xref: /openbmc/linux/drivers/char/random.c (revision 1fe3a33b)
1 /*
2  * random.c -- A strong random number generator
3  *
4  * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
5  *
6  * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005
7  *
8  * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999.  All
9  * rights reserved.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, and the entire permission notice in its entirety,
16  *    including the disclaimer of warranties.
17  * 2. Redistributions in binary form must reproduce the above copyright
18  *    notice, this list of conditions and the following disclaimer in the
19  *    documentation and/or other materials provided with the distribution.
20  * 3. The name of the author may not be used to endorse or promote
21  *    products derived from this software without specific prior
22  *    written permission.
23  *
24  * ALTERNATIVELY, this product may be distributed under the terms of
25  * the GNU General Public License, in which case the provisions of the GPL are
26  * required INSTEAD OF the above restrictions.  (This clause is
27  * necessary due to a potential bad interaction between the GPL and
28  * the restrictions contained in a BSD-style copyright.)
29  *
30  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
31  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
33  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
34  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
35  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
36  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
37  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
38  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
39  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
40  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
41  * DAMAGE.
42  */
43 
44 /*
45  * (now, with legal B.S. out of the way.....)
46  *
47  * This routine gathers environmental noise from device drivers, etc.,
48  * and returns good random numbers, suitable for cryptographic use.
49  * Besides the obvious cryptographic uses, these numbers are also good
50  * for seeding TCP sequence numbers, and other places where it is
51  * desirable to have numbers which are not only random, but hard to
52  * predict by an attacker.
53  *
54  * Theory of operation
55  * ===================
56  *
57  * Computers are very predictable devices.  Hence it is extremely hard
58  * to produce truly random numbers on a computer --- as opposed to
59  * pseudo-random numbers, which can easily generated by using a
60  * algorithm.  Unfortunately, it is very easy for attackers to guess
61  * the sequence of pseudo-random number generators, and for some
62  * applications this is not acceptable.  So instead, we must try to
63  * gather "environmental noise" from the computer's environment, which
64  * must be hard for outside attackers to observe, and use that to
65  * generate random numbers.  In a Unix environment, this is best done
66  * from inside the kernel.
67  *
68  * Sources of randomness from the environment include inter-keyboard
69  * timings, inter-interrupt timings from some interrupts, and other
70  * events which are both (a) non-deterministic and (b) hard for an
71  * outside observer to measure.  Randomness from these sources are
72  * added to an "entropy pool", which is mixed using a CRC-like function.
73  * This is not cryptographically strong, but it is adequate assuming
74  * the randomness is not chosen maliciously, and it is fast enough that
75  * the overhead of doing it on every interrupt is very reasonable.
76  * As random bytes are mixed into the entropy pool, the routines keep
77  * an *estimate* of how many bits of randomness have been stored into
78  * the random number generator's internal state.
79  *
80  * When random bytes are desired, they are obtained by taking the BLAKE2s
81  * hash of the contents of the "entropy pool".  The BLAKE2s hash avoids
82  * exposing the internal state of the entropy pool.  It is believed to
83  * be computationally infeasible to derive any useful information
84  * about the input of BLAKE2s from its output.  Even if it is possible to
85  * analyze BLAKE2s in some clever way, as long as the amount of data
86  * returned from the generator is less than the inherent entropy in
87  * the pool, the output data is totally unpredictable.  For this
88  * reason, the routine decreases its internal estimate of how many
89  * bits of "true randomness" are contained in the entropy pool as it
90  * outputs random numbers.
91  *
92  * If this estimate goes to zero, the routine can still generate
93  * random numbers; however, an attacker may (at least in theory) be
94  * able to infer the future output of the generator from prior
95  * outputs.  This requires successful cryptanalysis of BLAKE2s, which is
96  * not believed to be feasible, but there is a remote possibility.
97  * Nonetheless, these numbers should be useful for the vast majority
98  * of purposes.
99  *
100  * Exported interfaces ---- output
101  * ===============================
102  *
103  * There are four exported interfaces; two for use within the kernel,
104  * and two for use from userspace.
105  *
106  * Exported interfaces ---- userspace output
107  * -----------------------------------------
108  *
109  * The userspace interfaces are two character devices /dev/random and
110  * /dev/urandom.  /dev/random is suitable for use when very high
111  * quality randomness is desired (for example, for key generation or
112  * one-time pads), as it will only return a maximum of the number of
113  * bits of randomness (as estimated by the random number generator)
114  * contained in the entropy pool.
115  *
116  * The /dev/urandom device does not have this limit, and will return
117  * as many bytes as are requested.  As more and more random bytes are
118  * requested without giving time for the entropy pool to recharge,
119  * this will result in random numbers that are merely cryptographically
120  * strong.  For many applications, however, this is acceptable.
121  *
122  * Exported interfaces ---- kernel output
123  * --------------------------------------
124  *
125  * The primary kernel interface is
126  *
127  *	void get_random_bytes(void *buf, int nbytes);
128  *
129  * This interface will return the requested number of random bytes,
130  * and place it in the requested buffer.  This is equivalent to a
131  * read from /dev/urandom.
132  *
133  * For less critical applications, there are the functions:
134  *
135  *	u32 get_random_u32()
136  *	u64 get_random_u64()
137  *	unsigned int get_random_int()
138  *	unsigned long get_random_long()
139  *
140  * These are produced by a cryptographic RNG seeded from get_random_bytes,
141  * and so do not deplete the entropy pool as much.  These are recommended
142  * for most in-kernel operations *if the result is going to be stored in
143  * the kernel*.
144  *
145  * Specifically, the get_random_int() family do not attempt to do
146  * "anti-backtracking".  If you capture the state of the kernel (e.g.
147  * by snapshotting the VM), you can figure out previous get_random_int()
148  * return values.  But if the value is stored in the kernel anyway,
149  * this is not a problem.
150  *
151  * It *is* safe to expose get_random_int() output to attackers (e.g. as
152  * network cookies); given outputs 1..n, it's not feasible to predict
153  * outputs 0 or n+1.  The only concern is an attacker who breaks into
154  * the kernel later; the get_random_int() engine is not reseeded as
155  * often as the get_random_bytes() one.
156  *
157  * get_random_bytes() is needed for keys that need to stay secret after
158  * they are erased from the kernel.  For example, any key that will
159  * be wrapped and stored encrypted.  And session encryption keys: we'd
160  * like to know that after the session is closed and the keys erased,
161  * the plaintext is unrecoverable to someone who recorded the ciphertext.
162  *
163  * But for network ports/cookies, stack canaries, PRNG seeds, address
164  * space layout randomization, session *authentication* keys, or other
165  * applications where the sensitive data is stored in the kernel in
166  * plaintext for as long as it's sensitive, the get_random_int() family
167  * is just fine.
168  *
169  * Consider ASLR.  We want to keep the address space secret from an
170  * outside attacker while the process is running, but once the address
171  * space is torn down, it's of no use to an attacker any more.  And it's
172  * stored in kernel data structures as long as it's alive, so worrying
173  * about an attacker's ability to extrapolate it from the get_random_int()
174  * CRNG is silly.
175  *
176  * Even some cryptographic keys are safe to generate with get_random_int().
177  * In particular, keys for SipHash are generally fine.  Here, knowledge
178  * of the key authorizes you to do something to a kernel object (inject
179  * packets to a network connection, or flood a hash table), and the
180  * key is stored with the object being protected.  Once it goes away,
181  * we no longer care if anyone knows the key.
182  *
183  * prandom_u32()
184  * -------------
185  *
186  * For even weaker applications, see the pseudorandom generator
187  * prandom_u32(), prandom_max(), and prandom_bytes().  If the random
188  * numbers aren't security-critical at all, these are *far* cheaper.
189  * Useful for self-tests, random error simulation, randomized backoffs,
190  * and any other application where you trust that nobody is trying to
191  * maliciously mess with you by guessing the "random" numbers.
192  *
193  * Exported interfaces ---- input
194  * ==============================
195  *
196  * The current exported interfaces for gathering environmental noise
197  * from the devices are:
198  *
199  *	void add_device_randomness(const void *buf, unsigned int size);
200  *	void add_input_randomness(unsigned int type, unsigned int code,
201  *                                unsigned int value);
202  *	void add_interrupt_randomness(int irq);
203  *	void add_disk_randomness(struct gendisk *disk);
204  *	void add_hwgenerator_randomness(const char *buffer, size_t count,
205  *					size_t entropy);
206  *	void add_bootloader_randomness(const void *buf, unsigned int size);
207  *
208  * add_device_randomness() is for adding data to the random pool that
209  * is likely to differ between two devices (or possibly even per boot).
210  * This would be things like MAC addresses or serial numbers, or the
211  * read-out of the RTC. This does *not* add any actual entropy to the
212  * pool, but it initializes the pool to different values for devices
213  * that might otherwise be identical and have very little entropy
214  * available to them (particularly common in the embedded world).
215  *
216  * add_input_randomness() uses the input layer interrupt timing, as well as
217  * the event type information from the hardware.
218  *
219  * add_interrupt_randomness() uses the interrupt timing as random
220  * inputs to the entropy pool. Using the cycle counters and the irq source
221  * as inputs, it feeds the randomness roughly once a second.
222  *
223  * add_disk_randomness() uses what amounts to the seek time of block
224  * layer request events, on a per-disk_devt basis, as input to the
225  * entropy pool. Note that high-speed solid state drives with very low
226  * seek times do not make for good sources of entropy, as their seek
227  * times are usually fairly consistent.
228  *
229  * All of these routines try to estimate how many bits of randomness a
230  * particular randomness source.  They do this by keeping track of the
231  * first and second order deltas of the event timings.
232  *
233  * add_hwgenerator_randomness() is for true hardware RNGs, and will credit
234  * entropy as specified by the caller. If the entropy pool is full it will
235  * block until more entropy is needed.
236  *
237  * add_bootloader_randomness() is the same as add_hwgenerator_randomness() or
238  * add_device_randomness(), depending on whether or not the configuration
239  * option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
240  *
241  * Ensuring unpredictability at system startup
242  * ============================================
243  *
244  * When any operating system starts up, it will go through a sequence
245  * of actions that are fairly predictable by an adversary, especially
246  * if the start-up does not involve interaction with a human operator.
247  * This reduces the actual number of bits of unpredictability in the
248  * entropy pool below the value in entropy_count.  In order to
249  * counteract this effect, it helps to carry information in the
250  * entropy pool across shut-downs and start-ups.  To do this, put the
251  * following lines an appropriate script which is run during the boot
252  * sequence:
253  *
254  *	echo "Initializing random number generator..."
255  *	random_seed=/var/run/random-seed
256  *	# Carry a random seed from start-up to start-up
257  *	# Load and then save the whole entropy pool
258  *	if [ -f $random_seed ]; then
259  *		cat $random_seed >/dev/urandom
260  *	else
261  *		touch $random_seed
262  *	fi
263  *	chmod 600 $random_seed
264  *	dd if=/dev/urandom of=$random_seed count=1 bs=512
265  *
266  * and the following lines in an appropriate script which is run as
267  * the system is shutdown:
268  *
269  *	# Carry a random seed from shut-down to start-up
270  *	# Save the whole entropy pool
271  *	echo "Saving random seed..."
272  *	random_seed=/var/run/random-seed
273  *	touch $random_seed
274  *	chmod 600 $random_seed
275  *	dd if=/dev/urandom of=$random_seed count=1 bs=512
276  *
277  * For example, on most modern systems using the System V init
278  * scripts, such code fragments would be found in
279  * /etc/rc.d/init.d/random.  On older Linux systems, the correct script
280  * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0.
281  *
282  * Effectively, these commands cause the contents of the entropy pool
283  * to be saved at shut-down time and reloaded into the entropy pool at
284  * start-up.  (The 'dd' in the addition to the bootup script is to
285  * make sure that /etc/random-seed is different for every start-up,
286  * even if the system crashes without executing rc.0.)  Even with
287  * complete knowledge of the start-up activities, predicting the state
288  * of the entropy pool requires knowledge of the previous history of
289  * the system.
290  *
291  * Configuring the /dev/random driver under Linux
292  * ==============================================
293  *
294  * The /dev/random driver under Linux uses minor numbers 8 and 9 of
295  * the /dev/mem major number (#1).  So if your system does not have
296  * /dev/random and /dev/urandom created already, they can be created
297  * by using the commands:
298  *
299  *	mknod /dev/random c 1 8
300  *	mknod /dev/urandom c 1 9
301  *
302  * Acknowledgements:
303  * =================
304  *
305  * Ideas for constructing this random number generator were derived
306  * from Pretty Good Privacy's random number generator, and from private
307  * discussions with Phil Karn.  Colin Plumb provided a faster random
308  * number generator, which speed up the mixing function of the entropy
309  * pool, taken from PGPfone.  Dale Worley has also contributed many
310  * useful ideas and suggestions to improve this driver.
311  *
312  * Any flaws in the design are solely my responsibility, and should
313  * not be attributed to the Phil, Colin, or any of authors of PGP.
314  *
315  * Further background information on this topic may be obtained from
316  * RFC 1750, "Randomness Recommendations for Security", by Donald
317  * Eastlake, Steve Crocker, and Jeff Schiller.
318  */
319 
320 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
321 
322 #include <linux/utsname.h>
323 #include <linux/module.h>
324 #include <linux/kernel.h>
325 #include <linux/major.h>
326 #include <linux/string.h>
327 #include <linux/fcntl.h>
328 #include <linux/slab.h>
329 #include <linux/random.h>
330 #include <linux/poll.h>
331 #include <linux/init.h>
332 #include <linux/fs.h>
333 #include <linux/genhd.h>
334 #include <linux/interrupt.h>
335 #include <linux/mm.h>
336 #include <linux/nodemask.h>
337 #include <linux/spinlock.h>
338 #include <linux/kthread.h>
339 #include <linux/percpu.h>
340 #include <linux/ptrace.h>
341 #include <linux/workqueue.h>
342 #include <linux/irq.h>
343 #include <linux/ratelimit.h>
344 #include <linux/syscalls.h>
345 #include <linux/completion.h>
346 #include <linux/uuid.h>
347 #include <crypto/chacha.h>
348 #include <crypto/blake2s.h>
349 
350 #include <asm/processor.h>
351 #include <linux/uaccess.h>
352 #include <asm/irq.h>
353 #include <asm/irq_regs.h>
354 #include <asm/io.h>
355 
356 #define CREATE_TRACE_POINTS
357 #include <trace/events/random.h>
358 
359 /* #define ADD_INTERRUPT_BENCH */
360 
361 /*
362  * If the entropy count falls under this number of bits, then we
363  * should wake up processes which are selecting or polling on write
364  * access to /dev/random.
365  */
366 static int random_write_wakeup_bits = 28 * (1 << 5);
367 
368 /*
369  * Originally, we used a primitive polynomial of degree .poolwords
370  * over GF(2).  The taps for various sizes are defined below.  They
371  * were chosen to be evenly spaced except for the last tap, which is 1
372  * to get the twisting happening as fast as possible.
373  *
374  * For the purposes of better mixing, we use the CRC-32 polynomial as
375  * well to make a (modified) twisted Generalized Feedback Shift
376  * Register.  (See M. Matsumoto & Y. Kurita, 1992.  Twisted GFSR
377  * generators.  ACM Transactions on Modeling and Computer Simulation
378  * 2(3):179-194.  Also see M. Matsumoto & Y. Kurita, 1994.  Twisted
379  * GFSR generators II.  ACM Transactions on Modeling and Computer
380  * Simulation 4:254-266)
381  *
382  * Thanks to Colin Plumb for suggesting this.
383  *
384  * The mixing operation is much less sensitive than the output hash,
385  * where we use BLAKE2s.  All that we want of mixing operation is that
386  * it be a good non-cryptographic hash; i.e. it not produce collisions
387  * when fed "random" data of the sort we expect to see.  As long as
388  * the pool state differs for different inputs, we have preserved the
389  * input entropy and done a good job.  The fact that an intelligent
390  * attacker can construct inputs that will produce controlled
391  * alterations to the pool's state is not important because we don't
392  * consider such inputs to contribute any randomness.  The only
393  * property we need with respect to them is that the attacker can't
394  * increase his/her knowledge of the pool's state.  Since all
395  * additions are reversible (knowing the final state and the input,
396  * you can reconstruct the initial state), if an attacker has any
397  * uncertainty about the initial state, he/she can only shuffle that
398  * uncertainty about, but never cause any collisions (which would
399  * decrease the uncertainty).
400  *
401  * Our mixing functions were analyzed by Lacharme, Roeck, Strubel, and
402  * Videau in their paper, "The Linux Pseudorandom Number Generator
403  * Revisited" (see: http://eprint.iacr.org/2012/251.pdf).  In their
404  * paper, they point out that we are not using a true Twisted GFSR,
405  * since Matsumoto & Kurita used a trinomial feedback polynomial (that
406  * is, with only three taps, instead of the six that we are using).
407  * As a result, the resulting polynomial is neither primitive nor
408  * irreducible, and hence does not have a maximal period over
409  * GF(2**32).  They suggest a slight change to the generator
410  * polynomial which improves the resulting TGFSR polynomial to be
411  * irreducible, which we have made here.
412  */
413 enum poolinfo {
414 	POOL_WORDS = 128,
415 	POOL_WORDMASK = POOL_WORDS - 1,
416 	POOL_BYTES = POOL_WORDS * sizeof(u32),
417 	POOL_BITS = POOL_BYTES * 8,
418 	POOL_BITSHIFT = ilog2(POOL_BITS),
419 
420 	/* To allow fractional bits to be tracked, the entropy_count field is
421 	 * denominated in units of 1/8th bits. */
422 	POOL_ENTROPY_SHIFT = 3,
423 #define POOL_ENTROPY_BITS() (input_pool.entropy_count >> POOL_ENTROPY_SHIFT)
424 	POOL_FRACBITS = POOL_BITS << POOL_ENTROPY_SHIFT,
425 
426 	/* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */
427 	POOL_TAP1 = 104,
428 	POOL_TAP2 = 76,
429 	POOL_TAP3 = 51,
430 	POOL_TAP4 = 25,
431 	POOL_TAP5 = 1,
432 
433 	EXTRACT_SIZE = BLAKE2S_HASH_SIZE / 2
434 };
435 
436 /*
437  * Static global variables
438  */
439 static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
440 static struct fasync_struct *fasync;
441 
442 static DEFINE_SPINLOCK(random_ready_list_lock);
443 static LIST_HEAD(random_ready_list);
444 
445 struct crng_state {
446 	u32 state[16];
447 	unsigned long init_time;
448 	spinlock_t lock;
449 };
450 
451 static struct crng_state primary_crng = {
452 	.lock = __SPIN_LOCK_UNLOCKED(primary_crng.lock),
453 	.state[0] = CHACHA_CONSTANT_EXPA,
454 	.state[1] = CHACHA_CONSTANT_ND_3,
455 	.state[2] = CHACHA_CONSTANT_2_BY,
456 	.state[3] = CHACHA_CONSTANT_TE_K,
457 };
458 
459 /*
460  * crng_init =  0 --> Uninitialized
461  *		1 --> Initialized
462  *		2 --> Initialized from input_pool
463  *
464  * crng_init is protected by primary_crng->lock, and only increases
465  * its value (from 0->1->2).
466  */
467 static int crng_init = 0;
468 static bool crng_need_final_init = false;
469 #define crng_ready() (likely(crng_init > 1))
470 static int crng_init_cnt = 0;
471 static unsigned long crng_global_init_time = 0;
472 #define CRNG_INIT_CNT_THRESH (2 * CHACHA_KEY_SIZE)
473 static void _extract_crng(struct crng_state *crng, u8 out[CHACHA_BLOCK_SIZE]);
474 static void _crng_backtrack_protect(struct crng_state *crng,
475 				    u8 tmp[CHACHA_BLOCK_SIZE], int used);
476 static void process_random_ready_list(void);
477 static void _get_random_bytes(void *buf, int nbytes);
478 
479 static struct ratelimit_state unseeded_warning =
480 	RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
481 static struct ratelimit_state urandom_warning =
482 	RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
483 
484 static int ratelimit_disable __read_mostly;
485 
486 module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
487 MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
488 
489 /**********************************************************************
490  *
491  * OS independent entropy store.   Here are the functions which handle
492  * storing entropy in an entropy pool.
493  *
494  **********************************************************************/
495 
496 static u32 input_pool_data[POOL_WORDS] __latent_entropy;
497 
498 static struct {
499 	spinlock_t lock;
500 	u16 add_ptr;
501 	u16 input_rotate;
502 	int entropy_count;
503 } input_pool = {
504 	.lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
505 };
506 
507 static ssize_t extract_entropy(void *buf, size_t nbytes, int min);
508 static ssize_t _extract_entropy(void *buf, size_t nbytes);
509 
510 static void crng_reseed(struct crng_state *crng, bool use_input_pool);
511 
512 static const u32 twist_table[8] = {
513 	0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
514 	0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
515 
516 /*
517  * This function adds bytes into the entropy "pool".  It does not
518  * update the entropy estimate.  The caller should call
519  * credit_entropy_bits if this is appropriate.
520  *
521  * The pool is stirred with a primitive polynomial of the appropriate
522  * degree, and then twisted.  We twist by three bits at a time because
523  * it's cheap to do so and helps slightly in the expected case where
524  * the entropy is concentrated in the low-order bits.
525  */
526 static void _mix_pool_bytes(const void *in, int nbytes)
527 {
528 	unsigned long i;
529 	int input_rotate;
530 	const u8 *bytes = in;
531 	u32 w;
532 
533 	input_rotate = input_pool.input_rotate;
534 	i = input_pool.add_ptr;
535 
536 	/* mix one byte at a time to simplify size handling and churn faster */
537 	while (nbytes--) {
538 		w = rol32(*bytes++, input_rotate);
539 		i = (i - 1) & POOL_WORDMASK;
540 
541 		/* XOR in the various taps */
542 		w ^= input_pool_data[i];
543 		w ^= input_pool_data[(i + POOL_TAP1) & POOL_WORDMASK];
544 		w ^= input_pool_data[(i + POOL_TAP2) & POOL_WORDMASK];
545 		w ^= input_pool_data[(i + POOL_TAP3) & POOL_WORDMASK];
546 		w ^= input_pool_data[(i + POOL_TAP4) & POOL_WORDMASK];
547 		w ^= input_pool_data[(i + POOL_TAP5) & POOL_WORDMASK];
548 
549 		/* Mix the result back in with a twist */
550 		input_pool_data[i] = (w >> 3) ^ twist_table[w & 7];
551 
552 		/*
553 		 * Normally, we add 7 bits of rotation to the pool.
554 		 * At the beginning of the pool, add an extra 7 bits
555 		 * rotation, so that successive passes spread the
556 		 * input bits across the pool evenly.
557 		 */
558 		input_rotate = (input_rotate + (i ? 7 : 14)) & 31;
559 	}
560 
561 	input_pool.input_rotate = input_rotate;
562 	input_pool.add_ptr = i;
563 }
564 
565 static void __mix_pool_bytes(const void *in, int nbytes)
566 {
567 	trace_mix_pool_bytes_nolock(nbytes, _RET_IP_);
568 	_mix_pool_bytes(in, nbytes);
569 }
570 
571 static void mix_pool_bytes(const void *in, int nbytes)
572 {
573 	unsigned long flags;
574 
575 	trace_mix_pool_bytes(nbytes, _RET_IP_);
576 	spin_lock_irqsave(&input_pool.lock, flags);
577 	_mix_pool_bytes(in, nbytes);
578 	spin_unlock_irqrestore(&input_pool.lock, flags);
579 }
580 
581 struct fast_pool {
582 	u32 pool[4];
583 	unsigned long last;
584 	u16 reg_idx;
585 	u8 count;
586 };
587 
588 /*
589  * This is a fast mixing routine used by the interrupt randomness
590  * collector.  It's hardcoded for an 128 bit pool and assumes that any
591  * locks that might be needed are taken by the caller.
592  */
593 static void fast_mix(struct fast_pool *f)
594 {
595 	u32 a = f->pool[0],	b = f->pool[1];
596 	u32 c = f->pool[2],	d = f->pool[3];
597 
598 	a += b;			c += d;
599 	b = rol32(b, 6);	d = rol32(d, 27);
600 	d ^= a;			b ^= c;
601 
602 	a += b;			c += d;
603 	b = rol32(b, 16);	d = rol32(d, 14);
604 	d ^= a;			b ^= c;
605 
606 	a += b;			c += d;
607 	b = rol32(b, 6);	d = rol32(d, 27);
608 	d ^= a;			b ^= c;
609 
610 	a += b;			c += d;
611 	b = rol32(b, 16);	d = rol32(d, 14);
612 	d ^= a;			b ^= c;
613 
614 	f->pool[0] = a;  f->pool[1] = b;
615 	f->pool[2] = c;  f->pool[3] = d;
616 	f->count++;
617 }
618 
619 static void process_random_ready_list(void)
620 {
621 	unsigned long flags;
622 	struct random_ready_callback *rdy, *tmp;
623 
624 	spin_lock_irqsave(&random_ready_list_lock, flags);
625 	list_for_each_entry_safe(rdy, tmp, &random_ready_list, list) {
626 		struct module *owner = rdy->owner;
627 
628 		list_del_init(&rdy->list);
629 		rdy->func(rdy);
630 		module_put(owner);
631 	}
632 	spin_unlock_irqrestore(&random_ready_list_lock, flags);
633 }
634 
635 /*
636  * Credit (or debit) the entropy store with n bits of entropy.
637  * Use credit_entropy_bits_safe() if the value comes from userspace
638  * or otherwise should be checked for extreme values.
639  */
640 static void credit_entropy_bits(int nbits)
641 {
642 	int entropy_count, entropy_bits, orig;
643 	int nfrac = nbits << POOL_ENTROPY_SHIFT;
644 
645 	/* Ensure that the multiplication can avoid being 64 bits wide. */
646 	BUILD_BUG_ON(2 * (POOL_ENTROPY_SHIFT + POOL_BITSHIFT) > 31);
647 
648 	if (!nbits)
649 		return;
650 
651 retry:
652 	entropy_count = orig = READ_ONCE(input_pool.entropy_count);
653 	if (nfrac < 0) {
654 		/* Debit */
655 		entropy_count += nfrac;
656 	} else {
657 		/*
658 		 * Credit: we have to account for the possibility of
659 		 * overwriting already present entropy.	 Even in the
660 		 * ideal case of pure Shannon entropy, new contributions
661 		 * approach the full value asymptotically:
662 		 *
663 		 * entropy <- entropy + (pool_size - entropy) *
664 		 *	(1 - exp(-add_entropy/pool_size))
665 		 *
666 		 * For add_entropy <= pool_size/2 then
667 		 * (1 - exp(-add_entropy/pool_size)) >=
668 		 *    (add_entropy/pool_size)*0.7869...
669 		 * so we can approximate the exponential with
670 		 * 3/4*add_entropy/pool_size and still be on the
671 		 * safe side by adding at most pool_size/2 at a time.
672 		 *
673 		 * The use of pool_size-2 in the while statement is to
674 		 * prevent rounding artifacts from making the loop
675 		 * arbitrarily long; this limits the loop to log2(pool_size)*2
676 		 * turns no matter how large nbits is.
677 		 */
678 		int pnfrac = nfrac;
679 		const int s = POOL_BITSHIFT + POOL_ENTROPY_SHIFT + 2;
680 		/* The +2 corresponds to the /4 in the denominator */
681 
682 		do {
683 			unsigned int anfrac = min(pnfrac, POOL_FRACBITS / 2);
684 			unsigned int add =
685 				((POOL_FRACBITS - entropy_count) * anfrac * 3) >> s;
686 
687 			entropy_count += add;
688 			pnfrac -= anfrac;
689 		} while (unlikely(entropy_count < POOL_FRACBITS - 2 && pnfrac));
690 	}
691 
692 	if (WARN_ON(entropy_count < 0)) {
693 		pr_warn("negative entropy/overflow: count %d\n", entropy_count);
694 		entropy_count = 0;
695 	} else if (entropy_count > POOL_FRACBITS)
696 		entropy_count = POOL_FRACBITS;
697 	if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig)
698 		goto retry;
699 
700 	trace_credit_entropy_bits(nbits, entropy_count >> POOL_ENTROPY_SHIFT, _RET_IP_);
701 
702 	entropy_bits = entropy_count >> POOL_ENTROPY_SHIFT;
703 	if (crng_init < 2 && entropy_bits >= 128)
704 		crng_reseed(&primary_crng, true);
705 }
706 
707 static int credit_entropy_bits_safe(int nbits)
708 {
709 	if (nbits < 0)
710 		return -EINVAL;
711 
712 	/* Cap the value to avoid overflows */
713 	nbits = min(nbits, POOL_BITS);
714 
715 	credit_entropy_bits(nbits);
716 	return 0;
717 }
718 
719 /*********************************************************************
720  *
721  * CRNG using CHACHA20
722  *
723  *********************************************************************/
724 
725 #define CRNG_RESEED_INTERVAL (300 * HZ)
726 
727 static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
728 
729 /*
730  * Hack to deal with crazy userspace progams when they are all trying
731  * to access /dev/urandom in parallel.  The programs are almost
732  * certainly doing something terribly wrong, but we'll work around
733  * their brain damage.
734  */
735 static struct crng_state **crng_node_pool __read_mostly;
736 
737 static void invalidate_batched_entropy(void);
738 static void numa_crng_init(void);
739 
740 static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
741 static int __init parse_trust_cpu(char *arg)
742 {
743 	return kstrtobool(arg, &trust_cpu);
744 }
745 early_param("random.trust_cpu", parse_trust_cpu);
746 
747 static bool crng_init_try_arch(struct crng_state *crng)
748 {
749 	int i;
750 	bool arch_init = true;
751 	unsigned long rv;
752 
753 	for (i = 4; i < 16; i++) {
754 		if (!arch_get_random_seed_long(&rv) &&
755 		    !arch_get_random_long(&rv)) {
756 			rv = random_get_entropy();
757 			arch_init = false;
758 		}
759 		crng->state[i] ^= rv;
760 	}
761 
762 	return arch_init;
763 }
764 
765 static bool __init crng_init_try_arch_early(struct crng_state *crng)
766 {
767 	int i;
768 	bool arch_init = true;
769 	unsigned long rv;
770 
771 	for (i = 4; i < 16; i++) {
772 		if (!arch_get_random_seed_long_early(&rv) &&
773 		    !arch_get_random_long_early(&rv)) {
774 			rv = random_get_entropy();
775 			arch_init = false;
776 		}
777 		crng->state[i] ^= rv;
778 	}
779 
780 	return arch_init;
781 }
782 
783 static void crng_initialize_secondary(struct crng_state *crng)
784 {
785 	chacha_init_consts(crng->state);
786 	_get_random_bytes(&crng->state[4], sizeof(u32) * 12);
787 	crng_init_try_arch(crng);
788 	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
789 }
790 
791 static void __init crng_initialize_primary(struct crng_state *crng)
792 {
793 	_extract_entropy(&crng->state[4], sizeof(u32) * 12);
794 	if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) {
795 		invalidate_batched_entropy();
796 		numa_crng_init();
797 		crng_init = 2;
798 		pr_notice("crng init done (trusting CPU's manufacturer)\n");
799 	}
800 	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
801 }
802 
803 static void crng_finalize_init(struct crng_state *crng)
804 {
805 	if (crng != &primary_crng || crng_init >= 2)
806 		return;
807 	if (!system_wq) {
808 		/* We can't call numa_crng_init until we have workqueues,
809 		 * so mark this for processing later. */
810 		crng_need_final_init = true;
811 		return;
812 	}
813 
814 	invalidate_batched_entropy();
815 	numa_crng_init();
816 	crng_init = 2;
817 	process_random_ready_list();
818 	wake_up_interruptible(&crng_init_wait);
819 	kill_fasync(&fasync, SIGIO, POLL_IN);
820 	pr_notice("crng init done\n");
821 	if (unseeded_warning.missed) {
822 		pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
823 			  unseeded_warning.missed);
824 		unseeded_warning.missed = 0;
825 	}
826 	if (urandom_warning.missed) {
827 		pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
828 			  urandom_warning.missed);
829 		urandom_warning.missed = 0;
830 	}
831 }
832 
833 static void do_numa_crng_init(struct work_struct *work)
834 {
835 	int i;
836 	struct crng_state *crng;
837 	struct crng_state **pool;
838 
839 	pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL | __GFP_NOFAIL);
840 	for_each_online_node(i) {
841 		crng = kmalloc_node(sizeof(struct crng_state),
842 				    GFP_KERNEL | __GFP_NOFAIL, i);
843 		spin_lock_init(&crng->lock);
844 		crng_initialize_secondary(crng);
845 		pool[i] = crng;
846 	}
847 	/* pairs with READ_ONCE() in select_crng() */
848 	if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) {
849 		for_each_node(i)
850 			kfree(pool[i]);
851 		kfree(pool);
852 	}
853 }
854 
855 static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init);
856 
857 static void numa_crng_init(void)
858 {
859 	if (IS_ENABLED(CONFIG_NUMA))
860 		schedule_work(&numa_crng_init_work);
861 }
862 
863 static struct crng_state *select_crng(void)
864 {
865 	if (IS_ENABLED(CONFIG_NUMA)) {
866 		struct crng_state **pool;
867 		int nid = numa_node_id();
868 
869 		/* pairs with cmpxchg_release() in do_numa_crng_init() */
870 		pool = READ_ONCE(crng_node_pool);
871 		if (pool && pool[nid])
872 			return pool[nid];
873 	}
874 
875 	return &primary_crng;
876 }
877 
878 /*
879  * crng_fast_load() can be called by code in the interrupt service
880  * path.  So we can't afford to dilly-dally. Returns the number of
881  * bytes processed from cp.
882  */
883 static size_t crng_fast_load(const u8 *cp, size_t len)
884 {
885 	unsigned long flags;
886 	u8 *p;
887 	size_t ret = 0;
888 
889 	if (!spin_trylock_irqsave(&primary_crng.lock, flags))
890 		return 0;
891 	if (crng_init != 0) {
892 		spin_unlock_irqrestore(&primary_crng.lock, flags);
893 		return 0;
894 	}
895 	p = (u8 *)&primary_crng.state[4];
896 	while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
897 		p[crng_init_cnt % CHACHA_KEY_SIZE] ^= *cp;
898 		cp++; crng_init_cnt++; len--; ret++;
899 	}
900 	spin_unlock_irqrestore(&primary_crng.lock, flags);
901 	if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
902 		invalidate_batched_entropy();
903 		crng_init = 1;
904 		pr_notice("fast init done\n");
905 	}
906 	return ret;
907 }
908 
909 /*
910  * crng_slow_load() is called by add_device_randomness, which has two
911  * attributes.  (1) We can't trust the buffer passed to it is
912  * guaranteed to be unpredictable (so it might not have any entropy at
913  * all), and (2) it doesn't have the performance constraints of
914  * crng_fast_load().
915  *
916  * So we do something more comprehensive which is guaranteed to touch
917  * all of the primary_crng's state, and which uses a LFSR with a
918  * period of 255 as part of the mixing algorithm.  Finally, we do
919  * *not* advance crng_init_cnt since buffer we may get may be something
920  * like a fixed DMI table (for example), which might very well be
921  * unique to the machine, but is otherwise unvarying.
922  */
923 static int crng_slow_load(const u8 *cp, size_t len)
924 {
925 	unsigned long flags;
926 	static u8 lfsr = 1;
927 	u8 tmp;
928 	unsigned int i, max = CHACHA_KEY_SIZE;
929 	const u8 *src_buf = cp;
930 	u8 *dest_buf = (u8 *)&primary_crng.state[4];
931 
932 	if (!spin_trylock_irqsave(&primary_crng.lock, flags))
933 		return 0;
934 	if (crng_init != 0) {
935 		spin_unlock_irqrestore(&primary_crng.lock, flags);
936 		return 0;
937 	}
938 	if (len > max)
939 		max = len;
940 
941 	for (i = 0; i < max; i++) {
942 		tmp = lfsr;
943 		lfsr >>= 1;
944 		if (tmp & 1)
945 			lfsr ^= 0xE1;
946 		tmp = dest_buf[i % CHACHA_KEY_SIZE];
947 		dest_buf[i % CHACHA_KEY_SIZE] ^= src_buf[i % len] ^ lfsr;
948 		lfsr += (tmp << 3) | (tmp >> 5);
949 	}
950 	spin_unlock_irqrestore(&primary_crng.lock, flags);
951 	return 1;
952 }
953 
954 static void crng_reseed(struct crng_state *crng, bool use_input_pool)
955 {
956 	unsigned long flags;
957 	int i, num;
958 	union {
959 		u8 block[CHACHA_BLOCK_SIZE];
960 		u32 key[8];
961 	} buf;
962 
963 	if (use_input_pool) {
964 		num = extract_entropy(&buf, 32, 16);
965 		if (num == 0)
966 			return;
967 	} else {
968 		_extract_crng(&primary_crng, buf.block);
969 		_crng_backtrack_protect(&primary_crng, buf.block,
970 					CHACHA_KEY_SIZE);
971 	}
972 	spin_lock_irqsave(&crng->lock, flags);
973 	for (i = 0; i < 8; i++) {
974 		unsigned long rv;
975 		if (!arch_get_random_seed_long(&rv) &&
976 		    !arch_get_random_long(&rv))
977 			rv = random_get_entropy();
978 		crng->state[i + 4] ^= buf.key[i] ^ rv;
979 	}
980 	memzero_explicit(&buf, sizeof(buf));
981 	WRITE_ONCE(crng->init_time, jiffies);
982 	spin_unlock_irqrestore(&crng->lock, flags);
983 	crng_finalize_init(crng);
984 }
985 
986 static void _extract_crng(struct crng_state *crng, u8 out[CHACHA_BLOCK_SIZE])
987 {
988 	unsigned long flags, init_time;
989 
990 	if (crng_ready()) {
991 		init_time = READ_ONCE(crng->init_time);
992 		if (time_after(READ_ONCE(crng_global_init_time), init_time) ||
993 		    time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
994 			crng_reseed(crng, crng == &primary_crng);
995 	}
996 	spin_lock_irqsave(&crng->lock, flags);
997 	chacha20_block(&crng->state[0], out);
998 	if (crng->state[12] == 0)
999 		crng->state[13]++;
1000 	spin_unlock_irqrestore(&crng->lock, flags);
1001 }
1002 
1003 static void extract_crng(u8 out[CHACHA_BLOCK_SIZE])
1004 {
1005 	_extract_crng(select_crng(), out);
1006 }
1007 
1008 /*
1009  * Use the leftover bytes from the CRNG block output (if there is
1010  * enough) to mutate the CRNG key to provide backtracking protection.
1011  */
1012 static void _crng_backtrack_protect(struct crng_state *crng,
1013 				    u8 tmp[CHACHA_BLOCK_SIZE], int used)
1014 {
1015 	unsigned long flags;
1016 	u32 *s, *d;
1017 	int i;
1018 
1019 	used = round_up(used, sizeof(u32));
1020 	if (used + CHACHA_KEY_SIZE > CHACHA_BLOCK_SIZE) {
1021 		extract_crng(tmp);
1022 		used = 0;
1023 	}
1024 	spin_lock_irqsave(&crng->lock, flags);
1025 	s = (u32 *)&tmp[used];
1026 	d = &crng->state[4];
1027 	for (i = 0; i < 8; i++)
1028 		*d++ ^= *s++;
1029 	spin_unlock_irqrestore(&crng->lock, flags);
1030 }
1031 
1032 static void crng_backtrack_protect(u8 tmp[CHACHA_BLOCK_SIZE], int used)
1033 {
1034 	_crng_backtrack_protect(select_crng(), tmp, used);
1035 }
1036 
1037 static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
1038 {
1039 	ssize_t ret = 0, i = CHACHA_BLOCK_SIZE;
1040 	u8 tmp[CHACHA_BLOCK_SIZE] __aligned(4);
1041 	int large_request = (nbytes > 256);
1042 
1043 	while (nbytes) {
1044 		if (large_request && need_resched()) {
1045 			if (signal_pending(current)) {
1046 				if (ret == 0)
1047 					ret = -ERESTARTSYS;
1048 				break;
1049 			}
1050 			schedule();
1051 		}
1052 
1053 		extract_crng(tmp);
1054 		i = min_t(int, nbytes, CHACHA_BLOCK_SIZE);
1055 		if (copy_to_user(buf, tmp, i)) {
1056 			ret = -EFAULT;
1057 			break;
1058 		}
1059 
1060 		nbytes -= i;
1061 		buf += i;
1062 		ret += i;
1063 	}
1064 	crng_backtrack_protect(tmp, i);
1065 
1066 	/* Wipe data just written to memory */
1067 	memzero_explicit(tmp, sizeof(tmp));
1068 
1069 	return ret;
1070 }
1071 
1072 /*********************************************************************
1073  *
1074  * Entropy input management
1075  *
1076  *********************************************************************/
1077 
1078 /* There is one of these per entropy source */
1079 struct timer_rand_state {
1080 	cycles_t last_time;
1081 	long last_delta, last_delta2;
1082 };
1083 
1084 #define INIT_TIMER_RAND_STATE { INITIAL_JIFFIES, };
1085 
1086 /*
1087  * Add device- or boot-specific data to the input pool to help
1088  * initialize it.
1089  *
1090  * None of this adds any entropy; it is meant to avoid the problem of
1091  * the entropy pool having similar initial state across largely
1092  * identical devices.
1093  */
1094 void add_device_randomness(const void *buf, unsigned int size)
1095 {
1096 	unsigned long time = random_get_entropy() ^ jiffies;
1097 	unsigned long flags;
1098 
1099 	if (!crng_ready() && size)
1100 		crng_slow_load(buf, size);
1101 
1102 	trace_add_device_randomness(size, _RET_IP_);
1103 	spin_lock_irqsave(&input_pool.lock, flags);
1104 	_mix_pool_bytes(buf, size);
1105 	_mix_pool_bytes(&time, sizeof(time));
1106 	spin_unlock_irqrestore(&input_pool.lock, flags);
1107 }
1108 EXPORT_SYMBOL(add_device_randomness);
1109 
1110 static struct timer_rand_state input_timer_state = INIT_TIMER_RAND_STATE;
1111 
1112 /*
1113  * This function adds entropy to the entropy "pool" by using timing
1114  * delays.  It uses the timer_rand_state structure to make an estimate
1115  * of how many bits of entropy this call has added to the pool.
1116  *
1117  * The number "num" is also added to the pool - it should somehow describe
1118  * the type of event which just happened.  This is currently 0-255 for
1119  * keyboard scan codes, and 256 upwards for interrupts.
1120  *
1121  */
1122 static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
1123 {
1124 	struct {
1125 		long jiffies;
1126 		unsigned int cycles;
1127 		unsigned int num;
1128 	} sample;
1129 	long delta, delta2, delta3;
1130 
1131 	sample.jiffies = jiffies;
1132 	sample.cycles = random_get_entropy();
1133 	sample.num = num;
1134 	mix_pool_bytes(&sample, sizeof(sample));
1135 
1136 	/*
1137 	 * Calculate number of bits of randomness we probably added.
1138 	 * We take into account the first, second and third-order deltas
1139 	 * in order to make our estimate.
1140 	 */
1141 	delta = sample.jiffies - READ_ONCE(state->last_time);
1142 	WRITE_ONCE(state->last_time, sample.jiffies);
1143 
1144 	delta2 = delta - READ_ONCE(state->last_delta);
1145 	WRITE_ONCE(state->last_delta, delta);
1146 
1147 	delta3 = delta2 - READ_ONCE(state->last_delta2);
1148 	WRITE_ONCE(state->last_delta2, delta2);
1149 
1150 	if (delta < 0)
1151 		delta = -delta;
1152 	if (delta2 < 0)
1153 		delta2 = -delta2;
1154 	if (delta3 < 0)
1155 		delta3 = -delta3;
1156 	if (delta > delta2)
1157 		delta = delta2;
1158 	if (delta > delta3)
1159 		delta = delta3;
1160 
1161 	/*
1162 	 * delta is now minimum absolute delta.
1163 	 * Round down by 1 bit on general principles,
1164 	 * and limit entropy estimate to 12 bits.
1165 	 */
1166 	credit_entropy_bits(min_t(int, fls(delta >> 1), 11));
1167 }
1168 
1169 void add_input_randomness(unsigned int type, unsigned int code,
1170 			  unsigned int value)
1171 {
1172 	static unsigned char last_value;
1173 
1174 	/* ignore autorepeat and the like */
1175 	if (value == last_value)
1176 		return;
1177 
1178 	last_value = value;
1179 	add_timer_randomness(&input_timer_state,
1180 			     (type << 4) ^ code ^ (code >> 4) ^ value);
1181 	trace_add_input_randomness(POOL_ENTROPY_BITS());
1182 }
1183 EXPORT_SYMBOL_GPL(add_input_randomness);
1184 
1185 static DEFINE_PER_CPU(struct fast_pool, irq_randomness);
1186 
1187 #ifdef ADD_INTERRUPT_BENCH
1188 static unsigned long avg_cycles, avg_deviation;
1189 
1190 #define AVG_SHIFT 8 /* Exponential average factor k=1/256 */
1191 #define FIXED_1_2 (1 << (AVG_SHIFT - 1))
1192 
1193 static void add_interrupt_bench(cycles_t start)
1194 {
1195 	long delta = random_get_entropy() - start;
1196 
1197 	/* Use a weighted moving average */
1198 	delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT);
1199 	avg_cycles += delta;
1200 	/* And average deviation */
1201 	delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT);
1202 	avg_deviation += delta;
1203 }
1204 #else
1205 #define add_interrupt_bench(x)
1206 #endif
1207 
1208 static u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
1209 {
1210 	u32 *ptr = (u32 *)regs;
1211 	unsigned int idx;
1212 
1213 	if (regs == NULL)
1214 		return 0;
1215 	idx = READ_ONCE(f->reg_idx);
1216 	if (idx >= sizeof(struct pt_regs) / sizeof(u32))
1217 		idx = 0;
1218 	ptr += idx++;
1219 	WRITE_ONCE(f->reg_idx, idx);
1220 	return *ptr;
1221 }
1222 
1223 void add_interrupt_randomness(int irq)
1224 {
1225 	struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
1226 	struct pt_regs *regs = get_irq_regs();
1227 	unsigned long now = jiffies;
1228 	cycles_t cycles = random_get_entropy();
1229 	u32 c_high, j_high;
1230 	u64 ip;
1231 
1232 	if (cycles == 0)
1233 		cycles = get_reg(fast_pool, regs);
1234 	c_high = (sizeof(cycles) > 4) ? cycles >> 32 : 0;
1235 	j_high = (sizeof(now) > 4) ? now >> 32 : 0;
1236 	fast_pool->pool[0] ^= cycles ^ j_high ^ irq;
1237 	fast_pool->pool[1] ^= now ^ c_high;
1238 	ip = regs ? instruction_pointer(regs) : _RET_IP_;
1239 	fast_pool->pool[2] ^= ip;
1240 	fast_pool->pool[3] ^=
1241 		(sizeof(ip) > 4) ? ip >> 32 : get_reg(fast_pool, regs);
1242 
1243 	fast_mix(fast_pool);
1244 	add_interrupt_bench(cycles);
1245 
1246 	if (unlikely(crng_init == 0)) {
1247 		if ((fast_pool->count >= 64) &&
1248 		    crng_fast_load((u8 *)fast_pool->pool, sizeof(fast_pool->pool)) > 0) {
1249 			fast_pool->count = 0;
1250 			fast_pool->last = now;
1251 		}
1252 		return;
1253 	}
1254 
1255 	if ((fast_pool->count < 64) && !time_after(now, fast_pool->last + HZ))
1256 		return;
1257 
1258 	if (!spin_trylock(&input_pool.lock))
1259 		return;
1260 
1261 	fast_pool->last = now;
1262 	__mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
1263 	spin_unlock(&input_pool.lock);
1264 
1265 	fast_pool->count = 0;
1266 
1267 	/* award one bit for the contents of the fast pool */
1268 	credit_entropy_bits(1);
1269 }
1270 EXPORT_SYMBOL_GPL(add_interrupt_randomness);
1271 
1272 #ifdef CONFIG_BLOCK
1273 void add_disk_randomness(struct gendisk *disk)
1274 {
1275 	if (!disk || !disk->random)
1276 		return;
1277 	/* first major is 1, so we get >= 0x200 here */
1278 	add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
1279 	trace_add_disk_randomness(disk_devt(disk), POOL_ENTROPY_BITS());
1280 }
1281 EXPORT_SYMBOL_GPL(add_disk_randomness);
1282 #endif
1283 
1284 /*********************************************************************
1285  *
1286  * Entropy extraction routines
1287  *
1288  *********************************************************************/
1289 
1290 /*
1291  * This function decides how many bytes to actually take from the
1292  * given pool, and also debits the entropy count accordingly.
1293  */
1294 static size_t account(size_t nbytes, int min)
1295 {
1296 	int entropy_count, orig;
1297 	size_t ibytes, nfrac;
1298 
1299 	BUG_ON(input_pool.entropy_count > POOL_FRACBITS);
1300 
1301 	/* Can we pull enough? */
1302 retry:
1303 	entropy_count = orig = READ_ONCE(input_pool.entropy_count);
1304 	if (WARN_ON(entropy_count < 0)) {
1305 		pr_warn("negative entropy count: count %d\n", entropy_count);
1306 		entropy_count = 0;
1307 	}
1308 
1309 	/* never pull more than available */
1310 	ibytes = min_t(size_t, nbytes, entropy_count >> (POOL_ENTROPY_SHIFT + 3));
1311 	if (ibytes < min)
1312 		ibytes = 0;
1313 	nfrac = ibytes << (POOL_ENTROPY_SHIFT + 3);
1314 	if ((size_t)entropy_count > nfrac)
1315 		entropy_count -= nfrac;
1316 	else
1317 		entropy_count = 0;
1318 
1319 	if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig)
1320 		goto retry;
1321 
1322 	trace_debit_entropy(8 * ibytes);
1323 	if (ibytes && POOL_ENTROPY_BITS() < random_write_wakeup_bits) {
1324 		wake_up_interruptible(&random_write_wait);
1325 		kill_fasync(&fasync, SIGIO, POLL_OUT);
1326 	}
1327 
1328 	return ibytes;
1329 }
1330 
1331 /*
1332  * This function does the actual extraction for extract_entropy.
1333  *
1334  * Note: we assume that .poolwords is a multiple of 16 words.
1335  */
1336 static void extract_buf(u8 *out)
1337 {
1338 	struct blake2s_state state __aligned(__alignof__(unsigned long));
1339 	u8 hash[BLAKE2S_HASH_SIZE];
1340 	unsigned long *salt;
1341 	unsigned long flags;
1342 
1343 	blake2s_init(&state, sizeof(hash));
1344 
1345 	/*
1346 	 * If we have an architectural hardware random number
1347 	 * generator, use it for BLAKE2's salt & personal fields.
1348 	 */
1349 	for (salt = (unsigned long *)&state.h[4];
1350 	     salt < (unsigned long *)&state.h[8]; ++salt) {
1351 		unsigned long v;
1352 		if (!arch_get_random_long(&v))
1353 			break;
1354 		*salt ^= v;
1355 	}
1356 
1357 	/* Generate a hash across the pool */
1358 	spin_lock_irqsave(&input_pool.lock, flags);
1359 	blake2s_update(&state, (const u8 *)input_pool_data, POOL_BYTES);
1360 	blake2s_final(&state, hash); /* final zeros out state */
1361 
1362 	/*
1363 	 * We mix the hash back into the pool to prevent backtracking
1364 	 * attacks (where the attacker knows the state of the pool
1365 	 * plus the current outputs, and attempts to find previous
1366 	 * outputs), unless the hash function can be inverted. By
1367 	 * mixing at least a hash worth of hash data back, we make
1368 	 * brute-forcing the feedback as hard as brute-forcing the
1369 	 * hash.
1370 	 */
1371 	__mix_pool_bytes(hash, sizeof(hash));
1372 	spin_unlock_irqrestore(&input_pool.lock, flags);
1373 
1374 	/* Note that EXTRACT_SIZE is half of hash size here, because above
1375 	 * we've dumped the full length back into mixer. By reducing the
1376 	 * amount that we emit, we retain a level of forward secrecy.
1377 	 */
1378 	memcpy(out, hash, EXTRACT_SIZE);
1379 	memzero_explicit(hash, sizeof(hash));
1380 }
1381 
1382 static ssize_t _extract_entropy(void *buf, size_t nbytes)
1383 {
1384 	ssize_t ret = 0, i;
1385 	u8 tmp[EXTRACT_SIZE];
1386 
1387 	while (nbytes) {
1388 		extract_buf(tmp);
1389 		i = min_t(int, nbytes, EXTRACT_SIZE);
1390 		memcpy(buf, tmp, i);
1391 		nbytes -= i;
1392 		buf += i;
1393 		ret += i;
1394 	}
1395 
1396 	/* Wipe data just returned from memory */
1397 	memzero_explicit(tmp, sizeof(tmp));
1398 
1399 	return ret;
1400 }
1401 
1402 /*
1403  * This function extracts randomness from the "entropy pool", and
1404  * returns it in a buffer.
1405  *
1406  * The min parameter specifies the minimum amount we can pull before
1407  * failing to avoid races that defeat catastrophic reseeding.
1408  */
1409 static ssize_t extract_entropy(void *buf, size_t nbytes, int min)
1410 {
1411 	trace_extract_entropy(nbytes, POOL_ENTROPY_BITS(), _RET_IP_);
1412 	nbytes = account(nbytes, min);
1413 	return _extract_entropy(buf, nbytes);
1414 }
1415 
1416 #define warn_unseeded_randomness(previous) \
1417 	_warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
1418 
1419 static void _warn_unseeded_randomness(const char *func_name, void *caller, void **previous)
1420 {
1421 #ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
1422 	const bool print_once = false;
1423 #else
1424 	static bool print_once __read_mostly;
1425 #endif
1426 
1427 	if (print_once || crng_ready() ||
1428 	    (previous && (caller == READ_ONCE(*previous))))
1429 		return;
1430 	WRITE_ONCE(*previous, caller);
1431 #ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM
1432 	print_once = true;
1433 #endif
1434 	if (__ratelimit(&unseeded_warning))
1435 		printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
1436 				func_name, caller, crng_init);
1437 }
1438 
1439 /*
1440  * This function is the exported kernel interface.  It returns some
1441  * number of good random numbers, suitable for key generation, seeding
1442  * TCP sequence numbers, etc.  It does not rely on the hardware random
1443  * number generator.  For random bytes direct from the hardware RNG
1444  * (when available), use get_random_bytes_arch(). In order to ensure
1445  * that the randomness provided by this function is okay, the function
1446  * wait_for_random_bytes() should be called and return 0 at least once
1447  * at any point prior.
1448  */
1449 static void _get_random_bytes(void *buf, int nbytes)
1450 {
1451 	u8 tmp[CHACHA_BLOCK_SIZE] __aligned(4);
1452 
1453 	trace_get_random_bytes(nbytes, _RET_IP_);
1454 
1455 	while (nbytes >= CHACHA_BLOCK_SIZE) {
1456 		extract_crng(buf);
1457 		buf += CHACHA_BLOCK_SIZE;
1458 		nbytes -= CHACHA_BLOCK_SIZE;
1459 	}
1460 
1461 	if (nbytes > 0) {
1462 		extract_crng(tmp);
1463 		memcpy(buf, tmp, nbytes);
1464 		crng_backtrack_protect(tmp, nbytes);
1465 	} else
1466 		crng_backtrack_protect(tmp, CHACHA_BLOCK_SIZE);
1467 	memzero_explicit(tmp, sizeof(tmp));
1468 }
1469 
1470 void get_random_bytes(void *buf, int nbytes)
1471 {
1472 	static void *previous;
1473 
1474 	warn_unseeded_randomness(&previous);
1475 	_get_random_bytes(buf, nbytes);
1476 }
1477 EXPORT_SYMBOL(get_random_bytes);
1478 
1479 /*
1480  * Each time the timer fires, we expect that we got an unpredictable
1481  * jump in the cycle counter. Even if the timer is running on another
1482  * CPU, the timer activity will be touching the stack of the CPU that is
1483  * generating entropy..
1484  *
1485  * Note that we don't re-arm the timer in the timer itself - we are
1486  * happy to be scheduled away, since that just makes the load more
1487  * complex, but we do not want the timer to keep ticking unless the
1488  * entropy loop is running.
1489  *
1490  * So the re-arming always happens in the entropy loop itself.
1491  */
1492 static void entropy_timer(struct timer_list *t)
1493 {
1494 	credit_entropy_bits(1);
1495 }
1496 
1497 /*
1498  * If we have an actual cycle counter, see if we can
1499  * generate enough entropy with timing noise
1500  */
1501 static void try_to_generate_entropy(void)
1502 {
1503 	struct {
1504 		unsigned long now;
1505 		struct timer_list timer;
1506 	} stack;
1507 
1508 	stack.now = random_get_entropy();
1509 
1510 	/* Slow counter - or none. Don't even bother */
1511 	if (stack.now == random_get_entropy())
1512 		return;
1513 
1514 	timer_setup_on_stack(&stack.timer, entropy_timer, 0);
1515 	while (!crng_ready()) {
1516 		if (!timer_pending(&stack.timer))
1517 			mod_timer(&stack.timer, jiffies + 1);
1518 		mix_pool_bytes(&stack.now, sizeof(stack.now));
1519 		schedule();
1520 		stack.now = random_get_entropy();
1521 	}
1522 
1523 	del_timer_sync(&stack.timer);
1524 	destroy_timer_on_stack(&stack.timer);
1525 	mix_pool_bytes(&stack.now, sizeof(stack.now));
1526 }
1527 
1528 /*
1529  * Wait for the urandom pool to be seeded and thus guaranteed to supply
1530  * cryptographically secure random numbers. This applies to: the /dev/urandom
1531  * device, the get_random_bytes function, and the get_random_{u32,u64,int,long}
1532  * family of functions. Using any of these functions without first calling
1533  * this function forfeits the guarantee of security.
1534  *
1535  * Returns: 0 if the urandom pool has been seeded.
1536  *          -ERESTARTSYS if the function was interrupted by a signal.
1537  */
1538 int wait_for_random_bytes(void)
1539 {
1540 	if (likely(crng_ready()))
1541 		return 0;
1542 
1543 	do {
1544 		int ret;
1545 		ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
1546 		if (ret)
1547 			return ret > 0 ? 0 : ret;
1548 
1549 		try_to_generate_entropy();
1550 	} while (!crng_ready());
1551 
1552 	return 0;
1553 }
1554 EXPORT_SYMBOL(wait_for_random_bytes);
1555 
1556 /*
1557  * Returns whether or not the urandom pool has been seeded and thus guaranteed
1558  * to supply cryptographically secure random numbers. This applies to: the
1559  * /dev/urandom device, the get_random_bytes function, and the get_random_{u32,
1560  * ,u64,int,long} family of functions.
1561  *
1562  * Returns: true if the urandom pool has been seeded.
1563  *          false if the urandom pool has not been seeded.
1564  */
1565 bool rng_is_initialized(void)
1566 {
1567 	return crng_ready();
1568 }
1569 EXPORT_SYMBOL(rng_is_initialized);
1570 
1571 /*
1572  * Add a callback function that will be invoked when the nonblocking
1573  * pool is initialised.
1574  *
1575  * returns: 0 if callback is successfully added
1576  *	    -EALREADY if pool is already initialised (callback not called)
1577  *	    -ENOENT if module for callback is not alive
1578  */
1579 int add_random_ready_callback(struct random_ready_callback *rdy)
1580 {
1581 	struct module *owner;
1582 	unsigned long flags;
1583 	int err = -EALREADY;
1584 
1585 	if (crng_ready())
1586 		return err;
1587 
1588 	owner = rdy->owner;
1589 	if (!try_module_get(owner))
1590 		return -ENOENT;
1591 
1592 	spin_lock_irqsave(&random_ready_list_lock, flags);
1593 	if (crng_ready())
1594 		goto out;
1595 
1596 	owner = NULL;
1597 
1598 	list_add(&rdy->list, &random_ready_list);
1599 	err = 0;
1600 
1601 out:
1602 	spin_unlock_irqrestore(&random_ready_list_lock, flags);
1603 
1604 	module_put(owner);
1605 
1606 	return err;
1607 }
1608 EXPORT_SYMBOL(add_random_ready_callback);
1609 
1610 /*
1611  * Delete a previously registered readiness callback function.
1612  */
1613 void del_random_ready_callback(struct random_ready_callback *rdy)
1614 {
1615 	unsigned long flags;
1616 	struct module *owner = NULL;
1617 
1618 	spin_lock_irqsave(&random_ready_list_lock, flags);
1619 	if (!list_empty(&rdy->list)) {
1620 		list_del_init(&rdy->list);
1621 		owner = rdy->owner;
1622 	}
1623 	spin_unlock_irqrestore(&random_ready_list_lock, flags);
1624 
1625 	module_put(owner);
1626 }
1627 EXPORT_SYMBOL(del_random_ready_callback);
1628 
1629 /*
1630  * This function will use the architecture-specific hardware random
1631  * number generator if it is available.  The arch-specific hw RNG will
1632  * almost certainly be faster than what we can do in software, but it
1633  * is impossible to verify that it is implemented securely (as
1634  * opposed, to, say, the AES encryption of a sequence number using a
1635  * key known by the NSA).  So it's useful if we need the speed, but
1636  * only if we're willing to trust the hardware manufacturer not to
1637  * have put in a back door.
1638  *
1639  * Return number of bytes filled in.
1640  */
1641 int __must_check get_random_bytes_arch(void *buf, int nbytes)
1642 {
1643 	int left = nbytes;
1644 	u8 *p = buf;
1645 
1646 	trace_get_random_bytes_arch(left, _RET_IP_);
1647 	while (left) {
1648 		unsigned long v;
1649 		int chunk = min_t(int, left, sizeof(unsigned long));
1650 
1651 		if (!arch_get_random_long(&v))
1652 			break;
1653 
1654 		memcpy(p, &v, chunk);
1655 		p += chunk;
1656 		left -= chunk;
1657 	}
1658 
1659 	return nbytes - left;
1660 }
1661 EXPORT_SYMBOL(get_random_bytes_arch);
1662 
1663 /*
1664  * init_std_data - initialize pool with system data
1665  *
1666  * This function clears the pool's entropy count and mixes some system
1667  * data into the pool to prepare it for use. The pool is not cleared
1668  * as that can only decrease the entropy in the pool.
1669  */
1670 static void __init init_std_data(void)
1671 {
1672 	int i;
1673 	ktime_t now = ktime_get_real();
1674 	unsigned long rv;
1675 
1676 	mix_pool_bytes(&now, sizeof(now));
1677 	for (i = POOL_BYTES; i > 0; i -= sizeof(rv)) {
1678 		if (!arch_get_random_seed_long(&rv) &&
1679 		    !arch_get_random_long(&rv))
1680 			rv = random_get_entropy();
1681 		mix_pool_bytes(&rv, sizeof(rv));
1682 	}
1683 	mix_pool_bytes(utsname(), sizeof(*(utsname())));
1684 }
1685 
1686 /*
1687  * Note that setup_arch() may call add_device_randomness()
1688  * long before we get here. This allows seeding of the pools
1689  * with some platform dependent data very early in the boot
1690  * process. But it limits our options here. We must use
1691  * statically allocated structures that already have all
1692  * initializations complete at compile time. We should also
1693  * take care not to overwrite the precious per platform data
1694  * we were given.
1695  */
1696 int __init rand_initialize(void)
1697 {
1698 	init_std_data();
1699 	if (crng_need_final_init)
1700 		crng_finalize_init(&primary_crng);
1701 	crng_initialize_primary(&primary_crng);
1702 	crng_global_init_time = jiffies;
1703 	if (ratelimit_disable) {
1704 		urandom_warning.interval = 0;
1705 		unseeded_warning.interval = 0;
1706 	}
1707 	return 0;
1708 }
1709 
1710 #ifdef CONFIG_BLOCK
1711 void rand_initialize_disk(struct gendisk *disk)
1712 {
1713 	struct timer_rand_state *state;
1714 
1715 	/*
1716 	 * If kzalloc returns null, we just won't use that entropy
1717 	 * source.
1718 	 */
1719 	state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
1720 	if (state) {
1721 		state->last_time = INITIAL_JIFFIES;
1722 		disk->random = state;
1723 	}
1724 }
1725 #endif
1726 
1727 static ssize_t urandom_read_nowarn(struct file *file, char __user *buf,
1728 				   size_t nbytes, loff_t *ppos)
1729 {
1730 	int ret;
1731 
1732 	nbytes = min_t(size_t, nbytes, INT_MAX >> (POOL_ENTROPY_SHIFT + 3));
1733 	ret = extract_crng_user(buf, nbytes);
1734 	trace_urandom_read(8 * nbytes, 0, POOL_ENTROPY_BITS());
1735 	return ret;
1736 }
1737 
1738 static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
1739 			    loff_t *ppos)
1740 {
1741 	static int maxwarn = 10;
1742 
1743 	if (!crng_ready() && maxwarn > 0) {
1744 		maxwarn--;
1745 		if (__ratelimit(&urandom_warning))
1746 			pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
1747 				  current->comm, nbytes);
1748 	}
1749 
1750 	return urandom_read_nowarn(file, buf, nbytes, ppos);
1751 }
1752 
1753 static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes,
1754 			   loff_t *ppos)
1755 {
1756 	int ret;
1757 
1758 	ret = wait_for_random_bytes();
1759 	if (ret != 0)
1760 		return ret;
1761 	return urandom_read_nowarn(file, buf, nbytes, ppos);
1762 }
1763 
1764 static __poll_t random_poll(struct file *file, poll_table *wait)
1765 {
1766 	__poll_t mask;
1767 
1768 	poll_wait(file, &crng_init_wait, wait);
1769 	poll_wait(file, &random_write_wait, wait);
1770 	mask = 0;
1771 	if (crng_ready())
1772 		mask |= EPOLLIN | EPOLLRDNORM;
1773 	if (POOL_ENTROPY_BITS() < random_write_wakeup_bits)
1774 		mask |= EPOLLOUT | EPOLLWRNORM;
1775 	return mask;
1776 }
1777 
1778 static int write_pool(const char __user *buffer, size_t count)
1779 {
1780 	size_t bytes;
1781 	u32 t, buf[16];
1782 	const char __user *p = buffer;
1783 
1784 	while (count > 0) {
1785 		int b, i = 0;
1786 
1787 		bytes = min(count, sizeof(buf));
1788 		if (copy_from_user(&buf, p, bytes))
1789 			return -EFAULT;
1790 
1791 		for (b = bytes; b > 0; b -= sizeof(u32), i++) {
1792 			if (!arch_get_random_int(&t))
1793 				break;
1794 			buf[i] ^= t;
1795 		}
1796 
1797 		count -= bytes;
1798 		p += bytes;
1799 
1800 		mix_pool_bytes(buf, bytes);
1801 		cond_resched();
1802 	}
1803 
1804 	return 0;
1805 }
1806 
1807 static ssize_t random_write(struct file *file, const char __user *buffer,
1808 			    size_t count, loff_t *ppos)
1809 {
1810 	size_t ret;
1811 
1812 	ret = write_pool(buffer, count);
1813 	if (ret)
1814 		return ret;
1815 
1816 	return (ssize_t)count;
1817 }
1818 
1819 static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
1820 {
1821 	int size, ent_count;
1822 	int __user *p = (int __user *)arg;
1823 	int retval;
1824 
1825 	switch (cmd) {
1826 	case RNDGETENTCNT:
1827 		/* inherently racy, no point locking */
1828 		ent_count = POOL_ENTROPY_BITS();
1829 		if (put_user(ent_count, p))
1830 			return -EFAULT;
1831 		return 0;
1832 	case RNDADDTOENTCNT:
1833 		if (!capable(CAP_SYS_ADMIN))
1834 			return -EPERM;
1835 		if (get_user(ent_count, p))
1836 			return -EFAULT;
1837 		return credit_entropy_bits_safe(ent_count);
1838 	case RNDADDENTROPY:
1839 		if (!capable(CAP_SYS_ADMIN))
1840 			return -EPERM;
1841 		if (get_user(ent_count, p++))
1842 			return -EFAULT;
1843 		if (ent_count < 0)
1844 			return -EINVAL;
1845 		if (get_user(size, p++))
1846 			return -EFAULT;
1847 		retval = write_pool((const char __user *)p, size);
1848 		if (retval < 0)
1849 			return retval;
1850 		return credit_entropy_bits_safe(ent_count);
1851 	case RNDZAPENTCNT:
1852 	case RNDCLEARPOOL:
1853 		/*
1854 		 * Clear the entropy pool counters. We no longer clear
1855 		 * the entropy pool, as that's silly.
1856 		 */
1857 		if (!capable(CAP_SYS_ADMIN))
1858 			return -EPERM;
1859 		input_pool.entropy_count = 0;
1860 		return 0;
1861 	case RNDRESEEDCRNG:
1862 		if (!capable(CAP_SYS_ADMIN))
1863 			return -EPERM;
1864 		if (crng_init < 2)
1865 			return -ENODATA;
1866 		crng_reseed(&primary_crng, true);
1867 		WRITE_ONCE(crng_global_init_time, jiffies - 1);
1868 		return 0;
1869 	default:
1870 		return -EINVAL;
1871 	}
1872 }
1873 
1874 static int random_fasync(int fd, struct file *filp, int on)
1875 {
1876 	return fasync_helper(fd, filp, on, &fasync);
1877 }
1878 
1879 const struct file_operations random_fops = {
1880 	.read = random_read,
1881 	.write = random_write,
1882 	.poll = random_poll,
1883 	.unlocked_ioctl = random_ioctl,
1884 	.compat_ioctl = compat_ptr_ioctl,
1885 	.fasync = random_fasync,
1886 	.llseek = noop_llseek,
1887 };
1888 
1889 const struct file_operations urandom_fops = {
1890 	.read = urandom_read,
1891 	.write = random_write,
1892 	.unlocked_ioctl = random_ioctl,
1893 	.compat_ioctl = compat_ptr_ioctl,
1894 	.fasync = random_fasync,
1895 	.llseek = noop_llseek,
1896 };
1897 
1898 SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int,
1899 		flags)
1900 {
1901 	int ret;
1902 
1903 	if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
1904 		return -EINVAL;
1905 
1906 	/*
1907 	 * Requesting insecure and blocking randomness at the same time makes
1908 	 * no sense.
1909 	 */
1910 	if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
1911 		return -EINVAL;
1912 
1913 	if (count > INT_MAX)
1914 		count = INT_MAX;
1915 
1916 	if (!(flags & GRND_INSECURE) && !crng_ready()) {
1917 		if (flags & GRND_NONBLOCK)
1918 			return -EAGAIN;
1919 		ret = wait_for_random_bytes();
1920 		if (unlikely(ret))
1921 			return ret;
1922 	}
1923 	return urandom_read_nowarn(NULL, buf, count, NULL);
1924 }
1925 
1926 /********************************************************************
1927  *
1928  * Sysctl interface
1929  *
1930  ********************************************************************/
1931 
1932 #ifdef CONFIG_SYSCTL
1933 
1934 #include <linux/sysctl.h>
1935 
1936 static int min_write_thresh;
1937 static int max_write_thresh = POOL_BITS;
1938 static int random_min_urandom_seed = 60;
1939 static char sysctl_bootid[16];
1940 
1941 /*
1942  * This function is used to return both the bootid UUID, and random
1943  * UUID.  The difference is in whether table->data is NULL; if it is,
1944  * then a new UUID is generated and returned to the user.
1945  *
1946  * If the user accesses this via the proc interface, the UUID will be
1947  * returned as an ASCII string in the standard UUID format; if via the
1948  * sysctl system call, as 16 bytes of binary data.
1949  */
1950 static int proc_do_uuid(struct ctl_table *table, int write, void *buffer,
1951 			size_t *lenp, loff_t *ppos)
1952 {
1953 	struct ctl_table fake_table;
1954 	unsigned char buf[64], tmp_uuid[16], *uuid;
1955 
1956 	uuid = table->data;
1957 	if (!uuid) {
1958 		uuid = tmp_uuid;
1959 		generate_random_uuid(uuid);
1960 	} else {
1961 		static DEFINE_SPINLOCK(bootid_spinlock);
1962 
1963 		spin_lock(&bootid_spinlock);
1964 		if (!uuid[8])
1965 			generate_random_uuid(uuid);
1966 		spin_unlock(&bootid_spinlock);
1967 	}
1968 
1969 	sprintf(buf, "%pU", uuid);
1970 
1971 	fake_table.data = buf;
1972 	fake_table.maxlen = sizeof(buf);
1973 
1974 	return proc_dostring(&fake_table, write, buffer, lenp, ppos);
1975 }
1976 
1977 /*
1978  * Return entropy available scaled to integral bits
1979  */
1980 static int proc_do_entropy(struct ctl_table *table, int write, void *buffer,
1981 			   size_t *lenp, loff_t *ppos)
1982 {
1983 	struct ctl_table fake_table;
1984 	int entropy_count;
1985 
1986 	entropy_count = *(int *)table->data >> POOL_ENTROPY_SHIFT;
1987 
1988 	fake_table.data = &entropy_count;
1989 	fake_table.maxlen = sizeof(entropy_count);
1990 
1991 	return proc_dointvec(&fake_table, write, buffer, lenp, ppos);
1992 }
1993 
1994 static int sysctl_poolsize = POOL_BITS;
1995 static struct ctl_table random_table[] = {
1996 	{
1997 		.procname	= "poolsize",
1998 		.data		= &sysctl_poolsize,
1999 		.maxlen		= sizeof(int),
2000 		.mode		= 0444,
2001 		.proc_handler	= proc_dointvec,
2002 	},
2003 	{
2004 		.procname	= "entropy_avail",
2005 		.maxlen		= sizeof(int),
2006 		.mode		= 0444,
2007 		.proc_handler	= proc_do_entropy,
2008 		.data		= &input_pool.entropy_count,
2009 	},
2010 	{
2011 		.procname	= "write_wakeup_threshold",
2012 		.data		= &random_write_wakeup_bits,
2013 		.maxlen		= sizeof(int),
2014 		.mode		= 0644,
2015 		.proc_handler	= proc_dointvec_minmax,
2016 		.extra1		= &min_write_thresh,
2017 		.extra2		= &max_write_thresh,
2018 	},
2019 	{
2020 		.procname	= "urandom_min_reseed_secs",
2021 		.data		= &random_min_urandom_seed,
2022 		.maxlen		= sizeof(int),
2023 		.mode		= 0644,
2024 		.proc_handler	= proc_dointvec,
2025 	},
2026 	{
2027 		.procname	= "boot_id",
2028 		.data		= &sysctl_bootid,
2029 		.maxlen		= 16,
2030 		.mode		= 0444,
2031 		.proc_handler	= proc_do_uuid,
2032 	},
2033 	{
2034 		.procname	= "uuid",
2035 		.maxlen		= 16,
2036 		.mode		= 0444,
2037 		.proc_handler	= proc_do_uuid,
2038 	},
2039 #ifdef ADD_INTERRUPT_BENCH
2040 	{
2041 		.procname	= "add_interrupt_avg_cycles",
2042 		.data		= &avg_cycles,
2043 		.maxlen		= sizeof(avg_cycles),
2044 		.mode		= 0444,
2045 		.proc_handler	= proc_doulongvec_minmax,
2046 	},
2047 	{
2048 		.procname	= "add_interrupt_avg_deviation",
2049 		.data		= &avg_deviation,
2050 		.maxlen		= sizeof(avg_deviation),
2051 		.mode		= 0444,
2052 		.proc_handler	= proc_doulongvec_minmax,
2053 	},
2054 #endif
2055 	{ }
2056 };
2057 
2058 /*
2059  * rand_initialize() is called before sysctl_init(),
2060  * so we cannot call register_sysctl_init() in rand_initialize()
2061  */
2062 static int __init random_sysctls_init(void)
2063 {
2064 	register_sysctl_init("kernel/random", random_table);
2065 	return 0;
2066 }
2067 device_initcall(random_sysctls_init);
2068 #endif	/* CONFIG_SYSCTL */
2069 
2070 struct batched_entropy {
2071 	union {
2072 		u64 entropy_u64[CHACHA_BLOCK_SIZE / sizeof(u64)];
2073 		u32 entropy_u32[CHACHA_BLOCK_SIZE / sizeof(u32)];
2074 	};
2075 	unsigned int position;
2076 	spinlock_t batch_lock;
2077 };
2078 
2079 /*
2080  * Get a random word for internal kernel use only. The quality of the random
2081  * number is good as /dev/urandom, but there is no backtrack protection, with
2082  * the goal of being quite fast and not depleting entropy. In order to ensure
2083  * that the randomness provided by this function is okay, the function
2084  * wait_for_random_bytes() should be called and return 0 at least once at any
2085  * point prior.
2086  */
2087 static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
2088 	.batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock),
2089 };
2090 
2091 u64 get_random_u64(void)
2092 {
2093 	u64 ret;
2094 	unsigned long flags;
2095 	struct batched_entropy *batch;
2096 	static void *previous;
2097 
2098 	warn_unseeded_randomness(&previous);
2099 
2100 	batch = raw_cpu_ptr(&batched_entropy_u64);
2101 	spin_lock_irqsave(&batch->batch_lock, flags);
2102 	if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) {
2103 		extract_crng((u8 *)batch->entropy_u64);
2104 		batch->position = 0;
2105 	}
2106 	ret = batch->entropy_u64[batch->position++];
2107 	spin_unlock_irqrestore(&batch->batch_lock, flags);
2108 	return ret;
2109 }
2110 EXPORT_SYMBOL(get_random_u64);
2111 
2112 static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
2113 	.batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock),
2114 };
2115 u32 get_random_u32(void)
2116 {
2117 	u32 ret;
2118 	unsigned long flags;
2119 	struct batched_entropy *batch;
2120 	static void *previous;
2121 
2122 	warn_unseeded_randomness(&previous);
2123 
2124 	batch = raw_cpu_ptr(&batched_entropy_u32);
2125 	spin_lock_irqsave(&batch->batch_lock, flags);
2126 	if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) {
2127 		extract_crng((u8 *)batch->entropy_u32);
2128 		batch->position = 0;
2129 	}
2130 	ret = batch->entropy_u32[batch->position++];
2131 	spin_unlock_irqrestore(&batch->batch_lock, flags);
2132 	return ret;
2133 }
2134 EXPORT_SYMBOL(get_random_u32);
2135 
2136 /* It's important to invalidate all potential batched entropy that might
2137  * be stored before the crng is initialized, which we can do lazily by
2138  * simply resetting the counter to zero so that it's re-extracted on the
2139  * next usage. */
2140 static void invalidate_batched_entropy(void)
2141 {
2142 	int cpu;
2143 	unsigned long flags;
2144 
2145 	for_each_possible_cpu(cpu) {
2146 		struct batched_entropy *batched_entropy;
2147 
2148 		batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu);
2149 		spin_lock_irqsave(&batched_entropy->batch_lock, flags);
2150 		batched_entropy->position = 0;
2151 		spin_unlock(&batched_entropy->batch_lock);
2152 
2153 		batched_entropy = per_cpu_ptr(&batched_entropy_u64, cpu);
2154 		spin_lock(&batched_entropy->batch_lock);
2155 		batched_entropy->position = 0;
2156 		spin_unlock_irqrestore(&batched_entropy->batch_lock, flags);
2157 	}
2158 }
2159 
2160 /**
2161  * randomize_page - Generate a random, page aligned address
2162  * @start:	The smallest acceptable address the caller will take.
2163  * @range:	The size of the area, starting at @start, within which the
2164  *		random address must fall.
2165  *
2166  * If @start + @range would overflow, @range is capped.
2167  *
2168  * NOTE: Historical use of randomize_range, which this replaces, presumed that
2169  * @start was already page aligned.  We now align it regardless.
2170  *
2171  * Return: A page aligned address within [start, start + range).  On error,
2172  * @start is returned.
2173  */
2174 unsigned long randomize_page(unsigned long start, unsigned long range)
2175 {
2176 	if (!PAGE_ALIGNED(start)) {
2177 		range -= PAGE_ALIGN(start) - start;
2178 		start = PAGE_ALIGN(start);
2179 	}
2180 
2181 	if (start > ULONG_MAX - range)
2182 		range = ULONG_MAX - start;
2183 
2184 	range >>= PAGE_SHIFT;
2185 
2186 	if (range == 0)
2187 		return start;
2188 
2189 	return start + (get_random_long() % range << PAGE_SHIFT);
2190 }
2191 
2192 /* Interface for in-kernel drivers of true hardware RNGs.
2193  * Those devices may produce endless random bits and will be throttled
2194  * when our pool is full.
2195  */
2196 void add_hwgenerator_randomness(const char *buffer, size_t count,
2197 				size_t entropy)
2198 {
2199 	if (unlikely(crng_init == 0)) {
2200 		size_t ret = crng_fast_load(buffer, count);
2201 		mix_pool_bytes(buffer, ret);
2202 		count -= ret;
2203 		buffer += ret;
2204 		if (!count || crng_init == 0)
2205 			return;
2206 	}
2207 
2208 	/* Suspend writing if we're above the trickle threshold.
2209 	 * We'll be woken up again once below random_write_wakeup_thresh,
2210 	 * or when the calling thread is about to terminate.
2211 	 */
2212 	wait_event_interruptible(random_write_wait,
2213 			!system_wq || kthread_should_stop() ||
2214 			POOL_ENTROPY_BITS() <= random_write_wakeup_bits);
2215 	mix_pool_bytes(buffer, count);
2216 	credit_entropy_bits(entropy);
2217 }
2218 EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
2219 
2220 /* Handle random seed passed by bootloader.
2221  * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
2222  * it would be regarded as device data.
2223  * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
2224  */
2225 void add_bootloader_randomness(const void *buf, unsigned int size)
2226 {
2227 	if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
2228 		add_hwgenerator_randomness(buf, size, size * 8);
2229 	else
2230 		add_device_randomness(buf, size);
2231 }
2232 EXPORT_SYMBOL_GPL(add_bootloader_randomness);
2233