Commit | Line | Data |
---|---|---|
a07fdae3 | 1 | // SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause) |
1da177e4 | 2 | /* |
9f9eff85 | 3 | * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
9e95ce27 | 4 | * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005 |
5f75d9f3 JD |
5 | * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All rights reserved. |
6 | * | |
7 | * This driver produces cryptographically secure pseudorandom data. It is divided | |
8 | * into roughly six sections, each with a section header: | |
9 | * | |
10 | * - Initialization and readiness waiting. | |
11 | * - Fast key erasure RNG, the "crng". | |
12 | * - Entropy accumulation and extraction routines. | |
13 | * - Entropy collection routines. | |
14 | * - Userspace reader/writer interfaces. | |
15 | * - Sysctl interface. | |
16 | * | |
17 | * The high level overview is that there is one input pool, into which | |
e85c0fc1 JD |
18 | * various pieces of data are hashed. Prior to initialization, some of that |
19 | * data is then "credited" as having a certain number of bits of entropy. | |
20 | * When enough bits of entropy are available, the hash is finalized and | |
21 | * handed as a key to a stream cipher that expands it indefinitely for | |
22 | * various consumers. This key is periodically refreshed as the various | |
23 | * entropy collectors, described below, add data to the input pool. | |
1da177e4 LT |
24 | */ |
25 | ||
12cd53af YL |
26 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
27 | ||
1da177e4 | 28 | #include <linux/utsname.h> |
1da177e4 LT |
29 | #include <linux/module.h> |
30 | #include <linux/kernel.h> | |
31 | #include <linux/major.h> | |
32 | #include <linux/string.h> | |
33 | #include <linux/fcntl.h> | |
34 | #include <linux/slab.h> | |
35 | #include <linux/random.h> | |
36 | #include <linux/poll.h> | |
37 | #include <linux/init.h> | |
38 | #include <linux/fs.h> | |
322cbb50 | 39 | #include <linux/blkdev.h> |
1da177e4 | 40 | #include <linux/interrupt.h> |
27ac792c | 41 | #include <linux/mm.h> |
dd0f0cf5 | 42 | #include <linux/nodemask.h> |
1da177e4 | 43 | #include <linux/spinlock.h> |
c84dbf61 | 44 | #include <linux/kthread.h> |
1da177e4 | 45 | #include <linux/percpu.h> |
775f4b29 | 46 | #include <linux/ptrace.h> |
6265e169 | 47 | #include <linux/workqueue.h> |
0244ad00 | 48 | #include <linux/irq.h> |
4e00b339 | 49 | #include <linux/ratelimit.h> |
c6e9d6f3 TT |
50 | #include <linux/syscalls.h> |
51 | #include <linux/completion.h> | |
8da4b8c4 | 52 | #include <linux/uuid.h> |
87e7d5ab | 53 | #include <linux/uaccess.h> |
b7b67d13 | 54 | #include <linux/suspend.h> |
e73aaae2 | 55 | #include <linux/siphash.h> |
1ca1b917 | 56 | #include <crypto/chacha.h> |
9f9eff85 | 57 | #include <crypto/blake2s.h> |
1da177e4 | 58 | #include <asm/processor.h> |
1da177e4 | 59 | #include <asm/irq.h> |
775f4b29 | 60 | #include <asm/irq_regs.h> |
1da177e4 LT |
61 | #include <asm/io.h> |
62 | ||
5f1bb112 JD |
63 | /********************************************************************* |
64 | * | |
65 | * Initialization and readiness waiting. | |
66 | * | |
67 | * Much of the RNG infrastructure is devoted to various dependencies | |
68 | * being able to wait until the RNG has collected enough entropy and | |
69 | * is ready for safe consumption. | |
70 | * | |
71 | *********************************************************************/ | |
205a525c | 72 | |
e192be9d | 73 | /* |
5f1bb112 | 74 | * crng_init is protected by base_crng->lock, and only increases |
e3d2c5e7 | 75 | * its value (from empty->early->ready). |
e192be9d | 76 | */ |
e3d2c5e7 JD |
77 | static enum { |
78 | CRNG_EMPTY = 0, /* Little to no entropy collected */ | |
79 | CRNG_EARLY = 1, /* At least POOL_EARLY_BITS collected */ | |
80 | CRNG_READY = 2 /* Fully initialized with POOL_READY_BITS collected */ | |
f5bda35f JD |
81 | } crng_init __read_mostly = CRNG_EMPTY; |
82 | static DEFINE_STATIC_KEY_FALSE(crng_is_ready); | |
83 | #define crng_ready() (static_branch_likely(&crng_is_ready) || crng_init >= CRNG_READY) | |
e3d2c5e7 | 84 | /* Various types of waiters for crng_init->CRNG_READY transition. */ |
5f1bb112 JD |
85 | static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait); |
86 | static struct fasync_struct *fasync; | |
e192be9d | 87 | |
5f1bb112 | 88 | /* Control how we warn userspace. */ |
0313bc27 LT |
89 | static struct ratelimit_state urandom_warning = |
90 | RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3); | |
cc1e127b JD |
91 | static int ratelimit_disable __read_mostly = |
92 | IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM); | |
4e00b339 TT |
93 | module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); |
94 | MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); | |
95 | ||
5f1bb112 JD |
96 | /* |
97 | * Returns whether or not the input pool has been seeded and thus guaranteed | |
0313bc27 LT |
98 | * to supply cryptographically secure random numbers. This applies to: the |
99 | * /dev/urandom device, the get_random_bytes function, and the get_random_{u32, | |
100 | * ,u64,int,long} family of functions. | |
5f1bb112 JD |
101 | * |
102 | * Returns: true if the input pool has been seeded. | |
103 | * false if the input pool has not been seeded. | |
104 | */ | |
105 | bool rng_is_initialized(void) | |
106 | { | |
107 | return crng_ready(); | |
108 | } | |
109 | EXPORT_SYMBOL(rng_is_initialized); | |
110 | ||
560181c2 | 111 | static void __cold crng_set_ready(struct work_struct *work) |
f5bda35f JD |
112 | { |
113 | static_branch_enable(&crng_is_ready); | |
114 | } | |
115 | ||
5f1bb112 JD |
116 | /* Used by wait_for_random_bytes(), and considered an entropy collector, below. */ |
117 | static void try_to_generate_entropy(void); | |
118 | ||
119 | /* | |
120 | * Wait for the input pool to be seeded and thus guaranteed to supply | |
0313bc27 LT |
121 | * cryptographically secure random numbers. This applies to: the /dev/urandom |
122 | * device, the get_random_bytes function, and the get_random_{u32,u64,int,long} | |
123 | * family of functions. Using any of these functions without first calling | |
124 | * this function forfeits the guarantee of security. | |
5f1bb112 JD |
125 | * |
126 | * Returns: 0 if the input pool has been seeded. | |
127 | * -ERESTARTSYS if the function was interrupted by a signal. | |
128 | */ | |
129 | int wait_for_random_bytes(void) | |
130 | { | |
a96cfe2d | 131 | while (!crng_ready()) { |
5f1bb112 | 132 | int ret; |
3e504d20 JD |
133 | |
134 | try_to_generate_entropy(); | |
5f1bb112 JD |
135 | ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ); |
136 | if (ret) | |
137 | return ret > 0 ? 0 : ret; | |
a96cfe2d | 138 | } |
5f1bb112 JD |
139 | return 0; |
140 | } | |
141 | EXPORT_SYMBOL(wait_for_random_bytes); | |
142 | ||
cc1e127b | 143 | #define warn_unseeded_randomness() \ |
560181c2 JD |
144 | if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready()) \ |
145 | printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n", \ | |
146 | __func__, (void *)_RET_IP_, crng_init) | |
5f1bb112 JD |
147 | |
148 | ||
3655adc7 | 149 | /********************************************************************* |
1da177e4 | 150 | * |
3655adc7 | 151 | * Fast key erasure RNG, the "crng". |
1da177e4 | 152 | * |
3655adc7 JD |
153 | * These functions expand entropy from the entropy extractor into |
154 | * long streams for external consumption using the "fast key erasure" | |
155 | * RNG described at <https://blog.cr.yp.to/20170723-random.html>. | |
e192be9d | 156 | * |
3655adc7 JD |
157 | * There are a few exported interfaces for use by other drivers: |
158 | * | |
a1940263 | 159 | * void get_random_bytes(void *buf, size_t len) |
3655adc7 JD |
160 | * u32 get_random_u32() |
161 | * u64 get_random_u64() | |
162 | * unsigned int get_random_int() | |
163 | * unsigned long get_random_long() | |
164 | * | |
165 | * These interfaces will return the requested number of random bytes | |
0313bc27 | 166 | * into the given buffer or as a return value. This is equivalent to |
dd7aa36e JD |
167 | * a read from /dev/urandom. The u32, u64, int, and long family of |
168 | * functions may be higher performance for one-off random integers, | |
169 | * because they do a bit of buffering and do not invoke reseeding | |
170 | * until the buffer is emptied. | |
e192be9d TT |
171 | * |
172 | *********************************************************************/ | |
173 | ||
e85c0fc1 JD |
174 | enum { |
175 | CRNG_RESEED_START_INTERVAL = HZ, | |
176 | CRNG_RESEED_INTERVAL = 60 * HZ | |
177 | }; | |
186873c5 JD |
178 | |
179 | static struct { | |
180 | u8 key[CHACHA_KEY_SIZE] __aligned(__alignof__(long)); | |
181 | unsigned long birth; | |
182 | unsigned long generation; | |
183 | spinlock_t lock; | |
184 | } base_crng = { | |
185 | .lock = __SPIN_LOCK_UNLOCKED(base_crng.lock) | |
186 | }; | |
187 | ||
188 | struct crng { | |
189 | u8 key[CHACHA_KEY_SIZE]; | |
190 | unsigned long generation; | |
191 | local_lock_t lock; | |
192 | }; | |
193 | ||
194 | static DEFINE_PER_CPU(struct crng, crngs) = { | |
195 | .generation = ULONG_MAX, | |
196 | .lock = INIT_LOCAL_LOCK(crngs.lock), | |
197 | }; | |
e192be9d | 198 | |
e85c0fc1 | 199 | /* Used by crng_reseed() and crng_make_state() to extract a new seed from the input pool. */ |
a1940263 | 200 | static void extract_entropy(void *buf, size_t len); |
e192be9d | 201 | |
e85c0fc1 JD |
202 | /* This extracts a new crng key from the input pool. */ |
203 | static void crng_reseed(void) | |
e192be9d | 204 | { |
248045b8 | 205 | unsigned long flags; |
186873c5 JD |
206 | unsigned long next_gen; |
207 | u8 key[CHACHA_KEY_SIZE]; | |
e192be9d | 208 | |
e85c0fc1 | 209 | extract_entropy(key, sizeof(key)); |
a9412d51 | 210 | |
186873c5 JD |
211 | /* |
212 | * We copy the new key into the base_crng, overwriting the old one, | |
213 | * and update the generation counter. We avoid hitting ULONG_MAX, | |
214 | * because the per-cpu crngs are initialized to ULONG_MAX, so this | |
215 | * forces new CPUs that come online to always initialize. | |
216 | */ | |
217 | spin_lock_irqsave(&base_crng.lock, flags); | |
218 | memcpy(base_crng.key, key, sizeof(base_crng.key)); | |
219 | next_gen = base_crng.generation + 1; | |
220 | if (next_gen == ULONG_MAX) | |
221 | ++next_gen; | |
222 | WRITE_ONCE(base_crng.generation, next_gen); | |
223 | WRITE_ONCE(base_crng.birth, jiffies); | |
f5bda35f | 224 | if (!static_branch_likely(&crng_is_ready)) |
e3d2c5e7 | 225 | crng_init = CRNG_READY; |
7191c628 DB |
226 | spin_unlock_irqrestore(&base_crng.lock, flags); |
227 | memzero_explicit(key, sizeof(key)); | |
e192be9d TT |
228 | } |
229 | ||
186873c5 | 230 | /* |
3655adc7 JD |
231 | * This generates a ChaCha block using the provided key, and then |
232 | * immediately overwites that key with half the block. It returns | |
233 | * the resultant ChaCha state to the user, along with the second | |
234 | * half of the block containing 32 bytes of random data that may | |
235 | * be used; random_data_len may not be greater than 32. | |
8717627d JD |
236 | * |
237 | * The returned ChaCha state contains within it a copy of the old | |
238 | * key value, at index 4, so the state should always be zeroed out | |
239 | * immediately after using in order to maintain forward secrecy. | |
240 | * If the state cannot be erased in a timely manner, then it is | |
241 | * safer to set the random_data parameter to &chacha_state[4] so | |
242 | * that this function overwrites it before returning. | |
186873c5 JD |
243 | */ |
244 | static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], | |
245 | u32 chacha_state[CHACHA_STATE_WORDS], | |
246 | u8 *random_data, size_t random_data_len) | |
e192be9d | 247 | { |
186873c5 | 248 | u8 first_block[CHACHA_BLOCK_SIZE]; |
009ba856 | 249 | |
186873c5 JD |
250 | BUG_ON(random_data_len > 32); |
251 | ||
252 | chacha_init_consts(chacha_state); | |
253 | memcpy(&chacha_state[4], key, CHACHA_KEY_SIZE); | |
254 | memset(&chacha_state[12], 0, sizeof(u32) * 4); | |
255 | chacha20_block(chacha_state, first_block); | |
256 | ||
257 | memcpy(key, first_block, CHACHA_KEY_SIZE); | |
8717627d | 258 | memcpy(random_data, first_block + CHACHA_KEY_SIZE, random_data_len); |
186873c5 | 259 | memzero_explicit(first_block, sizeof(first_block)); |
1e7f583a TT |
260 | } |
261 | ||
7a7ff644 | 262 | /* |
e85c0fc1 JD |
263 | * Return whether the crng seed is considered to be sufficiently old |
264 | * that a reseeding is needed. This happens if the last reseeding | |
265 | * was CRNG_RESEED_INTERVAL ago, or during early boot, at an interval | |
266 | * proportional to the uptime. | |
7a7ff644 JD |
267 | */ |
268 | static bool crng_has_old_seed(void) | |
269 | { | |
270 | static bool early_boot = true; | |
271 | unsigned long interval = CRNG_RESEED_INTERVAL; | |
272 | ||
273 | if (unlikely(READ_ONCE(early_boot))) { | |
274 | time64_t uptime = ktime_get_seconds(); | |
275 | if (uptime >= CRNG_RESEED_INTERVAL / HZ * 2) | |
276 | WRITE_ONCE(early_boot, false); | |
277 | else | |
e85c0fc1 | 278 | interval = max_t(unsigned int, CRNG_RESEED_START_INTERVAL, |
7a7ff644 JD |
279 | (unsigned int)uptime / 2 * HZ); |
280 | } | |
8a5b8a4a | 281 | return time_is_before_jiffies(READ_ONCE(base_crng.birth) + interval); |
7a7ff644 JD |
282 | } |
283 | ||
c92e040d | 284 | /* |
186873c5 JD |
285 | * This function returns a ChaCha state that you may use for generating |
286 | * random data. It also returns up to 32 bytes on its own of random data | |
287 | * that may be used; random_data_len may not be greater than 32. | |
c92e040d | 288 | */ |
186873c5 JD |
289 | static void crng_make_state(u32 chacha_state[CHACHA_STATE_WORDS], |
290 | u8 *random_data, size_t random_data_len) | |
c92e040d | 291 | { |
248045b8 | 292 | unsigned long flags; |
186873c5 | 293 | struct crng *crng; |
c92e040d | 294 | |
186873c5 JD |
295 | BUG_ON(random_data_len > 32); |
296 | ||
297 | /* | |
298 | * For the fast path, we check whether we're ready, unlocked first, and | |
299 | * then re-check once locked later. In the case where we're really not | |
5c3b747e | 300 | * ready, we do fast key erasure with the base_crng directly, extracting |
e3d2c5e7 | 301 | * when crng_init is CRNG_EMPTY. |
186873c5 | 302 | */ |
a96cfe2d | 303 | if (!crng_ready()) { |
186873c5 JD |
304 | bool ready; |
305 | ||
306 | spin_lock_irqsave(&base_crng.lock, flags); | |
307 | ready = crng_ready(); | |
5c3b747e | 308 | if (!ready) { |
e3d2c5e7 | 309 | if (crng_init == CRNG_EMPTY) |
5c3b747e | 310 | extract_entropy(base_crng.key, sizeof(base_crng.key)); |
186873c5 JD |
311 | crng_fast_key_erasure(base_crng.key, chacha_state, |
312 | random_data, random_data_len); | |
5c3b747e | 313 | } |
186873c5 JD |
314 | spin_unlock_irqrestore(&base_crng.lock, flags); |
315 | if (!ready) | |
316 | return; | |
c92e040d | 317 | } |
186873c5 JD |
318 | |
319 | /* | |
e85c0fc1 JD |
320 | * If the base_crng is old enough, we reseed, which in turn bumps the |
321 | * generation counter that we check below. | |
186873c5 | 322 | */ |
7a7ff644 | 323 | if (unlikely(crng_has_old_seed())) |
e85c0fc1 | 324 | crng_reseed(); |
186873c5 JD |
325 | |
326 | local_lock_irqsave(&crngs.lock, flags); | |
327 | crng = raw_cpu_ptr(&crngs); | |
328 | ||
329 | /* | |
330 | * If our per-cpu crng is older than the base_crng, then it means | |
331 | * somebody reseeded the base_crng. In that case, we do fast key | |
332 | * erasure on the base_crng, and use its output as the new key | |
333 | * for our per-cpu crng. This brings us up to date with base_crng. | |
334 | */ | |
335 | if (unlikely(crng->generation != READ_ONCE(base_crng.generation))) { | |
336 | spin_lock(&base_crng.lock); | |
337 | crng_fast_key_erasure(base_crng.key, chacha_state, | |
338 | crng->key, sizeof(crng->key)); | |
339 | crng->generation = base_crng.generation; | |
340 | spin_unlock(&base_crng.lock); | |
341 | } | |
342 | ||
343 | /* | |
344 | * Finally, when we've made it this far, our per-cpu crng has an up | |
345 | * to date key, and we can do fast key erasure with it to produce | |
346 | * some random data and a ChaCha state for the caller. All other | |
347 | * branches of this function are "unlikely", so most of the time we | |
348 | * should wind up here immediately. | |
349 | */ | |
350 | crng_fast_key_erasure(crng->key, chacha_state, random_data, random_data_len); | |
351 | local_unlock_irqrestore(&crngs.lock, flags); | |
c92e040d TT |
352 | } |
353 | ||
a1940263 | 354 | static void _get_random_bytes(void *buf, size_t len) |
e192be9d | 355 | { |
186873c5 | 356 | u32 chacha_state[CHACHA_STATE_WORDS]; |
3655adc7 | 357 | u8 tmp[CHACHA_BLOCK_SIZE]; |
a1940263 | 358 | size_t first_block_len; |
3655adc7 | 359 | |
a1940263 | 360 | if (!len) |
3655adc7 JD |
361 | return; |
362 | ||
a1940263 JD |
363 | first_block_len = min_t(size_t, 32, len); |
364 | crng_make_state(chacha_state, buf, first_block_len); | |
365 | len -= first_block_len; | |
366 | buf += first_block_len; | |
3655adc7 | 367 | |
a1940263 JD |
368 | while (len) { |
369 | if (len < CHACHA_BLOCK_SIZE) { | |
3655adc7 | 370 | chacha20_block(chacha_state, tmp); |
a1940263 | 371 | memcpy(buf, tmp, len); |
3655adc7 JD |
372 | memzero_explicit(tmp, sizeof(tmp)); |
373 | break; | |
374 | } | |
375 | ||
376 | chacha20_block(chacha_state, buf); | |
377 | if (unlikely(chacha_state[12] == 0)) | |
378 | ++chacha_state[13]; | |
a1940263 | 379 | len -= CHACHA_BLOCK_SIZE; |
3655adc7 JD |
380 | buf += CHACHA_BLOCK_SIZE; |
381 | } | |
382 | ||
383 | memzero_explicit(chacha_state, sizeof(chacha_state)); | |
384 | } | |
385 | ||
386 | /* | |
387 | * This function is the exported kernel interface. It returns some | |
388 | * number of good random numbers, suitable for key generation, seeding | |
248561ad JD |
389 | * TCP sequence numbers, etc. In order to ensure that the randomness |
390 | * by this function is okay, the function wait_for_random_bytes() | |
391 | * should be called and return 0 at least once at any point prior. | |
3655adc7 | 392 | */ |
a1940263 | 393 | void get_random_bytes(void *buf, size_t len) |
3655adc7 | 394 | { |
cc1e127b | 395 | warn_unseeded_randomness(); |
a1940263 | 396 | _get_random_bytes(buf, len); |
3655adc7 JD |
397 | } |
398 | EXPORT_SYMBOL(get_random_bytes); | |
399 | ||
1b388e77 | 400 | static ssize_t get_random_bytes_user(struct iov_iter *iter) |
3655adc7 | 401 | { |
3655adc7 | 402 | u32 chacha_state[CHACHA_STATE_WORDS]; |
1b388e77 JA |
403 | u8 block[CHACHA_BLOCK_SIZE]; |
404 | size_t ret = 0, copied; | |
3655adc7 | 405 | |
1b388e77 | 406 | if (unlikely(!iov_iter_count(iter))) |
3655adc7 JD |
407 | return 0; |
408 | ||
aba120cc JD |
409 | /* |
410 | * Immediately overwrite the ChaCha key at index 4 with random | |
411 | * bytes, in case userspace causes copy_to_user() below to sleep | |
412 | * forever, so that we still retain forward secrecy in that case. | |
413 | */ | |
414 | crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE); | |
415 | /* | |
416 | * However, if we're doing a read of len <= 32, we don't need to | |
417 | * use chacha_state after, so we can simply return those bytes to | |
418 | * the user directly. | |
419 | */ | |
1b388e77 JA |
420 | if (iov_iter_count(iter) <= CHACHA_KEY_SIZE) { |
421 | ret = copy_to_iter(&chacha_state[4], CHACHA_KEY_SIZE, iter); | |
aba120cc JD |
422 | goto out_zero_chacha; |
423 | } | |
3655adc7 | 424 | |
5209aed5 | 425 | for (;;) { |
1b388e77 | 426 | chacha20_block(chacha_state, block); |
3655adc7 JD |
427 | if (unlikely(chacha_state[12] == 0)) |
428 | ++chacha_state[13]; | |
429 | ||
1b388e77 JA |
430 | copied = copy_to_iter(block, sizeof(block), iter); |
431 | ret += copied; | |
432 | if (!iov_iter_count(iter) || copied != sizeof(block)) | |
5209aed5 | 433 | break; |
e3c1c4fd | 434 | |
1b388e77 | 435 | BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0); |
5209aed5 | 436 | if (ret % PAGE_SIZE == 0) { |
e3c1c4fd JD |
437 | if (signal_pending(current)) |
438 | break; | |
439 | cond_resched(); | |
440 | } | |
5209aed5 | 441 | } |
3655adc7 | 442 | |
1b388e77 | 443 | memzero_explicit(block, sizeof(block)); |
aba120cc JD |
444 | out_zero_chacha: |
445 | memzero_explicit(chacha_state, sizeof(chacha_state)); | |
5209aed5 | 446 | return ret ? ret : -EFAULT; |
3655adc7 JD |
447 | } |
448 | ||
449 | /* | |
450 | * Batched entropy returns random integers. The quality of the random | |
451 | * number is good as /dev/urandom. In order to ensure that the randomness | |
452 | * provided by this function is okay, the function wait_for_random_bytes() | |
453 | * should be called and return 0 at least once at any point prior. | |
454 | */ | |
3655adc7 | 455 | |
3092adce JD |
456 | #define DEFINE_BATCHED_ENTROPY(type) \ |
457 | struct batch_ ##type { \ | |
458 | /* \ | |
459 | * We make this 1.5x a ChaCha block, so that we get the \ | |
460 | * remaining 32 bytes from fast key erasure, plus one full \ | |
461 | * block from the detached ChaCha state. We can increase \ | |
462 | * the size of this later if needed so long as we keep the \ | |
463 | * formula of (integer_blocks + 0.5) * CHACHA_BLOCK_SIZE. \ | |
464 | */ \ | |
465 | type entropy[CHACHA_BLOCK_SIZE * 3 / (2 * sizeof(type))]; \ | |
466 | local_lock_t lock; \ | |
467 | unsigned long generation; \ | |
468 | unsigned int position; \ | |
469 | }; \ | |
470 | \ | |
471 | static DEFINE_PER_CPU(struct batch_ ##type, batched_entropy_ ##type) = { \ | |
472 | .lock = INIT_LOCAL_LOCK(batched_entropy_ ##type.lock), \ | |
473 | .position = UINT_MAX \ | |
474 | }; \ | |
475 | \ | |
476 | type get_random_ ##type(void) \ | |
477 | { \ | |
478 | type ret; \ | |
479 | unsigned long flags; \ | |
480 | struct batch_ ##type *batch; \ | |
481 | unsigned long next_gen; \ | |
482 | \ | |
483 | warn_unseeded_randomness(); \ | |
484 | \ | |
485 | if (!crng_ready()) { \ | |
486 | _get_random_bytes(&ret, sizeof(ret)); \ | |
487 | return ret; \ | |
488 | } \ | |
489 | \ | |
490 | local_lock_irqsave(&batched_entropy_ ##type.lock, flags); \ | |
491 | batch = raw_cpu_ptr(&batched_entropy_##type); \ | |
492 | \ | |
493 | next_gen = READ_ONCE(base_crng.generation); \ | |
494 | if (batch->position >= ARRAY_SIZE(batch->entropy) || \ | |
495 | next_gen != batch->generation) { \ | |
496 | _get_random_bytes(batch->entropy, sizeof(batch->entropy)); \ | |
497 | batch->position = 0; \ | |
498 | batch->generation = next_gen; \ | |
499 | } \ | |
500 | \ | |
501 | ret = batch->entropy[batch->position]; \ | |
502 | batch->entropy[batch->position] = 0; \ | |
503 | ++batch->position; \ | |
504 | local_unlock_irqrestore(&batched_entropy_ ##type.lock, flags); \ | |
505 | return ret; \ | |
506 | } \ | |
507 | EXPORT_SYMBOL(get_random_ ##type); | |
508 | ||
509 | DEFINE_BATCHED_ENTROPY(u64) | |
510 | DEFINE_BATCHED_ENTROPY(u32) | |
3655adc7 | 511 | |
3191dd5a JD |
512 | #ifdef CONFIG_SMP |
513 | /* | |
514 | * This function is called when the CPU is coming up, with entry | |
515 | * CPUHP_RANDOM_PREPARE, which comes before CPUHP_WORKQUEUE_PREP. | |
516 | */ | |
560181c2 | 517 | int __cold random_prepare_cpu(unsigned int cpu) |
3191dd5a JD |
518 | { |
519 | /* | |
520 | * When the cpu comes back online, immediately invalidate both | |
521 | * the per-cpu crng and all batches, so that we serve fresh | |
522 | * randomness. | |
523 | */ | |
524 | per_cpu_ptr(&crngs, cpu)->generation = ULONG_MAX; | |
525 | per_cpu_ptr(&batched_entropy_u32, cpu)->position = UINT_MAX; | |
526 | per_cpu_ptr(&batched_entropy_u64, cpu)->position = UINT_MAX; | |
527 | return 0; | |
528 | } | |
529 | #endif | |
530 | ||
a5ed7cb1 JD |
531 | |
532 | /********************************************************************** | |
533 | * | |
534 | * Entropy accumulation and extraction routines. | |
535 | * | |
536 | * Callers may add entropy via: | |
537 | * | |
a1940263 | 538 | * static void mix_pool_bytes(const void *buf, size_t len) |
a5ed7cb1 JD |
539 | * |
540 | * After which, if added entropy should be credited: | |
541 | * | |
a1940263 | 542 | * static void credit_init_bits(size_t bits) |
a5ed7cb1 | 543 | * |
e85c0fc1 | 544 | * Finally, extract entropy via: |
a5ed7cb1 | 545 | * |
a1940263 | 546 | * static void extract_entropy(void *buf, size_t len) |
a5ed7cb1 JD |
547 | * |
548 | **********************************************************************/ | |
549 | ||
3655adc7 JD |
550 | enum { |
551 | POOL_BITS = BLAKE2S_HASH_SIZE * 8, | |
e3d2c5e7 JD |
552 | POOL_READY_BITS = POOL_BITS, /* When crng_init->CRNG_READY */ |
553 | POOL_EARLY_BITS = POOL_READY_BITS / 2 /* When crng_init->CRNG_EARLY */ | |
3655adc7 JD |
554 | }; |
555 | ||
3655adc7 JD |
556 | static struct { |
557 | struct blake2s_state hash; | |
558 | spinlock_t lock; | |
e85c0fc1 | 559 | unsigned int init_bits; |
3655adc7 JD |
560 | } input_pool = { |
561 | .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE), | |
562 | BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4, | |
563 | BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 }, | |
564 | .hash.outlen = BLAKE2S_HASH_SIZE, | |
565 | .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock), | |
566 | }; | |
567 | ||
a1940263 | 568 | static void _mix_pool_bytes(const void *buf, size_t len) |
a5ed7cb1 | 569 | { |
a1940263 | 570 | blake2s_update(&input_pool.hash, buf, len); |
a5ed7cb1 | 571 | } |
3655adc7 JD |
572 | |
573 | /* | |
e85c0fc1 JD |
574 | * This function adds bytes into the input pool. It does not |
575 | * update the initialization bit counter; the caller should call | |
576 | * credit_init_bits if this is appropriate. | |
3655adc7 | 577 | */ |
a1940263 | 578 | static void mix_pool_bytes(const void *buf, size_t len) |
3655adc7 | 579 | { |
a5ed7cb1 JD |
580 | unsigned long flags; |
581 | ||
582 | spin_lock_irqsave(&input_pool.lock, flags); | |
a1940263 | 583 | _mix_pool_bytes(buf, len); |
a5ed7cb1 | 584 | spin_unlock_irqrestore(&input_pool.lock, flags); |
3655adc7 JD |
585 | } |
586 | ||
a5ed7cb1 JD |
587 | /* |
588 | * This is an HKDF-like construction for using the hashed collected entropy | |
589 | * as a PRF key, that's then expanded block-by-block. | |
590 | */ | |
a1940263 | 591 | static void extract_entropy(void *buf, size_t len) |
3655adc7 JD |
592 | { |
593 | unsigned long flags; | |
a5ed7cb1 JD |
594 | u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE]; |
595 | struct { | |
596 | unsigned long rdseed[32 / sizeof(long)]; | |
597 | size_t counter; | |
598 | } block; | |
599 | size_t i; | |
600 | ||
601 | for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) { | |
602 | if (!arch_get_random_seed_long(&block.rdseed[i]) && | |
603 | !arch_get_random_long(&block.rdseed[i])) | |
604 | block.rdseed[i] = random_get_entropy(); | |
605 | } | |
3655adc7 JD |
606 | |
607 | spin_lock_irqsave(&input_pool.lock, flags); | |
a5ed7cb1 JD |
608 | |
609 | /* seed = HASHPRF(last_key, entropy_input) */ | |
610 | blake2s_final(&input_pool.hash, seed); | |
611 | ||
612 | /* next_key = HASHPRF(seed, RDSEED || 0) */ | |
613 | block.counter = 0; | |
614 | blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed)); | |
615 | blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key)); | |
616 | ||
3655adc7 | 617 | spin_unlock_irqrestore(&input_pool.lock, flags); |
a5ed7cb1 JD |
618 | memzero_explicit(next_key, sizeof(next_key)); |
619 | ||
a1940263 JD |
620 | while (len) { |
621 | i = min_t(size_t, len, BLAKE2S_HASH_SIZE); | |
a5ed7cb1 JD |
622 | /* output = HASHPRF(seed, RDSEED || ++counter) */ |
623 | ++block.counter; | |
624 | blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed)); | |
a1940263 | 625 | len -= i; |
a5ed7cb1 JD |
626 | buf += i; |
627 | } | |
628 | ||
629 | memzero_explicit(seed, sizeof(seed)); | |
630 | memzero_explicit(&block, sizeof(block)); | |
631 | } | |
632 | ||
560181c2 JD |
633 | #define credit_init_bits(bits) if (!crng_ready()) _credit_init_bits(bits) |
634 | ||
635 | static void __cold _credit_init_bits(size_t bits) | |
5c3b747e | 636 | { |
f5bda35f | 637 | static struct execute_work set_ready; |
fed7ef06 | 638 | unsigned int new, orig, add; |
5c3b747e JD |
639 | unsigned long flags; |
640 | ||
560181c2 | 641 | if (!bits) |
5c3b747e JD |
642 | return; |
643 | ||
a1940263 | 644 | add = min_t(size_t, bits, POOL_BITS); |
5c3b747e JD |
645 | |
646 | do { | |
e85c0fc1 | 647 | orig = READ_ONCE(input_pool.init_bits); |
fed7ef06 JD |
648 | new = min_t(unsigned int, POOL_BITS, orig + add); |
649 | } while (cmpxchg(&input_pool.init_bits, orig, new) != orig); | |
5c3b747e | 650 | |
68c9c8b1 JD |
651 | if (orig < POOL_READY_BITS && new >= POOL_READY_BITS) { |
652 | crng_reseed(); /* Sets crng_init to CRNG_READY under base_crng.lock. */ | |
f5bda35f | 653 | execute_in_process_context(crng_set_ready, &set_ready); |
68c9c8b1 JD |
654 | wake_up_interruptible(&crng_init_wait); |
655 | kill_fasync(&fasync, SIGIO, POLL_IN); | |
656 | pr_notice("crng init done\n"); | |
cc1e127b | 657 | if (urandom_warning.missed) |
68c9c8b1 JD |
658 | pr_notice("%d urandom warning(s) missed due to ratelimiting\n", |
659 | urandom_warning.missed); | |
68c9c8b1 | 660 | } else if (orig < POOL_EARLY_BITS && new >= POOL_EARLY_BITS) { |
5c3b747e | 661 | spin_lock_irqsave(&base_crng.lock, flags); |
68c9c8b1 | 662 | /* Check if crng_init is CRNG_EMPTY, to avoid race with crng_reseed(). */ |
e3d2c5e7 | 663 | if (crng_init == CRNG_EMPTY) { |
5c3b747e | 664 | extract_entropy(base_crng.key, sizeof(base_crng.key)); |
e3d2c5e7 | 665 | crng_init = CRNG_EARLY; |
5c3b747e JD |
666 | } |
667 | spin_unlock_irqrestore(&base_crng.lock, flags); | |
668 | } | |
669 | } | |
670 | ||
92c653cf JD |
671 | |
672 | /********************************************************************** | |
673 | * | |
674 | * Entropy collection routines. | |
675 | * | |
676 | * The following exported functions are used for pushing entropy into | |
677 | * the above entropy accumulation routines: | |
678 | * | |
a1940263 JD |
679 | * void add_device_randomness(const void *buf, size_t len); |
680 | * void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy); | |
681 | * void add_bootloader_randomness(const void *buf, size_t len); | |
682 | * void add_vmfork_randomness(const void *unique_vm_id, size_t len); | |
92c653cf | 683 | * void add_interrupt_randomness(int irq); |
a1940263 | 684 | * void add_input_randomness(unsigned int type, unsigned int code, unsigned int value); |
a4b5c26b | 685 | * void add_disk_randomness(struct gendisk *disk); |
92c653cf JD |
686 | * |
687 | * add_device_randomness() adds data to the input pool that | |
688 | * is likely to differ between two devices (or possibly even per boot). | |
689 | * This would be things like MAC addresses or serial numbers, or the | |
690 | * read-out of the RTC. This does *not* credit any actual entropy to | |
691 | * the pool, but it initializes the pool to different values for devices | |
692 | * that might otherwise be identical and have very little entropy | |
693 | * available to them (particularly common in the embedded world). | |
694 | * | |
92c653cf JD |
695 | * add_hwgenerator_randomness() is for true hardware RNGs, and will credit |
696 | * entropy as specified by the caller. If the entropy pool is full it will | |
697 | * block until more entropy is needed. | |
698 | * | |
5c3b747e JD |
699 | * add_bootloader_randomness() is called by bootloader drivers, such as EFI |
700 | * and device tree, and credits its input depending on whether or not the | |
701 | * configuration option CONFIG_RANDOM_TRUST_BOOTLOADER is set. | |
92c653cf | 702 | * |
ae099e8e JD |
703 | * add_vmfork_randomness() adds a unique (but not necessarily secret) ID |
704 | * representing the current instance of a VM to the pool, without crediting, | |
705 | * and then force-reseeds the crng so that it takes effect immediately. | |
706 | * | |
92c653cf JD |
707 | * add_interrupt_randomness() uses the interrupt timing as random |
708 | * inputs to the entropy pool. Using the cycle counters and the irq source | |
709 | * as inputs, it feeds the input pool roughly once a second or after 64 | |
710 | * interrupts, crediting 1 bit of entropy for whichever comes first. | |
711 | * | |
a4b5c26b JD |
712 | * add_input_randomness() uses the input layer interrupt timing, as well |
713 | * as the event type information from the hardware. | |
714 | * | |
715 | * add_disk_randomness() uses what amounts to the seek time of block | |
716 | * layer request events, on a per-disk_devt basis, as input to the | |
717 | * entropy pool. Note that high-speed solid state drives with very low | |
718 | * seek times do not make for good sources of entropy, as their seek | |
719 | * times are usually fairly consistent. | |
720 | * | |
721 | * The last two routines try to estimate how many bits of entropy | |
722 | * to credit. They do this by keeping track of the first and second | |
723 | * order deltas of the event timings. | |
724 | * | |
92c653cf JD |
725 | **********************************************************************/ |
726 | ||
248561ad | 727 | static bool used_arch_random; |
92c653cf | 728 | static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU); |
d97c68d1 | 729 | static bool trust_bootloader __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER); |
92c653cf JD |
730 | static int __init parse_trust_cpu(char *arg) |
731 | { | |
732 | return kstrtobool(arg, &trust_cpu); | |
733 | } | |
d97c68d1 JD |
734 | static int __init parse_trust_bootloader(char *arg) |
735 | { | |
736 | return kstrtobool(arg, &trust_bootloader); | |
737 | } | |
92c653cf | 738 | early_param("random.trust_cpu", parse_trust_cpu); |
d97c68d1 | 739 | early_param("random.trust_bootloader", parse_trust_bootloader); |
3655adc7 | 740 | |
b7b67d13 JD |
741 | static int random_pm_notification(struct notifier_block *nb, unsigned long action, void *data) |
742 | { | |
743 | unsigned long flags, entropy = random_get_entropy(); | |
744 | ||
745 | /* | |
746 | * Encode a representation of how long the system has been suspended, | |
747 | * in a way that is distinct from prior system suspends. | |
748 | */ | |
749 | ktime_t stamps[] = { ktime_get(), ktime_get_boottime(), ktime_get_real() }; | |
750 | ||
751 | spin_lock_irqsave(&input_pool.lock, flags); | |
752 | _mix_pool_bytes(&action, sizeof(action)); | |
753 | _mix_pool_bytes(stamps, sizeof(stamps)); | |
754 | _mix_pool_bytes(&entropy, sizeof(entropy)); | |
755 | spin_unlock_irqrestore(&input_pool.lock, flags); | |
756 | ||
757 | if (crng_ready() && (action == PM_RESTORE_PREPARE || | |
758 | (action == PM_POST_SUSPEND && | |
759 | !IS_ENABLED(CONFIG_PM_AUTOSLEEP) && !IS_ENABLED(CONFIG_ANDROID)))) { | |
e85c0fc1 | 760 | crng_reseed(); |
b7b67d13 JD |
761 | pr_notice("crng reseeded on system resumption\n"); |
762 | } | |
763 | return 0; | |
764 | } | |
765 | ||
766 | static struct notifier_block pm_notifier = { .notifier_call = random_pm_notification }; | |
767 | ||
3655adc7 | 768 | /* |
92c653cf | 769 | * The first collection of entropy occurs at system boot while interrupts |
2f14062b JD |
770 | * are still turned off. Here we push in latent entropy, RDSEED, a timestamp, |
771 | * utsname(), and the command line. Depending on the above configuration knob, | |
772 | * RDSEED may be considered sufficient for initialization. Note that much | |
773 | * earlier setup may already have pushed entropy into the input pool by the | |
774 | * time we get here. | |
3655adc7 | 775 | */ |
2f14062b | 776 | int __init random_init(const char *command_line) |
3655adc7 | 777 | { |
92c653cf | 778 | ktime_t now = ktime_get_real(); |
12e45a2a | 779 | unsigned int i, arch_bytes; |
a1940263 | 780 | unsigned long entropy; |
186873c5 | 781 | |
1754abb3 JD |
782 | #if defined(LATENT_ENTROPY_PLUGIN) |
783 | static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy; | |
784 | _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed)); | |
785 | #endif | |
786 | ||
12e45a2a | 787 | for (i = 0, arch_bytes = BLAKE2S_BLOCK_SIZE; |
a1940263 JD |
788 | i < BLAKE2S_BLOCK_SIZE; i += sizeof(entropy)) { |
789 | if (!arch_get_random_seed_long_early(&entropy) && | |
790 | !arch_get_random_long_early(&entropy)) { | |
791 | entropy = random_get_entropy(); | |
792 | arch_bytes -= sizeof(entropy); | |
92c653cf | 793 | } |
a1940263 | 794 | _mix_pool_bytes(&entropy, sizeof(entropy)); |
92c653cf | 795 | } |
afba0b80 JD |
796 | _mix_pool_bytes(&now, sizeof(now)); |
797 | _mix_pool_bytes(utsname(), sizeof(*(utsname()))); | |
2f14062b JD |
798 | _mix_pool_bytes(command_line, strlen(command_line)); |
799 | add_latent_entropy(); | |
186873c5 | 800 | |
e85c0fc1 JD |
801 | if (crng_ready()) |
802 | crng_reseed(); | |
12e45a2a | 803 | else if (trust_cpu) |
9b29b6b2 | 804 | _credit_init_bits(arch_bytes * 8); |
248561ad | 805 | used_arch_random = arch_bytes * 8 >= POOL_READY_BITS; |
e192be9d | 806 | |
b7b67d13 JD |
807 | WARN_ON(register_pm_notifier(&pm_notifier)); |
808 | ||
4b758eda JD |
809 | WARN(!random_get_entropy(), "Missing cycle counter and fallback timer; RNG " |
810 | "entropy collection will consequently suffer."); | |
92c653cf | 811 | return 0; |
3655adc7 | 812 | } |
e192be9d | 813 | |
248561ad JD |
814 | /* |
815 | * Returns whether arch randomness has been mixed into the initial | |
816 | * state of the RNG, regardless of whether or not that randomness | |
817 | * was credited. Knowing this is only good for a very limited set | |
818 | * of uses, such as early init printk pointer obfuscation. | |
819 | */ | |
820 | bool rng_has_arch_random(void) | |
821 | { | |
822 | return used_arch_random; | |
823 | } | |
824 | ||
a2080a67 | 825 | /* |
e192be9d TT |
826 | * Add device- or boot-specific data to the input pool to help |
827 | * initialize it. | |
a2080a67 | 828 | * |
e192be9d TT |
829 | * None of this adds any entropy; it is meant to avoid the problem of |
830 | * the entropy pool having similar initial state across largely | |
831 | * identical devices. | |
a2080a67 | 832 | */ |
a1940263 | 833 | void add_device_randomness(const void *buf, size_t len) |
a2080a67 | 834 | { |
4b758eda JD |
835 | unsigned long entropy = random_get_entropy(); |
836 | unsigned long flags; | |
a2080a67 | 837 | |
3ef4cb2d | 838 | spin_lock_irqsave(&input_pool.lock, flags); |
4b758eda | 839 | _mix_pool_bytes(&entropy, sizeof(entropy)); |
a1940263 | 840 | _mix_pool_bytes(buf, len); |
3ef4cb2d | 841 | spin_unlock_irqrestore(&input_pool.lock, flags); |
a2080a67 LT |
842 | } |
843 | EXPORT_SYMBOL(add_device_randomness); | |
844 | ||
92c653cf JD |
845 | /* |
846 | * Interface for in-kernel drivers of true hardware RNGs. | |
847 | * Those devices may produce endless random bits and will be throttled | |
848 | * when our pool is full. | |
849 | */ | |
a1940263 | 850 | void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy) |
92c653cf | 851 | { |
a1940263 | 852 | mix_pool_bytes(buf, len); |
e85c0fc1 JD |
853 | credit_init_bits(entropy); |
854 | ||
92c653cf | 855 | /* |
e85c0fc1 JD |
856 | * Throttle writing to once every CRNG_RESEED_INTERVAL, unless |
857 | * we're not yet initialized. | |
92c653cf | 858 | */ |
e85c0fc1 JD |
859 | if (!kthread_should_stop() && crng_ready()) |
860 | schedule_timeout_interruptible(CRNG_RESEED_INTERVAL); | |
92c653cf JD |
861 | } |
862 | EXPORT_SYMBOL_GPL(add_hwgenerator_randomness); | |
863 | ||
864 | /* | |
5c3b747e JD |
865 | * Handle random seed passed by bootloader, and credit it if |
866 | * CONFIG_RANDOM_TRUST_BOOTLOADER is set. | |
92c653cf | 867 | */ |
560181c2 | 868 | void __cold add_bootloader_randomness(const void *buf, size_t len) |
92c653cf | 869 | { |
a1940263 | 870 | mix_pool_bytes(buf, len); |
d97c68d1 | 871 | if (trust_bootloader) |
a1940263 | 872 | credit_init_bits(len * 8); |
92c653cf JD |
873 | } |
874 | EXPORT_SYMBOL_GPL(add_bootloader_randomness); | |
875 | ||
a4107d34 | 876 | #if IS_ENABLED(CONFIG_VMGENID) |
f3c2682b JD |
877 | static BLOCKING_NOTIFIER_HEAD(vmfork_chain); |
878 | ||
ae099e8e JD |
879 | /* |
880 | * Handle a new unique VM ID, which is unique, not secret, so we | |
881 | * don't credit it, but we do immediately force a reseed after so | |
882 | * that it's used by the crng posthaste. | |
883 | */ | |
560181c2 | 884 | void __cold add_vmfork_randomness(const void *unique_vm_id, size_t len) |
ae099e8e | 885 | { |
a1940263 | 886 | add_device_randomness(unique_vm_id, len); |
ae099e8e | 887 | if (crng_ready()) { |
e85c0fc1 | 888 | crng_reseed(); |
ae099e8e JD |
889 | pr_notice("crng reseeded due to virtual machine fork\n"); |
890 | } | |
f3c2682b | 891 | blocking_notifier_call_chain(&vmfork_chain, 0, NULL); |
ae099e8e | 892 | } |
a4107d34 | 893 | #if IS_MODULE(CONFIG_VMGENID) |
ae099e8e | 894 | EXPORT_SYMBOL_GPL(add_vmfork_randomness); |
a4107d34 | 895 | #endif |
f3c2682b | 896 | |
560181c2 | 897 | int __cold register_random_vmfork_notifier(struct notifier_block *nb) |
f3c2682b JD |
898 | { |
899 | return blocking_notifier_chain_register(&vmfork_chain, nb); | |
900 | } | |
901 | EXPORT_SYMBOL_GPL(register_random_vmfork_notifier); | |
902 | ||
560181c2 | 903 | int __cold unregister_random_vmfork_notifier(struct notifier_block *nb) |
f3c2682b JD |
904 | { |
905 | return blocking_notifier_chain_unregister(&vmfork_chain, nb); | |
906 | } | |
907 | EXPORT_SYMBOL_GPL(unregister_random_vmfork_notifier); | |
a4107d34 | 908 | #endif |
ae099e8e | 909 | |
92c653cf | 910 | struct fast_pool { |
58340f8e | 911 | struct work_struct mix; |
f5eab0e2 | 912 | unsigned long pool[4]; |
92c653cf | 913 | unsigned long last; |
3191dd5a | 914 | unsigned int count; |
92c653cf JD |
915 | }; |
916 | ||
f5eab0e2 JD |
917 | static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = { |
918 | #ifdef CONFIG_64BIT | |
e73aaae2 JD |
919 | #define FASTMIX_PERM SIPHASH_PERMUTATION |
920 | .pool = { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CONST_3 } | |
f5eab0e2 | 921 | #else |
e73aaae2 JD |
922 | #define FASTMIX_PERM HSIPHASH_PERMUTATION |
923 | .pool = { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHASH_CONST_3 } | |
f5eab0e2 JD |
924 | #endif |
925 | }; | |
926 | ||
92c653cf | 927 | /* |
f5eab0e2 JD |
928 | * This is [Half]SipHash-1-x, starting from an empty key. Because |
929 | * the key is fixed, it assumes that its inputs are non-malicious, | |
930 | * and therefore this has no security on its own. s represents the | |
4b758eda | 931 | * four-word SipHash state, while v represents a two-word input. |
92c653cf | 932 | */ |
791332b3 | 933 | static void fast_mix(unsigned long s[4], unsigned long v1, unsigned long v2) |
92c653cf | 934 | { |
791332b3 | 935 | s[3] ^= v1; |
e73aaae2 | 936 | FASTMIX_PERM(s[0], s[1], s[2], s[3]); |
791332b3 JD |
937 | s[0] ^= v1; |
938 | s[3] ^= v2; | |
e73aaae2 | 939 | FASTMIX_PERM(s[0], s[1], s[2], s[3]); |
791332b3 | 940 | s[0] ^= v2; |
92c653cf JD |
941 | } |
942 | ||
3191dd5a JD |
943 | #ifdef CONFIG_SMP |
944 | /* | |
945 | * This function is called when the CPU has just come online, with | |
946 | * entry CPUHP_AP_RANDOM_ONLINE, just after CPUHP_AP_WORKQUEUE_ONLINE. | |
947 | */ | |
560181c2 | 948 | int __cold random_online_cpu(unsigned int cpu) |
3191dd5a JD |
949 | { |
950 | /* | |
951 | * During CPU shutdown and before CPU onlining, add_interrupt_ | |
952 | * randomness() may schedule mix_interrupt_randomness(), and | |
953 | * set the MIX_INFLIGHT flag. However, because the worker can | |
954 | * be scheduled on a different CPU during this period, that | |
955 | * flag will never be cleared. For that reason, we zero out | |
956 | * the flag here, which runs just after workqueues are onlined | |
957 | * for the CPU again. This also has the effect of setting the | |
958 | * irq randomness count to zero so that new accumulated irqs | |
959 | * are fresh. | |
960 | */ | |
961 | per_cpu_ptr(&irq_randomness, cpu)->count = 0; | |
962 | return 0; | |
963 | } | |
964 | #endif | |
965 | ||
58340f8e JD |
966 | static void mix_interrupt_randomness(struct work_struct *work) |
967 | { | |
968 | struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix); | |
f5eab0e2 | 969 | /* |
4b758eda JD |
970 | * The size of the copied stack pool is explicitly 2 longs so that we |
971 | * only ever ingest half of the siphash output each time, retaining | |
972 | * the other half as the next "key" that carries over. The entropy is | |
973 | * supposed to be sufficiently dispersed between bits so on average | |
974 | * we don't wind up "losing" some. | |
f5eab0e2 | 975 | */ |
4b758eda | 976 | unsigned long pool[2]; |
e3e33fc2 | 977 | unsigned int count; |
58340f8e JD |
978 | |
979 | /* Check to see if we're running on the wrong CPU due to hotplug. */ | |
980 | local_irq_disable(); | |
981 | if (fast_pool != this_cpu_ptr(&irq_randomness)) { | |
982 | local_irq_enable(); | |
58340f8e JD |
983 | return; |
984 | } | |
985 | ||
986 | /* | |
987 | * Copy the pool to the stack so that the mixer always has a | |
988 | * consistent view, before we reenable irqs again. | |
989 | */ | |
f5eab0e2 | 990 | memcpy(pool, fast_pool->pool, sizeof(pool)); |
e3e33fc2 | 991 | count = fast_pool->count; |
3191dd5a | 992 | fast_pool->count = 0; |
58340f8e JD |
993 | fast_pool->last = jiffies; |
994 | local_irq_enable(); | |
995 | ||
5c3b747e | 996 | mix_pool_bytes(pool, sizeof(pool)); |
e3e33fc2 | 997 | credit_init_bits(max(1u, (count & U16_MAX) / 64)); |
c2a7de4f | 998 | |
58340f8e JD |
999 | memzero_explicit(pool, sizeof(pool)); |
1000 | } | |
1001 | ||
703f7066 | 1002 | void add_interrupt_randomness(int irq) |
1da177e4 | 1003 | { |
58340f8e | 1004 | enum { MIX_INFLIGHT = 1U << 31 }; |
4b758eda | 1005 | unsigned long entropy = random_get_entropy(); |
248045b8 JD |
1006 | struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness); |
1007 | struct pt_regs *regs = get_irq_regs(); | |
58340f8e | 1008 | unsigned int new_count; |
b2f408fe | 1009 | |
791332b3 JD |
1010 | fast_mix(fast_pool->pool, entropy, |
1011 | (regs ? instruction_pointer(regs) : _RET_IP_) ^ swab(irq)); | |
3191dd5a | 1012 | new_count = ++fast_pool->count; |
3060d6fe | 1013 | |
58340f8e | 1014 | if (new_count & MIX_INFLIGHT) |
1da177e4 LT |
1015 | return; |
1016 | ||
5c3b747e | 1017 | if (new_count < 64 && !time_is_before_jiffies(fast_pool->last + HZ)) |
91fcb532 | 1018 | return; |
83664a69 | 1019 | |
58340f8e JD |
1020 | if (unlikely(!fast_pool->mix.func)) |
1021 | INIT_WORK(&fast_pool->mix, mix_interrupt_randomness); | |
3191dd5a | 1022 | fast_pool->count |= MIX_INFLIGHT; |
58340f8e | 1023 | queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix); |
1da177e4 | 1024 | } |
4b44f2d1 | 1025 | EXPORT_SYMBOL_GPL(add_interrupt_randomness); |
1da177e4 | 1026 | |
a4b5c26b JD |
1027 | /* There is one of these per entropy source */ |
1028 | struct timer_rand_state { | |
1029 | unsigned long last_time; | |
1030 | long last_delta, last_delta2; | |
1031 | }; | |
1032 | ||
1033 | /* | |
1034 | * This function adds entropy to the entropy "pool" by using timing | |
e3e33fc2 JD |
1035 | * delays. It uses the timer_rand_state structure to make an estimate |
1036 | * of how many bits of entropy this call has added to the pool. The | |
1037 | * value "num" is also added to the pool; it should somehow describe | |
1038 | * the type of event that just happened. | |
a4b5c26b JD |
1039 | */ |
1040 | static void add_timer_randomness(struct timer_rand_state *state, unsigned int num) | |
1041 | { | |
1042 | unsigned long entropy = random_get_entropy(), now = jiffies, flags; | |
1043 | long delta, delta2, delta3; | |
e3e33fc2 | 1044 | unsigned int bits; |
a4b5c26b | 1045 | |
e3e33fc2 JD |
1046 | /* |
1047 | * If we're in a hard IRQ, add_interrupt_randomness() will be called | |
1048 | * sometime after, so mix into the fast pool. | |
1049 | */ | |
1050 | if (in_hardirq()) { | |
791332b3 | 1051 | fast_mix(this_cpu_ptr(&irq_randomness)->pool, entropy, num); |
e3e33fc2 JD |
1052 | } else { |
1053 | spin_lock_irqsave(&input_pool.lock, flags); | |
1054 | _mix_pool_bytes(&entropy, sizeof(entropy)); | |
1055 | _mix_pool_bytes(&num, sizeof(num)); | |
1056 | spin_unlock_irqrestore(&input_pool.lock, flags); | |
1057 | } | |
a4b5c26b JD |
1058 | |
1059 | if (crng_ready()) | |
1060 | return; | |
1061 | ||
1062 | /* | |
1063 | * Calculate number of bits of randomness we probably added. | |
1064 | * We take into account the first, second and third-order deltas | |
1065 | * in order to make our estimate. | |
1066 | */ | |
1067 | delta = now - READ_ONCE(state->last_time); | |
1068 | WRITE_ONCE(state->last_time, now); | |
1069 | ||
1070 | delta2 = delta - READ_ONCE(state->last_delta); | |
1071 | WRITE_ONCE(state->last_delta, delta); | |
1072 | ||
1073 | delta3 = delta2 - READ_ONCE(state->last_delta2); | |
1074 | WRITE_ONCE(state->last_delta2, delta2); | |
1075 | ||
1076 | if (delta < 0) | |
1077 | delta = -delta; | |
1078 | if (delta2 < 0) | |
1079 | delta2 = -delta2; | |
1080 | if (delta3 < 0) | |
1081 | delta3 = -delta3; | |
1082 | if (delta > delta2) | |
1083 | delta = delta2; | |
1084 | if (delta > delta3) | |
1085 | delta = delta3; | |
1086 | ||
1087 | /* | |
e3e33fc2 JD |
1088 | * delta is now minimum absolute delta. Round down by 1 bit |
1089 | * on general principles, and limit entropy estimate to 11 bits. | |
1090 | */ | |
1091 | bits = min(fls(delta >> 1), 11); | |
1092 | ||
1093 | /* | |
1094 | * As mentioned above, if we're in a hard IRQ, add_interrupt_randomness() | |
1095 | * will run after this, which uses a different crediting scheme of 1 bit | |
1096 | * per every 64 interrupts. In order to let that function do accounting | |
1097 | * close to the one in this function, we credit a full 64/64 bit per bit, | |
1098 | * and then subtract one to account for the extra one added. | |
a4b5c26b | 1099 | */ |
e3e33fc2 JD |
1100 | if (in_hardirq()) |
1101 | this_cpu_ptr(&irq_randomness)->count += max(1u, bits * 64) - 1; | |
1102 | else | |
560181c2 | 1103 | _credit_init_bits(bits); |
a4b5c26b JD |
1104 | } |
1105 | ||
a1940263 | 1106 | void add_input_randomness(unsigned int type, unsigned int code, unsigned int value) |
a4b5c26b JD |
1107 | { |
1108 | static unsigned char last_value; | |
1109 | static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES }; | |
1110 | ||
1111 | /* Ignore autorepeat and the like. */ | |
1112 | if (value == last_value) | |
1113 | return; | |
1114 | ||
1115 | last_value = value; | |
1116 | add_timer_randomness(&input_timer_state, | |
1117 | (type << 4) ^ code ^ (code >> 4) ^ value); | |
1118 | } | |
1119 | EXPORT_SYMBOL_GPL(add_input_randomness); | |
1120 | ||
1121 | #ifdef CONFIG_BLOCK | |
1122 | void add_disk_randomness(struct gendisk *disk) | |
1123 | { | |
1124 | if (!disk || !disk->random) | |
1125 | return; | |
1126 | /* First major is 1, so we get >= 0x200 here. */ | |
1127 | add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); | |
1128 | } | |
1129 | EXPORT_SYMBOL_GPL(add_disk_randomness); | |
1130 | ||
560181c2 | 1131 | void __cold rand_initialize_disk(struct gendisk *disk) |
a4b5c26b JD |
1132 | { |
1133 | struct timer_rand_state *state; | |
1134 | ||
1135 | /* | |
1136 | * If kzalloc returns null, we just won't use that entropy | |
1137 | * source. | |
1138 | */ | |
1139 | state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL); | |
1140 | if (state) { | |
1141 | state->last_time = INITIAL_JIFFIES; | |
1142 | disk->random = state; | |
1143 | } | |
1144 | } | |
1145 | #endif | |
1146 | ||
78c768e6 JD |
1147 | struct entropy_timer_state { |
1148 | unsigned long entropy; | |
1149 | struct timer_list timer; | |
1150 | unsigned int samples, samples_per_bit; | |
1151 | }; | |
1152 | ||
50ee7529 LT |
1153 | /* |
1154 | * Each time the timer fires, we expect that we got an unpredictable | |
1155 | * jump in the cycle counter. Even if the timer is running on another | |
1156 | * CPU, the timer activity will be touching the stack of the CPU that is | |
1157 | * generating entropy.. | |
1158 | * | |
1159 | * Note that we don't re-arm the timer in the timer itself - we are | |
1160 | * happy to be scheduled away, since that just makes the load more | |
1161 | * complex, but we do not want the timer to keep ticking unless the | |
1162 | * entropy loop is running. | |
1163 | * | |
1164 | * So the re-arming always happens in the entropy loop itself. | |
1165 | */ | |
560181c2 | 1166 | static void __cold entropy_timer(struct timer_list *timer) |
50ee7529 | 1167 | { |
78c768e6 JD |
1168 | struct entropy_timer_state *state = container_of(timer, struct entropy_timer_state, timer); |
1169 | ||
1170 | if (++state->samples == state->samples_per_bit) { | |
e85c0fc1 | 1171 | credit_init_bits(1); |
78c768e6 JD |
1172 | state->samples = 0; |
1173 | } | |
50ee7529 LT |
1174 | } |
1175 | ||
1176 | /* | |
1177 | * If we have an actual cycle counter, see if we can | |
1178 | * generate enough entropy with timing noise | |
1179 | */ | |
560181c2 | 1180 | static void __cold try_to_generate_entropy(void) |
50ee7529 | 1181 | { |
78c768e6 JD |
1182 | enum { NUM_TRIAL_SAMPLES = 8192, MAX_SAMPLES_PER_BIT = 32 }; |
1183 | struct entropy_timer_state stack; | |
1184 | unsigned int i, num_different = 0; | |
1185 | unsigned long last = random_get_entropy(); | |
50ee7529 | 1186 | |
78c768e6 JD |
1187 | for (i = 0; i < NUM_TRIAL_SAMPLES - 1; ++i) { |
1188 | stack.entropy = random_get_entropy(); | |
1189 | if (stack.entropy != last) | |
1190 | ++num_different; | |
1191 | last = stack.entropy; | |
1192 | } | |
1193 | stack.samples_per_bit = DIV_ROUND_UP(NUM_TRIAL_SAMPLES, num_different + 1); | |
1194 | if (stack.samples_per_bit > MAX_SAMPLES_PER_BIT) | |
50ee7529 LT |
1195 | return; |
1196 | ||
78c768e6 | 1197 | stack.samples = 0; |
50ee7529 | 1198 | timer_setup_on_stack(&stack.timer, entropy_timer, 0); |
3e504d20 | 1199 | while (!crng_ready() && !signal_pending(current)) { |
50ee7529 | 1200 | if (!timer_pending(&stack.timer)) |
248045b8 | 1201 | mod_timer(&stack.timer, jiffies + 1); |
4b758eda | 1202 | mix_pool_bytes(&stack.entropy, sizeof(stack.entropy)); |
50ee7529 | 1203 | schedule(); |
4b758eda | 1204 | stack.entropy = random_get_entropy(); |
50ee7529 LT |
1205 | } |
1206 | ||
1207 | del_timer_sync(&stack.timer); | |
1208 | destroy_timer_on_stack(&stack.timer); | |
4b758eda | 1209 | mix_pool_bytes(&stack.entropy, sizeof(stack.entropy)); |
50ee7529 LT |
1210 | } |
1211 | ||
a6adf8e7 JD |
1212 | |
1213 | /********************************************************************** | |
1214 | * | |
1215 | * Userspace reader/writer interfaces. | |
1216 | * | |
1217 | * getrandom(2) is the primary modern interface into the RNG and should | |
1218 | * be used in preference to anything else. | |
1219 | * | |
0313bc27 LT |
1220 | * Reading from /dev/random has the same functionality as calling |
1221 | * getrandom(2) with flags=0. In earlier versions, however, it had | |
1222 | * vastly different semantics and should therefore be avoided, to | |
1223 | * prevent backwards compatibility issues. | |
1224 | * | |
1225 | * Reading from /dev/urandom has the same functionality as calling | |
1226 | * getrandom(2) with flags=GRND_INSECURE. Because it does not block | |
1227 | * waiting for the RNG to be ready, it should not be used. | |
a6adf8e7 JD |
1228 | * |
1229 | * Writing to either /dev/random or /dev/urandom adds entropy to | |
1230 | * the input pool but does not credit it. | |
1231 | * | |
0313bc27 LT |
1232 | * Polling on /dev/random indicates when the RNG is initialized, on |
1233 | * the read side, and when it wants new entropy, on the write side. | |
a6adf8e7 JD |
1234 | * |
1235 | * Both /dev/random and /dev/urandom have the same set of ioctls for | |
1236 | * adding entropy, getting the entropy count, zeroing the count, and | |
1237 | * reseeding the crng. | |
1238 | * | |
1239 | **********************************************************************/ | |
1240 | ||
a1940263 | 1241 | SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags) |
1da177e4 | 1242 | { |
1b388e77 JA |
1243 | struct iov_iter iter; |
1244 | struct iovec iov; | |
1245 | int ret; | |
1246 | ||
a6adf8e7 JD |
1247 | if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)) |
1248 | return -EINVAL; | |
301f0595 | 1249 | |
a6adf8e7 JD |
1250 | /* |
1251 | * Requesting insecure and blocking randomness at the same time makes | |
1252 | * no sense. | |
1253 | */ | |
1254 | if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM)) | |
1255 | return -EINVAL; | |
c6f1deb1 | 1256 | |
f5bda35f | 1257 | if (!crng_ready() && !(flags & GRND_INSECURE)) { |
a6adf8e7 JD |
1258 | if (flags & GRND_NONBLOCK) |
1259 | return -EAGAIN; | |
1260 | ret = wait_for_random_bytes(); | |
1261 | if (unlikely(ret)) | |
1262 | return ret; | |
1263 | } | |
1b388e77 JA |
1264 | |
1265 | ret = import_single_range(READ, ubuf, len, &iov, &iter); | |
1266 | if (unlikely(ret)) | |
1267 | return ret; | |
1268 | return get_random_bytes_user(&iter); | |
30c08efe AL |
1269 | } |
1270 | ||
248045b8 | 1271 | static __poll_t random_poll(struct file *file, poll_table *wait) |
1da177e4 | 1272 | { |
30c08efe | 1273 | poll_wait(file, &crng_init_wait, wait); |
e85c0fc1 | 1274 | return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM; |
1da177e4 LT |
1275 | } |
1276 | ||
1ce6c8d6 | 1277 | static ssize_t write_pool_user(struct iov_iter *iter) |
1da177e4 | 1278 | { |
04ec96b7 | 1279 | u8 block[BLAKE2S_BLOCK_SIZE]; |
22b0a222 JA |
1280 | ssize_t ret = 0; |
1281 | size_t copied; | |
1da177e4 | 1282 | |
22b0a222 JA |
1283 | if (unlikely(!iov_iter_count(iter))) |
1284 | return 0; | |
1285 | ||
1286 | for (;;) { | |
1287 | copied = copy_from_iter(block, sizeof(block), iter); | |
1288 | ret += copied; | |
1289 | mix_pool_bytes(block, copied); | |
1290 | if (!iov_iter_count(iter) || copied != sizeof(block)) | |
1291 | break; | |
1ce6c8d6 JD |
1292 | |
1293 | BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0); | |
1294 | if (ret % PAGE_SIZE == 0) { | |
1295 | if (signal_pending(current)) | |
1296 | break; | |
1297 | cond_resched(); | |
1298 | } | |
1da177e4 | 1299 | } |
7f397dcd | 1300 | |
7b5164fb | 1301 | memzero_explicit(block, sizeof(block)); |
22b0a222 | 1302 | return ret ? ret : -EFAULT; |
7f397dcd MM |
1303 | } |
1304 | ||
22b0a222 | 1305 | static ssize_t random_write_iter(struct kiocb *kiocb, struct iov_iter *iter) |
7f397dcd | 1306 | { |
1ce6c8d6 | 1307 | return write_pool_user(iter); |
1da177e4 LT |
1308 | } |
1309 | ||
1b388e77 | 1310 | static ssize_t urandom_read_iter(struct kiocb *kiocb, struct iov_iter *iter) |
0313bc27 LT |
1311 | { |
1312 | static int maxwarn = 10; | |
1313 | ||
48bff105 JD |
1314 | /* |
1315 | * Opportunistically attempt to initialize the RNG on platforms that | |
1316 | * have fast cycle counters, but don't (for now) require it to succeed. | |
1317 | */ | |
1318 | if (!crng_ready()) | |
1319 | try_to_generate_entropy(); | |
1320 | ||
cc1e127b JD |
1321 | if (!crng_ready()) { |
1322 | if (!ratelimit_disable && maxwarn <= 0) | |
1323 | ++urandom_warning.missed; | |
1324 | else if (ratelimit_disable || __ratelimit(&urandom_warning)) { | |
1325 | --maxwarn; | |
1b388e77 JA |
1326 | pr_notice("%s: uninitialized urandom read (%zu bytes read)\n", |
1327 | current->comm, iov_iter_count(iter)); | |
cc1e127b | 1328 | } |
0313bc27 LT |
1329 | } |
1330 | ||
1b388e77 | 1331 | return get_random_bytes_user(iter); |
0313bc27 LT |
1332 | } |
1333 | ||
1b388e77 | 1334 | static ssize_t random_read_iter(struct kiocb *kiocb, struct iov_iter *iter) |
a6adf8e7 JD |
1335 | { |
1336 | int ret; | |
1337 | ||
1338 | ret = wait_for_random_bytes(); | |
1339 | if (ret != 0) | |
1340 | return ret; | |
1b388e77 | 1341 | return get_random_bytes_user(iter); |
a6adf8e7 JD |
1342 | } |
1343 | ||
43ae4860 | 1344 | static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) |
1da177e4 | 1345 | { |
1da177e4 | 1346 | int __user *p = (int __user *)arg; |
22b0a222 | 1347 | int ent_count; |
1da177e4 LT |
1348 | |
1349 | switch (cmd) { | |
1350 | case RNDGETENTCNT: | |
a6adf8e7 | 1351 | /* Inherently racy, no point locking. */ |
e85c0fc1 | 1352 | if (put_user(input_pool.init_bits, p)) |
1da177e4 LT |
1353 | return -EFAULT; |
1354 | return 0; | |
1355 | case RNDADDTOENTCNT: | |
1356 | if (!capable(CAP_SYS_ADMIN)) | |
1357 | return -EPERM; | |
1358 | if (get_user(ent_count, p)) | |
1359 | return -EFAULT; | |
a49c010e JD |
1360 | if (ent_count < 0) |
1361 | return -EINVAL; | |
e85c0fc1 | 1362 | credit_init_bits(ent_count); |
a49c010e | 1363 | return 0; |
22b0a222 JA |
1364 | case RNDADDENTROPY: { |
1365 | struct iov_iter iter; | |
1366 | struct iovec iov; | |
1367 | ssize_t ret; | |
1368 | int len; | |
1369 | ||
1da177e4 LT |
1370 | if (!capable(CAP_SYS_ADMIN)) |
1371 | return -EPERM; | |
1372 | if (get_user(ent_count, p++)) | |
1373 | return -EFAULT; | |
1374 | if (ent_count < 0) | |
1375 | return -EINVAL; | |
22b0a222 JA |
1376 | if (get_user(len, p++)) |
1377 | return -EFAULT; | |
1378 | ret = import_single_range(WRITE, p, len, &iov, &iter); | |
1379 | if (unlikely(ret)) | |
1380 | return ret; | |
1ce6c8d6 | 1381 | ret = write_pool_user(&iter); |
22b0a222 JA |
1382 | if (unlikely(ret < 0)) |
1383 | return ret; | |
1384 | /* Since we're crediting, enforce that it was all written into the pool. */ | |
1385 | if (unlikely(ret != len)) | |
1da177e4 | 1386 | return -EFAULT; |
e85c0fc1 | 1387 | credit_init_bits(ent_count); |
a49c010e | 1388 | return 0; |
22b0a222 | 1389 | } |
1da177e4 LT |
1390 | case RNDZAPENTCNT: |
1391 | case RNDCLEARPOOL: | |
e85c0fc1 | 1392 | /* No longer has any effect. */ |
1da177e4 LT |
1393 | if (!capable(CAP_SYS_ADMIN)) |
1394 | return -EPERM; | |
1da177e4 | 1395 | return 0; |
d848e5f8 TT |
1396 | case RNDRESEEDCRNG: |
1397 | if (!capable(CAP_SYS_ADMIN)) | |
1398 | return -EPERM; | |
a96cfe2d | 1399 | if (!crng_ready()) |
d848e5f8 | 1400 | return -ENODATA; |
e85c0fc1 | 1401 | crng_reseed(); |
d848e5f8 | 1402 | return 0; |
1da177e4 LT |
1403 | default: |
1404 | return -EINVAL; | |
1405 | } | |
1406 | } | |
1407 | ||
9a6f70bb JD |
1408 | static int random_fasync(int fd, struct file *filp, int on) |
1409 | { | |
1410 | return fasync_helper(fd, filp, on, &fasync); | |
1411 | } | |
1412 | ||
2b8693c0 | 1413 | const struct file_operations random_fops = { |
1b388e77 | 1414 | .read_iter = random_read_iter, |
22b0a222 | 1415 | .write_iter = random_write_iter, |
248045b8 | 1416 | .poll = random_poll, |
43ae4860 | 1417 | .unlocked_ioctl = random_ioctl, |
507e4e2b | 1418 | .compat_ioctl = compat_ptr_ioctl, |
9a6f70bb | 1419 | .fasync = random_fasync, |
6038f373 | 1420 | .llseek = noop_llseek, |
79025e72 JA |
1421 | .splice_read = generic_file_splice_read, |
1422 | .splice_write = iter_file_splice_write, | |
1da177e4 LT |
1423 | }; |
1424 | ||
0313bc27 | 1425 | const struct file_operations urandom_fops = { |
1b388e77 | 1426 | .read_iter = urandom_read_iter, |
22b0a222 | 1427 | .write_iter = random_write_iter, |
0313bc27 LT |
1428 | .unlocked_ioctl = random_ioctl, |
1429 | .compat_ioctl = compat_ptr_ioctl, | |
1430 | .fasync = random_fasync, | |
1431 | .llseek = noop_llseek, | |
79025e72 JA |
1432 | .splice_read = generic_file_splice_read, |
1433 | .splice_write = iter_file_splice_write, | |
0313bc27 LT |
1434 | }; |
1435 | ||
0deff3c4 | 1436 | |
1da177e4 LT |
1437 | /******************************************************************** |
1438 | * | |
0deff3c4 JD |
1439 | * Sysctl interface. |
1440 | * | |
1441 | * These are partly unused legacy knobs with dummy values to not break | |
1442 | * userspace and partly still useful things. They are usually accessible | |
1443 | * in /proc/sys/kernel/random/ and are as follows: | |
1444 | * | |
1445 | * - boot_id - a UUID representing the current boot. | |
1446 | * | |
1447 | * - uuid - a random UUID, different each time the file is read. | |
1448 | * | |
1449 | * - poolsize - the number of bits of entropy that the input pool can | |
1450 | * hold, tied to the POOL_BITS constant. | |
1451 | * | |
1452 | * - entropy_avail - the number of bits of entropy currently in the | |
1453 | * input pool. Always <= poolsize. | |
1454 | * | |
1455 | * - write_wakeup_threshold - the amount of entropy in the input pool | |
1456 | * below which write polls to /dev/random will unblock, requesting | |
e3d2c5e7 | 1457 | * more entropy, tied to the POOL_READY_BITS constant. It is writable |
0deff3c4 JD |
1458 | * to avoid breaking old userspaces, but writing to it does not |
1459 | * change any behavior of the RNG. | |
1460 | * | |
d0efdf35 | 1461 | * - urandom_min_reseed_secs - fixed to the value CRNG_RESEED_INTERVAL. |
0deff3c4 JD |
1462 | * It is writable to avoid breaking old userspaces, but writing |
1463 | * to it does not change any behavior of the RNG. | |
1da177e4 LT |
1464 | * |
1465 | ********************************************************************/ | |
1466 | ||
1467 | #ifdef CONFIG_SYSCTL | |
1468 | ||
1469 | #include <linux/sysctl.h> | |
1470 | ||
d0efdf35 | 1471 | static int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ; |
e3d2c5e7 | 1472 | static int sysctl_random_write_wakeup_bits = POOL_READY_BITS; |
489c7fc4 | 1473 | static int sysctl_poolsize = POOL_BITS; |
64276a99 | 1474 | static u8 sysctl_bootid[UUID_SIZE]; |
1da177e4 LT |
1475 | |
1476 | /* | |
f22052b2 | 1477 | * This function is used to return both the bootid UUID, and random |
64276a99 | 1478 | * UUID. The difference is in whether table->data is NULL; if it is, |
1da177e4 | 1479 | * then a new UUID is generated and returned to the user. |
1da177e4 | 1480 | */ |
a1940263 | 1481 | static int proc_do_uuid(struct ctl_table *table, int write, void *buf, |
248045b8 | 1482 | size_t *lenp, loff_t *ppos) |
1da177e4 | 1483 | { |
64276a99 JD |
1484 | u8 tmp_uuid[UUID_SIZE], *uuid; |
1485 | char uuid_string[UUID_STRING_LEN + 1]; | |
1486 | struct ctl_table fake_table = { | |
1487 | .data = uuid_string, | |
1488 | .maxlen = UUID_STRING_LEN | |
1489 | }; | |
1490 | ||
1491 | if (write) | |
1492 | return -EPERM; | |
1da177e4 LT |
1493 | |
1494 | uuid = table->data; | |
1495 | if (!uuid) { | |
1496 | uuid = tmp_uuid; | |
1da177e4 | 1497 | generate_random_uuid(uuid); |
44e4360f MD |
1498 | } else { |
1499 | static DEFINE_SPINLOCK(bootid_spinlock); | |
1500 | ||
1501 | spin_lock(&bootid_spinlock); | |
1502 | if (!uuid[8]) | |
1503 | generate_random_uuid(uuid); | |
1504 | spin_unlock(&bootid_spinlock); | |
1505 | } | |
1da177e4 | 1506 | |
64276a99 | 1507 | snprintf(uuid_string, sizeof(uuid_string), "%pU", uuid); |
a1940263 | 1508 | return proc_dostring(&fake_table, 0, buf, lenp, ppos); |
1da177e4 LT |
1509 | } |
1510 | ||
77553cf8 | 1511 | /* The same as proc_dointvec, but writes don't change anything. */ |
a1940263 | 1512 | static int proc_do_rointvec(struct ctl_table *table, int write, void *buf, |
77553cf8 JD |
1513 | size_t *lenp, loff_t *ppos) |
1514 | { | |
a1940263 | 1515 | return write ? 0 : proc_dointvec(table, 0, buf, lenp, ppos); |
77553cf8 JD |
1516 | } |
1517 | ||
5475e8f0 | 1518 | static struct ctl_table random_table[] = { |
1da177e4 | 1519 | { |
1da177e4 LT |
1520 | .procname = "poolsize", |
1521 | .data = &sysctl_poolsize, | |
1522 | .maxlen = sizeof(int), | |
1523 | .mode = 0444, | |
6d456111 | 1524 | .proc_handler = proc_dointvec, |
1da177e4 LT |
1525 | }, |
1526 | { | |
1da177e4 | 1527 | .procname = "entropy_avail", |
e85c0fc1 | 1528 | .data = &input_pool.init_bits, |
1da177e4 LT |
1529 | .maxlen = sizeof(int), |
1530 | .mode = 0444, | |
c5704490 | 1531 | .proc_handler = proc_dointvec, |
1da177e4 | 1532 | }, |
1da177e4 | 1533 | { |
1da177e4 | 1534 | .procname = "write_wakeup_threshold", |
0deff3c4 | 1535 | .data = &sysctl_random_write_wakeup_bits, |
1da177e4 LT |
1536 | .maxlen = sizeof(int), |
1537 | .mode = 0644, | |
77553cf8 | 1538 | .proc_handler = proc_do_rointvec, |
1da177e4 | 1539 | }, |
f5c2742c TT |
1540 | { |
1541 | .procname = "urandom_min_reseed_secs", | |
0deff3c4 | 1542 | .data = &sysctl_random_min_urandom_seed, |
f5c2742c TT |
1543 | .maxlen = sizeof(int), |
1544 | .mode = 0644, | |
77553cf8 | 1545 | .proc_handler = proc_do_rointvec, |
f5c2742c | 1546 | }, |
1da177e4 | 1547 | { |
1da177e4 LT |
1548 | .procname = "boot_id", |
1549 | .data = &sysctl_bootid, | |
1da177e4 | 1550 | .mode = 0444, |
6d456111 | 1551 | .proc_handler = proc_do_uuid, |
1da177e4 LT |
1552 | }, |
1553 | { | |
1da177e4 | 1554 | .procname = "uuid", |
1da177e4 | 1555 | .mode = 0444, |
6d456111 | 1556 | .proc_handler = proc_do_uuid, |
1da177e4 | 1557 | }, |
894d2491 | 1558 | { } |
1da177e4 | 1559 | }; |
5475e8f0 XN |
1560 | |
1561 | /* | |
2f14062b JD |
1562 | * random_init() is called before sysctl_init(), |
1563 | * so we cannot call register_sysctl_init() in random_init() | |
5475e8f0 XN |
1564 | */ |
1565 | static int __init random_sysctls_init(void) | |
1566 | { | |
1567 | register_sysctl_init("kernel/random", random_table); | |
1568 | return 0; | |
1569 | } | |
1570 | device_initcall(random_sysctls_init); | |
0deff3c4 | 1571 | #endif |