2  * Non-physical true random number generator based on timing jitter --
5  * Copyright Stephan Mueller <smueller@chronox.de>, 2015 - 2023
21  * 2. Redistributions in binary form must reproduce the above copyright
32  * the restrictions contained in a BSD-style copyright.)
54 … be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitt…
65 	/* SHA3-256 is used as conditioner */
91 	/* Intermittent health test failure threshold of 2^-30 */
92 	/* From an SP800-90B perspective, this RCT cutoff value is equal to 31. */
94 #define JENT_RCT_CUTOFF		(31 - 1)	/* Taken from SP800-90B sec 4.4.1 */
95 #define JENT_APT_CUTOFF		325			/* Taken from SP800-90B sec 4.4.2 */
96 	/* Permanent health test failure threshold of 2^-60 */
97 	/* From an SP800-90B perspective, this RCT cutoff value is equal to 61. */
99 #define JENT_RCT_CUTOFF_PERMANENT	(61 - 1)
104 #define JENT_APT_WORD_MASK	(JENT_APT_LSB - 1)
112 #define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more
116 /* -- error codes for init function -- */
118 #define JENT_ECOARSETIME	2 /* Timer too coarse for RNG */
121 				   * variations (2nd derivation of time is
131  * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound).
136  * entropy in each bit of output to at least 1-epsilon, where epsilon is
137  * required to be <= 2^(-32).
141 #include <linux/fips.h>
147  * This test complies with SP800-90B section 4.4.2.
158 	ec->apt_count = 0;  in jent_apt_reset()
159 	ec->apt_base = delta_masked;  in jent_apt_reset()
160 	ec->apt_observations = 0;  in jent_apt_reset()
172 	if (!ec->apt_base_set) {  in jent_apt_insert()
173 		ec->apt_base = delta_masked;  in jent_apt_insert()
174 		ec->apt_base_set = 1;  in jent_apt_insert()
178 	if (delta_masked == ec->apt_base)  in jent_apt_insert()
179 		ec->apt_count++;  in jent_apt_insert()
181 	ec->apt_observations++;  in jent_apt_insert()
183 	if (ec->apt_observations >= JENT_APT_WINDOW_SIZE)  in jent_apt_insert()
190 	return (ec->apt_count >= JENT_APT_CUTOFF_PERMANENT) ? 1 : 0;  in jent_apt_permanent_failure()
195 	return (ec->apt_count >= JENT_APT_CUTOFF) ? 1 : 0;  in jent_apt_failure()
202  * (RCT) specified in SP800-90B section 4.4.1. Instead of counting identical
203  * back-to-back values, the input to the RCT is the counting of the stuck
206  * The RCT is applied with an alpha of 2^{-30} compliant to FIPS 140-2 IG 9.8.
209  * cut-off value of C. If that value exceeds the allowed cut-off value,
215  * Repetition Count Test as defined in SP800-90B section 4.4.1
223 		ec->rct_count++;  in jent_rct_insert()
226 		ec->rct_count = 0;  in jent_rct_insert()
233 	return (prev < next) ? (next - prev) :  in jent_delta()
234 			       (JENT_UINT64_MAX - prev + 1 + next);  in jent_delta()
240  * 	2nd derivative of the jitter measurement (delta of time deltas)
243  * All values must always be non-zero.
254 	__u64 delta2 = jent_delta(ec->last_delta, current_delta);  in jent_stuck()
255 	__u64 delta3 = jent_delta(ec->last_delta2, delta2);  in jent_stuck()
257 	ec->last_delta = current_delta;  in jent_stuck()
258 	ec->last_delta2 = delta2;  in jent_stuck()
261 	 * Insert the result of the comparison of two back-to-back time  in jent_stuck()
272 	/* RCT with a non-stuck bit */  in jent_stuck()
281 	return (ec->rct_count >= JENT_RCT_CUTOFF_PERMANENT) ? 1 : 0;  in jent_rct_permanent_failure()
286 	return (ec->rct_count >= JENT_RCT_CUTOFF) ? 1 : 0;  in jent_rct_failure()
320 	unsigned int mask = (1<<bits) - 1;  in jent_loop_shuffle()
328 	for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) {  in jent_loop_shuffle()
341  * CPU Jitter noise source -- this is the noise source based on the CPU
363 		ec->rct_count,  in jent_condition_data()
364 		ec->apt_observations,  in jent_condition_data()
365 		ec->apt_count,  in jent_condition_data()
366 		ec->apt_base  in jent_condition_data()
369 	return jent_hash_time(ec->hash_state, time, (u8 *)&addtl, sizeof(addtl),  in jent_condition_data()
374  * Memory Access noise source -- this is a noise source based on variations in
388  * to reliably access either L3 or memory, the ec->mem memory must be quite
391  * @ec [in] Reference to the entropy collector with the memory access data -- if
406 	if (NULL == ec || NULL == ec->mem)  in jent_memaccess()
408 	wrap = ec->memblocksize * ec->memblocks;  in jent_memaccess()
411 	 * testing purposes -- allow test app to set the counter, not  in jent_memaccess()
417 	for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {  in jent_memaccess()
418 		unsigned char *tmpval = ec->mem + ec->memlocation;  in jent_memaccess()
421 		 * wrap at 255 -- memory access implies read  in jent_memaccess()
426 		 * Addition of memblocksize - 1 to pointer  in jent_memaccess()
430 		ec->memlocation = ec->memlocation + ec->memblocksize - 1;  in jent_memaccess()
431 		ec->memlocation = ec->memlocation % wrap;  in jent_memaccess()
443  * WARNING: ensure that ->prev_time is primed before using the output
465 	current_delta = jent_delta(ec->prev_time, time);  in jent_measure_jitter()
466 	ec->prev_time = time;  in jent_measure_jitter()
480  * Function fills rand_data->hash_state
491 	/* priming of the ->prev_time value */  in jent_gen_entropy()
500 		 * We multiply the loop value with ->osr to obtain the  in jent_gen_entropy()
503 		if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))  in jent_gen_entropy()
519  * @data [in] pointer to buffer for storing random data -- buffer must already
527  *	-1	entropy_collector is NULL or the generation failed
528  *	-2	Intermittent health failure
529  *	-3	Permanent health failure
537 		return -1;  in jent_read_entropy()
551 			return -3;  in jent_read_entropy()
557 			if (jent_entropy_init(ec->hash_state))  in jent_read_entropy()
558 				return -3;  in jent_read_entropy()
560 			return -2;  in jent_read_entropy()
567 		if (jent_read_random_block(ec->hash_state, p, tocopy))  in jent_read_entropy()
568 			return -1;  in jent_read_entropy()
570 		len -= tocopy;  in jent_read_entropy()
595 		entropy_collector->mem = jent_zalloc(JENT_MEMORY_SIZE);  in jent_entropy_collector_alloc()
596 		if (!entropy_collector->mem) {  in jent_entropy_collector_alloc()
600 		entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE;  in jent_entropy_collector_alloc()
601 		entropy_collector->memblocks = JENT_MEMORY_BLOCKS;  in jent_entropy_collector_alloc()
602 		entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;  in jent_entropy_collector_alloc()
608 	entropy_collector->osr = osr;  in jent_entropy_collector_alloc()
610 	entropy_collector->hash_state = hash_state;  in jent_entropy_collector_alloc()
612 	/* fill the data pad with non-zero values */  in jent_entropy_collector_alloc()
620 	jent_zfree(entropy_collector->mem);  in jent_entropy_collector_free()
621 	entropy_collector->mem = NULL;  in jent_entropy_collector_free()
655 	 * following sanity checks verify that we have a high-resolution  in jent_entropy_init()
662 	 * SP800-90B requires at least 1024 initial test cycles.  in jent_entropy_init()
685 		 * delta even when called shortly after each other -- this  in jent_entropy_init()
731 		lowdelta = time2 - time;  in jent_entropy_init()
737 		 * for the calculation of entropy -- perform this check  in jent_entropy_init()
742 			delta_sum += (delta - old_delta);  in jent_entropy_init()
744 			delta_sum += (old_delta - delta);  in jent_entropy_init()
768 	 * least 10% of all checks -- on some platforms, the counter increments  in jent_entropy_init()