1 // SPDX-License-Identifier: GPL-2.0
42 MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512");
52 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
68 * of course, in a state of sin. -- John von Neumann
119 * This function fills a given buffer with random bytes. The entropy within
120 * the random bytes given back is assumed to be at least 50% - meaning
121 * a 64 bytes buffer has at least 64 * 8 / 2 = 256 bits of entropy.
122 * Within the function the entropy generation is done in chunks of 64 bytes.
123 * So the caller should also ask for buffer fill in multiples of 64 bytes.
126 * at least 512 stckf() values are needed. The entropy relevant part of the
128 * here we use the lower 4 bytes and exor the values into 2k of bufferspace.
130 * other half of the page buffer is filled with bytes from urandom via
132 * requested 64 bytes output data. Finally the buffer page is condensed into
156 return -ENOMEM; in generate_entropy()
161 /* fill lower 2k with urandom bytes */ in generate_entropy()
163 /* exor upper 2k with 512 stckf values, offset 4 bytes each */ in generate_entropy()
164 for (n = 0; n < 512; n++) { in generate_entropy()
165 int offset = (PAGE_SIZE / 2) + (n * 4) - 4; in generate_entropy()
175 nbytes -= n; in generate_entropy()
193 cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block, in prng_tdes_add_entropy()
196 memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy)); in prng_tdes_add_entropy()
212 *((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i)); in prng_tdes_seed()
215 nbytes -= 8; in prng_tdes_seed()
218 prng_data->prngws.reseed_counter = 0; in prng_tdes_seed()
235 return -ENOMEM; in prng_tdes_instantiate()
237 mutex_init(&prng_data->mutex); in prng_tdes_instantiate()
238 prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s); in prng_tdes_instantiate()
239 memcpy(prng_data->prngws.parm_block, initial_parm_block, 32); in prng_tdes_instantiate()
260 /* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */ in prng_sha512_selftest()
345 "for the SHA-512 mode failed\n"); in prng_sha512_selftest()
347 return -EIO; in prng_sha512_selftest()
350 /* generate random bytes */ in prng_sha512_selftest()
359 "for the SHA-512 mode failed\n"); in prng_sha512_selftest()
361 return -EIO; in prng_sha512_selftest()
373 pr_debug("prng runs in SHA-512 mode " in prng_sha512_instantiate()
384 return -ENOMEM; in prng_sha512_instantiate()
386 mutex_init(&prng_data->mutex); in prng_sha512_instantiate()
387 prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s); in prng_sha512_instantiate()
398 * 32 bytes and produces 100% entropy. So we pull 64 bytes in prng_sha512_instantiate()
399 * which gives us 512 bits entropy. in prng_sha512_instantiate()
407 * 50% entropy. So we pull 2*64 bytes which gives us 512 bits in prng_sha512_instantiate()
416 /* append the seed by 16 bytes of unique nonce */ in prng_sha512_instantiate()
422 &prng_data->prnows, NULL, 0, seed, seedlen); in prng_sha512_instantiate()
426 bytes for the FIPS 140-2 Conditional Self Test */ in prng_sha512_instantiate()
428 prng_data->prev = prng_data->buf + prng_chunk_size; in prng_sha512_instantiate()
430 &prng_data->prnows, in prng_sha512_instantiate()
431 prng_data->prev, prng_chunk_size, NULL, 0); in prng_sha512_instantiate()
444 pr_debug("The prng module stopped after running in SHA-512 mode\n"); in prng_sha512_deinstantiate()
456 /* trng produces 256 bits entropy in 32 bytes */ in prng_sha512_reseed()
460 /* generate_entropy() produces 256 bits entropy in 64 bytes */ in prng_sha512_reseed()
469 &prng_data->prnows, NULL, 0, seed, seedlen); in prng_sha512_reseed()
481 if (prng_data->prnows.reseed_counter > prng_reseed_limit) { in prng_sha512_generate()
489 &prng_data->prnows, buf, nbytes, NULL, 0); in prng_sha512_generate()
491 /* FIPS 140-2 Conditional Self Test */ in prng_sha512_generate()
493 if (!memcmp(prng_data->prev, buf, nbytes)) { in prng_sha512_generate()
495 return -EILSEQ; in prng_sha512_generate()
497 memcpy(prng_data->prev, buf, nbytes); in prng_sha512_generate()
518 if (mutex_lock_interruptible(&prng_data->mutex)) in prng_tdes_read()
519 return -ERESTARTSYS; in prng_tdes_read()
525 ret = -ERESTARTSYS; in prng_tdes_read()
529 mutex_unlock(&prng_data->mutex); in prng_tdes_read()
532 if (mutex_lock_interruptible(&prng_data->mutex)) { in prng_tdes_read()
534 ret = -ERESTARTSYS; in prng_tdes_read()
540 * we lose some random bytes if an attacker issues in prng_tdes_read()
541 * reads < 8 bytes, but we don't care in prng_tdes_read()
545 /* PRNG only likes multiples of 8 bytes */ in prng_tdes_read()
546 n = (chunk + 7) & -8; in prng_tdes_read()
548 if (prng_data->prngws.reseed_counter > prng_reseed_limit) in prng_tdes_read()
552 *((unsigned long long *)prng_data->buf) = get_tod_clock_fast(); in prng_tdes_read()
555 * Beside the STCKF the input for the TDES-EDE is the output in prng_tdes_read()
565 * prng_chunk_size to 8 bytes. in prng_tdes_read()
567 cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block, in prng_tdes_read()
568 prng_data->buf, prng_data->buf, n); in prng_tdes_read()
570 prng_data->prngws.byte_counter += n; in prng_tdes_read()
571 prng_data->prngws.reseed_counter += n; in prng_tdes_read()
573 if (copy_to_user(ubuf, prng_data->buf, chunk)) { in prng_tdes_read()
574 ret = -EFAULT; in prng_tdes_read()
578 nbytes -= chunk; in prng_tdes_read()
584 mutex_unlock(&prng_data->mutex); in prng_tdes_read()
598 return -EPIPE; in prng_sha512_read()
601 if (mutex_lock_interruptible(&prng_data->mutex)) in prng_sha512_read()
602 return -ERESTARTSYS; in prng_sha512_read()
608 ret = -ERESTARTSYS; in prng_sha512_read()
612 mutex_unlock(&prng_data->mutex); in prng_sha512_read()
615 if (mutex_lock_interruptible(&prng_data->mutex)) { in prng_sha512_read()
617 ret = -ERESTARTSYS; in prng_sha512_read()
621 if (prng_data->rest) { in prng_sha512_read()
622 /* push left over random bytes from the previous read */ in prng_sha512_read()
623 p = prng_data->buf + prng_chunk_size - prng_data->rest; in prng_sha512_read()
624 n = (nbytes < prng_data->rest) ? in prng_sha512_read()
625 nbytes : prng_data->rest; in prng_sha512_read()
626 prng_data->rest -= n; in prng_sha512_read()
628 /* generate one chunk of random bytes into read buf */ in prng_sha512_read()
629 p = prng_data->buf; in prng_sha512_read()
637 prng_data->rest = prng_chunk_size - n; in prng_sha512_read()
640 prng_data->rest = 0; in prng_sha512_read()
644 ret = -EFAULT; in prng_sha512_read()
649 nbytes -= n; in prng_sha512_read()
654 mutex_unlock(&prng_data->mutex); in prng_sha512_read()
693 if (mutex_lock_interruptible(&prng_data->mutex)) in prng_counter_show()
694 return -ERESTARTSYS; in prng_counter_show()
696 counter = prng_data->prnows.stream_bytes; in prng_counter_show()
698 counter = prng_data->prngws.byte_counter; in prng_counter_show()
699 mutex_unlock(&prng_data->mutex); in prng_counter_show()
731 if (mutex_lock_interruptible(&prng_data->mutex)) in prng_reseed_store()
732 return -ERESTARTSYS; in prng_reseed_store()
734 mutex_unlock(&prng_data->mutex); in prng_reseed_store()
754 return -EINVAL; in prng_reseed_limit_store()
758 return -EINVAL; in prng_reseed_limit_store()
761 return -EINVAL; in prng_reseed_limit_store()
825 return -ENODEV; in prng_init()
837 "start in SHA-512 mode\n"); in prng_init()
838 return -ENODEV; in prng_init()
851 return -EINVAL; in prng_init()
857 return -EINVAL; in prng_init()
875 return -EINVAL; in prng_init()
881 return -EINVAL; in prng_init()