1 /* 2 * random.c -- A strong random number generator 3 * 4 * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 5 * 6 * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005 7 * 8 * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All 9 * rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, and the entire permission notice in its entirety, 16 * including the disclaimer of warranties. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. The name of the author may not be used to endorse or promote 21 * products derived from this software without specific prior 22 * written permission. 23 * 24 * ALTERNATIVELY, this product may be distributed under the terms of 25 * the GNU General Public License, in which case the provisions of the GPL are 26 * required INSTEAD OF the above restrictions. (This clause is 27 * necessary due to a potential bad interaction between the GPL and 28 * the restrictions contained in a BSD-style copyright.) 29 * 30 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 31 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 33 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 34 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 35 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 36 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 37 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 38 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 39 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 40 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 41 * DAMAGE. 42 */ 43 44 /* 45 * (now, with legal B.S. out of the way.....) 46 * 47 * This routine gathers environmental noise from device drivers, etc., 48 * and returns good random numbers, suitable for cryptographic use. 49 * Besides the obvious cryptographic uses, these numbers are also good 50 * for seeding TCP sequence numbers, and other places where it is 51 * desirable to have numbers which are not only random, but hard to 52 * predict by an attacker. 53 * 54 * Theory of operation 55 * =================== 56 * 57 * Computers are very predictable devices. Hence it is extremely hard 58 * to produce truly random numbers on a computer --- as opposed to 59 * pseudo-random numbers, which can easily generated by using a 60 * algorithm. Unfortunately, it is very easy for attackers to guess 61 * the sequence of pseudo-random number generators, and for some 62 * applications this is not acceptable. So instead, we must try to 63 * gather "environmental noise" from the computer's environment, which 64 * must be hard for outside attackers to observe, and use that to 65 * generate random numbers. In a Unix environment, this is best done 66 * from inside the kernel. 67 * 68 * Sources of randomness from the environment include inter-keyboard 69 * timings, inter-interrupt timings from some interrupts, and other 70 * events which are both (a) non-deterministic and (b) hard for an 71 * outside observer to measure. Randomness from these sources are 72 * added to an "entropy pool", which is mixed using a CRC-like function. 73 * This is not cryptographically strong, but it is adequate assuming 74 * the randomness is not chosen maliciously, and it is fast enough that 75 * the overhead of doing it on every interrupt is very reasonable. 76 * As random bytes are mixed into the entropy pool, the routines keep 77 * an *estimate* of how many bits of randomness have been stored into 78 * the random number generator's internal state. 79 * 80 * When random bytes are desired, they are obtained by taking the BLAKE2s 81 * hash of the contents of the "entropy pool". The BLAKE2s hash avoids 82 * exposing the internal state of the entropy pool. It is believed to 83 * be computationally infeasible to derive any useful information 84 * about the input of BLAKE2s from its output. Even if it is possible to 85 * analyze BLAKE2s in some clever way, as long as the amount of data 86 * returned from the generator is less than the inherent entropy in 87 * the pool, the output data is totally unpredictable. For this 88 * reason, the routine decreases its internal estimate of how many 89 * bits of "true randomness" are contained in the entropy pool as it 90 * outputs random numbers. 91 * 92 * If this estimate goes to zero, the routine can still generate 93 * random numbers; however, an attacker may (at least in theory) be 94 * able to infer the future output of the generator from prior 95 * outputs. This requires successful cryptanalysis of BLAKE2s, which is 96 * not believed to be feasible, but there is a remote possibility. 97 * Nonetheless, these numbers should be useful for the vast majority 98 * of purposes. 99 * 100 * Exported interfaces ---- output 101 * =============================== 102 * 103 * There are four exported interfaces; two for use within the kernel, 104 * and two for use from userspace. 105 * 106 * Exported interfaces ---- userspace output 107 * ----------------------------------------- 108 * 109 * The userspace interfaces are two character devices /dev/random and 110 * /dev/urandom. /dev/random is suitable for use when very high 111 * quality randomness is desired (for example, for key generation or 112 * one-time pads), as it will only return a maximum of the number of 113 * bits of randomness (as estimated by the random number generator) 114 * contained in the entropy pool. 115 * 116 * The /dev/urandom device does not have this limit, and will return 117 * as many bytes as are requested. As more and more random bytes are 118 * requested without giving time for the entropy pool to recharge, 119 * this will result in random numbers that are merely cryptographically 120 * strong. For many applications, however, this is acceptable. 121 * 122 * Exported interfaces ---- kernel output 123 * -------------------------------------- 124 * 125 * The primary kernel interface is 126 * 127 * void get_random_bytes(void *buf, int nbytes); 128 * 129 * This interface will return the requested number of random bytes, 130 * and place it in the requested buffer. This is equivalent to a 131 * read from /dev/urandom. 132 * 133 * For less critical applications, there are the functions: 134 * 135 * u32 get_random_u32() 136 * u64 get_random_u64() 137 * unsigned int get_random_int() 138 * unsigned long get_random_long() 139 * 140 * These are produced by a cryptographic RNG seeded from get_random_bytes, 141 * and so do not deplete the entropy pool as much. These are recommended 142 * for most in-kernel operations *if the result is going to be stored in 143 * the kernel*. 144 * 145 * Specifically, the get_random_int() family do not attempt to do 146 * "anti-backtracking". If you capture the state of the kernel (e.g. 147 * by snapshotting the VM), you can figure out previous get_random_int() 148 * return values. But if the value is stored in the kernel anyway, 149 * this is not a problem. 150 * 151 * It *is* safe to expose get_random_int() output to attackers (e.g. as 152 * network cookies); given outputs 1..n, it's not feasible to predict 153 * outputs 0 or n+1. The only concern is an attacker who breaks into 154 * the kernel later; the get_random_int() engine is not reseeded as 155 * often as the get_random_bytes() one. 156 * 157 * get_random_bytes() is needed for keys that need to stay secret after 158 * they are erased from the kernel. For example, any key that will 159 * be wrapped and stored encrypted. And session encryption keys: we'd 160 * like to know that after the session is closed and the keys erased, 161 * the plaintext is unrecoverable to someone who recorded the ciphertext. 162 * 163 * But for network ports/cookies, stack canaries, PRNG seeds, address 164 * space layout randomization, session *authentication* keys, or other 165 * applications where the sensitive data is stored in the kernel in 166 * plaintext for as long as it's sensitive, the get_random_int() family 167 * is just fine. 168 * 169 * Consider ASLR. We want to keep the address space secret from an 170 * outside attacker while the process is running, but once the address 171 * space is torn down, it's of no use to an attacker any more. And it's 172 * stored in kernel data structures as long as it's alive, so worrying 173 * about an attacker's ability to extrapolate it from the get_random_int() 174 * CRNG is silly. 175 * 176 * Even some cryptographic keys are safe to generate with get_random_int(). 177 * In particular, keys for SipHash are generally fine. Here, knowledge 178 * of the key authorizes you to do something to a kernel object (inject 179 * packets to a network connection, or flood a hash table), and the 180 * key is stored with the object being protected. Once it goes away, 181 * we no longer care if anyone knows the key. 182 * 183 * prandom_u32() 184 * ------------- 185 * 186 * For even weaker applications, see the pseudorandom generator 187 * prandom_u32(), prandom_max(), and prandom_bytes(). If the random 188 * numbers aren't security-critical at all, these are *far* cheaper. 189 * Useful for self-tests, random error simulation, randomized backoffs, 190 * and any other application where you trust that nobody is trying to 191 * maliciously mess with you by guessing the "random" numbers. 192 * 193 * Exported interfaces ---- input 194 * ============================== 195 * 196 * The current exported interfaces for gathering environmental noise 197 * from the devices are: 198 * 199 * void add_device_randomness(const void *buf, unsigned int size); 200 * void add_input_randomness(unsigned int type, unsigned int code, 201 * unsigned int value); 202 * void add_interrupt_randomness(int irq); 203 * void add_disk_randomness(struct gendisk *disk); 204 * void add_hwgenerator_randomness(const char *buffer, size_t count, 205 * size_t entropy); 206 * void add_bootloader_randomness(const void *buf, unsigned int size); 207 * 208 * add_device_randomness() is for adding data to the random pool that 209 * is likely to differ between two devices (or possibly even per boot). 210 * This would be things like MAC addresses or serial numbers, or the 211 * read-out of the RTC. This does *not* add any actual entropy to the 212 * pool, but it initializes the pool to different values for devices 213 * that might otherwise be identical and have very little entropy 214 * available to them (particularly common in the embedded world). 215 * 216 * add_input_randomness() uses the input layer interrupt timing, as well as 217 * the event type information from the hardware. 218 * 219 * add_interrupt_randomness() uses the interrupt timing as random 220 * inputs to the entropy pool. Using the cycle counters and the irq source 221 * as inputs, it feeds the randomness roughly once a second. 222 * 223 * add_disk_randomness() uses what amounts to the seek time of block 224 * layer request events, on a per-disk_devt basis, as input to the 225 * entropy pool. Note that high-speed solid state drives with very low 226 * seek times do not make for good sources of entropy, as their seek 227 * times are usually fairly consistent. 228 * 229 * All of these routines try to estimate how many bits of randomness a 230 * particular randomness source. They do this by keeping track of the 231 * first and second order deltas of the event timings. 232 * 233 * add_hwgenerator_randomness() is for true hardware RNGs, and will credit 234 * entropy as specified by the caller. If the entropy pool is full it will 235 * block until more entropy is needed. 236 * 237 * add_bootloader_randomness() is the same as add_hwgenerator_randomness() or 238 * add_device_randomness(), depending on whether or not the configuration 239 * option CONFIG_RANDOM_TRUST_BOOTLOADER is set. 240 * 241 * Ensuring unpredictability at system startup 242 * ============================================ 243 * 244 * When any operating system starts up, it will go through a sequence 245 * of actions that are fairly predictable by an adversary, especially 246 * if the start-up does not involve interaction with a human operator. 247 * This reduces the actual number of bits of unpredictability in the 248 * entropy pool below the value in entropy_count. In order to 249 * counteract this effect, it helps to carry information in the 250 * entropy pool across shut-downs and start-ups. To do this, put the 251 * following lines an appropriate script which is run during the boot 252 * sequence: 253 * 254 * echo "Initializing random number generator..." 255 * random_seed=/var/run/random-seed 256 * # Carry a random seed from start-up to start-up 257 * # Load and then save the whole entropy pool 258 * if [ -f $random_seed ]; then 259 * cat $random_seed >/dev/urandom 260 * else 261 * touch $random_seed 262 * fi 263 * chmod 600 $random_seed 264 * dd if=/dev/urandom of=$random_seed count=1 bs=512 265 * 266 * and the following lines in an appropriate script which is run as 267 * the system is shutdown: 268 * 269 * # Carry a random seed from shut-down to start-up 270 * # Save the whole entropy pool 271 * echo "Saving random seed..." 272 * random_seed=/var/run/random-seed 273 * touch $random_seed 274 * chmod 600 $random_seed 275 * dd if=/dev/urandom of=$random_seed count=1 bs=512 276 * 277 * For example, on most modern systems using the System V init 278 * scripts, such code fragments would be found in 279 * /etc/rc.d/init.d/random. On older Linux systems, the correct script 280 * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0. 281 * 282 * Effectively, these commands cause the contents of the entropy pool 283 * to be saved at shut-down time and reloaded into the entropy pool at 284 * start-up. (The 'dd' in the addition to the bootup script is to 285 * make sure that /etc/random-seed is different for every start-up, 286 * even if the system crashes without executing rc.0.) Even with 287 * complete knowledge of the start-up activities, predicting the state 288 * of the entropy pool requires knowledge of the previous history of 289 * the system. 290 * 291 * Configuring the /dev/random driver under Linux 292 * ============================================== 293 * 294 * The /dev/random driver under Linux uses minor numbers 8 and 9 of 295 * the /dev/mem major number (#1). So if your system does not have 296 * /dev/random and /dev/urandom created already, they can be created 297 * by using the commands: 298 * 299 * mknod /dev/random c 1 8 300 * mknod /dev/urandom c 1 9 301 * 302 * Acknowledgements: 303 * ================= 304 * 305 * Ideas for constructing this random number generator were derived 306 * from Pretty Good Privacy's random number generator, and from private 307 * discussions with Phil Karn. Colin Plumb provided a faster random 308 * number generator, which speed up the mixing function of the entropy 309 * pool, taken from PGPfone. Dale Worley has also contributed many 310 * useful ideas and suggestions to improve this driver. 311 * 312 * Any flaws in the design are solely my responsibility, and should 313 * not be attributed to the Phil, Colin, or any of authors of PGP. 314 * 315 * Further background information on this topic may be obtained from 316 * RFC 1750, "Randomness Recommendations for Security", by Donald 317 * Eastlake, Steve Crocker, and Jeff Schiller. 318 */ 319 320 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 321 322 #include <linux/utsname.h> 323 #include <linux/module.h> 324 #include <linux/kernel.h> 325 #include <linux/major.h> 326 #include <linux/string.h> 327 #include <linux/fcntl.h> 328 #include <linux/slab.h> 329 #include <linux/random.h> 330 #include <linux/poll.h> 331 #include <linux/init.h> 332 #include <linux/fs.h> 333 #include <linux/genhd.h> 334 #include <linux/interrupt.h> 335 #include <linux/mm.h> 336 #include <linux/nodemask.h> 337 #include <linux/spinlock.h> 338 #include <linux/kthread.h> 339 #include <linux/percpu.h> 340 #include <linux/ptrace.h> 341 #include <linux/workqueue.h> 342 #include <linux/irq.h> 343 #include <linux/ratelimit.h> 344 #include <linux/syscalls.h> 345 #include <linux/completion.h> 346 #include <linux/uuid.h> 347 #include <crypto/chacha.h> 348 #include <crypto/blake2s.h> 349 350 #include <asm/processor.h> 351 #include <linux/uaccess.h> 352 #include <asm/irq.h> 353 #include <asm/irq_regs.h> 354 #include <asm/io.h> 355 356 #define CREATE_TRACE_POINTS 357 #include <trace/events/random.h> 358 359 /* #define ADD_INTERRUPT_BENCH */ 360 361 /* 362 * If the entropy count falls under this number of bits, then we 363 * should wake up processes which are selecting or polling on write 364 * access to /dev/random. 365 */ 366 static int random_write_wakeup_bits = 28 * (1 << 5); 367 368 /* 369 * Originally, we used a primitive polynomial of degree .poolwords 370 * over GF(2). The taps for various sizes are defined below. They 371 * were chosen to be evenly spaced except for the last tap, which is 1 372 * to get the twisting happening as fast as possible. 373 * 374 * For the purposes of better mixing, we use the CRC-32 polynomial as 375 * well to make a (modified) twisted Generalized Feedback Shift 376 * Register. (See M. Matsumoto & Y. Kurita, 1992. Twisted GFSR 377 * generators. ACM Transactions on Modeling and Computer Simulation 378 * 2(3):179-194. Also see M. Matsumoto & Y. Kurita, 1994. Twisted 379 * GFSR generators II. ACM Transactions on Modeling and Computer 380 * Simulation 4:254-266) 381 * 382 * Thanks to Colin Plumb for suggesting this. 383 * 384 * The mixing operation is much less sensitive than the output hash, 385 * where we use BLAKE2s. All that we want of mixing operation is that 386 * it be a good non-cryptographic hash; i.e. it not produce collisions 387 * when fed "random" data of the sort we expect to see. As long as 388 * the pool state differs for different inputs, we have preserved the 389 * input entropy and done a good job. The fact that an intelligent 390 * attacker can construct inputs that will produce controlled 391 * alterations to the pool's state is not important because we don't 392 * consider such inputs to contribute any randomness. The only 393 * property we need with respect to them is that the attacker can't 394 * increase his/her knowledge of the pool's state. Since all 395 * additions are reversible (knowing the final state and the input, 396 * you can reconstruct the initial state), if an attacker has any 397 * uncertainty about the initial state, he/she can only shuffle that 398 * uncertainty about, but never cause any collisions (which would 399 * decrease the uncertainty). 400 * 401 * Our mixing functions were analyzed by Lacharme, Roeck, Strubel, and 402 * Videau in their paper, "The Linux Pseudorandom Number Generator 403 * Revisited" (see: http://eprint.iacr.org/2012/251.pdf). In their 404 * paper, they point out that we are not using a true Twisted GFSR, 405 * since Matsumoto & Kurita used a trinomial feedback polynomial (that 406 * is, with only three taps, instead of the six that we are using). 407 * As a result, the resulting polynomial is neither primitive nor 408 * irreducible, and hence does not have a maximal period over 409 * GF(2**32). They suggest a slight change to the generator 410 * polynomial which improves the resulting TGFSR polynomial to be 411 * irreducible, which we have made here. 412 */ 413 enum poolinfo { 414 POOL_WORDS = 128, 415 POOL_WORDMASK = POOL_WORDS - 1, 416 POOL_BYTES = POOL_WORDS * sizeof(u32), 417 POOL_BITS = POOL_BYTES * 8, 418 POOL_BITSHIFT = ilog2(POOL_BITS), 419 420 /* To allow fractional bits to be tracked, the entropy_count field is 421 * denominated in units of 1/8th bits. */ 422 POOL_ENTROPY_SHIFT = 3, 423 #define POOL_ENTROPY_BITS() (input_pool.entropy_count >> POOL_ENTROPY_SHIFT) 424 POOL_FRACBITS = POOL_BITS << POOL_ENTROPY_SHIFT, 425 426 /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ 427 POOL_TAP1 = 104, 428 POOL_TAP2 = 76, 429 POOL_TAP3 = 51, 430 POOL_TAP4 = 25, 431 POOL_TAP5 = 1, 432 433 EXTRACT_SIZE = BLAKE2S_HASH_SIZE / 2 434 }; 435 436 /* 437 * Static global variables 438 */ 439 static DECLARE_WAIT_QUEUE_HEAD(random_write_wait); 440 static struct fasync_struct *fasync; 441 442 static DEFINE_SPINLOCK(random_ready_list_lock); 443 static LIST_HEAD(random_ready_list); 444 445 struct crng_state { 446 u32 state[16]; 447 unsigned long init_time; 448 spinlock_t lock; 449 }; 450 451 static struct crng_state primary_crng = { 452 .lock = __SPIN_LOCK_UNLOCKED(primary_crng.lock), 453 .state[0] = CHACHA_CONSTANT_EXPA, 454 .state[1] = CHACHA_CONSTANT_ND_3, 455 .state[2] = CHACHA_CONSTANT_2_BY, 456 .state[3] = CHACHA_CONSTANT_TE_K, 457 }; 458 459 /* 460 * crng_init = 0 --> Uninitialized 461 * 1 --> Initialized 462 * 2 --> Initialized from input_pool 463 * 464 * crng_init is protected by primary_crng->lock, and only increases 465 * its value (from 0->1->2). 466 */ 467 static int crng_init = 0; 468 static bool crng_need_final_init = false; 469 #define crng_ready() (likely(crng_init > 1)) 470 static int crng_init_cnt = 0; 471 static unsigned long crng_global_init_time = 0; 472 #define CRNG_INIT_CNT_THRESH (2 * CHACHA_KEY_SIZE) 473 static void _extract_crng(struct crng_state *crng, u8 out[CHACHA_BLOCK_SIZE]); 474 static void _crng_backtrack_protect(struct crng_state *crng, 475 u8 tmp[CHACHA_BLOCK_SIZE], int used); 476 static void process_random_ready_list(void); 477 static void _get_random_bytes(void *buf, int nbytes); 478 479 static struct ratelimit_state unseeded_warning = 480 RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3); 481 static struct ratelimit_state urandom_warning = 482 RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3); 483 484 static int ratelimit_disable __read_mostly; 485 486 module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); 487 MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); 488 489 /********************************************************************** 490 * 491 * OS independent entropy store. Here are the functions which handle 492 * storing entropy in an entropy pool. 493 * 494 **********************************************************************/ 495 496 static u32 input_pool_data[POOL_WORDS] __latent_entropy; 497 498 static struct { 499 spinlock_t lock; 500 u16 add_ptr; 501 u16 input_rotate; 502 int entropy_count; 503 } input_pool = { 504 .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock), 505 }; 506 507 static ssize_t extract_entropy(void *buf, size_t nbytes, int min); 508 static ssize_t _extract_entropy(void *buf, size_t nbytes); 509 510 static void crng_reseed(struct crng_state *crng, bool use_input_pool); 511 512 static const u32 twist_table[8] = { 513 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158, 514 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 }; 515 516 /* 517 * This function adds bytes into the entropy "pool". It does not 518 * update the entropy estimate. The caller should call 519 * credit_entropy_bits if this is appropriate. 520 * 521 * The pool is stirred with a primitive polynomial of the appropriate 522 * degree, and then twisted. We twist by three bits at a time because 523 * it's cheap to do so and helps slightly in the expected case where 524 * the entropy is concentrated in the low-order bits. 525 */ 526 static void _mix_pool_bytes(const void *in, int nbytes) 527 { 528 unsigned long i; 529 int input_rotate; 530 const u8 *bytes = in; 531 u32 w; 532 533 input_rotate = input_pool.input_rotate; 534 i = input_pool.add_ptr; 535 536 /* mix one byte at a time to simplify size handling and churn faster */ 537 while (nbytes--) { 538 w = rol32(*bytes++, input_rotate); 539 i = (i - 1) & POOL_WORDMASK; 540 541 /* XOR in the various taps */ 542 w ^= input_pool_data[i]; 543 w ^= input_pool_data[(i + POOL_TAP1) & POOL_WORDMASK]; 544 w ^= input_pool_data[(i + POOL_TAP2) & POOL_WORDMASK]; 545 w ^= input_pool_data[(i + POOL_TAP3) & POOL_WORDMASK]; 546 w ^= input_pool_data[(i + POOL_TAP4) & POOL_WORDMASK]; 547 w ^= input_pool_data[(i + POOL_TAP5) & POOL_WORDMASK]; 548 549 /* Mix the result back in with a twist */ 550 input_pool_data[i] = (w >> 3) ^ twist_table[w & 7]; 551 552 /* 553 * Normally, we add 7 bits of rotation to the pool. 554 * At the beginning of the pool, add an extra 7 bits 555 * rotation, so that successive passes spread the 556 * input bits across the pool evenly. 557 */ 558 input_rotate = (input_rotate + (i ? 7 : 14)) & 31; 559 } 560 561 input_pool.input_rotate = input_rotate; 562 input_pool.add_ptr = i; 563 } 564 565 static void __mix_pool_bytes(const void *in, int nbytes) 566 { 567 trace_mix_pool_bytes_nolock(nbytes, _RET_IP_); 568 _mix_pool_bytes(in, nbytes); 569 } 570 571 static void mix_pool_bytes(const void *in, int nbytes) 572 { 573 unsigned long flags; 574 575 trace_mix_pool_bytes(nbytes, _RET_IP_); 576 spin_lock_irqsave(&input_pool.lock, flags); 577 _mix_pool_bytes(in, nbytes); 578 spin_unlock_irqrestore(&input_pool.lock, flags); 579 } 580 581 struct fast_pool { 582 u32 pool[4]; 583 unsigned long last; 584 u16 reg_idx; 585 u8 count; 586 }; 587 588 /* 589 * This is a fast mixing routine used by the interrupt randomness 590 * collector. It's hardcoded for an 128 bit pool and assumes that any 591 * locks that might be needed are taken by the caller. 592 */ 593 static void fast_mix(struct fast_pool *f) 594 { 595 u32 a = f->pool[0], b = f->pool[1]; 596 u32 c = f->pool[2], d = f->pool[3]; 597 598 a += b; c += d; 599 b = rol32(b, 6); d = rol32(d, 27); 600 d ^= a; b ^= c; 601 602 a += b; c += d; 603 b = rol32(b, 16); d = rol32(d, 14); 604 d ^= a; b ^= c; 605 606 a += b; c += d; 607 b = rol32(b, 6); d = rol32(d, 27); 608 d ^= a; b ^= c; 609 610 a += b; c += d; 611 b = rol32(b, 16); d = rol32(d, 14); 612 d ^= a; b ^= c; 613 614 f->pool[0] = a; f->pool[1] = b; 615 f->pool[2] = c; f->pool[3] = d; 616 f->count++; 617 } 618 619 static void process_random_ready_list(void) 620 { 621 unsigned long flags; 622 struct random_ready_callback *rdy, *tmp; 623 624 spin_lock_irqsave(&random_ready_list_lock, flags); 625 list_for_each_entry_safe(rdy, tmp, &random_ready_list, list) { 626 struct module *owner = rdy->owner; 627 628 list_del_init(&rdy->list); 629 rdy->func(rdy); 630 module_put(owner); 631 } 632 spin_unlock_irqrestore(&random_ready_list_lock, flags); 633 } 634 635 /* 636 * Credit (or debit) the entropy store with n bits of entropy. 637 * Use credit_entropy_bits_safe() if the value comes from userspace 638 * or otherwise should be checked for extreme values. 639 */ 640 static void credit_entropy_bits(int nbits) 641 { 642 int entropy_count, entropy_bits, orig; 643 int nfrac = nbits << POOL_ENTROPY_SHIFT; 644 645 /* Ensure that the multiplication can avoid being 64 bits wide. */ 646 BUILD_BUG_ON(2 * (POOL_ENTROPY_SHIFT + POOL_BITSHIFT) > 31); 647 648 if (!nbits) 649 return; 650 651 retry: 652 entropy_count = orig = READ_ONCE(input_pool.entropy_count); 653 if (nfrac < 0) { 654 /* Debit */ 655 entropy_count += nfrac; 656 } else { 657 /* 658 * Credit: we have to account for the possibility of 659 * overwriting already present entropy. Even in the 660 * ideal case of pure Shannon entropy, new contributions 661 * approach the full value asymptotically: 662 * 663 * entropy <- entropy + (pool_size - entropy) * 664 * (1 - exp(-add_entropy/pool_size)) 665 * 666 * For add_entropy <= pool_size/2 then 667 * (1 - exp(-add_entropy/pool_size)) >= 668 * (add_entropy/pool_size)*0.7869... 669 * so we can approximate the exponential with 670 * 3/4*add_entropy/pool_size and still be on the 671 * safe side by adding at most pool_size/2 at a time. 672 * 673 * The use of pool_size-2 in the while statement is to 674 * prevent rounding artifacts from making the loop 675 * arbitrarily long; this limits the loop to log2(pool_size)*2 676 * turns no matter how large nbits is. 677 */ 678 int pnfrac = nfrac; 679 const int s = POOL_BITSHIFT + POOL_ENTROPY_SHIFT + 2; 680 /* The +2 corresponds to the /4 in the denominator */ 681 682 do { 683 unsigned int anfrac = min(pnfrac, POOL_FRACBITS / 2); 684 unsigned int add = 685 ((POOL_FRACBITS - entropy_count) * anfrac * 3) >> s; 686 687 entropy_count += add; 688 pnfrac -= anfrac; 689 } while (unlikely(entropy_count < POOL_FRACBITS - 2 && pnfrac)); 690 } 691 692 if (WARN_ON(entropy_count < 0)) { 693 pr_warn("negative entropy/overflow: count %d\n", entropy_count); 694 entropy_count = 0; 695 } else if (entropy_count > POOL_FRACBITS) 696 entropy_count = POOL_FRACBITS; 697 if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig) 698 goto retry; 699 700 trace_credit_entropy_bits(nbits, entropy_count >> POOL_ENTROPY_SHIFT, _RET_IP_); 701 702 entropy_bits = entropy_count >> POOL_ENTROPY_SHIFT; 703 if (crng_init < 2 && entropy_bits >= 128) 704 crng_reseed(&primary_crng, true); 705 } 706 707 static int credit_entropy_bits_safe(int nbits) 708 { 709 if (nbits < 0) 710 return -EINVAL; 711 712 /* Cap the value to avoid overflows */ 713 nbits = min(nbits, POOL_BITS); 714 715 credit_entropy_bits(nbits); 716 return 0; 717 } 718 719 /********************************************************************* 720 * 721 * CRNG using CHACHA20 722 * 723 *********************************************************************/ 724 725 #define CRNG_RESEED_INTERVAL (300 * HZ) 726 727 static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait); 728 729 /* 730 * Hack to deal with crazy userspace progams when they are all trying 731 * to access /dev/urandom in parallel. The programs are almost 732 * certainly doing something terribly wrong, but we'll work around 733 * their brain damage. 734 */ 735 static struct crng_state **crng_node_pool __read_mostly; 736 737 static void invalidate_batched_entropy(void); 738 static void numa_crng_init(void); 739 740 static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU); 741 static int __init parse_trust_cpu(char *arg) 742 { 743 return kstrtobool(arg, &trust_cpu); 744 } 745 early_param("random.trust_cpu", parse_trust_cpu); 746 747 static bool crng_init_try_arch(struct crng_state *crng) 748 { 749 int i; 750 bool arch_init = true; 751 unsigned long rv; 752 753 for (i = 4; i < 16; i++) { 754 if (!arch_get_random_seed_long(&rv) && 755 !arch_get_random_long(&rv)) { 756 rv = random_get_entropy(); 757 arch_init = false; 758 } 759 crng->state[i] ^= rv; 760 } 761 762 return arch_init; 763 } 764 765 static bool __init crng_init_try_arch_early(struct crng_state *crng) 766 { 767 int i; 768 bool arch_init = true; 769 unsigned long rv; 770 771 for (i = 4; i < 16; i++) { 772 if (!arch_get_random_seed_long_early(&rv) && 773 !arch_get_random_long_early(&rv)) { 774 rv = random_get_entropy(); 775 arch_init = false; 776 } 777 crng->state[i] ^= rv; 778 } 779 780 return arch_init; 781 } 782 783 static void crng_initialize_secondary(struct crng_state *crng) 784 { 785 chacha_init_consts(crng->state); 786 _get_random_bytes(&crng->state[4], sizeof(u32) * 12); 787 crng_init_try_arch(crng); 788 crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; 789 } 790 791 static void __init crng_initialize_primary(struct crng_state *crng) 792 { 793 _extract_entropy(&crng->state[4], sizeof(u32) * 12); 794 if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) { 795 invalidate_batched_entropy(); 796 numa_crng_init(); 797 crng_init = 2; 798 pr_notice("crng init done (trusting CPU's manufacturer)\n"); 799 } 800 crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; 801 } 802 803 static void crng_finalize_init(struct crng_state *crng) 804 { 805 if (crng != &primary_crng || crng_init >= 2) 806 return; 807 if (!system_wq) { 808 /* We can't call numa_crng_init until we have workqueues, 809 * so mark this for processing later. */ 810 crng_need_final_init = true; 811 return; 812 } 813 814 invalidate_batched_entropy(); 815 numa_crng_init(); 816 crng_init = 2; 817 process_random_ready_list(); 818 wake_up_interruptible(&crng_init_wait); 819 kill_fasync(&fasync, SIGIO, POLL_IN); 820 pr_notice("crng init done\n"); 821 if (unseeded_warning.missed) { 822 pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n", 823 unseeded_warning.missed); 824 unseeded_warning.missed = 0; 825 } 826 if (urandom_warning.missed) { 827 pr_notice("%d urandom warning(s) missed due to ratelimiting\n", 828 urandom_warning.missed); 829 urandom_warning.missed = 0; 830 } 831 } 832 833 static void do_numa_crng_init(struct work_struct *work) 834 { 835 int i; 836 struct crng_state *crng; 837 struct crng_state **pool; 838 839 pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL | __GFP_NOFAIL); 840 for_each_online_node(i) { 841 crng = kmalloc_node(sizeof(struct crng_state), 842 GFP_KERNEL | __GFP_NOFAIL, i); 843 spin_lock_init(&crng->lock); 844 crng_initialize_secondary(crng); 845 pool[i] = crng; 846 } 847 /* pairs with READ_ONCE() in select_crng() */ 848 if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) { 849 for_each_node(i) 850 kfree(pool[i]); 851 kfree(pool); 852 } 853 } 854 855 static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init); 856 857 static void numa_crng_init(void) 858 { 859 if (IS_ENABLED(CONFIG_NUMA)) 860 schedule_work(&numa_crng_init_work); 861 } 862 863 static struct crng_state *select_crng(void) 864 { 865 if (IS_ENABLED(CONFIG_NUMA)) { 866 struct crng_state **pool; 867 int nid = numa_node_id(); 868 869 /* pairs with cmpxchg_release() in do_numa_crng_init() */ 870 pool = READ_ONCE(crng_node_pool); 871 if (pool && pool[nid]) 872 return pool[nid]; 873 } 874 875 return &primary_crng; 876 } 877 878 /* 879 * crng_fast_load() can be called by code in the interrupt service 880 * path. So we can't afford to dilly-dally. Returns the number of 881 * bytes processed from cp. 882 */ 883 static size_t crng_fast_load(const u8 *cp, size_t len) 884 { 885 unsigned long flags; 886 u8 *p; 887 size_t ret = 0; 888 889 if (!spin_trylock_irqsave(&primary_crng.lock, flags)) 890 return 0; 891 if (crng_init != 0) { 892 spin_unlock_irqrestore(&primary_crng.lock, flags); 893 return 0; 894 } 895 p = (u8 *)&primary_crng.state[4]; 896 while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) { 897 p[crng_init_cnt % CHACHA_KEY_SIZE] ^= *cp; 898 cp++; crng_init_cnt++; len--; ret++; 899 } 900 spin_unlock_irqrestore(&primary_crng.lock, flags); 901 if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) { 902 invalidate_batched_entropy(); 903 crng_init = 1; 904 pr_notice("fast init done\n"); 905 } 906 return ret; 907 } 908 909 /* 910 * crng_slow_load() is called by add_device_randomness, which has two 911 * attributes. (1) We can't trust the buffer passed to it is 912 * guaranteed to be unpredictable (so it might not have any entropy at 913 * all), and (2) it doesn't have the performance constraints of 914 * crng_fast_load(). 915 * 916 * So we do something more comprehensive which is guaranteed to touch 917 * all of the primary_crng's state, and which uses a LFSR with a 918 * period of 255 as part of the mixing algorithm. Finally, we do 919 * *not* advance crng_init_cnt since buffer we may get may be something 920 * like a fixed DMI table (for example), which might very well be 921 * unique to the machine, but is otherwise unvarying. 922 */ 923 static int crng_slow_load(const u8 *cp, size_t len) 924 { 925 unsigned long flags; 926 static u8 lfsr = 1; 927 u8 tmp; 928 unsigned int i, max = CHACHA_KEY_SIZE; 929 const u8 *src_buf = cp; 930 u8 *dest_buf = (u8 *)&primary_crng.state[4]; 931 932 if (!spin_trylock_irqsave(&primary_crng.lock, flags)) 933 return 0; 934 if (crng_init != 0) { 935 spin_unlock_irqrestore(&primary_crng.lock, flags); 936 return 0; 937 } 938 if (len > max) 939 max = len; 940 941 for (i = 0; i < max; i++) { 942 tmp = lfsr; 943 lfsr >>= 1; 944 if (tmp & 1) 945 lfsr ^= 0xE1; 946 tmp = dest_buf[i % CHACHA_KEY_SIZE]; 947 dest_buf[i % CHACHA_KEY_SIZE] ^= src_buf[i % len] ^ lfsr; 948 lfsr += (tmp << 3) | (tmp >> 5); 949 } 950 spin_unlock_irqrestore(&primary_crng.lock, flags); 951 return 1; 952 } 953 954 static void crng_reseed(struct crng_state *crng, bool use_input_pool) 955 { 956 unsigned long flags; 957 int i, num; 958 union { 959 u8 block[CHACHA_BLOCK_SIZE]; 960 u32 key[8]; 961 } buf; 962 963 if (use_input_pool) { 964 num = extract_entropy(&buf, 32, 16); 965 if (num == 0) 966 return; 967 } else { 968 _extract_crng(&primary_crng, buf.block); 969 _crng_backtrack_protect(&primary_crng, buf.block, 970 CHACHA_KEY_SIZE); 971 } 972 spin_lock_irqsave(&crng->lock, flags); 973 for (i = 0; i < 8; i++) { 974 unsigned long rv; 975 if (!arch_get_random_seed_long(&rv) && 976 !arch_get_random_long(&rv)) 977 rv = random_get_entropy(); 978 crng->state[i + 4] ^= buf.key[i] ^ rv; 979 } 980 memzero_explicit(&buf, sizeof(buf)); 981 WRITE_ONCE(crng->init_time, jiffies); 982 spin_unlock_irqrestore(&crng->lock, flags); 983 crng_finalize_init(crng); 984 } 985 986 static void _extract_crng(struct crng_state *crng, u8 out[CHACHA_BLOCK_SIZE]) 987 { 988 unsigned long flags, init_time; 989 990 if (crng_ready()) { 991 init_time = READ_ONCE(crng->init_time); 992 if (time_after(READ_ONCE(crng_global_init_time), init_time) || 993 time_after(jiffies, init_time + CRNG_RESEED_INTERVAL)) 994 crng_reseed(crng, crng == &primary_crng); 995 } 996 spin_lock_irqsave(&crng->lock, flags); 997 chacha20_block(&crng->state[0], out); 998 if (crng->state[12] == 0) 999 crng->state[13]++; 1000 spin_unlock_irqrestore(&crng->lock, flags); 1001 } 1002 1003 static void extract_crng(u8 out[CHACHA_BLOCK_SIZE]) 1004 { 1005 _extract_crng(select_crng(), out); 1006 } 1007 1008 /* 1009 * Use the leftover bytes from the CRNG block output (if there is 1010 * enough) to mutate the CRNG key to provide backtracking protection. 1011 */ 1012 static void _crng_backtrack_protect(struct crng_state *crng, 1013 u8 tmp[CHACHA_BLOCK_SIZE], int used) 1014 { 1015 unsigned long flags; 1016 u32 *s, *d; 1017 int i; 1018 1019 used = round_up(used, sizeof(u32)); 1020 if (used + CHACHA_KEY_SIZE > CHACHA_BLOCK_SIZE) { 1021 extract_crng(tmp); 1022 used = 0; 1023 } 1024 spin_lock_irqsave(&crng->lock, flags); 1025 s = (u32 *)&tmp[used]; 1026 d = &crng->state[4]; 1027 for (i = 0; i < 8; i++) 1028 *d++ ^= *s++; 1029 spin_unlock_irqrestore(&crng->lock, flags); 1030 } 1031 1032 static void crng_backtrack_protect(u8 tmp[CHACHA_BLOCK_SIZE], int used) 1033 { 1034 _crng_backtrack_protect(select_crng(), tmp, used); 1035 } 1036 1037 static ssize_t extract_crng_user(void __user *buf, size_t nbytes) 1038 { 1039 ssize_t ret = 0, i = CHACHA_BLOCK_SIZE; 1040 u8 tmp[CHACHA_BLOCK_SIZE] __aligned(4); 1041 int large_request = (nbytes > 256); 1042 1043 while (nbytes) { 1044 if (large_request && need_resched()) { 1045 if (signal_pending(current)) { 1046 if (ret == 0) 1047 ret = -ERESTARTSYS; 1048 break; 1049 } 1050 schedule(); 1051 } 1052 1053 extract_crng(tmp); 1054 i = min_t(int, nbytes, CHACHA_BLOCK_SIZE); 1055 if (copy_to_user(buf, tmp, i)) { 1056 ret = -EFAULT; 1057 break; 1058 } 1059 1060 nbytes -= i; 1061 buf += i; 1062 ret += i; 1063 } 1064 crng_backtrack_protect(tmp, i); 1065 1066 /* Wipe data just written to memory */ 1067 memzero_explicit(tmp, sizeof(tmp)); 1068 1069 return ret; 1070 } 1071 1072 /********************************************************************* 1073 * 1074 * Entropy input management 1075 * 1076 *********************************************************************/ 1077 1078 /* There is one of these per entropy source */ 1079 struct timer_rand_state { 1080 cycles_t last_time; 1081 long last_delta, last_delta2; 1082 }; 1083 1084 #define INIT_TIMER_RAND_STATE { INITIAL_JIFFIES, }; 1085 1086 /* 1087 * Add device- or boot-specific data to the input pool to help 1088 * initialize it. 1089 * 1090 * None of this adds any entropy; it is meant to avoid the problem of 1091 * the entropy pool having similar initial state across largely 1092 * identical devices. 1093 */ 1094 void add_device_randomness(const void *buf, unsigned int size) 1095 { 1096 unsigned long time = random_get_entropy() ^ jiffies; 1097 unsigned long flags; 1098 1099 if (!crng_ready() && size) 1100 crng_slow_load(buf, size); 1101 1102 trace_add_device_randomness(size, _RET_IP_); 1103 spin_lock_irqsave(&input_pool.lock, flags); 1104 _mix_pool_bytes(buf, size); 1105 _mix_pool_bytes(&time, sizeof(time)); 1106 spin_unlock_irqrestore(&input_pool.lock, flags); 1107 } 1108 EXPORT_SYMBOL(add_device_randomness); 1109 1110 static struct timer_rand_state input_timer_state = INIT_TIMER_RAND_STATE; 1111 1112 /* 1113 * This function adds entropy to the entropy "pool" by using timing 1114 * delays. It uses the timer_rand_state structure to make an estimate 1115 * of how many bits of entropy this call has added to the pool. 1116 * 1117 * The number "num" is also added to the pool - it should somehow describe 1118 * the type of event which just happened. This is currently 0-255 for 1119 * keyboard scan codes, and 256 upwards for interrupts. 1120 * 1121 */ 1122 static void add_timer_randomness(struct timer_rand_state *state, unsigned num) 1123 { 1124 struct { 1125 long jiffies; 1126 unsigned int cycles; 1127 unsigned int num; 1128 } sample; 1129 long delta, delta2, delta3; 1130 1131 sample.jiffies = jiffies; 1132 sample.cycles = random_get_entropy(); 1133 sample.num = num; 1134 mix_pool_bytes(&sample, sizeof(sample)); 1135 1136 /* 1137 * Calculate number of bits of randomness we probably added. 1138 * We take into account the first, second and third-order deltas 1139 * in order to make our estimate. 1140 */ 1141 delta = sample.jiffies - READ_ONCE(state->last_time); 1142 WRITE_ONCE(state->last_time, sample.jiffies); 1143 1144 delta2 = delta - READ_ONCE(state->last_delta); 1145 WRITE_ONCE(state->last_delta, delta); 1146 1147 delta3 = delta2 - READ_ONCE(state->last_delta2); 1148 WRITE_ONCE(state->last_delta2, delta2); 1149 1150 if (delta < 0) 1151 delta = -delta; 1152 if (delta2 < 0) 1153 delta2 = -delta2; 1154 if (delta3 < 0) 1155 delta3 = -delta3; 1156 if (delta > delta2) 1157 delta = delta2; 1158 if (delta > delta3) 1159 delta = delta3; 1160 1161 /* 1162 * delta is now minimum absolute delta. 1163 * Round down by 1 bit on general principles, 1164 * and limit entropy estimate to 12 bits. 1165 */ 1166 credit_entropy_bits(min_t(int, fls(delta >> 1), 11)); 1167 } 1168 1169 void add_input_randomness(unsigned int type, unsigned int code, 1170 unsigned int value) 1171 { 1172 static unsigned char last_value; 1173 1174 /* ignore autorepeat and the like */ 1175 if (value == last_value) 1176 return; 1177 1178 last_value = value; 1179 add_timer_randomness(&input_timer_state, 1180 (type << 4) ^ code ^ (code >> 4) ^ value); 1181 trace_add_input_randomness(POOL_ENTROPY_BITS()); 1182 } 1183 EXPORT_SYMBOL_GPL(add_input_randomness); 1184 1185 static DEFINE_PER_CPU(struct fast_pool, irq_randomness); 1186 1187 #ifdef ADD_INTERRUPT_BENCH 1188 static unsigned long avg_cycles, avg_deviation; 1189 1190 #define AVG_SHIFT 8 /* Exponential average factor k=1/256 */ 1191 #define FIXED_1_2 (1 << (AVG_SHIFT - 1)) 1192 1193 static void add_interrupt_bench(cycles_t start) 1194 { 1195 long delta = random_get_entropy() - start; 1196 1197 /* Use a weighted moving average */ 1198 delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT); 1199 avg_cycles += delta; 1200 /* And average deviation */ 1201 delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT); 1202 avg_deviation += delta; 1203 } 1204 #else 1205 #define add_interrupt_bench(x) 1206 #endif 1207 1208 static u32 get_reg(struct fast_pool *f, struct pt_regs *regs) 1209 { 1210 u32 *ptr = (u32 *)regs; 1211 unsigned int idx; 1212 1213 if (regs == NULL) 1214 return 0; 1215 idx = READ_ONCE(f->reg_idx); 1216 if (idx >= sizeof(struct pt_regs) / sizeof(u32)) 1217 idx = 0; 1218 ptr += idx++; 1219 WRITE_ONCE(f->reg_idx, idx); 1220 return *ptr; 1221 } 1222 1223 void add_interrupt_randomness(int irq) 1224 { 1225 struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness); 1226 struct pt_regs *regs = get_irq_regs(); 1227 unsigned long now = jiffies; 1228 cycles_t cycles = random_get_entropy(); 1229 u32 c_high, j_high; 1230 u64 ip; 1231 1232 if (cycles == 0) 1233 cycles = get_reg(fast_pool, regs); 1234 c_high = (sizeof(cycles) > 4) ? cycles >> 32 : 0; 1235 j_high = (sizeof(now) > 4) ? now >> 32 : 0; 1236 fast_pool->pool[0] ^= cycles ^ j_high ^ irq; 1237 fast_pool->pool[1] ^= now ^ c_high; 1238 ip = regs ? instruction_pointer(regs) : _RET_IP_; 1239 fast_pool->pool[2] ^= ip; 1240 fast_pool->pool[3] ^= 1241 (sizeof(ip) > 4) ? ip >> 32 : get_reg(fast_pool, regs); 1242 1243 fast_mix(fast_pool); 1244 add_interrupt_bench(cycles); 1245 1246 if (unlikely(crng_init == 0)) { 1247 if ((fast_pool->count >= 64) && 1248 crng_fast_load((u8 *)fast_pool->pool, sizeof(fast_pool->pool)) > 0) { 1249 fast_pool->count = 0; 1250 fast_pool->last = now; 1251 } 1252 return; 1253 } 1254 1255 if ((fast_pool->count < 64) && !time_after(now, fast_pool->last + HZ)) 1256 return; 1257 1258 if (!spin_trylock(&input_pool.lock)) 1259 return; 1260 1261 fast_pool->last = now; 1262 __mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool)); 1263 spin_unlock(&input_pool.lock); 1264 1265 fast_pool->count = 0; 1266 1267 /* award one bit for the contents of the fast pool */ 1268 credit_entropy_bits(1); 1269 } 1270 EXPORT_SYMBOL_GPL(add_interrupt_randomness); 1271 1272 #ifdef CONFIG_BLOCK 1273 void add_disk_randomness(struct gendisk *disk) 1274 { 1275 if (!disk || !disk->random) 1276 return; 1277 /* first major is 1, so we get >= 0x200 here */ 1278 add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); 1279 trace_add_disk_randomness(disk_devt(disk), POOL_ENTROPY_BITS()); 1280 } 1281 EXPORT_SYMBOL_GPL(add_disk_randomness); 1282 #endif 1283 1284 /********************************************************************* 1285 * 1286 * Entropy extraction routines 1287 * 1288 *********************************************************************/ 1289 1290 /* 1291 * This function decides how many bytes to actually take from the 1292 * given pool, and also debits the entropy count accordingly. 1293 */ 1294 static size_t account(size_t nbytes, int min) 1295 { 1296 int entropy_count, orig; 1297 size_t ibytes, nfrac; 1298 1299 BUG_ON(input_pool.entropy_count > POOL_FRACBITS); 1300 1301 /* Can we pull enough? */ 1302 retry: 1303 entropy_count = orig = READ_ONCE(input_pool.entropy_count); 1304 if (WARN_ON(entropy_count < 0)) { 1305 pr_warn("negative entropy count: count %d\n", entropy_count); 1306 entropy_count = 0; 1307 } 1308 1309 /* never pull more than available */ 1310 ibytes = min_t(size_t, nbytes, entropy_count >> (POOL_ENTROPY_SHIFT + 3)); 1311 if (ibytes < min) 1312 ibytes = 0; 1313 nfrac = ibytes << (POOL_ENTROPY_SHIFT + 3); 1314 if ((size_t)entropy_count > nfrac) 1315 entropy_count -= nfrac; 1316 else 1317 entropy_count = 0; 1318 1319 if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig) 1320 goto retry; 1321 1322 trace_debit_entropy(8 * ibytes); 1323 if (ibytes && POOL_ENTROPY_BITS() < random_write_wakeup_bits) { 1324 wake_up_interruptible(&random_write_wait); 1325 kill_fasync(&fasync, SIGIO, POLL_OUT); 1326 } 1327 1328 return ibytes; 1329 } 1330 1331 /* 1332 * This function does the actual extraction for extract_entropy. 1333 * 1334 * Note: we assume that .poolwords is a multiple of 16 words. 1335 */ 1336 static void extract_buf(u8 *out) 1337 { 1338 struct blake2s_state state __aligned(__alignof__(unsigned long)); 1339 u8 hash[BLAKE2S_HASH_SIZE]; 1340 unsigned long *salt; 1341 unsigned long flags; 1342 1343 blake2s_init(&state, sizeof(hash)); 1344 1345 /* 1346 * If we have an architectural hardware random number 1347 * generator, use it for BLAKE2's salt & personal fields. 1348 */ 1349 for (salt = (unsigned long *)&state.h[4]; 1350 salt < (unsigned long *)&state.h[8]; ++salt) { 1351 unsigned long v; 1352 if (!arch_get_random_long(&v)) 1353 break; 1354 *salt ^= v; 1355 } 1356 1357 /* Generate a hash across the pool */ 1358 spin_lock_irqsave(&input_pool.lock, flags); 1359 blake2s_update(&state, (const u8 *)input_pool_data, POOL_BYTES); 1360 blake2s_final(&state, hash); /* final zeros out state */ 1361 1362 /* 1363 * We mix the hash back into the pool to prevent backtracking 1364 * attacks (where the attacker knows the state of the pool 1365 * plus the current outputs, and attempts to find previous 1366 * outputs), unless the hash function can be inverted. By 1367 * mixing at least a hash worth of hash data back, we make 1368 * brute-forcing the feedback as hard as brute-forcing the 1369 * hash. 1370 */ 1371 __mix_pool_bytes(hash, sizeof(hash)); 1372 spin_unlock_irqrestore(&input_pool.lock, flags); 1373 1374 /* Note that EXTRACT_SIZE is half of hash size here, because above 1375 * we've dumped the full length back into mixer. By reducing the 1376 * amount that we emit, we retain a level of forward secrecy. 1377 */ 1378 memcpy(out, hash, EXTRACT_SIZE); 1379 memzero_explicit(hash, sizeof(hash)); 1380 } 1381 1382 static ssize_t _extract_entropy(void *buf, size_t nbytes) 1383 { 1384 ssize_t ret = 0, i; 1385 u8 tmp[EXTRACT_SIZE]; 1386 1387 while (nbytes) { 1388 extract_buf(tmp); 1389 i = min_t(int, nbytes, EXTRACT_SIZE); 1390 memcpy(buf, tmp, i); 1391 nbytes -= i; 1392 buf += i; 1393 ret += i; 1394 } 1395 1396 /* Wipe data just returned from memory */ 1397 memzero_explicit(tmp, sizeof(tmp)); 1398 1399 return ret; 1400 } 1401 1402 /* 1403 * This function extracts randomness from the "entropy pool", and 1404 * returns it in a buffer. 1405 * 1406 * The min parameter specifies the minimum amount we can pull before 1407 * failing to avoid races that defeat catastrophic reseeding. 1408 */ 1409 static ssize_t extract_entropy(void *buf, size_t nbytes, int min) 1410 { 1411 trace_extract_entropy(nbytes, POOL_ENTROPY_BITS(), _RET_IP_); 1412 nbytes = account(nbytes, min); 1413 return _extract_entropy(buf, nbytes); 1414 } 1415 1416 #define warn_unseeded_randomness(previous) \ 1417 _warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous)) 1418 1419 static void _warn_unseeded_randomness(const char *func_name, void *caller, void **previous) 1420 { 1421 #ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM 1422 const bool print_once = false; 1423 #else 1424 static bool print_once __read_mostly; 1425 #endif 1426 1427 if (print_once || crng_ready() || 1428 (previous && (caller == READ_ONCE(*previous)))) 1429 return; 1430 WRITE_ONCE(*previous, caller); 1431 #ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM 1432 print_once = true; 1433 #endif 1434 if (__ratelimit(&unseeded_warning)) 1435 printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n", 1436 func_name, caller, crng_init); 1437 } 1438 1439 /* 1440 * This function is the exported kernel interface. It returns some 1441 * number of good random numbers, suitable for key generation, seeding 1442 * TCP sequence numbers, etc. It does not rely on the hardware random 1443 * number generator. For random bytes direct from the hardware RNG 1444 * (when available), use get_random_bytes_arch(). In order to ensure 1445 * that the randomness provided by this function is okay, the function 1446 * wait_for_random_bytes() should be called and return 0 at least once 1447 * at any point prior. 1448 */ 1449 static void _get_random_bytes(void *buf, int nbytes) 1450 { 1451 u8 tmp[CHACHA_BLOCK_SIZE] __aligned(4); 1452 1453 trace_get_random_bytes(nbytes, _RET_IP_); 1454 1455 while (nbytes >= CHACHA_BLOCK_SIZE) { 1456 extract_crng(buf); 1457 buf += CHACHA_BLOCK_SIZE; 1458 nbytes -= CHACHA_BLOCK_SIZE; 1459 } 1460 1461 if (nbytes > 0) { 1462 extract_crng(tmp); 1463 memcpy(buf, tmp, nbytes); 1464 crng_backtrack_protect(tmp, nbytes); 1465 } else 1466 crng_backtrack_protect(tmp, CHACHA_BLOCK_SIZE); 1467 memzero_explicit(tmp, sizeof(tmp)); 1468 } 1469 1470 void get_random_bytes(void *buf, int nbytes) 1471 { 1472 static void *previous; 1473 1474 warn_unseeded_randomness(&previous); 1475 _get_random_bytes(buf, nbytes); 1476 } 1477 EXPORT_SYMBOL(get_random_bytes); 1478 1479 /* 1480 * Each time the timer fires, we expect that we got an unpredictable 1481 * jump in the cycle counter. Even if the timer is running on another 1482 * CPU, the timer activity will be touching the stack of the CPU that is 1483 * generating entropy.. 1484 * 1485 * Note that we don't re-arm the timer in the timer itself - we are 1486 * happy to be scheduled away, since that just makes the load more 1487 * complex, but we do not want the timer to keep ticking unless the 1488 * entropy loop is running. 1489 * 1490 * So the re-arming always happens in the entropy loop itself. 1491 */ 1492 static void entropy_timer(struct timer_list *t) 1493 { 1494 credit_entropy_bits(1); 1495 } 1496 1497 /* 1498 * If we have an actual cycle counter, see if we can 1499 * generate enough entropy with timing noise 1500 */ 1501 static void try_to_generate_entropy(void) 1502 { 1503 struct { 1504 unsigned long now; 1505 struct timer_list timer; 1506 } stack; 1507 1508 stack.now = random_get_entropy(); 1509 1510 /* Slow counter - or none. Don't even bother */ 1511 if (stack.now == random_get_entropy()) 1512 return; 1513 1514 timer_setup_on_stack(&stack.timer, entropy_timer, 0); 1515 while (!crng_ready()) { 1516 if (!timer_pending(&stack.timer)) 1517 mod_timer(&stack.timer, jiffies + 1); 1518 mix_pool_bytes(&stack.now, sizeof(stack.now)); 1519 schedule(); 1520 stack.now = random_get_entropy(); 1521 } 1522 1523 del_timer_sync(&stack.timer); 1524 destroy_timer_on_stack(&stack.timer); 1525 mix_pool_bytes(&stack.now, sizeof(stack.now)); 1526 } 1527 1528 /* 1529 * Wait for the urandom pool to be seeded and thus guaranteed to supply 1530 * cryptographically secure random numbers. This applies to: the /dev/urandom 1531 * device, the get_random_bytes function, and the get_random_{u32,u64,int,long} 1532 * family of functions. Using any of these functions without first calling 1533 * this function forfeits the guarantee of security. 1534 * 1535 * Returns: 0 if the urandom pool has been seeded. 1536 * -ERESTARTSYS if the function was interrupted by a signal. 1537 */ 1538 int wait_for_random_bytes(void) 1539 { 1540 if (likely(crng_ready())) 1541 return 0; 1542 1543 do { 1544 int ret; 1545 ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ); 1546 if (ret) 1547 return ret > 0 ? 0 : ret; 1548 1549 try_to_generate_entropy(); 1550 } while (!crng_ready()); 1551 1552 return 0; 1553 } 1554 EXPORT_SYMBOL(wait_for_random_bytes); 1555 1556 /* 1557 * Returns whether or not the urandom pool has been seeded and thus guaranteed 1558 * to supply cryptographically secure random numbers. This applies to: the 1559 * /dev/urandom device, the get_random_bytes function, and the get_random_{u32, 1560 * ,u64,int,long} family of functions. 1561 * 1562 * Returns: true if the urandom pool has been seeded. 1563 * false if the urandom pool has not been seeded. 1564 */ 1565 bool rng_is_initialized(void) 1566 { 1567 return crng_ready(); 1568 } 1569 EXPORT_SYMBOL(rng_is_initialized); 1570 1571 /* 1572 * Add a callback function that will be invoked when the nonblocking 1573 * pool is initialised. 1574 * 1575 * returns: 0 if callback is successfully added 1576 * -EALREADY if pool is already initialised (callback not called) 1577 * -ENOENT if module for callback is not alive 1578 */ 1579 int add_random_ready_callback(struct random_ready_callback *rdy) 1580 { 1581 struct module *owner; 1582 unsigned long flags; 1583 int err = -EALREADY; 1584 1585 if (crng_ready()) 1586 return err; 1587 1588 owner = rdy->owner; 1589 if (!try_module_get(owner)) 1590 return -ENOENT; 1591 1592 spin_lock_irqsave(&random_ready_list_lock, flags); 1593 if (crng_ready()) 1594 goto out; 1595 1596 owner = NULL; 1597 1598 list_add(&rdy->list, &random_ready_list); 1599 err = 0; 1600 1601 out: 1602 spin_unlock_irqrestore(&random_ready_list_lock, flags); 1603 1604 module_put(owner); 1605 1606 return err; 1607 } 1608 EXPORT_SYMBOL(add_random_ready_callback); 1609 1610 /* 1611 * Delete a previously registered readiness callback function. 1612 */ 1613 void del_random_ready_callback(struct random_ready_callback *rdy) 1614 { 1615 unsigned long flags; 1616 struct module *owner = NULL; 1617 1618 spin_lock_irqsave(&random_ready_list_lock, flags); 1619 if (!list_empty(&rdy->list)) { 1620 list_del_init(&rdy->list); 1621 owner = rdy->owner; 1622 } 1623 spin_unlock_irqrestore(&random_ready_list_lock, flags); 1624 1625 module_put(owner); 1626 } 1627 EXPORT_SYMBOL(del_random_ready_callback); 1628 1629 /* 1630 * This function will use the architecture-specific hardware random 1631 * number generator if it is available. The arch-specific hw RNG will 1632 * almost certainly be faster than what we can do in software, but it 1633 * is impossible to verify that it is implemented securely (as 1634 * opposed, to, say, the AES encryption of a sequence number using a 1635 * key known by the NSA). So it's useful if we need the speed, but 1636 * only if we're willing to trust the hardware manufacturer not to 1637 * have put in a back door. 1638 * 1639 * Return number of bytes filled in. 1640 */ 1641 int __must_check get_random_bytes_arch(void *buf, int nbytes) 1642 { 1643 int left = nbytes; 1644 u8 *p = buf; 1645 1646 trace_get_random_bytes_arch(left, _RET_IP_); 1647 while (left) { 1648 unsigned long v; 1649 int chunk = min_t(int, left, sizeof(unsigned long)); 1650 1651 if (!arch_get_random_long(&v)) 1652 break; 1653 1654 memcpy(p, &v, chunk); 1655 p += chunk; 1656 left -= chunk; 1657 } 1658 1659 return nbytes - left; 1660 } 1661 EXPORT_SYMBOL(get_random_bytes_arch); 1662 1663 /* 1664 * init_std_data - initialize pool with system data 1665 * 1666 * This function clears the pool's entropy count and mixes some system 1667 * data into the pool to prepare it for use. The pool is not cleared 1668 * as that can only decrease the entropy in the pool. 1669 */ 1670 static void __init init_std_data(void) 1671 { 1672 int i; 1673 ktime_t now = ktime_get_real(); 1674 unsigned long rv; 1675 1676 mix_pool_bytes(&now, sizeof(now)); 1677 for (i = POOL_BYTES; i > 0; i -= sizeof(rv)) { 1678 if (!arch_get_random_seed_long(&rv) && 1679 !arch_get_random_long(&rv)) 1680 rv = random_get_entropy(); 1681 mix_pool_bytes(&rv, sizeof(rv)); 1682 } 1683 mix_pool_bytes(utsname(), sizeof(*(utsname()))); 1684 } 1685 1686 /* 1687 * Note that setup_arch() may call add_device_randomness() 1688 * long before we get here. This allows seeding of the pools 1689 * with some platform dependent data very early in the boot 1690 * process. But it limits our options here. We must use 1691 * statically allocated structures that already have all 1692 * initializations complete at compile time. We should also 1693 * take care not to overwrite the precious per platform data 1694 * we were given. 1695 */ 1696 int __init rand_initialize(void) 1697 { 1698 init_std_data(); 1699 if (crng_need_final_init) 1700 crng_finalize_init(&primary_crng); 1701 crng_initialize_primary(&primary_crng); 1702 crng_global_init_time = jiffies; 1703 if (ratelimit_disable) { 1704 urandom_warning.interval = 0; 1705 unseeded_warning.interval = 0; 1706 } 1707 return 0; 1708 } 1709 1710 #ifdef CONFIG_BLOCK 1711 void rand_initialize_disk(struct gendisk *disk) 1712 { 1713 struct timer_rand_state *state; 1714 1715 /* 1716 * If kzalloc returns null, we just won't use that entropy 1717 * source. 1718 */ 1719 state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL); 1720 if (state) { 1721 state->last_time = INITIAL_JIFFIES; 1722 disk->random = state; 1723 } 1724 } 1725 #endif 1726 1727 static ssize_t urandom_read_nowarn(struct file *file, char __user *buf, 1728 size_t nbytes, loff_t *ppos) 1729 { 1730 int ret; 1731 1732 nbytes = min_t(size_t, nbytes, INT_MAX >> (POOL_ENTROPY_SHIFT + 3)); 1733 ret = extract_crng_user(buf, nbytes); 1734 trace_urandom_read(8 * nbytes, 0, POOL_ENTROPY_BITS()); 1735 return ret; 1736 } 1737 1738 static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes, 1739 loff_t *ppos) 1740 { 1741 static int maxwarn = 10; 1742 1743 if (!crng_ready() && maxwarn > 0) { 1744 maxwarn--; 1745 if (__ratelimit(&urandom_warning)) 1746 pr_notice("%s: uninitialized urandom read (%zd bytes read)\n", 1747 current->comm, nbytes); 1748 } 1749 1750 return urandom_read_nowarn(file, buf, nbytes, ppos); 1751 } 1752 1753 static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes, 1754 loff_t *ppos) 1755 { 1756 int ret; 1757 1758 ret = wait_for_random_bytes(); 1759 if (ret != 0) 1760 return ret; 1761 return urandom_read_nowarn(file, buf, nbytes, ppos); 1762 } 1763 1764 static __poll_t random_poll(struct file *file, poll_table *wait) 1765 { 1766 __poll_t mask; 1767 1768 poll_wait(file, &crng_init_wait, wait); 1769 poll_wait(file, &random_write_wait, wait); 1770 mask = 0; 1771 if (crng_ready()) 1772 mask |= EPOLLIN | EPOLLRDNORM; 1773 if (POOL_ENTROPY_BITS() < random_write_wakeup_bits) 1774 mask |= EPOLLOUT | EPOLLWRNORM; 1775 return mask; 1776 } 1777 1778 static int write_pool(const char __user *buffer, size_t count) 1779 { 1780 size_t bytes; 1781 u32 t, buf[16]; 1782 const char __user *p = buffer; 1783 1784 while (count > 0) { 1785 int b, i = 0; 1786 1787 bytes = min(count, sizeof(buf)); 1788 if (copy_from_user(&buf, p, bytes)) 1789 return -EFAULT; 1790 1791 for (b = bytes; b > 0; b -= sizeof(u32), i++) { 1792 if (!arch_get_random_int(&t)) 1793 break; 1794 buf[i] ^= t; 1795 } 1796 1797 count -= bytes; 1798 p += bytes; 1799 1800 mix_pool_bytes(buf, bytes); 1801 cond_resched(); 1802 } 1803 1804 return 0; 1805 } 1806 1807 static ssize_t random_write(struct file *file, const char __user *buffer, 1808 size_t count, loff_t *ppos) 1809 { 1810 size_t ret; 1811 1812 ret = write_pool(buffer, count); 1813 if (ret) 1814 return ret; 1815 1816 return (ssize_t)count; 1817 } 1818 1819 static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) 1820 { 1821 int size, ent_count; 1822 int __user *p = (int __user *)arg; 1823 int retval; 1824 1825 switch (cmd) { 1826 case RNDGETENTCNT: 1827 /* inherently racy, no point locking */ 1828 ent_count = POOL_ENTROPY_BITS(); 1829 if (put_user(ent_count, p)) 1830 return -EFAULT; 1831 return 0; 1832 case RNDADDTOENTCNT: 1833 if (!capable(CAP_SYS_ADMIN)) 1834 return -EPERM; 1835 if (get_user(ent_count, p)) 1836 return -EFAULT; 1837 return credit_entropy_bits_safe(ent_count); 1838 case RNDADDENTROPY: 1839 if (!capable(CAP_SYS_ADMIN)) 1840 return -EPERM; 1841 if (get_user(ent_count, p++)) 1842 return -EFAULT; 1843 if (ent_count < 0) 1844 return -EINVAL; 1845 if (get_user(size, p++)) 1846 return -EFAULT; 1847 retval = write_pool((const char __user *)p, size); 1848 if (retval < 0) 1849 return retval; 1850 return credit_entropy_bits_safe(ent_count); 1851 case RNDZAPENTCNT: 1852 case RNDCLEARPOOL: 1853 /* 1854 * Clear the entropy pool counters. We no longer clear 1855 * the entropy pool, as that's silly. 1856 */ 1857 if (!capable(CAP_SYS_ADMIN)) 1858 return -EPERM; 1859 input_pool.entropy_count = 0; 1860 return 0; 1861 case RNDRESEEDCRNG: 1862 if (!capable(CAP_SYS_ADMIN)) 1863 return -EPERM; 1864 if (crng_init < 2) 1865 return -ENODATA; 1866 crng_reseed(&primary_crng, true); 1867 WRITE_ONCE(crng_global_init_time, jiffies - 1); 1868 return 0; 1869 default: 1870 return -EINVAL; 1871 } 1872 } 1873 1874 static int random_fasync(int fd, struct file *filp, int on) 1875 { 1876 return fasync_helper(fd, filp, on, &fasync); 1877 } 1878 1879 const struct file_operations random_fops = { 1880 .read = random_read, 1881 .write = random_write, 1882 .poll = random_poll, 1883 .unlocked_ioctl = random_ioctl, 1884 .compat_ioctl = compat_ptr_ioctl, 1885 .fasync = random_fasync, 1886 .llseek = noop_llseek, 1887 }; 1888 1889 const struct file_operations urandom_fops = { 1890 .read = urandom_read, 1891 .write = random_write, 1892 .unlocked_ioctl = random_ioctl, 1893 .compat_ioctl = compat_ptr_ioctl, 1894 .fasync = random_fasync, 1895 .llseek = noop_llseek, 1896 }; 1897 1898 SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int, 1899 flags) 1900 { 1901 int ret; 1902 1903 if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)) 1904 return -EINVAL; 1905 1906 /* 1907 * Requesting insecure and blocking randomness at the same time makes 1908 * no sense. 1909 */ 1910 if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM)) 1911 return -EINVAL; 1912 1913 if (count > INT_MAX) 1914 count = INT_MAX; 1915 1916 if (!(flags & GRND_INSECURE) && !crng_ready()) { 1917 if (flags & GRND_NONBLOCK) 1918 return -EAGAIN; 1919 ret = wait_for_random_bytes(); 1920 if (unlikely(ret)) 1921 return ret; 1922 } 1923 return urandom_read_nowarn(NULL, buf, count, NULL); 1924 } 1925 1926 /******************************************************************** 1927 * 1928 * Sysctl interface 1929 * 1930 ********************************************************************/ 1931 1932 #ifdef CONFIG_SYSCTL 1933 1934 #include <linux/sysctl.h> 1935 1936 static int min_write_thresh; 1937 static int max_write_thresh = POOL_BITS; 1938 static int random_min_urandom_seed = 60; 1939 static char sysctl_bootid[16]; 1940 1941 /* 1942 * This function is used to return both the bootid UUID, and random 1943 * UUID. The difference is in whether table->data is NULL; if it is, 1944 * then a new UUID is generated and returned to the user. 1945 * 1946 * If the user accesses this via the proc interface, the UUID will be 1947 * returned as an ASCII string in the standard UUID format; if via the 1948 * sysctl system call, as 16 bytes of binary data. 1949 */ 1950 static int proc_do_uuid(struct ctl_table *table, int write, void *buffer, 1951 size_t *lenp, loff_t *ppos) 1952 { 1953 struct ctl_table fake_table; 1954 unsigned char buf[64], tmp_uuid[16], *uuid; 1955 1956 uuid = table->data; 1957 if (!uuid) { 1958 uuid = tmp_uuid; 1959 generate_random_uuid(uuid); 1960 } else { 1961 static DEFINE_SPINLOCK(bootid_spinlock); 1962 1963 spin_lock(&bootid_spinlock); 1964 if (!uuid[8]) 1965 generate_random_uuid(uuid); 1966 spin_unlock(&bootid_spinlock); 1967 } 1968 1969 sprintf(buf, "%pU", uuid); 1970 1971 fake_table.data = buf; 1972 fake_table.maxlen = sizeof(buf); 1973 1974 return proc_dostring(&fake_table, write, buffer, lenp, ppos); 1975 } 1976 1977 /* 1978 * Return entropy available scaled to integral bits 1979 */ 1980 static int proc_do_entropy(struct ctl_table *table, int write, void *buffer, 1981 size_t *lenp, loff_t *ppos) 1982 { 1983 struct ctl_table fake_table; 1984 int entropy_count; 1985 1986 entropy_count = *(int *)table->data >> POOL_ENTROPY_SHIFT; 1987 1988 fake_table.data = &entropy_count; 1989 fake_table.maxlen = sizeof(entropy_count); 1990 1991 return proc_dointvec(&fake_table, write, buffer, lenp, ppos); 1992 } 1993 1994 static int sysctl_poolsize = POOL_BITS; 1995 static struct ctl_table random_table[] = { 1996 { 1997 .procname = "poolsize", 1998 .data = &sysctl_poolsize, 1999 .maxlen = sizeof(int), 2000 .mode = 0444, 2001 .proc_handler = proc_dointvec, 2002 }, 2003 { 2004 .procname = "entropy_avail", 2005 .maxlen = sizeof(int), 2006 .mode = 0444, 2007 .proc_handler = proc_do_entropy, 2008 .data = &input_pool.entropy_count, 2009 }, 2010 { 2011 .procname = "write_wakeup_threshold", 2012 .data = &random_write_wakeup_bits, 2013 .maxlen = sizeof(int), 2014 .mode = 0644, 2015 .proc_handler = proc_dointvec_minmax, 2016 .extra1 = &min_write_thresh, 2017 .extra2 = &max_write_thresh, 2018 }, 2019 { 2020 .procname = "urandom_min_reseed_secs", 2021 .data = &random_min_urandom_seed, 2022 .maxlen = sizeof(int), 2023 .mode = 0644, 2024 .proc_handler = proc_dointvec, 2025 }, 2026 { 2027 .procname = "boot_id", 2028 .data = &sysctl_bootid, 2029 .maxlen = 16, 2030 .mode = 0444, 2031 .proc_handler = proc_do_uuid, 2032 }, 2033 { 2034 .procname = "uuid", 2035 .maxlen = 16, 2036 .mode = 0444, 2037 .proc_handler = proc_do_uuid, 2038 }, 2039 #ifdef ADD_INTERRUPT_BENCH 2040 { 2041 .procname = "add_interrupt_avg_cycles", 2042 .data = &avg_cycles, 2043 .maxlen = sizeof(avg_cycles), 2044 .mode = 0444, 2045 .proc_handler = proc_doulongvec_minmax, 2046 }, 2047 { 2048 .procname = "add_interrupt_avg_deviation", 2049 .data = &avg_deviation, 2050 .maxlen = sizeof(avg_deviation), 2051 .mode = 0444, 2052 .proc_handler = proc_doulongvec_minmax, 2053 }, 2054 #endif 2055 { } 2056 }; 2057 2058 /* 2059 * rand_initialize() is called before sysctl_init(), 2060 * so we cannot call register_sysctl_init() in rand_initialize() 2061 */ 2062 static int __init random_sysctls_init(void) 2063 { 2064 register_sysctl_init("kernel/random", random_table); 2065 return 0; 2066 } 2067 device_initcall(random_sysctls_init); 2068 #endif /* CONFIG_SYSCTL */ 2069 2070 struct batched_entropy { 2071 union { 2072 u64 entropy_u64[CHACHA_BLOCK_SIZE / sizeof(u64)]; 2073 u32 entropy_u32[CHACHA_BLOCK_SIZE / sizeof(u32)]; 2074 }; 2075 unsigned int position; 2076 spinlock_t batch_lock; 2077 }; 2078 2079 /* 2080 * Get a random word for internal kernel use only. The quality of the random 2081 * number is good as /dev/urandom, but there is no backtrack protection, with 2082 * the goal of being quite fast and not depleting entropy. In order to ensure 2083 * that the randomness provided by this function is okay, the function 2084 * wait_for_random_bytes() should be called and return 0 at least once at any 2085 * point prior. 2086 */ 2087 static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = { 2088 .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock), 2089 }; 2090 2091 u64 get_random_u64(void) 2092 { 2093 u64 ret; 2094 unsigned long flags; 2095 struct batched_entropy *batch; 2096 static void *previous; 2097 2098 warn_unseeded_randomness(&previous); 2099 2100 batch = raw_cpu_ptr(&batched_entropy_u64); 2101 spin_lock_irqsave(&batch->batch_lock, flags); 2102 if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) { 2103 extract_crng((u8 *)batch->entropy_u64); 2104 batch->position = 0; 2105 } 2106 ret = batch->entropy_u64[batch->position++]; 2107 spin_unlock_irqrestore(&batch->batch_lock, flags); 2108 return ret; 2109 } 2110 EXPORT_SYMBOL(get_random_u64); 2111 2112 static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = { 2113 .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock), 2114 }; 2115 u32 get_random_u32(void) 2116 { 2117 u32 ret; 2118 unsigned long flags; 2119 struct batched_entropy *batch; 2120 static void *previous; 2121 2122 warn_unseeded_randomness(&previous); 2123 2124 batch = raw_cpu_ptr(&batched_entropy_u32); 2125 spin_lock_irqsave(&batch->batch_lock, flags); 2126 if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) { 2127 extract_crng((u8 *)batch->entropy_u32); 2128 batch->position = 0; 2129 } 2130 ret = batch->entropy_u32[batch->position++]; 2131 spin_unlock_irqrestore(&batch->batch_lock, flags); 2132 return ret; 2133 } 2134 EXPORT_SYMBOL(get_random_u32); 2135 2136 /* It's important to invalidate all potential batched entropy that might 2137 * be stored before the crng is initialized, which we can do lazily by 2138 * simply resetting the counter to zero so that it's re-extracted on the 2139 * next usage. */ 2140 static void invalidate_batched_entropy(void) 2141 { 2142 int cpu; 2143 unsigned long flags; 2144 2145 for_each_possible_cpu(cpu) { 2146 struct batched_entropy *batched_entropy; 2147 2148 batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu); 2149 spin_lock_irqsave(&batched_entropy->batch_lock, flags); 2150 batched_entropy->position = 0; 2151 spin_unlock(&batched_entropy->batch_lock); 2152 2153 batched_entropy = per_cpu_ptr(&batched_entropy_u64, cpu); 2154 spin_lock(&batched_entropy->batch_lock); 2155 batched_entropy->position = 0; 2156 spin_unlock_irqrestore(&batched_entropy->batch_lock, flags); 2157 } 2158 } 2159 2160 /** 2161 * randomize_page - Generate a random, page aligned address 2162 * @start: The smallest acceptable address the caller will take. 2163 * @range: The size of the area, starting at @start, within which the 2164 * random address must fall. 2165 * 2166 * If @start + @range would overflow, @range is capped. 2167 * 2168 * NOTE: Historical use of randomize_range, which this replaces, presumed that 2169 * @start was already page aligned. We now align it regardless. 2170 * 2171 * Return: A page aligned address within [start, start + range). On error, 2172 * @start is returned. 2173 */ 2174 unsigned long randomize_page(unsigned long start, unsigned long range) 2175 { 2176 if (!PAGE_ALIGNED(start)) { 2177 range -= PAGE_ALIGN(start) - start; 2178 start = PAGE_ALIGN(start); 2179 } 2180 2181 if (start > ULONG_MAX - range) 2182 range = ULONG_MAX - start; 2183 2184 range >>= PAGE_SHIFT; 2185 2186 if (range == 0) 2187 return start; 2188 2189 return start + (get_random_long() % range << PAGE_SHIFT); 2190 } 2191 2192 /* Interface for in-kernel drivers of true hardware RNGs. 2193 * Those devices may produce endless random bits and will be throttled 2194 * when our pool is full. 2195 */ 2196 void add_hwgenerator_randomness(const char *buffer, size_t count, 2197 size_t entropy) 2198 { 2199 if (unlikely(crng_init == 0)) { 2200 size_t ret = crng_fast_load(buffer, count); 2201 mix_pool_bytes(buffer, ret); 2202 count -= ret; 2203 buffer += ret; 2204 if (!count || crng_init == 0) 2205 return; 2206 } 2207 2208 /* Suspend writing if we're above the trickle threshold. 2209 * We'll be woken up again once below random_write_wakeup_thresh, 2210 * or when the calling thread is about to terminate. 2211 */ 2212 wait_event_interruptible(random_write_wait, 2213 !system_wq || kthread_should_stop() || 2214 POOL_ENTROPY_BITS() <= random_write_wakeup_bits); 2215 mix_pool_bytes(buffer, count); 2216 credit_entropy_bits(entropy); 2217 } 2218 EXPORT_SYMBOL_GPL(add_hwgenerator_randomness); 2219 2220 /* Handle random seed passed by bootloader. 2221 * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise 2222 * it would be regarded as device data. 2223 * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER. 2224 */ 2225 void add_bootloader_randomness(const void *buf, unsigned int size) 2226 { 2227 if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER)) 2228 add_hwgenerator_randomness(buf, size, size * 8); 2229 else 2230 add_device_randomness(buf, size); 2231 } 2232 EXPORT_SYMBOL_GPL(add_bootloader_randomness); 2233