1 /* 2 * Copyright IBM Corp. 2006, 2015 3 * Author(s): Jan Glauber <jan.glauber@de.ibm.com> 4 * Harald Freudenberger <freude@de.ibm.com> 5 * Driver for the s390 pseudo random number generator 6 */ 7 8 #define KMSG_COMPONENT "prng" 9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 10 11 #include <linux/fs.h> 12 #include <linux/fips.h> 13 #include <linux/init.h> 14 #include <linux/kernel.h> 15 #include <linux/device.h> 16 #include <linux/miscdevice.h> 17 #include <linux/module.h> 18 #include <linux/moduleparam.h> 19 #include <linux/mutex.h> 20 #include <linux/random.h> 21 #include <linux/slab.h> 22 #include <asm/debug.h> 23 #include <asm/uaccess.h> 24 #include <asm/timex.h> 25 26 #include "crypt_s390.h" 27 28 MODULE_LICENSE("GPL"); 29 MODULE_AUTHOR("IBM Corporation"); 30 MODULE_DESCRIPTION("s390 PRNG interface"); 31 32 33 #define PRNG_MODE_AUTO 0 34 #define PRNG_MODE_TDES 1 35 #define PRNG_MODE_SHA512 2 36 37 static unsigned int prng_mode = PRNG_MODE_AUTO; 38 module_param_named(mode, prng_mode, int, 0); 39 MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512"); 40 41 42 #define PRNG_CHUNKSIZE_TDES_MIN 8 43 #define PRNG_CHUNKSIZE_TDES_MAX (64*1024) 44 #define PRNG_CHUNKSIZE_SHA512_MIN 64 45 #define PRNG_CHUNKSIZE_SHA512_MAX (64*1024) 46 47 static unsigned int prng_chunk_size = 256; 48 module_param_named(chunksize, prng_chunk_size, int, 0); 49 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes"); 50 51 52 #define PRNG_RESEED_LIMIT_TDES 4096 53 #define PRNG_RESEED_LIMIT_TDES_LOWER 4096 54 #define PRNG_RESEED_LIMIT_SHA512 100000 55 #define PRNG_RESEED_LIMIT_SHA512_LOWER 10000 56 57 static unsigned int prng_reseed_limit; 58 module_param_named(reseed_limit, prng_reseed_limit, int, 0); 59 MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit"); 60 61 62 /* 63 * Any one who considers arithmetical methods of producing random digits is, 64 * of course, in a state of sin. -- John von Neumann 65 */ 66 67 static int prng_errorflag; 68 69 #define PRNG_GEN_ENTROPY_FAILED 1 70 #define PRNG_SELFTEST_FAILED 2 71 #define PRNG_INSTANTIATE_FAILED 3 72 #define PRNG_SEED_FAILED 4 73 #define PRNG_RESEED_FAILED 5 74 #define PRNG_GEN_FAILED 6 75 76 struct prng_ws_s { 77 u8 parm_block[32]; 78 u32 reseed_counter; 79 u64 byte_counter; 80 }; 81 82 struct ppno_ws_s { 83 u32 res; 84 u32 reseed_counter; 85 u64 stream_bytes; 86 u8 V[112]; 87 u8 C[112]; 88 }; 89 90 struct prng_data_s { 91 struct mutex mutex; 92 union { 93 struct prng_ws_s prngws; 94 struct ppno_ws_s ppnows; 95 }; 96 u8 *buf; 97 u32 rest; 98 u8 *prev; 99 }; 100 101 static struct prng_data_s *prng_data; 102 103 /* initial parameter block for tdes mode, copied from libica */ 104 static const u8 initial_parm_block[32] __initconst = { 105 0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52, 106 0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4, 107 0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF, 108 0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0 }; 109 110 111 /*** helper functions ***/ 112 113 static int generate_entropy(u8 *ebuf, size_t nbytes) 114 { 115 int n, ret = 0; 116 u8 *pg, *h, hash[32]; 117 118 pg = (u8 *) __get_free_page(GFP_KERNEL); 119 if (!pg) { 120 prng_errorflag = PRNG_GEN_ENTROPY_FAILED; 121 return -ENOMEM; 122 } 123 124 while (nbytes) { 125 /* fill page with urandom bytes */ 126 get_random_bytes(pg, PAGE_SIZE); 127 /* exor page with stckf values */ 128 for (n = 0; n < PAGE_SIZE / sizeof(u64); n++) { 129 u64 *p = ((u64 *)pg) + n; 130 *p ^= get_tod_clock_fast(); 131 } 132 n = (nbytes < sizeof(hash)) ? nbytes : sizeof(hash); 133 if (n < sizeof(hash)) 134 h = hash; 135 else 136 h = ebuf; 137 /* generate sha256 from this page */ 138 if (crypt_s390_kimd(KIMD_SHA_256, h, 139 pg, PAGE_SIZE) != PAGE_SIZE) { 140 prng_errorflag = PRNG_GEN_ENTROPY_FAILED; 141 ret = -EIO; 142 goto out; 143 } 144 if (n < sizeof(hash)) 145 memcpy(ebuf, hash, n); 146 ret += n; 147 ebuf += n; 148 nbytes -= n; 149 } 150 151 out: 152 free_page((unsigned long)pg); 153 return ret; 154 } 155 156 157 /*** tdes functions ***/ 158 159 static void prng_tdes_add_entropy(void) 160 { 161 __u64 entropy[4]; 162 unsigned int i; 163 int ret; 164 165 for (i = 0; i < 16; i++) { 166 ret = crypt_s390_kmc(KMC_PRNG, prng_data->prngws.parm_block, 167 (char *)entropy, (char *)entropy, 168 sizeof(entropy)); 169 BUG_ON(ret < 0 || ret != sizeof(entropy)); 170 memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy)); 171 } 172 } 173 174 175 static void prng_tdes_seed(int nbytes) 176 { 177 char buf[16]; 178 int i = 0; 179 180 BUG_ON(nbytes > sizeof(buf)); 181 182 get_random_bytes(buf, nbytes); 183 184 /* Add the entropy */ 185 while (nbytes >= 8) { 186 *((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i)); 187 prng_tdes_add_entropy(); 188 i += 8; 189 nbytes -= 8; 190 } 191 prng_tdes_add_entropy(); 192 prng_data->prngws.reseed_counter = 0; 193 } 194 195 196 static int __init prng_tdes_instantiate(void) 197 { 198 int datalen; 199 200 pr_debug("prng runs in TDES mode with " 201 "chunksize=%d and reseed_limit=%u\n", 202 prng_chunk_size, prng_reseed_limit); 203 204 /* memory allocation, prng_data struct init, mutex init */ 205 datalen = sizeof(struct prng_data_s) + prng_chunk_size; 206 prng_data = kzalloc(datalen, GFP_KERNEL); 207 if (!prng_data) { 208 prng_errorflag = PRNG_INSTANTIATE_FAILED; 209 return -ENOMEM; 210 } 211 mutex_init(&prng_data->mutex); 212 prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s); 213 memcpy(prng_data->prngws.parm_block, initial_parm_block, 32); 214 215 /* initialize the PRNG, add 128 bits of entropy */ 216 prng_tdes_seed(16); 217 218 return 0; 219 } 220 221 222 static void prng_tdes_deinstantiate(void) 223 { 224 pr_debug("The prng module stopped " 225 "after running in triple DES mode\n"); 226 kzfree(prng_data); 227 } 228 229 230 /*** sha512 functions ***/ 231 232 static int __init prng_sha512_selftest(void) 233 { 234 /* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */ 235 static const u8 seed[] __initconst = { 236 0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a, 237 0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22, 238 0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b, 239 0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c, 240 0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa, 241 0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25 }; 242 static const u8 V0[] __initconst = { 243 0x00, 0xad, 0xe3, 0x6f, 0x9a, 0x01, 0xc7, 0x76, 244 0x61, 0x34, 0x35, 0xf5, 0x4e, 0x24, 0x74, 0x22, 245 0x21, 0x9a, 0x29, 0x89, 0xc7, 0x93, 0x2e, 0x60, 246 0x1e, 0xe8, 0x14, 0x24, 0x8d, 0xd5, 0x03, 0xf1, 247 0x65, 0x5d, 0x08, 0x22, 0x72, 0xd5, 0xad, 0x95, 248 0xe1, 0x23, 0x1e, 0x8a, 0xa7, 0x13, 0xd9, 0x2b, 249 0x5e, 0xbc, 0xbb, 0x80, 0xab, 0x8d, 0xe5, 0x79, 250 0xab, 0x5b, 0x47, 0x4e, 0xdd, 0xee, 0x6b, 0x03, 251 0x8f, 0x0f, 0x5c, 0x5e, 0xa9, 0x1a, 0x83, 0xdd, 252 0xd3, 0x88, 0xb2, 0x75, 0x4b, 0xce, 0x83, 0x36, 253 0x57, 0x4b, 0xf1, 0x5c, 0xca, 0x7e, 0x09, 0xc0, 254 0xd3, 0x89, 0xc6, 0xe0, 0xda, 0xc4, 0x81, 0x7e, 255 0x5b, 0xf9, 0xe1, 0x01, 0xc1, 0x92, 0x05, 0xea, 256 0xf5, 0x2f, 0xc6, 0xc6, 0xc7, 0x8f, 0xbc, 0xf4 }; 257 static const u8 C0[] __initconst = { 258 0x00, 0xf4, 0xa3, 0xe5, 0xa0, 0x72, 0x63, 0x95, 259 0xc6, 0x4f, 0x48, 0xd0, 0x8b, 0x5b, 0x5f, 0x8e, 260 0x6b, 0x96, 0x1f, 0x16, 0xed, 0xbc, 0x66, 0x94, 261 0x45, 0x31, 0xd7, 0x47, 0x73, 0x22, 0xa5, 0x86, 262 0xce, 0xc0, 0x4c, 0xac, 0x63, 0xb8, 0x39, 0x50, 263 0xbf, 0xe6, 0x59, 0x6c, 0x38, 0x58, 0x99, 0x1f, 264 0x27, 0xa7, 0x9d, 0x71, 0x2a, 0xb3, 0x7b, 0xf9, 265 0xfb, 0x17, 0x86, 0xaa, 0x99, 0x81, 0xaa, 0x43, 266 0xe4, 0x37, 0xd3, 0x1e, 0x6e, 0xe5, 0xe6, 0xee, 267 0xc2, 0xed, 0x95, 0x4f, 0x53, 0x0e, 0x46, 0x8a, 268 0xcc, 0x45, 0xa5, 0xdb, 0x69, 0x0d, 0x81, 0xc9, 269 0x32, 0x92, 0xbc, 0x8f, 0x33, 0xe6, 0xf6, 0x09, 270 0x7c, 0x8e, 0x05, 0x19, 0x0d, 0xf1, 0xb6, 0xcc, 271 0xf3, 0x02, 0x21, 0x90, 0x25, 0xec, 0xed, 0x0e }; 272 static const u8 random[] __initconst = { 273 0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57, 274 0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6, 275 0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d, 276 0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf, 277 0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26, 278 0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64, 279 0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55, 280 0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a, 281 0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78, 282 0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e, 283 0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb, 284 0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30, 285 0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19, 286 0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f, 287 0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d, 288 0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a, 289 0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2, 290 0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd, 291 0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd, 292 0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2, 293 0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b, 294 0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1, 295 0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99, 296 0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e, 297 0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3, 298 0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67, 299 0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3, 300 0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d, 301 0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b, 302 0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13, 303 0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c, 304 0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2 }; 305 306 int ret = 0; 307 u8 buf[sizeof(random)]; 308 struct ppno_ws_s ws; 309 310 memset(&ws, 0, sizeof(ws)); 311 312 /* initial seed */ 313 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_SEED, 314 &ws, NULL, 0, 315 seed, sizeof(seed)); 316 if (ret < 0) { 317 pr_err("The prng self test seed operation for the " 318 "SHA-512 mode failed with rc=%d\n", ret); 319 prng_errorflag = PRNG_SELFTEST_FAILED; 320 return -EIO; 321 } 322 323 /* check working states V and C */ 324 if (memcmp(ws.V, V0, sizeof(V0)) != 0 325 || memcmp(ws.C, C0, sizeof(C0)) != 0) { 326 pr_err("The prng self test state test " 327 "for the SHA-512 mode failed\n"); 328 prng_errorflag = PRNG_SELFTEST_FAILED; 329 return -EIO; 330 } 331 332 /* generate random bytes */ 333 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN, 334 &ws, buf, sizeof(buf), 335 NULL, 0); 336 if (ret < 0) { 337 pr_err("The prng self test generate operation for " 338 "the SHA-512 mode failed with rc=%d\n", ret); 339 prng_errorflag = PRNG_SELFTEST_FAILED; 340 return -EIO; 341 } 342 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN, 343 &ws, buf, sizeof(buf), 344 NULL, 0); 345 if (ret < 0) { 346 pr_err("The prng self test generate operation for " 347 "the SHA-512 mode failed with rc=%d\n", ret); 348 prng_errorflag = PRNG_SELFTEST_FAILED; 349 return -EIO; 350 } 351 352 /* check against expected data */ 353 if (memcmp(buf, random, sizeof(random)) != 0) { 354 pr_err("The prng self test data test " 355 "for the SHA-512 mode failed\n"); 356 prng_errorflag = PRNG_SELFTEST_FAILED; 357 return -EIO; 358 } 359 360 return 0; 361 } 362 363 364 static int __init prng_sha512_instantiate(void) 365 { 366 int ret, datalen; 367 u8 seed[64]; 368 369 pr_debug("prng runs in SHA-512 mode " 370 "with chunksize=%d and reseed_limit=%u\n", 371 prng_chunk_size, prng_reseed_limit); 372 373 /* memory allocation, prng_data struct init, mutex init */ 374 datalen = sizeof(struct prng_data_s) + prng_chunk_size; 375 if (fips_enabled) 376 datalen += prng_chunk_size; 377 prng_data = kzalloc(datalen, GFP_KERNEL); 378 if (!prng_data) { 379 prng_errorflag = PRNG_INSTANTIATE_FAILED; 380 return -ENOMEM; 381 } 382 mutex_init(&prng_data->mutex); 383 prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s); 384 385 /* selftest */ 386 ret = prng_sha512_selftest(); 387 if (ret) 388 goto outfree; 389 390 /* generate initial seed bytestring, first 48 bytes of entropy */ 391 ret = generate_entropy(seed, 48); 392 if (ret != 48) 393 goto outfree; 394 /* followed by 16 bytes of unique nonce */ 395 get_tod_clock_ext(seed + 48); 396 397 /* initial seed of the ppno drng */ 398 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_SEED, 399 &prng_data->ppnows, NULL, 0, 400 seed, sizeof(seed)); 401 if (ret < 0) { 402 prng_errorflag = PRNG_SEED_FAILED; 403 ret = -EIO; 404 goto outfree; 405 } 406 407 /* if fips mode is enabled, generate a first block of random 408 bytes for the FIPS 140-2 Conditional Self Test */ 409 if (fips_enabled) { 410 prng_data->prev = prng_data->buf + prng_chunk_size; 411 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN, 412 &prng_data->ppnows, 413 prng_data->prev, 414 prng_chunk_size, 415 NULL, 0); 416 if (ret < 0 || ret != prng_chunk_size) { 417 prng_errorflag = PRNG_GEN_FAILED; 418 ret = -EIO; 419 goto outfree; 420 } 421 } 422 423 return 0; 424 425 outfree: 426 kfree(prng_data); 427 return ret; 428 } 429 430 431 static void prng_sha512_deinstantiate(void) 432 { 433 pr_debug("The prng module stopped after running in SHA-512 mode\n"); 434 kzfree(prng_data); 435 } 436 437 438 static int prng_sha512_reseed(void) 439 { 440 int ret; 441 u8 seed[32]; 442 443 /* generate 32 bytes of fresh entropy */ 444 ret = generate_entropy(seed, sizeof(seed)); 445 if (ret != sizeof(seed)) 446 return ret; 447 448 /* do a reseed of the ppno drng with this bytestring */ 449 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_SEED, 450 &prng_data->ppnows, NULL, 0, 451 seed, sizeof(seed)); 452 if (ret) { 453 prng_errorflag = PRNG_RESEED_FAILED; 454 return -EIO; 455 } 456 457 return 0; 458 } 459 460 461 static int prng_sha512_generate(u8 *buf, size_t nbytes) 462 { 463 int ret; 464 465 /* reseed needed ? */ 466 if (prng_data->ppnows.reseed_counter > prng_reseed_limit) { 467 ret = prng_sha512_reseed(); 468 if (ret) 469 return ret; 470 } 471 472 /* PPNO generate */ 473 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN, 474 &prng_data->ppnows, buf, nbytes, 475 NULL, 0); 476 if (ret < 0 || ret != nbytes) { 477 prng_errorflag = PRNG_GEN_FAILED; 478 return -EIO; 479 } 480 481 /* FIPS 140-2 Conditional Self Test */ 482 if (fips_enabled) { 483 if (!memcmp(prng_data->prev, buf, nbytes)) { 484 prng_errorflag = PRNG_GEN_FAILED; 485 return -EILSEQ; 486 } 487 memcpy(prng_data->prev, buf, nbytes); 488 } 489 490 return ret; 491 } 492 493 494 /*** file io functions ***/ 495 496 static int prng_open(struct inode *inode, struct file *file) 497 { 498 return nonseekable_open(inode, file); 499 } 500 501 502 static ssize_t prng_tdes_read(struct file *file, char __user *ubuf, 503 size_t nbytes, loff_t *ppos) 504 { 505 int chunk, n, tmp, ret = 0; 506 507 /* lock prng_data struct */ 508 if (mutex_lock_interruptible(&prng_data->mutex)) 509 return -ERESTARTSYS; 510 511 while (nbytes) { 512 if (need_resched()) { 513 if (signal_pending(current)) { 514 if (ret == 0) 515 ret = -ERESTARTSYS; 516 break; 517 } 518 /* give mutex free before calling schedule() */ 519 mutex_unlock(&prng_data->mutex); 520 schedule(); 521 /* occopy mutex again */ 522 if (mutex_lock_interruptible(&prng_data->mutex)) { 523 if (ret == 0) 524 ret = -ERESTARTSYS; 525 return ret; 526 } 527 } 528 529 /* 530 * we lose some random bytes if an attacker issues 531 * reads < 8 bytes, but we don't care 532 */ 533 chunk = min_t(int, nbytes, prng_chunk_size); 534 535 /* PRNG only likes multiples of 8 bytes */ 536 n = (chunk + 7) & -8; 537 538 if (prng_data->prngws.reseed_counter > prng_reseed_limit) 539 prng_tdes_seed(8); 540 541 /* if the CPU supports PRNG stckf is present too */ 542 *((unsigned long long *)prng_data->buf) = get_tod_clock_fast(); 543 544 /* 545 * Beside the STCKF the input for the TDES-EDE is the output 546 * of the last operation. We differ here from X9.17 since we 547 * only store one timestamp into the buffer. Padding the whole 548 * buffer with timestamps does not improve security, since 549 * successive stckf have nearly constant offsets. 550 * If an attacker knows the first timestamp it would be 551 * trivial to guess the additional values. One timestamp 552 * is therefore enough and still guarantees unique input values. 553 * 554 * Note: you can still get strict X9.17 conformity by setting 555 * prng_chunk_size to 8 bytes. 556 */ 557 tmp = crypt_s390_kmc(KMC_PRNG, prng_data->prngws.parm_block, 558 prng_data->buf, prng_data->buf, n); 559 if (tmp < 0 || tmp != n) { 560 ret = -EIO; 561 break; 562 } 563 564 prng_data->prngws.byte_counter += n; 565 prng_data->prngws.reseed_counter += n; 566 567 if (copy_to_user(ubuf, prng_data->buf, chunk)) 568 return -EFAULT; 569 570 nbytes -= chunk; 571 ret += chunk; 572 ubuf += chunk; 573 } 574 575 /* unlock prng_data struct */ 576 mutex_unlock(&prng_data->mutex); 577 578 return ret; 579 } 580 581 582 static ssize_t prng_sha512_read(struct file *file, char __user *ubuf, 583 size_t nbytes, loff_t *ppos) 584 { 585 int n, ret = 0; 586 u8 *p; 587 588 /* if errorflag is set do nothing and return 'broken pipe' */ 589 if (prng_errorflag) 590 return -EPIPE; 591 592 /* lock prng_data struct */ 593 if (mutex_lock_interruptible(&prng_data->mutex)) 594 return -ERESTARTSYS; 595 596 while (nbytes) { 597 if (need_resched()) { 598 if (signal_pending(current)) { 599 if (ret == 0) 600 ret = -ERESTARTSYS; 601 break; 602 } 603 /* give mutex free before calling schedule() */ 604 mutex_unlock(&prng_data->mutex); 605 schedule(); 606 /* occopy mutex again */ 607 if (mutex_lock_interruptible(&prng_data->mutex)) { 608 if (ret == 0) 609 ret = -ERESTARTSYS; 610 return ret; 611 } 612 } 613 if (prng_data->rest) { 614 /* push left over random bytes from the previous read */ 615 p = prng_data->buf + prng_chunk_size - prng_data->rest; 616 n = (nbytes < prng_data->rest) ? 617 nbytes : prng_data->rest; 618 prng_data->rest -= n; 619 } else { 620 /* generate one chunk of random bytes into read buf */ 621 p = prng_data->buf; 622 n = prng_sha512_generate(p, prng_chunk_size); 623 if (n < 0) { 624 ret = n; 625 break; 626 } 627 if (nbytes < prng_chunk_size) { 628 n = nbytes; 629 prng_data->rest = prng_chunk_size - n; 630 } else { 631 n = prng_chunk_size; 632 prng_data->rest = 0; 633 } 634 } 635 if (copy_to_user(ubuf, p, n)) { 636 ret = -EFAULT; 637 break; 638 } 639 ubuf += n; 640 nbytes -= n; 641 ret += n; 642 } 643 644 /* unlock prng_data struct */ 645 mutex_unlock(&prng_data->mutex); 646 647 return ret; 648 } 649 650 651 /*** sysfs stuff ***/ 652 653 static const struct file_operations prng_sha512_fops = { 654 .owner = THIS_MODULE, 655 .open = &prng_open, 656 .release = NULL, 657 .read = &prng_sha512_read, 658 .llseek = noop_llseek, 659 }; 660 static const struct file_operations prng_tdes_fops = { 661 .owner = THIS_MODULE, 662 .open = &prng_open, 663 .release = NULL, 664 .read = &prng_tdes_read, 665 .llseek = noop_llseek, 666 }; 667 668 static struct miscdevice prng_sha512_dev = { 669 .name = "prandom", 670 .minor = MISC_DYNAMIC_MINOR, 671 .fops = &prng_sha512_fops, 672 }; 673 static struct miscdevice prng_tdes_dev = { 674 .name = "prandom", 675 .minor = MISC_DYNAMIC_MINOR, 676 .fops = &prng_tdes_fops, 677 }; 678 679 680 /* chunksize attribute (ro) */ 681 static ssize_t prng_chunksize_show(struct device *dev, 682 struct device_attribute *attr, 683 char *buf) 684 { 685 return snprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size); 686 } 687 static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL); 688 689 /* counter attribute (ro) */ 690 static ssize_t prng_counter_show(struct device *dev, 691 struct device_attribute *attr, 692 char *buf) 693 { 694 u64 counter; 695 696 if (mutex_lock_interruptible(&prng_data->mutex)) 697 return -ERESTARTSYS; 698 if (prng_mode == PRNG_MODE_SHA512) 699 counter = prng_data->ppnows.stream_bytes; 700 else 701 counter = prng_data->prngws.byte_counter; 702 mutex_unlock(&prng_data->mutex); 703 704 return snprintf(buf, PAGE_SIZE, "%llu\n", counter); 705 } 706 static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL); 707 708 /* errorflag attribute (ro) */ 709 static ssize_t prng_errorflag_show(struct device *dev, 710 struct device_attribute *attr, 711 char *buf) 712 { 713 return snprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag); 714 } 715 static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL); 716 717 /* mode attribute (ro) */ 718 static ssize_t prng_mode_show(struct device *dev, 719 struct device_attribute *attr, 720 char *buf) 721 { 722 if (prng_mode == PRNG_MODE_TDES) 723 return snprintf(buf, PAGE_SIZE, "TDES\n"); 724 else 725 return snprintf(buf, PAGE_SIZE, "SHA512\n"); 726 } 727 static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL); 728 729 /* reseed attribute (w) */ 730 static ssize_t prng_reseed_store(struct device *dev, 731 struct device_attribute *attr, 732 const char *buf, size_t count) 733 { 734 if (mutex_lock_interruptible(&prng_data->mutex)) 735 return -ERESTARTSYS; 736 prng_sha512_reseed(); 737 mutex_unlock(&prng_data->mutex); 738 739 return count; 740 } 741 static DEVICE_ATTR(reseed, 0200, NULL, prng_reseed_store); 742 743 /* reseed limit attribute (rw) */ 744 static ssize_t prng_reseed_limit_show(struct device *dev, 745 struct device_attribute *attr, 746 char *buf) 747 { 748 return snprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit); 749 } 750 static ssize_t prng_reseed_limit_store(struct device *dev, 751 struct device_attribute *attr, 752 const char *buf, size_t count) 753 { 754 unsigned limit; 755 756 if (sscanf(buf, "%u\n", &limit) != 1) 757 return -EINVAL; 758 759 if (prng_mode == PRNG_MODE_SHA512) { 760 if (limit < PRNG_RESEED_LIMIT_SHA512_LOWER) 761 return -EINVAL; 762 } else { 763 if (limit < PRNG_RESEED_LIMIT_TDES_LOWER) 764 return -EINVAL; 765 } 766 767 prng_reseed_limit = limit; 768 769 return count; 770 } 771 static DEVICE_ATTR(reseed_limit, 0644, 772 prng_reseed_limit_show, prng_reseed_limit_store); 773 774 /* strength attribute (ro) */ 775 static ssize_t prng_strength_show(struct device *dev, 776 struct device_attribute *attr, 777 char *buf) 778 { 779 return snprintf(buf, PAGE_SIZE, "256\n"); 780 } 781 static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL); 782 783 static struct attribute *prng_sha512_dev_attrs[] = { 784 &dev_attr_errorflag.attr, 785 &dev_attr_chunksize.attr, 786 &dev_attr_byte_counter.attr, 787 &dev_attr_mode.attr, 788 &dev_attr_reseed.attr, 789 &dev_attr_reseed_limit.attr, 790 &dev_attr_strength.attr, 791 NULL 792 }; 793 static struct attribute *prng_tdes_dev_attrs[] = { 794 &dev_attr_chunksize.attr, 795 &dev_attr_byte_counter.attr, 796 &dev_attr_mode.attr, 797 NULL 798 }; 799 800 static struct attribute_group prng_sha512_dev_attr_group = { 801 .attrs = prng_sha512_dev_attrs 802 }; 803 static struct attribute_group prng_tdes_dev_attr_group = { 804 .attrs = prng_tdes_dev_attrs 805 }; 806 807 808 /*** module init and exit ***/ 809 810 static int __init prng_init(void) 811 { 812 int ret; 813 814 /* check if the CPU has a PRNG */ 815 if (!crypt_s390_func_available(KMC_PRNG, CRYPT_S390_MSA)) 816 return -EOPNOTSUPP; 817 818 /* choose prng mode */ 819 if (prng_mode != PRNG_MODE_TDES) { 820 /* check for MSA5 support for PPNO operations */ 821 if (!crypt_s390_func_available(PPNO_SHA512_DRNG_GEN, 822 CRYPT_S390_MSA5)) { 823 if (prng_mode == PRNG_MODE_SHA512) { 824 pr_err("The prng module cannot " 825 "start in SHA-512 mode\n"); 826 return -EOPNOTSUPP; 827 } 828 prng_mode = PRNG_MODE_TDES; 829 } else 830 prng_mode = PRNG_MODE_SHA512; 831 } 832 833 if (prng_mode == PRNG_MODE_SHA512) { 834 835 /* SHA512 mode */ 836 837 if (prng_chunk_size < PRNG_CHUNKSIZE_SHA512_MIN 838 || prng_chunk_size > PRNG_CHUNKSIZE_SHA512_MAX) 839 return -EINVAL; 840 prng_chunk_size = (prng_chunk_size + 0x3f) & ~0x3f; 841 842 if (prng_reseed_limit == 0) 843 prng_reseed_limit = PRNG_RESEED_LIMIT_SHA512; 844 else if (prng_reseed_limit < PRNG_RESEED_LIMIT_SHA512_LOWER) 845 return -EINVAL; 846 847 ret = prng_sha512_instantiate(); 848 if (ret) 849 goto out; 850 851 ret = misc_register(&prng_sha512_dev); 852 if (ret) { 853 prng_sha512_deinstantiate(); 854 goto out; 855 } 856 ret = sysfs_create_group(&prng_sha512_dev.this_device->kobj, 857 &prng_sha512_dev_attr_group); 858 if (ret) { 859 misc_deregister(&prng_sha512_dev); 860 prng_sha512_deinstantiate(); 861 goto out; 862 } 863 864 } else { 865 866 /* TDES mode */ 867 868 if (prng_chunk_size < PRNG_CHUNKSIZE_TDES_MIN 869 || prng_chunk_size > PRNG_CHUNKSIZE_TDES_MAX) 870 return -EINVAL; 871 prng_chunk_size = (prng_chunk_size + 0x07) & ~0x07; 872 873 if (prng_reseed_limit == 0) 874 prng_reseed_limit = PRNG_RESEED_LIMIT_TDES; 875 else if (prng_reseed_limit < PRNG_RESEED_LIMIT_TDES_LOWER) 876 return -EINVAL; 877 878 ret = prng_tdes_instantiate(); 879 if (ret) 880 goto out; 881 882 ret = misc_register(&prng_tdes_dev); 883 if (ret) { 884 prng_tdes_deinstantiate(); 885 goto out; 886 } 887 ret = sysfs_create_group(&prng_tdes_dev.this_device->kobj, 888 &prng_tdes_dev_attr_group); 889 if (ret) { 890 misc_deregister(&prng_tdes_dev); 891 prng_tdes_deinstantiate(); 892 goto out; 893 } 894 895 } 896 897 out: 898 return ret; 899 } 900 901 902 static void __exit prng_exit(void) 903 { 904 if (prng_mode == PRNG_MODE_SHA512) { 905 sysfs_remove_group(&prng_sha512_dev.this_device->kobj, 906 &prng_sha512_dev_attr_group); 907 misc_deregister(&prng_sha512_dev); 908 prng_sha512_deinstantiate(); 909 } else { 910 sysfs_remove_group(&prng_tdes_dev.this_device->kobj, 911 &prng_tdes_dev_attr_group); 912 misc_deregister(&prng_tdes_dev); 913 prng_tdes_deinstantiate(); 914 } 915 } 916 917 918 module_init(prng_init); 919 module_exit(prng_exit); 920