xref: /openbmc/linux/arch/s390/crypto/prng.c (revision 92c005a1)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright IBM Corp. 2006, 2015
4  * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
5  *	      Harald Freudenberger <freude@de.ibm.com>
6  * Driver for the s390 pseudo random number generator
7  */
8 
9 #define KMSG_COMPONENT "prng"
10 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
11 
12 #include <linux/fs.h>
13 #include <linux/fips.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/device.h>
17 #include <linux/miscdevice.h>
18 #include <linux/module.h>
19 #include <linux/moduleparam.h>
20 #include <linux/mutex.h>
21 #include <linux/cpufeature.h>
22 #include <linux/random.h>
23 #include <linux/slab.h>
24 #include <linux/sched/signal.h>
25 
26 #include <asm/debug.h>
27 #include <linux/uaccess.h>
28 #include <asm/timex.h>
29 #include <asm/cpacf.h>
30 
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("IBM Corporation");
33 MODULE_DESCRIPTION("s390 PRNG interface");
34 
35 
36 #define PRNG_MODE_AUTO	  0
37 #define PRNG_MODE_TDES	  1
38 #define PRNG_MODE_SHA512  2
39 
40 static unsigned int prng_mode = PRNG_MODE_AUTO;
41 module_param_named(mode, prng_mode, int, 0);
42 MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512");
43 
44 
45 #define PRNG_CHUNKSIZE_TDES_MIN   8
46 #define PRNG_CHUNKSIZE_TDES_MAX   (64*1024)
47 #define PRNG_CHUNKSIZE_SHA512_MIN 64
48 #define PRNG_CHUNKSIZE_SHA512_MAX (64*1024)
49 
50 static unsigned int prng_chunk_size = 256;
51 module_param_named(chunksize, prng_chunk_size, int, 0);
52 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
53 
54 
55 #define PRNG_RESEED_LIMIT_TDES		 4096
56 #define PRNG_RESEED_LIMIT_TDES_LOWER	 4096
57 #define PRNG_RESEED_LIMIT_SHA512       100000
58 #define PRNG_RESEED_LIMIT_SHA512_LOWER	10000
59 
60 static unsigned int prng_reseed_limit;
61 module_param_named(reseed_limit, prng_reseed_limit, int, 0);
62 MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit");
63 
64 static bool trng_available;
65 
66 /*
67  * Any one who considers arithmetical methods of producing random digits is,
68  * of course, in a state of sin. -- John von Neumann
69  */
70 
71 static int prng_errorflag;
72 
73 #define PRNG_GEN_ENTROPY_FAILED  1
74 #define PRNG_SELFTEST_FAILED	 2
75 #define PRNG_INSTANTIATE_FAILED  3
76 #define PRNG_SEED_FAILED	 4
77 #define PRNG_RESEED_FAILED	 5
78 #define PRNG_GEN_FAILED		 6
79 
80 struct prng_ws_s {
81 	u8  parm_block[32];
82 	u32 reseed_counter;
83 	u64 byte_counter;
84 };
85 
86 struct prno_ws_s {
87 	u32 res;
88 	u32 reseed_counter;
89 	u64 stream_bytes;
90 	u8  V[112];
91 	u8  C[112];
92 };
93 
94 struct prng_data_s {
95 	struct mutex mutex;
96 	union {
97 		struct prng_ws_s prngws;
98 		struct prno_ws_s prnows;
99 	};
100 	u8 *buf;
101 	u32 rest;
102 	u8 *prev;
103 };
104 
105 static struct prng_data_s *prng_data;
106 
107 /* initial parameter block for tdes mode, copied from libica */
108 static const u8 initial_parm_block[32] __initconst = {
109 	0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52,
110 	0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4,
111 	0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF,
112 	0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0 };
113 
114 
115 /*** helper functions ***/
116 
117 /*
118  * generate_entropy:
119  * This function fills a given buffer with random bytes. The entropy within
120  * the random bytes given back is assumed to have at least 50% - meaning
121  * a 64 bytes buffer has at least 64 * 8 / 2 = 256 bits of entropy.
122  * Within the function the entropy generation is done in junks of 64 bytes.
123  * So the caller should also ask for buffer fill in multiples of 64 bytes.
124  * The generation of the entropy is based on the assumption that every stckf()
125  * invocation produces 0.5 bits of entropy. To accumulate 256 bits of entropy
126  * at least 512 stckf() values are needed. The entropy relevant part of the
127  * stckf value is bit 51 (counting starts at the left with bit nr 0) so
128  * here we use the lower 4 bytes and exor the values into 2k of bufferspace.
129  * To be on the save side, if there is ever a problem with stckf() the
130  * other half of the page buffer is filled with bytes from urandom via
131  * get_random_bytes(), so this function consumes 2k of urandom for each
132  * requested 64 bytes output data. Finally the buffer page is condensed into
133  * a 64 byte value by hashing with a SHA512 hash.
134  */
135 static int generate_entropy(u8 *ebuf, size_t nbytes)
136 {
137 	int n, ret = 0;
138 	u8 *pg, pblock[80] = {
139 		/* 8 x 64 bit init values */
140 		0x6A, 0x09, 0xE6, 0x67, 0xF3, 0xBC, 0xC9, 0x08,
141 		0xBB, 0x67, 0xAE, 0x85, 0x84, 0xCA, 0xA7, 0x3B,
142 		0x3C, 0x6E, 0xF3, 0x72, 0xFE, 0x94, 0xF8, 0x2B,
143 		0xA5, 0x4F, 0xF5, 0x3A, 0x5F, 0x1D, 0x36, 0xF1,
144 		0x51, 0x0E, 0x52, 0x7F, 0xAD, 0xE6, 0x82, 0xD1,
145 		0x9B, 0x05, 0x68, 0x8C, 0x2B, 0x3E, 0x6C, 0x1F,
146 		0x1F, 0x83, 0xD9, 0xAB, 0xFB, 0x41, 0xBD, 0x6B,
147 		0x5B, 0xE0, 0xCD, 0x19, 0x13, 0x7E, 0x21, 0x79,
148 		/* 128 bit counter total message bit length */
149 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
150 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 };
151 
152 	/* allocate one page stckf buffer */
153 	pg = (u8 *) __get_free_page(GFP_KERNEL);
154 	if (!pg) {
155 		prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
156 		return -ENOMEM;
157 	}
158 
159 	/* fill the ebuf in chunks of 64 byte each */
160 	while (nbytes) {
161 		/* fill lower 2k with urandom bytes */
162 		get_random_bytes(pg, PAGE_SIZE / 2);
163 		/* exor upper 2k with 512 stckf values, offset 4 bytes each */
164 		for (n = 0; n < 512; n++) {
165 			int offset = (PAGE_SIZE / 2) + (n * 4) - 4;
166 			u64 *p = (u64 *)(pg + offset);
167 			*p ^= get_tod_clock_fast();
168 		}
169 		/* hash over the filled page */
170 		cpacf_klmd(CPACF_KLMD_SHA_512, pblock, pg, PAGE_SIZE);
171 		n = (nbytes < 64) ? nbytes : 64;
172 		memcpy(ebuf, pblock, n);
173 		ret += n;
174 		ebuf += n;
175 		nbytes -= n;
176 	}
177 
178 	memzero_explicit(pblock, sizeof(pblock));
179 	memzero_explicit(pg, PAGE_SIZE);
180 	free_page((unsigned long)pg);
181 	return ret;
182 }
183 
184 
185 /*** tdes functions ***/
186 
187 static void prng_tdes_add_entropy(void)
188 {
189 	__u64 entropy[4];
190 	unsigned int i;
191 
192 	for (i = 0; i < 16; i++) {
193 		cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
194 			  (char *) entropy, (char *) entropy,
195 			  sizeof(entropy));
196 		memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy));
197 	}
198 }
199 
200 
201 static void prng_tdes_seed(int nbytes)
202 {
203 	char buf[16];
204 	int i = 0;
205 
206 	BUG_ON(nbytes > sizeof(buf));
207 
208 	get_random_bytes(buf, nbytes);
209 
210 	/* Add the entropy */
211 	while (nbytes >= 8) {
212 		*((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i));
213 		prng_tdes_add_entropy();
214 		i += 8;
215 		nbytes -= 8;
216 	}
217 	prng_tdes_add_entropy();
218 	prng_data->prngws.reseed_counter = 0;
219 }
220 
221 
222 static int __init prng_tdes_instantiate(void)
223 {
224 	int datalen;
225 
226 	pr_debug("prng runs in TDES mode with "
227 		 "chunksize=%d and reseed_limit=%u\n",
228 		 prng_chunk_size, prng_reseed_limit);
229 
230 	/* memory allocation, prng_data struct init, mutex init */
231 	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
232 	prng_data = kzalloc(datalen, GFP_KERNEL);
233 	if (!prng_data) {
234 		prng_errorflag = PRNG_INSTANTIATE_FAILED;
235 		return -ENOMEM;
236 	}
237 	mutex_init(&prng_data->mutex);
238 	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
239 	memcpy(prng_data->prngws.parm_block, initial_parm_block, 32);
240 
241 	/* initialize the PRNG, add 128 bits of entropy */
242 	prng_tdes_seed(16);
243 
244 	return 0;
245 }
246 
247 
248 static void prng_tdes_deinstantiate(void)
249 {
250 	pr_debug("The prng module stopped "
251 		 "after running in triple DES mode\n");
252 	kfree_sensitive(prng_data);
253 }
254 
255 
256 /*** sha512 functions ***/
257 
258 static int __init prng_sha512_selftest(void)
259 {
260 	/* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */
261 	static const u8 seed[] __initconst = {
262 		0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a,
263 		0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22,
264 		0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b,
265 		0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c,
266 		0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa,
267 		0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25 };
268 	static const u8 V0[] __initconst = {
269 		0x00, 0xad, 0xe3, 0x6f, 0x9a, 0x01, 0xc7, 0x76,
270 		0x61, 0x34, 0x35, 0xf5, 0x4e, 0x24, 0x74, 0x22,
271 		0x21, 0x9a, 0x29, 0x89, 0xc7, 0x93, 0x2e, 0x60,
272 		0x1e, 0xe8, 0x14, 0x24, 0x8d, 0xd5, 0x03, 0xf1,
273 		0x65, 0x5d, 0x08, 0x22, 0x72, 0xd5, 0xad, 0x95,
274 		0xe1, 0x23, 0x1e, 0x8a, 0xa7, 0x13, 0xd9, 0x2b,
275 		0x5e, 0xbc, 0xbb, 0x80, 0xab, 0x8d, 0xe5, 0x79,
276 		0xab, 0x5b, 0x47, 0x4e, 0xdd, 0xee, 0x6b, 0x03,
277 		0x8f, 0x0f, 0x5c, 0x5e, 0xa9, 0x1a, 0x83, 0xdd,
278 		0xd3, 0x88, 0xb2, 0x75, 0x4b, 0xce, 0x83, 0x36,
279 		0x57, 0x4b, 0xf1, 0x5c, 0xca, 0x7e, 0x09, 0xc0,
280 		0xd3, 0x89, 0xc6, 0xe0, 0xda, 0xc4, 0x81, 0x7e,
281 		0x5b, 0xf9, 0xe1, 0x01, 0xc1, 0x92, 0x05, 0xea,
282 		0xf5, 0x2f, 0xc6, 0xc6, 0xc7, 0x8f, 0xbc, 0xf4 };
283 	static const u8 C0[] __initconst = {
284 		0x00, 0xf4, 0xa3, 0xe5, 0xa0, 0x72, 0x63, 0x95,
285 		0xc6, 0x4f, 0x48, 0xd0, 0x8b, 0x5b, 0x5f, 0x8e,
286 		0x6b, 0x96, 0x1f, 0x16, 0xed, 0xbc, 0x66, 0x94,
287 		0x45, 0x31, 0xd7, 0x47, 0x73, 0x22, 0xa5, 0x86,
288 		0xce, 0xc0, 0x4c, 0xac, 0x63, 0xb8, 0x39, 0x50,
289 		0xbf, 0xe6, 0x59, 0x6c, 0x38, 0x58, 0x99, 0x1f,
290 		0x27, 0xa7, 0x9d, 0x71, 0x2a, 0xb3, 0x7b, 0xf9,
291 		0xfb, 0x17, 0x86, 0xaa, 0x99, 0x81, 0xaa, 0x43,
292 		0xe4, 0x37, 0xd3, 0x1e, 0x6e, 0xe5, 0xe6, 0xee,
293 		0xc2, 0xed, 0x95, 0x4f, 0x53, 0x0e, 0x46, 0x8a,
294 		0xcc, 0x45, 0xa5, 0xdb, 0x69, 0x0d, 0x81, 0xc9,
295 		0x32, 0x92, 0xbc, 0x8f, 0x33, 0xe6, 0xf6, 0x09,
296 		0x7c, 0x8e, 0x05, 0x19, 0x0d, 0xf1, 0xb6, 0xcc,
297 		0xf3, 0x02, 0x21, 0x90, 0x25, 0xec, 0xed, 0x0e };
298 	static const u8 random[] __initconst = {
299 		0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57,
300 		0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6,
301 		0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d,
302 		0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf,
303 		0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26,
304 		0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64,
305 		0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55,
306 		0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a,
307 		0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78,
308 		0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e,
309 		0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb,
310 		0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30,
311 		0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19,
312 		0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f,
313 		0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d,
314 		0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a,
315 		0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2,
316 		0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd,
317 		0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd,
318 		0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2,
319 		0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b,
320 		0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1,
321 		0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99,
322 		0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e,
323 		0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3,
324 		0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67,
325 		0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3,
326 		0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d,
327 		0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b,
328 		0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13,
329 		0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c,
330 		0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2 };
331 
332 	u8 buf[sizeof(random)];
333 	struct prno_ws_s ws;
334 
335 	memset(&ws, 0, sizeof(ws));
336 
337 	/* initial seed */
338 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
339 		   &ws, NULL, 0, seed, sizeof(seed));
340 
341 	/* check working states V and C */
342 	if (memcmp(ws.V, V0, sizeof(V0)) != 0
343 	    || memcmp(ws.C, C0, sizeof(C0)) != 0) {
344 		pr_err("The prng self test state test "
345 		       "for the SHA-512 mode failed\n");
346 		prng_errorflag = PRNG_SELFTEST_FAILED;
347 		return -EIO;
348 	}
349 
350 	/* generate random bytes */
351 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
352 		   &ws, buf, sizeof(buf), NULL, 0);
353 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
354 		   &ws, buf, sizeof(buf), NULL, 0);
355 
356 	/* check against expected data */
357 	if (memcmp(buf, random, sizeof(random)) != 0) {
358 		pr_err("The prng self test data test "
359 		       "for the SHA-512 mode failed\n");
360 		prng_errorflag = PRNG_SELFTEST_FAILED;
361 		return -EIO;
362 	}
363 
364 	return 0;
365 }
366 
367 
368 static int __init prng_sha512_instantiate(void)
369 {
370 	int ret, datalen, seedlen;
371 	u8 seed[128 + 16];
372 
373 	pr_debug("prng runs in SHA-512 mode "
374 		 "with chunksize=%d and reseed_limit=%u\n",
375 		 prng_chunk_size, prng_reseed_limit);
376 
377 	/* memory allocation, prng_data struct init, mutex init */
378 	datalen = sizeof(struct prng_data_s) + prng_chunk_size;
379 	if (fips_enabled)
380 		datalen += prng_chunk_size;
381 	prng_data = kzalloc(datalen, GFP_KERNEL);
382 	if (!prng_data) {
383 		prng_errorflag = PRNG_INSTANTIATE_FAILED;
384 		return -ENOMEM;
385 	}
386 	mutex_init(&prng_data->mutex);
387 	prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
388 
389 	/* selftest */
390 	ret = prng_sha512_selftest();
391 	if (ret)
392 		goto outfree;
393 
394 	/* generate initial seed, we need at least  256 + 128 bits entropy. */
395 	if (trng_available) {
396 		/*
397 		 * Trng available, so use it. The trng works in chunks of
398 		 * 32 bytes and produces 100% entropy. So we pull 64 bytes
399 		 * which gives us 512 bits entropy.
400 		 */
401 		seedlen = 2 * 32;
402 		cpacf_trng(NULL, 0, seed, seedlen);
403 	} else {
404 		/*
405 		 * No trng available, so use the generate_entropy() function.
406 		 * This function works in 64 byte junks and produces
407 		 * 50% entropy. So we pull 2*64 bytes which gives us 512 bits
408 		 * of entropy.
409 		 */
410 		seedlen = 2 * 64;
411 		ret = generate_entropy(seed, seedlen);
412 		if (ret != seedlen)
413 			goto outfree;
414 	}
415 
416 	/* append the seed by 16 bytes of unique nonce */
417 	store_tod_clock_ext((union tod_clock *)(seed + seedlen));
418 	seedlen += 16;
419 
420 	/* now initial seed of the prno drng */
421 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
422 		   &prng_data->prnows, NULL, 0, seed, seedlen);
423 	memzero_explicit(seed, sizeof(seed));
424 
425 	/* if fips mode is enabled, generate a first block of random
426 	   bytes for the FIPS 140-2 Conditional Self Test */
427 	if (fips_enabled) {
428 		prng_data->prev = prng_data->buf + prng_chunk_size;
429 		cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
430 			   &prng_data->prnows,
431 			   prng_data->prev, prng_chunk_size, NULL, 0);
432 	}
433 
434 	return 0;
435 
436 outfree:
437 	kfree(prng_data);
438 	return ret;
439 }
440 
441 
442 static void prng_sha512_deinstantiate(void)
443 {
444 	pr_debug("The prng module stopped after running in SHA-512 mode\n");
445 	kfree_sensitive(prng_data);
446 }
447 
448 
449 static int prng_sha512_reseed(void)
450 {
451 	int ret, seedlen;
452 	u8 seed[64];
453 
454 	/* We need at least 256 bits of fresh entropy for reseeding */
455 	if (trng_available) {
456 		/* trng produces 256 bits entropy in 32 bytes */
457 		seedlen = 32;
458 		cpacf_trng(NULL, 0, seed, seedlen);
459 	} else {
460 		/* generate_entropy() produces 256 bits entropy in 64 bytes */
461 		seedlen = 64;
462 		ret = generate_entropy(seed, seedlen);
463 		if (ret != sizeof(seed))
464 			return ret;
465 	}
466 
467 	/* do a reseed of the prno drng with this bytestring */
468 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
469 		   &prng_data->prnows, NULL, 0, seed, seedlen);
470 	memzero_explicit(seed, sizeof(seed));
471 
472 	return 0;
473 }
474 
475 
476 static int prng_sha512_generate(u8 *buf, size_t nbytes)
477 {
478 	int ret;
479 
480 	/* reseed needed ? */
481 	if (prng_data->prnows.reseed_counter > prng_reseed_limit) {
482 		ret = prng_sha512_reseed();
483 		if (ret)
484 			return ret;
485 	}
486 
487 	/* PRNO generate */
488 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
489 		   &prng_data->prnows, buf, nbytes, NULL, 0);
490 
491 	/* FIPS 140-2 Conditional Self Test */
492 	if (fips_enabled) {
493 		if (!memcmp(prng_data->prev, buf, nbytes)) {
494 			prng_errorflag = PRNG_GEN_FAILED;
495 			return -EILSEQ;
496 		}
497 		memcpy(prng_data->prev, buf, nbytes);
498 	}
499 
500 	return nbytes;
501 }
502 
503 
504 /*** file io functions ***/
505 
506 static int prng_open(struct inode *inode, struct file *file)
507 {
508 	return nonseekable_open(inode, file);
509 }
510 
511 
512 static ssize_t prng_tdes_read(struct file *file, char __user *ubuf,
513 			      size_t nbytes, loff_t *ppos)
514 {
515 	int chunk, n, ret = 0;
516 
517 	/* lock prng_data struct */
518 	if (mutex_lock_interruptible(&prng_data->mutex))
519 		return -ERESTARTSYS;
520 
521 	while (nbytes) {
522 		if (need_resched()) {
523 			if (signal_pending(current)) {
524 				if (ret == 0)
525 					ret = -ERESTARTSYS;
526 				break;
527 			}
528 			/* give mutex free before calling schedule() */
529 			mutex_unlock(&prng_data->mutex);
530 			schedule();
531 			/* occupy mutex again */
532 			if (mutex_lock_interruptible(&prng_data->mutex)) {
533 				if (ret == 0)
534 					ret = -ERESTARTSYS;
535 				return ret;
536 			}
537 		}
538 
539 		/*
540 		 * we lose some random bytes if an attacker issues
541 		 * reads < 8 bytes, but we don't care
542 		 */
543 		chunk = min_t(int, nbytes, prng_chunk_size);
544 
545 		/* PRNG only likes multiples of 8 bytes */
546 		n = (chunk + 7) & -8;
547 
548 		if (prng_data->prngws.reseed_counter > prng_reseed_limit)
549 			prng_tdes_seed(8);
550 
551 		/* if the CPU supports PRNG stckf is present too */
552 		*((unsigned long long *)prng_data->buf) = get_tod_clock_fast();
553 
554 		/*
555 		 * Beside the STCKF the input for the TDES-EDE is the output
556 		 * of the last operation. We differ here from X9.17 since we
557 		 * only store one timestamp into the buffer. Padding the whole
558 		 * buffer with timestamps does not improve security, since
559 		 * successive stckf have nearly constant offsets.
560 		 * If an attacker knows the first timestamp it would be
561 		 * trivial to guess the additional values. One timestamp
562 		 * is therefore enough and still guarantees unique input values.
563 		 *
564 		 * Note: you can still get strict X9.17 conformity by setting
565 		 * prng_chunk_size to 8 bytes.
566 		 */
567 		cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
568 			  prng_data->buf, prng_data->buf, n);
569 
570 		prng_data->prngws.byte_counter += n;
571 		prng_data->prngws.reseed_counter += n;
572 
573 		if (copy_to_user(ubuf, prng_data->buf, chunk)) {
574 			ret = -EFAULT;
575 			break;
576 		}
577 
578 		nbytes -= chunk;
579 		ret += chunk;
580 		ubuf += chunk;
581 	}
582 
583 	/* unlock prng_data struct */
584 	mutex_unlock(&prng_data->mutex);
585 
586 	return ret;
587 }
588 
589 
590 static ssize_t prng_sha512_read(struct file *file, char __user *ubuf,
591 				size_t nbytes, loff_t *ppos)
592 {
593 	int n, ret = 0;
594 	u8 *p;
595 
596 	/* if errorflag is set do nothing and return 'broken pipe' */
597 	if (prng_errorflag)
598 		return -EPIPE;
599 
600 	/* lock prng_data struct */
601 	if (mutex_lock_interruptible(&prng_data->mutex))
602 		return -ERESTARTSYS;
603 
604 	while (nbytes) {
605 		if (need_resched()) {
606 			if (signal_pending(current)) {
607 				if (ret == 0)
608 					ret = -ERESTARTSYS;
609 				break;
610 			}
611 			/* give mutex free before calling schedule() */
612 			mutex_unlock(&prng_data->mutex);
613 			schedule();
614 			/* occopy mutex again */
615 			if (mutex_lock_interruptible(&prng_data->mutex)) {
616 				if (ret == 0)
617 					ret = -ERESTARTSYS;
618 				return ret;
619 			}
620 		}
621 		if (prng_data->rest) {
622 			/* push left over random bytes from the previous read */
623 			p = prng_data->buf + prng_chunk_size - prng_data->rest;
624 			n = (nbytes < prng_data->rest) ?
625 				nbytes : prng_data->rest;
626 			prng_data->rest -= n;
627 		} else {
628 			/* generate one chunk of random bytes into read buf */
629 			p = prng_data->buf;
630 			n = prng_sha512_generate(p, prng_chunk_size);
631 			if (n < 0) {
632 				ret = n;
633 				break;
634 			}
635 			if (nbytes < prng_chunk_size) {
636 				n = nbytes;
637 				prng_data->rest = prng_chunk_size - n;
638 			} else {
639 				n = prng_chunk_size;
640 				prng_data->rest = 0;
641 			}
642 		}
643 		if (copy_to_user(ubuf, p, n)) {
644 			ret = -EFAULT;
645 			break;
646 		}
647 		memzero_explicit(p, n);
648 		ubuf += n;
649 		nbytes -= n;
650 		ret += n;
651 	}
652 
653 	/* unlock prng_data struct */
654 	mutex_unlock(&prng_data->mutex);
655 
656 	return ret;
657 }
658 
659 
660 /*** sysfs stuff ***/
661 
662 static const struct file_operations prng_sha512_fops = {
663 	.owner		= THIS_MODULE,
664 	.open		= &prng_open,
665 	.release	= NULL,
666 	.read		= &prng_sha512_read,
667 	.llseek		= noop_llseek,
668 };
669 static const struct file_operations prng_tdes_fops = {
670 	.owner		= THIS_MODULE,
671 	.open		= &prng_open,
672 	.release	= NULL,
673 	.read		= &prng_tdes_read,
674 	.llseek		= noop_llseek,
675 };
676 
677 /* chunksize attribute (ro) */
678 static ssize_t prng_chunksize_show(struct device *dev,
679 				   struct device_attribute *attr,
680 				   char *buf)
681 {
682 	return scnprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
683 }
684 static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL);
685 
686 /* counter attribute (ro) */
687 static ssize_t prng_counter_show(struct device *dev,
688 				 struct device_attribute *attr,
689 				 char *buf)
690 {
691 	u64 counter;
692 
693 	if (mutex_lock_interruptible(&prng_data->mutex))
694 		return -ERESTARTSYS;
695 	if (prng_mode == PRNG_MODE_SHA512)
696 		counter = prng_data->prnows.stream_bytes;
697 	else
698 		counter = prng_data->prngws.byte_counter;
699 	mutex_unlock(&prng_data->mutex);
700 
701 	return scnprintf(buf, PAGE_SIZE, "%llu\n", counter);
702 }
703 static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL);
704 
705 /* errorflag attribute (ro) */
706 static ssize_t prng_errorflag_show(struct device *dev,
707 				   struct device_attribute *attr,
708 				   char *buf)
709 {
710 	return scnprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
711 }
712 static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL);
713 
714 /* mode attribute (ro) */
715 static ssize_t prng_mode_show(struct device *dev,
716 			      struct device_attribute *attr,
717 			      char *buf)
718 {
719 	if (prng_mode == PRNG_MODE_TDES)
720 		return scnprintf(buf, PAGE_SIZE, "TDES\n");
721 	else
722 		return scnprintf(buf, PAGE_SIZE, "SHA512\n");
723 }
724 static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL);
725 
726 /* reseed attribute (w) */
727 static ssize_t prng_reseed_store(struct device *dev,
728 				 struct device_attribute *attr,
729 				 const char *buf, size_t count)
730 {
731 	if (mutex_lock_interruptible(&prng_data->mutex))
732 		return -ERESTARTSYS;
733 	prng_sha512_reseed();
734 	mutex_unlock(&prng_data->mutex);
735 
736 	return count;
737 }
738 static DEVICE_ATTR(reseed, 0200, NULL, prng_reseed_store);
739 
740 /* reseed limit attribute (rw) */
741 static ssize_t prng_reseed_limit_show(struct device *dev,
742 				      struct device_attribute *attr,
743 				      char *buf)
744 {
745 	return scnprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
746 }
747 static ssize_t prng_reseed_limit_store(struct device *dev,
748 				       struct device_attribute *attr,
749 				       const char *buf, size_t count)
750 {
751 	unsigned limit;
752 
753 	if (sscanf(buf, "%u\n", &limit) != 1)
754 		return -EINVAL;
755 
756 	if (prng_mode == PRNG_MODE_SHA512) {
757 		if (limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
758 			return -EINVAL;
759 	} else {
760 		if (limit < PRNG_RESEED_LIMIT_TDES_LOWER)
761 			return -EINVAL;
762 	}
763 
764 	prng_reseed_limit = limit;
765 
766 	return count;
767 }
768 static DEVICE_ATTR(reseed_limit, 0644,
769 		   prng_reseed_limit_show, prng_reseed_limit_store);
770 
771 /* strength attribute (ro) */
772 static ssize_t prng_strength_show(struct device *dev,
773 				  struct device_attribute *attr,
774 				  char *buf)
775 {
776 	return scnprintf(buf, PAGE_SIZE, "256\n");
777 }
778 static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL);
779 
780 static struct attribute *prng_sha512_dev_attrs[] = {
781 	&dev_attr_errorflag.attr,
782 	&dev_attr_chunksize.attr,
783 	&dev_attr_byte_counter.attr,
784 	&dev_attr_mode.attr,
785 	&dev_attr_reseed.attr,
786 	&dev_attr_reseed_limit.attr,
787 	&dev_attr_strength.attr,
788 	NULL
789 };
790 ATTRIBUTE_GROUPS(prng_sha512_dev);
791 
792 static struct attribute *prng_tdes_dev_attrs[] = {
793 	&dev_attr_chunksize.attr,
794 	&dev_attr_byte_counter.attr,
795 	&dev_attr_mode.attr,
796 	NULL
797 };
798 ATTRIBUTE_GROUPS(prng_tdes_dev);
799 
800 static struct miscdevice prng_sha512_dev = {
801 	.name	= "prandom",
802 	.minor	= MISC_DYNAMIC_MINOR,
803 	.mode	= 0644,
804 	.fops	= &prng_sha512_fops,
805 	.groups = prng_sha512_dev_groups,
806 };
807 
808 static struct miscdevice prng_tdes_dev = {
809 	.name	= "prandom",
810 	.minor	= MISC_DYNAMIC_MINOR,
811 	.mode	= 0644,
812 	.fops	= &prng_tdes_fops,
813 	.groups = prng_tdes_dev_groups,
814 };
815 
816 
817 /*** module init and exit ***/
818 
819 static int __init prng_init(void)
820 {
821 	int ret;
822 
823 	/* check if the CPU has a PRNG */
824 	if (!cpacf_query_func(CPACF_KMC, CPACF_KMC_PRNG))
825 		return -ENODEV;
826 
827 	/* check if TRNG subfunction is available */
828 	if (cpacf_query_func(CPACF_PRNO, CPACF_PRNO_TRNG))
829 		trng_available = true;
830 
831 	/* choose prng mode */
832 	if (prng_mode != PRNG_MODE_TDES) {
833 		/* check for MSA5 support for PRNO operations */
834 		if (!cpacf_query_func(CPACF_PRNO, CPACF_PRNO_SHA512_DRNG_GEN)) {
835 			if (prng_mode == PRNG_MODE_SHA512) {
836 				pr_err("The prng module cannot "
837 				       "start in SHA-512 mode\n");
838 				return -ENODEV;
839 			}
840 			prng_mode = PRNG_MODE_TDES;
841 		} else
842 			prng_mode = PRNG_MODE_SHA512;
843 	}
844 
845 	if (prng_mode == PRNG_MODE_SHA512) {
846 
847 		/* SHA512 mode */
848 
849 		if (prng_chunk_size < PRNG_CHUNKSIZE_SHA512_MIN
850 		    || prng_chunk_size > PRNG_CHUNKSIZE_SHA512_MAX)
851 			return -EINVAL;
852 		prng_chunk_size = (prng_chunk_size + 0x3f) & ~0x3f;
853 
854 		if (prng_reseed_limit == 0)
855 			prng_reseed_limit = PRNG_RESEED_LIMIT_SHA512;
856 		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
857 			return -EINVAL;
858 
859 		ret = prng_sha512_instantiate();
860 		if (ret)
861 			goto out;
862 
863 		ret = misc_register(&prng_sha512_dev);
864 		if (ret) {
865 			prng_sha512_deinstantiate();
866 			goto out;
867 		}
868 
869 	} else {
870 
871 		/* TDES mode */
872 
873 		if (prng_chunk_size < PRNG_CHUNKSIZE_TDES_MIN
874 		    || prng_chunk_size > PRNG_CHUNKSIZE_TDES_MAX)
875 			return -EINVAL;
876 		prng_chunk_size = (prng_chunk_size + 0x07) & ~0x07;
877 
878 		if (prng_reseed_limit == 0)
879 			prng_reseed_limit = PRNG_RESEED_LIMIT_TDES;
880 		else if (prng_reseed_limit < PRNG_RESEED_LIMIT_TDES_LOWER)
881 			return -EINVAL;
882 
883 		ret = prng_tdes_instantiate();
884 		if (ret)
885 			goto out;
886 
887 		ret = misc_register(&prng_tdes_dev);
888 		if (ret) {
889 			prng_tdes_deinstantiate();
890 			goto out;
891 		}
892 	}
893 
894 out:
895 	return ret;
896 }
897 
898 
899 static void __exit prng_exit(void)
900 {
901 	if (prng_mode == PRNG_MODE_SHA512) {
902 		misc_deregister(&prng_sha512_dev);
903 		prng_sha512_deinstantiate();
904 	} else {
905 		misc_deregister(&prng_tdes_dev);
906 		prng_tdes_deinstantiate();
907 	}
908 }
909 
910 module_cpu_feature_match(MSA, prng_init);
911 module_exit(prng_exit);
912