18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause) 28c2ecf20Sopenharmony_ci/* 38c2ecf20Sopenharmony_ci * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 48c2ecf20Sopenharmony_ci * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005 58c2ecf20Sopenharmony_ci * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All rights reserved. 68c2ecf20Sopenharmony_ci * 78c2ecf20Sopenharmony_ci * This driver produces cryptographically secure pseudorandom data. It is divided 88c2ecf20Sopenharmony_ci * into roughly six sections, each with a section header: 98c2ecf20Sopenharmony_ci * 108c2ecf20Sopenharmony_ci * - Initialization and readiness waiting. 118c2ecf20Sopenharmony_ci * - Fast key erasure RNG, the "crng". 128c2ecf20Sopenharmony_ci * - Entropy accumulation and extraction routines. 138c2ecf20Sopenharmony_ci * - Entropy collection routines. 148c2ecf20Sopenharmony_ci * - Userspace reader/writer interfaces. 158c2ecf20Sopenharmony_ci * - Sysctl interface. 168c2ecf20Sopenharmony_ci * 178c2ecf20Sopenharmony_ci * The high level overview is that there is one input pool, into which 188c2ecf20Sopenharmony_ci * various pieces of data are hashed. Prior to initialization, some of that 198c2ecf20Sopenharmony_ci * data is then "credited" as having a certain number of bits of entropy. 208c2ecf20Sopenharmony_ci * When enough bits of entropy are available, the hash is finalized and 218c2ecf20Sopenharmony_ci * handed as a key to a stream cipher that expands it indefinitely for 228c2ecf20Sopenharmony_ci * various consumers. This key is periodically refreshed as the various 238c2ecf20Sopenharmony_ci * entropy collectors, described below, add data to the input pool. 248c2ecf20Sopenharmony_ci */ 258c2ecf20Sopenharmony_ci 268c2ecf20Sopenharmony_ci#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 278c2ecf20Sopenharmony_ci 288c2ecf20Sopenharmony_ci#include <linux/utsname.h> 298c2ecf20Sopenharmony_ci#include <linux/module.h> 308c2ecf20Sopenharmony_ci#include <linux/kernel.h> 318c2ecf20Sopenharmony_ci#include <linux/major.h> 328c2ecf20Sopenharmony_ci#include <linux/string.h> 338c2ecf20Sopenharmony_ci#include <linux/fcntl.h> 348c2ecf20Sopenharmony_ci#include <linux/slab.h> 358c2ecf20Sopenharmony_ci#include <linux/random.h> 368c2ecf20Sopenharmony_ci#include <linux/poll.h> 378c2ecf20Sopenharmony_ci#include <linux/init.h> 388c2ecf20Sopenharmony_ci#include <linux/fs.h> 398c2ecf20Sopenharmony_ci#include <linux/genhd.h> 408c2ecf20Sopenharmony_ci#include <linux/interrupt.h> 418c2ecf20Sopenharmony_ci#include <linux/mm.h> 428c2ecf20Sopenharmony_ci#include <linux/nodemask.h> 438c2ecf20Sopenharmony_ci#include <linux/spinlock.h> 448c2ecf20Sopenharmony_ci#include <linux/kthread.h> 458c2ecf20Sopenharmony_ci#include <linux/percpu.h> 468c2ecf20Sopenharmony_ci#include <linux/ptrace.h> 478c2ecf20Sopenharmony_ci#include <linux/workqueue.h> 488c2ecf20Sopenharmony_ci#include <linux/irq.h> 498c2ecf20Sopenharmony_ci#include <linux/ratelimit.h> 508c2ecf20Sopenharmony_ci#include <linux/syscalls.h> 518c2ecf20Sopenharmony_ci#include <linux/completion.h> 528c2ecf20Sopenharmony_ci#include <linux/uuid.h> 538c2ecf20Sopenharmony_ci#include <linux/uaccess.h> 548c2ecf20Sopenharmony_ci#include <linux/siphash.h> 558c2ecf20Sopenharmony_ci#include <linux/uio.h> 568c2ecf20Sopenharmony_ci#include <crypto/chacha.h> 578c2ecf20Sopenharmony_ci#include <crypto/blake2s.h> 588c2ecf20Sopenharmony_ci#include <asm/processor.h> 598c2ecf20Sopenharmony_ci#include <asm/irq.h> 608c2ecf20Sopenharmony_ci#include <asm/irq_regs.h> 618c2ecf20Sopenharmony_ci#include <asm/io.h> 628c2ecf20Sopenharmony_ci 638c2ecf20Sopenharmony_ci/********************************************************************* 648c2ecf20Sopenharmony_ci * 658c2ecf20Sopenharmony_ci * Initialization and readiness waiting. 668c2ecf20Sopenharmony_ci * 678c2ecf20Sopenharmony_ci * Much of the RNG infrastructure is devoted to various dependencies 688c2ecf20Sopenharmony_ci * being able to wait until the RNG has collected enough entropy and 698c2ecf20Sopenharmony_ci * is ready for safe consumption. 708c2ecf20Sopenharmony_ci * 718c2ecf20Sopenharmony_ci *********************************************************************/ 728c2ecf20Sopenharmony_ci 738c2ecf20Sopenharmony_ci/* 748c2ecf20Sopenharmony_ci * crng_init is protected by base_crng->lock, and only increases 758c2ecf20Sopenharmony_ci * its value (from empty->early->ready). 768c2ecf20Sopenharmony_ci */ 778c2ecf20Sopenharmony_cistatic enum { 788c2ecf20Sopenharmony_ci CRNG_EMPTY = 0, /* Little to no entropy collected */ 798c2ecf20Sopenharmony_ci CRNG_EARLY = 1, /* At least POOL_EARLY_BITS collected */ 808c2ecf20Sopenharmony_ci CRNG_READY = 2 /* Fully initialized with POOL_READY_BITS collected */ 818c2ecf20Sopenharmony_ci} crng_init __read_mostly = CRNG_EMPTY; 828c2ecf20Sopenharmony_ci#define crng_ready() (likely(crng_init >= CRNG_READY)) 838c2ecf20Sopenharmony_ci/* Various types of waiters for crng_init->CRNG_READY transition. */ 848c2ecf20Sopenharmony_cistatic DECLARE_WAIT_QUEUE_HEAD(crng_init_wait); 858c2ecf20Sopenharmony_cistatic struct fasync_struct *fasync; 868c2ecf20Sopenharmony_cistatic DEFINE_SPINLOCK(random_ready_chain_lock); 878c2ecf20Sopenharmony_cistatic RAW_NOTIFIER_HEAD(random_ready_chain); 888c2ecf20Sopenharmony_ci 898c2ecf20Sopenharmony_ci/* Control how we warn userspace. */ 908c2ecf20Sopenharmony_cistatic struct ratelimit_state urandom_warning = 918c2ecf20Sopenharmony_ci RATELIMIT_STATE_INIT_FLAGS("urandom_warning", HZ, 3, RATELIMIT_MSG_ON_RELEASE); 928c2ecf20Sopenharmony_cistatic int ratelimit_disable __read_mostly = 938c2ecf20Sopenharmony_ci IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM); 948c2ecf20Sopenharmony_cimodule_param_named(ratelimit_disable, ratelimit_disable, int, 0644); 958c2ecf20Sopenharmony_ciMODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); 968c2ecf20Sopenharmony_ci 978c2ecf20Sopenharmony_ci/* 988c2ecf20Sopenharmony_ci * Returns whether or not the input pool has been seeded and thus guaranteed 998c2ecf20Sopenharmony_ci * to supply cryptographically secure random numbers. This applies to: the 1008c2ecf20Sopenharmony_ci * /dev/urandom device, the get_random_bytes function, and the get_random_{u32, 1018c2ecf20Sopenharmony_ci * ,u64,int,long} family of functions. 1028c2ecf20Sopenharmony_ci * 1038c2ecf20Sopenharmony_ci * Returns: true if the input pool has been seeded. 1048c2ecf20Sopenharmony_ci * false if the input pool has not been seeded. 1058c2ecf20Sopenharmony_ci */ 1068c2ecf20Sopenharmony_cibool rng_is_initialized(void) 1078c2ecf20Sopenharmony_ci{ 1088c2ecf20Sopenharmony_ci return crng_ready(); 1098c2ecf20Sopenharmony_ci} 1108c2ecf20Sopenharmony_ciEXPORT_SYMBOL(rng_is_initialized); 1118c2ecf20Sopenharmony_ci 1128c2ecf20Sopenharmony_ci/* Used by wait_for_random_bytes(), and considered an entropy collector, below. */ 1138c2ecf20Sopenharmony_cistatic void try_to_generate_entropy(void); 1148c2ecf20Sopenharmony_ci 1158c2ecf20Sopenharmony_ci/* 1168c2ecf20Sopenharmony_ci * Wait for the input pool to be seeded and thus guaranteed to supply 1178c2ecf20Sopenharmony_ci * cryptographically secure random numbers. This applies to: the /dev/urandom 1188c2ecf20Sopenharmony_ci * device, the get_random_bytes function, and the get_random_{u32,u64,int,long} 1198c2ecf20Sopenharmony_ci * family of functions. Using any of these functions without first calling 1208c2ecf20Sopenharmony_ci * this function forfeits the guarantee of security. 1218c2ecf20Sopenharmony_ci * 1228c2ecf20Sopenharmony_ci * Returns: 0 if the input pool has been seeded. 1238c2ecf20Sopenharmony_ci * -ERESTARTSYS if the function was interrupted by a signal. 1248c2ecf20Sopenharmony_ci */ 1258c2ecf20Sopenharmony_ciint wait_for_random_bytes(void) 1268c2ecf20Sopenharmony_ci{ 1278c2ecf20Sopenharmony_ci while (!crng_ready()) { 1288c2ecf20Sopenharmony_ci int ret; 1298c2ecf20Sopenharmony_ci 1308c2ecf20Sopenharmony_ci try_to_generate_entropy(); 1318c2ecf20Sopenharmony_ci ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ); 1328c2ecf20Sopenharmony_ci if (ret) 1338c2ecf20Sopenharmony_ci return ret > 0 ? 0 : ret; 1348c2ecf20Sopenharmony_ci } 1358c2ecf20Sopenharmony_ci return 0; 1368c2ecf20Sopenharmony_ci} 1378c2ecf20Sopenharmony_ciEXPORT_SYMBOL(wait_for_random_bytes); 1388c2ecf20Sopenharmony_ci 1398c2ecf20Sopenharmony_ci/* 1408c2ecf20Sopenharmony_ci * Add a callback function that will be invoked when the input 1418c2ecf20Sopenharmony_ci * pool is initialised. 1428c2ecf20Sopenharmony_ci * 1438c2ecf20Sopenharmony_ci * returns: 0 if callback is successfully added 1448c2ecf20Sopenharmony_ci * -EALREADY if pool is already initialised (callback not called) 1458c2ecf20Sopenharmony_ci */ 1468c2ecf20Sopenharmony_ciint __cold register_random_ready_notifier(struct notifier_block *nb) 1478c2ecf20Sopenharmony_ci{ 1488c2ecf20Sopenharmony_ci unsigned long flags; 1498c2ecf20Sopenharmony_ci int ret = -EALREADY; 1508c2ecf20Sopenharmony_ci 1518c2ecf20Sopenharmony_ci if (crng_ready()) 1528c2ecf20Sopenharmony_ci return ret; 1538c2ecf20Sopenharmony_ci 1548c2ecf20Sopenharmony_ci spin_lock_irqsave(&random_ready_chain_lock, flags); 1558c2ecf20Sopenharmony_ci if (!crng_ready()) 1568c2ecf20Sopenharmony_ci ret = raw_notifier_chain_register(&random_ready_chain, nb); 1578c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&random_ready_chain_lock, flags); 1588c2ecf20Sopenharmony_ci return ret; 1598c2ecf20Sopenharmony_ci} 1608c2ecf20Sopenharmony_ci 1618c2ecf20Sopenharmony_ci/* 1628c2ecf20Sopenharmony_ci * Delete a previously registered readiness callback function. 1638c2ecf20Sopenharmony_ci */ 1648c2ecf20Sopenharmony_ciint __cold unregister_random_ready_notifier(struct notifier_block *nb) 1658c2ecf20Sopenharmony_ci{ 1668c2ecf20Sopenharmony_ci unsigned long flags; 1678c2ecf20Sopenharmony_ci int ret; 1688c2ecf20Sopenharmony_ci 1698c2ecf20Sopenharmony_ci spin_lock_irqsave(&random_ready_chain_lock, flags); 1708c2ecf20Sopenharmony_ci ret = raw_notifier_chain_unregister(&random_ready_chain, nb); 1718c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&random_ready_chain_lock, flags); 1728c2ecf20Sopenharmony_ci return ret; 1738c2ecf20Sopenharmony_ci} 1748c2ecf20Sopenharmony_ci 1758c2ecf20Sopenharmony_cistatic void __cold process_random_ready_list(void) 1768c2ecf20Sopenharmony_ci{ 1778c2ecf20Sopenharmony_ci unsigned long flags; 1788c2ecf20Sopenharmony_ci 1798c2ecf20Sopenharmony_ci spin_lock_irqsave(&random_ready_chain_lock, flags); 1808c2ecf20Sopenharmony_ci raw_notifier_call_chain(&random_ready_chain, 0, NULL); 1818c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&random_ready_chain_lock, flags); 1828c2ecf20Sopenharmony_ci} 1838c2ecf20Sopenharmony_ci 1848c2ecf20Sopenharmony_ci#define warn_unseeded_randomness() \ 1858c2ecf20Sopenharmony_ci if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready()) \ 1868c2ecf20Sopenharmony_ci printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n", \ 1878c2ecf20Sopenharmony_ci __func__, (void *)_RET_IP_, crng_init) 1888c2ecf20Sopenharmony_ci 1898c2ecf20Sopenharmony_ci 1908c2ecf20Sopenharmony_ci/********************************************************************* 1918c2ecf20Sopenharmony_ci * 1928c2ecf20Sopenharmony_ci * Fast key erasure RNG, the "crng". 1938c2ecf20Sopenharmony_ci * 1948c2ecf20Sopenharmony_ci * These functions expand entropy from the entropy extractor into 1958c2ecf20Sopenharmony_ci * long streams for external consumption using the "fast key erasure" 1968c2ecf20Sopenharmony_ci * RNG described at <https://blog.cr.yp.to/20170723-random.html>. 1978c2ecf20Sopenharmony_ci * 1988c2ecf20Sopenharmony_ci * There are a few exported interfaces for use by other drivers: 1998c2ecf20Sopenharmony_ci * 2008c2ecf20Sopenharmony_ci * void get_random_bytes(void *buf, size_t len) 2018c2ecf20Sopenharmony_ci * u32 get_random_u32() 2028c2ecf20Sopenharmony_ci * u64 get_random_u64() 2038c2ecf20Sopenharmony_ci * unsigned int get_random_int() 2048c2ecf20Sopenharmony_ci * unsigned long get_random_long() 2058c2ecf20Sopenharmony_ci * 2068c2ecf20Sopenharmony_ci * These interfaces will return the requested number of random bytes 2078c2ecf20Sopenharmony_ci * into the given buffer or as a return value. This is equivalent to 2088c2ecf20Sopenharmony_ci * a read from /dev/urandom. The u32, u64, int, and long family of 2098c2ecf20Sopenharmony_ci * functions may be higher performance for one-off random integers, 2108c2ecf20Sopenharmony_ci * because they do a bit of buffering and do not invoke reseeding 2118c2ecf20Sopenharmony_ci * until the buffer is emptied. 2128c2ecf20Sopenharmony_ci * 2138c2ecf20Sopenharmony_ci *********************************************************************/ 2148c2ecf20Sopenharmony_ci 2158c2ecf20Sopenharmony_cienum { 2168c2ecf20Sopenharmony_ci CRNG_RESEED_START_INTERVAL = HZ, 2178c2ecf20Sopenharmony_ci CRNG_RESEED_INTERVAL = 60 * HZ 2188c2ecf20Sopenharmony_ci}; 2198c2ecf20Sopenharmony_ci 2208c2ecf20Sopenharmony_cistatic struct { 2218c2ecf20Sopenharmony_ci u8 key[CHACHA_KEY_SIZE] __aligned(__alignof__(long)); 2228c2ecf20Sopenharmony_ci unsigned long birth; 2238c2ecf20Sopenharmony_ci unsigned long generation; 2248c2ecf20Sopenharmony_ci spinlock_t lock; 2258c2ecf20Sopenharmony_ci} base_crng = { 2268c2ecf20Sopenharmony_ci .lock = __SPIN_LOCK_UNLOCKED(base_crng.lock) 2278c2ecf20Sopenharmony_ci}; 2288c2ecf20Sopenharmony_ci 2298c2ecf20Sopenharmony_cistruct crng { 2308c2ecf20Sopenharmony_ci u8 key[CHACHA_KEY_SIZE]; 2318c2ecf20Sopenharmony_ci unsigned long generation; 2328c2ecf20Sopenharmony_ci local_lock_t lock; 2338c2ecf20Sopenharmony_ci}; 2348c2ecf20Sopenharmony_ci 2358c2ecf20Sopenharmony_cistatic DEFINE_PER_CPU(struct crng, crngs) = { 2368c2ecf20Sopenharmony_ci .generation = ULONG_MAX, 2378c2ecf20Sopenharmony_ci .lock = INIT_LOCAL_LOCK(crngs.lock), 2388c2ecf20Sopenharmony_ci}; 2398c2ecf20Sopenharmony_ci 2408c2ecf20Sopenharmony_ci/* Used by crng_reseed() and crng_make_state() to extract a new seed from the input pool. */ 2418c2ecf20Sopenharmony_cistatic void extract_entropy(void *buf, size_t len); 2428c2ecf20Sopenharmony_ci 2438c2ecf20Sopenharmony_ci/* This extracts a new crng key from the input pool. */ 2448c2ecf20Sopenharmony_cistatic void crng_reseed(void) 2458c2ecf20Sopenharmony_ci{ 2468c2ecf20Sopenharmony_ci unsigned long flags; 2478c2ecf20Sopenharmony_ci unsigned long next_gen; 2488c2ecf20Sopenharmony_ci u8 key[CHACHA_KEY_SIZE]; 2498c2ecf20Sopenharmony_ci 2508c2ecf20Sopenharmony_ci extract_entropy(key, sizeof(key)); 2518c2ecf20Sopenharmony_ci 2528c2ecf20Sopenharmony_ci /* 2538c2ecf20Sopenharmony_ci * We copy the new key into the base_crng, overwriting the old one, 2548c2ecf20Sopenharmony_ci * and update the generation counter. We avoid hitting ULONG_MAX, 2558c2ecf20Sopenharmony_ci * because the per-cpu crngs are initialized to ULONG_MAX, so this 2568c2ecf20Sopenharmony_ci * forces new CPUs that come online to always initialize. 2578c2ecf20Sopenharmony_ci */ 2588c2ecf20Sopenharmony_ci spin_lock_irqsave(&base_crng.lock, flags); 2598c2ecf20Sopenharmony_ci memcpy(base_crng.key, key, sizeof(base_crng.key)); 2608c2ecf20Sopenharmony_ci next_gen = base_crng.generation + 1; 2618c2ecf20Sopenharmony_ci if (next_gen == ULONG_MAX) 2628c2ecf20Sopenharmony_ci ++next_gen; 2638c2ecf20Sopenharmony_ci WRITE_ONCE(base_crng.generation, next_gen); 2648c2ecf20Sopenharmony_ci WRITE_ONCE(base_crng.birth, jiffies); 2658c2ecf20Sopenharmony_ci if (!crng_ready()) 2668c2ecf20Sopenharmony_ci crng_init = CRNG_READY; 2678c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&base_crng.lock, flags); 2688c2ecf20Sopenharmony_ci memzero_explicit(key, sizeof(key)); 2698c2ecf20Sopenharmony_ci} 2708c2ecf20Sopenharmony_ci 2718c2ecf20Sopenharmony_ci/* 2728c2ecf20Sopenharmony_ci * This generates a ChaCha block using the provided key, and then 2738c2ecf20Sopenharmony_ci * immediately overwites that key with half the block. It returns 2748c2ecf20Sopenharmony_ci * the resultant ChaCha state to the user, along with the second 2758c2ecf20Sopenharmony_ci * half of the block containing 32 bytes of random data that may 2768c2ecf20Sopenharmony_ci * be used; random_data_len may not be greater than 32. 2778c2ecf20Sopenharmony_ci * 2788c2ecf20Sopenharmony_ci * The returned ChaCha state contains within it a copy of the old 2798c2ecf20Sopenharmony_ci * key value, at index 4, so the state should always be zeroed out 2808c2ecf20Sopenharmony_ci * immediately after using in order to maintain forward secrecy. 2818c2ecf20Sopenharmony_ci * If the state cannot be erased in a timely manner, then it is 2828c2ecf20Sopenharmony_ci * safer to set the random_data parameter to &chacha_state[4] so 2838c2ecf20Sopenharmony_ci * that this function overwrites it before returning. 2848c2ecf20Sopenharmony_ci */ 2858c2ecf20Sopenharmony_cistatic void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], 2868c2ecf20Sopenharmony_ci u32 chacha_state[CHACHA_STATE_WORDS], 2878c2ecf20Sopenharmony_ci u8 *random_data, size_t random_data_len) 2888c2ecf20Sopenharmony_ci{ 2898c2ecf20Sopenharmony_ci u8 first_block[CHACHA_BLOCK_SIZE]; 2908c2ecf20Sopenharmony_ci 2918c2ecf20Sopenharmony_ci BUG_ON(random_data_len > 32); 2928c2ecf20Sopenharmony_ci 2938c2ecf20Sopenharmony_ci chacha_init_consts(chacha_state); 2948c2ecf20Sopenharmony_ci memcpy(&chacha_state[4], key, CHACHA_KEY_SIZE); 2958c2ecf20Sopenharmony_ci memset(&chacha_state[12], 0, sizeof(u32) * 4); 2968c2ecf20Sopenharmony_ci chacha20_block(chacha_state, first_block); 2978c2ecf20Sopenharmony_ci 2988c2ecf20Sopenharmony_ci memcpy(key, first_block, CHACHA_KEY_SIZE); 2998c2ecf20Sopenharmony_ci memcpy(random_data, first_block + CHACHA_KEY_SIZE, random_data_len); 3008c2ecf20Sopenharmony_ci memzero_explicit(first_block, sizeof(first_block)); 3018c2ecf20Sopenharmony_ci} 3028c2ecf20Sopenharmony_ci 3038c2ecf20Sopenharmony_ci/* 3048c2ecf20Sopenharmony_ci * Return whether the crng seed is considered to be sufficiently old 3058c2ecf20Sopenharmony_ci * that a reseeding is needed. This happens if the last reseeding 3068c2ecf20Sopenharmony_ci * was CRNG_RESEED_INTERVAL ago, or during early boot, at an interval 3078c2ecf20Sopenharmony_ci * proportional to the uptime. 3088c2ecf20Sopenharmony_ci */ 3098c2ecf20Sopenharmony_cistatic bool crng_has_old_seed(void) 3108c2ecf20Sopenharmony_ci{ 3118c2ecf20Sopenharmony_ci static bool early_boot = true; 3128c2ecf20Sopenharmony_ci unsigned long interval = CRNG_RESEED_INTERVAL; 3138c2ecf20Sopenharmony_ci 3148c2ecf20Sopenharmony_ci if (unlikely(READ_ONCE(early_boot))) { 3158c2ecf20Sopenharmony_ci time64_t uptime = ktime_get_seconds(); 3168c2ecf20Sopenharmony_ci if (uptime >= CRNG_RESEED_INTERVAL / HZ * 2) 3178c2ecf20Sopenharmony_ci WRITE_ONCE(early_boot, false); 3188c2ecf20Sopenharmony_ci else 3198c2ecf20Sopenharmony_ci interval = max_t(unsigned int, CRNG_RESEED_START_INTERVAL, 3208c2ecf20Sopenharmony_ci (unsigned int)uptime / 2 * HZ); 3218c2ecf20Sopenharmony_ci } 3228c2ecf20Sopenharmony_ci return time_is_before_jiffies(READ_ONCE(base_crng.birth) + interval); 3238c2ecf20Sopenharmony_ci} 3248c2ecf20Sopenharmony_ci 3258c2ecf20Sopenharmony_ci/* 3268c2ecf20Sopenharmony_ci * This function returns a ChaCha state that you may use for generating 3278c2ecf20Sopenharmony_ci * random data. It also returns up to 32 bytes on its own of random data 3288c2ecf20Sopenharmony_ci * that may be used; random_data_len may not be greater than 32. 3298c2ecf20Sopenharmony_ci */ 3308c2ecf20Sopenharmony_cistatic void crng_make_state(u32 chacha_state[CHACHA_STATE_WORDS], 3318c2ecf20Sopenharmony_ci u8 *random_data, size_t random_data_len) 3328c2ecf20Sopenharmony_ci{ 3338c2ecf20Sopenharmony_ci unsigned long flags; 3348c2ecf20Sopenharmony_ci struct crng *crng; 3358c2ecf20Sopenharmony_ci 3368c2ecf20Sopenharmony_ci BUG_ON(random_data_len > 32); 3378c2ecf20Sopenharmony_ci 3388c2ecf20Sopenharmony_ci /* 3398c2ecf20Sopenharmony_ci * For the fast path, we check whether we're ready, unlocked first, and 3408c2ecf20Sopenharmony_ci * then re-check once locked later. In the case where we're really not 3418c2ecf20Sopenharmony_ci * ready, we do fast key erasure with the base_crng directly, extracting 3428c2ecf20Sopenharmony_ci * when crng_init is CRNG_EMPTY. 3438c2ecf20Sopenharmony_ci */ 3448c2ecf20Sopenharmony_ci if (!crng_ready()) { 3458c2ecf20Sopenharmony_ci bool ready; 3468c2ecf20Sopenharmony_ci 3478c2ecf20Sopenharmony_ci spin_lock_irqsave(&base_crng.lock, flags); 3488c2ecf20Sopenharmony_ci ready = crng_ready(); 3498c2ecf20Sopenharmony_ci if (!ready) { 3508c2ecf20Sopenharmony_ci if (crng_init == CRNG_EMPTY) 3518c2ecf20Sopenharmony_ci extract_entropy(base_crng.key, sizeof(base_crng.key)); 3528c2ecf20Sopenharmony_ci crng_fast_key_erasure(base_crng.key, chacha_state, 3538c2ecf20Sopenharmony_ci random_data, random_data_len); 3548c2ecf20Sopenharmony_ci } 3558c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&base_crng.lock, flags); 3568c2ecf20Sopenharmony_ci if (!ready) 3578c2ecf20Sopenharmony_ci return; 3588c2ecf20Sopenharmony_ci } 3598c2ecf20Sopenharmony_ci 3608c2ecf20Sopenharmony_ci /* 3618c2ecf20Sopenharmony_ci * If the base_crng is old enough, we reseed, which in turn bumps the 3628c2ecf20Sopenharmony_ci * generation counter that we check below. 3638c2ecf20Sopenharmony_ci */ 3648c2ecf20Sopenharmony_ci if (unlikely(crng_has_old_seed())) 3658c2ecf20Sopenharmony_ci crng_reseed(); 3668c2ecf20Sopenharmony_ci 3678c2ecf20Sopenharmony_ci local_lock_irqsave(&crngs.lock, flags); 3688c2ecf20Sopenharmony_ci crng = raw_cpu_ptr(&crngs); 3698c2ecf20Sopenharmony_ci 3708c2ecf20Sopenharmony_ci /* 3718c2ecf20Sopenharmony_ci * If our per-cpu crng is older than the base_crng, then it means 3728c2ecf20Sopenharmony_ci * somebody reseeded the base_crng. In that case, we do fast key 3738c2ecf20Sopenharmony_ci * erasure on the base_crng, and use its output as the new key 3748c2ecf20Sopenharmony_ci * for our per-cpu crng. This brings us up to date with base_crng. 3758c2ecf20Sopenharmony_ci */ 3768c2ecf20Sopenharmony_ci if (unlikely(crng->generation != READ_ONCE(base_crng.generation))) { 3778c2ecf20Sopenharmony_ci spin_lock(&base_crng.lock); 3788c2ecf20Sopenharmony_ci crng_fast_key_erasure(base_crng.key, chacha_state, 3798c2ecf20Sopenharmony_ci crng->key, sizeof(crng->key)); 3808c2ecf20Sopenharmony_ci crng->generation = base_crng.generation; 3818c2ecf20Sopenharmony_ci spin_unlock(&base_crng.lock); 3828c2ecf20Sopenharmony_ci } 3838c2ecf20Sopenharmony_ci 3848c2ecf20Sopenharmony_ci /* 3858c2ecf20Sopenharmony_ci * Finally, when we've made it this far, our per-cpu crng has an up 3868c2ecf20Sopenharmony_ci * to date key, and we can do fast key erasure with it to produce 3878c2ecf20Sopenharmony_ci * some random data and a ChaCha state for the caller. All other 3888c2ecf20Sopenharmony_ci * branches of this function are "unlikely", so most of the time we 3898c2ecf20Sopenharmony_ci * should wind up here immediately. 3908c2ecf20Sopenharmony_ci */ 3918c2ecf20Sopenharmony_ci crng_fast_key_erasure(crng->key, chacha_state, random_data, random_data_len); 3928c2ecf20Sopenharmony_ci local_unlock_irqrestore(&crngs.lock, flags); 3938c2ecf20Sopenharmony_ci} 3948c2ecf20Sopenharmony_ci 3958c2ecf20Sopenharmony_cistatic void _get_random_bytes(void *buf, size_t len) 3968c2ecf20Sopenharmony_ci{ 3978c2ecf20Sopenharmony_ci u32 chacha_state[CHACHA_STATE_WORDS]; 3988c2ecf20Sopenharmony_ci u8 tmp[CHACHA_BLOCK_SIZE]; 3998c2ecf20Sopenharmony_ci size_t first_block_len; 4008c2ecf20Sopenharmony_ci 4018c2ecf20Sopenharmony_ci if (!len) 4028c2ecf20Sopenharmony_ci return; 4038c2ecf20Sopenharmony_ci 4048c2ecf20Sopenharmony_ci first_block_len = min_t(size_t, 32, len); 4058c2ecf20Sopenharmony_ci crng_make_state(chacha_state, buf, first_block_len); 4068c2ecf20Sopenharmony_ci len -= first_block_len; 4078c2ecf20Sopenharmony_ci buf += first_block_len; 4088c2ecf20Sopenharmony_ci 4098c2ecf20Sopenharmony_ci while (len) { 4108c2ecf20Sopenharmony_ci if (len < CHACHA_BLOCK_SIZE) { 4118c2ecf20Sopenharmony_ci chacha20_block(chacha_state, tmp); 4128c2ecf20Sopenharmony_ci memcpy(buf, tmp, len); 4138c2ecf20Sopenharmony_ci memzero_explicit(tmp, sizeof(tmp)); 4148c2ecf20Sopenharmony_ci break; 4158c2ecf20Sopenharmony_ci } 4168c2ecf20Sopenharmony_ci 4178c2ecf20Sopenharmony_ci chacha20_block(chacha_state, buf); 4188c2ecf20Sopenharmony_ci if (unlikely(chacha_state[12] == 0)) 4198c2ecf20Sopenharmony_ci ++chacha_state[13]; 4208c2ecf20Sopenharmony_ci len -= CHACHA_BLOCK_SIZE; 4218c2ecf20Sopenharmony_ci buf += CHACHA_BLOCK_SIZE; 4228c2ecf20Sopenharmony_ci } 4238c2ecf20Sopenharmony_ci 4248c2ecf20Sopenharmony_ci memzero_explicit(chacha_state, sizeof(chacha_state)); 4258c2ecf20Sopenharmony_ci} 4268c2ecf20Sopenharmony_ci 4278c2ecf20Sopenharmony_ci/* 4288c2ecf20Sopenharmony_ci * This function is the exported kernel interface. It returns some 4298c2ecf20Sopenharmony_ci * number of good random numbers, suitable for key generation, seeding 4308c2ecf20Sopenharmony_ci * TCP sequence numbers, etc. It does not rely on the hardware random 4318c2ecf20Sopenharmony_ci * number generator. For random bytes direct from the hardware RNG 4328c2ecf20Sopenharmony_ci * (when available), use get_random_bytes_arch(). In order to ensure 4338c2ecf20Sopenharmony_ci * that the randomness provided by this function is okay, the function 4348c2ecf20Sopenharmony_ci * wait_for_random_bytes() should be called and return 0 at least once 4358c2ecf20Sopenharmony_ci * at any point prior. 4368c2ecf20Sopenharmony_ci */ 4378c2ecf20Sopenharmony_civoid get_random_bytes(void *buf, size_t len) 4388c2ecf20Sopenharmony_ci{ 4398c2ecf20Sopenharmony_ci warn_unseeded_randomness(); 4408c2ecf20Sopenharmony_ci _get_random_bytes(buf, len); 4418c2ecf20Sopenharmony_ci} 4428c2ecf20Sopenharmony_ciEXPORT_SYMBOL(get_random_bytes); 4438c2ecf20Sopenharmony_ci 4448c2ecf20Sopenharmony_cistatic ssize_t get_random_bytes_user(struct iov_iter *iter) 4458c2ecf20Sopenharmony_ci{ 4468c2ecf20Sopenharmony_ci u32 chacha_state[CHACHA_STATE_WORDS]; 4478c2ecf20Sopenharmony_ci u8 block[CHACHA_BLOCK_SIZE]; 4488c2ecf20Sopenharmony_ci size_t ret = 0, copied; 4498c2ecf20Sopenharmony_ci 4508c2ecf20Sopenharmony_ci if (unlikely(!iov_iter_count(iter))) 4518c2ecf20Sopenharmony_ci return 0; 4528c2ecf20Sopenharmony_ci 4538c2ecf20Sopenharmony_ci /* 4548c2ecf20Sopenharmony_ci * Immediately overwrite the ChaCha key at index 4 with random 4558c2ecf20Sopenharmony_ci * bytes, in case userspace causes copy_to_iter() below to sleep 4568c2ecf20Sopenharmony_ci * forever, so that we still retain forward secrecy in that case. 4578c2ecf20Sopenharmony_ci */ 4588c2ecf20Sopenharmony_ci crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE); 4598c2ecf20Sopenharmony_ci /* 4608c2ecf20Sopenharmony_ci * However, if we're doing a read of len <= 32, we don't need to 4618c2ecf20Sopenharmony_ci * use chacha_state after, so we can simply return those bytes to 4628c2ecf20Sopenharmony_ci * the user directly. 4638c2ecf20Sopenharmony_ci */ 4648c2ecf20Sopenharmony_ci if (iov_iter_count(iter) <= CHACHA_KEY_SIZE) { 4658c2ecf20Sopenharmony_ci ret = copy_to_iter(&chacha_state[4], CHACHA_KEY_SIZE, iter); 4668c2ecf20Sopenharmony_ci goto out_zero_chacha; 4678c2ecf20Sopenharmony_ci } 4688c2ecf20Sopenharmony_ci 4698c2ecf20Sopenharmony_ci for (;;) { 4708c2ecf20Sopenharmony_ci chacha20_block(chacha_state, block); 4718c2ecf20Sopenharmony_ci if (unlikely(chacha_state[12] == 0)) 4728c2ecf20Sopenharmony_ci ++chacha_state[13]; 4738c2ecf20Sopenharmony_ci 4748c2ecf20Sopenharmony_ci copied = copy_to_iter(block, sizeof(block), iter); 4758c2ecf20Sopenharmony_ci ret += copied; 4768c2ecf20Sopenharmony_ci if (!iov_iter_count(iter) || copied != sizeof(block)) 4778c2ecf20Sopenharmony_ci break; 4788c2ecf20Sopenharmony_ci 4798c2ecf20Sopenharmony_ci BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0); 4808c2ecf20Sopenharmony_ci if (ret % PAGE_SIZE == 0) { 4818c2ecf20Sopenharmony_ci if (signal_pending(current)) 4828c2ecf20Sopenharmony_ci break; 4838c2ecf20Sopenharmony_ci cond_resched(); 4848c2ecf20Sopenharmony_ci } 4858c2ecf20Sopenharmony_ci } 4868c2ecf20Sopenharmony_ci 4878c2ecf20Sopenharmony_ci memzero_explicit(block, sizeof(block)); 4888c2ecf20Sopenharmony_ciout_zero_chacha: 4898c2ecf20Sopenharmony_ci memzero_explicit(chacha_state, sizeof(chacha_state)); 4908c2ecf20Sopenharmony_ci return ret ? ret : -EFAULT; 4918c2ecf20Sopenharmony_ci} 4928c2ecf20Sopenharmony_ci 4938c2ecf20Sopenharmony_ci/* 4948c2ecf20Sopenharmony_ci * Batched entropy returns random integers. The quality of the random 4958c2ecf20Sopenharmony_ci * number is good as /dev/urandom. In order to ensure that the randomness 4968c2ecf20Sopenharmony_ci * provided by this function is okay, the function wait_for_random_bytes() 4978c2ecf20Sopenharmony_ci * should be called and return 0 at least once at any point prior. 4988c2ecf20Sopenharmony_ci */ 4998c2ecf20Sopenharmony_ci 5008c2ecf20Sopenharmony_ci#define DEFINE_BATCHED_ENTROPY(type) \ 5018c2ecf20Sopenharmony_cistruct batch_ ##type { \ 5028c2ecf20Sopenharmony_ci /* \ 5038c2ecf20Sopenharmony_ci * We make this 1.5x a ChaCha block, so that we get the \ 5048c2ecf20Sopenharmony_ci * remaining 32 bytes from fast key erasure, plus one full \ 5058c2ecf20Sopenharmony_ci * block from the detached ChaCha state. We can increase \ 5068c2ecf20Sopenharmony_ci * the size of this later if needed so long as we keep the \ 5078c2ecf20Sopenharmony_ci * formula of (integer_blocks + 0.5) * CHACHA_BLOCK_SIZE. \ 5088c2ecf20Sopenharmony_ci */ \ 5098c2ecf20Sopenharmony_ci type entropy[CHACHA_BLOCK_SIZE * 3 / (2 * sizeof(type))]; \ 5108c2ecf20Sopenharmony_ci local_lock_t lock; \ 5118c2ecf20Sopenharmony_ci unsigned long generation; \ 5128c2ecf20Sopenharmony_ci unsigned int position; \ 5138c2ecf20Sopenharmony_ci}; \ 5148c2ecf20Sopenharmony_ci \ 5158c2ecf20Sopenharmony_cistatic DEFINE_PER_CPU(struct batch_ ##type, batched_entropy_ ##type) = { \ 5168c2ecf20Sopenharmony_ci .lock = INIT_LOCAL_LOCK(batched_entropy_ ##type.lock), \ 5178c2ecf20Sopenharmony_ci .position = UINT_MAX \ 5188c2ecf20Sopenharmony_ci}; \ 5198c2ecf20Sopenharmony_ci \ 5208c2ecf20Sopenharmony_citype get_random_ ##type(void) \ 5218c2ecf20Sopenharmony_ci{ \ 5228c2ecf20Sopenharmony_ci type ret; \ 5238c2ecf20Sopenharmony_ci unsigned long flags; \ 5248c2ecf20Sopenharmony_ci struct batch_ ##type *batch; \ 5258c2ecf20Sopenharmony_ci unsigned long next_gen; \ 5268c2ecf20Sopenharmony_ci \ 5278c2ecf20Sopenharmony_ci warn_unseeded_randomness(); \ 5288c2ecf20Sopenharmony_ci \ 5298c2ecf20Sopenharmony_ci if (!crng_ready()) { \ 5308c2ecf20Sopenharmony_ci _get_random_bytes(&ret, sizeof(ret)); \ 5318c2ecf20Sopenharmony_ci return ret; \ 5328c2ecf20Sopenharmony_ci } \ 5338c2ecf20Sopenharmony_ci \ 5348c2ecf20Sopenharmony_ci local_lock_irqsave(&batched_entropy_ ##type.lock, flags); \ 5358c2ecf20Sopenharmony_ci batch = raw_cpu_ptr(&batched_entropy_##type); \ 5368c2ecf20Sopenharmony_ci \ 5378c2ecf20Sopenharmony_ci next_gen = READ_ONCE(base_crng.generation); \ 5388c2ecf20Sopenharmony_ci if (batch->position >= ARRAY_SIZE(batch->entropy) || \ 5398c2ecf20Sopenharmony_ci next_gen != batch->generation) { \ 5408c2ecf20Sopenharmony_ci _get_random_bytes(batch->entropy, sizeof(batch->entropy)); \ 5418c2ecf20Sopenharmony_ci batch->position = 0; \ 5428c2ecf20Sopenharmony_ci batch->generation = next_gen; \ 5438c2ecf20Sopenharmony_ci } \ 5448c2ecf20Sopenharmony_ci \ 5458c2ecf20Sopenharmony_ci ret = batch->entropy[batch->position]; \ 5468c2ecf20Sopenharmony_ci batch->entropy[batch->position] = 0; \ 5478c2ecf20Sopenharmony_ci ++batch->position; \ 5488c2ecf20Sopenharmony_ci local_unlock_irqrestore(&batched_entropy_ ##type.lock, flags); \ 5498c2ecf20Sopenharmony_ci return ret; \ 5508c2ecf20Sopenharmony_ci} \ 5518c2ecf20Sopenharmony_ciEXPORT_SYMBOL(get_random_ ##type); 5528c2ecf20Sopenharmony_ci 5538c2ecf20Sopenharmony_ciDEFINE_BATCHED_ENTROPY(u64) 5548c2ecf20Sopenharmony_ciDEFINE_BATCHED_ENTROPY(u32) 5558c2ecf20Sopenharmony_ci 5568c2ecf20Sopenharmony_ci#ifdef CONFIG_SMP 5578c2ecf20Sopenharmony_ci/* 5588c2ecf20Sopenharmony_ci * This function is called when the CPU is coming up, with entry 5598c2ecf20Sopenharmony_ci * CPUHP_RANDOM_PREPARE, which comes before CPUHP_WORKQUEUE_PREP. 5608c2ecf20Sopenharmony_ci */ 5618c2ecf20Sopenharmony_ciint __cold random_prepare_cpu(unsigned int cpu) 5628c2ecf20Sopenharmony_ci{ 5638c2ecf20Sopenharmony_ci /* 5648c2ecf20Sopenharmony_ci * When the cpu comes back online, immediately invalidate both 5658c2ecf20Sopenharmony_ci * the per-cpu crng and all batches, so that we serve fresh 5668c2ecf20Sopenharmony_ci * randomness. 5678c2ecf20Sopenharmony_ci */ 5688c2ecf20Sopenharmony_ci per_cpu_ptr(&crngs, cpu)->generation = ULONG_MAX; 5698c2ecf20Sopenharmony_ci per_cpu_ptr(&batched_entropy_u32, cpu)->position = UINT_MAX; 5708c2ecf20Sopenharmony_ci per_cpu_ptr(&batched_entropy_u64, cpu)->position = UINT_MAX; 5718c2ecf20Sopenharmony_ci return 0; 5728c2ecf20Sopenharmony_ci} 5738c2ecf20Sopenharmony_ci#endif 5748c2ecf20Sopenharmony_ci 5758c2ecf20Sopenharmony_ci/* 5768c2ecf20Sopenharmony_ci * This function will use the architecture-specific hardware random 5778c2ecf20Sopenharmony_ci * number generator if it is available. It is not recommended for 5788c2ecf20Sopenharmony_ci * use. Use get_random_bytes() instead. It returns the number of 5798c2ecf20Sopenharmony_ci * bytes filled in. 5808c2ecf20Sopenharmony_ci */ 5818c2ecf20Sopenharmony_cisize_t __must_check get_random_bytes_arch(void *buf, size_t len) 5828c2ecf20Sopenharmony_ci{ 5838c2ecf20Sopenharmony_ci size_t left = len; 5848c2ecf20Sopenharmony_ci u8 *p = buf; 5858c2ecf20Sopenharmony_ci 5868c2ecf20Sopenharmony_ci while (left) { 5878c2ecf20Sopenharmony_ci unsigned long v; 5888c2ecf20Sopenharmony_ci size_t block_len = min_t(size_t, left, sizeof(unsigned long)); 5898c2ecf20Sopenharmony_ci 5908c2ecf20Sopenharmony_ci if (!arch_get_random_long(&v)) 5918c2ecf20Sopenharmony_ci break; 5928c2ecf20Sopenharmony_ci 5938c2ecf20Sopenharmony_ci memcpy(p, &v, block_len); 5948c2ecf20Sopenharmony_ci p += block_len; 5958c2ecf20Sopenharmony_ci left -= block_len; 5968c2ecf20Sopenharmony_ci } 5978c2ecf20Sopenharmony_ci 5988c2ecf20Sopenharmony_ci return len - left; 5998c2ecf20Sopenharmony_ci} 6008c2ecf20Sopenharmony_ciEXPORT_SYMBOL(get_random_bytes_arch); 6018c2ecf20Sopenharmony_ci 6028c2ecf20Sopenharmony_ci 6038c2ecf20Sopenharmony_ci/********************************************************************** 6048c2ecf20Sopenharmony_ci * 6058c2ecf20Sopenharmony_ci * Entropy accumulation and extraction routines. 6068c2ecf20Sopenharmony_ci * 6078c2ecf20Sopenharmony_ci * Callers may add entropy via: 6088c2ecf20Sopenharmony_ci * 6098c2ecf20Sopenharmony_ci * static void mix_pool_bytes(const void *buf, size_t len) 6108c2ecf20Sopenharmony_ci * 6118c2ecf20Sopenharmony_ci * After which, if added entropy should be credited: 6128c2ecf20Sopenharmony_ci * 6138c2ecf20Sopenharmony_ci * static void credit_init_bits(size_t bits) 6148c2ecf20Sopenharmony_ci * 6158c2ecf20Sopenharmony_ci * Finally, extract entropy via: 6168c2ecf20Sopenharmony_ci * 6178c2ecf20Sopenharmony_ci * static void extract_entropy(void *buf, size_t len) 6188c2ecf20Sopenharmony_ci * 6198c2ecf20Sopenharmony_ci **********************************************************************/ 6208c2ecf20Sopenharmony_ci 6218c2ecf20Sopenharmony_cienum { 6228c2ecf20Sopenharmony_ci POOL_BITS = BLAKE2S_HASH_SIZE * 8, 6238c2ecf20Sopenharmony_ci POOL_READY_BITS = POOL_BITS, /* When crng_init->CRNG_READY */ 6248c2ecf20Sopenharmony_ci POOL_EARLY_BITS = POOL_READY_BITS / 2 /* When crng_init->CRNG_EARLY */ 6258c2ecf20Sopenharmony_ci}; 6268c2ecf20Sopenharmony_ci 6278c2ecf20Sopenharmony_cistatic struct { 6288c2ecf20Sopenharmony_ci struct blake2s_state hash; 6298c2ecf20Sopenharmony_ci spinlock_t lock; 6308c2ecf20Sopenharmony_ci unsigned int init_bits; 6318c2ecf20Sopenharmony_ci} input_pool = { 6328c2ecf20Sopenharmony_ci .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE), 6338c2ecf20Sopenharmony_ci BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4, 6348c2ecf20Sopenharmony_ci BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 }, 6358c2ecf20Sopenharmony_ci .hash.outlen = BLAKE2S_HASH_SIZE, 6368c2ecf20Sopenharmony_ci .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock), 6378c2ecf20Sopenharmony_ci}; 6388c2ecf20Sopenharmony_ci 6398c2ecf20Sopenharmony_cistatic void _mix_pool_bytes(const void *buf, size_t len) 6408c2ecf20Sopenharmony_ci{ 6418c2ecf20Sopenharmony_ci blake2s_update(&input_pool.hash, buf, len); 6428c2ecf20Sopenharmony_ci} 6438c2ecf20Sopenharmony_ci 6448c2ecf20Sopenharmony_ci/* 6458c2ecf20Sopenharmony_ci * This function adds bytes into the input pool. It does not 6468c2ecf20Sopenharmony_ci * update the initialization bit counter; the caller should call 6478c2ecf20Sopenharmony_ci * credit_init_bits if this is appropriate. 6488c2ecf20Sopenharmony_ci */ 6498c2ecf20Sopenharmony_cistatic void mix_pool_bytes(const void *buf, size_t len) 6508c2ecf20Sopenharmony_ci{ 6518c2ecf20Sopenharmony_ci unsigned long flags; 6528c2ecf20Sopenharmony_ci 6538c2ecf20Sopenharmony_ci spin_lock_irqsave(&input_pool.lock, flags); 6548c2ecf20Sopenharmony_ci _mix_pool_bytes(buf, len); 6558c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&input_pool.lock, flags); 6568c2ecf20Sopenharmony_ci} 6578c2ecf20Sopenharmony_ci 6588c2ecf20Sopenharmony_ci/* 6598c2ecf20Sopenharmony_ci * This is an HKDF-like construction for using the hashed collected entropy 6608c2ecf20Sopenharmony_ci * as a PRF key, that's then expanded block-by-block. 6618c2ecf20Sopenharmony_ci */ 6628c2ecf20Sopenharmony_cistatic void extract_entropy(void *buf, size_t len) 6638c2ecf20Sopenharmony_ci{ 6648c2ecf20Sopenharmony_ci unsigned long flags; 6658c2ecf20Sopenharmony_ci u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE]; 6668c2ecf20Sopenharmony_ci struct { 6678c2ecf20Sopenharmony_ci unsigned long rdseed[32 / sizeof(long)]; 6688c2ecf20Sopenharmony_ci size_t counter; 6698c2ecf20Sopenharmony_ci } block; 6708c2ecf20Sopenharmony_ci size_t i; 6718c2ecf20Sopenharmony_ci 6728c2ecf20Sopenharmony_ci for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) { 6738c2ecf20Sopenharmony_ci if (!arch_get_random_seed_long(&block.rdseed[i]) && 6748c2ecf20Sopenharmony_ci !arch_get_random_long(&block.rdseed[i])) 6758c2ecf20Sopenharmony_ci block.rdseed[i] = random_get_entropy(); 6768c2ecf20Sopenharmony_ci } 6778c2ecf20Sopenharmony_ci 6788c2ecf20Sopenharmony_ci spin_lock_irqsave(&input_pool.lock, flags); 6798c2ecf20Sopenharmony_ci 6808c2ecf20Sopenharmony_ci /* seed = HASHPRF(last_key, entropy_input) */ 6818c2ecf20Sopenharmony_ci blake2s_final(&input_pool.hash, seed); 6828c2ecf20Sopenharmony_ci 6838c2ecf20Sopenharmony_ci /* next_key = HASHPRF(seed, RDSEED || 0) */ 6848c2ecf20Sopenharmony_ci block.counter = 0; 6858c2ecf20Sopenharmony_ci blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed)); 6868c2ecf20Sopenharmony_ci blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key)); 6878c2ecf20Sopenharmony_ci 6888c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&input_pool.lock, flags); 6898c2ecf20Sopenharmony_ci memzero_explicit(next_key, sizeof(next_key)); 6908c2ecf20Sopenharmony_ci 6918c2ecf20Sopenharmony_ci while (len) { 6928c2ecf20Sopenharmony_ci i = min_t(size_t, len, BLAKE2S_HASH_SIZE); 6938c2ecf20Sopenharmony_ci /* output = HASHPRF(seed, RDSEED || ++counter) */ 6948c2ecf20Sopenharmony_ci ++block.counter; 6958c2ecf20Sopenharmony_ci blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed)); 6968c2ecf20Sopenharmony_ci len -= i; 6978c2ecf20Sopenharmony_ci buf += i; 6988c2ecf20Sopenharmony_ci } 6998c2ecf20Sopenharmony_ci 7008c2ecf20Sopenharmony_ci memzero_explicit(seed, sizeof(seed)); 7018c2ecf20Sopenharmony_ci memzero_explicit(&block, sizeof(block)); 7028c2ecf20Sopenharmony_ci} 7038c2ecf20Sopenharmony_ci 7048c2ecf20Sopenharmony_ci#define credit_init_bits(bits) if (!crng_ready()) _credit_init_bits(bits) 7058c2ecf20Sopenharmony_ci 7068c2ecf20Sopenharmony_cistatic void __cold _credit_init_bits(size_t bits) 7078c2ecf20Sopenharmony_ci{ 7088c2ecf20Sopenharmony_ci unsigned int new, orig, add; 7098c2ecf20Sopenharmony_ci unsigned long flags; 7108c2ecf20Sopenharmony_ci 7118c2ecf20Sopenharmony_ci if (!bits) 7128c2ecf20Sopenharmony_ci return; 7138c2ecf20Sopenharmony_ci 7148c2ecf20Sopenharmony_ci add = min_t(size_t, bits, POOL_BITS); 7158c2ecf20Sopenharmony_ci 7168c2ecf20Sopenharmony_ci do { 7178c2ecf20Sopenharmony_ci orig = READ_ONCE(input_pool.init_bits); 7188c2ecf20Sopenharmony_ci new = min_t(unsigned int, POOL_BITS, orig + add); 7198c2ecf20Sopenharmony_ci } while (cmpxchg(&input_pool.init_bits, orig, new) != orig); 7208c2ecf20Sopenharmony_ci 7218c2ecf20Sopenharmony_ci if (orig < POOL_READY_BITS && new >= POOL_READY_BITS) { 7228c2ecf20Sopenharmony_ci crng_reseed(); /* Sets crng_init to CRNG_READY under base_crng.lock. */ 7238c2ecf20Sopenharmony_ci process_random_ready_list(); 7248c2ecf20Sopenharmony_ci wake_up_interruptible(&crng_init_wait); 7258c2ecf20Sopenharmony_ci kill_fasync(&fasync, SIGIO, POLL_IN); 7268c2ecf20Sopenharmony_ci pr_notice("crng init done\n"); 7278c2ecf20Sopenharmony_ci if (urandom_warning.missed) 7288c2ecf20Sopenharmony_ci pr_notice("%d urandom warning(s) missed due to ratelimiting\n", 7298c2ecf20Sopenharmony_ci urandom_warning.missed); 7308c2ecf20Sopenharmony_ci } else if (orig < POOL_EARLY_BITS && new >= POOL_EARLY_BITS) { 7318c2ecf20Sopenharmony_ci spin_lock_irqsave(&base_crng.lock, flags); 7328c2ecf20Sopenharmony_ci /* Check if crng_init is CRNG_EMPTY, to avoid race with crng_reseed(). */ 7338c2ecf20Sopenharmony_ci if (crng_init == CRNG_EMPTY) { 7348c2ecf20Sopenharmony_ci extract_entropy(base_crng.key, sizeof(base_crng.key)); 7358c2ecf20Sopenharmony_ci crng_init = CRNG_EARLY; 7368c2ecf20Sopenharmony_ci } 7378c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&base_crng.lock, flags); 7388c2ecf20Sopenharmony_ci } 7398c2ecf20Sopenharmony_ci} 7408c2ecf20Sopenharmony_ci 7418c2ecf20Sopenharmony_ci 7428c2ecf20Sopenharmony_ci/********************************************************************** 7438c2ecf20Sopenharmony_ci * 7448c2ecf20Sopenharmony_ci * Entropy collection routines. 7458c2ecf20Sopenharmony_ci * 7468c2ecf20Sopenharmony_ci * The following exported functions are used for pushing entropy into 7478c2ecf20Sopenharmony_ci * the above entropy accumulation routines: 7488c2ecf20Sopenharmony_ci * 7498c2ecf20Sopenharmony_ci * void add_device_randomness(const void *buf, size_t len); 7508c2ecf20Sopenharmony_ci * void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy); 7518c2ecf20Sopenharmony_ci * void add_bootloader_randomness(const void *buf, size_t len); 7528c2ecf20Sopenharmony_ci * void add_interrupt_randomness(int irq); 7538c2ecf20Sopenharmony_ci * void add_input_randomness(unsigned int type, unsigned int code, unsigned int value); 7548c2ecf20Sopenharmony_ci * void add_disk_randomness(struct gendisk *disk); 7558c2ecf20Sopenharmony_ci * 7568c2ecf20Sopenharmony_ci * add_device_randomness() adds data to the input pool that 7578c2ecf20Sopenharmony_ci * is likely to differ between two devices (or possibly even per boot). 7588c2ecf20Sopenharmony_ci * This would be things like MAC addresses or serial numbers, or the 7598c2ecf20Sopenharmony_ci * read-out of the RTC. This does *not* credit any actual entropy to 7608c2ecf20Sopenharmony_ci * the pool, but it initializes the pool to different values for devices 7618c2ecf20Sopenharmony_ci * that might otherwise be identical and have very little entropy 7628c2ecf20Sopenharmony_ci * available to them (particularly common in the embedded world). 7638c2ecf20Sopenharmony_ci * 7648c2ecf20Sopenharmony_ci * add_hwgenerator_randomness() is for true hardware RNGs, and will credit 7658c2ecf20Sopenharmony_ci * entropy as specified by the caller. If the entropy pool is full it will 7668c2ecf20Sopenharmony_ci * block until more entropy is needed. 7678c2ecf20Sopenharmony_ci * 7688c2ecf20Sopenharmony_ci * add_bootloader_randomness() is called by bootloader drivers, such as EFI 7698c2ecf20Sopenharmony_ci * and device tree, and credits its input depending on whether or not the 7708c2ecf20Sopenharmony_ci * configuration option CONFIG_RANDOM_TRUST_BOOTLOADER is set. 7718c2ecf20Sopenharmony_ci * 7728c2ecf20Sopenharmony_ci * add_interrupt_randomness() uses the interrupt timing as random 7738c2ecf20Sopenharmony_ci * inputs to the entropy pool. Using the cycle counters and the irq source 7748c2ecf20Sopenharmony_ci * as inputs, it feeds the input pool roughly once a second or after 64 7758c2ecf20Sopenharmony_ci * interrupts, crediting 1 bit of entropy for whichever comes first. 7768c2ecf20Sopenharmony_ci * 7778c2ecf20Sopenharmony_ci * add_input_randomness() uses the input layer interrupt timing, as well 7788c2ecf20Sopenharmony_ci * as the event type information from the hardware. 7798c2ecf20Sopenharmony_ci * 7808c2ecf20Sopenharmony_ci * add_disk_randomness() uses what amounts to the seek time of block 7818c2ecf20Sopenharmony_ci * layer request events, on a per-disk_devt basis, as input to the 7828c2ecf20Sopenharmony_ci * entropy pool. Note that high-speed solid state drives with very low 7838c2ecf20Sopenharmony_ci * seek times do not make for good sources of entropy, as their seek 7848c2ecf20Sopenharmony_ci * times are usually fairly consistent. 7858c2ecf20Sopenharmony_ci * 7868c2ecf20Sopenharmony_ci * The last two routines try to estimate how many bits of entropy 7878c2ecf20Sopenharmony_ci * to credit. They do this by keeping track of the first and second 7888c2ecf20Sopenharmony_ci * order deltas of the event timings. 7898c2ecf20Sopenharmony_ci * 7908c2ecf20Sopenharmony_ci **********************************************************************/ 7918c2ecf20Sopenharmony_ci 7928c2ecf20Sopenharmony_cistatic bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU); 7938c2ecf20Sopenharmony_cistatic bool trust_bootloader __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER); 7948c2ecf20Sopenharmony_cistatic int __init parse_trust_cpu(char *arg) 7958c2ecf20Sopenharmony_ci{ 7968c2ecf20Sopenharmony_ci return kstrtobool(arg, &trust_cpu); 7978c2ecf20Sopenharmony_ci} 7988c2ecf20Sopenharmony_cistatic int __init parse_trust_bootloader(char *arg) 7998c2ecf20Sopenharmony_ci{ 8008c2ecf20Sopenharmony_ci return kstrtobool(arg, &trust_bootloader); 8018c2ecf20Sopenharmony_ci} 8028c2ecf20Sopenharmony_ciearly_param("random.trust_cpu", parse_trust_cpu); 8038c2ecf20Sopenharmony_ciearly_param("random.trust_bootloader", parse_trust_bootloader); 8048c2ecf20Sopenharmony_ci 8058c2ecf20Sopenharmony_ci/* 8068c2ecf20Sopenharmony_ci * The first collection of entropy occurs at system boot while interrupts 8078c2ecf20Sopenharmony_ci * are still turned off. Here we push in latent entropy, RDSEED, a timestamp, 8088c2ecf20Sopenharmony_ci * utsname(), and the command line. Depending on the above configuration knob, 8098c2ecf20Sopenharmony_ci * RDSEED may be considered sufficient for initialization. Note that much 8108c2ecf20Sopenharmony_ci * earlier setup may already have pushed entropy into the input pool by the 8118c2ecf20Sopenharmony_ci * time we get here. 8128c2ecf20Sopenharmony_ci */ 8138c2ecf20Sopenharmony_ciint __init random_init(const char *command_line) 8148c2ecf20Sopenharmony_ci{ 8158c2ecf20Sopenharmony_ci ktime_t now = ktime_get_real(); 8168c2ecf20Sopenharmony_ci unsigned int i, arch_bytes; 8178c2ecf20Sopenharmony_ci unsigned long entropy; 8188c2ecf20Sopenharmony_ci 8198c2ecf20Sopenharmony_ci#if defined(LATENT_ENTROPY_PLUGIN) 8208c2ecf20Sopenharmony_ci static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy; 8218c2ecf20Sopenharmony_ci _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed)); 8228c2ecf20Sopenharmony_ci#endif 8238c2ecf20Sopenharmony_ci 8248c2ecf20Sopenharmony_ci for (i = 0, arch_bytes = BLAKE2S_BLOCK_SIZE; 8258c2ecf20Sopenharmony_ci i < BLAKE2S_BLOCK_SIZE; i += sizeof(entropy)) { 8268c2ecf20Sopenharmony_ci if (!arch_get_random_seed_long_early(&entropy) && 8278c2ecf20Sopenharmony_ci !arch_get_random_long_early(&entropy)) { 8288c2ecf20Sopenharmony_ci entropy = random_get_entropy(); 8298c2ecf20Sopenharmony_ci arch_bytes -= sizeof(entropy); 8308c2ecf20Sopenharmony_ci } 8318c2ecf20Sopenharmony_ci _mix_pool_bytes(&entropy, sizeof(entropy)); 8328c2ecf20Sopenharmony_ci } 8338c2ecf20Sopenharmony_ci _mix_pool_bytes(&now, sizeof(now)); 8348c2ecf20Sopenharmony_ci _mix_pool_bytes(utsname(), sizeof(*(utsname()))); 8358c2ecf20Sopenharmony_ci _mix_pool_bytes(command_line, strlen(command_line)); 8368c2ecf20Sopenharmony_ci add_latent_entropy(); 8378c2ecf20Sopenharmony_ci 8388c2ecf20Sopenharmony_ci if (crng_ready()) 8398c2ecf20Sopenharmony_ci crng_reseed(); 8408c2ecf20Sopenharmony_ci else if (trust_cpu) 8418c2ecf20Sopenharmony_ci credit_init_bits(arch_bytes * 8); 8428c2ecf20Sopenharmony_ci 8438c2ecf20Sopenharmony_ci return 0; 8448c2ecf20Sopenharmony_ci} 8458c2ecf20Sopenharmony_ci 8468c2ecf20Sopenharmony_ci/* 8478c2ecf20Sopenharmony_ci * Add device- or boot-specific data to the input pool to help 8488c2ecf20Sopenharmony_ci * initialize it. 8498c2ecf20Sopenharmony_ci * 8508c2ecf20Sopenharmony_ci * None of this adds any entropy; it is meant to avoid the problem of 8518c2ecf20Sopenharmony_ci * the entropy pool having similar initial state across largely 8528c2ecf20Sopenharmony_ci * identical devices. 8538c2ecf20Sopenharmony_ci */ 8548c2ecf20Sopenharmony_civoid add_device_randomness(const void *buf, size_t len) 8558c2ecf20Sopenharmony_ci{ 8568c2ecf20Sopenharmony_ci unsigned long entropy = random_get_entropy(); 8578c2ecf20Sopenharmony_ci unsigned long flags; 8588c2ecf20Sopenharmony_ci 8598c2ecf20Sopenharmony_ci spin_lock_irqsave(&input_pool.lock, flags); 8608c2ecf20Sopenharmony_ci _mix_pool_bytes(&entropy, sizeof(entropy)); 8618c2ecf20Sopenharmony_ci _mix_pool_bytes(buf, len); 8628c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&input_pool.lock, flags); 8638c2ecf20Sopenharmony_ci} 8648c2ecf20Sopenharmony_ciEXPORT_SYMBOL(add_device_randomness); 8658c2ecf20Sopenharmony_ci 8668c2ecf20Sopenharmony_ci/* 8678c2ecf20Sopenharmony_ci * Interface for in-kernel drivers of true hardware RNGs. 8688c2ecf20Sopenharmony_ci * Those devices may produce endless random bits and will be throttled 8698c2ecf20Sopenharmony_ci * when our pool is full. 8708c2ecf20Sopenharmony_ci */ 8718c2ecf20Sopenharmony_civoid add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy) 8728c2ecf20Sopenharmony_ci{ 8738c2ecf20Sopenharmony_ci mix_pool_bytes(buf, len); 8748c2ecf20Sopenharmony_ci credit_init_bits(entropy); 8758c2ecf20Sopenharmony_ci 8768c2ecf20Sopenharmony_ci /* 8778c2ecf20Sopenharmony_ci * Throttle writing to once every CRNG_RESEED_INTERVAL, unless 8788c2ecf20Sopenharmony_ci * we're not yet initialized. 8798c2ecf20Sopenharmony_ci */ 8808c2ecf20Sopenharmony_ci if (!kthread_should_stop() && crng_ready()) 8818c2ecf20Sopenharmony_ci schedule_timeout_interruptible(CRNG_RESEED_INTERVAL); 8828c2ecf20Sopenharmony_ci} 8838c2ecf20Sopenharmony_ciEXPORT_SYMBOL_GPL(add_hwgenerator_randomness); 8848c2ecf20Sopenharmony_ci 8858c2ecf20Sopenharmony_ci/* 8868c2ecf20Sopenharmony_ci * Handle random seed passed by bootloader, and credit it if 8878c2ecf20Sopenharmony_ci * CONFIG_RANDOM_TRUST_BOOTLOADER is set. 8888c2ecf20Sopenharmony_ci */ 8898c2ecf20Sopenharmony_civoid __cold add_bootloader_randomness(const void *buf, size_t len) 8908c2ecf20Sopenharmony_ci{ 8918c2ecf20Sopenharmony_ci mix_pool_bytes(buf, len); 8928c2ecf20Sopenharmony_ci if (trust_bootloader) 8938c2ecf20Sopenharmony_ci credit_init_bits(len * 8); 8948c2ecf20Sopenharmony_ci} 8958c2ecf20Sopenharmony_ciEXPORT_SYMBOL_GPL(add_bootloader_randomness); 8968c2ecf20Sopenharmony_ci 8978c2ecf20Sopenharmony_cistruct fast_pool { 8988c2ecf20Sopenharmony_ci unsigned long pool[4]; 8998c2ecf20Sopenharmony_ci unsigned long last; 9008c2ecf20Sopenharmony_ci unsigned int count; 9018c2ecf20Sopenharmony_ci struct timer_list mix; 9028c2ecf20Sopenharmony_ci}; 9038c2ecf20Sopenharmony_ci 9048c2ecf20Sopenharmony_cistatic void mix_interrupt_randomness(struct timer_list *work); 9058c2ecf20Sopenharmony_ci 9068c2ecf20Sopenharmony_cistatic DEFINE_PER_CPU(struct fast_pool, irq_randomness) = { 9078c2ecf20Sopenharmony_ci#ifdef CONFIG_64BIT 9088c2ecf20Sopenharmony_ci#define FASTMIX_PERM SIPHASH_PERMUTATION 9098c2ecf20Sopenharmony_ci .pool = { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CONST_3 }, 9108c2ecf20Sopenharmony_ci#else 9118c2ecf20Sopenharmony_ci#define FASTMIX_PERM HSIPHASH_PERMUTATION 9128c2ecf20Sopenharmony_ci .pool = { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHASH_CONST_3 }, 9138c2ecf20Sopenharmony_ci#endif 9148c2ecf20Sopenharmony_ci .mix = __TIMER_INITIALIZER(mix_interrupt_randomness, 0) 9158c2ecf20Sopenharmony_ci}; 9168c2ecf20Sopenharmony_ci 9178c2ecf20Sopenharmony_ci/* 9188c2ecf20Sopenharmony_ci * This is [Half]SipHash-1-x, starting from an empty key. Because 9198c2ecf20Sopenharmony_ci * the key is fixed, it assumes that its inputs are non-malicious, 9208c2ecf20Sopenharmony_ci * and therefore this has no security on its own. s represents the 9218c2ecf20Sopenharmony_ci * four-word SipHash state, while v represents a two-word input. 9228c2ecf20Sopenharmony_ci */ 9238c2ecf20Sopenharmony_cistatic void fast_mix(unsigned long s[4], unsigned long v1, unsigned long v2) 9248c2ecf20Sopenharmony_ci{ 9258c2ecf20Sopenharmony_ci s[3] ^= v1; 9268c2ecf20Sopenharmony_ci FASTMIX_PERM(s[0], s[1], s[2], s[3]); 9278c2ecf20Sopenharmony_ci s[0] ^= v1; 9288c2ecf20Sopenharmony_ci s[3] ^= v2; 9298c2ecf20Sopenharmony_ci FASTMIX_PERM(s[0], s[1], s[2], s[3]); 9308c2ecf20Sopenharmony_ci s[0] ^= v2; 9318c2ecf20Sopenharmony_ci} 9328c2ecf20Sopenharmony_ci 9338c2ecf20Sopenharmony_ci#ifdef CONFIG_SMP 9348c2ecf20Sopenharmony_ci/* 9358c2ecf20Sopenharmony_ci * This function is called when the CPU has just come online, with 9368c2ecf20Sopenharmony_ci * entry CPUHP_AP_RANDOM_ONLINE, just after CPUHP_AP_WORKQUEUE_ONLINE. 9378c2ecf20Sopenharmony_ci */ 9388c2ecf20Sopenharmony_ciint __cold random_online_cpu(unsigned int cpu) 9398c2ecf20Sopenharmony_ci{ 9408c2ecf20Sopenharmony_ci /* 9418c2ecf20Sopenharmony_ci * During CPU shutdown and before CPU onlining, add_interrupt_ 9428c2ecf20Sopenharmony_ci * randomness() may schedule mix_interrupt_randomness(), and 9438c2ecf20Sopenharmony_ci * set the MIX_INFLIGHT flag. However, because the worker can 9448c2ecf20Sopenharmony_ci * be scheduled on a different CPU during this period, that 9458c2ecf20Sopenharmony_ci * flag will never be cleared. For that reason, we zero out 9468c2ecf20Sopenharmony_ci * the flag here, which runs just after workqueues are onlined 9478c2ecf20Sopenharmony_ci * for the CPU again. This also has the effect of setting the 9488c2ecf20Sopenharmony_ci * irq randomness count to zero so that new accumulated irqs 9498c2ecf20Sopenharmony_ci * are fresh. 9508c2ecf20Sopenharmony_ci */ 9518c2ecf20Sopenharmony_ci per_cpu_ptr(&irq_randomness, cpu)->count = 0; 9528c2ecf20Sopenharmony_ci return 0; 9538c2ecf20Sopenharmony_ci} 9548c2ecf20Sopenharmony_ci#endif 9558c2ecf20Sopenharmony_ci 9568c2ecf20Sopenharmony_cistatic void mix_interrupt_randomness(struct timer_list *work) 9578c2ecf20Sopenharmony_ci{ 9588c2ecf20Sopenharmony_ci struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix); 9598c2ecf20Sopenharmony_ci /* 9608c2ecf20Sopenharmony_ci * The size of the copied stack pool is explicitly 2 longs so that we 9618c2ecf20Sopenharmony_ci * only ever ingest half of the siphash output each time, retaining 9628c2ecf20Sopenharmony_ci * the other half as the next "key" that carries over. The entropy is 9638c2ecf20Sopenharmony_ci * supposed to be sufficiently dispersed between bits so on average 9648c2ecf20Sopenharmony_ci * we don't wind up "losing" some. 9658c2ecf20Sopenharmony_ci */ 9668c2ecf20Sopenharmony_ci unsigned long pool[2]; 9678c2ecf20Sopenharmony_ci unsigned int count; 9688c2ecf20Sopenharmony_ci 9698c2ecf20Sopenharmony_ci /* Check to see if we're running on the wrong CPU due to hotplug. */ 9708c2ecf20Sopenharmony_ci local_irq_disable(); 9718c2ecf20Sopenharmony_ci if (fast_pool != this_cpu_ptr(&irq_randomness)) { 9728c2ecf20Sopenharmony_ci local_irq_enable(); 9738c2ecf20Sopenharmony_ci return; 9748c2ecf20Sopenharmony_ci } 9758c2ecf20Sopenharmony_ci 9768c2ecf20Sopenharmony_ci /* 9778c2ecf20Sopenharmony_ci * Copy the pool to the stack so that the mixer always has a 9788c2ecf20Sopenharmony_ci * consistent view, before we reenable irqs again. 9798c2ecf20Sopenharmony_ci */ 9808c2ecf20Sopenharmony_ci memcpy(pool, fast_pool->pool, sizeof(pool)); 9818c2ecf20Sopenharmony_ci count = fast_pool->count; 9828c2ecf20Sopenharmony_ci fast_pool->count = 0; 9838c2ecf20Sopenharmony_ci fast_pool->last = jiffies; 9848c2ecf20Sopenharmony_ci local_irq_enable(); 9858c2ecf20Sopenharmony_ci 9868c2ecf20Sopenharmony_ci mix_pool_bytes(pool, sizeof(pool)); 9878c2ecf20Sopenharmony_ci credit_init_bits(clamp_t(unsigned int, (count & U16_MAX) / 64, 1, sizeof(pool) * 8)); 9888c2ecf20Sopenharmony_ci 9898c2ecf20Sopenharmony_ci memzero_explicit(pool, sizeof(pool)); 9908c2ecf20Sopenharmony_ci} 9918c2ecf20Sopenharmony_ci 9928c2ecf20Sopenharmony_civoid add_interrupt_randomness(int irq) 9938c2ecf20Sopenharmony_ci{ 9948c2ecf20Sopenharmony_ci enum { MIX_INFLIGHT = 1U << 31 }; 9958c2ecf20Sopenharmony_ci unsigned long entropy = random_get_entropy(); 9968c2ecf20Sopenharmony_ci struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness); 9978c2ecf20Sopenharmony_ci struct pt_regs *regs = get_irq_regs(); 9988c2ecf20Sopenharmony_ci unsigned int new_count; 9998c2ecf20Sopenharmony_ci 10008c2ecf20Sopenharmony_ci fast_mix(fast_pool->pool, entropy, 10018c2ecf20Sopenharmony_ci (regs ? instruction_pointer(regs) : _RET_IP_) ^ swab(irq)); 10028c2ecf20Sopenharmony_ci new_count = ++fast_pool->count; 10038c2ecf20Sopenharmony_ci 10048c2ecf20Sopenharmony_ci if (new_count & MIX_INFLIGHT) 10058c2ecf20Sopenharmony_ci return; 10068c2ecf20Sopenharmony_ci 10078c2ecf20Sopenharmony_ci if (new_count < 1024 && !time_is_before_jiffies(fast_pool->last + HZ)) 10088c2ecf20Sopenharmony_ci return; 10098c2ecf20Sopenharmony_ci 10108c2ecf20Sopenharmony_ci fast_pool->count |= MIX_INFLIGHT; 10118c2ecf20Sopenharmony_ci if (!timer_pending(&fast_pool->mix)) { 10128c2ecf20Sopenharmony_ci fast_pool->mix.expires = jiffies; 10138c2ecf20Sopenharmony_ci add_timer_on(&fast_pool->mix, raw_smp_processor_id()); 10148c2ecf20Sopenharmony_ci } 10158c2ecf20Sopenharmony_ci} 10168c2ecf20Sopenharmony_ciEXPORT_SYMBOL_GPL(add_interrupt_randomness); 10178c2ecf20Sopenharmony_ci 10188c2ecf20Sopenharmony_ci/* There is one of these per entropy source */ 10198c2ecf20Sopenharmony_cistruct timer_rand_state { 10208c2ecf20Sopenharmony_ci unsigned long last_time; 10218c2ecf20Sopenharmony_ci long last_delta, last_delta2; 10228c2ecf20Sopenharmony_ci}; 10238c2ecf20Sopenharmony_ci 10248c2ecf20Sopenharmony_ci/* 10258c2ecf20Sopenharmony_ci * This function adds entropy to the entropy "pool" by using timing 10268c2ecf20Sopenharmony_ci * delays. It uses the timer_rand_state structure to make an estimate 10278c2ecf20Sopenharmony_ci * of how many bits of entropy this call has added to the pool. The 10288c2ecf20Sopenharmony_ci * value "num" is also added to the pool; it should somehow describe 10298c2ecf20Sopenharmony_ci * the type of event that just happened. 10308c2ecf20Sopenharmony_ci */ 10318c2ecf20Sopenharmony_cistatic void add_timer_randomness(struct timer_rand_state *state, unsigned int num) 10328c2ecf20Sopenharmony_ci{ 10338c2ecf20Sopenharmony_ci unsigned long entropy = random_get_entropy(), now = jiffies, flags; 10348c2ecf20Sopenharmony_ci long delta, delta2, delta3; 10358c2ecf20Sopenharmony_ci unsigned int bits; 10368c2ecf20Sopenharmony_ci 10378c2ecf20Sopenharmony_ci /* 10388c2ecf20Sopenharmony_ci * If we're in a hard IRQ, add_interrupt_randomness() will be called 10398c2ecf20Sopenharmony_ci * sometime after, so mix into the fast pool. 10408c2ecf20Sopenharmony_ci */ 10418c2ecf20Sopenharmony_ci if (in_irq()) { 10428c2ecf20Sopenharmony_ci fast_mix(this_cpu_ptr(&irq_randomness)->pool, entropy, num); 10438c2ecf20Sopenharmony_ci } else { 10448c2ecf20Sopenharmony_ci spin_lock_irqsave(&input_pool.lock, flags); 10458c2ecf20Sopenharmony_ci _mix_pool_bytes(&entropy, sizeof(entropy)); 10468c2ecf20Sopenharmony_ci _mix_pool_bytes(&num, sizeof(num)); 10478c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&input_pool.lock, flags); 10488c2ecf20Sopenharmony_ci } 10498c2ecf20Sopenharmony_ci 10508c2ecf20Sopenharmony_ci if (crng_ready()) 10518c2ecf20Sopenharmony_ci return; 10528c2ecf20Sopenharmony_ci 10538c2ecf20Sopenharmony_ci /* 10548c2ecf20Sopenharmony_ci * Calculate number of bits of randomness we probably added. 10558c2ecf20Sopenharmony_ci * We take into account the first, second and third-order deltas 10568c2ecf20Sopenharmony_ci * in order to make our estimate. 10578c2ecf20Sopenharmony_ci */ 10588c2ecf20Sopenharmony_ci delta = now - READ_ONCE(state->last_time); 10598c2ecf20Sopenharmony_ci WRITE_ONCE(state->last_time, now); 10608c2ecf20Sopenharmony_ci 10618c2ecf20Sopenharmony_ci delta2 = delta - READ_ONCE(state->last_delta); 10628c2ecf20Sopenharmony_ci WRITE_ONCE(state->last_delta, delta); 10638c2ecf20Sopenharmony_ci 10648c2ecf20Sopenharmony_ci delta3 = delta2 - READ_ONCE(state->last_delta2); 10658c2ecf20Sopenharmony_ci WRITE_ONCE(state->last_delta2, delta2); 10668c2ecf20Sopenharmony_ci 10678c2ecf20Sopenharmony_ci if (delta < 0) 10688c2ecf20Sopenharmony_ci delta = -delta; 10698c2ecf20Sopenharmony_ci if (delta2 < 0) 10708c2ecf20Sopenharmony_ci delta2 = -delta2; 10718c2ecf20Sopenharmony_ci if (delta3 < 0) 10728c2ecf20Sopenharmony_ci delta3 = -delta3; 10738c2ecf20Sopenharmony_ci if (delta > delta2) 10748c2ecf20Sopenharmony_ci delta = delta2; 10758c2ecf20Sopenharmony_ci if (delta > delta3) 10768c2ecf20Sopenharmony_ci delta = delta3; 10778c2ecf20Sopenharmony_ci 10788c2ecf20Sopenharmony_ci /* 10798c2ecf20Sopenharmony_ci * delta is now minimum absolute delta. Round down by 1 bit 10808c2ecf20Sopenharmony_ci * on general principles, and limit entropy estimate to 11 bits. 10818c2ecf20Sopenharmony_ci */ 10828c2ecf20Sopenharmony_ci bits = min(fls(delta >> 1), 11); 10838c2ecf20Sopenharmony_ci 10848c2ecf20Sopenharmony_ci /* 10858c2ecf20Sopenharmony_ci * As mentioned above, if we're in a hard IRQ, add_interrupt_randomness() 10868c2ecf20Sopenharmony_ci * will run after this, which uses a different crediting scheme of 1 bit 10878c2ecf20Sopenharmony_ci * per every 64 interrupts. In order to let that function do accounting 10888c2ecf20Sopenharmony_ci * close to the one in this function, we credit a full 64/64 bit per bit, 10898c2ecf20Sopenharmony_ci * and then subtract one to account for the extra one added. 10908c2ecf20Sopenharmony_ci */ 10918c2ecf20Sopenharmony_ci if (in_irq()) 10928c2ecf20Sopenharmony_ci this_cpu_ptr(&irq_randomness)->count += max(1u, bits * 64) - 1; 10938c2ecf20Sopenharmony_ci else 10948c2ecf20Sopenharmony_ci _credit_init_bits(bits); 10958c2ecf20Sopenharmony_ci} 10968c2ecf20Sopenharmony_ci 10978c2ecf20Sopenharmony_civoid add_input_randomness(unsigned int type, unsigned int code, unsigned int value) 10988c2ecf20Sopenharmony_ci{ 10998c2ecf20Sopenharmony_ci static unsigned char last_value; 11008c2ecf20Sopenharmony_ci static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES }; 11018c2ecf20Sopenharmony_ci 11028c2ecf20Sopenharmony_ci /* Ignore autorepeat and the like. */ 11038c2ecf20Sopenharmony_ci if (value == last_value) 11048c2ecf20Sopenharmony_ci return; 11058c2ecf20Sopenharmony_ci 11068c2ecf20Sopenharmony_ci last_value = value; 11078c2ecf20Sopenharmony_ci add_timer_randomness(&input_timer_state, 11088c2ecf20Sopenharmony_ci (type << 4) ^ code ^ (code >> 4) ^ value); 11098c2ecf20Sopenharmony_ci} 11108c2ecf20Sopenharmony_ciEXPORT_SYMBOL_GPL(add_input_randomness); 11118c2ecf20Sopenharmony_ci 11128c2ecf20Sopenharmony_ci#ifdef CONFIG_BLOCK 11138c2ecf20Sopenharmony_civoid add_disk_randomness(struct gendisk *disk) 11148c2ecf20Sopenharmony_ci{ 11158c2ecf20Sopenharmony_ci if (!disk || !disk->random) 11168c2ecf20Sopenharmony_ci return; 11178c2ecf20Sopenharmony_ci /* First major is 1, so we get >= 0x200 here. */ 11188c2ecf20Sopenharmony_ci add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); 11198c2ecf20Sopenharmony_ci} 11208c2ecf20Sopenharmony_ciEXPORT_SYMBOL_GPL(add_disk_randomness); 11218c2ecf20Sopenharmony_ci 11228c2ecf20Sopenharmony_civoid __cold rand_initialize_disk(struct gendisk *disk) 11238c2ecf20Sopenharmony_ci{ 11248c2ecf20Sopenharmony_ci struct timer_rand_state *state; 11258c2ecf20Sopenharmony_ci 11268c2ecf20Sopenharmony_ci /* 11278c2ecf20Sopenharmony_ci * If kzalloc returns null, we just won't use that entropy 11288c2ecf20Sopenharmony_ci * source. 11298c2ecf20Sopenharmony_ci */ 11308c2ecf20Sopenharmony_ci state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL); 11318c2ecf20Sopenharmony_ci if (state) { 11328c2ecf20Sopenharmony_ci state->last_time = INITIAL_JIFFIES; 11338c2ecf20Sopenharmony_ci disk->random = state; 11348c2ecf20Sopenharmony_ci } 11358c2ecf20Sopenharmony_ci} 11368c2ecf20Sopenharmony_ci#endif 11378c2ecf20Sopenharmony_ci 11388c2ecf20Sopenharmony_ci/* 11398c2ecf20Sopenharmony_ci * Each time the timer fires, we expect that we got an unpredictable 11408c2ecf20Sopenharmony_ci * jump in the cycle counter. Even if the timer is running on another 11418c2ecf20Sopenharmony_ci * CPU, the timer activity will be touching the stack of the CPU that is 11428c2ecf20Sopenharmony_ci * generating entropy.. 11438c2ecf20Sopenharmony_ci * 11448c2ecf20Sopenharmony_ci * Note that we don't re-arm the timer in the timer itself - we are 11458c2ecf20Sopenharmony_ci * happy to be scheduled away, since that just makes the load more 11468c2ecf20Sopenharmony_ci * complex, but we do not want the timer to keep ticking unless the 11478c2ecf20Sopenharmony_ci * entropy loop is running. 11488c2ecf20Sopenharmony_ci * 11498c2ecf20Sopenharmony_ci * So the re-arming always happens in the entropy loop itself. 11508c2ecf20Sopenharmony_ci */ 11518c2ecf20Sopenharmony_cistatic void __cold entropy_timer(struct timer_list *t) 11528c2ecf20Sopenharmony_ci{ 11538c2ecf20Sopenharmony_ci credit_init_bits(1); 11548c2ecf20Sopenharmony_ci} 11558c2ecf20Sopenharmony_ci 11568c2ecf20Sopenharmony_ci/* 11578c2ecf20Sopenharmony_ci * If we have an actual cycle counter, see if we can 11588c2ecf20Sopenharmony_ci * generate enough entropy with timing noise 11598c2ecf20Sopenharmony_ci */ 11608c2ecf20Sopenharmony_cistatic void __cold try_to_generate_entropy(void) 11618c2ecf20Sopenharmony_ci{ 11628c2ecf20Sopenharmony_ci struct { 11638c2ecf20Sopenharmony_ci unsigned long entropy; 11648c2ecf20Sopenharmony_ci struct timer_list timer; 11658c2ecf20Sopenharmony_ci } stack; 11668c2ecf20Sopenharmony_ci 11678c2ecf20Sopenharmony_ci stack.entropy = random_get_entropy(); 11688c2ecf20Sopenharmony_ci 11698c2ecf20Sopenharmony_ci /* Slow counter - or none. Don't even bother */ 11708c2ecf20Sopenharmony_ci if (stack.entropy == random_get_entropy()) 11718c2ecf20Sopenharmony_ci return; 11728c2ecf20Sopenharmony_ci 11738c2ecf20Sopenharmony_ci timer_setup_on_stack(&stack.timer, entropy_timer, 0); 11748c2ecf20Sopenharmony_ci while (!crng_ready() && !signal_pending(current)) { 11758c2ecf20Sopenharmony_ci if (!timer_pending(&stack.timer)) 11768c2ecf20Sopenharmony_ci mod_timer(&stack.timer, jiffies + 1); 11778c2ecf20Sopenharmony_ci mix_pool_bytes(&stack.entropy, sizeof(stack.entropy)); 11788c2ecf20Sopenharmony_ci schedule(); 11798c2ecf20Sopenharmony_ci stack.entropy = random_get_entropy(); 11808c2ecf20Sopenharmony_ci } 11818c2ecf20Sopenharmony_ci 11828c2ecf20Sopenharmony_ci del_timer_sync(&stack.timer); 11838c2ecf20Sopenharmony_ci destroy_timer_on_stack(&stack.timer); 11848c2ecf20Sopenharmony_ci mix_pool_bytes(&stack.entropy, sizeof(stack.entropy)); 11858c2ecf20Sopenharmony_ci} 11868c2ecf20Sopenharmony_ci 11878c2ecf20Sopenharmony_ci 11888c2ecf20Sopenharmony_ci/********************************************************************** 11898c2ecf20Sopenharmony_ci * 11908c2ecf20Sopenharmony_ci * Userspace reader/writer interfaces. 11918c2ecf20Sopenharmony_ci * 11928c2ecf20Sopenharmony_ci * getrandom(2) is the primary modern interface into the RNG and should 11938c2ecf20Sopenharmony_ci * be used in preference to anything else. 11948c2ecf20Sopenharmony_ci * 11958c2ecf20Sopenharmony_ci * Reading from /dev/random has the same functionality as calling 11968c2ecf20Sopenharmony_ci * getrandom(2) with flags=0. In earlier versions, however, it had 11978c2ecf20Sopenharmony_ci * vastly different semantics and should therefore be avoided, to 11988c2ecf20Sopenharmony_ci * prevent backwards compatibility issues. 11998c2ecf20Sopenharmony_ci * 12008c2ecf20Sopenharmony_ci * Reading from /dev/urandom has the same functionality as calling 12018c2ecf20Sopenharmony_ci * getrandom(2) with flags=GRND_INSECURE. Because it does not block 12028c2ecf20Sopenharmony_ci * waiting for the RNG to be ready, it should not be used. 12038c2ecf20Sopenharmony_ci * 12048c2ecf20Sopenharmony_ci * Writing to either /dev/random or /dev/urandom adds entropy to 12058c2ecf20Sopenharmony_ci * the input pool but does not credit it. 12068c2ecf20Sopenharmony_ci * 12078c2ecf20Sopenharmony_ci * Polling on /dev/random indicates when the RNG is initialized, on 12088c2ecf20Sopenharmony_ci * the read side, and when it wants new entropy, on the write side. 12098c2ecf20Sopenharmony_ci * 12108c2ecf20Sopenharmony_ci * Both /dev/random and /dev/urandom have the same set of ioctls for 12118c2ecf20Sopenharmony_ci * adding entropy, getting the entropy count, zeroing the count, and 12128c2ecf20Sopenharmony_ci * reseeding the crng. 12138c2ecf20Sopenharmony_ci * 12148c2ecf20Sopenharmony_ci **********************************************************************/ 12158c2ecf20Sopenharmony_ci 12168c2ecf20Sopenharmony_ciSYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags) 12178c2ecf20Sopenharmony_ci{ 12188c2ecf20Sopenharmony_ci struct iov_iter iter; 12198c2ecf20Sopenharmony_ci struct iovec iov; 12208c2ecf20Sopenharmony_ci int ret; 12218c2ecf20Sopenharmony_ci 12228c2ecf20Sopenharmony_ci if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)) 12238c2ecf20Sopenharmony_ci return -EINVAL; 12248c2ecf20Sopenharmony_ci 12258c2ecf20Sopenharmony_ci /* 12268c2ecf20Sopenharmony_ci * Requesting insecure and blocking randomness at the same time makes 12278c2ecf20Sopenharmony_ci * no sense. 12288c2ecf20Sopenharmony_ci */ 12298c2ecf20Sopenharmony_ci if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM)) 12308c2ecf20Sopenharmony_ci return -EINVAL; 12318c2ecf20Sopenharmony_ci 12328c2ecf20Sopenharmony_ci if (!crng_ready() && !(flags & GRND_INSECURE)) { 12338c2ecf20Sopenharmony_ci if (flags & GRND_NONBLOCK) 12348c2ecf20Sopenharmony_ci return -EAGAIN; 12358c2ecf20Sopenharmony_ci ret = wait_for_random_bytes(); 12368c2ecf20Sopenharmony_ci if (unlikely(ret)) 12378c2ecf20Sopenharmony_ci return ret; 12388c2ecf20Sopenharmony_ci } 12398c2ecf20Sopenharmony_ci 12408c2ecf20Sopenharmony_ci ret = import_single_range(READ, ubuf, len, &iov, &iter); 12418c2ecf20Sopenharmony_ci if (unlikely(ret)) 12428c2ecf20Sopenharmony_ci return ret; 12438c2ecf20Sopenharmony_ci return get_random_bytes_user(&iter); 12448c2ecf20Sopenharmony_ci} 12458c2ecf20Sopenharmony_ci 12468c2ecf20Sopenharmony_cistatic __poll_t random_poll(struct file *file, poll_table *wait) 12478c2ecf20Sopenharmony_ci{ 12488c2ecf20Sopenharmony_ci poll_wait(file, &crng_init_wait, wait); 12498c2ecf20Sopenharmony_ci return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM; 12508c2ecf20Sopenharmony_ci} 12518c2ecf20Sopenharmony_ci 12528c2ecf20Sopenharmony_cistatic ssize_t write_pool_user(struct iov_iter *iter) 12538c2ecf20Sopenharmony_ci{ 12548c2ecf20Sopenharmony_ci u8 block[BLAKE2S_BLOCK_SIZE]; 12558c2ecf20Sopenharmony_ci ssize_t ret = 0; 12568c2ecf20Sopenharmony_ci size_t copied; 12578c2ecf20Sopenharmony_ci 12588c2ecf20Sopenharmony_ci if (unlikely(!iov_iter_count(iter))) 12598c2ecf20Sopenharmony_ci return 0; 12608c2ecf20Sopenharmony_ci 12618c2ecf20Sopenharmony_ci for (;;) { 12628c2ecf20Sopenharmony_ci copied = copy_from_iter(block, sizeof(block), iter); 12638c2ecf20Sopenharmony_ci ret += copied; 12648c2ecf20Sopenharmony_ci mix_pool_bytes(block, copied); 12658c2ecf20Sopenharmony_ci if (!iov_iter_count(iter) || copied != sizeof(block)) 12668c2ecf20Sopenharmony_ci break; 12678c2ecf20Sopenharmony_ci 12688c2ecf20Sopenharmony_ci BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0); 12698c2ecf20Sopenharmony_ci if (ret % PAGE_SIZE == 0) { 12708c2ecf20Sopenharmony_ci if (signal_pending(current)) 12718c2ecf20Sopenharmony_ci break; 12728c2ecf20Sopenharmony_ci cond_resched(); 12738c2ecf20Sopenharmony_ci } 12748c2ecf20Sopenharmony_ci } 12758c2ecf20Sopenharmony_ci 12768c2ecf20Sopenharmony_ci memzero_explicit(block, sizeof(block)); 12778c2ecf20Sopenharmony_ci return ret ? ret : -EFAULT; 12788c2ecf20Sopenharmony_ci} 12798c2ecf20Sopenharmony_ci 12808c2ecf20Sopenharmony_cistatic ssize_t random_write_iter(struct kiocb *kiocb, struct iov_iter *iter) 12818c2ecf20Sopenharmony_ci{ 12828c2ecf20Sopenharmony_ci return write_pool_user(iter); 12838c2ecf20Sopenharmony_ci} 12848c2ecf20Sopenharmony_ci 12858c2ecf20Sopenharmony_cistatic ssize_t urandom_read_iter(struct kiocb *kiocb, struct iov_iter *iter) 12868c2ecf20Sopenharmony_ci{ 12878c2ecf20Sopenharmony_ci static int maxwarn = 10; 12888c2ecf20Sopenharmony_ci 12898c2ecf20Sopenharmony_ci if (!crng_ready()) { 12908c2ecf20Sopenharmony_ci if (!ratelimit_disable && maxwarn <= 0) 12918c2ecf20Sopenharmony_ci ++urandom_warning.missed; 12928c2ecf20Sopenharmony_ci else if (ratelimit_disable || __ratelimit(&urandom_warning)) { 12938c2ecf20Sopenharmony_ci --maxwarn; 12948c2ecf20Sopenharmony_ci pr_notice("%s: uninitialized urandom read (%zu bytes read)\n", 12958c2ecf20Sopenharmony_ci current->comm, iov_iter_count(iter)); 12968c2ecf20Sopenharmony_ci } 12978c2ecf20Sopenharmony_ci } 12988c2ecf20Sopenharmony_ci 12998c2ecf20Sopenharmony_ci return get_random_bytes_user(iter); 13008c2ecf20Sopenharmony_ci} 13018c2ecf20Sopenharmony_ci 13028c2ecf20Sopenharmony_cistatic ssize_t random_read_iter(struct kiocb *kiocb, struct iov_iter *iter) 13038c2ecf20Sopenharmony_ci{ 13048c2ecf20Sopenharmony_ci int ret; 13058c2ecf20Sopenharmony_ci 13068c2ecf20Sopenharmony_ci if (!crng_ready() && 13078c2ecf20Sopenharmony_ci ((kiocb->ki_flags & (IOCB_NOWAIT | IOCB_NOIO)) || 13088c2ecf20Sopenharmony_ci (kiocb->ki_filp->f_flags & O_NONBLOCK))) 13098c2ecf20Sopenharmony_ci return -EAGAIN; 13108c2ecf20Sopenharmony_ci 13118c2ecf20Sopenharmony_ci ret = wait_for_random_bytes(); 13128c2ecf20Sopenharmony_ci if (ret != 0) 13138c2ecf20Sopenharmony_ci return ret; 13148c2ecf20Sopenharmony_ci return get_random_bytes_user(iter); 13158c2ecf20Sopenharmony_ci} 13168c2ecf20Sopenharmony_ci 13178c2ecf20Sopenharmony_cistatic long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) 13188c2ecf20Sopenharmony_ci{ 13198c2ecf20Sopenharmony_ci int __user *p = (int __user *)arg; 13208c2ecf20Sopenharmony_ci int ent_count; 13218c2ecf20Sopenharmony_ci 13228c2ecf20Sopenharmony_ci switch (cmd) { 13238c2ecf20Sopenharmony_ci case RNDGETENTCNT: 13248c2ecf20Sopenharmony_ci /* Inherently racy, no point locking. */ 13258c2ecf20Sopenharmony_ci if (put_user(input_pool.init_bits, p)) 13268c2ecf20Sopenharmony_ci return -EFAULT; 13278c2ecf20Sopenharmony_ci return 0; 13288c2ecf20Sopenharmony_ci case RNDADDTOENTCNT: 13298c2ecf20Sopenharmony_ci if (!capable(CAP_SYS_ADMIN)) 13308c2ecf20Sopenharmony_ci return -EPERM; 13318c2ecf20Sopenharmony_ci if (get_user(ent_count, p)) 13328c2ecf20Sopenharmony_ci return -EFAULT; 13338c2ecf20Sopenharmony_ci if (ent_count < 0) 13348c2ecf20Sopenharmony_ci return -EINVAL; 13358c2ecf20Sopenharmony_ci credit_init_bits(ent_count); 13368c2ecf20Sopenharmony_ci return 0; 13378c2ecf20Sopenharmony_ci case RNDADDENTROPY: { 13388c2ecf20Sopenharmony_ci struct iov_iter iter; 13398c2ecf20Sopenharmony_ci struct iovec iov; 13408c2ecf20Sopenharmony_ci ssize_t ret; 13418c2ecf20Sopenharmony_ci int len; 13428c2ecf20Sopenharmony_ci 13438c2ecf20Sopenharmony_ci if (!capable(CAP_SYS_ADMIN)) 13448c2ecf20Sopenharmony_ci return -EPERM; 13458c2ecf20Sopenharmony_ci if (get_user(ent_count, p++)) 13468c2ecf20Sopenharmony_ci return -EFAULT; 13478c2ecf20Sopenharmony_ci if (ent_count < 0) 13488c2ecf20Sopenharmony_ci return -EINVAL; 13498c2ecf20Sopenharmony_ci if (get_user(len, p++)) 13508c2ecf20Sopenharmony_ci return -EFAULT; 13518c2ecf20Sopenharmony_ci ret = import_single_range(WRITE, p, len, &iov, &iter); 13528c2ecf20Sopenharmony_ci if (unlikely(ret)) 13538c2ecf20Sopenharmony_ci return ret; 13548c2ecf20Sopenharmony_ci ret = write_pool_user(&iter); 13558c2ecf20Sopenharmony_ci if (unlikely(ret < 0)) 13568c2ecf20Sopenharmony_ci return ret; 13578c2ecf20Sopenharmony_ci /* Since we're crediting, enforce that it was all written into the pool. */ 13588c2ecf20Sopenharmony_ci if (unlikely(ret != len)) 13598c2ecf20Sopenharmony_ci return -EFAULT; 13608c2ecf20Sopenharmony_ci credit_init_bits(ent_count); 13618c2ecf20Sopenharmony_ci return 0; 13628c2ecf20Sopenharmony_ci } 13638c2ecf20Sopenharmony_ci case RNDZAPENTCNT: 13648c2ecf20Sopenharmony_ci case RNDCLEARPOOL: 13658c2ecf20Sopenharmony_ci /* No longer has any effect. */ 13668c2ecf20Sopenharmony_ci if (!capable(CAP_SYS_ADMIN)) 13678c2ecf20Sopenharmony_ci return -EPERM; 13688c2ecf20Sopenharmony_ci return 0; 13698c2ecf20Sopenharmony_ci case RNDRESEEDCRNG: 13708c2ecf20Sopenharmony_ci if (!capable(CAP_SYS_ADMIN)) 13718c2ecf20Sopenharmony_ci return -EPERM; 13728c2ecf20Sopenharmony_ci if (!crng_ready()) 13738c2ecf20Sopenharmony_ci return -ENODATA; 13748c2ecf20Sopenharmony_ci crng_reseed(); 13758c2ecf20Sopenharmony_ci return 0; 13768c2ecf20Sopenharmony_ci default: 13778c2ecf20Sopenharmony_ci return -EINVAL; 13788c2ecf20Sopenharmony_ci } 13798c2ecf20Sopenharmony_ci} 13808c2ecf20Sopenharmony_ci 13818c2ecf20Sopenharmony_cistatic int random_fasync(int fd, struct file *filp, int on) 13828c2ecf20Sopenharmony_ci{ 13838c2ecf20Sopenharmony_ci return fasync_helper(fd, filp, on, &fasync); 13848c2ecf20Sopenharmony_ci} 13858c2ecf20Sopenharmony_ci 13868c2ecf20Sopenharmony_ciconst struct file_operations random_fops = { 13878c2ecf20Sopenharmony_ci .read_iter = random_read_iter, 13888c2ecf20Sopenharmony_ci .write_iter = random_write_iter, 13898c2ecf20Sopenharmony_ci .poll = random_poll, 13908c2ecf20Sopenharmony_ci .unlocked_ioctl = random_ioctl, 13918c2ecf20Sopenharmony_ci .compat_ioctl = compat_ptr_ioctl, 13928c2ecf20Sopenharmony_ci .fasync = random_fasync, 13938c2ecf20Sopenharmony_ci .llseek = noop_llseek, 13948c2ecf20Sopenharmony_ci .splice_read = generic_file_splice_read, 13958c2ecf20Sopenharmony_ci .splice_write = iter_file_splice_write, 13968c2ecf20Sopenharmony_ci}; 13978c2ecf20Sopenharmony_ci 13988c2ecf20Sopenharmony_ciconst struct file_operations urandom_fops = { 13998c2ecf20Sopenharmony_ci .read_iter = urandom_read_iter, 14008c2ecf20Sopenharmony_ci .write_iter = random_write_iter, 14018c2ecf20Sopenharmony_ci .unlocked_ioctl = random_ioctl, 14028c2ecf20Sopenharmony_ci .compat_ioctl = compat_ptr_ioctl, 14038c2ecf20Sopenharmony_ci .fasync = random_fasync, 14048c2ecf20Sopenharmony_ci .llseek = noop_llseek, 14058c2ecf20Sopenharmony_ci .splice_read = generic_file_splice_read, 14068c2ecf20Sopenharmony_ci .splice_write = iter_file_splice_write, 14078c2ecf20Sopenharmony_ci}; 14088c2ecf20Sopenharmony_ci 14098c2ecf20Sopenharmony_ci 14108c2ecf20Sopenharmony_ci/******************************************************************** 14118c2ecf20Sopenharmony_ci * 14128c2ecf20Sopenharmony_ci * Sysctl interface. 14138c2ecf20Sopenharmony_ci * 14148c2ecf20Sopenharmony_ci * These are partly unused legacy knobs with dummy values to not break 14158c2ecf20Sopenharmony_ci * userspace and partly still useful things. They are usually accessible 14168c2ecf20Sopenharmony_ci * in /proc/sys/kernel/random/ and are as follows: 14178c2ecf20Sopenharmony_ci * 14188c2ecf20Sopenharmony_ci * - boot_id - a UUID representing the current boot. 14198c2ecf20Sopenharmony_ci * 14208c2ecf20Sopenharmony_ci * - uuid - a random UUID, different each time the file is read. 14218c2ecf20Sopenharmony_ci * 14228c2ecf20Sopenharmony_ci * - poolsize - the number of bits of entropy that the input pool can 14238c2ecf20Sopenharmony_ci * hold, tied to the POOL_BITS constant. 14248c2ecf20Sopenharmony_ci * 14258c2ecf20Sopenharmony_ci * - entropy_avail - the number of bits of entropy currently in the 14268c2ecf20Sopenharmony_ci * input pool. Always <= poolsize. 14278c2ecf20Sopenharmony_ci * 14288c2ecf20Sopenharmony_ci * - write_wakeup_threshold - the amount of entropy in the input pool 14298c2ecf20Sopenharmony_ci * below which write polls to /dev/random will unblock, requesting 14308c2ecf20Sopenharmony_ci * more entropy, tied to the POOL_READY_BITS constant. It is writable 14318c2ecf20Sopenharmony_ci * to avoid breaking old userspaces, but writing to it does not 14328c2ecf20Sopenharmony_ci * change any behavior of the RNG. 14338c2ecf20Sopenharmony_ci * 14348c2ecf20Sopenharmony_ci * - urandom_min_reseed_secs - fixed to the value CRNG_RESEED_INTERVAL. 14358c2ecf20Sopenharmony_ci * It is writable to avoid breaking old userspaces, but writing 14368c2ecf20Sopenharmony_ci * to it does not change any behavior of the RNG. 14378c2ecf20Sopenharmony_ci * 14388c2ecf20Sopenharmony_ci ********************************************************************/ 14398c2ecf20Sopenharmony_ci 14408c2ecf20Sopenharmony_ci#ifdef CONFIG_SYSCTL 14418c2ecf20Sopenharmony_ci 14428c2ecf20Sopenharmony_ci#include <linux/sysctl.h> 14438c2ecf20Sopenharmony_ci 14448c2ecf20Sopenharmony_cistatic int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ; 14458c2ecf20Sopenharmony_cistatic int sysctl_random_write_wakeup_bits = POOL_READY_BITS; 14468c2ecf20Sopenharmony_cistatic int sysctl_poolsize = POOL_BITS; 14478c2ecf20Sopenharmony_cistatic u8 sysctl_bootid[UUID_SIZE]; 14488c2ecf20Sopenharmony_ci 14498c2ecf20Sopenharmony_ci/* 14508c2ecf20Sopenharmony_ci * This function is used to return both the bootid UUID, and random 14518c2ecf20Sopenharmony_ci * UUID. The difference is in whether table->data is NULL; if it is, 14528c2ecf20Sopenharmony_ci * then a new UUID is generated and returned to the user. 14538c2ecf20Sopenharmony_ci */ 14548c2ecf20Sopenharmony_cistatic int proc_do_uuid(struct ctl_table *table, int write, void *buf, 14558c2ecf20Sopenharmony_ci size_t *lenp, loff_t *ppos) 14568c2ecf20Sopenharmony_ci{ 14578c2ecf20Sopenharmony_ci u8 tmp_uuid[UUID_SIZE], *uuid; 14588c2ecf20Sopenharmony_ci char uuid_string[UUID_STRING_LEN + 1]; 14598c2ecf20Sopenharmony_ci struct ctl_table fake_table = { 14608c2ecf20Sopenharmony_ci .data = uuid_string, 14618c2ecf20Sopenharmony_ci .maxlen = UUID_STRING_LEN 14628c2ecf20Sopenharmony_ci }; 14638c2ecf20Sopenharmony_ci 14648c2ecf20Sopenharmony_ci if (write) 14658c2ecf20Sopenharmony_ci return -EPERM; 14668c2ecf20Sopenharmony_ci 14678c2ecf20Sopenharmony_ci uuid = table->data; 14688c2ecf20Sopenharmony_ci if (!uuid) { 14698c2ecf20Sopenharmony_ci uuid = tmp_uuid; 14708c2ecf20Sopenharmony_ci generate_random_uuid(uuid); 14718c2ecf20Sopenharmony_ci } else { 14728c2ecf20Sopenharmony_ci static DEFINE_SPINLOCK(bootid_spinlock); 14738c2ecf20Sopenharmony_ci 14748c2ecf20Sopenharmony_ci spin_lock(&bootid_spinlock); 14758c2ecf20Sopenharmony_ci if (!uuid[8]) 14768c2ecf20Sopenharmony_ci generate_random_uuid(uuid); 14778c2ecf20Sopenharmony_ci spin_unlock(&bootid_spinlock); 14788c2ecf20Sopenharmony_ci } 14798c2ecf20Sopenharmony_ci 14808c2ecf20Sopenharmony_ci snprintf(uuid_string, sizeof(uuid_string), "%pU", uuid); 14818c2ecf20Sopenharmony_ci return proc_dostring(&fake_table, 0, buf, lenp, ppos); 14828c2ecf20Sopenharmony_ci} 14838c2ecf20Sopenharmony_ci 14848c2ecf20Sopenharmony_ci/* The same as proc_dointvec, but writes don't change anything. */ 14858c2ecf20Sopenharmony_cistatic int proc_do_rointvec(struct ctl_table *table, int write, void *buf, 14868c2ecf20Sopenharmony_ci size_t *lenp, loff_t *ppos) 14878c2ecf20Sopenharmony_ci{ 14888c2ecf20Sopenharmony_ci return write ? 0 : proc_dointvec(table, 0, buf, lenp, ppos); 14898c2ecf20Sopenharmony_ci} 14908c2ecf20Sopenharmony_ci 14918c2ecf20Sopenharmony_ciextern struct ctl_table random_table[]; 14928c2ecf20Sopenharmony_cistruct ctl_table random_table[] = { 14938c2ecf20Sopenharmony_ci { 14948c2ecf20Sopenharmony_ci .procname = "poolsize", 14958c2ecf20Sopenharmony_ci .data = &sysctl_poolsize, 14968c2ecf20Sopenharmony_ci .maxlen = sizeof(int), 14978c2ecf20Sopenharmony_ci .mode = 0444, 14988c2ecf20Sopenharmony_ci .proc_handler = proc_dointvec, 14998c2ecf20Sopenharmony_ci }, 15008c2ecf20Sopenharmony_ci { 15018c2ecf20Sopenharmony_ci .procname = "entropy_avail", 15028c2ecf20Sopenharmony_ci .data = &input_pool.init_bits, 15038c2ecf20Sopenharmony_ci .maxlen = sizeof(int), 15048c2ecf20Sopenharmony_ci .mode = 0444, 15058c2ecf20Sopenharmony_ci .proc_handler = proc_dointvec, 15068c2ecf20Sopenharmony_ci }, 15078c2ecf20Sopenharmony_ci { 15088c2ecf20Sopenharmony_ci .procname = "write_wakeup_threshold", 15098c2ecf20Sopenharmony_ci .data = &sysctl_random_write_wakeup_bits, 15108c2ecf20Sopenharmony_ci .maxlen = sizeof(int), 15118c2ecf20Sopenharmony_ci .mode = 0644, 15128c2ecf20Sopenharmony_ci .proc_handler = proc_do_rointvec, 15138c2ecf20Sopenharmony_ci }, 15148c2ecf20Sopenharmony_ci { 15158c2ecf20Sopenharmony_ci .procname = "urandom_min_reseed_secs", 15168c2ecf20Sopenharmony_ci .data = &sysctl_random_min_urandom_seed, 15178c2ecf20Sopenharmony_ci .maxlen = sizeof(int), 15188c2ecf20Sopenharmony_ci .mode = 0644, 15198c2ecf20Sopenharmony_ci .proc_handler = proc_do_rointvec, 15208c2ecf20Sopenharmony_ci }, 15218c2ecf20Sopenharmony_ci { 15228c2ecf20Sopenharmony_ci .procname = "boot_id", 15238c2ecf20Sopenharmony_ci .data = &sysctl_bootid, 15248c2ecf20Sopenharmony_ci .mode = 0444, 15258c2ecf20Sopenharmony_ci .proc_handler = proc_do_uuid, 15268c2ecf20Sopenharmony_ci }, 15278c2ecf20Sopenharmony_ci { 15288c2ecf20Sopenharmony_ci .procname = "uuid", 15298c2ecf20Sopenharmony_ci .mode = 0444, 15308c2ecf20Sopenharmony_ci .proc_handler = proc_do_uuid, 15318c2ecf20Sopenharmony_ci }, 15328c2ecf20Sopenharmony_ci { } 15338c2ecf20Sopenharmony_ci}; 15348c2ecf20Sopenharmony_ci#endif /* CONFIG_SYSCTL */ 1535