xref: /openbmc/linux/arch/s390/crypto/prng.c (revision 4f2c0a4acffbec01079c28f839422e64ddeff004)
1  // SPDX-License-Identifier: GPL-2.0
2  /*
3   * Copyright IBM Corp. 2006, 2015
4   * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
5   *	      Harald Freudenberger <freude@de.ibm.com>
6   * Driver for the s390 pseudo random number generator
7   */
8  
9  #define KMSG_COMPONENT "prng"
10  #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
11  
12  #include <linux/fs.h>
13  #include <linux/fips.h>
14  #include <linux/init.h>
15  #include <linux/kernel.h>
16  #include <linux/device.h>
17  #include <linux/miscdevice.h>
18  #include <linux/module.h>
19  #include <linux/moduleparam.h>
20  #include <linux/mutex.h>
21  #include <linux/cpufeature.h>
22  #include <linux/random.h>
23  #include <linux/slab.h>
24  #include <linux/sched/signal.h>
25  
26  #include <asm/debug.h>
27  #include <linux/uaccess.h>
28  #include <asm/timex.h>
29  #include <asm/cpacf.h>
30  
31  MODULE_LICENSE("GPL");
32  MODULE_AUTHOR("IBM Corporation");
33  MODULE_DESCRIPTION("s390 PRNG interface");
34  
35  
36  #define PRNG_MODE_AUTO	  0
37  #define PRNG_MODE_TDES	  1
38  #define PRNG_MODE_SHA512  2
39  
40  static unsigned int prng_mode = PRNG_MODE_AUTO;
41  module_param_named(mode, prng_mode, int, 0);
42  MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512");
43  
44  
45  #define PRNG_CHUNKSIZE_TDES_MIN   8
46  #define PRNG_CHUNKSIZE_TDES_MAX   (64*1024)
47  #define PRNG_CHUNKSIZE_SHA512_MIN 64
48  #define PRNG_CHUNKSIZE_SHA512_MAX (64*1024)
49  
50  static unsigned int prng_chunk_size = 256;
51  module_param_named(chunksize, prng_chunk_size, int, 0);
52  MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
53  
54  
55  #define PRNG_RESEED_LIMIT_TDES		 4096
56  #define PRNG_RESEED_LIMIT_TDES_LOWER	 4096
57  #define PRNG_RESEED_LIMIT_SHA512       100000
58  #define PRNG_RESEED_LIMIT_SHA512_LOWER	10000
59  
60  static unsigned int prng_reseed_limit;
61  module_param_named(reseed_limit, prng_reseed_limit, int, 0);
62  MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit");
63  
64  static bool trng_available;
65  
66  /*
67   * Any one who considers arithmetical methods of producing random digits is,
68   * of course, in a state of sin. -- John von Neumann
69   */
70  
71  static int prng_errorflag;
72  
73  #define PRNG_GEN_ENTROPY_FAILED  1
74  #define PRNG_SELFTEST_FAILED	 2
75  #define PRNG_INSTANTIATE_FAILED  3
76  #define PRNG_SEED_FAILED	 4
77  #define PRNG_RESEED_FAILED	 5
78  #define PRNG_GEN_FAILED		 6
79  
80  struct prng_ws_s {
81  	u8  parm_block[32];
82  	u32 reseed_counter;
83  	u64 byte_counter;
84  };
85  
86  struct prno_ws_s {
87  	u32 res;
88  	u32 reseed_counter;
89  	u64 stream_bytes;
90  	u8  V[112];
91  	u8  C[112];
92  };
93  
94  struct prng_data_s {
95  	struct mutex mutex;
96  	union {
97  		struct prng_ws_s prngws;
98  		struct prno_ws_s prnows;
99  	};
100  	u8 *buf;
101  	u32 rest;
102  	u8 *prev;
103  };
104  
105  static struct prng_data_s *prng_data;
106  
107  /* initial parameter block for tdes mode, copied from libica */
108  static const u8 initial_parm_block[32] __initconst = {
109  	0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52,
110  	0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4,
111  	0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF,
112  	0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0 };
113  
114  
115  /*** helper functions ***/
116  
117  /*
118   * generate_entropy:
119   * This function fills a given buffer with random bytes. The entropy within
120   * the random bytes given back is assumed to have at least 50% - meaning
121   * a 64 bytes buffer has at least 64 * 8 / 2 = 256 bits of entropy.
122   * Within the function the entropy generation is done in junks of 64 bytes.
123   * So the caller should also ask for buffer fill in multiples of 64 bytes.
124   * The generation of the entropy is based on the assumption that every stckf()
125   * invocation produces 0.5 bits of entropy. To accumulate 256 bits of entropy
126   * at least 512 stckf() values are needed. The entropy relevant part of the
127   * stckf value is bit 51 (counting starts at the left with bit nr 0) so
128   * here we use the lower 4 bytes and exor the values into 2k of bufferspace.
129   * To be on the save side, if there is ever a problem with stckf() the
130   * other half of the page buffer is filled with bytes from urandom via
131   * get_random_bytes(), so this function consumes 2k of urandom for each
132   * requested 64 bytes output data. Finally the buffer page is condensed into
133   * a 64 byte value by hashing with a SHA512 hash.
134   */
generate_entropy(u8 * ebuf,size_t nbytes)135  static int generate_entropy(u8 *ebuf, size_t nbytes)
136  {
137  	int n, ret = 0;
138  	u8 *pg, pblock[80] = {
139  		/* 8 x 64 bit init values */
140  		0x6A, 0x09, 0xE6, 0x67, 0xF3, 0xBC, 0xC9, 0x08,
141  		0xBB, 0x67, 0xAE, 0x85, 0x84, 0xCA, 0xA7, 0x3B,
142  		0x3C, 0x6E, 0xF3, 0x72, 0xFE, 0x94, 0xF8, 0x2B,
143  		0xA5, 0x4F, 0xF5, 0x3A, 0x5F, 0x1D, 0x36, 0xF1,
144  		0x51, 0x0E, 0x52, 0x7F, 0xAD, 0xE6, 0x82, 0xD1,
145  		0x9B, 0x05, 0x68, 0x8C, 0x2B, 0x3E, 0x6C, 0x1F,
146  		0x1F, 0x83, 0xD9, 0xAB, 0xFB, 0x41, 0xBD, 0x6B,
147  		0x5B, 0xE0, 0xCD, 0x19, 0x13, 0x7E, 0x21, 0x79,
148  		/* 128 bit counter total message bit length */
149  		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
150  		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 };
151  
152  	/* allocate one page stckf buffer */
153  	pg = (u8 *) __get_free_page(GFP_KERNEL);
154  	if (!pg) {
155  		prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
156  		return -ENOMEM;
157  	}
158  
159  	/* fill the ebuf in chunks of 64 byte each */
160  	while (nbytes) {
161  		/* fill lower 2k with urandom bytes */
162  		get_random_bytes(pg, PAGE_SIZE / 2);
163  		/* exor upper 2k with 512 stckf values, offset 4 bytes each */
164  		for (n = 0; n < 512; n++) {
165  			int offset = (PAGE_SIZE / 2) + (n * 4) - 4;
166  			u64 *p = (u64 *)(pg + offset);
167  			*p ^= get_tod_clock_fast();
168  		}
169  		/* hash over the filled page */
170  		cpacf_klmd(CPACF_KLMD_SHA_512, pblock, pg, PAGE_SIZE);
171  		n = (nbytes < 64) ? nbytes : 64;
172  		memcpy(ebuf, pblock, n);
173  		ret += n;
174  		ebuf += n;
175  		nbytes -= n;
176  	}
177  
178  	memzero_explicit(pblock, sizeof(pblock));
179  	memzero_explicit(pg, PAGE_SIZE);
180  	free_page((unsigned long)pg);
181  	return ret;
182  }
183  
184  
185  /*** tdes functions ***/
186  
prng_tdes_add_entropy(void)187  static void prng_tdes_add_entropy(void)
188  {
189  	__u64 entropy[4];
190  	unsigned int i;
191  
192  	for (i = 0; i < 16; i++) {
193  		cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
194  			  (char *) entropy, (char *) entropy,
195  			  sizeof(entropy));
196  		memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy));
197  	}
198  }
199  
200  
prng_tdes_seed(int nbytes)201  static void prng_tdes_seed(int nbytes)
202  {
203  	char buf[16];
204  	int i = 0;
205  
206  	BUG_ON(nbytes > sizeof(buf));
207  
208  	get_random_bytes(buf, nbytes);
209  
210  	/* Add the entropy */
211  	while (nbytes >= 8) {
212  		*((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i));
213  		prng_tdes_add_entropy();
214  		i += 8;
215  		nbytes -= 8;
216  	}
217  	prng_tdes_add_entropy();
218  	prng_data->prngws.reseed_counter = 0;
219  }
220  
221  
prng_tdes_instantiate(void)222  static int __init prng_tdes_instantiate(void)
223  {
224  	int datalen;
225  
226  	pr_debug("prng runs in TDES mode with "
227  		 "chunksize=%d and reseed_limit=%u\n",
228  		 prng_chunk_size, prng_reseed_limit);
229  
230  	/* memory allocation, prng_data struct init, mutex init */
231  	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
232  	prng_data = kzalloc(datalen, GFP_KERNEL);
233  	if (!prng_data) {
234  		prng_errorflag = PRNG_INSTANTIATE_FAILED;
235  		return -ENOMEM;
236  	}
237  	mutex_init(&prng_data->mutex);
238  	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
239  	memcpy(prng_data->prngws.parm_block, initial_parm_block, 32);
240  
241  	/* initialize the PRNG, add 128 bits of entropy */
242  	prng_tdes_seed(16);
243  
244  	return 0;
245  }
246  
247  
prng_tdes_deinstantiate(void)248  static void prng_tdes_deinstantiate(void)
249  {
250  	pr_debug("The prng module stopped "
251  		 "after running in triple DES mode\n");
252  	kfree_sensitive(prng_data);
253  }
254  
255  
256  /*** sha512 functions ***/
257  
prng_sha512_selftest(void)258  static int __init prng_sha512_selftest(void)
259  {
260  	/* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */
261  	static const u8 seed[] __initconst = {
262  		0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a,
263  		0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22,
264  		0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b,
265  		0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c,
266  		0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa,
267  		0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25 };
268  	static const u8 V0[] __initconst = {
269  		0x00, 0xad, 0xe3, 0x6f, 0x9a, 0x01, 0xc7, 0x76,
270  		0x61, 0x34, 0x35, 0xf5, 0x4e, 0x24, 0x74, 0x22,
271  		0x21, 0x9a, 0x29, 0x89, 0xc7, 0x93, 0x2e, 0x60,
272  		0x1e, 0xe8, 0x14, 0x24, 0x8d, 0xd5, 0x03, 0xf1,
273  		0x65, 0x5d, 0x08, 0x22, 0x72, 0xd5, 0xad, 0x95,
274  		0xe1, 0x23, 0x1e, 0x8a, 0xa7, 0x13, 0xd9, 0x2b,
275  		0x5e, 0xbc, 0xbb, 0x80, 0xab, 0x8d, 0xe5, 0x79,
276  		0xab, 0x5b, 0x47, 0x4e, 0xdd, 0xee, 0x6b, 0x03,
277  		0x8f, 0x0f, 0x5c, 0x5e, 0xa9, 0x1a, 0x83, 0xdd,
278  		0xd3, 0x88, 0xb2, 0x75, 0x4b, 0xce, 0x83, 0x36,
279  		0x57, 0x4b, 0xf1, 0x5c, 0xca, 0x7e, 0x09, 0xc0,
280  		0xd3, 0x89, 0xc6, 0xe0, 0xda, 0xc4, 0x81, 0x7e,
281  		0x5b, 0xf9, 0xe1, 0x01, 0xc1, 0x92, 0x05, 0xea,
282  		0xf5, 0x2f, 0xc6, 0xc6, 0xc7, 0x8f, 0xbc, 0xf4 };
283  	static const u8 C0[] __initconst = {
284  		0x00, 0xf4, 0xa3, 0xe5, 0xa0, 0x72, 0x63, 0x95,
285  		0xc6, 0x4f, 0x48, 0xd0, 0x8b, 0x5b, 0x5f, 0x8e,
286  		0x6b, 0x96, 0x1f, 0x16, 0xed, 0xbc, 0x66, 0x94,
287  		0x45, 0x31, 0xd7, 0x47, 0x73, 0x22, 0xa5, 0x86,
288  		0xce, 0xc0, 0x4c, 0xac, 0x63, 0xb8, 0x39, 0x50,
289  		0xbf, 0xe6, 0x59, 0x6c, 0x38, 0x58, 0x99, 0x1f,
290  		0x27, 0xa7, 0x9d, 0x71, 0x2a, 0xb3, 0x7b, 0xf9,
291  		0xfb, 0x17, 0x86, 0xaa, 0x99, 0x81, 0xaa, 0x43,
292  		0xe4, 0x37, 0xd3, 0x1e, 0x6e, 0xe5, 0xe6, 0xee,
293  		0xc2, 0xed, 0x95, 0x4f, 0x53, 0x0e, 0x46, 0x8a,
294  		0xcc, 0x45, 0xa5, 0xdb, 0x69, 0x0d, 0x81, 0xc9,
295  		0x32, 0x92, 0xbc, 0x8f, 0x33, 0xe6, 0xf6, 0x09,
296  		0x7c, 0x8e, 0x05, 0x19, 0x0d, 0xf1, 0xb6, 0xcc,
297  		0xf3, 0x02, 0x21, 0x90, 0x25, 0xec, 0xed, 0x0e };
298  	static const u8 random[] __initconst = {
299  		0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57,
300  		0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6,
301  		0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d,
302  		0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf,
303  		0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26,
304  		0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64,
305  		0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55,
306  		0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a,
307  		0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78,
308  		0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e,
309  		0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb,
310  		0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30,
311  		0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19,
312  		0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f,
313  		0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d,
314  		0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a,
315  		0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2,
316  		0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd,
317  		0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd,
318  		0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2,
319  		0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b,
320  		0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1,
321  		0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99,
322  		0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e,
323  		0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3,
324  		0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67,
325  		0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3,
326  		0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d,
327  		0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b,
328  		0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13,
329  		0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c,
330  		0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2 };
331  
332  	u8 buf[sizeof(random)];
333  	struct prno_ws_s ws;
334  
335  	memset(&ws, 0, sizeof(ws));
336  
337  	/* initial seed */
338  	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
339  		   &ws, NULL, 0, seed, sizeof(seed));
340  
341  	/* check working states V and C */
342  	if (memcmp(ws.V, V0, sizeof(V0)) != 0
343  	    || memcmp(ws.C, C0, sizeof(C0)) != 0) {
344  		pr_err("The prng self test state test "
345  		       "for the SHA-512 mode failed\n");
346  		prng_errorflag = PRNG_SELFTEST_FAILED;
347  		return -EIO;
348  	}
349  
350  	/* generate random bytes */
351  	cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
352  		   &ws, buf, sizeof(buf), NULL, 0);
353  	cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
354  		   &ws, buf, sizeof(buf), NULL, 0);
355  
356  	/* check against expected data */
357  	if (memcmp(buf, random, sizeof(random)) != 0) {
358  		pr_err("The prng self test data test "
359  		       "for the SHA-512 mode failed\n");
360  		prng_errorflag = PRNG_SELFTEST_FAILED;
361  		return -EIO;
362  	}
363  
364  	return 0;
365  }
366  
367  
prng_sha512_instantiate(void)368  static int __init prng_sha512_instantiate(void)
369  {
370  	int ret, datalen, seedlen;
371  	u8 seed[128 + 16];
372  
373  	pr_debug("prng runs in SHA-512 mode "
374  		 "with chunksize=%d and reseed_limit=%u\n",
375  		 prng_chunk_size, prng_reseed_limit);
376  
377  	/* memory allocation, prng_data struct init, mutex init */
378  	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
379  	if (fips_enabled)
380  		datalen += prng_chunk_size;
381  	prng_data = kzalloc(datalen, GFP_KERNEL);
382  	if (!prng_data) {
383  		prng_errorflag = PRNG_INSTANTIATE_FAILED;
384  		return -ENOMEM;
385  	}
386  	mutex_init(&prng_data->mutex);
387  	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
388  
389  	/* selftest */
390  	ret = prng_sha512_selftest();
391  	if (ret)
392  		goto outfree;
393  
394  	/* generate initial seed, we need at least  256 + 128 bits entropy. */
395  	if (trng_available) {
396  		/*
397  		 * Trng available, so use it. The trng works in chunks of
398  		 * 32 bytes and produces 100% entropy. So we pull 64 bytes
399  		 * which gives us 512 bits entropy.
400  		 */
401  		seedlen = 2 * 32;
402  		cpacf_trng(NULL, 0, seed, seedlen);
403  	} else {
404  		/*
405  		 * No trng available, so use the generate_entropy() function.
406  		 * This function works in 64 byte junks and produces
407  		 * 50% entropy. So we pull 2*64 bytes which gives us 512 bits
408  		 * of entropy.
409  		 */
410  		seedlen = 2 * 64;
411  		ret = generate_entropy(seed, seedlen);
412  		if (ret != seedlen)
413  			goto outfree;
414  	}
415  
416  	/* append the seed by 16 bytes of unique nonce */
417  	store_tod_clock_ext((union tod_clock *)(seed + seedlen));
418  	seedlen += 16;
419  
420  	/* now initial seed of the prno drng */
421  	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
422  		   &prng_data->prnows, NULL, 0, seed, seedlen);
423  	memzero_explicit(seed, sizeof(seed));
424  
425  	/* if fips mode is enabled, generate a first block of random
426  	   bytes for the FIPS 140-2 Conditional Self Test */
427  	if (fips_enabled) {
428  		prng_data->prev = prng_data->buf + prng_chunk_size;
429  		cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
430  			   &prng_data->prnows,
431  			   prng_data->prev, prng_chunk_size, NULL, 0);
432  	}
433  
434  	return 0;
435  
436  outfree:
437  	kfree(prng_data);
438  	return ret;
439  }
440  
441  
prng_sha512_deinstantiate(void)442  static void prng_sha512_deinstantiate(void)
443  {
444  	pr_debug("The prng module stopped after running in SHA-512 mode\n");
445  	kfree_sensitive(prng_data);
446  }
447  
448  
prng_sha512_reseed(void)449  static int prng_sha512_reseed(void)
450  {
451  	int ret, seedlen;
452  	u8 seed[64];
453  
454  	/* We need at least 256 bits of fresh entropy for reseeding */
455  	if (trng_available) {
456  		/* trng produces 256 bits entropy in 32 bytes */
457  		seedlen = 32;
458  		cpacf_trng(NULL, 0, seed, seedlen);
459  	} else {
460  		/* generate_entropy() produces 256 bits entropy in 64 bytes */
461  		seedlen = 64;
462  		ret = generate_entropy(seed, seedlen);
463  		if (ret != sizeof(seed))
464  			return ret;
465  	}
466  
467  	/* do a reseed of the prno drng with this bytestring */
468  	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
469  		   &prng_data->prnows, NULL, 0, seed, seedlen);
470  	memzero_explicit(seed, sizeof(seed));
471  
472  	return 0;
473  }
474  
475  
prng_sha512_generate(u8 * buf,size_t nbytes)476  static int prng_sha512_generate(u8 *buf, size_t nbytes)
477  {
478  	int ret;
479  
480  	/* reseed needed ? */
481  	if (prng_data->prnows.reseed_counter > prng_reseed_limit) {
482  		ret = prng_sha512_reseed();
483  		if (ret)
484  			return ret;
485  	}
486  
487  	/* PRNO generate */
488  	cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
489  		   &prng_data->prnows, buf, nbytes, NULL, 0);
490  
491  	/* FIPS 140-2 Conditional Self Test */
492  	if (fips_enabled) {
493  		if (!memcmp(prng_data->prev, buf, nbytes)) {
494  			prng_errorflag = PRNG_GEN_FAILED;
495  			return -EILSEQ;
496  		}
497  		memcpy(prng_data->prev, buf, nbytes);
498  	}
499  
500  	return nbytes;
501  }
502  
503  
504  /*** file io functions ***/
505  
prng_open(struct inode * inode,struct file * file)506  static int prng_open(struct inode *inode, struct file *file)
507  {
508  	return nonseekable_open(inode, file);
509  }
510  
511  
prng_tdes_read(struct file * file,char __user * ubuf,size_t nbytes,loff_t * ppos)512  static ssize_t prng_tdes_read(struct file *file, char __user *ubuf,
513  			      size_t nbytes, loff_t *ppos)
514  {
515  	int chunk, n, ret = 0;
516  
517  	/* lock prng_data struct */
518  	if (mutex_lock_interruptible(&prng_data->mutex))
519  		return -ERESTARTSYS;
520  
521  	while (nbytes) {
522  		if (need_resched()) {
523  			if (signal_pending(current)) {
524  				if (ret == 0)
525  					ret = -ERESTARTSYS;
526  				break;
527  			}
528  			/* give mutex free before calling schedule() */
529  			mutex_unlock(&prng_data->mutex);
530  			schedule();
531  			/* occupy mutex again */
532  			if (mutex_lock_interruptible(&prng_data->mutex)) {
533  				if (ret == 0)
534  					ret = -ERESTARTSYS;
535  				return ret;
536  			}
537  		}
538  
539  		/*
540  		 * we lose some random bytes if an attacker issues
541  		 * reads < 8 bytes, but we don't care
542  		 */
543  		chunk = min_t(int, nbytes, prng_chunk_size);
544  
545  		/* PRNG only likes multiples of 8 bytes */
546  		n = (chunk + 7) & -8;
547  
548  		if (prng_data->prngws.reseed_counter > prng_reseed_limit)
549  			prng_tdes_seed(8);
550  
551  		/* if the CPU supports PRNG stckf is present too */
552  		*((unsigned long long *)prng_data->buf) = get_tod_clock_fast();
553  
554  		/*
555  		 * Beside the STCKF the input for the TDES-EDE is the output
556  		 * of the last operation. We differ here from X9.17 since we
557  		 * only store one timestamp into the buffer. Padding the whole
558  		 * buffer with timestamps does not improve security, since
559  		 * successive stckf have nearly constant offsets.
560  		 * If an attacker knows the first timestamp it would be
561  		 * trivial to guess the additional values. One timestamp
562  		 * is therefore enough and still guarantees unique input values.
563  		 *
564  		 * Note: you can still get strict X9.17 conformity by setting
565  		 * prng_chunk_size to 8 bytes.
566  		 */
567  		cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
568  			  prng_data->buf, prng_data->buf, n);
569  
570  		prng_data->prngws.byte_counter += n;
571  		prng_data->prngws.reseed_counter += n;
572  
573  		if (copy_to_user(ubuf, prng_data->buf, chunk)) {
574  			ret = -EFAULT;
575  			break;
576  		}
577  
578  		nbytes -= chunk;
579  		ret += chunk;
580  		ubuf += chunk;
581  	}
582  
583  	/* unlock prng_data struct */
584  	mutex_unlock(&prng_data->mutex);
585  
586  	return ret;
587  }
588  
589  
prng_sha512_read(struct file * file,char __user * ubuf,size_t nbytes,loff_t * ppos)590  static ssize_t prng_sha512_read(struct file *file, char __user *ubuf,
591  				size_t nbytes, loff_t *ppos)
592  {
593  	int n, ret = 0;
594  	u8 *p;
595  
596  	/* if errorflag is set do nothing and return 'broken pipe' */
597  	if (prng_errorflag)
598  		return -EPIPE;
599  
600  	/* lock prng_data struct */
601  	if (mutex_lock_interruptible(&prng_data->mutex))
602  		return -ERESTARTSYS;
603  
604  	while (nbytes) {
605  		if (need_resched()) {
606  			if (signal_pending(current)) {
607  				if (ret == 0)
608  					ret = -ERESTARTSYS;
609  				break;
610  			}
611  			/* give mutex free before calling schedule() */
612  			mutex_unlock(&prng_data->mutex);
613  			schedule();
614  			/* occopy mutex again */
615  			if (mutex_lock_interruptible(&prng_data->mutex)) {
616  				if (ret == 0)
617  					ret = -ERESTARTSYS;
618  				return ret;
619  			}
620  		}
621  		if (prng_data->rest) {
622  			/* push left over random bytes from the previous read */
623  			p = prng_data->buf + prng_chunk_size - prng_data->rest;
624  			n = (nbytes < prng_data->rest) ?
625  				nbytes : prng_data->rest;
626  			prng_data->rest -= n;
627  		} else {
628  			/* generate one chunk of random bytes into read buf */
629  			p = prng_data->buf;
630  			n = prng_sha512_generate(p, prng_chunk_size);
631  			if (n < 0) {
632  				ret = n;
633  				break;
634  			}
635  			if (nbytes < prng_chunk_size) {
636  				n = nbytes;
637  				prng_data->rest = prng_chunk_size - n;
638  			} else {
639  				n = prng_chunk_size;
640  				prng_data->rest = 0;
641  			}
642  		}
643  		if (copy_to_user(ubuf, p, n)) {
644  			ret = -EFAULT;
645  			break;
646  		}
647  		memzero_explicit(p, n);
648  		ubuf += n;
649  		nbytes -= n;
650  		ret += n;
651  	}
652  
653  	/* unlock prng_data struct */
654  	mutex_unlock(&prng_data->mutex);
655  
656  	return ret;
657  }
658  
659  
660  /*** sysfs stuff ***/
661  
662  static const struct file_operations prng_sha512_fops = {
663  	.owner		= THIS_MODULE,
664  	.open		= &prng_open,
665  	.release	= NULL,
666  	.read		= &prng_sha512_read,
667  	.llseek		= noop_llseek,
668  };
669  static const struct file_operations prng_tdes_fops = {
670  	.owner		= THIS_MODULE,
671  	.open		= &prng_open,
672  	.release	= NULL,
673  	.read		= &prng_tdes_read,
674  	.llseek		= noop_llseek,
675  };
676  
677  /* chunksize attribute (ro) */
prng_chunksize_show(struct device * dev,struct device_attribute * attr,char * buf)678  static ssize_t prng_chunksize_show(struct device *dev,
679  				   struct device_attribute *attr,
680  				   char *buf)
681  {
682  	return scnprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
683  }
684  static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL);
685  
686  /* counter attribute (ro) */
prng_counter_show(struct device * dev,struct device_attribute * attr,char * buf)687  static ssize_t prng_counter_show(struct device *dev,
688  				 struct device_attribute *attr,
689  				 char *buf)
690  {
691  	u64 counter;
692  
693  	if (mutex_lock_interruptible(&prng_data->mutex))
694  		return -ERESTARTSYS;
695  	if (prng_mode == PRNG_MODE_SHA512)
696  		counter = prng_data->prnows.stream_bytes;
697  	else
698  		counter = prng_data->prngws.byte_counter;
699  	mutex_unlock(&prng_data->mutex);
700  
701  	return scnprintf(buf, PAGE_SIZE, "%llu\n", counter);
702  }
703  static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL);
704  
705  /* errorflag attribute (ro) */
prng_errorflag_show(struct device * dev,struct device_attribute * attr,char * buf)706  static ssize_t prng_errorflag_show(struct device *dev,
707  				   struct device_attribute *attr,
708  				   char *buf)
709  {
710  	return scnprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
711  }
712  static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL);
713  
714  /* mode attribute (ro) */
prng_mode_show(struct device * dev,struct device_attribute * attr,char * buf)715  static ssize_t prng_mode_show(struct device *dev,
716  			      struct device_attribute *attr,
717  			      char *buf)
718  {
719  	if (prng_mode == PRNG_MODE_TDES)
720  		return scnprintf(buf, PAGE_SIZE, "TDES\n");
721  	else
722  		return scnprintf(buf, PAGE_SIZE, "SHA512\n");
723  }
724  static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL);
725  
726  /* reseed attribute (w) */
prng_reseed_store(struct device * dev,struct device_attribute * attr,const char * buf,size_t count)727  static ssize_t prng_reseed_store(struct device *dev,
728  				 struct device_attribute *attr,
729  				 const char *buf, size_t count)
730  {
731  	if (mutex_lock_interruptible(&prng_data->mutex))
732  		return -ERESTARTSYS;
733  	prng_sha512_reseed();
734  	mutex_unlock(&prng_data->mutex);
735  
736  	return count;
737  }
738  static DEVICE_ATTR(reseed, 0200, NULL, prng_reseed_store);
739  
740  /* reseed limit attribute (rw) */
prng_reseed_limit_show(struct device * dev,struct device_attribute * attr,char * buf)741  static ssize_t prng_reseed_limit_show(struct device *dev,
742  				      struct device_attribute *attr,
743  				      char *buf)
744  {
745  	return scnprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
746  }
prng_reseed_limit_store(struct device * dev,struct device_attribute * attr,const char * buf,size_t count)747  static ssize_t prng_reseed_limit_store(struct device *dev,
748  				       struct device_attribute *attr,
749  				       const char *buf, size_t count)
750  {
751  	unsigned limit;
752  
753  	if (sscanf(buf, "%u\n", &limit) != 1)
754  		return -EINVAL;
755  
756  	if (prng_mode == PRNG_MODE_SHA512) {
757  		if (limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
758  			return -EINVAL;
759  	} else {
760  		if (limit < PRNG_RESEED_LIMIT_TDES_LOWER)
761  			return -EINVAL;
762  	}
763  
764  	prng_reseed_limit = limit;
765  
766  	return count;
767  }
768  static DEVICE_ATTR(reseed_limit, 0644,
769  		   prng_reseed_limit_show, prng_reseed_limit_store);
770  
771  /* strength attribute (ro) */
prng_strength_show(struct device * dev,struct device_attribute * attr,char * buf)772  static ssize_t prng_strength_show(struct device *dev,
773  				  struct device_attribute *attr,
774  				  char *buf)
775  {
776  	return scnprintf(buf, PAGE_SIZE, "256\n");
777  }
778  static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL);
779  
780  static struct attribute *prng_sha512_dev_attrs[] = {
781  	&dev_attr_errorflag.attr,
782  	&dev_attr_chunksize.attr,
783  	&dev_attr_byte_counter.attr,
784  	&dev_attr_mode.attr,
785  	&dev_attr_reseed.attr,
786  	&dev_attr_reseed_limit.attr,
787  	&dev_attr_strength.attr,
788  	NULL
789  };
790  ATTRIBUTE_GROUPS(prng_sha512_dev);
791  
792  static struct attribute *prng_tdes_dev_attrs[] = {
793  	&dev_attr_chunksize.attr,
794  	&dev_attr_byte_counter.attr,
795  	&dev_attr_mode.attr,
796  	NULL
797  };
798  ATTRIBUTE_GROUPS(prng_tdes_dev);
799  
800  static struct miscdevice prng_sha512_dev = {
801  	.name	= "prandom",
802  	.minor	= MISC_DYNAMIC_MINOR,
803  	.mode	= 0644,
804  	.fops	= &prng_sha512_fops,
805  	.groups = prng_sha512_dev_groups,
806  };
807  
808  static struct miscdevice prng_tdes_dev = {
809  	.name	= "prandom",
810  	.minor	= MISC_DYNAMIC_MINOR,
811  	.mode	= 0644,
812  	.fops	= &prng_tdes_fops,
813  	.groups = prng_tdes_dev_groups,
814  };
815  
816  
817  /*** module init and exit ***/
818  
prng_init(void)819  static int __init prng_init(void)
820  {
821  	int ret;
822  
823  	/* check if the CPU has a PRNG */
824  	if (!cpacf_query_func(CPACF_KMC, CPACF_KMC_PRNG))
825  		return -ENODEV;
826  
827  	/* check if TRNG subfunction is available */
828  	if (cpacf_query_func(CPACF_PRNO, CPACF_PRNO_TRNG))
829  		trng_available = true;
830  
831  	/* choose prng mode */
832  	if (prng_mode != PRNG_MODE_TDES) {
833  		/* check for MSA5 support for PRNO operations */
834  		if (!cpacf_query_func(CPACF_PRNO, CPACF_PRNO_SHA512_DRNG_GEN)) {
835  			if (prng_mode == PRNG_MODE_SHA512) {
836  				pr_err("The prng module cannot "
837  				       "start in SHA-512 mode\n");
838  				return -ENODEV;
839  			}
840  			prng_mode = PRNG_MODE_TDES;
841  		} else
842  			prng_mode = PRNG_MODE_SHA512;
843  	}
844  
845  	if (prng_mode == PRNG_MODE_SHA512) {
846  
847  		/* SHA512 mode */
848  
849  		if (prng_chunk_size < PRNG_CHUNKSIZE_SHA512_MIN
850  		    || prng_chunk_size > PRNG_CHUNKSIZE_SHA512_MAX)
851  			return -EINVAL;
852  		prng_chunk_size = (prng_chunk_size + 0x3f) & ~0x3f;
853  
854  		if (prng_reseed_limit == 0)
855  			prng_reseed_limit = PRNG_RESEED_LIMIT_SHA512;
856  		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
857  			return -EINVAL;
858  
859  		ret = prng_sha512_instantiate();
860  		if (ret)
861  			goto out;
862  
863  		ret = misc_register(&prng_sha512_dev);
864  		if (ret) {
865  			prng_sha512_deinstantiate();
866  			goto out;
867  		}
868  
869  	} else {
870  
871  		/* TDES mode */
872  
873  		if (prng_chunk_size < PRNG_CHUNKSIZE_TDES_MIN
874  		    || prng_chunk_size > PRNG_CHUNKSIZE_TDES_MAX)
875  			return -EINVAL;
876  		prng_chunk_size = (prng_chunk_size + 0x07) & ~0x07;
877  
878  		if (prng_reseed_limit == 0)
879  			prng_reseed_limit = PRNG_RESEED_LIMIT_TDES;
880  		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_TDES_LOWER)
881  			return -EINVAL;
882  
883  		ret = prng_tdes_instantiate();
884  		if (ret)
885  			goto out;
886  
887  		ret = misc_register(&prng_tdes_dev);
888  		if (ret) {
889  			prng_tdes_deinstantiate();
890  			goto out;
891  		}
892  	}
893  
894  out:
895  	return ret;
896  }
897  
898  
prng_exit(void)899  static void __exit prng_exit(void)
900  {
901  	if (prng_mode == PRNG_MODE_SHA512) {
902  		misc_deregister(&prng_sha512_dev);
903  		prng_sha512_deinstantiate();
904  	} else {
905  		misc_deregister(&prng_tdes_dev);
906  		prng_tdes_deinstantiate();
907  	}
908  }
909  
910  module_cpu_feature_match(S390_CPU_FEATURE_MSA, prng_init);
911  module_exit(prng_exit);
912