linux/crypto/jitterentropy.c
<<
>>
Prefs
   1/*
   2 * Non-physical true random number generator based on timing jitter --
   3 * Jitter RNG standalone code.
   4 *
   5 * Copyright Stephan Mueller <smueller@chronox.de>, 2015 - 2020
   6 *
   7 * Design
   8 * ======
   9 *
  10 * See https://www.chronox.de/jent.html
  11 *
  12 * License
  13 * =======
  14 *
  15 * Redistribution and use in source and binary forms, with or without
  16 * modification, are permitted provided that the following conditions
  17 * are met:
  18 * 1. Redistributions of source code must retain the above copyright
  19 *    notice, and the entire permission notice in its entirety,
  20 *    including the disclaimer of warranties.
  21 * 2. Redistributions in binary form must reproduce the above copyright
  22 *    notice, this list of conditions and the following disclaimer in the
  23 *    documentation and/or other materials provided with the distribution.
  24 * 3. The name of the author may not be used to endorse or promote
  25 *    products derived from this software without specific prior
  26 *    written permission.
  27 *
  28 * ALTERNATIVELY, this product may be distributed under the terms of
  29 * the GNU General Public License, in which case the provisions of the GPL2 are
  30 * required INSTEAD OF the above restrictions.  (This clause is
  31 * necessary due to a potential bad interaction between the GPL and
  32 * the restrictions contained in a BSD-style copyright.)
  33 *
  34 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  35 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  36 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
  37 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
  38 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  39 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
  40 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  41 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  42 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  43 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  44 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
  45 * DAMAGE.
  46 */
  47
  48/*
  49 * This Jitterentropy RNG is based on the jitterentropy library
  50 * version 2.2.0 provided at https://www.chronox.de/jent.html
  51 */
  52
  53#ifdef __OPTIMIZE__
  54 #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c."
  55#endif
  56
  57typedef unsigned long long      __u64;
  58typedef long long               __s64;
  59typedef unsigned int            __u32;
  60#define NULL    ((void *) 0)
  61
  62/* The entropy pool */
  63struct rand_data {
  64        /* all data values that are vital to maintain the security
  65         * of the RNG are marked as SENSITIVE. A user must not
  66         * access that information while the RNG executes its loops to
  67         * calculate the next random value. */
  68        __u64 data;             /* SENSITIVE Actual random number */
  69        __u64 old_data;         /* SENSITIVE Previous random number */
  70        __u64 prev_time;        /* SENSITIVE Previous time stamp */
  71#define DATA_SIZE_BITS ((sizeof(__u64)) * 8)
  72        __u64 last_delta;       /* SENSITIVE stuck test */
  73        __s64 last_delta2;      /* SENSITIVE stuck test */
  74        unsigned int osr;       /* Oversample rate */
  75#define JENT_MEMORY_BLOCKS 64
  76#define JENT_MEMORY_BLOCKSIZE 32
  77#define JENT_MEMORY_ACCESSLOOPS 128
  78#define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE)
  79        unsigned char *mem;     /* Memory access location with size of
  80                                 * memblocks * memblocksize */
  81        unsigned int memlocation; /* Pointer to byte in *mem */
  82        unsigned int memblocks; /* Number of memory blocks in *mem */
  83        unsigned int memblocksize; /* Size of one memory block in bytes */
  84        unsigned int memaccessloops; /* Number of memory accesses per random
  85                                      * bit generation */
  86
  87        /* Repetition Count Test */
  88        int rct_count;                  /* Number of stuck values */
  89
  90        /* Adaptive Proportion Test for a significance level of 2^-30 */
  91#define JENT_APT_CUTOFF         325     /* Taken from SP800-90B sec 4.4.2 */
  92#define JENT_APT_WINDOW_SIZE    512     /* Data window size */
  93        /* LSB of time stamp to process */
  94#define JENT_APT_LSB            16
  95#define JENT_APT_WORD_MASK      (JENT_APT_LSB - 1)
  96        unsigned int apt_observations;  /* Number of collected observations */
  97        unsigned int apt_count;         /* APT counter */
  98        unsigned int apt_base;          /* APT base reference */
  99        unsigned int apt_base_set:1;    /* APT base reference set? */
 100
 101        unsigned int health_failure:1;  /* Permanent health failure */
 102};
 103
 104/* Flags that can be used to initialize the RNG */
 105#define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more
 106                                           * entropy, saves MEMORY_SIZE RAM for
 107                                           * entropy collector */
 108
 109/* -- error codes for init function -- */
 110#define JENT_ENOTIME            1 /* Timer service not available */
 111#define JENT_ECOARSETIME        2 /* Timer too coarse for RNG */
 112#define JENT_ENOMONOTONIC       3 /* Timer is not monotonic increasing */
 113#define JENT_EVARVAR            5 /* Timer does not produce variations of
 114                                   * variations (2nd derivation of time is
 115                                   * zero). */
 116#define JENT_ESTUCK             8 /* Too many stuck results during init. */
 117#define JENT_EHEALTH            9 /* Health test failed during initialization */
 118#define JENT_ERCT               10 /* RCT failed during initialization */
 119
 120#include "jitterentropy.h"
 121
 122/***************************************************************************
 123 * Adaptive Proportion Test
 124 *
 125 * This test complies with SP800-90B section 4.4.2.
 126 ***************************************************************************/
 127
 128/**
 129 * Reset the APT counter
 130 *
 131 * @ec [in] Reference to entropy collector
 132 */
 133static void jent_apt_reset(struct rand_data *ec, unsigned int delta_masked)
 134{
 135        /* Reset APT counter */
 136        ec->apt_count = 0;
 137        ec->apt_base = delta_masked;
 138        ec->apt_observations = 0;
 139}
 140
 141/**
 142 * Insert a new entropy event into APT
 143 *
 144 * @ec [in] Reference to entropy collector
 145 * @delta_masked [in] Masked time delta to process
 146 */
 147static void jent_apt_insert(struct rand_data *ec, unsigned int delta_masked)
 148{
 149        /* Initialize the base reference */
 150        if (!ec->apt_base_set) {
 151                ec->apt_base = delta_masked;
 152                ec->apt_base_set = 1;
 153                return;
 154        }
 155
 156        if (delta_masked == ec->apt_base) {
 157                ec->apt_count++;
 158
 159                if (ec->apt_count >= JENT_APT_CUTOFF)
 160                        ec->health_failure = 1;
 161        }
 162
 163        ec->apt_observations++;
 164
 165        if (ec->apt_observations >= JENT_APT_WINDOW_SIZE)
 166                jent_apt_reset(ec, delta_masked);
 167}
 168
 169/***************************************************************************
 170 * Stuck Test and its use as Repetition Count Test
 171 *
 172 * The Jitter RNG uses an enhanced version of the Repetition Count Test
 173 * (RCT) specified in SP800-90B section 4.4.1. Instead of counting identical
 174 * back-to-back values, the input to the RCT is the counting of the stuck
 175 * values during the generation of one Jitter RNG output block.
 176 *
 177 * The RCT is applied with an alpha of 2^{-30} compliant to FIPS 140-2 IG 9.8.
 178 *
 179 * During the counting operation, the Jitter RNG always calculates the RCT
 180 * cut-off value of C. If that value exceeds the allowed cut-off value,
 181 * the Jitter RNG output block will be calculated completely but discarded at
 182 * the end. The caller of the Jitter RNG is informed with an error code.
 183 ***************************************************************************/
 184
 185/**
 186 * Repetition Count Test as defined in SP800-90B section 4.4.1
 187 *
 188 * @ec [in] Reference to entropy collector
 189 * @stuck [in] Indicator whether the value is stuck
 190 */
 191static void jent_rct_insert(struct rand_data *ec, int stuck)
 192{
 193        /*
 194         * If we have a count less than zero, a previous RCT round identified
 195         * a failure. We will not overwrite it.
 196         */
 197        if (ec->rct_count < 0)
 198                return;
 199
 200        if (stuck) {
 201                ec->rct_count++;
 202
 203                /*
 204                 * The cutoff value is based on the following consideration:
 205                 * alpha = 2^-30 as recommended in FIPS 140-2 IG 9.8.
 206                 * In addition, we require an entropy value H of 1/OSR as this
 207                 * is the minimum entropy required to provide full entropy.
 208                 * Note, we collect 64 * OSR deltas for inserting them into
 209                 * the entropy pool which should then have (close to) 64 bits
 210                 * of entropy.
 211                 *
 212                 * Note, ec->rct_count (which equals to value B in the pseudo
 213                 * code of SP800-90B section 4.4.1) starts with zero. Hence
 214                 * we need to subtract one from the cutoff value as calculated
 215                 * following SP800-90B.
 216                 */
 217                if ((unsigned int)ec->rct_count >= (31 * ec->osr)) {
 218                        ec->rct_count = -1;
 219                        ec->health_failure = 1;
 220                }
 221        } else {
 222                ec->rct_count = 0;
 223        }
 224}
 225
 226/**
 227 * Is there an RCT health test failure?
 228 *
 229 * @ec [in] Reference to entropy collector
 230 *
 231 * @return
 232 *      0 No health test failure
 233 *      1 Permanent health test failure
 234 */
 235static int jent_rct_failure(struct rand_data *ec)
 236{
 237        if (ec->rct_count < 0)
 238                return 1;
 239        return 0;
 240}
 241
 242static inline __u64 jent_delta(__u64 prev, __u64 next)
 243{
 244#define JENT_UINT64_MAX         (__u64)(~((__u64) 0))
 245        return (prev < next) ? (next - prev) :
 246                               (JENT_UINT64_MAX - prev + 1 + next);
 247}
 248
 249/**
 250 * Stuck test by checking the:
 251 *      1st derivative of the jitter measurement (time delta)
 252 *      2nd derivative of the jitter measurement (delta of time deltas)
 253 *      3rd derivative of the jitter measurement (delta of delta of time deltas)
 254 *
 255 * All values must always be non-zero.
 256 *
 257 * @ec [in] Reference to entropy collector
 258 * @current_delta [in] Jitter time delta
 259 *
 260 * @return
 261 *      0 jitter measurement not stuck (good bit)
 262 *      1 jitter measurement stuck (reject bit)
 263 */
 264static int jent_stuck(struct rand_data *ec, __u64 current_delta)
 265{
 266        __u64 delta2 = jent_delta(ec->last_delta, current_delta);
 267        __u64 delta3 = jent_delta(ec->last_delta2, delta2);
 268        unsigned int delta_masked = current_delta & JENT_APT_WORD_MASK;
 269
 270        ec->last_delta = current_delta;
 271        ec->last_delta2 = delta2;
 272
 273        /*
 274         * Insert the result of the comparison of two back-to-back time
 275         * deltas.
 276         */
 277        jent_apt_insert(ec, delta_masked);
 278
 279        if (!current_delta || !delta2 || !delta3) {
 280                /* RCT with a stuck bit */
 281                jent_rct_insert(ec, 1);
 282                return 1;
 283        }
 284
 285        /* RCT with a non-stuck bit */
 286        jent_rct_insert(ec, 0);
 287
 288        return 0;
 289}
 290
 291/**
 292 * Report any health test failures
 293 *
 294 * @ec [in] Reference to entropy collector
 295 *
 296 * @return
 297 *      0 No health test failure
 298 *      1 Permanent health test failure
 299 */
 300static int jent_health_failure(struct rand_data *ec)
 301{
 302        /* Test is only enabled in FIPS mode */
 303        if (!jent_fips_enabled())
 304                return 0;
 305
 306        return ec->health_failure;
 307}
 308
 309/***************************************************************************
 310 * Noise sources
 311 ***************************************************************************/
 312
 313/**
 314 * Update of the loop count used for the next round of
 315 * an entropy collection.
 316 *
 317 * Input:
 318 * @ec entropy collector struct -- may be NULL
 319 * @bits is the number of low bits of the timer to consider
 320 * @min is the number of bits we shift the timer value to the right at
 321 *      the end to make sure we have a guaranteed minimum value
 322 *
 323 * @return Newly calculated loop counter
 324 */
 325static __u64 jent_loop_shuffle(struct rand_data *ec,
 326                               unsigned int bits, unsigned int min)
 327{
 328        __u64 time = 0;
 329        __u64 shuffle = 0;
 330        unsigned int i = 0;
 331        unsigned int mask = (1<<bits) - 1;
 332
 333        jent_get_nstime(&time);
 334        /*
 335         * Mix the current state of the random number into the shuffle
 336         * calculation to balance that shuffle a bit more.
 337         */
 338        if (ec)
 339                time ^= ec->data;
 340        /*
 341         * We fold the time value as much as possible to ensure that as many
 342         * bits of the time stamp are included as possible.
 343         */
 344        for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) {
 345                shuffle ^= time & mask;
 346                time = time >> bits;
 347        }
 348
 349        /*
 350         * We add a lower boundary value to ensure we have a minimum
 351         * RNG loop count.
 352         */
 353        return (shuffle + (1<<min));
 354}
 355
 356/**
 357 * CPU Jitter noise source -- this is the noise source based on the CPU
 358 *                            execution time jitter
 359 *
 360 * This function injects the individual bits of the time value into the
 361 * entropy pool using an LFSR.
 362 *
 363 * The code is deliberately inefficient with respect to the bit shifting
 364 * and shall stay that way. This function is the root cause why the code
 365 * shall be compiled without optimization. This function not only acts as
 366 * folding operation, but this function's execution is used to measure
 367 * the CPU execution time jitter. Any change to the loop in this function
 368 * implies that careful retesting must be done.
 369 *
 370 * @ec [in] entropy collector struct
 371 * @time [in] time stamp to be injected
 372 * @loop_cnt [in] if a value not equal to 0 is set, use the given value as
 373 *                number of loops to perform the folding
 374 * @stuck [in] Is the time stamp identified as stuck?
 375 *
 376 * Output:
 377 * updated ec->data
 378 *
 379 * @return Number of loops the folding operation is performed
 380 */
 381static void jent_lfsr_time(struct rand_data *ec, __u64 time, __u64 loop_cnt,
 382                           int stuck)
 383{
 384        unsigned int i;
 385        __u64 j = 0;
 386        __u64 new = 0;
 387#define MAX_FOLD_LOOP_BIT 4
 388#define MIN_FOLD_LOOP_BIT 0
 389        __u64 fold_loop_cnt =
 390                jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT);
 391
 392        /*
 393         * testing purposes -- allow test app to set the counter, not
 394         * needed during runtime
 395         */
 396        if (loop_cnt)
 397                fold_loop_cnt = loop_cnt;
 398        for (j = 0; j < fold_loop_cnt; j++) {
 399                new = ec->data;
 400                for (i = 1; (DATA_SIZE_BITS) >= i; i++) {
 401                        __u64 tmp = time << (DATA_SIZE_BITS - i);
 402
 403                        tmp = tmp >> (DATA_SIZE_BITS - 1);
 404
 405                        /*
 406                        * Fibonacci LSFR with polynomial of
 407                        *  x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is
 408                        *  primitive according to
 409                        *   http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf
 410                        * (the shift values are the polynomial values minus one
 411                        * due to counting bits from 0 to 63). As the current
 412                        * position is always the LSB, the polynomial only needs
 413                        * to shift data in from the left without wrap.
 414                        */
 415                        tmp ^= ((new >> 63) & 1);
 416                        tmp ^= ((new >> 60) & 1);
 417                        tmp ^= ((new >> 55) & 1);
 418                        tmp ^= ((new >> 30) & 1);
 419                        tmp ^= ((new >> 27) & 1);
 420                        tmp ^= ((new >> 22) & 1);
 421                        new <<= 1;
 422                        new ^= tmp;
 423                }
 424        }
 425
 426        /*
 427         * If the time stamp is stuck, do not finally insert the value into
 428         * the entropy pool. Although this operation should not do any harm
 429         * even when the time stamp has no entropy, SP800-90B requires that
 430         * any conditioning operation (SP800-90B considers the LFSR to be a
 431         * conditioning operation) to have an identical amount of input
 432         * data according to section 3.1.5.
 433         */
 434        if (!stuck)
 435                ec->data = new;
 436}
 437
 438/**
 439 * Memory Access noise source -- this is a noise source based on variations in
 440 *                               memory access times
 441 *
 442 * This function performs memory accesses which will add to the timing
 443 * variations due to an unknown amount of CPU wait states that need to be
 444 * added when accessing memory. The memory size should be larger than the L1
 445 * caches as outlined in the documentation and the associated testing.
 446 *
 447 * The L1 cache has a very high bandwidth, albeit its access rate is  usually
 448 * slower than accessing CPU registers. Therefore, L1 accesses only add minimal
 449 * variations as the CPU has hardly to wait. Starting with L2, significant
 450 * variations are added because L2 typically does not belong to the CPU any more
 451 * and therefore a wider range of CPU wait states is necessary for accesses.
 452 * L3 and real memory accesses have even a wider range of wait states. However,
 453 * to reliably access either L3 or memory, the ec->mem memory must be quite
 454 * large which is usually not desirable.
 455 *
 456 * @ec [in] Reference to the entropy collector with the memory access data -- if
 457 *          the reference to the memory block to be accessed is NULL, this noise
 458 *          source is disabled
 459 * @loop_cnt [in] if a value not equal to 0 is set, use the given value
 460 *                number of loops to perform the LFSR
 461 */
 462static void jent_memaccess(struct rand_data *ec, __u64 loop_cnt)
 463{
 464        unsigned int wrap = 0;
 465        __u64 i = 0;
 466#define MAX_ACC_LOOP_BIT 7
 467#define MIN_ACC_LOOP_BIT 0
 468        __u64 acc_loop_cnt =
 469                jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);
 470
 471        if (NULL == ec || NULL == ec->mem)
 472                return;
 473        wrap = ec->memblocksize * ec->memblocks;
 474
 475        /*
 476         * testing purposes -- allow test app to set the counter, not
 477         * needed during runtime
 478         */
 479        if (loop_cnt)
 480                acc_loop_cnt = loop_cnt;
 481
 482        for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {
 483                unsigned char *tmpval = ec->mem + ec->memlocation;
 484                /*
 485                 * memory access: just add 1 to one byte,
 486                 * wrap at 255 -- memory access implies read
 487                 * from and write to memory location
 488                 */
 489                *tmpval = (*tmpval + 1) & 0xff;
 490                /*
 491                 * Addition of memblocksize - 1 to pointer
 492                 * with wrap around logic to ensure that every
 493                 * memory location is hit evenly
 494                 */
 495                ec->memlocation = ec->memlocation + ec->memblocksize - 1;
 496                ec->memlocation = ec->memlocation % wrap;
 497        }
 498}
 499
 500/***************************************************************************
 501 * Start of entropy processing logic
 502 ***************************************************************************/
 503/**
 504 * This is the heart of the entropy generation: calculate time deltas and
 505 * use the CPU jitter in the time deltas. The jitter is injected into the
 506 * entropy pool.
 507 *
 508 * WARNING: ensure that ->prev_time is primed before using the output
 509 *          of this function! This can be done by calling this function
 510 *          and not using its result.
 511 *
 512 * @ec [in] Reference to entropy collector
 513 *
 514 * @return result of stuck test
 515 */
 516static int jent_measure_jitter(struct rand_data *ec)
 517{
 518        __u64 time = 0;
 519        __u64 current_delta = 0;
 520        int stuck;
 521
 522        /* Invoke one noise source before time measurement to add variations */
 523        jent_memaccess(ec, 0);
 524
 525        /*
 526         * Get time stamp and calculate time delta to previous
 527         * invocation to measure the timing variations
 528         */
 529        jent_get_nstime(&time);
 530        current_delta = jent_delta(ec->prev_time, time);
 531        ec->prev_time = time;
 532
 533        /* Check whether we have a stuck measurement. */
 534        stuck = jent_stuck(ec, current_delta);
 535
 536        /* Now call the next noise sources which also injects the data */
 537        jent_lfsr_time(ec, current_delta, 0, stuck);
 538
 539        return stuck;
 540}
 541
 542/**
 543 * Generator of one 64 bit random number
 544 * Function fills rand_data->data
 545 *
 546 * @ec [in] Reference to entropy collector
 547 */
 548static void jent_gen_entropy(struct rand_data *ec)
 549{
 550        unsigned int k = 0;
 551
 552        /* priming of the ->prev_time value */
 553        jent_measure_jitter(ec);
 554
 555        while (1) {
 556                /* If a stuck measurement is received, repeat measurement */
 557                if (jent_measure_jitter(ec))
 558                        continue;
 559
 560                /*
 561                 * We multiply the loop value with ->osr to obtain the
 562                 * oversampling rate requested by the caller
 563                 */
 564                if (++k >= (DATA_SIZE_BITS * ec->osr))
 565                        break;
 566        }
 567}
 568
 569/**
 570 * Entry function: Obtain entropy for the caller.
 571 *
 572 * This function invokes the entropy gathering logic as often to generate
 573 * as many bytes as requested by the caller. The entropy gathering logic
 574 * creates 64 bit per invocation.
 575 *
 576 * This function truncates the last 64 bit entropy value output to the exact
 577 * size specified by the caller.
 578 *
 579 * @ec [in] Reference to entropy collector
 580 * @data [in] pointer to buffer for storing random data -- buffer must already
 581 *            exist
 582 * @len [in] size of the buffer, specifying also the requested number of random
 583 *           in bytes
 584 *
 585 * @return 0 when request is fulfilled or an error
 586 *
 587 * The following error codes can occur:
 588 *      -1      entropy_collector is NULL
 589 *      -2      RCT failed
 590 *      -3      APT test failed
 591 */
 592int jent_read_entropy(struct rand_data *ec, unsigned char *data,
 593                      unsigned int len)
 594{
 595        unsigned char *p = data;
 596
 597        if (!ec)
 598                return -1;
 599
 600        while (len > 0) {
 601                unsigned int tocopy;
 602
 603                jent_gen_entropy(ec);
 604
 605                if (jent_health_failure(ec)) {
 606                        int ret;
 607
 608                        if (jent_rct_failure(ec))
 609                                ret = -2;
 610                        else
 611                                ret = -3;
 612
 613                        /*
 614                         * Re-initialize the noise source
 615                         *
 616                         * If the health test fails, the Jitter RNG remains
 617                         * in failure state and will return a health failure
 618                         * during next invocation.
 619                         */
 620                        if (jent_entropy_init())
 621                                return ret;
 622
 623                        /* Set APT to initial state */
 624                        jent_apt_reset(ec, 0);
 625                        ec->apt_base_set = 0;
 626
 627                        /* Set RCT to initial state */
 628                        ec->rct_count = 0;
 629
 630                        /* Re-enable Jitter RNG */
 631                        ec->health_failure = 0;
 632
 633                        /*
 634                         * Return the health test failure status to the
 635                         * caller as the generated value is not appropriate.
 636                         */
 637                        return ret;
 638                }
 639
 640                if ((DATA_SIZE_BITS / 8) < len)
 641                        tocopy = (DATA_SIZE_BITS / 8);
 642                else
 643                        tocopy = len;
 644                jent_memcpy(p, &ec->data, tocopy);
 645
 646                len -= tocopy;
 647                p += tocopy;
 648        }
 649
 650        return 0;
 651}
 652
 653/***************************************************************************
 654 * Initialization logic
 655 ***************************************************************************/
 656
 657struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
 658                                               unsigned int flags)
 659{
 660        struct rand_data *entropy_collector;
 661
 662        entropy_collector = jent_zalloc(sizeof(struct rand_data));
 663        if (!entropy_collector)
 664                return NULL;
 665
 666        if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) {
 667                /* Allocate memory for adding variations based on memory
 668                 * access
 669                 */
 670                entropy_collector->mem = jent_zalloc(JENT_MEMORY_SIZE);
 671                if (!entropy_collector->mem) {
 672                        jent_zfree(entropy_collector);
 673                        return NULL;
 674                }
 675                entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE;
 676                entropy_collector->memblocks = JENT_MEMORY_BLOCKS;
 677                entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;
 678        }
 679
 680        /* verify and set the oversampling rate */
 681        if (osr == 0)
 682                osr = 1; /* minimum sampling rate is 1 */
 683        entropy_collector->osr = osr;
 684
 685        /* fill the data pad with non-zero values */
 686        jent_gen_entropy(entropy_collector);
 687
 688        return entropy_collector;
 689}
 690
 691void jent_entropy_collector_free(struct rand_data *entropy_collector)
 692{
 693        jent_zfree(entropy_collector->mem);
 694        entropy_collector->mem = NULL;
 695        jent_zfree(entropy_collector);
 696}
 697
 698int jent_entropy_init(void)
 699{
 700        int i;
 701        __u64 delta_sum = 0;
 702        __u64 old_delta = 0;
 703        unsigned int nonstuck = 0;
 704        int time_backwards = 0;
 705        int count_mod = 0;
 706        int count_stuck = 0;
 707        struct rand_data ec = { 0 };
 708
 709        /* Required for RCT */
 710        ec.osr = 1;
 711
 712        /* We could perform statistical tests here, but the problem is
 713         * that we only have a few loop counts to do testing. These
 714         * loop counts may show some slight skew and we produce
 715         * false positives.
 716         *
 717         * Moreover, only old systems show potentially problematic
 718         * jitter entropy that could potentially be caught here. But
 719         * the RNG is intended for hardware that is available or widely
 720         * used, but not old systems that are long out of favor. Thus,
 721         * no statistical tests.
 722         */
 723
 724        /*
 725         * We could add a check for system capabilities such as clock_getres or
 726         * check for CONFIG_X86_TSC, but it does not make much sense as the
 727         * following sanity checks verify that we have a high-resolution
 728         * timer.
 729         */
 730        /*
 731         * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is
 732         * definitely too little.
 733         *
 734         * SP800-90B requires at least 1024 initial test cycles.
 735         */
 736#define TESTLOOPCOUNT 1024
 737#define CLEARCACHE 100
 738        for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) {
 739                __u64 time = 0;
 740                __u64 time2 = 0;
 741                __u64 delta = 0;
 742                unsigned int lowdelta = 0;
 743                int stuck;
 744
 745                /* Invoke core entropy collection logic */
 746                jent_get_nstime(&time);
 747                ec.prev_time = time;
 748                jent_lfsr_time(&ec, time, 0, 0);
 749                jent_get_nstime(&time2);
 750
 751                /* test whether timer works */
 752                if (!time || !time2)
 753                        return JENT_ENOTIME;
 754                delta = jent_delta(time, time2);
 755                /*
 756                 * test whether timer is fine grained enough to provide
 757                 * delta even when called shortly after each other -- this
 758                 * implies that we also have a high resolution timer
 759                 */
 760                if (!delta)
 761                        return JENT_ECOARSETIME;
 762
 763                stuck = jent_stuck(&ec, delta);
 764
 765                /*
 766                 * up to here we did not modify any variable that will be
 767                 * evaluated later, but we already performed some work. Thus we
 768                 * already have had an impact on the caches, branch prediction,
 769                 * etc. with the goal to clear it to get the worst case
 770                 * measurements.
 771                 */
 772                if (i < CLEARCACHE)
 773                        continue;
 774
 775                if (stuck)
 776                        count_stuck++;
 777                else {
 778                        nonstuck++;
 779
 780                        /*
 781                         * Ensure that the APT succeeded.
 782                         *
 783                         * With the check below that count_stuck must be less
 784                         * than 10% of the overall generated raw entropy values
 785                         * it is guaranteed that the APT is invoked at
 786                         * floor((TESTLOOPCOUNT * 0.9) / 64) == 14 times.
 787                         */
 788                        if ((nonstuck % JENT_APT_WINDOW_SIZE) == 0) {
 789                                jent_apt_reset(&ec,
 790                                               delta & JENT_APT_WORD_MASK);
 791                                if (jent_health_failure(&ec))
 792                                        return JENT_EHEALTH;
 793                        }
 794                }
 795
 796                /* Validate RCT */
 797                if (jent_rct_failure(&ec))
 798                        return JENT_ERCT;
 799
 800                /* test whether we have an increasing timer */
 801                if (!(time2 > time))
 802                        time_backwards++;
 803
 804                /* use 32 bit value to ensure compilation on 32 bit arches */
 805                lowdelta = time2 - time;
 806                if (!(lowdelta % 100))
 807                        count_mod++;
 808
 809                /*
 810                 * ensure that we have a varying delta timer which is necessary
 811                 * for the calculation of entropy -- perform this check
 812                 * only after the first loop is executed as we need to prime
 813                 * the old_data value
 814                 */
 815                if (delta > old_delta)
 816                        delta_sum += (delta - old_delta);
 817                else
 818                        delta_sum += (old_delta - delta);
 819                old_delta = delta;
 820        }
 821
 822        /*
 823         * we allow up to three times the time running backwards.
 824         * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus,
 825         * if such an operation just happens to interfere with our test, it
 826         * should not fail. The value of 3 should cover the NTP case being
 827         * performed during our test run.
 828         */
 829        if (time_backwards > 3)
 830                return JENT_ENOMONOTONIC;
 831
 832        /*
 833         * Variations of deltas of time must on average be larger
 834         * than 1 to ensure the entropy estimation
 835         * implied with 1 is preserved
 836         */
 837        if ((delta_sum) <= 1)
 838                return JENT_EVARVAR;
 839
 840        /*
 841         * Ensure that we have variations in the time stamp below 10 for at
 842         * least 10% of all checks -- on some platforms, the counter increments
 843         * in multiples of 100, but not always
 844         */
 845        if ((TESTLOOPCOUNT/10 * 9) < count_mod)
 846                return JENT_ECOARSETIME;
 847
 848        /*
 849         * If we have more than 90% stuck results, then this Jitter RNG is
 850         * likely to not work well.
 851         */
 852        if ((TESTLOOPCOUNT/10 * 9) < count_stuck)
 853                return JENT_ESTUCK;
 854
 855        return 0;
 856}
 857
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.