1 /* 2 * Copyright IBM Corp. 2006,2007 3 * Author(s): Jan Glauber <jan.glauber@de.ibm.com> 4 * Driver for the s390 pseudo random number generator 5 */ 6 #include <linux/fs.h> 7 #include <linux/init.h> 8 #include <linux/kernel.h> 9 #include <linux/miscdevice.h> 10 #include <linux/module.h> 11 #include <linux/moduleparam.h> 12 #include <linux/random.h> 13 #include <asm/debug.h> 14 #include <asm/uaccess.h> 15 16 #include "crypt_s390.h" 17 18 MODULE_LICENSE("GPL"); 19 MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>"); 20 MODULE_DESCRIPTION("s390 PRNG interface"); 21 22 static int prng_chunk_size = 256; 23 module_param(prng_chunk_size, int, S_IRUSR | S_IRGRP | S_IROTH); 24 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes"); 25 26 static int prng_entropy_limit = 4096; 27 module_param(prng_entropy_limit, int, S_IRUSR | S_IRGRP | S_IROTH | S_IWUSR); 28 MODULE_PARM_DESC(prng_entropy_limit, 29 "PRNG add entropy after that much bytes were produced"); 30 31 /* 32 * Any one who considers arithmetical methods of producing random digits is, 33 * of course, in a state of sin. -- John von Neumann 34 */ 35 36 struct s390_prng_data { 37 unsigned long count; /* how many bytes were produced */ 38 char *buf; 39 }; 40 41 static struct s390_prng_data *p; 42 43 /* copied from libica, use a non-zero initial parameter block */ 44 static unsigned char parm_block[32] = { 45 0x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4, 46 0x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0, 47 }; 48 49 static int prng_open(struct inode *inode, struct file *file) 50 { 51 return nonseekable_open(inode, file); 52 } 53 54 static void prng_add_entropy(void) 55 { 56 __u64 entropy[4]; 57 unsigned int i; 58 int ret; 59 60 for (i = 0; i < 16; i++) { 61 ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy, 62 (char *)entropy, sizeof(entropy)); 63 BUG_ON(ret < 0 || ret != sizeof(entropy)); 64 memcpy(parm_block, entropy, sizeof(entropy)); 65 } 66 } 67 68 static void prng_seed(int nbytes) 69 { 70 char buf[16]; 71 int i = 0; 72 73 BUG_ON(nbytes > 16); 74 get_random_bytes(buf, nbytes); 75 76 /* Add the entropy */ 77 while (nbytes >= 8) { 78 *((__u64 *)parm_block) ^= *((__u64 *)buf+i*8); 79 prng_add_entropy(); 80 i += 8; 81 nbytes -= 8; 82 } 83 prng_add_entropy(); 84 } 85 86 static ssize_t prng_read(struct file *file, char __user *ubuf, size_t nbytes, 87 loff_t *ppos) 88 { 89 int chunk, n; 90 int ret = 0; 91 int tmp; 92 93 /* nbytes can be arbitrary length, we split it into chunks */ 94 while (nbytes) { 95 /* same as in extract_entropy_user in random.c */ 96 if (need_resched()) { 97 if (signal_pending(current)) { 98 if (ret == 0) 99 ret = -ERESTARTSYS; 100 break; 101 } 102 schedule(); 103 } 104 105 /* 106 * we lose some random bytes if an attacker issues 107 * reads < 8 bytes, but we don't care 108 */ 109 chunk = min_t(int, nbytes, prng_chunk_size); 110 111 /* PRNG only likes multiples of 8 bytes */ 112 n = (chunk + 7) & -8; 113 114 if (p->count > prng_entropy_limit) 115 prng_seed(8); 116 117 /* if the CPU supports PRNG stckf is present too */ 118 asm volatile(".insn s,0xb27c0000,%0" 119 : "=m" (*((unsigned long long *)p->buf)) : : "cc"); 120 121 /* 122 * Beside the STCKF the input for the TDES-EDE is the output 123 * of the last operation. We differ here from X9.17 since we 124 * only store one timestamp into the buffer. Padding the whole 125 * buffer with timestamps does not improve security, since 126 * successive stckf have nearly constant offsets. 127 * If an attacker knows the first timestamp it would be 128 * trivial to guess the additional values. One timestamp 129 * is therefore enough and still guarantees unique input values. 130 * 131 * Note: you can still get strict X9.17 conformity by setting 132 * prng_chunk_size to 8 bytes. 133 */ 134 tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n); 135 BUG_ON((tmp < 0) || (tmp != n)); 136 137 p->count += n; 138 139 if (copy_to_user(ubuf, p->buf, chunk)) 140 return -EFAULT; 141 142 nbytes -= chunk; 143 ret += chunk; 144 ubuf += chunk; 145 } 146 return ret; 147 } 148 149 static const struct file_operations prng_fops = { 150 .owner = THIS_MODULE, 151 .open = &prng_open, 152 .release = NULL, 153 .read = &prng_read, 154 }; 155 156 static struct miscdevice prng_dev = { 157 .name = "prandom", 158 .minor = MISC_DYNAMIC_MINOR, 159 .fops = &prng_fops, 160 }; 161 162 static int __init prng_init(void) 163 { 164 int ret; 165 166 /* check if the CPU has a PRNG */ 167 if (!crypt_s390_func_available(KMC_PRNG)) 168 return -EOPNOTSUPP; 169 170 if (prng_chunk_size < 8) 171 return -EINVAL; 172 173 p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL); 174 if (!p) 175 return -ENOMEM; 176 p->count = 0; 177 178 p->buf = kmalloc(prng_chunk_size, GFP_KERNEL); 179 if (!p->buf) { 180 ret = -ENOMEM; 181 goto out_free; 182 } 183 184 /* initialize the PRNG, add 128 bits of entropy */ 185 prng_seed(16); 186 187 ret = misc_register(&prng_dev); 188 if (ret) 189 goto out_buf; 190 return 0; 191 192 out_buf: 193 kfree(p->buf); 194 out_free: 195 kfree(p); 196 return ret; 197 } 198 199 static void __exit prng_exit(void) 200 { 201 /* wipe me */ 202 kzfree(p->buf); 203 kfree(p); 204 205 misc_deregister(&prng_dev); 206 } 207 208 module_init(prng_init); 209 module_exit(prng_exit); 210