2 * Non-physical true random number generator based on timing jitter.
4 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
9 * See http://www.chronox.de/jent.html
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, and the entire permission notice in its entirety,
19 * including the disclaimer of warranties.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. The name of the author may not be used to endorse or promote
24 * products derived from this software without specific prior
27 * ALTERNATIVELY, this product may be distributed under the terms of
28 * the GNU General Public License, in which case the provisions of the GPL2 are
29 * required INSTEAD OF the above restrictions. (This clause is
30 * necessary due to a potential bad interaction between the GPL and
31 * the restrictions contained in a BSD-style copyright.)
33 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
34 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
35 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
36 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
37 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
38 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
39 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
40 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
41 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
42 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
43 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
48 * This Jitterentropy RNG is based on the jitterentropy library
49 * version 1.1.0 provided at http://www.chronox.de/jent.html
52 #include <linux/module.h>
53 #include <linux/slab.h>
54 #include <linux/module.h>
55 #include <linux/fips.h>
56 #include <linux/time.h>
57 #include <linux/crypto.h>
58 #include <crypto/internal/rng.h>
61 #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c."
64 /* The entropy pool */
66 /* all data values that are vital to maintain the security
67 * of the RNG are marked as SENSITIVE. A user must not
68 * access that information while the RNG executes its loops to
69 * calculate the next random value. */
70 __u64 data; /* SENSITIVE Actual random number */
71 __u64 old_data; /* SENSITIVE Previous random number */
72 __u64 prev_time; /* SENSITIVE Previous time stamp */
73 #define DATA_SIZE_BITS ((sizeof(__u64)) * 8)
74 __u64 last_delta; /* SENSITIVE stuck test */
75 __s64 last_delta2; /* SENSITIVE stuck test */
76 unsigned int stuck:1; /* Time measurement stuck */
77 unsigned int osr; /* Oversample rate */
78 unsigned int stir:1; /* Post-processing stirring */
79 unsigned int disable_unbias:1; /* Deactivate Von-Neuman unbias */
80 #define JENT_MEMORY_BLOCKS 64
81 #define JENT_MEMORY_BLOCKSIZE 32
82 #define JENT_MEMORY_ACCESSLOOPS 128
83 #define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE)
84 unsigned char *mem; /* Memory access location with size of
85 * memblocks * memblocksize */
86 unsigned int memlocation; /* Pointer to byte in *mem */
87 unsigned int memblocks; /* Number of memory blocks in *mem */
88 unsigned int memblocksize; /* Size of one memory block in bytes */
89 unsigned int memaccessloops; /* Number of memory accesses per random
93 /* Flags that can be used to initialize the RNG */
94 #define JENT_DISABLE_STIR (1<<0) /* Disable stirring the entropy pool */
95 #define JENT_DISABLE_UNBIAS (1<<1) /* Disable the Von-Neuman Unbiaser */
96 #define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more
97 * entropy, saves MEMORY_SIZE RAM for
98 * entropy collector */
100 #define DRIVER_NAME "jitterentropy"
102 /* -- error codes for init function -- */
103 #define JENT_ENOTIME 1 /* Timer service not available */
104 #define JENT_ECOARSETIME 2 /* Timer too coarse for RNG */
105 #define JENT_ENOMONOTONIC 3 /* Timer is not monotonic increasing */
106 #define JENT_EMINVARIATION 4 /* Timer variations too small for RNG */
107 #define JENT_EVARVAR 5 /* Timer does not produce variations of
108 * variations (2nd derivation of time is
110 #define JENT_EMINVARVAR 6 /* Timer variations of variations is tooi
113 /***************************************************************************
115 ***************************************************************************/
117 static inline void jent_get_nstime(__u64 *out)
122 tmp = random_get_entropy();
125 * If random_get_entropy does not return a value (which is possible on,
126 * for example, MIPS), invoke __getnstimeofday
127 * hoping that there are timers we can work with.
129 * The list of available timers can be obtained from
130 * /sys/devices/system/clocksource/clocksource0/available_clocksource
131 * and are registered with clocksource_register()
135 (0 == timekeeping_valid_for_hres()) &&
137 (0 == __getnstimeofday(&ts))) {
140 tmp = tmp | ts.tv_nsec;
148 * Update of the loop count used for the next round of
149 * an entropy collection.
152 * @ec entropy collector struct -- may be NULL
153 * @bits is the number of low bits of the timer to consider
154 * @min is the number of bits we shift the timer value to the right at
155 * the end to make sure we have a guaranteed minimum value
157 * @return Newly calculated loop counter
159 static __u64 jent_loop_shuffle(struct rand_data *ec,
160 unsigned int bits, unsigned int min)
165 unsigned int mask = (1<<bits) - 1;
167 jent_get_nstime(&time);
169 * mix the current state of the random number into the shuffle
170 * calculation to balance that shuffle a bit more
175 * we fold the time value as much as possible to ensure that as many
176 * bits of the time stamp are included as possible
178 for (i = 0; (DATA_SIZE_BITS / bits) > i; i++) {
179 shuffle ^= time & mask;
184 * We add a lower boundary value to ensure we have a minimum
187 return (shuffle + (1<<min));
190 /***************************************************************************
192 ***************************************************************************/
195 * CPU Jitter noise source -- this is the noise source based on the CPU
196 * execution time jitter
198 * This function folds the time into one bit units by iterating
199 * through the DATA_SIZE_BITS bit time value as follows: assume our time value
201 * 1st loop, 1st shift generates 0xd000
202 * 1st loop, 2nd shift generates 0x000d
203 * 2nd loop, 1st shift generates 0xcd00
204 * 2nd loop, 2nd shift generates 0x000c
205 * 3rd loop, 1st shift generates 0xbcd0
206 * 3rd loop, 2nd shift generates 0x000b
207 * 4th loop, 1st shift generates 0xabcd
208 * 4th loop, 2nd shift generates 0x000a
209 * Now, the values at the end of the 2nd shifts are XORed together.
211 * The code is deliberately inefficient and shall stay that way. This function
212 * is the root cause why the code shall be compiled without optimization. This
213 * function not only acts as folding operation, but this function's execution
214 * is used to measure the CPU execution time jitter. Any change to the loop in
215 * this function implies that careful retesting must be done.
218 * @ec entropy collector struct -- may be NULL
219 * @time time stamp to be folded
220 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
221 * loops to perform the folding
224 * @folded result of folding operation
226 * @return Number of loops the folding operation is performed
228 static __u64 jent_fold_time(struct rand_data *ec, __u64 time,
229 __u64 *folded, __u64 loop_cnt)
234 #define MAX_FOLD_LOOP_BIT 4
235 #define MIN_FOLD_LOOP_BIT 0
236 __u64 fold_loop_cnt =
237 jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT);
240 * testing purposes -- allow test app to set the counter, not
241 * needed during runtime
244 fold_loop_cnt = loop_cnt;
245 for (j = 0; j < fold_loop_cnt; j++) {
247 for (i = 1; (DATA_SIZE_BITS) >= i; i++) {
248 __u64 tmp = time << (DATA_SIZE_BITS - i);
250 tmp = tmp >> (DATA_SIZE_BITS - 1);
255 return fold_loop_cnt;
259 * Memory Access noise source -- this is a noise source based on variations in
260 * memory access times
262 * This function performs memory accesses which will add to the timing
263 * variations due to an unknown amount of CPU wait states that need to be
264 * added when accessing memory. The memory size should be larger than the L1
265 * caches as outlined in the documentation and the associated testing.
267 * The L1 cache has a very high bandwidth, albeit its access rate is usually
268 * slower than accessing CPU registers. Therefore, L1 accesses only add minimal
269 * variations as the CPU has hardly to wait. Starting with L2, significant
270 * variations are added because L2 typically does not belong to the CPU any more
271 * and therefore a wider range of CPU wait states is necessary for accesses.
272 * L3 and real memory accesses have even a wider range of wait states. However,
273 * to reliably access either L3 or memory, the ec->mem memory must be quite
274 * large which is usually not desirable.
277 * @ec Reference to the entropy collector with the memory access data -- if
278 * the reference to the memory block to be accessed is NULL, this noise
280 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
281 * loops to perform the folding
283 * @return Number of memory access operations
285 static unsigned int jent_memaccess(struct rand_data *ec, __u64 loop_cnt)
287 unsigned char *tmpval = NULL;
288 unsigned int wrap = 0;
290 #define MAX_ACC_LOOP_BIT 7
291 #define MIN_ACC_LOOP_BIT 0
293 jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);
295 if (NULL == ec || NULL == ec->mem)
297 wrap = ec->memblocksize * ec->memblocks;
300 * testing purposes -- allow test app to set the counter, not
301 * needed during runtime
304 acc_loop_cnt = loop_cnt;
306 for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {
307 tmpval = ec->mem + ec->memlocation;
309 * memory access: just add 1 to one byte,
310 * wrap at 255 -- memory access implies read
311 * from and write to memory location
313 *tmpval = (*tmpval + 1) & 0xff;
315 * Addition of memblocksize - 1 to pointer
316 * with wrap around logic to ensure that every
317 * memory location is hit evenly
319 ec->memlocation = ec->memlocation + ec->memblocksize - 1;
320 ec->memlocation = ec->memlocation % wrap;
325 /***************************************************************************
326 * Start of entropy processing logic
327 ***************************************************************************/
330 * Stuck test by checking the:
331 * 1st derivation of the jitter measurement (time delta)
332 * 2nd derivation of the jitter measurement (delta of time deltas)
333 * 3rd derivation of the jitter measurement (delta of delta of time deltas)
335 * All values must always be non-zero.
338 * @ec Reference to entropy collector
339 * @current_delta Jitter time delta
342 * 0 jitter measurement not stuck (good bit)
343 * 1 jitter measurement stuck (reject bit)
345 static void jent_stuck(struct rand_data *ec, __u64 current_delta)
347 __s64 delta2 = ec->last_delta - current_delta;
348 __s64 delta3 = delta2 - ec->last_delta2;
350 ec->last_delta = current_delta;
351 ec->last_delta2 = delta2;
353 if (!current_delta || !delta2 || !delta3)
358 * This is the heart of the entropy generation: calculate time deltas and
359 * use the CPU jitter in the time deltas. The jitter is folded into one
360 * bit. You can call this function the "random bit generator" as it
361 * produces one random bit per invocation.
363 * WARNING: ensure that ->prev_time is primed before using the output
364 * of this function! This can be done by calling this function
365 * and not using its result.
368 * @entropy_collector Reference to entropy collector
370 * @return One random bit
372 static __u64 jent_measure_jitter(struct rand_data *ec)
376 __u64 current_delta = 0;
378 /* Invoke one noise source before time measurement to add variations */
379 jent_memaccess(ec, 0);
382 * Get time stamp and calculate time delta to previous
383 * invocation to measure the timing variations
385 jent_get_nstime(&time);
386 current_delta = time - ec->prev_time;
387 ec->prev_time = time;
389 /* Now call the next noise sources which also folds the data */
390 jent_fold_time(ec, current_delta, &data, 0);
393 * Check whether we have a stuck measurement. The enforcement
394 * is performed after the stuck value has been mixed into the
397 jent_stuck(ec, current_delta);
403 * Von Neuman unbias as explained in RFC 4086 section 4.2. As shown in the
404 * documentation of that RNG, the bits from jent_measure_jitter are considered
405 * independent which implies that the Von Neuman unbias operation is applicable.
406 * A proof of the Von-Neumann unbias operation to remove skews is given in the
407 * document "A proposal for: Functionality classes for random number
408 * generators", version 2.0 by Werner Schindler, section 5.4.1.
411 * @entropy_collector Reference to entropy collector
413 * @return One random bit
415 static __u64 jent_unbiased_bit(struct rand_data *entropy_collector)
418 __u64 a = jent_measure_jitter(entropy_collector);
419 __u64 b = jent_measure_jitter(entropy_collector);
431 * Shuffle the pool a bit by mixing some value with a bijective function (XOR)
434 * The function generates a mixer value that depends on the bits set and the
435 * location of the set bits in the random number generated by the entropy
436 * source. Therefore, based on the generated random number, this mixer value
437 * can have 2**64 different values. That mixer value is initialized with the
438 * first two SHA-1 constants. After obtaining the mixer value, it is XORed into
441 * The mixer value is not assumed to contain any entropy. But due to the XOR
442 * operation, it can also not destroy any entropy present in the entropy pool.
445 * @entropy_collector Reference to entropy collector
447 static void jent_stir_pool(struct rand_data *entropy_collector)
450 * to shut up GCC on 32 bit, we have to initialize the 64 variable
451 * with two 32 bit variables
458 * This constant is derived from the first two 32 bit initialization
459 * vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1
463 * The start value of the mixer variable is derived from the third
464 * and fourth 32 bit initialization vector of SHA-1 as defined in
465 * FIPS 180-4 section 5.3.1
471 * Store the SHA-1 constants in reverse order to make up the 64 bit
472 * value -- this applies to a little endian system, on a big endian
473 * system, it reverses as expected. But this really does not matter
474 * as we do not rely on the specific numbers. We just pick the SHA-1
475 * constants as they have a good mix of bit set and unset.
477 constant.u32[1] = 0x67452301;
478 constant.u32[0] = 0xefcdab89;
479 mixer.u32[1] = 0x98badcfe;
480 mixer.u32[0] = 0x10325476;
482 for (i = 0; i < DATA_SIZE_BITS; i++) {
484 * get the i-th bit of the input random number and only XOR
485 * the constant into the mixer value when that bit is set
487 if ((entropy_collector->data >> i) & 1)
488 mixer.u64 ^= constant.u64;
489 mixer.u64 = rol64(mixer.u64, 1);
491 entropy_collector->data ^= mixer.u64;
495 * Generator of one 64 bit random number
496 * Function fills rand_data->data
499 * @ec Reference to entropy collector
501 static void jent_gen_entropy(struct rand_data *ec)
505 /* priming of the ->prev_time value */
506 jent_measure_jitter(ec);
511 if (ec->disable_unbias == 1)
512 data = jent_measure_jitter(ec);
514 data = jent_unbiased_bit(ec);
516 /* enforcement of the jent_stuck test */
519 * We only mix in the bit considered not appropriate
520 * without the LSFR. The reason is that if we apply
521 * the LSFR and we do not rotate, the 2nd bit with LSFR
522 * will cancel out the first LSFR application on the
525 * And we do not rotate as we apply the next bit to the
526 * current bit location again.
534 * Fibonacci LSFR with polynom of
535 * x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is
536 * primitive according to
537 * http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf
538 * (the shift values are the polynom values minus one
539 * due to counting bits from 0 to 63). As the current
540 * position is always the LSB, the polynom only needs
541 * to shift data in from the left without wrap.
544 ec->data ^= ((ec->data >> 63) & 1);
545 ec->data ^= ((ec->data >> 60) & 1);
546 ec->data ^= ((ec->data >> 55) & 1);
547 ec->data ^= ((ec->data >> 30) & 1);
548 ec->data ^= ((ec->data >> 27) & 1);
549 ec->data ^= ((ec->data >> 22) & 1);
550 ec->data = rol64(ec->data, 1);
553 * We multiply the loop value with ->osr to obtain the
554 * oversampling rate requested by the caller
556 if (++k >= (DATA_SIZE_BITS * ec->osr))
564 * The continuous test required by FIPS 140-2 -- the function automatically
565 * primes the test if needed.
568 * 0 if FIPS test passed
569 * < 0 if FIPS test failed
571 static void jent_fips_test(struct rand_data *ec)
576 /* prime the FIPS test */
578 ec->old_data = ec->data;
579 jent_gen_entropy(ec);
582 if (ec->data == ec->old_data)
583 panic(DRIVER_NAME ": Duplicate output detected\n");
585 ec->old_data = ec->data;
590 * Entry function: Obtain entropy for the caller.
592 * This function invokes the entropy gathering logic as often to generate
593 * as many bytes as requested by the caller. The entropy gathering logic
594 * creates 64 bit per invocation.
596 * This function truncates the last 64 bit entropy value output to the exact
597 * size specified by the caller.
600 * @ec Reference to entropy collector
601 * @data pointer to buffer for storing random data -- buffer must already
603 * @len size of the buffer, specifying also the requested number of random
606 * @return 0 when request is fulfilled or an error
608 * The following error codes can occur:
609 * -1 entropy_collector is NULL
611 static ssize_t jent_read_entropy(struct rand_data *ec, u8 *data, size_t len)
621 jent_gen_entropy(ec);
623 if ((DATA_SIZE_BITS / 8) < len)
624 tocopy = (DATA_SIZE_BITS / 8);
627 memcpy(p, &ec->data, tocopy);
636 /***************************************************************************
637 * Initialization logic
638 ***************************************************************************/
640 static struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
643 struct rand_data *entropy_collector;
645 entropy_collector = kzalloc(sizeof(struct rand_data), GFP_KERNEL);
646 if (!entropy_collector)
649 if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) {
650 /* Allocate memory for adding variations based on memory
653 entropy_collector->mem = kzalloc(JENT_MEMORY_SIZE, GFP_KERNEL);
654 if (!entropy_collector->mem) {
655 kfree(entropy_collector);
658 entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE;
659 entropy_collector->memblocks = JENT_MEMORY_BLOCKS;
660 entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;
663 /* verify and set the oversampling rate */
665 osr = 1; /* minimum sampling rate is 1 */
666 entropy_collector->osr = osr;
668 entropy_collector->stir = 1;
669 if (flags & JENT_DISABLE_STIR)
670 entropy_collector->stir = 0;
671 if (flags & JENT_DISABLE_UNBIAS)
672 entropy_collector->disable_unbias = 1;
674 /* fill the data pad with non-zero values */
675 jent_gen_entropy(entropy_collector);
677 return entropy_collector;
680 static void jent_entropy_collector_free(struct rand_data *entropy_collector)
682 if (entropy_collector->mem)
683 kzfree(entropy_collector->mem);
684 entropy_collector->mem = NULL;
685 if (entropy_collector)
686 kzfree(entropy_collector);
687 entropy_collector = NULL;
690 static int jent_entropy_init(void)
695 int time_backwards = 0;
699 /* We could perform statistical tests here, but the problem is
700 * that we only have a few loop counts to do testing. These
701 * loop counts may show some slight skew and we produce
704 * Moreover, only old systems show potentially problematic
705 * jitter entropy that could potentially be caught here. But
706 * the RNG is intended for hardware that is available or widely
707 * used, but not old systems that are long out of favor. Thus,
708 * no statistical tests.
712 * We could add a check for system capabilities such as clock_getres or
713 * check for CONFIG_X86_TSC, but it does not make much sense as the
714 * following sanity checks verify that we have a high-resolution
718 * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is
719 * definitely too little.
721 #define TESTLOOPCOUNT 300
722 #define CLEARCACHE 100
723 for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) {
728 unsigned int lowdelta = 0;
730 jent_get_nstime(&time);
731 jent_fold_time(NULL, time, &folded, 1<<MIN_FOLD_LOOP_BIT);
732 jent_get_nstime(&time2);
734 /* test whether timer works */
737 delta = time2 - time;
739 * test whether timer is fine grained enough to provide
740 * delta even when called shortly after each other -- this
741 * implies that we also have a high resolution timer
744 return JENT_ECOARSETIME;
747 * up to here we did not modify any variable that will be
748 * evaluated later, but we already performed some work. Thus we
749 * already have had an impact on the caches, branch prediction,
750 * etc. with the goal to clear it to get the worst case
756 /* test whether we have an increasing timer */
761 * Avoid modulo of 64 bit integer to allow code to compile
762 * on 32 bit architectures.
764 lowdelta = time2 - time;
765 if (!(lowdelta % 100))
769 * ensure that we have a varying delta timer which is necessary
770 * for the calculation of entropy -- perform this check
771 * only after the first loop is executed as we need to prime
775 if (delta != old_delta)
777 if (delta > old_delta)
778 delta_sum += (delta - old_delta);
780 delta_sum += (old_delta - delta);
786 * we allow up to three times the time running backwards.
787 * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus,
788 * if such an operation just happens to interfere with our test, it
789 * should not fail. The value of 3 should cover the NTP case being
790 * performed during our test run.
792 if (3 < time_backwards)
793 return JENT_ENOMONOTONIC;
794 /* Error if the time variances are always identical */
799 * Variations of deltas of time must on average be larger
800 * than 1 to ensure the entropy estimation
801 * implied with 1 is preserved
804 return JENT_EMINVARVAR;
807 * Ensure that we have variations in the time stamp below 10 for at
808 * least 10% of all checks -- on some platforms, the counter
809 * increments in multiples of 100, but not always
811 if ((TESTLOOPCOUNT/10 * 9) < count_mod)
812 return JENT_ECOARSETIME;
817 /***************************************************************************
818 * Kernel crypto API interface
819 ***************************************************************************/
821 struct jitterentropy {
822 spinlock_t jent_lock;
823 struct rand_data *entropy_collector;
826 static int jent_kcapi_init(struct crypto_tfm *tfm)
828 struct jitterentropy *rng = crypto_tfm_ctx(tfm);
831 rng->entropy_collector = jent_entropy_collector_alloc(1, 0);
832 if (!rng->entropy_collector)
835 spin_lock_init(&rng->jent_lock);
839 static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
841 struct jitterentropy *rng = crypto_tfm_ctx(tfm);
843 spin_lock(&rng->jent_lock);
844 if (rng->entropy_collector)
845 jent_entropy_collector_free(rng->entropy_collector);
846 rng->entropy_collector = NULL;
847 spin_unlock(&rng->jent_lock);
850 static int jent_kcapi_random(struct crypto_rng *tfm,
851 const u8 *src, unsigned int slen,
852 u8 *rdata, unsigned int dlen)
854 struct jitterentropy *rng = crypto_rng_ctx(tfm);
857 spin_lock(&rng->jent_lock);
858 ret = jent_read_entropy(rng->entropy_collector, rdata, dlen);
859 spin_unlock(&rng->jent_lock);
864 static int jent_kcapi_reset(struct crypto_rng *tfm,
865 const u8 *seed, unsigned int slen)
870 static struct rng_alg jent_alg = {
871 .generate = jent_kcapi_random,
872 .seed = jent_kcapi_reset,
875 .cra_name = "jitterentropy_rng",
876 .cra_driver_name = "jitterentropy_rng",
878 .cra_ctxsize = sizeof(struct jitterentropy),
879 .cra_module = THIS_MODULE,
880 .cra_init = jent_kcapi_init,
881 .cra_exit = jent_kcapi_cleanup,
886 static int __init jent_mod_init(void)
890 ret = jent_entropy_init();
892 pr_info(DRIVER_NAME ": Initialization failed with host not compliant with requirements: %d\n", ret);
895 return crypto_register_rng(&jent_alg);
898 static void __exit jent_mod_exit(void)
900 crypto_unregister_rng(&jent_alg);
903 module_init(jent_mod_init);
904 module_exit(jent_mod_exit);
906 MODULE_LICENSE("Dual BSD/GPL");
907 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
908 MODULE_DESCRIPTION("Non-physical True Random Number Generator based on CPU Jitter");
909 MODULE_ALIAS_CRYPTO("jitterentropy_rng");