Commit | Line | Data |
---|---|---|
a07fdae3 | 1 | // SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause) |
1da177e4 | 2 | /* |
9f9eff85 | 3 | * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
9e95ce27 | 4 | * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005 |
5f75d9f3 JD |
5 | * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All rights reserved. |
6 | * | |
7 | * This driver produces cryptographically secure pseudorandom data. It is divided | |
8 | * into roughly six sections, each with a section header: | |
9 | * | |
10 | * - Initialization and readiness waiting. | |
11 | * - Fast key erasure RNG, the "crng". | |
12 | * - Entropy accumulation and extraction routines. | |
13 | * - Entropy collection routines. | |
14 | * - Userspace reader/writer interfaces. | |
15 | * - Sysctl interface. | |
16 | * | |
17 | * The high level overview is that there is one input pool, into which | |
e85c0fc1 JD |
18 | * various pieces of data are hashed. Prior to initialization, some of that |
19 | * data is then "credited" as having a certain number of bits of entropy. | |
20 | * When enough bits of entropy are available, the hash is finalized and | |
21 | * handed as a key to a stream cipher that expands it indefinitely for | |
22 | * various consumers. This key is periodically refreshed as the various | |
23 | * entropy collectors, described below, add data to the input pool. | |
1da177e4 LT |
24 | */ |
25 | ||
12cd53af YL |
26 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
27 | ||
1da177e4 | 28 | #include <linux/utsname.h> |
1da177e4 LT |
29 | #include <linux/module.h> |
30 | #include <linux/kernel.h> | |
31 | #include <linux/major.h> | |
32 | #include <linux/string.h> | |
33 | #include <linux/fcntl.h> | |
34 | #include <linux/slab.h> | |
35 | #include <linux/random.h> | |
36 | #include <linux/poll.h> | |
37 | #include <linux/init.h> | |
38 | #include <linux/fs.h> | |
322cbb50 | 39 | #include <linux/blkdev.h> |
1da177e4 | 40 | #include <linux/interrupt.h> |
27ac792c | 41 | #include <linux/mm.h> |
dd0f0cf5 | 42 | #include <linux/nodemask.h> |
1da177e4 | 43 | #include <linux/spinlock.h> |
c84dbf61 | 44 | #include <linux/kthread.h> |
1da177e4 | 45 | #include <linux/percpu.h> |
775f4b29 | 46 | #include <linux/ptrace.h> |
6265e169 | 47 | #include <linux/workqueue.h> |
0244ad00 | 48 | #include <linux/irq.h> |
4e00b339 | 49 | #include <linux/ratelimit.h> |
c6e9d6f3 TT |
50 | #include <linux/syscalls.h> |
51 | #include <linux/completion.h> | |
8da4b8c4 | 52 | #include <linux/uuid.h> |
87e7d5ab | 53 | #include <linux/uaccess.h> |
b7b67d13 | 54 | #include <linux/suspend.h> |
e73aaae2 | 55 | #include <linux/siphash.h> |
1ca1b917 | 56 | #include <crypto/chacha.h> |
9f9eff85 | 57 | #include <crypto/blake2s.h> |
1da177e4 | 58 | #include <asm/processor.h> |
1da177e4 | 59 | #include <asm/irq.h> |
775f4b29 | 60 | #include <asm/irq_regs.h> |
1da177e4 LT |
61 | #include <asm/io.h> |
62 | ||
5f1bb112 JD |
63 | /********************************************************************* |
64 | * | |
65 | * Initialization and readiness waiting. | |
66 | * | |
67 | * Much of the RNG infrastructure is devoted to various dependencies | |
68 | * being able to wait until the RNG has collected enough entropy and | |
69 | * is ready for safe consumption. | |
70 | * | |
71 | *********************************************************************/ | |
205a525c | 72 | |
e192be9d | 73 | /* |
5f1bb112 | 74 | * crng_init is protected by base_crng->lock, and only increases |
e3d2c5e7 | 75 | * its value (from empty->early->ready). |
e192be9d | 76 | */ |
e3d2c5e7 JD |
77 | static enum { |
78 | CRNG_EMPTY = 0, /* Little to no entropy collected */ | |
79 | CRNG_EARLY = 1, /* At least POOL_EARLY_BITS collected */ | |
80 | CRNG_READY = 2 /* Fully initialized with POOL_READY_BITS collected */ | |
f5bda35f JD |
81 | } crng_init __read_mostly = CRNG_EMPTY; |
82 | static DEFINE_STATIC_KEY_FALSE(crng_is_ready); | |
83 | #define crng_ready() (static_branch_likely(&crng_is_ready) || crng_init >= CRNG_READY) | |
e3d2c5e7 | 84 | /* Various types of waiters for crng_init->CRNG_READY transition. */ |
5f1bb112 JD |
85 | static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait); |
86 | static struct fasync_struct *fasync; | |
e192be9d | 87 | |
5f1bb112 | 88 | /* Control how we warn userspace. */ |
0313bc27 | 89 | static struct ratelimit_state urandom_warning = |
c01d4d0a | 90 | RATELIMIT_STATE_INIT_FLAGS("urandom_warning", HZ, 3, RATELIMIT_MSG_ON_RELEASE); |
cc1e127b JD |
91 | static int ratelimit_disable __read_mostly = |
92 | IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM); | |
4e00b339 TT |
93 | module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); |
94 | MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); | |
95 | ||
5f1bb112 JD |
96 | /* |
97 | * Returns whether or not the input pool has been seeded and thus guaranteed | |
0313bc27 LT |
98 | * to supply cryptographically secure random numbers. This applies to: the |
99 | * /dev/urandom device, the get_random_bytes function, and the get_random_{u32, | |
100 | * ,u64,int,long} family of functions. | |
5f1bb112 JD |
101 | * |
102 | * Returns: true if the input pool has been seeded. | |
103 | * false if the input pool has not been seeded. | |
104 | */ | |
105 | bool rng_is_initialized(void) | |
106 | { | |
107 | return crng_ready(); | |
108 | } | |
109 | EXPORT_SYMBOL(rng_is_initialized); | |
110 | ||
560181c2 | 111 | static void __cold crng_set_ready(struct work_struct *work) |
f5bda35f JD |
112 | { |
113 | static_branch_enable(&crng_is_ready); | |
114 | } | |
115 | ||
5f1bb112 JD |
116 | /* Used by wait_for_random_bytes(), and considered an entropy collector, below. */ |
117 | static void try_to_generate_entropy(void); | |
118 | ||
119 | /* | |
120 | * Wait for the input pool to be seeded and thus guaranteed to supply | |
0313bc27 LT |
121 | * cryptographically secure random numbers. This applies to: the /dev/urandom |
122 | * device, the get_random_bytes function, and the get_random_{u32,u64,int,long} | |
123 | * family of functions. Using any of these functions without first calling | |
124 | * this function forfeits the guarantee of security. | |
5f1bb112 JD |
125 | * |
126 | * Returns: 0 if the input pool has been seeded. | |
127 | * -ERESTARTSYS if the function was interrupted by a signal. | |
128 | */ | |
129 | int wait_for_random_bytes(void) | |
130 | { | |
a96cfe2d | 131 | while (!crng_ready()) { |
5f1bb112 | 132 | int ret; |
3e504d20 JD |
133 | |
134 | try_to_generate_entropy(); | |
5f1bb112 JD |
135 | ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ); |
136 | if (ret) | |
137 | return ret > 0 ? 0 : ret; | |
a96cfe2d | 138 | } |
5f1bb112 JD |
139 | return 0; |
140 | } | |
141 | EXPORT_SYMBOL(wait_for_random_bytes); | |
142 | ||
cc1e127b | 143 | #define warn_unseeded_randomness() \ |
560181c2 JD |
144 | if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready()) \ |
145 | printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n", \ | |
146 | __func__, (void *)_RET_IP_, crng_init) | |
5f1bb112 JD |
147 | |
148 | ||
3655adc7 | 149 | /********************************************************************* |
1da177e4 | 150 | * |
3655adc7 | 151 | * Fast key erasure RNG, the "crng". |
1da177e4 | 152 | * |
3655adc7 JD |
153 | * These functions expand entropy from the entropy extractor into |
154 | * long streams for external consumption using the "fast key erasure" | |
155 | * RNG described at <https://blog.cr.yp.to/20170723-random.html>. | |
e192be9d | 156 | * |
3655adc7 JD |
157 | * There are a few exported interfaces for use by other drivers: |
158 | * | |
a1940263 | 159 | * void get_random_bytes(void *buf, size_t len) |
3655adc7 JD |
160 | * u32 get_random_u32() |
161 | * u64 get_random_u64() | |
162 | * unsigned int get_random_int() | |
163 | * unsigned long get_random_long() | |
164 | * | |
165 | * These interfaces will return the requested number of random bytes | |
0313bc27 | 166 | * into the given buffer or as a return value. This is equivalent to |
dd7aa36e JD |
167 | * a read from /dev/urandom. The u32, u64, int, and long family of |
168 | * functions may be higher performance for one-off random integers, | |
169 | * because they do a bit of buffering and do not invoke reseeding | |
170 | * until the buffer is emptied. | |
e192be9d TT |
171 | * |
172 | *********************************************************************/ | |
173 | ||
e85c0fc1 JD |
174 | enum { |
175 | CRNG_RESEED_START_INTERVAL = HZ, | |
176 | CRNG_RESEED_INTERVAL = 60 * HZ | |
177 | }; | |
186873c5 JD |
178 | |
179 | static struct { | |
180 | u8 key[CHACHA_KEY_SIZE] __aligned(__alignof__(long)); | |
181 | unsigned long birth; | |
182 | unsigned long generation; | |
183 | spinlock_t lock; | |
184 | } base_crng = { | |
185 | .lock = __SPIN_LOCK_UNLOCKED(base_crng.lock) | |
186 | }; | |
187 | ||
188 | struct crng { | |
189 | u8 key[CHACHA_KEY_SIZE]; | |
190 | unsigned long generation; | |
191 | local_lock_t lock; | |
192 | }; | |
193 | ||
194 | static DEFINE_PER_CPU(struct crng, crngs) = { | |
195 | .generation = ULONG_MAX, | |
196 | .lock = INIT_LOCAL_LOCK(crngs.lock), | |
197 | }; | |
e192be9d | 198 | |
e85c0fc1 | 199 | /* Used by crng_reseed() and crng_make_state() to extract a new seed from the input pool. */ |
a1940263 | 200 | static void extract_entropy(void *buf, size_t len); |
e192be9d | 201 | |
e85c0fc1 JD |
202 | /* This extracts a new crng key from the input pool. */ |
203 | static void crng_reseed(void) | |
e192be9d | 204 | { |
248045b8 | 205 | unsigned long flags; |
186873c5 JD |
206 | unsigned long next_gen; |
207 | u8 key[CHACHA_KEY_SIZE]; | |
e192be9d | 208 | |
e85c0fc1 | 209 | extract_entropy(key, sizeof(key)); |
a9412d51 | 210 | |
186873c5 JD |
211 | /* |
212 | * We copy the new key into the base_crng, overwriting the old one, | |
213 | * and update the generation counter. We avoid hitting ULONG_MAX, | |
214 | * because the per-cpu crngs are initialized to ULONG_MAX, so this | |
215 | * forces new CPUs that come online to always initialize. | |
216 | */ | |
217 | spin_lock_irqsave(&base_crng.lock, flags); | |
218 | memcpy(base_crng.key, key, sizeof(base_crng.key)); | |
219 | next_gen = base_crng.generation + 1; | |
220 | if (next_gen == ULONG_MAX) | |
221 | ++next_gen; | |
222 | WRITE_ONCE(base_crng.generation, next_gen); | |
223 | WRITE_ONCE(base_crng.birth, jiffies); | |
f5bda35f | 224 | if (!static_branch_likely(&crng_is_ready)) |
e3d2c5e7 | 225 | crng_init = CRNG_READY; |
7191c628 DB |
226 | spin_unlock_irqrestore(&base_crng.lock, flags); |
227 | memzero_explicit(key, sizeof(key)); | |
e192be9d TT |
228 | } |
229 | ||
186873c5 | 230 | /* |
3655adc7 | 231 | * This generates a ChaCha block using the provided key, and then |
7f637be4 | 232 | * immediately overwrites that key with half the block. It returns |
3655adc7 JD |
233 | * the resultant ChaCha state to the user, along with the second |
234 | * half of the block containing 32 bytes of random data that may | |
235 | * be used; random_data_len may not be greater than 32. | |
8717627d JD |
236 | * |
237 | * The returned ChaCha state contains within it a copy of the old | |
238 | * key value, at index 4, so the state should always be zeroed out | |
239 | * immediately after using in order to maintain forward secrecy. | |
240 | * If the state cannot be erased in a timely manner, then it is | |
241 | * safer to set the random_data parameter to &chacha_state[4] so | |
242 | * that this function overwrites it before returning. | |
186873c5 JD |
243 | */ |
244 | static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], | |
245 | u32 chacha_state[CHACHA_STATE_WORDS], | |
246 | u8 *random_data, size_t random_data_len) | |
e192be9d | 247 | { |
186873c5 | 248 | u8 first_block[CHACHA_BLOCK_SIZE]; |
009ba856 | 249 | |
186873c5 JD |
250 | BUG_ON(random_data_len > 32); |
251 | ||
252 | chacha_init_consts(chacha_state); | |
253 | memcpy(&chacha_state[4], key, CHACHA_KEY_SIZE); | |
254 | memset(&chacha_state[12], 0, sizeof(u32) * 4); | |
255 | chacha20_block(chacha_state, first_block); | |
256 | ||
257 | memcpy(key, first_block, CHACHA_KEY_SIZE); | |
8717627d | 258 | memcpy(random_data, first_block + CHACHA_KEY_SIZE, random_data_len); |
186873c5 | 259 | memzero_explicit(first_block, sizeof(first_block)); |
1e7f583a TT |
260 | } |
261 | ||
7a7ff644 | 262 | /* |
e85c0fc1 JD |
263 | * Return whether the crng seed is considered to be sufficiently old |
264 | * that a reseeding is needed. This happens if the last reseeding | |
265 | * was CRNG_RESEED_INTERVAL ago, or during early boot, at an interval | |
266 | * proportional to the uptime. | |
7a7ff644 JD |
267 | */ |
268 | static bool crng_has_old_seed(void) | |
269 | { | |
270 | static bool early_boot = true; | |
271 | unsigned long interval = CRNG_RESEED_INTERVAL; | |
272 | ||
273 | if (unlikely(READ_ONCE(early_boot))) { | |
274 | time64_t uptime = ktime_get_seconds(); | |
275 | if (uptime >= CRNG_RESEED_INTERVAL / HZ * 2) | |
276 | WRITE_ONCE(early_boot, false); | |
277 | else | |
e85c0fc1 | 278 | interval = max_t(unsigned int, CRNG_RESEED_START_INTERVAL, |
7a7ff644 JD |
279 | (unsigned int)uptime / 2 * HZ); |
280 | } | |
8a5b8a4a | 281 | return time_is_before_jiffies(READ_ONCE(base_crng.birth) + interval); |
7a7ff644 JD |
282 | } |
283 | ||
c92e040d | 284 | /* |
186873c5 JD |
285 | * This function returns a ChaCha state that you may use for generating |
286 | * random data. It also returns up to 32 bytes on its own of random data | |
287 | * that may be used; random_data_len may not be greater than 32. | |
c92e040d | 288 | */ |
186873c5 JD |
289 | static void crng_make_state(u32 chacha_state[CHACHA_STATE_WORDS], |
290 | u8 *random_data, size_t random_data_len) | |
c92e040d | 291 | { |
248045b8 | 292 | unsigned long flags; |
186873c5 | 293 | struct crng *crng; |
c92e040d | 294 | |
186873c5 JD |
295 | BUG_ON(random_data_len > 32); |
296 | ||
297 | /* | |
298 | * For the fast path, we check whether we're ready, unlocked first, and | |
299 | * then re-check once locked later. In the case where we're really not | |
5c3b747e | 300 | * ready, we do fast key erasure with the base_crng directly, extracting |
e3d2c5e7 | 301 | * when crng_init is CRNG_EMPTY. |
186873c5 | 302 | */ |
a96cfe2d | 303 | if (!crng_ready()) { |
186873c5 JD |
304 | bool ready; |
305 | ||
306 | spin_lock_irqsave(&base_crng.lock, flags); | |
307 | ready = crng_ready(); | |
5c3b747e | 308 | if (!ready) { |
e3d2c5e7 | 309 | if (crng_init == CRNG_EMPTY) |
5c3b747e | 310 | extract_entropy(base_crng.key, sizeof(base_crng.key)); |
186873c5 JD |
311 | crng_fast_key_erasure(base_crng.key, chacha_state, |
312 | random_data, random_data_len); | |
5c3b747e | 313 | } |
186873c5 JD |
314 | spin_unlock_irqrestore(&base_crng.lock, flags); |
315 | if (!ready) | |
316 | return; | |
c92e040d | 317 | } |
186873c5 JD |
318 | |
319 | /* | |
e85c0fc1 JD |
320 | * If the base_crng is old enough, we reseed, which in turn bumps the |
321 | * generation counter that we check below. | |
186873c5 | 322 | */ |
7a7ff644 | 323 | if (unlikely(crng_has_old_seed())) |
e85c0fc1 | 324 | crng_reseed(); |
186873c5 JD |
325 | |
326 | local_lock_irqsave(&crngs.lock, flags); | |
327 | crng = raw_cpu_ptr(&crngs); | |
328 | ||
329 | /* | |
330 | * If our per-cpu crng is older than the base_crng, then it means | |
331 | * somebody reseeded the base_crng. In that case, we do fast key | |
332 | * erasure on the base_crng, and use its output as the new key | |
333 | * for our per-cpu crng. This brings us up to date with base_crng. | |
334 | */ | |
335 | if (unlikely(crng->generation != READ_ONCE(base_crng.generation))) { | |
336 | spin_lock(&base_crng.lock); | |
337 | crng_fast_key_erasure(base_crng.key, chacha_state, | |
338 | crng->key, sizeof(crng->key)); | |
339 | crng->generation = base_crng.generation; | |
340 | spin_unlock(&base_crng.lock); | |
341 | } | |
342 | ||
343 | /* | |
344 | * Finally, when we've made it this far, our per-cpu crng has an up | |
345 | * to date key, and we can do fast key erasure with it to produce | |
346 | * some random data and a ChaCha state for the caller. All other | |
347 | * branches of this function are "unlikely", so most of the time we | |
348 | * should wind up here immediately. | |
349 | */ | |
350 | crng_fast_key_erasure(crng->key, chacha_state, random_data, random_data_len); | |
351 | local_unlock_irqrestore(&crngs.lock, flags); | |
c92e040d TT |
352 | } |
353 | ||
a1940263 | 354 | static void _get_random_bytes(void *buf, size_t len) |
e192be9d | 355 | { |
186873c5 | 356 | u32 chacha_state[CHACHA_STATE_WORDS]; |
3655adc7 | 357 | u8 tmp[CHACHA_BLOCK_SIZE]; |
a1940263 | 358 | size_t first_block_len; |
3655adc7 | 359 | |
a1940263 | 360 | if (!len) |
3655adc7 JD |
361 | return; |
362 | ||
a1940263 JD |
363 | first_block_len = min_t(size_t, 32, len); |
364 | crng_make_state(chacha_state, buf, first_block_len); | |
365 | len -= first_block_len; | |
366 | buf += first_block_len; | |
3655adc7 | 367 | |
a1940263 JD |
368 | while (len) { |
369 | if (len < CHACHA_BLOCK_SIZE) { | |
3655adc7 | 370 | chacha20_block(chacha_state, tmp); |
a1940263 | 371 | memcpy(buf, tmp, len); |
3655adc7 JD |
372 | memzero_explicit(tmp, sizeof(tmp)); |
373 | break; | |
374 | } | |
375 | ||
376 | chacha20_block(chacha_state, buf); | |
377 | if (unlikely(chacha_state[12] == 0)) | |
378 | ++chacha_state[13]; | |
a1940263 | 379 | len -= CHACHA_BLOCK_SIZE; |
3655adc7 JD |
380 | buf += CHACHA_BLOCK_SIZE; |
381 | } | |
382 | ||
383 | memzero_explicit(chacha_state, sizeof(chacha_state)); | |
384 | } | |
385 | ||
386 | /* | |
387 | * This function is the exported kernel interface. It returns some | |
388 | * number of good random numbers, suitable for key generation, seeding | |
248561ad JD |
389 | * TCP sequence numbers, etc. In order to ensure that the randomness |
390 | * by this function is okay, the function wait_for_random_bytes() | |
391 | * should be called and return 0 at least once at any point prior. | |
3655adc7 | 392 | */ |
a1940263 | 393 | void get_random_bytes(void *buf, size_t len) |
3655adc7 | 394 | { |
cc1e127b | 395 | warn_unseeded_randomness(); |
a1940263 | 396 | _get_random_bytes(buf, len); |
3655adc7 JD |
397 | } |
398 | EXPORT_SYMBOL(get_random_bytes); | |
399 | ||
1b388e77 | 400 | static ssize_t get_random_bytes_user(struct iov_iter *iter) |
3655adc7 | 401 | { |
3655adc7 | 402 | u32 chacha_state[CHACHA_STATE_WORDS]; |
1b388e77 JA |
403 | u8 block[CHACHA_BLOCK_SIZE]; |
404 | size_t ret = 0, copied; | |
3655adc7 | 405 | |
1b388e77 | 406 | if (unlikely(!iov_iter_count(iter))) |
3655adc7 JD |
407 | return 0; |
408 | ||
aba120cc JD |
409 | /* |
410 | * Immediately overwrite the ChaCha key at index 4 with random | |
63b8ea5e | 411 | * bytes, in case userspace causes copy_to_iter() below to sleep |
aba120cc JD |
412 | * forever, so that we still retain forward secrecy in that case. |
413 | */ | |
414 | crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE); | |
415 | /* | |
416 | * However, if we're doing a read of len <= 32, we don't need to | |
417 | * use chacha_state after, so we can simply return those bytes to | |
418 | * the user directly. | |
419 | */ | |
1b388e77 JA |
420 | if (iov_iter_count(iter) <= CHACHA_KEY_SIZE) { |
421 | ret = copy_to_iter(&chacha_state[4], CHACHA_KEY_SIZE, iter); | |
aba120cc JD |
422 | goto out_zero_chacha; |
423 | } | |
3655adc7 | 424 | |
5209aed5 | 425 | for (;;) { |
1b388e77 | 426 | chacha20_block(chacha_state, block); |
3655adc7 JD |
427 | if (unlikely(chacha_state[12] == 0)) |
428 | ++chacha_state[13]; | |
429 | ||
1b388e77 JA |
430 | copied = copy_to_iter(block, sizeof(block), iter); |
431 | ret += copied; | |
432 | if (!iov_iter_count(iter) || copied != sizeof(block)) | |
5209aed5 | 433 | break; |
e3c1c4fd | 434 | |
1b388e77 | 435 | BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0); |
5209aed5 | 436 | if (ret % PAGE_SIZE == 0) { |
e3c1c4fd JD |
437 | if (signal_pending(current)) |
438 | break; | |
439 | cond_resched(); | |
440 | } | |
5209aed5 | 441 | } |
3655adc7 | 442 | |
1b388e77 | 443 | memzero_explicit(block, sizeof(block)); |
aba120cc JD |
444 | out_zero_chacha: |
445 | memzero_explicit(chacha_state, sizeof(chacha_state)); | |
5209aed5 | 446 | return ret ? ret : -EFAULT; |
3655adc7 JD |
447 | } |
448 | ||
449 | /* | |
450 | * Batched entropy returns random integers. The quality of the random | |
451 | * number is good as /dev/urandom. In order to ensure that the randomness | |
452 | * provided by this function is okay, the function wait_for_random_bytes() | |
453 | * should be called and return 0 at least once at any point prior. | |
454 | */ | |
3655adc7 | 455 | |
3092adce JD |
456 | #define DEFINE_BATCHED_ENTROPY(type) \ |
457 | struct batch_ ##type { \ | |
458 | /* \ | |
459 | * We make this 1.5x a ChaCha block, so that we get the \ | |
460 | * remaining 32 bytes from fast key erasure, plus one full \ | |
461 | * block from the detached ChaCha state. We can increase \ | |
462 | * the size of this later if needed so long as we keep the \ | |
463 | * formula of (integer_blocks + 0.5) * CHACHA_BLOCK_SIZE. \ | |
464 | */ \ | |
465 | type entropy[CHACHA_BLOCK_SIZE * 3 / (2 * sizeof(type))]; \ | |
466 | local_lock_t lock; \ | |
467 | unsigned long generation; \ | |
468 | unsigned int position; \ | |
469 | }; \ | |
470 | \ | |
471 | static DEFINE_PER_CPU(struct batch_ ##type, batched_entropy_ ##type) = { \ | |
472 | .lock = INIT_LOCAL_LOCK(batched_entropy_ ##type.lock), \ | |
473 | .position = UINT_MAX \ | |
474 | }; \ | |
475 | \ | |
476 | type get_random_ ##type(void) \ | |
477 | { \ | |
478 | type ret; \ | |
479 | unsigned long flags; \ | |
480 | struct batch_ ##type *batch; \ | |
481 | unsigned long next_gen; \ | |
482 | \ | |
483 | warn_unseeded_randomness(); \ | |
484 | \ | |
485 | if (!crng_ready()) { \ | |
486 | _get_random_bytes(&ret, sizeof(ret)); \ | |
487 | return ret; \ | |
488 | } \ | |
489 | \ | |
490 | local_lock_irqsave(&batched_entropy_ ##type.lock, flags); \ | |
491 | batch = raw_cpu_ptr(&batched_entropy_##type); \ | |
492 | \ | |
493 | next_gen = READ_ONCE(base_crng.generation); \ | |
494 | if (batch->position >= ARRAY_SIZE(batch->entropy) || \ | |
495 | next_gen != batch->generation) { \ | |
496 | _get_random_bytes(batch->entropy, sizeof(batch->entropy)); \ | |
497 | batch->position = 0; \ | |
498 | batch->generation = next_gen; \ | |
499 | } \ | |
500 | \ | |
501 | ret = batch->entropy[batch->position]; \ | |
502 | batch->entropy[batch->position] = 0; \ | |
503 | ++batch->position; \ | |
504 | local_unlock_irqrestore(&batched_entropy_ ##type.lock, flags); \ | |
505 | return ret; \ | |
506 | } \ | |
507 | EXPORT_SYMBOL(get_random_ ##type); | |
508 | ||
509 | DEFINE_BATCHED_ENTROPY(u64) | |
510 | DEFINE_BATCHED_ENTROPY(u32) | |
3655adc7 | 511 | |
3191dd5a JD |
512 | #ifdef CONFIG_SMP |
513 | /* | |
514 | * This function is called when the CPU is coming up, with entry | |
515 | * CPUHP_RANDOM_PREPARE, which comes before CPUHP_WORKQUEUE_PREP. | |
516 | */ | |
560181c2 | 517 | int __cold random_prepare_cpu(unsigned int cpu) |
3191dd5a JD |
518 | { |
519 | /* | |
520 | * When the cpu comes back online, immediately invalidate both | |
521 | * the per-cpu crng and all batches, so that we serve fresh | |
522 | * randomness. | |
523 | */ | |
524 | per_cpu_ptr(&crngs, cpu)->generation = ULONG_MAX; | |
525 | per_cpu_ptr(&batched_entropy_u32, cpu)->position = UINT_MAX; | |
526 | per_cpu_ptr(&batched_entropy_u64, cpu)->position = UINT_MAX; | |
527 | return 0; | |
528 | } | |
529 | #endif | |
530 | ||
a5ed7cb1 JD |
531 | |
532 | /********************************************************************** | |
533 | * | |
534 | * Entropy accumulation and extraction routines. | |
535 | * | |
536 | * Callers may add entropy via: | |
537 | * | |
a1940263 | 538 | * static void mix_pool_bytes(const void *buf, size_t len) |
a5ed7cb1 JD |
539 | * |
540 | * After which, if added entropy should be credited: | |
541 | * | |
a1940263 | 542 | * static void credit_init_bits(size_t bits) |
a5ed7cb1 | 543 | * |
e85c0fc1 | 544 | * Finally, extract entropy via: |
a5ed7cb1 | 545 | * |
a1940263 | 546 | * static void extract_entropy(void *buf, size_t len) |
a5ed7cb1 JD |
547 | * |
548 | **********************************************************************/ | |
549 | ||
3655adc7 JD |
550 | enum { |
551 | POOL_BITS = BLAKE2S_HASH_SIZE * 8, | |
e3d2c5e7 JD |
552 | POOL_READY_BITS = POOL_BITS, /* When crng_init->CRNG_READY */ |
553 | POOL_EARLY_BITS = POOL_READY_BITS / 2 /* When crng_init->CRNG_EARLY */ | |
3655adc7 JD |
554 | }; |
555 | ||
3655adc7 JD |
556 | static struct { |
557 | struct blake2s_state hash; | |
558 | spinlock_t lock; | |
e85c0fc1 | 559 | unsigned int init_bits; |
3655adc7 JD |
560 | } input_pool = { |
561 | .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE), | |
562 | BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4, | |
563 | BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 }, | |
564 | .hash.outlen = BLAKE2S_HASH_SIZE, | |
565 | .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock), | |
566 | }; | |
567 | ||
a1940263 | 568 | static void _mix_pool_bytes(const void *buf, size_t len) |
a5ed7cb1 | 569 | { |
a1940263 | 570 | blake2s_update(&input_pool.hash, buf, len); |
a5ed7cb1 | 571 | } |
3655adc7 JD |
572 | |
573 | /* | |
e85c0fc1 JD |
574 | * This function adds bytes into the input pool. It does not |
575 | * update the initialization bit counter; the caller should call | |
576 | * credit_init_bits if this is appropriate. | |
3655adc7 | 577 | */ |
a1940263 | 578 | static void mix_pool_bytes(const void *buf, size_t len) |
3655adc7 | 579 | { |
a5ed7cb1 JD |
580 | unsigned long flags; |
581 | ||
582 | spin_lock_irqsave(&input_pool.lock, flags); | |
a1940263 | 583 | _mix_pool_bytes(buf, len); |
a5ed7cb1 | 584 | spin_unlock_irqrestore(&input_pool.lock, flags); |
3655adc7 JD |
585 | } |
586 | ||
a5ed7cb1 JD |
587 | /* |
588 | * This is an HKDF-like construction for using the hashed collected entropy | |
589 | * as a PRF key, that's then expanded block-by-block. | |
590 | */ | |
a1940263 | 591 | static void extract_entropy(void *buf, size_t len) |
3655adc7 JD |
592 | { |
593 | unsigned long flags; | |
a5ed7cb1 JD |
594 | u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE]; |
595 | struct { | |
596 | unsigned long rdseed[32 / sizeof(long)]; | |
597 | size_t counter; | |
598 | } block; | |
d349ab99 | 599 | size_t i, longs; |
a5ed7cb1 | 600 | |
d349ab99 JD |
601 | for (i = 0; i < ARRAY_SIZE(block.rdseed);) { |
602 | longs = arch_get_random_seed_longs(&block.rdseed[i], ARRAY_SIZE(block.rdseed) - i); | |
603 | if (longs) { | |
604 | i += longs; | |
605 | continue; | |
606 | } | |
607 | longs = arch_get_random_longs(&block.rdseed[i], ARRAY_SIZE(block.rdseed) - i); | |
608 | if (longs) { | |
609 | i += longs; | |
610 | continue; | |
611 | } | |
612 | block.rdseed[i++] = random_get_entropy(); | |
a5ed7cb1 | 613 | } |
3655adc7 JD |
614 | |
615 | spin_lock_irqsave(&input_pool.lock, flags); | |
a5ed7cb1 JD |
616 | |
617 | /* seed = HASHPRF(last_key, entropy_input) */ | |
618 | blake2s_final(&input_pool.hash, seed); | |
619 | ||
620 | /* next_key = HASHPRF(seed, RDSEED || 0) */ | |
621 | block.counter = 0; | |
622 | blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed)); | |
623 | blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key)); | |
624 | ||
3655adc7 | 625 | spin_unlock_irqrestore(&input_pool.lock, flags); |
a5ed7cb1 JD |
626 | memzero_explicit(next_key, sizeof(next_key)); |
627 | ||
a1940263 JD |
628 | while (len) { |
629 | i = min_t(size_t, len, BLAKE2S_HASH_SIZE); | |
a5ed7cb1 JD |
630 | /* output = HASHPRF(seed, RDSEED || ++counter) */ |
631 | ++block.counter; | |
632 | blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed)); | |
a1940263 | 633 | len -= i; |
a5ed7cb1 JD |
634 | buf += i; |
635 | } | |
636 | ||
637 | memzero_explicit(seed, sizeof(seed)); | |
638 | memzero_explicit(&block, sizeof(block)); | |
639 | } | |
640 | ||
560181c2 JD |
641 | #define credit_init_bits(bits) if (!crng_ready()) _credit_init_bits(bits) |
642 | ||
643 | static void __cold _credit_init_bits(size_t bits) | |
5c3b747e | 644 | { |
f5bda35f | 645 | static struct execute_work set_ready; |
fed7ef06 | 646 | unsigned int new, orig, add; |
5c3b747e JD |
647 | unsigned long flags; |
648 | ||
560181c2 | 649 | if (!bits) |
5c3b747e JD |
650 | return; |
651 | ||
a1940263 | 652 | add = min_t(size_t, bits, POOL_BITS); |
5c3b747e | 653 | |
b7a68f67 | 654 | orig = READ_ONCE(input_pool.init_bits); |
5c3b747e | 655 | do { |
fed7ef06 | 656 | new = min_t(unsigned int, POOL_BITS, orig + add); |
b7a68f67 | 657 | } while (!try_cmpxchg(&input_pool.init_bits, &orig, new)); |
5c3b747e | 658 | |
68c9c8b1 JD |
659 | if (orig < POOL_READY_BITS && new >= POOL_READY_BITS) { |
660 | crng_reseed(); /* Sets crng_init to CRNG_READY under base_crng.lock. */ | |
60e5b288 JD |
661 | if (static_key_initialized) |
662 | execute_in_process_context(crng_set_ready, &set_ready); | |
68c9c8b1 JD |
663 | wake_up_interruptible(&crng_init_wait); |
664 | kill_fasync(&fasync, SIGIO, POLL_IN); | |
665 | pr_notice("crng init done\n"); | |
cc1e127b | 666 | if (urandom_warning.missed) |
68c9c8b1 JD |
667 | pr_notice("%d urandom warning(s) missed due to ratelimiting\n", |
668 | urandom_warning.missed); | |
68c9c8b1 | 669 | } else if (orig < POOL_EARLY_BITS && new >= POOL_EARLY_BITS) { |
5c3b747e | 670 | spin_lock_irqsave(&base_crng.lock, flags); |
68c9c8b1 | 671 | /* Check if crng_init is CRNG_EMPTY, to avoid race with crng_reseed(). */ |
e3d2c5e7 | 672 | if (crng_init == CRNG_EMPTY) { |
5c3b747e | 673 | extract_entropy(base_crng.key, sizeof(base_crng.key)); |
e3d2c5e7 | 674 | crng_init = CRNG_EARLY; |
5c3b747e JD |
675 | } |
676 | spin_unlock_irqrestore(&base_crng.lock, flags); | |
677 | } | |
678 | } | |
679 | ||
92c653cf JD |
680 | |
681 | /********************************************************************** | |
682 | * | |
683 | * Entropy collection routines. | |
684 | * | |
685 | * The following exported functions are used for pushing entropy into | |
686 | * the above entropy accumulation routines: | |
687 | * | |
a1940263 JD |
688 | * void add_device_randomness(const void *buf, size_t len); |
689 | * void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy); | |
690 | * void add_bootloader_randomness(const void *buf, size_t len); | |
691 | * void add_vmfork_randomness(const void *unique_vm_id, size_t len); | |
92c653cf | 692 | * void add_interrupt_randomness(int irq); |
a1940263 | 693 | * void add_input_randomness(unsigned int type, unsigned int code, unsigned int value); |
a4b5c26b | 694 | * void add_disk_randomness(struct gendisk *disk); |
92c653cf JD |
695 | * |
696 | * add_device_randomness() adds data to the input pool that | |
697 | * is likely to differ between two devices (or possibly even per boot). | |
698 | * This would be things like MAC addresses or serial numbers, or the | |
699 | * read-out of the RTC. This does *not* credit any actual entropy to | |
700 | * the pool, but it initializes the pool to different values for devices | |
701 | * that might otherwise be identical and have very little entropy | |
702 | * available to them (particularly common in the embedded world). | |
703 | * | |
92c653cf JD |
704 | * add_hwgenerator_randomness() is for true hardware RNGs, and will credit |
705 | * entropy as specified by the caller. If the entropy pool is full it will | |
706 | * block until more entropy is needed. | |
707 | * | |
5c3b747e JD |
708 | * add_bootloader_randomness() is called by bootloader drivers, such as EFI |
709 | * and device tree, and credits its input depending on whether or not the | |
710 | * configuration option CONFIG_RANDOM_TRUST_BOOTLOADER is set. | |
92c653cf | 711 | * |
ae099e8e JD |
712 | * add_vmfork_randomness() adds a unique (but not necessarily secret) ID |
713 | * representing the current instance of a VM to the pool, without crediting, | |
714 | * and then force-reseeds the crng so that it takes effect immediately. | |
715 | * | |
92c653cf JD |
716 | * add_interrupt_randomness() uses the interrupt timing as random |
717 | * inputs to the entropy pool. Using the cycle counters and the irq source | |
718 | * as inputs, it feeds the input pool roughly once a second or after 64 | |
719 | * interrupts, crediting 1 bit of entropy for whichever comes first. | |
720 | * | |
a4b5c26b JD |
721 | * add_input_randomness() uses the input layer interrupt timing, as well |
722 | * as the event type information from the hardware. | |
723 | * | |
724 | * add_disk_randomness() uses what amounts to the seek time of block | |
725 | * layer request events, on a per-disk_devt basis, as input to the | |
726 | * entropy pool. Note that high-speed solid state drives with very low | |
727 | * seek times do not make for good sources of entropy, as their seek | |
728 | * times are usually fairly consistent. | |
729 | * | |
730 | * The last two routines try to estimate how many bits of entropy | |
731 | * to credit. They do this by keeping track of the first and second | |
732 | * order deltas of the event timings. | |
733 | * | |
92c653cf JD |
734 | **********************************************************************/ |
735 | ||
39e0f991 JD |
736 | static bool trust_cpu __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU); |
737 | static bool trust_bootloader __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER); | |
92c653cf JD |
738 | static int __init parse_trust_cpu(char *arg) |
739 | { | |
740 | return kstrtobool(arg, &trust_cpu); | |
741 | } | |
d97c68d1 JD |
742 | static int __init parse_trust_bootloader(char *arg) |
743 | { | |
744 | return kstrtobool(arg, &trust_bootloader); | |
745 | } | |
92c653cf | 746 | early_param("random.trust_cpu", parse_trust_cpu); |
d97c68d1 | 747 | early_param("random.trust_bootloader", parse_trust_bootloader); |
3655adc7 | 748 | |
b7b67d13 JD |
749 | static int random_pm_notification(struct notifier_block *nb, unsigned long action, void *data) |
750 | { | |
751 | unsigned long flags, entropy = random_get_entropy(); | |
752 | ||
753 | /* | |
754 | * Encode a representation of how long the system has been suspended, | |
755 | * in a way that is distinct from prior system suspends. | |
756 | */ | |
757 | ktime_t stamps[] = { ktime_get(), ktime_get_boottime(), ktime_get_real() }; | |
758 | ||
759 | spin_lock_irqsave(&input_pool.lock, flags); | |
760 | _mix_pool_bytes(&action, sizeof(action)); | |
761 | _mix_pool_bytes(stamps, sizeof(stamps)); | |
762 | _mix_pool_bytes(&entropy, sizeof(entropy)); | |
763 | spin_unlock_irqrestore(&input_pool.lock, flags); | |
764 | ||
765 | if (crng_ready() && (action == PM_RESTORE_PREPARE || | |
261e224d KS |
766 | (action == PM_POST_SUSPEND && !IS_ENABLED(CONFIG_PM_AUTOSLEEP) && |
767 | !IS_ENABLED(CONFIG_PM_USERSPACE_AUTOSLEEP)))) { | |
e85c0fc1 | 768 | crng_reseed(); |
b7b67d13 JD |
769 | pr_notice("crng reseeded on system resumption\n"); |
770 | } | |
771 | return 0; | |
772 | } | |
773 | ||
774 | static struct notifier_block pm_notifier = { .notifier_call = random_pm_notification }; | |
775 | ||
3655adc7 | 776 | /* |
92c653cf | 777 | * The first collection of entropy occurs at system boot while interrupts |
2f14062b JD |
778 | * are still turned off. Here we push in latent entropy, RDSEED, a timestamp, |
779 | * utsname(), and the command line. Depending on the above configuration knob, | |
780 | * RDSEED may be considered sufficient for initialization. Note that much | |
781 | * earlier setup may already have pushed entropy into the input pool by the | |
782 | * time we get here. | |
3655adc7 | 783 | */ |
2f14062b | 784 | int __init random_init(const char *command_line) |
3655adc7 | 785 | { |
92c653cf | 786 | ktime_t now = ktime_get_real(); |
d349ab99 JD |
787 | size_t i, longs, arch_bits; |
788 | unsigned long entropy[BLAKE2S_BLOCK_SIZE / sizeof(long)]; | |
186873c5 | 789 | |
1754abb3 JD |
790 | #if defined(LATENT_ENTROPY_PLUGIN) |
791 | static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy; | |
792 | _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed)); | |
793 | #endif | |
794 | ||
d349ab99 JD |
795 | for (i = 0, arch_bits = sizeof(entropy) * 8; i < ARRAY_SIZE(entropy);) { |
796 | longs = arch_get_random_seed_longs(entropy, ARRAY_SIZE(entropy) - i); | |
797 | if (longs) { | |
798 | _mix_pool_bytes(entropy, sizeof(*entropy) * longs); | |
799 | i += longs; | |
800 | continue; | |
801 | } | |
802 | longs = arch_get_random_longs(entropy, ARRAY_SIZE(entropy) - i); | |
803 | if (longs) { | |
804 | _mix_pool_bytes(entropy, sizeof(*entropy) * longs); | |
805 | i += longs; | |
806 | continue; | |
92c653cf | 807 | } |
d349ab99 JD |
808 | entropy[0] = random_get_entropy(); |
809 | _mix_pool_bytes(entropy, sizeof(*entropy)); | |
810 | arch_bits -= sizeof(*entropy) * 8; | |
811 | ++i; | |
92c653cf | 812 | } |
afba0b80 JD |
813 | _mix_pool_bytes(&now, sizeof(now)); |
814 | _mix_pool_bytes(utsname(), sizeof(*(utsname()))); | |
2f14062b JD |
815 | _mix_pool_bytes(command_line, strlen(command_line)); |
816 | add_latent_entropy(); | |
186873c5 | 817 | |
60e5b288 JD |
818 | /* |
819 | * If we were initialized by the bootloader before jump labels are | |
820 | * initialized, then we should enable the static branch here, where | |
821 | * it's guaranteed that jump labels have been initialized. | |
822 | */ | |
823 | if (!static_branch_likely(&crng_is_ready) && crng_init >= CRNG_READY) | |
824 | crng_set_ready(NULL); | |
825 | ||
e85c0fc1 JD |
826 | if (crng_ready()) |
827 | crng_reseed(); | |
12e45a2a | 828 | else if (trust_cpu) |
77fc95f8 | 829 | _credit_init_bits(arch_bits); |
e192be9d | 830 | |
b7b67d13 JD |
831 | WARN_ON(register_pm_notifier(&pm_notifier)); |
832 | ||
4b758eda JD |
833 | WARN(!random_get_entropy(), "Missing cycle counter and fallback timer; RNG " |
834 | "entropy collection will consequently suffer."); | |
92c653cf | 835 | return 0; |
3655adc7 | 836 | } |
e192be9d | 837 | |
a2080a67 | 838 | /* |
e192be9d TT |
839 | * Add device- or boot-specific data to the input pool to help |
840 | * initialize it. | |
a2080a67 | 841 | * |
e192be9d TT |
842 | * None of this adds any entropy; it is meant to avoid the problem of |
843 | * the entropy pool having similar initial state across largely | |
844 | * identical devices. | |
a2080a67 | 845 | */ |
a1940263 | 846 | void add_device_randomness(const void *buf, size_t len) |
a2080a67 | 847 | { |
4b758eda JD |
848 | unsigned long entropy = random_get_entropy(); |
849 | unsigned long flags; | |
a2080a67 | 850 | |
3ef4cb2d | 851 | spin_lock_irqsave(&input_pool.lock, flags); |
4b758eda | 852 | _mix_pool_bytes(&entropy, sizeof(entropy)); |
a1940263 | 853 | _mix_pool_bytes(buf, len); |
3ef4cb2d | 854 | spin_unlock_irqrestore(&input_pool.lock, flags); |
a2080a67 LT |
855 | } |
856 | EXPORT_SYMBOL(add_device_randomness); | |
857 | ||
92c653cf JD |
858 | /* |
859 | * Interface for in-kernel drivers of true hardware RNGs. | |
860 | * Those devices may produce endless random bits and will be throttled | |
861 | * when our pool is full. | |
862 | */ | |
a1940263 | 863 | void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy) |
92c653cf | 864 | { |
a1940263 | 865 | mix_pool_bytes(buf, len); |
e85c0fc1 JD |
866 | credit_init_bits(entropy); |
867 | ||
92c653cf | 868 | /* |
e85c0fc1 JD |
869 | * Throttle writing to once every CRNG_RESEED_INTERVAL, unless |
870 | * we're not yet initialized. | |
92c653cf | 871 | */ |
e85c0fc1 JD |
872 | if (!kthread_should_stop() && crng_ready()) |
873 | schedule_timeout_interruptible(CRNG_RESEED_INTERVAL); | |
92c653cf JD |
874 | } |
875 | EXPORT_SYMBOL_GPL(add_hwgenerator_randomness); | |
876 | ||
877 | /* | |
5c3b747e JD |
878 | * Handle random seed passed by bootloader, and credit it if |
879 | * CONFIG_RANDOM_TRUST_BOOTLOADER is set. | |
92c653cf | 880 | */ |
39e0f991 | 881 | void __init add_bootloader_randomness(const void *buf, size_t len) |
92c653cf | 882 | { |
a1940263 | 883 | mix_pool_bytes(buf, len); |
d97c68d1 | 884 | if (trust_bootloader) |
a1940263 | 885 | credit_init_bits(len * 8); |
92c653cf | 886 | } |
92c653cf | 887 | |
a4107d34 | 888 | #if IS_ENABLED(CONFIG_VMGENID) |
f3c2682b JD |
889 | static BLOCKING_NOTIFIER_HEAD(vmfork_chain); |
890 | ||
ae099e8e JD |
891 | /* |
892 | * Handle a new unique VM ID, which is unique, not secret, so we | |
893 | * don't credit it, but we do immediately force a reseed after so | |
894 | * that it's used by the crng posthaste. | |
895 | */ | |
560181c2 | 896 | void __cold add_vmfork_randomness(const void *unique_vm_id, size_t len) |
ae099e8e | 897 | { |
a1940263 | 898 | add_device_randomness(unique_vm_id, len); |
ae099e8e | 899 | if (crng_ready()) { |
e85c0fc1 | 900 | crng_reseed(); |
ae099e8e JD |
901 | pr_notice("crng reseeded due to virtual machine fork\n"); |
902 | } | |
f3c2682b | 903 | blocking_notifier_call_chain(&vmfork_chain, 0, NULL); |
ae099e8e | 904 | } |
a4107d34 | 905 | #if IS_MODULE(CONFIG_VMGENID) |
ae099e8e | 906 | EXPORT_SYMBOL_GPL(add_vmfork_randomness); |
a4107d34 | 907 | #endif |
f3c2682b | 908 | |
560181c2 | 909 | int __cold register_random_vmfork_notifier(struct notifier_block *nb) |
f3c2682b JD |
910 | { |
911 | return blocking_notifier_chain_register(&vmfork_chain, nb); | |
912 | } | |
913 | EXPORT_SYMBOL_GPL(register_random_vmfork_notifier); | |
914 | ||
560181c2 | 915 | int __cold unregister_random_vmfork_notifier(struct notifier_block *nb) |
f3c2682b JD |
916 | { |
917 | return blocking_notifier_chain_unregister(&vmfork_chain, nb); | |
918 | } | |
919 | EXPORT_SYMBOL_GPL(unregister_random_vmfork_notifier); | |
a4107d34 | 920 | #endif |
ae099e8e | 921 | |
92c653cf | 922 | struct fast_pool { |
58340f8e | 923 | struct work_struct mix; |
f5eab0e2 | 924 | unsigned long pool[4]; |
92c653cf | 925 | unsigned long last; |
3191dd5a | 926 | unsigned int count; |
92c653cf JD |
927 | }; |
928 | ||
f5eab0e2 JD |
929 | static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = { |
930 | #ifdef CONFIG_64BIT | |
e73aaae2 JD |
931 | #define FASTMIX_PERM SIPHASH_PERMUTATION |
932 | .pool = { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CONST_3 } | |
f5eab0e2 | 933 | #else |
e73aaae2 JD |
934 | #define FASTMIX_PERM HSIPHASH_PERMUTATION |
935 | .pool = { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHASH_CONST_3 } | |
f5eab0e2 JD |
936 | #endif |
937 | }; | |
938 | ||
92c653cf | 939 | /* |
f5eab0e2 JD |
940 | * This is [Half]SipHash-1-x, starting from an empty key. Because |
941 | * the key is fixed, it assumes that its inputs are non-malicious, | |
942 | * and therefore this has no security on its own. s represents the | |
4b758eda | 943 | * four-word SipHash state, while v represents a two-word input. |
92c653cf | 944 | */ |
791332b3 | 945 | static void fast_mix(unsigned long s[4], unsigned long v1, unsigned long v2) |
92c653cf | 946 | { |
791332b3 | 947 | s[3] ^= v1; |
e73aaae2 | 948 | FASTMIX_PERM(s[0], s[1], s[2], s[3]); |
791332b3 JD |
949 | s[0] ^= v1; |
950 | s[3] ^= v2; | |
e73aaae2 | 951 | FASTMIX_PERM(s[0], s[1], s[2], s[3]); |
791332b3 | 952 | s[0] ^= v2; |
92c653cf JD |
953 | } |
954 | ||
3191dd5a JD |
955 | #ifdef CONFIG_SMP |
956 | /* | |
957 | * This function is called when the CPU has just come online, with | |
958 | * entry CPUHP_AP_RANDOM_ONLINE, just after CPUHP_AP_WORKQUEUE_ONLINE. | |
959 | */ | |
560181c2 | 960 | int __cold random_online_cpu(unsigned int cpu) |
3191dd5a JD |
961 | { |
962 | /* | |
963 | * During CPU shutdown and before CPU onlining, add_interrupt_ | |
964 | * randomness() may schedule mix_interrupt_randomness(), and | |
965 | * set the MIX_INFLIGHT flag. However, because the worker can | |
966 | * be scheduled on a different CPU during this period, that | |
967 | * flag will never be cleared. For that reason, we zero out | |
968 | * the flag here, which runs just after workqueues are onlined | |
969 | * for the CPU again. This also has the effect of setting the | |
970 | * irq randomness count to zero so that new accumulated irqs | |
971 | * are fresh. | |
972 | */ | |
973 | per_cpu_ptr(&irq_randomness, cpu)->count = 0; | |
974 | return 0; | |
975 | } | |
976 | #endif | |
977 | ||
58340f8e JD |
978 | static void mix_interrupt_randomness(struct work_struct *work) |
979 | { | |
980 | struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix); | |
f5eab0e2 | 981 | /* |
4b758eda JD |
982 | * The size of the copied stack pool is explicitly 2 longs so that we |
983 | * only ever ingest half of the siphash output each time, retaining | |
984 | * the other half as the next "key" that carries over. The entropy is | |
985 | * supposed to be sufficiently dispersed between bits so on average | |
986 | * we don't wind up "losing" some. | |
f5eab0e2 | 987 | */ |
4b758eda | 988 | unsigned long pool[2]; |
e3e33fc2 | 989 | unsigned int count; |
58340f8e JD |
990 | |
991 | /* Check to see if we're running on the wrong CPU due to hotplug. */ | |
992 | local_irq_disable(); | |
993 | if (fast_pool != this_cpu_ptr(&irq_randomness)) { | |
994 | local_irq_enable(); | |
58340f8e JD |
995 | return; |
996 | } | |
997 | ||
998 | /* | |
999 | * Copy the pool to the stack so that the mixer always has a | |
1000 | * consistent view, before we reenable irqs again. | |
1001 | */ | |
f5eab0e2 | 1002 | memcpy(pool, fast_pool->pool, sizeof(pool)); |
e3e33fc2 | 1003 | count = fast_pool->count; |
3191dd5a | 1004 | fast_pool->count = 0; |
58340f8e JD |
1005 | fast_pool->last = jiffies; |
1006 | local_irq_enable(); | |
1007 | ||
5c3b747e | 1008 | mix_pool_bytes(pool, sizeof(pool)); |
e3e33fc2 | 1009 | credit_init_bits(max(1u, (count & U16_MAX) / 64)); |
c2a7de4f | 1010 | |
58340f8e JD |
1011 | memzero_explicit(pool, sizeof(pool)); |
1012 | } | |
1013 | ||
703f7066 | 1014 | void add_interrupt_randomness(int irq) |
1da177e4 | 1015 | { |
58340f8e | 1016 | enum { MIX_INFLIGHT = 1U << 31 }; |
4b758eda | 1017 | unsigned long entropy = random_get_entropy(); |
248045b8 JD |
1018 | struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness); |
1019 | struct pt_regs *regs = get_irq_regs(); | |
58340f8e | 1020 | unsigned int new_count; |
b2f408fe | 1021 | |
791332b3 JD |
1022 | fast_mix(fast_pool->pool, entropy, |
1023 | (regs ? instruction_pointer(regs) : _RET_IP_) ^ swab(irq)); | |
3191dd5a | 1024 | new_count = ++fast_pool->count; |
3060d6fe | 1025 | |
58340f8e | 1026 | if (new_count & MIX_INFLIGHT) |
1da177e4 LT |
1027 | return; |
1028 | ||
534d2eaf | 1029 | if (new_count < 1024 && !time_is_before_jiffies(fast_pool->last + HZ)) |
91fcb532 | 1030 | return; |
83664a69 | 1031 | |
58340f8e JD |
1032 | if (unlikely(!fast_pool->mix.func)) |
1033 | INIT_WORK(&fast_pool->mix, mix_interrupt_randomness); | |
3191dd5a | 1034 | fast_pool->count |= MIX_INFLIGHT; |
58340f8e | 1035 | queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix); |
1da177e4 | 1036 | } |
4b44f2d1 | 1037 | EXPORT_SYMBOL_GPL(add_interrupt_randomness); |
1da177e4 | 1038 | |
a4b5c26b JD |
1039 | /* There is one of these per entropy source */ |
1040 | struct timer_rand_state { | |
1041 | unsigned long last_time; | |
1042 | long last_delta, last_delta2; | |
1043 | }; | |
1044 | ||
1045 | /* | |
1046 | * This function adds entropy to the entropy "pool" by using timing | |
e3e33fc2 JD |
1047 | * delays. It uses the timer_rand_state structure to make an estimate |
1048 | * of how many bits of entropy this call has added to the pool. The | |
1049 | * value "num" is also added to the pool; it should somehow describe | |
1050 | * the type of event that just happened. | |
a4b5c26b JD |
1051 | */ |
1052 | static void add_timer_randomness(struct timer_rand_state *state, unsigned int num) | |
1053 | { | |
1054 | unsigned long entropy = random_get_entropy(), now = jiffies, flags; | |
1055 | long delta, delta2, delta3; | |
e3e33fc2 | 1056 | unsigned int bits; |
a4b5c26b | 1057 | |
e3e33fc2 JD |
1058 | /* |
1059 | * If we're in a hard IRQ, add_interrupt_randomness() will be called | |
1060 | * sometime after, so mix into the fast pool. | |
1061 | */ | |
1062 | if (in_hardirq()) { | |
791332b3 | 1063 | fast_mix(this_cpu_ptr(&irq_randomness)->pool, entropy, num); |
e3e33fc2 JD |
1064 | } else { |
1065 | spin_lock_irqsave(&input_pool.lock, flags); | |
1066 | _mix_pool_bytes(&entropy, sizeof(entropy)); | |
1067 | _mix_pool_bytes(&num, sizeof(num)); | |
1068 | spin_unlock_irqrestore(&input_pool.lock, flags); | |
1069 | } | |
a4b5c26b JD |
1070 | |
1071 | if (crng_ready()) | |
1072 | return; | |
1073 | ||
1074 | /* | |
1075 | * Calculate number of bits of randomness we probably added. | |
1076 | * We take into account the first, second and third-order deltas | |
1077 | * in order to make our estimate. | |
1078 | */ | |
1079 | delta = now - READ_ONCE(state->last_time); | |
1080 | WRITE_ONCE(state->last_time, now); | |
1081 | ||
1082 | delta2 = delta - READ_ONCE(state->last_delta); | |
1083 | WRITE_ONCE(state->last_delta, delta); | |
1084 | ||
1085 | delta3 = delta2 - READ_ONCE(state->last_delta2); | |
1086 | WRITE_ONCE(state->last_delta2, delta2); | |
1087 | ||
1088 | if (delta < 0) | |
1089 | delta = -delta; | |
1090 | if (delta2 < 0) | |
1091 | delta2 = -delta2; | |
1092 | if (delta3 < 0) | |
1093 | delta3 = -delta3; | |
1094 | if (delta > delta2) | |
1095 | delta = delta2; | |
1096 | if (delta > delta3) | |
1097 | delta = delta3; | |
1098 | ||
1099 | /* | |
e3e33fc2 JD |
1100 | * delta is now minimum absolute delta. Round down by 1 bit |
1101 | * on general principles, and limit entropy estimate to 11 bits. | |
1102 | */ | |
1103 | bits = min(fls(delta >> 1), 11); | |
1104 | ||
1105 | /* | |
1106 | * As mentioned above, if we're in a hard IRQ, add_interrupt_randomness() | |
1107 | * will run after this, which uses a different crediting scheme of 1 bit | |
1108 | * per every 64 interrupts. In order to let that function do accounting | |
1109 | * close to the one in this function, we credit a full 64/64 bit per bit, | |
1110 | * and then subtract one to account for the extra one added. | |
a4b5c26b | 1111 | */ |
e3e33fc2 JD |
1112 | if (in_hardirq()) |
1113 | this_cpu_ptr(&irq_randomness)->count += max(1u, bits * 64) - 1; | |
1114 | else | |
560181c2 | 1115 | _credit_init_bits(bits); |
a4b5c26b JD |
1116 | } |
1117 | ||
a1940263 | 1118 | void add_input_randomness(unsigned int type, unsigned int code, unsigned int value) |
a4b5c26b JD |
1119 | { |
1120 | static unsigned char last_value; | |
1121 | static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES }; | |
1122 | ||
1123 | /* Ignore autorepeat and the like. */ | |
1124 | if (value == last_value) | |
1125 | return; | |
1126 | ||
1127 | last_value = value; | |
1128 | add_timer_randomness(&input_timer_state, | |
1129 | (type << 4) ^ code ^ (code >> 4) ^ value); | |
1130 | } | |
1131 | EXPORT_SYMBOL_GPL(add_input_randomness); | |
1132 | ||
1133 | #ifdef CONFIG_BLOCK | |
1134 | void add_disk_randomness(struct gendisk *disk) | |
1135 | { | |
1136 | if (!disk || !disk->random) | |
1137 | return; | |
1138 | /* First major is 1, so we get >= 0x200 here. */ | |
1139 | add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); | |
1140 | } | |
1141 | EXPORT_SYMBOL_GPL(add_disk_randomness); | |
1142 | ||
560181c2 | 1143 | void __cold rand_initialize_disk(struct gendisk *disk) |
a4b5c26b JD |
1144 | { |
1145 | struct timer_rand_state *state; | |
1146 | ||
1147 | /* | |
1148 | * If kzalloc returns null, we just won't use that entropy | |
1149 | * source. | |
1150 | */ | |
1151 | state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL); | |
1152 | if (state) { | |
1153 | state->last_time = INITIAL_JIFFIES; | |
1154 | disk->random = state; | |
1155 | } | |
1156 | } | |
1157 | #endif | |
1158 | ||
78c768e6 JD |
1159 | struct entropy_timer_state { |
1160 | unsigned long entropy; | |
1161 | struct timer_list timer; | |
1162 | unsigned int samples, samples_per_bit; | |
1163 | }; | |
1164 | ||
50ee7529 LT |
1165 | /* |
1166 | * Each time the timer fires, we expect that we got an unpredictable | |
1167 | * jump in the cycle counter. Even if the timer is running on another | |
1168 | * CPU, the timer activity will be touching the stack of the CPU that is | |
1169 | * generating entropy.. | |
1170 | * | |
1171 | * Note that we don't re-arm the timer in the timer itself - we are | |
1172 | * happy to be scheduled away, since that just makes the load more | |
1173 | * complex, but we do not want the timer to keep ticking unless the | |
1174 | * entropy loop is running. | |
1175 | * | |
1176 | * So the re-arming always happens in the entropy loop itself. | |
1177 | */ | |
560181c2 | 1178 | static void __cold entropy_timer(struct timer_list *timer) |
50ee7529 | 1179 | { |
78c768e6 JD |
1180 | struct entropy_timer_state *state = container_of(timer, struct entropy_timer_state, timer); |
1181 | ||
1182 | if (++state->samples == state->samples_per_bit) { | |
e85c0fc1 | 1183 | credit_init_bits(1); |
78c768e6 JD |
1184 | state->samples = 0; |
1185 | } | |
50ee7529 LT |
1186 | } |
1187 | ||
1188 | /* | |
1189 | * If we have an actual cycle counter, see if we can | |
1190 | * generate enough entropy with timing noise | |
1191 | */ | |
560181c2 | 1192 | static void __cold try_to_generate_entropy(void) |
50ee7529 | 1193 | { |
829d680e | 1194 | enum { NUM_TRIAL_SAMPLES = 8192, MAX_SAMPLES_PER_BIT = HZ / 30 }; |
78c768e6 JD |
1195 | struct entropy_timer_state stack; |
1196 | unsigned int i, num_different = 0; | |
1197 | unsigned long last = random_get_entropy(); | |
50ee7529 | 1198 | |
78c768e6 JD |
1199 | for (i = 0; i < NUM_TRIAL_SAMPLES - 1; ++i) { |
1200 | stack.entropy = random_get_entropy(); | |
1201 | if (stack.entropy != last) | |
1202 | ++num_different; | |
1203 | last = stack.entropy; | |
1204 | } | |
1205 | stack.samples_per_bit = DIV_ROUND_UP(NUM_TRIAL_SAMPLES, num_different + 1); | |
1206 | if (stack.samples_per_bit > MAX_SAMPLES_PER_BIT) | |
50ee7529 LT |
1207 | return; |
1208 | ||
78c768e6 | 1209 | stack.samples = 0; |
50ee7529 | 1210 | timer_setup_on_stack(&stack.timer, entropy_timer, 0); |
3e504d20 | 1211 | while (!crng_ready() && !signal_pending(current)) { |
50ee7529 | 1212 | if (!timer_pending(&stack.timer)) |
248045b8 | 1213 | mod_timer(&stack.timer, jiffies + 1); |
4b758eda | 1214 | mix_pool_bytes(&stack.entropy, sizeof(stack.entropy)); |
50ee7529 | 1215 | schedule(); |
4b758eda | 1216 | stack.entropy = random_get_entropy(); |
50ee7529 LT |
1217 | } |
1218 | ||
1219 | del_timer_sync(&stack.timer); | |
1220 | destroy_timer_on_stack(&stack.timer); | |
4b758eda | 1221 | mix_pool_bytes(&stack.entropy, sizeof(stack.entropy)); |
50ee7529 LT |
1222 | } |
1223 | ||
a6adf8e7 JD |
1224 | |
1225 | /********************************************************************** | |
1226 | * | |
1227 | * Userspace reader/writer interfaces. | |
1228 | * | |
1229 | * getrandom(2) is the primary modern interface into the RNG and should | |
1230 | * be used in preference to anything else. | |
1231 | * | |
0313bc27 LT |
1232 | * Reading from /dev/random has the same functionality as calling |
1233 | * getrandom(2) with flags=0. In earlier versions, however, it had | |
1234 | * vastly different semantics and should therefore be avoided, to | |
1235 | * prevent backwards compatibility issues. | |
1236 | * | |
1237 | * Reading from /dev/urandom has the same functionality as calling | |
1238 | * getrandom(2) with flags=GRND_INSECURE. Because it does not block | |
1239 | * waiting for the RNG to be ready, it should not be used. | |
a6adf8e7 JD |
1240 | * |
1241 | * Writing to either /dev/random or /dev/urandom adds entropy to | |
1242 | * the input pool but does not credit it. | |
1243 | * | |
0313bc27 LT |
1244 | * Polling on /dev/random indicates when the RNG is initialized, on |
1245 | * the read side, and when it wants new entropy, on the write side. | |
a6adf8e7 JD |
1246 | * |
1247 | * Both /dev/random and /dev/urandom have the same set of ioctls for | |
1248 | * adding entropy, getting the entropy count, zeroing the count, and | |
1249 | * reseeding the crng. | |
1250 | * | |
1251 | **********************************************************************/ | |
1252 | ||
a1940263 | 1253 | SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags) |
1da177e4 | 1254 | { |
1b388e77 JA |
1255 | struct iov_iter iter; |
1256 | struct iovec iov; | |
1257 | int ret; | |
1258 | ||
a6adf8e7 JD |
1259 | if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)) |
1260 | return -EINVAL; | |
301f0595 | 1261 | |
a6adf8e7 JD |
1262 | /* |
1263 | * Requesting insecure and blocking randomness at the same time makes | |
1264 | * no sense. | |
1265 | */ | |
1266 | if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM)) | |
1267 | return -EINVAL; | |
c6f1deb1 | 1268 | |
f5bda35f | 1269 | if (!crng_ready() && !(flags & GRND_INSECURE)) { |
a6adf8e7 JD |
1270 | if (flags & GRND_NONBLOCK) |
1271 | return -EAGAIN; | |
1272 | ret = wait_for_random_bytes(); | |
1273 | if (unlikely(ret)) | |
1274 | return ret; | |
1275 | } | |
1b388e77 JA |
1276 | |
1277 | ret = import_single_range(READ, ubuf, len, &iov, &iter); | |
1278 | if (unlikely(ret)) | |
1279 | return ret; | |
1280 | return get_random_bytes_user(&iter); | |
30c08efe AL |
1281 | } |
1282 | ||
248045b8 | 1283 | static __poll_t random_poll(struct file *file, poll_table *wait) |
1da177e4 | 1284 | { |
30c08efe | 1285 | poll_wait(file, &crng_init_wait, wait); |
e85c0fc1 | 1286 | return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM; |
1da177e4 LT |
1287 | } |
1288 | ||
1ce6c8d6 | 1289 | static ssize_t write_pool_user(struct iov_iter *iter) |
1da177e4 | 1290 | { |
04ec96b7 | 1291 | u8 block[BLAKE2S_BLOCK_SIZE]; |
22b0a222 JA |
1292 | ssize_t ret = 0; |
1293 | size_t copied; | |
1da177e4 | 1294 | |
22b0a222 JA |
1295 | if (unlikely(!iov_iter_count(iter))) |
1296 | return 0; | |
1297 | ||
1298 | for (;;) { | |
1299 | copied = copy_from_iter(block, sizeof(block), iter); | |
1300 | ret += copied; | |
1301 | mix_pool_bytes(block, copied); | |
1302 | if (!iov_iter_count(iter) || copied != sizeof(block)) | |
1303 | break; | |
1ce6c8d6 JD |
1304 | |
1305 | BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0); | |
1306 | if (ret % PAGE_SIZE == 0) { | |
1307 | if (signal_pending(current)) | |
1308 | break; | |
1309 | cond_resched(); | |
1310 | } | |
1da177e4 | 1311 | } |
7f397dcd | 1312 | |
7b5164fb | 1313 | memzero_explicit(block, sizeof(block)); |
22b0a222 | 1314 | return ret ? ret : -EFAULT; |
7f397dcd MM |
1315 | } |
1316 | ||
22b0a222 | 1317 | static ssize_t random_write_iter(struct kiocb *kiocb, struct iov_iter *iter) |
7f397dcd | 1318 | { |
1ce6c8d6 | 1319 | return write_pool_user(iter); |
1da177e4 LT |
1320 | } |
1321 | ||
1b388e77 | 1322 | static ssize_t urandom_read_iter(struct kiocb *kiocb, struct iov_iter *iter) |
0313bc27 LT |
1323 | { |
1324 | static int maxwarn = 10; | |
1325 | ||
48bff105 JD |
1326 | /* |
1327 | * Opportunistically attempt to initialize the RNG on platforms that | |
1328 | * have fast cycle counters, but don't (for now) require it to succeed. | |
1329 | */ | |
1330 | if (!crng_ready()) | |
1331 | try_to_generate_entropy(); | |
1332 | ||
cc1e127b JD |
1333 | if (!crng_ready()) { |
1334 | if (!ratelimit_disable && maxwarn <= 0) | |
1335 | ++urandom_warning.missed; | |
1336 | else if (ratelimit_disable || __ratelimit(&urandom_warning)) { | |
1337 | --maxwarn; | |
1b388e77 JA |
1338 | pr_notice("%s: uninitialized urandom read (%zu bytes read)\n", |
1339 | current->comm, iov_iter_count(iter)); | |
cc1e127b | 1340 | } |
0313bc27 LT |
1341 | } |
1342 | ||
1b388e77 | 1343 | return get_random_bytes_user(iter); |
0313bc27 LT |
1344 | } |
1345 | ||
1b388e77 | 1346 | static ssize_t random_read_iter(struct kiocb *kiocb, struct iov_iter *iter) |
a6adf8e7 JD |
1347 | { |
1348 | int ret; | |
1349 | ||
cd4f24ae JD |
1350 | if (!crng_ready() && |
1351 | ((kiocb->ki_flags & (IOCB_NOWAIT | IOCB_NOIO)) || | |
1352 | (kiocb->ki_filp->f_flags & O_NONBLOCK))) | |
1353 | return -EAGAIN; | |
1354 | ||
a6adf8e7 JD |
1355 | ret = wait_for_random_bytes(); |
1356 | if (ret != 0) | |
1357 | return ret; | |
1b388e77 | 1358 | return get_random_bytes_user(iter); |
a6adf8e7 JD |
1359 | } |
1360 | ||
43ae4860 | 1361 | static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) |
1da177e4 | 1362 | { |
1da177e4 | 1363 | int __user *p = (int __user *)arg; |
22b0a222 | 1364 | int ent_count; |
1da177e4 LT |
1365 | |
1366 | switch (cmd) { | |
1367 | case RNDGETENTCNT: | |
a6adf8e7 | 1368 | /* Inherently racy, no point locking. */ |
e85c0fc1 | 1369 | if (put_user(input_pool.init_bits, p)) |
1da177e4 LT |
1370 | return -EFAULT; |
1371 | return 0; | |
1372 | case RNDADDTOENTCNT: | |
1373 | if (!capable(CAP_SYS_ADMIN)) | |
1374 | return -EPERM; | |
1375 | if (get_user(ent_count, p)) | |
1376 | return -EFAULT; | |
a49c010e JD |
1377 | if (ent_count < 0) |
1378 | return -EINVAL; | |
e85c0fc1 | 1379 | credit_init_bits(ent_count); |
a49c010e | 1380 | return 0; |
22b0a222 JA |
1381 | case RNDADDENTROPY: { |
1382 | struct iov_iter iter; | |
1383 | struct iovec iov; | |
1384 | ssize_t ret; | |
1385 | int len; | |
1386 | ||
1da177e4 LT |
1387 | if (!capable(CAP_SYS_ADMIN)) |
1388 | return -EPERM; | |
1389 | if (get_user(ent_count, p++)) | |
1390 | return -EFAULT; | |
1391 | if (ent_count < 0) | |
1392 | return -EINVAL; | |
22b0a222 JA |
1393 | if (get_user(len, p++)) |
1394 | return -EFAULT; | |
1395 | ret = import_single_range(WRITE, p, len, &iov, &iter); | |
1396 | if (unlikely(ret)) | |
1397 | return ret; | |
1ce6c8d6 | 1398 | ret = write_pool_user(&iter); |
22b0a222 JA |
1399 | if (unlikely(ret < 0)) |
1400 | return ret; | |
1401 | /* Since we're crediting, enforce that it was all written into the pool. */ | |
1402 | if (unlikely(ret != len)) | |
1da177e4 | 1403 | return -EFAULT; |
e85c0fc1 | 1404 | credit_init_bits(ent_count); |
a49c010e | 1405 | return 0; |
22b0a222 | 1406 | } |
1da177e4 LT |
1407 | case RNDZAPENTCNT: |
1408 | case RNDCLEARPOOL: | |
e85c0fc1 | 1409 | /* No longer has any effect. */ |
1da177e4 LT |
1410 | if (!capable(CAP_SYS_ADMIN)) |
1411 | return -EPERM; | |
1da177e4 | 1412 | return 0; |
d848e5f8 TT |
1413 | case RNDRESEEDCRNG: |
1414 | if (!capable(CAP_SYS_ADMIN)) | |
1415 | return -EPERM; | |
a96cfe2d | 1416 | if (!crng_ready()) |
d848e5f8 | 1417 | return -ENODATA; |
e85c0fc1 | 1418 | crng_reseed(); |
d848e5f8 | 1419 | return 0; |
1da177e4 LT |
1420 | default: |
1421 | return -EINVAL; | |
1422 | } | |
1423 | } | |
1424 | ||
9a6f70bb JD |
1425 | static int random_fasync(int fd, struct file *filp, int on) |
1426 | { | |
1427 | return fasync_helper(fd, filp, on, &fasync); | |
1428 | } | |
1429 | ||
2b8693c0 | 1430 | const struct file_operations random_fops = { |
1b388e77 | 1431 | .read_iter = random_read_iter, |
22b0a222 | 1432 | .write_iter = random_write_iter, |
248045b8 | 1433 | .poll = random_poll, |
43ae4860 | 1434 | .unlocked_ioctl = random_ioctl, |
507e4e2b | 1435 | .compat_ioctl = compat_ptr_ioctl, |
9a6f70bb | 1436 | .fasync = random_fasync, |
6038f373 | 1437 | .llseek = noop_llseek, |
79025e72 JA |
1438 | .splice_read = generic_file_splice_read, |
1439 | .splice_write = iter_file_splice_write, | |
1da177e4 LT |
1440 | }; |
1441 | ||
0313bc27 | 1442 | const struct file_operations urandom_fops = { |
1b388e77 | 1443 | .read_iter = urandom_read_iter, |
22b0a222 | 1444 | .write_iter = random_write_iter, |
0313bc27 LT |
1445 | .unlocked_ioctl = random_ioctl, |
1446 | .compat_ioctl = compat_ptr_ioctl, | |
1447 | .fasync = random_fasync, | |
1448 | .llseek = noop_llseek, | |
79025e72 JA |
1449 | .splice_read = generic_file_splice_read, |
1450 | .splice_write = iter_file_splice_write, | |
0313bc27 LT |
1451 | }; |
1452 | ||
0deff3c4 | 1453 | |
1da177e4 LT |
1454 | /******************************************************************** |
1455 | * | |
0deff3c4 JD |
1456 | * Sysctl interface. |
1457 | * | |
1458 | * These are partly unused legacy knobs with dummy values to not break | |
1459 | * userspace and partly still useful things. They are usually accessible | |
1460 | * in /proc/sys/kernel/random/ and are as follows: | |
1461 | * | |
1462 | * - boot_id - a UUID representing the current boot. | |
1463 | * | |
1464 | * - uuid - a random UUID, different each time the file is read. | |
1465 | * | |
1466 | * - poolsize - the number of bits of entropy that the input pool can | |
1467 | * hold, tied to the POOL_BITS constant. | |
1468 | * | |
1469 | * - entropy_avail - the number of bits of entropy currently in the | |
1470 | * input pool. Always <= poolsize. | |
1471 | * | |
1472 | * - write_wakeup_threshold - the amount of entropy in the input pool | |
1473 | * below which write polls to /dev/random will unblock, requesting | |
e3d2c5e7 | 1474 | * more entropy, tied to the POOL_READY_BITS constant. It is writable |
0deff3c4 JD |
1475 | * to avoid breaking old userspaces, but writing to it does not |
1476 | * change any behavior of the RNG. | |
1477 | * | |
d0efdf35 | 1478 | * - urandom_min_reseed_secs - fixed to the value CRNG_RESEED_INTERVAL. |
0deff3c4 JD |
1479 | * It is writable to avoid breaking old userspaces, but writing |
1480 | * to it does not change any behavior of the RNG. | |
1da177e4 LT |
1481 | * |
1482 | ********************************************************************/ | |
1483 | ||
1484 | #ifdef CONFIG_SYSCTL | |
1485 | ||
1486 | #include <linux/sysctl.h> | |
1487 | ||
d0efdf35 | 1488 | static int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ; |
e3d2c5e7 | 1489 | static int sysctl_random_write_wakeup_bits = POOL_READY_BITS; |
489c7fc4 | 1490 | static int sysctl_poolsize = POOL_BITS; |
64276a99 | 1491 | static u8 sysctl_bootid[UUID_SIZE]; |
1da177e4 LT |
1492 | |
1493 | /* | |
f22052b2 | 1494 | * This function is used to return both the bootid UUID, and random |
64276a99 | 1495 | * UUID. The difference is in whether table->data is NULL; if it is, |
1da177e4 | 1496 | * then a new UUID is generated and returned to the user. |
1da177e4 | 1497 | */ |
a1940263 | 1498 | static int proc_do_uuid(struct ctl_table *table, int write, void *buf, |
248045b8 | 1499 | size_t *lenp, loff_t *ppos) |
1da177e4 | 1500 | { |
64276a99 JD |
1501 | u8 tmp_uuid[UUID_SIZE], *uuid; |
1502 | char uuid_string[UUID_STRING_LEN + 1]; | |
1503 | struct ctl_table fake_table = { | |
1504 | .data = uuid_string, | |
1505 | .maxlen = UUID_STRING_LEN | |
1506 | }; | |
1507 | ||
1508 | if (write) | |
1509 | return -EPERM; | |
1da177e4 LT |
1510 | |
1511 | uuid = table->data; | |
1512 | if (!uuid) { | |
1513 | uuid = tmp_uuid; | |
1da177e4 | 1514 | generate_random_uuid(uuid); |
44e4360f MD |
1515 | } else { |
1516 | static DEFINE_SPINLOCK(bootid_spinlock); | |
1517 | ||
1518 | spin_lock(&bootid_spinlock); | |
1519 | if (!uuid[8]) | |
1520 | generate_random_uuid(uuid); | |
1521 | spin_unlock(&bootid_spinlock); | |
1522 | } | |
1da177e4 | 1523 | |
64276a99 | 1524 | snprintf(uuid_string, sizeof(uuid_string), "%pU", uuid); |
a1940263 | 1525 | return proc_dostring(&fake_table, 0, buf, lenp, ppos); |
1da177e4 LT |
1526 | } |
1527 | ||
77553cf8 | 1528 | /* The same as proc_dointvec, but writes don't change anything. */ |
a1940263 | 1529 | static int proc_do_rointvec(struct ctl_table *table, int write, void *buf, |
77553cf8 JD |
1530 | size_t *lenp, loff_t *ppos) |
1531 | { | |
a1940263 | 1532 | return write ? 0 : proc_dointvec(table, 0, buf, lenp, ppos); |
77553cf8 JD |
1533 | } |
1534 | ||
5475e8f0 | 1535 | static struct ctl_table random_table[] = { |
1da177e4 | 1536 | { |
1da177e4 LT |
1537 | .procname = "poolsize", |
1538 | .data = &sysctl_poolsize, | |
1539 | .maxlen = sizeof(int), | |
1540 | .mode = 0444, | |
6d456111 | 1541 | .proc_handler = proc_dointvec, |
1da177e4 LT |
1542 | }, |
1543 | { | |
1da177e4 | 1544 | .procname = "entropy_avail", |
e85c0fc1 | 1545 | .data = &input_pool.init_bits, |
1da177e4 LT |
1546 | .maxlen = sizeof(int), |
1547 | .mode = 0444, | |
c5704490 | 1548 | .proc_handler = proc_dointvec, |
1da177e4 | 1549 | }, |
1da177e4 | 1550 | { |
1da177e4 | 1551 | .procname = "write_wakeup_threshold", |
0deff3c4 | 1552 | .data = &sysctl_random_write_wakeup_bits, |
1da177e4 LT |
1553 | .maxlen = sizeof(int), |
1554 | .mode = 0644, | |
77553cf8 | 1555 | .proc_handler = proc_do_rointvec, |
1da177e4 | 1556 | }, |
f5c2742c TT |
1557 | { |
1558 | .procname = "urandom_min_reseed_secs", | |
0deff3c4 | 1559 | .data = &sysctl_random_min_urandom_seed, |
f5c2742c TT |
1560 | .maxlen = sizeof(int), |
1561 | .mode = 0644, | |
77553cf8 | 1562 | .proc_handler = proc_do_rointvec, |
f5c2742c | 1563 | }, |
1da177e4 | 1564 | { |
1da177e4 LT |
1565 | .procname = "boot_id", |
1566 | .data = &sysctl_bootid, | |
1da177e4 | 1567 | .mode = 0444, |
6d456111 | 1568 | .proc_handler = proc_do_uuid, |
1da177e4 LT |
1569 | }, |
1570 | { | |
1da177e4 | 1571 | .procname = "uuid", |
1da177e4 | 1572 | .mode = 0444, |
6d456111 | 1573 | .proc_handler = proc_do_uuid, |
1da177e4 | 1574 | }, |
894d2491 | 1575 | { } |
1da177e4 | 1576 | }; |
5475e8f0 XN |
1577 | |
1578 | /* | |
2f14062b JD |
1579 | * random_init() is called before sysctl_init(), |
1580 | * so we cannot call register_sysctl_init() in random_init() | |
5475e8f0 XN |
1581 | */ |
1582 | static int __init random_sysctls_init(void) | |
1583 | { | |
1584 | register_sysctl_init("kernel/random", random_table); | |
1585 | return 0; | |
1586 | } | |
1587 | device_initcall(random_sysctls_init); | |
0deff3c4 | 1588 | #endif |