Commit | Line | Data |
---|---|---|
dfc9fa91 SM |
1 | /* |
2 | * Non-physical true random number generator based on timing jitter -- | |
3 | * Linux Kernel Crypto API specific code | |
4 | * | |
bb897c55 | 5 | * Copyright Stephan Mueller <smueller@chronox.de>, 2015 - 2023 |
dfc9fa91 SM |
6 | * |
7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | |
10 | * 1. Redistributions of source code must retain the above copyright | |
11 | * notice, and the entire permission notice in its entirety, | |
12 | * including the disclaimer of warranties. | |
13 | * 2. Redistributions in binary form must reproduce the above copyright | |
14 | * notice, this list of conditions and the following disclaimer in the | |
15 | * documentation and/or other materials provided with the distribution. | |
16 | * 3. The name of the author may not be used to endorse or promote | |
17 | * products derived from this software without specific prior | |
18 | * written permission. | |
19 | * | |
20 | * ALTERNATIVELY, this product may be distributed under the terms of | |
21 | * the GNU General Public License, in which case the provisions of the GPL2 are | |
22 | * required INSTEAD OF the above restrictions. (This clause is | |
23 | * necessary due to a potential bad interaction between the GPL and | |
24 | * the restrictions contained in a BSD-style copyright.) | |
25 | * | |
26 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
27 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
28 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF | |
29 | * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE | |
30 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
31 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | |
32 | * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | |
33 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |
34 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
35 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE | |
36 | * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH | |
37 | * DAMAGE. | |
38 | */ | |
39 | ||
bb897c55 SM |
40 | #include <crypto/hash.h> |
41 | #include <crypto/sha3.h> | |
3fde2fe9 | 42 | #include <linux/fips.h> |
0c3dc787 | 43 | #include <linux/kernel.h> |
dfc9fa91 SM |
44 | #include <linux/module.h> |
45 | #include <linux/slab.h> | |
dfc9fa91 | 46 | #include <linux/time.h> |
dfc9fa91 SM |
47 | #include <crypto/internal/rng.h> |
48 | ||
965d7286 | 49 | #include "jitterentropy.h" |
dfc9fa91 | 50 | |
bb897c55 SM |
51 | #define JENT_CONDITIONING_HASH "sha3-256-generic" |
52 | ||
dfc9fa91 SM |
53 | /*************************************************************************** |
54 | * Helper function | |
55 | ***************************************************************************/ | |
56 | ||
59bcfd78 SM |
57 | void *jent_kvzalloc(unsigned int len) |
58 | { | |
59 | return kvzalloc(len, GFP_KERNEL); | |
60 | } | |
61 | ||
62 | void jent_kvzfree(void *ptr, unsigned int len) | |
63 | { | |
6e61ee1c | 64 | kvfree_sensitive(ptr, len); |
59bcfd78 SM |
65 | } |
66 | ||
dfc9fa91 SM |
67 | void *jent_zalloc(unsigned int len) |
68 | { | |
69 | return kzalloc(len, GFP_KERNEL); | |
70 | } | |
71 | ||
72 | void jent_zfree(void *ptr) | |
73 | { | |
453431a5 | 74 | kfree_sensitive(ptr); |
dfc9fa91 SM |
75 | } |
76 | ||
b578456c SM |
77 | /* |
78 | * Obtain a high-resolution time stamp value. The time stamp is used to measure | |
79 | * the execution time of a given code path and its variations. Hence, the time | |
80 | * stamp must have a sufficiently high resolution. | |
81 | * | |
82 | * Note, if the function returns zero because a given architecture does not | |
83 | * implement a high-resolution time stamp, the RNG code's runtime test | |
84 | * will detect it and will not produce output. | |
85 | */ | |
dfc9fa91 SM |
86 | void jent_get_nstime(__u64 *out) |
87 | { | |
dfc9fa91 SM |
88 | __u64 tmp = 0; |
89 | ||
90 | tmp = random_get_entropy(); | |
91 | ||
92 | /* | |
b578456c SM |
93 | * If random_get_entropy does not return a value, i.e. it is not |
94 | * implemented for a given architecture, use a clock source. | |
dfc9fa91 | 95 | * hoping that there are timers we can work with. |
dfc9fa91 | 96 | */ |
b578456c SM |
97 | if (tmp == 0) |
98 | tmp = ktime_get_ns(); | |
dfc9fa91 SM |
99 | |
100 | *out = tmp; | |
69f1c387 | 101 | jent_raw_hires_entropy_store(tmp); |
dfc9fa91 SM |
102 | } |
103 | ||
bb897c55 SM |
104 | int jent_hash_time(void *hash_state, __u64 time, u8 *addtl, |
105 | unsigned int addtl_len, __u64 hash_loop_cnt, | |
106 | unsigned int stuck) | |
107 | { | |
108 | struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state; | |
109 | SHASH_DESC_ON_STACK(desc, hash_state_desc->tfm); | |
110 | u8 intermediary[SHA3_256_DIGEST_SIZE]; | |
111 | __u64 j = 0; | |
112 | int ret; | |
113 | ||
114 | desc->tfm = hash_state_desc->tfm; | |
115 | ||
116 | if (sizeof(intermediary) != crypto_shash_digestsize(desc->tfm)) { | |
117 | pr_warn_ratelimited("Unexpected digest size\n"); | |
118 | return -EINVAL; | |
119 | } | |
120 | ||
121 | /* | |
122 | * This loop fills a buffer which is injected into the entropy pool. | |
123 | * The main reason for this loop is to execute something over which we | |
124 | * can perform a timing measurement. The injection of the resulting | |
125 | * data into the pool is performed to ensure the result is used and | |
126 | * the compiler cannot optimize the loop away in case the result is not | |
127 | * used at all. Yet that data is considered "additional information" | |
128 | * considering the terminology from SP800-90A without any entropy. | |
129 | * | |
130 | * Note, it does not matter which or how much data you inject, we are | |
131 | * interested in one Keccack1600 compression operation performed with | |
132 | * the crypto_shash_final. | |
133 | */ | |
134 | for (j = 0; j < hash_loop_cnt; j++) { | |
135 | ret = crypto_shash_init(desc) ?: | |
136 | crypto_shash_update(desc, intermediary, | |
137 | sizeof(intermediary)) ?: | |
138 | crypto_shash_finup(desc, addtl, addtl_len, intermediary); | |
139 | if (ret) | |
140 | goto err; | |
141 | } | |
142 | ||
143 | /* | |
144 | * Inject the data from the previous loop into the pool. This data is | |
145 | * not considered to contain any entropy, but it stirs the pool a bit. | |
146 | */ | |
147 | ret = crypto_shash_update(desc, intermediary, sizeof(intermediary)); | |
148 | if (ret) | |
149 | goto err; | |
150 | ||
151 | /* | |
152 | * Insert the time stamp into the hash context representing the pool. | |
153 | * | |
154 | * If the time stamp is stuck, do not finally insert the value into the | |
155 | * entropy pool. Although this operation should not do any harm even | |
156 | * when the time stamp has no entropy, SP800-90B requires that any | |
157 | * conditioning operation to have an identical amount of input data | |
158 | * according to section 3.1.5. | |
159 | */ | |
160 | if (!stuck) { | |
161 | ret = crypto_shash_update(hash_state_desc, (u8 *)&time, | |
162 | sizeof(__u64)); | |
163 | } | |
164 | ||
165 | err: | |
166 | shash_desc_zero(desc); | |
167 | memzero_explicit(intermediary, sizeof(intermediary)); | |
168 | ||
169 | return ret; | |
170 | } | |
171 | ||
172 | int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len) | |
173 | { | |
174 | struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state; | |
175 | u8 jent_block[SHA3_256_DIGEST_SIZE]; | |
176 | /* Obtain data from entropy pool and re-initialize it */ | |
177 | int ret = crypto_shash_final(hash_state_desc, jent_block) ?: | |
178 | crypto_shash_init(hash_state_desc) ?: | |
179 | crypto_shash_update(hash_state_desc, jent_block, | |
180 | sizeof(jent_block)); | |
181 | ||
182 | if (!ret && dst_len) | |
183 | memcpy(dst, jent_block, dst_len); | |
184 | ||
185 | memzero_explicit(jent_block, sizeof(jent_block)); | |
186 | return ret; | |
187 | } | |
188 | ||
dfc9fa91 SM |
189 | /*************************************************************************** |
190 | * Kernel crypto API interface | |
191 | ***************************************************************************/ | |
192 | ||
193 | struct jitterentropy { | |
194 | spinlock_t jent_lock; | |
195 | struct rand_data *entropy_collector; | |
bb897c55 SM |
196 | struct crypto_shash *tfm; |
197 | struct shash_desc *sdesc; | |
dfc9fa91 SM |
198 | }; |
199 | ||
bb897c55 | 200 | static void jent_kcapi_cleanup(struct crypto_tfm *tfm) |
dfc9fa91 SM |
201 | { |
202 | struct jitterentropy *rng = crypto_tfm_ctx(tfm); | |
dfc9fa91 | 203 | |
bb897c55 | 204 | spin_lock(&rng->jent_lock); |
dfc9fa91 | 205 | |
bb897c55 SM |
206 | if (rng->sdesc) { |
207 | shash_desc_zero(rng->sdesc); | |
208 | kfree(rng->sdesc); | |
209 | } | |
210 | rng->sdesc = NULL; | |
dfc9fa91 | 211 | |
bb897c55 SM |
212 | if (rng->tfm) |
213 | crypto_free_shash(rng->tfm); | |
214 | rng->tfm = NULL; | |
dfc9fa91 | 215 | |
dfc9fa91 SM |
216 | if (rng->entropy_collector) |
217 | jent_entropy_collector_free(rng->entropy_collector); | |
218 | rng->entropy_collector = NULL; | |
219 | spin_unlock(&rng->jent_lock); | |
220 | } | |
221 | ||
bb897c55 SM |
222 | static int jent_kcapi_init(struct crypto_tfm *tfm) |
223 | { | |
224 | struct jitterentropy *rng = crypto_tfm_ctx(tfm); | |
225 | struct crypto_shash *hash; | |
226 | struct shash_desc *sdesc; | |
227 | int size, ret = 0; | |
228 | ||
229 | spin_lock_init(&rng->jent_lock); | |
230 | ||
231 | /* | |
232 | * Use SHA3-256 as conditioner. We allocate only the generic | |
233 | * implementation as we are not interested in high-performance. The | |
234 | * execution time of the SHA3 operation is measured and adds to the | |
235 | * Jitter RNG's unpredictable behavior. If we have a slower hash | |
236 | * implementation, the execution timing variations are larger. When | |
237 | * using a fast implementation, we would need to call it more often | |
238 | * as its variations are lower. | |
239 | */ | |
240 | hash = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0); | |
241 | if (IS_ERR(hash)) { | |
242 | pr_err("Cannot allocate conditioning digest\n"); | |
243 | return PTR_ERR(hash); | |
244 | } | |
245 | rng->tfm = hash; | |
246 | ||
247 | size = sizeof(struct shash_desc) + crypto_shash_descsize(hash); | |
248 | sdesc = kmalloc(size, GFP_KERNEL); | |
249 | if (!sdesc) { | |
250 | ret = -ENOMEM; | |
251 | goto err; | |
252 | } | |
253 | ||
254 | sdesc->tfm = hash; | |
255 | crypto_shash_init(sdesc); | |
256 | rng->sdesc = sdesc; | |
257 | ||
0baa8fab SM |
258 | rng->entropy_collector = |
259 | jent_entropy_collector_alloc(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, | |
260 | sdesc); | |
bb897c55 SM |
261 | if (!rng->entropy_collector) { |
262 | ret = -ENOMEM; | |
263 | goto err; | |
264 | } | |
265 | ||
266 | spin_lock_init(&rng->jent_lock); | |
267 | return 0; | |
268 | ||
269 | err: | |
270 | jent_kcapi_cleanup(tfm); | |
271 | return ret; | |
272 | } | |
273 | ||
dfc9fa91 SM |
274 | static int jent_kcapi_random(struct crypto_rng *tfm, |
275 | const u8 *src, unsigned int slen, | |
276 | u8 *rdata, unsigned int dlen) | |
277 | { | |
278 | struct jitterentropy *rng = crypto_rng_ctx(tfm); | |
279 | int ret = 0; | |
280 | ||
281 | spin_lock(&rng->jent_lock); | |
764428fe | 282 | |
dfc9fa91 | 283 | ret = jent_read_entropy(rng->entropy_collector, rdata, dlen); |
764428fe | 284 | |
3fde2fe9 SM |
285 | if (ret == -3) { |
286 | /* Handle permanent health test error */ | |
287 | /* | |
288 | * If the kernel was booted with fips=1, it implies that | |
289 | * the entire kernel acts as a FIPS 140 module. In this case | |
290 | * an SP800-90B permanent health test error is treated as | |
291 | * a FIPS module error. | |
292 | */ | |
293 | if (fips_enabled) | |
294 | panic("Jitter RNG permanent health test failure\n"); | |
295 | ||
296 | pr_err("Jitter RNG permanent health test failure\n"); | |
297 | ret = -EFAULT; | |
298 | } else if (ret == -2) { | |
299 | /* Handle intermittent health test error */ | |
300 | pr_warn_ratelimited("Reset Jitter RNG due to intermittent health test failure\n"); | |
764428fe | 301 | ret = -EAGAIN; |
3fde2fe9 SM |
302 | } else if (ret == -1) { |
303 | /* Handle other errors */ | |
304 | ret = -EINVAL; | |
764428fe SM |
305 | } |
306 | ||
dfc9fa91 SM |
307 | spin_unlock(&rng->jent_lock); |
308 | ||
309 | return ret; | |
310 | } | |
311 | ||
312 | static int jent_kcapi_reset(struct crypto_rng *tfm, | |
313 | const u8 *seed, unsigned int slen) | |
314 | { | |
315 | return 0; | |
316 | } | |
317 | ||
318 | static struct rng_alg jent_alg = { | |
319 | .generate = jent_kcapi_random, | |
320 | .seed = jent_kcapi_reset, | |
321 | .seedsize = 0, | |
322 | .base = { | |
323 | .cra_name = "jitterentropy_rng", | |
324 | .cra_driver_name = "jitterentropy_rng", | |
325 | .cra_priority = 100, | |
326 | .cra_ctxsize = sizeof(struct jitterentropy), | |
327 | .cra_module = THIS_MODULE, | |
328 | .cra_init = jent_kcapi_init, | |
329 | .cra_exit = jent_kcapi_cleanup, | |
dfc9fa91 SM |
330 | } |
331 | }; | |
332 | ||
333 | static int __init jent_mod_init(void) | |
334 | { | |
bb897c55 SM |
335 | SHASH_DESC_ON_STACK(desc, tfm); |
336 | struct crypto_shash *tfm; | |
dfc9fa91 SM |
337 | int ret = 0; |
338 | ||
69f1c387 SM |
339 | jent_testing_init(); |
340 | ||
bb897c55 | 341 | tfm = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0); |
69f1c387 SM |
342 | if (IS_ERR(tfm)) { |
343 | jent_testing_exit(); | |
bb897c55 | 344 | return PTR_ERR(tfm); |
69f1c387 | 345 | } |
bb897c55 SM |
346 | |
347 | desc->tfm = tfm; | |
348 | crypto_shash_init(desc); | |
8405ec8e | 349 | ret = jent_entropy_init(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, desc, NULL); |
bb897c55 SM |
350 | shash_desc_zero(desc); |
351 | crypto_free_shash(tfm); | |
dfc9fa91 | 352 | if (ret) { |
3fde2fe9 SM |
353 | /* Handle permanent health test error */ |
354 | if (fips_enabled) | |
355 | panic("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret); | |
356 | ||
69f1c387 | 357 | jent_testing_exit(); |
dfc9fa91 SM |
358 | pr_info("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret); |
359 | return -EFAULT; | |
360 | } | |
361 | return crypto_register_rng(&jent_alg); | |
362 | } | |
363 | ||
364 | static void __exit jent_mod_exit(void) | |
365 | { | |
69f1c387 | 366 | jent_testing_exit(); |
dfc9fa91 SM |
367 | crypto_unregister_rng(&jent_alg); |
368 | } | |
369 | ||
9c5b34c2 | 370 | module_init(jent_mod_init); |
dfc9fa91 SM |
371 | module_exit(jent_mod_exit); |
372 | ||
373 | MODULE_LICENSE("Dual BSD/GPL"); | |
374 | MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); | |
375 | MODULE_DESCRIPTION("Non-physical True Random Number Generator based on CPU Jitter"); | |
376 | MODULE_ALIAS_CRYPTO("jitterentropy_rng"); |