 	return get_random_bytes_user(buf, nbytes);
1567 }
1568 
1569 static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
1570 {
1571 	int size, ent_count;
1572 	int __user *p = (int __user *)arg;
1573 	int retval;
1574 
1575 	switch (cmd) {
1576 	case RNDGETENTCNT:
1577 		/* Inherently racy, no point locking. */
1578 		if (put_user(input_pool.entropy_count, p))
1579 			return -EFAULT;
1580 		return 0;
1581 	case RNDADDTOENTCNT:
1582 		if (!capable(CAP_SYS_ADMIN))
1583 			return -EPERM;
1584 		if (get_user(ent_count, p))
1585 			return -EFAULT;
1586 		if (ent_count < 0)
1587 			return -EINVAL;
1588 		credit_entropy_bits(ent_count);
1589 		return 0;
1590 	case RNDADDENTROPY:
1591 		if (!capable(CAP_SYS_ADMIN))
1592 			return -EPERM;
1593 		if (get_user(ent_count, p++))
1594 			return -EFAULT;
1595 		if (ent_count < 0)
1596 			return -EINVAL;
1597 		if (get_user(size, p++))
1598 			return -EFAULT;
1599 		retval = write_pool((const char __user *)p, size);
1600 		if (retval < 0)
1601 			return retval;
1602 		credit_entropy_bits(ent_count);
1603 		return 0;
1604 	case RNDZAPENTCNT:
1605 	case RNDCLEARPOOL:
1606 		/*
1607 		 * Clear the entropy pool counters. We no longer clear
1608 		 * the entropy pool, as that's silly.
1609 		 */
1610 		if (!capable(CAP_SYS_ADMIN))
1611 			return -EPERM;
1612 		if (xchg(&input_pool.entropy_count, 0) >= POOL_MIN_BITS) {
1613 			wake_up_interruptible(&random_write_wait);
1614 			kill_fasync(&fasync, SIGIO, POLL_OUT);
1615 		}
1616 		return 0;
1617 	case RNDRESEEDCRNG:
1618 		if (!capable(CAP_SYS_ADMIN))
1619 			return -EPERM;
1620 		if (!crng_ready())
1621 			return -ENODATA;
1622 		crng_reseed(false);
1623 		return 0;
1624 	default:
1625 		return -EINVAL;
1626 	}
1627 }
1628 
1629 static int random_fasync(int fd, struct file *filp, int on)
1630 {
1631 	return fasync_helper(fd, filp, on, &fasync);
1632 }
1633 
1634 const struct file_operations random_fops = {
1635 	.read = random_read,
1636 	.write = random_write,
1637 	.poll = random_poll,
1638 	.unlocked_ioctl = random_ioctl,
1639 	.compat_ioctl = compat_ptr_ioctl,
1640 	.fasync = random_fasync,
1641 	.llseek = noop_llseek,
1642 };
1643 
1644 const struct file_operations urandom_fops = {
1645 	.read = urandom_read,
1646 	.write = random_write,
1647 	.unlocked_ioctl = random_ioctl,
1648 	.compat_ioctl = compat_ptr_ioctl,
1649 	.fasync = random_fasync,
1650 	.llseek = noop_llseek,
1651 };
1652 
1653 
1654 /********************************************************************
1655  *
1656  * Sysctl interface.
1657  *
1658  * These are partly unused legacy knobs with dummy values to not break
1659  * userspace and partly still useful things. They are usually accessible
1660  * in /proc/sys/kernel/random/ and are as follows:
1661  *
1662  * - boot_id - a UUID representing the current boot.
1663  *
1664  * - uuid - a random UUID, different each time the file is read.
1665  *
1666  * - poolsize - the number of bits of entropy that the input pool can
1667  *   hold, tied to the POOL_BITS constant.
1668  *
1669  * - entropy_avail - the number of bits of entropy currently in the
1670  *   input pool. Always <= poolsize.
1671  *
1672  * - write_wakeup_threshold - the amount of entropy in the input pool
1673  *   below which write polls to /dev/random will unblock, requesting
1674  *   more entropy, tied to the POOL_MIN_BITS constant. It is writable
1675  *   to avoid breaking old userspaces, but writing to it does not
1676  *   change any behavior of the RNG.
1677  *
1678  * - urandom_min_reseed_secs - fixed to the value CRNG_RESEED_INTERVAL.
1679  *   It is writable to avoid breaking old userspaces, but writing
1680  *   to it does not change any behavior of the RNG.
1681  *
1682  ********************************************************************/
1683 
1684 #ifdef CONFIG_SYSCTL
1685 
1686 #include <linux/sysctl.h>
1687 
1688 static int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ;
1689 static int sysctl_random_write_wakeup_bits = POOL_MIN_BITS;
1690 static int sysctl_poolsize = POOL_BITS;
1691 static u8 sysctl_bootid[UUID_SIZE];
1692 
1693 /*
1694  * This function is used to return both the bootid UUID, and random
1695  * UUID. The difference is in whether table->data is NULL; if it is,
1696  * then a new UUID is generated and returned to the user.
1697  */
1698 static int proc_do_uuid(struct ctl_table *table, int write, void *buffer,
1699 			size_t *lenp, loff_t *ppos)
1700 {
1701 	u8 tmp_uuid[UUID_SIZE], *uuid;
1702 	char uuid_string[UUID_STRING_LEN + 1];
1703 	struct ctl_table fake_table = {
1704 		.data = uuid_string,
1705 		.maxlen = UUID_STRING_LEN
1706 	};
1707 
1708 	if (write)
1709 		return -EPERM;
1710 
1711 	uuid = table->data;
1712 	if (!uuid) {
1713 		uuid = tmp_uuid;
1714 		generate_random_uuid(uuid);
1715 	} else {
1716 		static DEFINE_SPINLOCK(bootid_spinlock);
1717 
1718 		spin_lock(&bootid_spinlock);
1719 		if (!uuid[8])
1720 			generate_random_uuid(uuid);
1721 		spin_unlock(&bootid_spinlock);
1722 	}
1723 
1724 	snprintf(uuid_string, sizeof(uuid_string), "%pU", uuid);
1725 	return proc_dostring(&fake_table, 0, buffer, lenp, ppos);
1726 }
1727 
1728 /* The same as proc_dointvec, but writes don't change anything. */
1729 static int proc_do_rointvec(struct ctl_table *table, int write, void *buffer,
1730 			    size_t *lenp, loff_t *ppos)
1731 {
1732 	return write ? 0 : proc_dointvec(table, 0, buffer, lenp, ppos);
1733 }
1734 
1735 static struct ctl_table random_table[] = {
1736 	{
1737 		.procname	= "poolsize",
1738 		.data		= &sysctl_poolsize,
1739 		.maxlen		= sizeof(int),
1740 		.mode		= 0444,
1741 		.proc_handler	= proc_dointvec,
1742 	},
1743 	{
1744 		.procname	= "entropy_avail",
1745 		.data		= &input_pool.entropy_count,
1746 		.maxlen		= sizeof(int),
1747 		.mode		= 0444,
1748 		.proc_handler	= proc_dointvec,
1749 	},
1750 	{
1751 		.procname	= "write_wakeup_threshold",
1752 		.data		= &sysctl_random_write_wakeup_bits,
1753 		.maxlen		= sizeof(int),
1754 		.mode		= 0644,
1755 		.proc_handler	= proc_do_rointvec,
1756 	},
1757 	{
1758 		.procname	= "urandom_min_reseed_secs",
1759 		.data		= &sysctl_random_min_urandom_seed,
1760 		.maxlen		= sizeof(int),
1761 		.mode		= 0644,
1762 		.proc_handler	= proc_do_rointvec,
1763 	},
1764 	{
1765 		.procname	= "boot_id",
1766 		.data		= &sysctl_bootid,
1767 		.mode		= 0444,
1768 		.proc_handler	= proc_do_uuid,
1769 	},
1770 	{
1771 		.procname	= "uuid",
1772 		.mode		= 0444,
1773 		.proc_handler	= proc_do_uuid,
1774 	},
1775 	{ }
1776 };
1777 
1778 /*
1779  * rand_initialize() is called before sysctl_init(),
1780  * so we cannot call register_sysctl_init() in rand_initialize()
1781  */
1782 static int __init random_sysctls_init(void)
1783 {
1784 	register_sysctl_init("kernel/random", random_table);
1785 	return 0;
1786 }
1787 device_initcall(random_sysctls_init);
1788 #endif
1789