1 /* 2 * Copyright IBM Corp. 2006, 2015 3 * Author(s): Jan Glauber <jan.glauber@de.ibm.com> 4 * Harald Freudenberger <freude@de.ibm.com> 5 * Driver for the s390 pseudo random number generator 6 */ 7 8 #define KMSG_COMPONENT "prng" 9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 10 11 #include <linux/fs.h> 12 #include <linux/fips.h> 13 #include <linux/init.h> 14 #include <linux/kernel.h> 15 #include <linux/device.h> 16 #include <linux/miscdevice.h> 17 #include <linux/module.h> 18 #include <linux/moduleparam.h> 19 #include <linux/mutex.h> 20 #include <linux/cpufeature.h> 21 #include <linux/random.h> 22 #include <linux/slab.h> 23 #include <asm/debug.h> 24 #include <linux/uaccess.h> 25 #include <asm/timex.h> 26 #include <asm/cpacf.h> 27 28 MODULE_LICENSE("GPL"); 29 MODULE_AUTHOR("IBM Corporation"); 30 MODULE_DESCRIPTION("s390 PRNG interface"); 31 32 33 #define PRNG_MODE_AUTO 0 34 #define PRNG_MODE_TDES 1 35 #define PRNG_MODE_SHA512 2 36 37 static unsigned int prng_mode = PRNG_MODE_AUTO; 38 module_param_named(mode, prng_mode, int, 0); 39 MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512"); 40 41 42 #define PRNG_CHUNKSIZE_TDES_MIN 8 43 #define PRNG_CHUNKSIZE_TDES_MAX (64*1024) 44 #define PRNG_CHUNKSIZE_SHA512_MIN 64 45 #define PRNG_CHUNKSIZE_SHA512_MAX (64*1024) 46 47 static unsigned int prng_chunk_size = 256; 48 module_param_named(chunksize, prng_chunk_size, int, 0); 49 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes"); 50 51 52 #define PRNG_RESEED_LIMIT_TDES 4096 53 #define PRNG_RESEED_LIMIT_TDES_LOWER 4096 54 #define PRNG_RESEED_LIMIT_SHA512 100000 55 #define PRNG_RESEED_LIMIT_SHA512_LOWER 10000 56 57 static unsigned int prng_reseed_limit; 58 module_param_named(reseed_limit, prng_reseed_limit, int, 0); 59 MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit"); 60 61 62 /* 63 * Any one who considers arithmetical methods of producing random digits is, 64 * of course, in a state of sin. -- John von Neumann 65 */ 66 67 static int prng_errorflag; 68 69 #define PRNG_GEN_ENTROPY_FAILED 1 70 #define PRNG_SELFTEST_FAILED 2 71 #define PRNG_INSTANTIATE_FAILED 3 72 #define PRNG_SEED_FAILED 4 73 #define PRNG_RESEED_FAILED 5 74 #define PRNG_GEN_FAILED 6 75 76 struct prng_ws_s { 77 u8 parm_block[32]; 78 u32 reseed_counter; 79 u64 byte_counter; 80 }; 81 82 struct ppno_ws_s { 83 u32 res; 84 u32 reseed_counter; 85 u64 stream_bytes; 86 u8 V[112]; 87 u8 C[112]; 88 }; 89 90 struct prng_data_s { 91 struct mutex mutex; 92 union { 93 struct prng_ws_s prngws; 94 struct ppno_ws_s ppnows; 95 }; 96 u8 *buf; 97 u32 rest; 98 u8 *prev; 99 }; 100 101 static struct prng_data_s *prng_data; 102 103 /* initial parameter block for tdes mode, copied from libica */ 104 static const u8 initial_parm_block[32] __initconst = { 105 0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52, 106 0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4, 107 0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF, 108 0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0 }; 109 110 111 /*** helper functions ***/ 112 113 /* 114 * generate_entropy: 115 * This algorithm produces 64 bytes of entropy data based on 1024 116 * individual stckf() invocations assuming that each stckf() value 117 * contributes 0.25 bits of entropy. So the caller gets 256 bit 118 * entropy per 64 byte or 4 bits entropy per byte. 119 */ 120 static int generate_entropy(u8 *ebuf, size_t nbytes) 121 { 122 int n, ret = 0; 123 u8 *pg, *h, hash[64]; 124 125 /* allocate 2 pages */ 126 pg = (u8 *) __get_free_pages(GFP_KERNEL, 1); 127 if (!pg) { 128 prng_errorflag = PRNG_GEN_ENTROPY_FAILED; 129 return -ENOMEM; 130 } 131 132 while (nbytes) { 133 /* fill pages with urandom bytes */ 134 get_random_bytes(pg, 2*PAGE_SIZE); 135 /* exor pages with 1024 stckf values */ 136 for (n = 0; n < 2 * PAGE_SIZE / sizeof(u64); n++) { 137 u64 *p = ((u64 *)pg) + n; 138 *p ^= get_tod_clock_fast(); 139 } 140 n = (nbytes < sizeof(hash)) ? nbytes : sizeof(hash); 141 if (n < sizeof(hash)) 142 h = hash; 143 else 144 h = ebuf; 145 /* hash over the filled pages */ 146 cpacf_kimd(CPACF_KIMD_SHA_512, h, pg, 2*PAGE_SIZE); 147 if (n < sizeof(hash)) 148 memcpy(ebuf, hash, n); 149 ret += n; 150 ebuf += n; 151 nbytes -= n; 152 } 153 154 free_pages((unsigned long)pg, 1); 155 return ret; 156 } 157 158 159 /*** tdes functions ***/ 160 161 static void prng_tdes_add_entropy(void) 162 { 163 __u64 entropy[4]; 164 unsigned int i; 165 166 for (i = 0; i < 16; i++) { 167 cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block, 168 (char *) entropy, (char *) entropy, 169 sizeof(entropy)); 170 memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy)); 171 } 172 } 173 174 175 static void prng_tdes_seed(int nbytes) 176 { 177 char buf[16]; 178 int i = 0; 179 180 BUG_ON(nbytes > sizeof(buf)); 181 182 get_random_bytes(buf, nbytes); 183 184 /* Add the entropy */ 185 while (nbytes >= 8) { 186 *((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i)); 187 prng_tdes_add_entropy(); 188 i += 8; 189 nbytes -= 8; 190 } 191 prng_tdes_add_entropy(); 192 prng_data->prngws.reseed_counter = 0; 193 } 194 195 196 static int __init prng_tdes_instantiate(void) 197 { 198 int datalen; 199 200 pr_debug("prng runs in TDES mode with " 201 "chunksize=%d and reseed_limit=%u\n", 202 prng_chunk_size, prng_reseed_limit); 203 204 /* memory allocation, prng_data struct init, mutex init */ 205 datalen = sizeof(struct prng_data_s) + prng_chunk_size; 206 prng_data = kzalloc(datalen, GFP_KERNEL); 207 if (!prng_data) { 208 prng_errorflag = PRNG_INSTANTIATE_FAILED; 209 return -ENOMEM; 210 } 211 mutex_init(&prng_data->mutex); 212 prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s); 213 memcpy(prng_data->prngws.parm_block, initial_parm_block, 32); 214 215 /* initialize the PRNG, add 128 bits of entropy */ 216 prng_tdes_seed(16); 217 218 return 0; 219 } 220 221 222 static void prng_tdes_deinstantiate(void) 223 { 224 pr_debug("The prng module stopped " 225 "after running in triple DES mode\n"); 226 kzfree(prng_data); 227 } 228 229 230 /*** sha512 functions ***/ 231 232 static int __init prng_sha512_selftest(void) 233 { 234 /* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */ 235 static const u8 seed[] __initconst = { 236 0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a, 237 0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22, 238 0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b, 239 0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c, 240 0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa, 241 0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25 }; 242 static const u8 V0[] __initconst = { 243 0x00, 0xad, 0xe3, 0x6f, 0x9a, 0x01, 0xc7, 0x76, 244 0x61, 0x34, 0x35, 0xf5, 0x4e, 0x24, 0x74, 0x22, 245 0x21, 0x9a, 0x29, 0x89, 0xc7, 0x93, 0x2e, 0x60, 246 0x1e, 0xe8, 0x14, 0x24, 0x8d, 0xd5, 0x03, 0xf1, 247 0x65, 0x5d, 0x08, 0x22, 0x72, 0xd5, 0xad, 0x95, 248 0xe1, 0x23, 0x1e, 0x8a, 0xa7, 0x13, 0xd9, 0x2b, 249 0x5e, 0xbc, 0xbb, 0x80, 0xab, 0x8d, 0xe5, 0x79, 250 0xab, 0x5b, 0x47, 0x4e, 0xdd, 0xee, 0x6b, 0x03, 251 0x8f, 0x0f, 0x5c, 0x5e, 0xa9, 0x1a, 0x83, 0xdd, 252 0xd3, 0x88, 0xb2, 0x75, 0x4b, 0xce, 0x83, 0x36, 253 0x57, 0x4b, 0xf1, 0x5c, 0xca, 0x7e, 0x09, 0xc0, 254 0xd3, 0x89, 0xc6, 0xe0, 0xda, 0xc4, 0x81, 0x7e, 255 0x5b, 0xf9, 0xe1, 0x01, 0xc1, 0x92, 0x05, 0xea, 256 0xf5, 0x2f, 0xc6, 0xc6, 0xc7, 0x8f, 0xbc, 0xf4 }; 257 static const u8 C0[] __initconst = { 258 0x00, 0xf4, 0xa3, 0xe5, 0xa0, 0x72, 0x63, 0x95, 259 0xc6, 0x4f, 0x48, 0xd0, 0x8b, 0x5b, 0x5f, 0x8e, 260 0x6b, 0x96, 0x1f, 0x16, 0xed, 0xbc, 0x66, 0x94, 261 0x45, 0x31, 0xd7, 0x47, 0x73, 0x22, 0xa5, 0x86, 262 0xce, 0xc0, 0x4c, 0xac, 0x63, 0xb8, 0x39, 0x50, 263 0xbf, 0xe6, 0x59, 0x6c, 0x38, 0x58, 0x99, 0x1f, 264 0x27, 0xa7, 0x9d, 0x71, 0x2a, 0xb3, 0x7b, 0xf9, 265 0xfb, 0x17, 0x86, 0xaa, 0x99, 0x81, 0xaa, 0x43, 266 0xe4, 0x37, 0xd3, 0x1e, 0x6e, 0xe5, 0xe6, 0xee, 267 0xc2, 0xed, 0x95, 0x4f, 0x53, 0x0e, 0x46, 0x8a, 268 0xcc, 0x45, 0xa5, 0xdb, 0x69, 0x0d, 0x81, 0xc9, 269 0x32, 0x92, 0xbc, 0x8f, 0x33, 0xe6, 0xf6, 0x09, 270 0x7c, 0x8e, 0x05, 0x19, 0x0d, 0xf1, 0xb6, 0xcc, 271 0xf3, 0x02, 0x21, 0x90, 0x25, 0xec, 0xed, 0x0e }; 272 static const u8 random[] __initconst = { 273 0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57, 274 0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6, 275 0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d, 276 0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf, 277 0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26, 278 0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64, 279 0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55, 280 0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a, 281 0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78, 282 0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e, 283 0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb, 284 0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30, 285 0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19, 286 0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f, 287 0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d, 288 0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a, 289 0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2, 290 0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd, 291 0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd, 292 0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2, 293 0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b, 294 0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1, 295 0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99, 296 0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e, 297 0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3, 298 0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67, 299 0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3, 300 0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d, 301 0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b, 302 0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13, 303 0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c, 304 0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2 }; 305 306 u8 buf[sizeof(random)]; 307 struct ppno_ws_s ws; 308 309 memset(&ws, 0, sizeof(ws)); 310 311 /* initial seed */ 312 cpacf_ppno(CPACF_PPNO_SHA512_DRNG_SEED, 313 &ws, NULL, 0, seed, sizeof(seed)); 314 315 /* check working states V and C */ 316 if (memcmp(ws.V, V0, sizeof(V0)) != 0 317 || memcmp(ws.C, C0, sizeof(C0)) != 0) { 318 pr_err("The prng self test state test " 319 "for the SHA-512 mode failed\n"); 320 prng_errorflag = PRNG_SELFTEST_FAILED; 321 return -EIO; 322 } 323 324 /* generate random bytes */ 325 cpacf_ppno(CPACF_PPNO_SHA512_DRNG_GEN, 326 &ws, buf, sizeof(buf), NULL, 0); 327 cpacf_ppno(CPACF_PPNO_SHA512_DRNG_GEN, 328 &ws, buf, sizeof(buf), NULL, 0); 329 330 /* check against expected data */ 331 if (memcmp(buf, random, sizeof(random)) != 0) { 332 pr_err("The prng self test data test " 333 "for the SHA-512 mode failed\n"); 334 prng_errorflag = PRNG_SELFTEST_FAILED; 335 return -EIO; 336 } 337 338 return 0; 339 } 340 341 342 static int __init prng_sha512_instantiate(void) 343 { 344 int ret, datalen; 345 u8 seed[64 + 32 + 16]; 346 347 pr_debug("prng runs in SHA-512 mode " 348 "with chunksize=%d and reseed_limit=%u\n", 349 prng_chunk_size, prng_reseed_limit); 350 351 /* memory allocation, prng_data struct init, mutex init */ 352 datalen = sizeof(struct prng_data_s) + prng_chunk_size; 353 if (fips_enabled) 354 datalen += prng_chunk_size; 355 prng_data = kzalloc(datalen, GFP_KERNEL); 356 if (!prng_data) { 357 prng_errorflag = PRNG_INSTANTIATE_FAILED; 358 return -ENOMEM; 359 } 360 mutex_init(&prng_data->mutex); 361 prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s); 362 363 /* selftest */ 364 ret = prng_sha512_selftest(); 365 if (ret) 366 goto outfree; 367 368 /* generate initial seed bytestring, with 256 + 128 bits entropy */ 369 ret = generate_entropy(seed, 64 + 32); 370 if (ret != 64 + 32) 371 goto outfree; 372 /* followed by 16 bytes of unique nonce */ 373 get_tod_clock_ext(seed + 64 + 32); 374 375 /* initial seed of the ppno drng */ 376 cpacf_ppno(CPACF_PPNO_SHA512_DRNG_SEED, 377 &prng_data->ppnows, NULL, 0, seed, sizeof(seed)); 378 379 /* if fips mode is enabled, generate a first block of random 380 bytes for the FIPS 140-2 Conditional Self Test */ 381 if (fips_enabled) { 382 prng_data->prev = prng_data->buf + prng_chunk_size; 383 cpacf_ppno(CPACF_PPNO_SHA512_DRNG_GEN, 384 &prng_data->ppnows, 385 prng_data->prev, prng_chunk_size, NULL, 0); 386 } 387 388 return 0; 389 390 outfree: 391 kfree(prng_data); 392 return ret; 393 } 394 395 396 static void prng_sha512_deinstantiate(void) 397 { 398 pr_debug("The prng module stopped after running in SHA-512 mode\n"); 399 kzfree(prng_data); 400 } 401 402 403 static int prng_sha512_reseed(void) 404 { 405 int ret; 406 u8 seed[64]; 407 408 /* fetch 256 bits of fresh entropy */ 409 ret = generate_entropy(seed, sizeof(seed)); 410 if (ret != sizeof(seed)) 411 return ret; 412 413 /* do a reseed of the ppno drng with this bytestring */ 414 cpacf_ppno(CPACF_PPNO_SHA512_DRNG_SEED, 415 &prng_data->ppnows, NULL, 0, seed, sizeof(seed)); 416 417 return 0; 418 } 419 420 421 static int prng_sha512_generate(u8 *buf, size_t nbytes) 422 { 423 int ret; 424 425 /* reseed needed ? */ 426 if (prng_data->ppnows.reseed_counter > prng_reseed_limit) { 427 ret = prng_sha512_reseed(); 428 if (ret) 429 return ret; 430 } 431 432 /* PPNO generate */ 433 cpacf_ppno(CPACF_PPNO_SHA512_DRNG_GEN, 434 &prng_data->ppnows, buf, nbytes, NULL, 0); 435 436 /* FIPS 140-2 Conditional Self Test */ 437 if (fips_enabled) { 438 if (!memcmp(prng_data->prev, buf, nbytes)) { 439 prng_errorflag = PRNG_GEN_FAILED; 440 return -EILSEQ; 441 } 442 memcpy(prng_data->prev, buf, nbytes); 443 } 444 445 return nbytes; 446 } 447 448 449 /*** file io functions ***/ 450 451 static int prng_open(struct inode *inode, struct file *file) 452 { 453 return nonseekable_open(inode, file); 454 } 455 456 457 static ssize_t prng_tdes_read(struct file *file, char __user *ubuf, 458 size_t nbytes, loff_t *ppos) 459 { 460 int chunk, n, ret = 0; 461 462 /* lock prng_data struct */ 463 if (mutex_lock_interruptible(&prng_data->mutex)) 464 return -ERESTARTSYS; 465 466 while (nbytes) { 467 if (need_resched()) { 468 if (signal_pending(current)) { 469 if (ret == 0) 470 ret = -ERESTARTSYS; 471 break; 472 } 473 /* give mutex free before calling schedule() */ 474 mutex_unlock(&prng_data->mutex); 475 schedule(); 476 /* occopy mutex again */ 477 if (mutex_lock_interruptible(&prng_data->mutex)) { 478 if (ret == 0) 479 ret = -ERESTARTSYS; 480 return ret; 481 } 482 } 483 484 /* 485 * we lose some random bytes if an attacker issues 486 * reads < 8 bytes, but we don't care 487 */ 488 chunk = min_t(int, nbytes, prng_chunk_size); 489 490 /* PRNG only likes multiples of 8 bytes */ 491 n = (chunk + 7) & -8; 492 493 if (prng_data->prngws.reseed_counter > prng_reseed_limit) 494 prng_tdes_seed(8); 495 496 /* if the CPU supports PRNG stckf is present too */ 497 *((unsigned long long *)prng_data->buf) = get_tod_clock_fast(); 498 499 /* 500 * Beside the STCKF the input for the TDES-EDE is the output 501 * of the last operation. We differ here from X9.17 since we 502 * only store one timestamp into the buffer. Padding the whole 503 * buffer with timestamps does not improve security, since 504 * successive stckf have nearly constant offsets. 505 * If an attacker knows the first timestamp it would be 506 * trivial to guess the additional values. One timestamp 507 * is therefore enough and still guarantees unique input values. 508 * 509 * Note: you can still get strict X9.17 conformity by setting 510 * prng_chunk_size to 8 bytes. 511 */ 512 cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block, 513 prng_data->buf, prng_data->buf, n); 514 515 prng_data->prngws.byte_counter += n; 516 prng_data->prngws.reseed_counter += n; 517 518 if (copy_to_user(ubuf, prng_data->buf, chunk)) { 519 ret = -EFAULT; 520 break; 521 } 522 523 nbytes -= chunk; 524 ret += chunk; 525 ubuf += chunk; 526 } 527 528 /* unlock prng_data struct */ 529 mutex_unlock(&prng_data->mutex); 530 531 return ret; 532 } 533 534 535 static ssize_t prng_sha512_read(struct file *file, char __user *ubuf, 536 size_t nbytes, loff_t *ppos) 537 { 538 int n, ret = 0; 539 u8 *p; 540 541 /* if errorflag is set do nothing and return 'broken pipe' */ 542 if (prng_errorflag) 543 return -EPIPE; 544 545 /* lock prng_data struct */ 546 if (mutex_lock_interruptible(&prng_data->mutex)) 547 return -ERESTARTSYS; 548 549 while (nbytes) { 550 if (need_resched()) { 551 if (signal_pending(current)) { 552 if (ret == 0) 553 ret = -ERESTARTSYS; 554 break; 555 } 556 /* give mutex free before calling schedule() */ 557 mutex_unlock(&prng_data->mutex); 558 schedule(); 559 /* occopy mutex again */ 560 if (mutex_lock_interruptible(&prng_data->mutex)) { 561 if (ret == 0) 562 ret = -ERESTARTSYS; 563 return ret; 564 } 565 } 566 if (prng_data->rest) { 567 /* push left over random bytes from the previous read */ 568 p = prng_data->buf + prng_chunk_size - prng_data->rest; 569 n = (nbytes < prng_data->rest) ? 570 nbytes : prng_data->rest; 571 prng_data->rest -= n; 572 } else { 573 /* generate one chunk of random bytes into read buf */ 574 p = prng_data->buf; 575 n = prng_sha512_generate(p, prng_chunk_size); 576 if (n < 0) { 577 ret = n; 578 break; 579 } 580 if (nbytes < prng_chunk_size) { 581 n = nbytes; 582 prng_data->rest = prng_chunk_size - n; 583 } else { 584 n = prng_chunk_size; 585 prng_data->rest = 0; 586 } 587 } 588 if (copy_to_user(ubuf, p, n)) { 589 ret = -EFAULT; 590 break; 591 } 592 ubuf += n; 593 nbytes -= n; 594 ret += n; 595 } 596 597 /* unlock prng_data struct */ 598 mutex_unlock(&prng_data->mutex); 599 600 return ret; 601 } 602 603 604 /*** sysfs stuff ***/ 605 606 static const struct file_operations prng_sha512_fops = { 607 .owner = THIS_MODULE, 608 .open = &prng_open, 609 .release = NULL, 610 .read = &prng_sha512_read, 611 .llseek = noop_llseek, 612 }; 613 static const struct file_operations prng_tdes_fops = { 614 .owner = THIS_MODULE, 615 .open = &prng_open, 616 .release = NULL, 617 .read = &prng_tdes_read, 618 .llseek = noop_llseek, 619 }; 620 621 static struct miscdevice prng_sha512_dev = { 622 .name = "prandom", 623 .minor = MISC_DYNAMIC_MINOR, 624 .mode = 0644, 625 .fops = &prng_sha512_fops, 626 }; 627 static struct miscdevice prng_tdes_dev = { 628 .name = "prandom", 629 .minor = MISC_DYNAMIC_MINOR, 630 .mode = 0644, 631 .fops = &prng_tdes_fops, 632 }; 633 634 635 /* chunksize attribute (ro) */ 636 static ssize_t prng_chunksize_show(struct device *dev, 637 struct device_attribute *attr, 638 char *buf) 639 { 640 return snprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size); 641 } 642 static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL); 643 644 /* counter attribute (ro) */ 645 static ssize_t prng_counter_show(struct device *dev, 646 struct device_attribute *attr, 647 char *buf) 648 { 649 u64 counter; 650 651 if (mutex_lock_interruptible(&prng_data->mutex)) 652 return -ERESTARTSYS; 653 if (prng_mode == PRNG_MODE_SHA512) 654 counter = prng_data->ppnows.stream_bytes; 655 else 656 counter = prng_data->prngws.byte_counter; 657 mutex_unlock(&prng_data->mutex); 658 659 return snprintf(buf, PAGE_SIZE, "%llu\n", counter); 660 } 661 static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL); 662 663 /* errorflag attribute (ro) */ 664 static ssize_t prng_errorflag_show(struct device *dev, 665 struct device_attribute *attr, 666 char *buf) 667 { 668 return snprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag); 669 } 670 static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL); 671 672 /* mode attribute (ro) */ 673 static ssize_t prng_mode_show(struct device *dev, 674 struct device_attribute *attr, 675 char *buf) 676 { 677 if (prng_mode == PRNG_MODE_TDES) 678 return snprintf(buf, PAGE_SIZE, "TDES\n"); 679 else 680 return snprintf(buf, PAGE_SIZE, "SHA512\n"); 681 } 682 static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL); 683 684 /* reseed attribute (w) */ 685 static ssize_t prng_reseed_store(struct device *dev, 686 struct device_attribute *attr, 687 const char *buf, size_t count) 688 { 689 if (mutex_lock_interruptible(&prng_data->mutex)) 690 return -ERESTARTSYS; 691 prng_sha512_reseed(); 692 mutex_unlock(&prng_data->mutex); 693 694 return count; 695 } 696 static DEVICE_ATTR(reseed, 0200, NULL, prng_reseed_store); 697 698 /* reseed limit attribute (rw) */ 699 static ssize_t prng_reseed_limit_show(struct device *dev, 700 struct device_attribute *attr, 701 char *buf) 702 { 703 return snprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit); 704 } 705 static ssize_t prng_reseed_limit_store(struct device *dev, 706 struct device_attribute *attr, 707 const char *buf, size_t count) 708 { 709 unsigned limit; 710 711 if (sscanf(buf, "%u\n", &limit) != 1) 712 return -EINVAL; 713 714 if (prng_mode == PRNG_MODE_SHA512) { 715 if (limit < PRNG_RESEED_LIMIT_SHA512_LOWER) 716 return -EINVAL; 717 } else { 718 if (limit < PRNG_RESEED_LIMIT_TDES_LOWER) 719 return -EINVAL; 720 } 721 722 prng_reseed_limit = limit; 723 724 return count; 725 } 726 static DEVICE_ATTR(reseed_limit, 0644, 727 prng_reseed_limit_show, prng_reseed_limit_store); 728 729 /* strength attribute (ro) */ 730 static ssize_t prng_strength_show(struct device *dev, 731 struct device_attribute *attr, 732 char *buf) 733 { 734 return snprintf(buf, PAGE_SIZE, "256\n"); 735 } 736 static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL); 737 738 static struct attribute *prng_sha512_dev_attrs[] = { 739 &dev_attr_errorflag.attr, 740 &dev_attr_chunksize.attr, 741 &dev_attr_byte_counter.attr, 742 &dev_attr_mode.attr, 743 &dev_attr_reseed.attr, 744 &dev_attr_reseed_limit.attr, 745 &dev_attr_strength.attr, 746 NULL 747 }; 748 static struct attribute *prng_tdes_dev_attrs[] = { 749 &dev_attr_chunksize.attr, 750 &dev_attr_byte_counter.attr, 751 &dev_attr_mode.attr, 752 NULL 753 }; 754 755 static struct attribute_group prng_sha512_dev_attr_group = { 756 .attrs = prng_sha512_dev_attrs 757 }; 758 static struct attribute_group prng_tdes_dev_attr_group = { 759 .attrs = prng_tdes_dev_attrs 760 }; 761 762 763 /*** module init and exit ***/ 764 765 static int __init prng_init(void) 766 { 767 int ret; 768 769 /* check if the CPU has a PRNG */ 770 if (!cpacf_query_func(CPACF_KMC, CPACF_KMC_PRNG)) 771 return -EOPNOTSUPP; 772 773 /* choose prng mode */ 774 if (prng_mode != PRNG_MODE_TDES) { 775 /* check for MSA5 support for PPNO operations */ 776 if (!cpacf_query_func(CPACF_PPNO, CPACF_PPNO_SHA512_DRNG_GEN)) { 777 if (prng_mode == PRNG_MODE_SHA512) { 778 pr_err("The prng module cannot " 779 "start in SHA-512 mode\n"); 780 return -EOPNOTSUPP; 781 } 782 prng_mode = PRNG_MODE_TDES; 783 } else 784 prng_mode = PRNG_MODE_SHA512; 785 } 786 787 if (prng_mode == PRNG_MODE_SHA512) { 788 789 /* SHA512 mode */ 790 791 if (prng_chunk_size < PRNG_CHUNKSIZE_SHA512_MIN 792 || prng_chunk_size > PRNG_CHUNKSIZE_SHA512_MAX) 793 return -EINVAL; 794 prng_chunk_size = (prng_chunk_size + 0x3f) & ~0x3f; 795 796 if (prng_reseed_limit == 0) 797 prng_reseed_limit = PRNG_RESEED_LIMIT_SHA512; 798 else if (prng_reseed_limit < PRNG_RESEED_LIMIT_SHA512_LOWER) 799 return -EINVAL; 800 801 ret = prng_sha512_instantiate(); 802 if (ret) 803 goto out; 804 805 ret = misc_register(&prng_sha512_dev); 806 if (ret) { 807 prng_sha512_deinstantiate(); 808 goto out; 809 } 810 ret = sysfs_create_group(&prng_sha512_dev.this_device->kobj, 811 &prng_sha512_dev_attr_group); 812 if (ret) { 813 misc_deregister(&prng_sha512_dev); 814 prng_sha512_deinstantiate(); 815 goto out; 816 } 817 818 } else { 819 820 /* TDES mode */ 821 822 if (prng_chunk_size < PRNG_CHUNKSIZE_TDES_MIN 823 || prng_chunk_size > PRNG_CHUNKSIZE_TDES_MAX) 824 return -EINVAL; 825 prng_chunk_size = (prng_chunk_size + 0x07) & ~0x07; 826 827 if (prng_reseed_limit == 0) 828 prng_reseed_limit = PRNG_RESEED_LIMIT_TDES; 829 else if (prng_reseed_limit < PRNG_RESEED_LIMIT_TDES_LOWER) 830 return -EINVAL; 831 832 ret = prng_tdes_instantiate(); 833 if (ret) 834 goto out; 835 836 ret = misc_register(&prng_tdes_dev); 837 if (ret) { 838 prng_tdes_deinstantiate(); 839 goto out; 840 } 841 ret = sysfs_create_group(&prng_tdes_dev.this_device->kobj, 842 &prng_tdes_dev_attr_group); 843 if (ret) { 844 misc_deregister(&prng_tdes_dev); 845 prng_tdes_deinstantiate(); 846 goto out; 847 } 848 849 } 850 851 out: 852 return ret; 853 } 854 855 856 static void __exit prng_exit(void) 857 { 858 if (prng_mode == PRNG_MODE_SHA512) { 859 sysfs_remove_group(&prng_sha512_dev.this_device->kobj, 860 &prng_sha512_dev_attr_group); 861 misc_deregister(&prng_sha512_dev); 862 prng_sha512_deinstantiate(); 863 } else { 864 sysfs_remove_group(&prng_tdes_dev.this_device->kobj, 865 &prng_tdes_dev_attr_group); 866 misc_deregister(&prng_tdes_dev); 867 prng_tdes_deinstantiate(); 868 } 869 } 870 871 module_cpu_feature_match(MSA, prng_init); 872 module_exit(prng_exit); 873