LXR linux/arch/s390/crypto/prng.c

   1/*
   2 * Copyright IBM Corp. 2006,2007
   3 * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
   4 * Driver for the s390 pseudo random number generator
   5 */
   6#include <linux/fs.h>
   7#include <linux/init.h>
   8#include <linux/kernel.h>
   9#include <linux/smp_lock.h>
  10#include <linux/miscdevice.h>
  11#include <linux/module.h>
  12#include <linux/moduleparam.h>
  13#include <linux/random.h>
  14#include <asm/debug.h>
  15#include <asm/uaccess.h>
  16
  17#include "crypt_s390.h"
  18
  19MODULE_LICENSE("GPL");
  20MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>");
  21MODULE_DESCRIPTION("s390 PRNG interface");
  22
  23static int prng_chunk_size = 256;
  24module_param(prng_chunk_size, int, S_IRUSR | S_IRGRP | S_IROTH);
  25MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
  26
  27static int prng_entropy_limit = 4096;
  28module_param(prng_entropy_limit, int, S_IRUSR | S_IRGRP | S_IROTH | S_IWUSR);
  29MODULE_PARM_DESC(prng_entropy_limit,
  30        "PRNG add entropy after that much bytes were produced");
  31
  32/*
  33 * Any one who considers arithmetical methods of producing random digits is,
  34 * of course, in a state of sin. -- John von Neumann
  35 */
  36
  37struct s390_prng_data {
  38        unsigned long count; /* how many bytes were produced */
  39        char *buf;
  40};
  41
  42static struct s390_prng_data *p;
  43
  44/* copied from libica, use a non-zero initial parameter block */
  45static unsigned char parm_block[32] = {
  460x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4,
  470x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0,
  48};
  49
  50static int prng_open(struct inode *inode, struct file *file)
  51{
  52        cycle_kernel_lock();
  53        return nonseekable_open(inode, file);
  54}
  55
  56static void prng_add_entropy(void)
  57{
  58        __u64 entropy[4];
  59        unsigned int i;
  60        int ret;
  61
  62        for (i = 0; i < 16; i++) {
  63                ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy,
  64                                     (char *)entropy, sizeof(entropy));
  65                BUG_ON(ret < 0 || ret != sizeof(entropy));
  66                memcpy(parm_block, entropy, sizeof(entropy));
  67        }
  68}
  69
  70static void prng_seed(int nbytes)
  71{
  72        char buf[16];
  73        int i = 0;
  74
  75        BUG_ON(nbytes > 16);
  76        get_random_bytes(buf, nbytes);
  77
  78        /* Add the entropy */
  79        while (nbytes >= 8) {
  80                *((__u64 *)parm_block) ^= *((__u64 *)buf+i*8);
  81                prng_add_entropy();
  82                i += 8;
  83                nbytes -= 8;
  84        }
  85        prng_add_entropy();
  86}
  87
  88static ssize_t prng_read(struct file *file, char __user *ubuf, size_t nbytes,
  89                         loff_t *ppos)
  90{
  91        int chunk, n;
  92        int ret = 0;
  93        int tmp;
  94
  95        /* nbytes can be arbitrary length, we split it into chunks */
  96        while (nbytes) {
  97                /* same as in extract_entropy_user in random.c */
  98                if (need_resched()) {
  99                        if (signal_pending(current)) {
 100                                if (ret == 0)
 101                                        ret = -ERESTARTSYS;
 102                                break;
 103                        }
 104                        schedule();
 105                }
 106
 107                /*
 108                 * we lose some random bytes if an attacker issues
 109                 * reads < 8 bytes, but we don't care
 110                 */
 111                chunk = min_t(int, nbytes, prng_chunk_size);
 112
 113                /* PRNG only likes multiples of 8 bytes */
 114                n = (chunk + 7) & -8;
 115
 116                if (p->count > prng_entropy_limit)
 117                        prng_seed(8);
 118
 119                /* if the CPU supports PRNG stckf is present too */
 120                asm volatile(".insn     s,0xb27c0000,%0"
 121                             : "=m" (*((unsigned long long *)p->buf)) : : "cc");
 122
 123                /*
 124                 * Beside the STCKF the input for the TDES-EDE is the output
 125                 * of the last operation. We differ here from X9.17 since we
 126                 * only store one timestamp into the buffer. Padding the whole
 127                 * buffer with timestamps does not improve security, since
 128                 * successive stckf have nearly constant offsets.
 129                 * If an attacker knows the first timestamp it would be
 130                 * trivial to guess the additional values. One timestamp
 131                 * is therefore enough and still guarantees unique input values.
 132                 *
 133                 * Note: you can still get strict X9.17 conformity by setting
 134                 * prng_chunk_size to 8 bytes.
 135                */
 136                tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n);
 137                BUG_ON((tmp < 0) || (tmp != n));
 138
 139                p->count += n;
 140
 141                if (copy_to_user(ubuf, p->buf, chunk))
 142                        return -EFAULT;
 143
 144                nbytes -= chunk;
 145                ret += chunk;
 146                ubuf += chunk;
 147        }
 148        return ret;
 149}
 150
 151static const struct file_operations prng_fops = {
 152        .owner          = THIS_MODULE,
 153        .open           = &prng_open,
 154        .release        = NULL,
 155        .read           = &prng_read,
 156};
 157
 158static struct miscdevice prng_dev = {
 159        .name   = "prandom",
 160        .minor  = MISC_DYNAMIC_MINOR,
 161        .fops   = &prng_fops,
 162};
 163
 164static int __init prng_init(void)
 165{
 166        int ret;
 167
 168        /* check if the CPU has a PRNG */
 169        if (!crypt_s390_func_available(KMC_PRNG))
 170                return -EOPNOTSUPP;
 171
 172        if (prng_chunk_size < 8)
 173                return -EINVAL;
 174
 175        p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL);
 176        if (!p)
 177                return -ENOMEM;
 178        p->count = 0;
 179
 180        p->buf = kmalloc(prng_chunk_size, GFP_KERNEL);
 181        if (!p->buf) {
 182                ret = -ENOMEM;
 183                goto out_free;
 184        }
 185
 186        /* initialize the PRNG, add 128 bits of entropy */
 187        prng_seed(16);
 188
 189        ret = misc_register(&prng_dev);
 190        if (ret)
 191                goto out_buf;
 192        return 0;
 193
 194out_buf:
 195        kfree(p->buf);
 196out_free:
 197        kfree(p);
 198        return ret;
 199}
 200
 201static void __exit prng_exit(void)
 202{
 203        /* wipe me */
 204        kzfree(p->buf);
 205        kfree(p);
 206
 207        misc_deregister(&prng_dev);
 208}
 209
 210module_init(prng_init);
 211module_exit(prng_exit);
 212