s390/crypto/prng.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * Copyright IBM Corp. 2006, 2015
0004  * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
0005  *        Harald Freudenberger <freude@de.ibm.com>
0006  * Driver for the s390 pseudo random number generator
0007  */
0008
0009 #define KMSG_COMPONENT "prng"
0010 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
0011
0012 #include <linux/fs.h>
0013 #include <linux/fips.h>
0014 #include <linux/init.h>
0015 #include <linux/kernel.h>
0016 #include <linux/device.h>
0017 #include <linux/miscdevice.h>
0018 #include <linux/module.h>
0019 #include <linux/moduleparam.h>
0020 #include <linux/mutex.h>
0021 #include <linux/cpufeature.h>
0022 #include <linux/random.h>
0023 #include <linux/slab.h>
0024 #include <linux/sched/signal.h>
0025
0026 #include <asm/debug.h>
0027 #include <linux/uaccess.h>
0028 #include <asm/timex.h>
0029 #include <asm/cpacf.h>
0030
0031 MODULE_LICENSE("GPL");
0032 MODULE_AUTHOR("IBM Corporation");
0033 MODULE_DESCRIPTION("s390 PRNG interface");
0034
0035
0036 #define PRNG_MODE_AUTO    0
0037 #define PRNG_MODE_TDES    1
0038 #define PRNG_MODE_SHA512  2
0039
0040 static unsigned int prng_mode = PRNG_MODE_AUTO;
0041 module_param_named(mode, prng_mode, int, 0);
0042 MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512");
0043
0044
0045 #define PRNG_CHUNKSIZE_TDES_MIN   8
0046 #define PRNG_CHUNKSIZE_TDES_MAX   (64*1024)
0047 #define PRNG_CHUNKSIZE_SHA512_MIN 64
0048 #define PRNG_CHUNKSIZE_SHA512_MAX (64*1024)
0049
0050 static unsigned int prng_chunk_size = 256;
0051 module_param_named(chunksize, prng_chunk_size, int, 0);
0052 MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
0053
0054
0055 #define PRNG_RESEED_LIMIT_TDES       4096
0056 #define PRNG_RESEED_LIMIT_TDES_LOWER     4096
0057 #define PRNG_RESEED_LIMIT_SHA512       100000
0058 #define PRNG_RESEED_LIMIT_SHA512_LOWER  10000
0059
0060 static unsigned int prng_reseed_limit;
0061 module_param_named(reseed_limit, prng_reseed_limit, int, 0);
0062 MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit");
0063
0064 static bool trng_available;
0065
0066 /*
0067  * Any one who considers arithmetical methods of producing random digits is,
0068  * of course, in a state of sin. -- John von Neumann
0069  */
0070
0071 static int prng_errorflag;
0072
0073 #define PRNG_GEN_ENTROPY_FAILED  1
0074 #define PRNG_SELFTEST_FAILED     2
0075 #define PRNG_INSTANTIATE_FAILED  3
0076 #define PRNG_SEED_FAILED     4
0077 #define PRNG_RESEED_FAILED   5
0078 #define PRNG_GEN_FAILED      6
0079
0080 struct prng_ws_s {
0081     u8  parm_block[32];
0082     u32 reseed_counter;
0083     u64 byte_counter;
0084 };
0085
0086 struct prno_ws_s {
0087     u32 res;
0088     u32 reseed_counter;
0089     u64 stream_bytes;
0090     u8  V[112];
0091     u8  C[112];
0092 };
0093
0094 struct prng_data_s {
0095     struct mutex mutex;
0096     union {
0097         struct prng_ws_s prngws;
0098         struct prno_ws_s prnows;
0099     };
0100     u8 *buf;
0101     u32 rest;
0102     u8 *prev;
0103 };
0104
0105 static struct prng_data_s *prng_data;
0106
0107 /* initial parameter block for tdes mode, copied from libica */
0108 static const u8 initial_parm_block[32] __initconst = {
0109     0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52,
0110     0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4,
0111     0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF,
0112     0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0 };
0113
0114
0115 /*** helper functions ***/
0116
0117 /*
0118  * generate_entropy:
0119  * This function fills a given buffer with random bytes. The entropy within
0120  * the random bytes given back is assumed to have at least 50% - meaning
0121  * a 64 bytes buffer has at least 64 * 8 / 2 = 256 bits of entropy.
0122  * Within the function the entropy generation is done in junks of 64 bytes.
0123  * So the caller should also ask for buffer fill in multiples of 64 bytes.
0124  * The generation of the entropy is based on the assumption that every stckf()
0125  * invocation produces 0.5 bits of entropy. To accumulate 256 bits of entropy
0126  * at least 512 stckf() values are needed. The entropy relevant part of the
0127  * stckf value is bit 51 (counting starts at the left with bit nr 0) so
0128  * here we use the lower 4 bytes and exor the values into 2k of bufferspace.
0129  * To be on the save side, if there is ever a problem with stckf() the
0130  * other half of the page buffer is filled with bytes from urandom via
0131  * get_random_bytes(), so this function consumes 2k of urandom for each
0132  * requested 64 bytes output data. Finally the buffer page is condensed into
0133  * a 64 byte value by hashing with a SHA512 hash.
0134  */
0135 static int generate_entropy(u8 *ebuf, size_t nbytes)
0136 {
0137     int n, ret = 0;
0138     u8 *pg, pblock[80] = {
0139         /* 8 x 64 bit init values */
0140         0x6A, 0x09, 0xE6, 0x67, 0xF3, 0xBC, 0xC9, 0x08,
0141         0xBB, 0x67, 0xAE, 0x85, 0x84, 0xCA, 0xA7, 0x3B,
0142         0x3C, 0x6E, 0xF3, 0x72, 0xFE, 0x94, 0xF8, 0x2B,
0143         0xA5, 0x4F, 0xF5, 0x3A, 0x5F, 0x1D, 0x36, 0xF1,
0144         0x51, 0x0E, 0x52, 0x7F, 0xAD, 0xE6, 0x82, 0xD1,
0145         0x9B, 0x05, 0x68, 0x8C, 0x2B, 0x3E, 0x6C, 0x1F,
0146         0x1F, 0x83, 0xD9, 0xAB, 0xFB, 0x41, 0xBD, 0x6B,
0147         0x5B, 0xE0, 0xCD, 0x19, 0x13, 0x7E, 0x21, 0x79,
0148         /* 128 bit counter total message bit length */
0149         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0150         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 };
0151
0152     /* allocate one page stckf buffer */
0153     pg = (u8 *) __get_free_page(GFP_KERNEL);
0154     if (!pg) {
0155         prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
0156         return -ENOMEM;
0157     }
0158
0159     /* fill the ebuf in chunks of 64 byte each */
0160     while (nbytes) {
0161         /* fill lower 2k with urandom bytes */
0162         get_random_bytes(pg, PAGE_SIZE / 2);
0163         /* exor upper 2k with 512 stckf values, offset 4 bytes each */
0164         for (n = 0; n < 512; n++) {
0165             int offset = (PAGE_SIZE / 2) + (n * 4) - 4;
0166             u64 *p = (u64 *)(pg + offset);
0167             *p ^= get_tod_clock_fast();
0168         }
0169         /* hash over the filled page */
0170         cpacf_klmd(CPACF_KLMD_SHA_512, pblock, pg, PAGE_SIZE);
0171         n = (nbytes < 64) ? nbytes : 64;
0172         memcpy(ebuf, pblock, n);
0173         ret += n;
0174         ebuf += n;
0175         nbytes -= n;
0176     }
0177
0178     memzero_explicit(pblock, sizeof(pblock));
0179     memzero_explicit(pg, PAGE_SIZE);
0180     free_page((unsigned long)pg);
0181     return ret;
0182 }
0183
0184
0185 /*** tdes functions ***/
0186
0187 static void prng_tdes_add_entropy(void)
0188 {
0189     __u64 entropy[4];
0190     unsigned int i;
0191
0192     for (i = 0; i < 16; i++) {
0193         cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
0194               (char *) entropy, (char *) entropy,
0195               sizeof(entropy));
0196         memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy));
0197     }
0198 }
0199
0200
0201 static void prng_tdes_seed(int nbytes)
0202 {
0203     char buf[16];
0204     int i = 0;
0205
0206     BUG_ON(nbytes > sizeof(buf));
0207
0208     get_random_bytes(buf, nbytes);
0209
0210     /* Add the entropy */
0211     while (nbytes >= 8) {
0212         *((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i));
0213         prng_tdes_add_entropy();
0214         i += 8;
0215         nbytes -= 8;
0216     }
0217     prng_tdes_add_entropy();
0218     prng_data->prngws.reseed_counter = 0;
0219 }
0220
0221
0222 static int __init prng_tdes_instantiate(void)
0223 {
0224     int datalen;
0225
0226     pr_debug("prng runs in TDES mode with "
0227          "chunksize=%d and reseed_limit=%u\n",
0228          prng_chunk_size, prng_reseed_limit);
0229
0230     /* memory allocation, prng_data struct init, mutex init */
0231     datalen = sizeof(struct prng_data_s) + prng_chunk_size;
0232     prng_data = kzalloc(datalen, GFP_KERNEL);
0233     if (!prng_data) {
0234         prng_errorflag = PRNG_INSTANTIATE_FAILED;
0235         return -ENOMEM;
0236     }
0237     mutex_init(&prng_data->mutex);
0238     prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
0239     memcpy(prng_data->prngws.parm_block, initial_parm_block, 32);
0240
0241     /* initialize the PRNG, add 128 bits of entropy */
0242     prng_tdes_seed(16);
0243
0244     return 0;
0245 }
0246
0247
0248 static void prng_tdes_deinstantiate(void)
0249 {
0250     pr_debug("The prng module stopped "
0251          "after running in triple DES mode\n");
0252     kfree_sensitive(prng_data);
0253 }
0254
0255
0256 /*** sha512 functions ***/
0257
0258 static int __init prng_sha512_selftest(void)
0259 {
0260     /* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */
0261     static const u8 seed[] __initconst = {
0262         0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a,
0263         0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22,
0264         0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b,
0265         0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c,
0266         0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa,
0267         0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25 };
0268     static const u8 V0[] __initconst = {
0269         0x00, 0xad, 0xe3, 0x6f, 0x9a, 0x01, 0xc7, 0x76,
0270         0x61, 0x34, 0x35, 0xf5, 0x4e, 0x24, 0x74, 0x22,
0271         0x21, 0x9a, 0x29, 0x89, 0xc7, 0x93, 0x2e, 0x60,
0272         0x1e, 0xe8, 0x14, 0x24, 0x8d, 0xd5, 0x03, 0xf1,
0273         0x65, 0x5d, 0x08, 0x22, 0x72, 0xd5, 0xad, 0x95,
0274         0xe1, 0x23, 0x1e, 0x8a, 0xa7, 0x13, 0xd9, 0x2b,
0275         0x5e, 0xbc, 0xbb, 0x80, 0xab, 0x8d, 0xe5, 0x79,
0276         0xab, 0x5b, 0x47, 0x4e, 0xdd, 0xee, 0x6b, 0x03,
0277         0x8f, 0x0f, 0x5c, 0x5e, 0xa9, 0x1a, 0x83, 0xdd,
0278         0xd3, 0x88, 0xb2, 0x75, 0x4b, 0xce, 0x83, 0x36,
0279         0x57, 0x4b, 0xf1, 0x5c, 0xca, 0x7e, 0x09, 0xc0,
0280         0xd3, 0x89, 0xc6, 0xe0, 0xda, 0xc4, 0x81, 0x7e,
0281         0x5b, 0xf9, 0xe1, 0x01, 0xc1, 0x92, 0x05, 0xea,
0282         0xf5, 0x2f, 0xc6, 0xc6, 0xc7, 0x8f, 0xbc, 0xf4 };
0283     static const u8 C0[] __initconst = {
0284         0x00, 0xf4, 0xa3, 0xe5, 0xa0, 0x72, 0x63, 0x95,
0285         0xc6, 0x4f, 0x48, 0xd0, 0x8b, 0x5b, 0x5f, 0x8e,
0286         0x6b, 0x96, 0x1f, 0x16, 0xed, 0xbc, 0x66, 0x94,
0287         0x45, 0x31, 0xd7, 0x47, 0x73, 0x22, 0xa5, 0x86,
0288         0xce, 0xc0, 0x4c, 0xac, 0x63, 0xb8, 0x39, 0x50,
0289         0xbf, 0xe6, 0x59, 0x6c, 0x38, 0x58, 0x99, 0x1f,
0290         0x27, 0xa7, 0x9d, 0x71, 0x2a, 0xb3, 0x7b, 0xf9,
0291         0xfb, 0x17, 0x86, 0xaa, 0x99, 0x81, 0xaa, 0x43,
0292         0xe4, 0x37, 0xd3, 0x1e, 0x6e, 0xe5, 0xe6, 0xee,
0293         0xc2, 0xed, 0x95, 0x4f, 0x53, 0x0e, 0x46, 0x8a,
0294         0xcc, 0x45, 0xa5, 0xdb, 0x69, 0x0d, 0x81, 0xc9,
0295         0x32, 0x92, 0xbc, 0x8f, 0x33, 0xe6, 0xf6, 0x09,
0296         0x7c, 0x8e, 0x05, 0x19, 0x0d, 0xf1, 0xb6, 0xcc,
0297         0xf3, 0x02, 0x21, 0x90, 0x25, 0xec, 0xed, 0x0e };
0298     static const u8 random[] __initconst = {
0299         0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57,
0300         0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6,
0301         0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d,
0302         0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf,
0303         0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26,
0304         0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64,
0305         0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55,
0306         0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a,
0307         0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78,
0308         0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e,
0309         0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb,
0310         0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30,
0311         0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19,
0312         0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f,
0313         0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d,
0314         0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a,
0315         0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2,
0316         0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd,
0317         0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd,
0318         0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2,
0319         0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b,
0320         0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1,
0321         0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99,
0322         0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e,
0323         0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3,
0324         0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67,
0325         0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3,
0326         0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d,
0327         0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b,
0328         0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13,
0329         0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c,
0330         0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2 };
0331
0332     u8 buf[sizeof(random)];
0333     struct prno_ws_s ws;
0334
0335     memset(&ws, 0, sizeof(ws));
0336
0337     /* initial seed */
0338     cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
0339            &ws, NULL, 0, seed, sizeof(seed));
0340
0341     /* check working states V and C */
0342     if (memcmp(ws.V, V0, sizeof(V0)) != 0
0343         || memcmp(ws.C, C0, sizeof(C0)) != 0) {
0344         pr_err("The prng self test state test "
0345                "for the SHA-512 mode failed\n");
0346         prng_errorflag = PRNG_SELFTEST_FAILED;
0347         return -EIO;
0348     }
0349
0350     /* generate random bytes */
0351     cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
0352            &ws, buf, sizeof(buf), NULL, 0);
0353     cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
0354            &ws, buf, sizeof(buf), NULL, 0);
0355
0356     /* check against expected data */
0357     if (memcmp(buf, random, sizeof(random)) != 0) {
0358         pr_err("The prng self test data test "
0359                "for the SHA-512 mode failed\n");
0360         prng_errorflag = PRNG_SELFTEST_FAILED;
0361         return -EIO;
0362     }
0363
0364     return 0;
0365 }
0366
0367
0368 static int __init prng_sha512_instantiate(void)
0369 {
0370     int ret, datalen, seedlen;
0371     u8 seed[128 + 16];
0372
0373     pr_debug("prng runs in SHA-512 mode "
0374          "with chunksize=%d and reseed_limit=%u\n",
0375          prng_chunk_size, prng_reseed_limit);
0376
0377     /* memory allocation, prng_data struct init, mutex init */
0378     datalen = sizeof(struct prng_data_s) + prng_chunk_size;
0379     if (fips_enabled)
0380         datalen += prng_chunk_size;
0381     prng_data = kzalloc(datalen, GFP_KERNEL);
0382     if (!prng_data) {
0383         prng_errorflag = PRNG_INSTANTIATE_FAILED;
0384         return -ENOMEM;
0385     }
0386     mutex_init(&prng_data->mutex);
0387     prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s);
0388
0389     /* selftest */
0390     ret = prng_sha512_selftest();
0391     if (ret)
0392         goto outfree;
0393
0394     /* generate initial seed, we need at least  256 + 128 bits entropy. */
0395     if (trng_available) {
0396         /*
0397          * Trng available, so use it. The trng works in chunks of
0398          * 32 bytes and produces 100% entropy. So we pull 64 bytes
0399          * which gives us 512 bits entropy.
0400          */
0401         seedlen = 2 * 32;
0402         cpacf_trng(NULL, 0, seed, seedlen);
0403     } else {
0404         /*
0405          * No trng available, so use the generate_entropy() function.
0406          * This function works in 64 byte junks and produces
0407          * 50% entropy. So we pull 2*64 bytes which gives us 512 bits
0408          * of entropy.
0409          */
0410         seedlen = 2 * 64;
0411         ret = generate_entropy(seed, seedlen);
0412         if (ret != seedlen)
0413             goto outfree;
0414     }
0415
0416     /* append the seed by 16 bytes of unique nonce */
0417     store_tod_clock_ext((union tod_clock *)(seed + seedlen));
0418     seedlen += 16;
0419
0420     /* now initial seed of the prno drng */
0421     cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
0422            &prng_data->prnows, NULL, 0, seed, seedlen);
0423     memzero_explicit(seed, sizeof(seed));
0424
0425     /* if fips mode is enabled, generate a first block of random
0426        bytes for the FIPS 140-2 Conditional Self Test */
0427     if (fips_enabled) {
0428         prng_data->prev = prng_data->buf + prng_chunk_size;
0429         cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
0430                &prng_data->prnows,
0431                prng_data->prev, prng_chunk_size, NULL, 0);
0432     }
0433
0434     return 0;
0435
0436 outfree:
0437     kfree(prng_data);
0438     return ret;
0439 }
0440
0441
0442 static void prng_sha512_deinstantiate(void)
0443 {
0444     pr_debug("The prng module stopped after running in SHA-512 mode\n");
0445     kfree_sensitive(prng_data);
0446 }
0447
0448
0449 static int prng_sha512_reseed(void)
0450 {
0451     int ret, seedlen;
0452     u8 seed[64];
0453
0454     /* We need at least 256 bits of fresh entropy for reseeding */
0455     if (trng_available) {
0456         /* trng produces 256 bits entropy in 32 bytes */
0457         seedlen = 32;
0458         cpacf_trng(NULL, 0, seed, seedlen);
0459     } else {
0460         /* generate_entropy() produces 256 bits entropy in 64 bytes */
0461         seedlen = 64;
0462         ret = generate_entropy(seed, seedlen);
0463         if (ret != sizeof(seed))
0464             return ret;
0465     }
0466
0467     /* do a reseed of the prno drng with this bytestring */
0468     cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
0469            &prng_data->prnows, NULL, 0, seed, seedlen);
0470     memzero_explicit(seed, sizeof(seed));
0471
0472     return 0;
0473 }
0474
0475
0476 static int prng_sha512_generate(u8 *buf, size_t nbytes)
0477 {
0478     int ret;
0479
0480     /* reseed needed ? */
0481     if (prng_data->prnows.reseed_counter > prng_reseed_limit) {
0482         ret = prng_sha512_reseed();
0483         if (ret)
0484             return ret;
0485     }
0486
0487     /* PRNO generate */
0488     cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN,
0489            &prng_data->prnows, buf, nbytes, NULL, 0);
0490
0491     /* FIPS 140-2 Conditional Self Test */
0492     if (fips_enabled) {
0493         if (!memcmp(prng_data->prev, buf, nbytes)) {
0494             prng_errorflag = PRNG_GEN_FAILED;
0495             return -EILSEQ;
0496         }
0497         memcpy(prng_data->prev, buf, nbytes);
0498     }
0499
0500     return nbytes;
0501 }
0502
0503
0504 /*** file io functions ***/
0505
0506 static int prng_open(struct inode *inode, struct file *file)
0507 {
0508     return nonseekable_open(inode, file);
0509 }
0510
0511
0512 static ssize_t prng_tdes_read(struct file *file, char __user *ubuf,
0513                   size_t nbytes, loff_t *ppos)
0514 {
0515     int chunk, n, ret = 0;
0516
0517     /* lock prng_data struct */
0518     if (mutex_lock_interruptible(&prng_data->mutex))
0519         return -ERESTARTSYS;
0520
0521     while (nbytes) {
0522         if (need_resched()) {
0523             if (signal_pending(current)) {
0524                 if (ret == 0)
0525                     ret = -ERESTARTSYS;
0526                 break;
0527             }
0528             /* give mutex free before calling schedule() */
0529             mutex_unlock(&prng_data->mutex);
0530             schedule();
0531             /* occupy mutex again */
0532             if (mutex_lock_interruptible(&prng_data->mutex)) {
0533                 if (ret == 0)
0534                     ret = -ERESTARTSYS;
0535                 return ret;
0536             }
0537         }
0538
0539         /*
0540          * we lose some random bytes if an attacker issues
0541          * reads < 8 bytes, but we don't care
0542          */
0543         chunk = min_t(int, nbytes, prng_chunk_size);
0544
0545         /* PRNG only likes multiples of 8 bytes */
0546         n = (chunk + 7) & -8;
0547
0548         if (prng_data->prngws.reseed_counter > prng_reseed_limit)
0549             prng_tdes_seed(8);
0550
0551         /* if the CPU supports PRNG stckf is present too */
0552         *((unsigned long long *)prng_data->buf) = get_tod_clock_fast();
0553
0554         /*
0555          * Beside the STCKF the input for the TDES-EDE is the output
0556          * of the last operation. We differ here from X9.17 since we
0557          * only store one timestamp into the buffer. Padding the whole
0558          * buffer with timestamps does not improve security, since
0559          * successive stckf have nearly constant offsets.
0560          * If an attacker knows the first timestamp it would be
0561          * trivial to guess the additional values. One timestamp
0562          * is therefore enough and still guarantees unique input values.
0563          *
0564          * Note: you can still get strict X9.17 conformity by setting
0565          * prng_chunk_size to 8 bytes.
0566          */
0567         cpacf_kmc(CPACF_KMC_PRNG, prng_data->prngws.parm_block,
0568               prng_data->buf, prng_data->buf, n);
0569
0570         prng_data->prngws.byte_counter += n;
0571         prng_data->prngws.reseed_counter += n;
0572
0573         if (copy_to_user(ubuf, prng_data->buf, chunk)) {
0574             ret = -EFAULT;
0575             break;
0576         }
0577
0578         nbytes -= chunk;
0579         ret += chunk;
0580         ubuf += chunk;
0581     }
0582
0583     /* unlock prng_data struct */
0584     mutex_unlock(&prng_data->mutex);
0585
0586     return ret;
0587 }
0588
0589
0590 static ssize_t prng_sha512_read(struct file *file, char __user *ubuf,
0591                 size_t nbytes, loff_t *ppos)
0592 {
0593     int n, ret = 0;
0594     u8 *p;
0595
0596     /* if errorflag is set do nothing and return 'broken pipe' */
0597     if (prng_errorflag)
0598         return -EPIPE;
0599
0600     /* lock prng_data struct */
0601     if (mutex_lock_interruptible(&prng_data->mutex))
0602         return -ERESTARTSYS;
0603
0604     while (nbytes) {
0605         if (need_resched()) {
0606             if (signal_pending(current)) {
0607                 if (ret == 0)
0608                     ret = -ERESTARTSYS;
0609                 break;
0610             }
0611             /* give mutex free before calling schedule() */
0612             mutex_unlock(&prng_data->mutex);
0613             schedule();
0614             /* occopy mutex again */
0615             if (mutex_lock_interruptible(&prng_data->mutex)) {
0616                 if (ret == 0)
0617                     ret = -ERESTARTSYS;
0618                 return ret;
0619             }
0620         }
0621         if (prng_data->rest) {
0622             /* push left over random bytes from the previous read */
0623             p = prng_data->buf + prng_chunk_size - prng_data->rest;
0624             n = (nbytes < prng_data->rest) ?
0625                 nbytes : prng_data->rest;
0626             prng_data->rest -= n;
0627         } else {
0628             /* generate one chunk of random bytes into read buf */
0629             p = prng_data->buf;
0630             n = prng_sha512_generate(p, prng_chunk_size);
0631             if (n < 0) {
0632                 ret = n;
0633                 break;
0634             }
0635             if (nbytes < prng_chunk_size) {
0636                 n = nbytes;
0637                 prng_data->rest = prng_chunk_size - n;
0638             } else {
0639                 n = prng_chunk_size;
0640                 prng_data->rest = 0;
0641             }
0642         }
0643         if (copy_to_user(ubuf, p, n)) {
0644             ret = -EFAULT;
0645             break;
0646         }
0647         memzero_explicit(p, n);
0648         ubuf += n;
0649         nbytes -= n;
0650         ret += n;
0651     }
0652
0653     /* unlock prng_data struct */
0654     mutex_unlock(&prng_data->mutex);
0655
0656     return ret;
0657 }
0658
0659
0660 /*** sysfs stuff ***/
0661
0662 static const struct file_operations prng_sha512_fops = {
0663     .owner      = THIS_MODULE,
0664     .open       = &prng_open,
0665     .release    = NULL,
0666     .read       = &prng_sha512_read,
0667     .llseek     = noop_llseek,
0668 };
0669 static const struct file_operations prng_tdes_fops = {
0670     .owner      = THIS_MODULE,
0671     .open       = &prng_open,
0672     .release    = NULL,
0673     .read       = &prng_tdes_read,
0674     .llseek     = noop_llseek,
0675 };
0676
0677 /* chunksize attribute (ro) */
0678 static ssize_t prng_chunksize_show(struct device *dev,
0679                    struct device_attribute *attr,
0680                    char *buf)
0681 {
0682     return scnprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
0683 }
0684 static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL);
0685
0686 /* counter attribute (ro) */
0687 static ssize_t prng_counter_show(struct device *dev,
0688                  struct device_attribute *attr,
0689                  char *buf)
0690 {
0691     u64 counter;
0692
0693     if (mutex_lock_interruptible(&prng_data->mutex))
0694         return -ERESTARTSYS;
0695     if (prng_mode == PRNG_MODE_SHA512)
0696         counter = prng_data->prnows.stream_bytes;
0697     else
0698         counter = prng_data->prngws.byte_counter;
0699     mutex_unlock(&prng_data->mutex);
0700
0701     return scnprintf(buf, PAGE_SIZE, "%llu\n", counter);
0702 }
0703 static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL);
0704
0705 /* errorflag attribute (ro) */
0706 static ssize_t prng_errorflag_show(struct device *dev,
0707                    struct device_attribute *attr,
0708                    char *buf)
0709 {
0710     return scnprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
0711 }
0712 static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL);
0713
0714 /* mode attribute (ro) */
0715 static ssize_t prng_mode_show(struct device *dev,
0716                   struct device_attribute *attr,
0717                   char *buf)
0718 {
0719     if (prng_mode == PRNG_MODE_TDES)
0720         return scnprintf(buf, PAGE_SIZE, "TDES\n");
0721     else
0722         return scnprintf(buf, PAGE_SIZE, "SHA512\n");
0723 }
0724 static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL);
0725
0726 /* reseed attribute (w) */
0727 static ssize_t prng_reseed_store(struct device *dev,
0728                  struct device_attribute *attr,
0729                  const char *buf, size_t count)
0730 {
0731     if (mutex_lock_interruptible(&prng_data->mutex))
0732         return -ERESTARTSYS;
0733     prng_sha512_reseed();
0734     mutex_unlock(&prng_data->mutex);
0735
0736     return count;
0737 }
0738 static DEVICE_ATTR(reseed, 0200, NULL, prng_reseed_store);
0739
0740 /* reseed limit attribute (rw) */
0741 static ssize_t prng_reseed_limit_show(struct device *dev,
0742                       struct device_attribute *attr,
0743                       char *buf)
0744 {
0745     return scnprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
0746 }
0747 static ssize_t prng_reseed_limit_store(struct device *dev,
0748                        struct device_attribute *attr,
0749                        const char *buf, size_t count)
0750 {
0751     unsigned limit;
0752
0753     if (sscanf(buf, "%u\n", &limit) != 1)
0754         return -EINVAL;
0755
0756     if (prng_mode == PRNG_MODE_SHA512) {
0757         if (limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
0758             return -EINVAL;
0759     } else {
0760         if (limit < PRNG_RESEED_LIMIT_TDES_LOWER)
0761             return -EINVAL;
0762     }
0763
0764     prng_reseed_limit = limit;
0765
0766     return count;
0767 }
0768 static DEVICE_ATTR(reseed_limit, 0644,
0769            prng_reseed_limit_show, prng_reseed_limit_store);
0770
0771 /* strength attribute (ro) */
0772 static ssize_t prng_strength_show(struct device *dev,
0773                   struct device_attribute *attr,
0774                   char *buf)
0775 {
0776     return scnprintf(buf, PAGE_SIZE, "256\n");
0777 }
0778 static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL);
0779
0780 static struct attribute *prng_sha512_dev_attrs[] = {
0781     &dev_attr_errorflag.attr,
0782     &dev_attr_chunksize.attr,
0783     &dev_attr_byte_counter.attr,
0784     &dev_attr_mode.attr,
0785     &dev_attr_reseed.attr,
0786     &dev_attr_reseed_limit.attr,
0787     &dev_attr_strength.attr,
0788     NULL
0789 };
0790 ATTRIBUTE_GROUPS(prng_sha512_dev);
0791
0792 static struct attribute *prng_tdes_dev_attrs[] = {
0793     &dev_attr_chunksize.attr,
0794     &dev_attr_byte_counter.attr,
0795     &dev_attr_mode.attr,
0796     NULL
0797 };
0798 ATTRIBUTE_GROUPS(prng_tdes_dev);
0799
0800 static struct miscdevice prng_sha512_dev = {
0801     .name   = "prandom",
0802     .minor  = MISC_DYNAMIC_MINOR,
0803     .mode   = 0644,
0804     .fops   = &prng_sha512_fops,
0805     .groups = prng_sha512_dev_groups,
0806 };
0807
0808 static struct miscdevice prng_tdes_dev = {
0809     .name   = "prandom",
0810     .minor  = MISC_DYNAMIC_MINOR,
0811     .mode   = 0644,
0812     .fops   = &prng_tdes_fops,
0813     .groups = prng_tdes_dev_groups,
0814 };
0815
0816
0817 /*** module init and exit ***/
0818
0819 static int __init prng_init(void)
0820 {
0821     int ret;
0822
0823     /* check if the CPU has a PRNG */
0824     if (!cpacf_query_func(CPACF_KMC, CPACF_KMC_PRNG))
0825         return -ENODEV;
0826
0827     /* check if TRNG subfunction is available */
0828     if (cpacf_query_func(CPACF_PRNO, CPACF_PRNO_TRNG))
0829         trng_available = true;
0830
0831     /* choose prng mode */
0832     if (prng_mode != PRNG_MODE_TDES) {
0833         /* check for MSA5 support for PRNO operations */
0834         if (!cpacf_query_func(CPACF_PRNO, CPACF_PRNO_SHA512_DRNG_GEN)) {
0835             if (prng_mode == PRNG_MODE_SHA512) {
0836                 pr_err("The prng module cannot "
0837                        "start in SHA-512 mode\n");
0838                 return -ENODEV;
0839             }
0840             prng_mode = PRNG_MODE_TDES;
0841         } else
0842             prng_mode = PRNG_MODE_SHA512;
0843     }
0844
0845     if (prng_mode == PRNG_MODE_SHA512) {
0846
0847         /* SHA512 mode */
0848
0849         if (prng_chunk_size < PRNG_CHUNKSIZE_SHA512_MIN
0850             || prng_chunk_size > PRNG_CHUNKSIZE_SHA512_MAX)
0851             return -EINVAL;
0852         prng_chunk_size = (prng_chunk_size + 0x3f) & ~0x3f;
0853
0854         if (prng_reseed_limit == 0)
0855             prng_reseed_limit = PRNG_RESEED_LIMIT_SHA512;
0856         else if (prng_reseed_limit < PRNG_RESEED_LIMIT_SHA512_LOWER)
0857             return -EINVAL;
0858
0859         ret = prng_sha512_instantiate();
0860         if (ret)
0861             goto out;
0862
0863         ret = misc_register(&prng_sha512_dev);
0864         if (ret) {
0865             prng_sha512_deinstantiate();
0866             goto out;
0867         }
0868
0869     } else {
0870
0871         /* TDES mode */
0872
0873         if (prng_chunk_size < PRNG_CHUNKSIZE_TDES_MIN
0874             || prng_chunk_size > PRNG_CHUNKSIZE_TDES_MAX)
0875             return -EINVAL;
0876         prng_chunk_size = (prng_chunk_size + 0x07) & ~0x07;
0877
0878         if (prng_reseed_limit == 0)
0879             prng_reseed_limit = PRNG_RESEED_LIMIT_TDES;
0880         else if (prng_reseed_limit < PRNG_RESEED_LIMIT_TDES_LOWER)
0881             return -EINVAL;
0882
0883         ret = prng_tdes_instantiate();
0884         if (ret)
0885             goto out;
0886
0887         ret = misc_register(&prng_tdes_dev);
0888         if (ret) {
0889             prng_tdes_deinstantiate();
0890             goto out;
0891         }
0892     }
0893
0894 out:
0895     return ret;
0896 }
0897
0898
0899 static void __exit prng_exit(void)
0900 {
0901     if (prng_mode == PRNG_MODE_SHA512) {
0902         misc_deregister(&prng_sha512_dev);
0903         prng_sha512_deinstantiate();
0904     } else {
0905         misc_deregister(&prng_tdes_dev);
0906         prng_tdes_deinstantiate();
0907     }
0908 }
0909
0910 module_cpu_feature_match(S390_CPU_FEATURE_MSA, prng_init);
0911 module_exit(prng_exit);