OSCL-LXR |
|
|
|
|||
0001 /* 0002 * Non-physical true random number generator based on timing jitter -- 0003 * Jitter RNG standalone code. 0004 * 0005 * Copyright Stephan Mueller <smueller@chronox.de>, 2015 - 2020 0006 * 0007 * Design 0008 * ====== 0009 * 0010 * See https://www.chronox.de/jent.html 0011 * 0012 * License 0013 * ======= 0014 * 0015 * Redistribution and use in source and binary forms, with or without 0016 * modification, are permitted provided that the following conditions 0017 * are met: 0018 * 1. Redistributions of source code must retain the above copyright 0019 * notice, and the entire permission notice in its entirety, 0020 * including the disclaimer of warranties. 0021 * 2. Redistributions in binary form must reproduce the above copyright 0022 * notice, this list of conditions and the following disclaimer in the 0023 * documentation and/or other materials provided with the distribution. 0024 * 3. The name of the author may not be used to endorse or promote 0025 * products derived from this software without specific prior 0026 * written permission. 0027 * 0028 * ALTERNATIVELY, this product may be distributed under the terms of 0029 * the GNU General Public License, in which case the provisions of the GPL2 are 0030 * required INSTEAD OF the above restrictions. (This clause is 0031 * necessary due to a potential bad interaction between the GPL and 0032 * the restrictions contained in a BSD-style copyright.) 0033 * 0034 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 0035 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 0036 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 0037 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 0038 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 0039 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 0040 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 0041 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 0042 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 0043 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 0044 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 0045 * DAMAGE. 0046 */ 0047 0048 /* 0049 * This Jitterentropy RNG is based on the jitterentropy library 0050 * version 2.2.0 provided at https://www.chronox.de/jent.html 0051 */ 0052 0053 #ifdef __OPTIMIZE__ 0054 #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c." 0055 #endif 0056 0057 typedef unsigned long long __u64; 0058 typedef long long __s64; 0059 typedef unsigned int __u32; 0060 #define NULL ((void *) 0) 0061 0062 /* The entropy pool */ 0063 struct rand_data { 0064 /* all data values that are vital to maintain the security 0065 * of the RNG are marked as SENSITIVE. A user must not 0066 * access that information while the RNG executes its loops to 0067 * calculate the next random value. */ 0068 __u64 data; /* SENSITIVE Actual random number */ 0069 __u64 old_data; /* SENSITIVE Previous random number */ 0070 __u64 prev_time; /* SENSITIVE Previous time stamp */ 0071 #define DATA_SIZE_BITS ((sizeof(__u64)) * 8) 0072 __u64 last_delta; /* SENSITIVE stuck test */ 0073 __s64 last_delta2; /* SENSITIVE stuck test */ 0074 unsigned int osr; /* Oversample rate */ 0075 #define JENT_MEMORY_BLOCKS 64 0076 #define JENT_MEMORY_BLOCKSIZE 32 0077 #define JENT_MEMORY_ACCESSLOOPS 128 0078 #define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE) 0079 unsigned char *mem; /* Memory access location with size of 0080 * memblocks * memblocksize */ 0081 unsigned int memlocation; /* Pointer to byte in *mem */ 0082 unsigned int memblocks; /* Number of memory blocks in *mem */ 0083 unsigned int memblocksize; /* Size of one memory block in bytes */ 0084 unsigned int memaccessloops; /* Number of memory accesses per random 0085 * bit generation */ 0086 0087 /* Repetition Count Test */ 0088 int rct_count; /* Number of stuck values */ 0089 0090 /* Adaptive Proportion Test for a significance level of 2^-30 */ 0091 #define JENT_APT_CUTOFF 325 /* Taken from SP800-90B sec 4.4.2 */ 0092 #define JENT_APT_WINDOW_SIZE 512 /* Data window size */ 0093 /* LSB of time stamp to process */ 0094 #define JENT_APT_LSB 16 0095 #define JENT_APT_WORD_MASK (JENT_APT_LSB - 1) 0096 unsigned int apt_observations; /* Number of collected observations */ 0097 unsigned int apt_count; /* APT counter */ 0098 unsigned int apt_base; /* APT base reference */ 0099 unsigned int apt_base_set:1; /* APT base reference set? */ 0100 0101 unsigned int health_failure:1; /* Permanent health failure */ 0102 }; 0103 0104 /* Flags that can be used to initialize the RNG */ 0105 #define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more 0106 * entropy, saves MEMORY_SIZE RAM for 0107 * entropy collector */ 0108 0109 /* -- error codes for init function -- */ 0110 #define JENT_ENOTIME 1 /* Timer service not available */ 0111 #define JENT_ECOARSETIME 2 /* Timer too coarse for RNG */ 0112 #define JENT_ENOMONOTONIC 3 /* Timer is not monotonic increasing */ 0113 #define JENT_EVARVAR 5 /* Timer does not produce variations of 0114 * variations (2nd derivation of time is 0115 * zero). */ 0116 #define JENT_ESTUCK 8 /* Too many stuck results during init. */ 0117 #define JENT_EHEALTH 9 /* Health test failed during initialization */ 0118 #define JENT_ERCT 10 /* RCT failed during initialization */ 0119 0120 /* 0121 * The output n bits can receive more than n bits of min entropy, of course, 0122 * but the fixed output of the conditioning function can only asymptotically 0123 * approach the output size bits of min entropy, not attain that bound. Random 0124 * maps will tend to have output collisions, which reduces the creditable 0125 * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound). 0126 * 0127 * The value "64" is justified in Appendix A.4 of the current 90C draft, 0128 * and aligns with NIST's in "epsilon" definition in this document, which is 0129 * that a string can be considered "full entropy" if you can bound the min 0130 * entropy in each bit of output to at least 1-epsilon, where epsilon is 0131 * required to be <= 2^(-32). 0132 */ 0133 #define JENT_ENTROPY_SAFETY_FACTOR 64 0134 0135 #include <linux/fips.h> 0136 #include "jitterentropy.h" 0137 0138 /*************************************************************************** 0139 * Adaptive Proportion Test 0140 * 0141 * This test complies with SP800-90B section 4.4.2. 0142 ***************************************************************************/ 0143 0144 /* 0145 * Reset the APT counter 0146 * 0147 * @ec [in] Reference to entropy collector 0148 */ 0149 static void jent_apt_reset(struct rand_data *ec, unsigned int delta_masked) 0150 { 0151 /* Reset APT counter */ 0152 ec->apt_count = 0; 0153 ec->apt_base = delta_masked; 0154 ec->apt_observations = 0; 0155 } 0156 0157 /* 0158 * Insert a new entropy event into APT 0159 * 0160 * @ec [in] Reference to entropy collector 0161 * @delta_masked [in] Masked time delta to process 0162 */ 0163 static void jent_apt_insert(struct rand_data *ec, unsigned int delta_masked) 0164 { 0165 /* Initialize the base reference */ 0166 if (!ec->apt_base_set) { 0167 ec->apt_base = delta_masked; 0168 ec->apt_base_set = 1; 0169 return; 0170 } 0171 0172 if (delta_masked == ec->apt_base) { 0173 ec->apt_count++; 0174 0175 if (ec->apt_count >= JENT_APT_CUTOFF) 0176 ec->health_failure = 1; 0177 } 0178 0179 ec->apt_observations++; 0180 0181 if (ec->apt_observations >= JENT_APT_WINDOW_SIZE) 0182 jent_apt_reset(ec, delta_masked); 0183 } 0184 0185 /*************************************************************************** 0186 * Stuck Test and its use as Repetition Count Test 0187 * 0188 * The Jitter RNG uses an enhanced version of the Repetition Count Test 0189 * (RCT) specified in SP800-90B section 4.4.1. Instead of counting identical 0190 * back-to-back values, the input to the RCT is the counting of the stuck 0191 * values during the generation of one Jitter RNG output block. 0192 * 0193 * The RCT is applied with an alpha of 2^{-30} compliant to FIPS 140-2 IG 9.8. 0194 * 0195 * During the counting operation, the Jitter RNG always calculates the RCT 0196 * cut-off value of C. If that value exceeds the allowed cut-off value, 0197 * the Jitter RNG output block will be calculated completely but discarded at 0198 * the end. The caller of the Jitter RNG is informed with an error code. 0199 ***************************************************************************/ 0200 0201 /* 0202 * Repetition Count Test as defined in SP800-90B section 4.4.1 0203 * 0204 * @ec [in] Reference to entropy collector 0205 * @stuck [in] Indicator whether the value is stuck 0206 */ 0207 static void jent_rct_insert(struct rand_data *ec, int stuck) 0208 { 0209 /* 0210 * If we have a count less than zero, a previous RCT round identified 0211 * a failure. We will not overwrite it. 0212 */ 0213 if (ec->rct_count < 0) 0214 return; 0215 0216 if (stuck) { 0217 ec->rct_count++; 0218 0219 /* 0220 * The cutoff value is based on the following consideration: 0221 * alpha = 2^-30 as recommended in FIPS 140-2 IG 9.8. 0222 * In addition, we require an entropy value H of 1/OSR as this 0223 * is the minimum entropy required to provide full entropy. 0224 * Note, we collect 64 * OSR deltas for inserting them into 0225 * the entropy pool which should then have (close to) 64 bits 0226 * of entropy. 0227 * 0228 * Note, ec->rct_count (which equals to value B in the pseudo 0229 * code of SP800-90B section 4.4.1) starts with zero. Hence 0230 * we need to subtract one from the cutoff value as calculated 0231 * following SP800-90B. 0232 */ 0233 if ((unsigned int)ec->rct_count >= (31 * ec->osr)) { 0234 ec->rct_count = -1; 0235 ec->health_failure = 1; 0236 } 0237 } else { 0238 ec->rct_count = 0; 0239 } 0240 } 0241 0242 /* 0243 * Is there an RCT health test failure? 0244 * 0245 * @ec [in] Reference to entropy collector 0246 * 0247 * @return 0248 * 0 No health test failure 0249 * 1 Permanent health test failure 0250 */ 0251 static int jent_rct_failure(struct rand_data *ec) 0252 { 0253 if (ec->rct_count < 0) 0254 return 1; 0255 return 0; 0256 } 0257 0258 static inline __u64 jent_delta(__u64 prev, __u64 next) 0259 { 0260 #define JENT_UINT64_MAX (__u64)(~((__u64) 0)) 0261 return (prev < next) ? (next - prev) : 0262 (JENT_UINT64_MAX - prev + 1 + next); 0263 } 0264 0265 /* 0266 * Stuck test by checking the: 0267 * 1st derivative of the jitter measurement (time delta) 0268 * 2nd derivative of the jitter measurement (delta of time deltas) 0269 * 3rd derivative of the jitter measurement (delta of delta of time deltas) 0270 * 0271 * All values must always be non-zero. 0272 * 0273 * @ec [in] Reference to entropy collector 0274 * @current_delta [in] Jitter time delta 0275 * 0276 * @return 0277 * 0 jitter measurement not stuck (good bit) 0278 * 1 jitter measurement stuck (reject bit) 0279 */ 0280 static int jent_stuck(struct rand_data *ec, __u64 current_delta) 0281 { 0282 __u64 delta2 = jent_delta(ec->last_delta, current_delta); 0283 __u64 delta3 = jent_delta(ec->last_delta2, delta2); 0284 0285 ec->last_delta = current_delta; 0286 ec->last_delta2 = delta2; 0287 0288 /* 0289 * Insert the result of the comparison of two back-to-back time 0290 * deltas. 0291 */ 0292 jent_apt_insert(ec, current_delta); 0293 0294 if (!current_delta || !delta2 || !delta3) { 0295 /* RCT with a stuck bit */ 0296 jent_rct_insert(ec, 1); 0297 return 1; 0298 } 0299 0300 /* RCT with a non-stuck bit */ 0301 jent_rct_insert(ec, 0); 0302 0303 return 0; 0304 } 0305 0306 /* 0307 * Report any health test failures 0308 * 0309 * @ec [in] Reference to entropy collector 0310 * 0311 * @return 0312 * 0 No health test failure 0313 * 1 Permanent health test failure 0314 */ 0315 static int jent_health_failure(struct rand_data *ec) 0316 { 0317 return ec->health_failure; 0318 } 0319 0320 /*************************************************************************** 0321 * Noise sources 0322 ***************************************************************************/ 0323 0324 /* 0325 * Update of the loop count used for the next round of 0326 * an entropy collection. 0327 * 0328 * Input: 0329 * @ec entropy collector struct -- may be NULL 0330 * @bits is the number of low bits of the timer to consider 0331 * @min is the number of bits we shift the timer value to the right at 0332 * the end to make sure we have a guaranteed minimum value 0333 * 0334 * @return Newly calculated loop counter 0335 */ 0336 static __u64 jent_loop_shuffle(struct rand_data *ec, 0337 unsigned int bits, unsigned int min) 0338 { 0339 __u64 time = 0; 0340 __u64 shuffle = 0; 0341 unsigned int i = 0; 0342 unsigned int mask = (1<<bits) - 1; 0343 0344 jent_get_nstime(&time); 0345 /* 0346 * Mix the current state of the random number into the shuffle 0347 * calculation to balance that shuffle a bit more. 0348 */ 0349 if (ec) 0350 time ^= ec->data; 0351 /* 0352 * We fold the time value as much as possible to ensure that as many 0353 * bits of the time stamp are included as possible. 0354 */ 0355 for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) { 0356 shuffle ^= time & mask; 0357 time = time >> bits; 0358 } 0359 0360 /* 0361 * We add a lower boundary value to ensure we have a minimum 0362 * RNG loop count. 0363 */ 0364 return (shuffle + (1<<min)); 0365 } 0366 0367 /* 0368 * CPU Jitter noise source -- this is the noise source based on the CPU 0369 * execution time jitter 0370 * 0371 * This function injects the individual bits of the time value into the 0372 * entropy pool using an LFSR. 0373 * 0374 * The code is deliberately inefficient with respect to the bit shifting 0375 * and shall stay that way. This function is the root cause why the code 0376 * shall be compiled without optimization. This function not only acts as 0377 * folding operation, but this function's execution is used to measure 0378 * the CPU execution time jitter. Any change to the loop in this function 0379 * implies that careful retesting must be done. 0380 * 0381 * @ec [in] entropy collector struct 0382 * @time [in] time stamp to be injected 0383 * @loop_cnt [in] if a value not equal to 0 is set, use the given value as 0384 * number of loops to perform the folding 0385 * @stuck [in] Is the time stamp identified as stuck? 0386 * 0387 * Output: 0388 * updated ec->data 0389 * 0390 * @return Number of loops the folding operation is performed 0391 */ 0392 static void jent_lfsr_time(struct rand_data *ec, __u64 time, __u64 loop_cnt, 0393 int stuck) 0394 { 0395 unsigned int i; 0396 __u64 j = 0; 0397 __u64 new = 0; 0398 #define MAX_FOLD_LOOP_BIT 4 0399 #define MIN_FOLD_LOOP_BIT 0 0400 __u64 fold_loop_cnt = 0401 jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT); 0402 0403 /* 0404 * testing purposes -- allow test app to set the counter, not 0405 * needed during runtime 0406 */ 0407 if (loop_cnt) 0408 fold_loop_cnt = loop_cnt; 0409 for (j = 0; j < fold_loop_cnt; j++) { 0410 new = ec->data; 0411 for (i = 1; (DATA_SIZE_BITS) >= i; i++) { 0412 __u64 tmp = time << (DATA_SIZE_BITS - i); 0413 0414 tmp = tmp >> (DATA_SIZE_BITS - 1); 0415 0416 /* 0417 * Fibonacci LSFR with polynomial of 0418 * x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is 0419 * primitive according to 0420 * http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf 0421 * (the shift values are the polynomial values minus one 0422 * due to counting bits from 0 to 63). As the current 0423 * position is always the LSB, the polynomial only needs 0424 * to shift data in from the left without wrap. 0425 */ 0426 tmp ^= ((new >> 63) & 1); 0427 tmp ^= ((new >> 60) & 1); 0428 tmp ^= ((new >> 55) & 1); 0429 tmp ^= ((new >> 30) & 1); 0430 tmp ^= ((new >> 27) & 1); 0431 tmp ^= ((new >> 22) & 1); 0432 new <<= 1; 0433 new ^= tmp; 0434 } 0435 } 0436 0437 /* 0438 * If the time stamp is stuck, do not finally insert the value into 0439 * the entropy pool. Although this operation should not do any harm 0440 * even when the time stamp has no entropy, SP800-90B requires that 0441 * any conditioning operation (SP800-90B considers the LFSR to be a 0442 * conditioning operation) to have an identical amount of input 0443 * data according to section 3.1.5. 0444 */ 0445 if (!stuck) 0446 ec->data = new; 0447 } 0448 0449 /* 0450 * Memory Access noise source -- this is a noise source based on variations in 0451 * memory access times 0452 * 0453 * This function performs memory accesses which will add to the timing 0454 * variations due to an unknown amount of CPU wait states that need to be 0455 * added when accessing memory. The memory size should be larger than the L1 0456 * caches as outlined in the documentation and the associated testing. 0457 * 0458 * The L1 cache has a very high bandwidth, albeit its access rate is usually 0459 * slower than accessing CPU registers. Therefore, L1 accesses only add minimal 0460 * variations as the CPU has hardly to wait. Starting with L2, significant 0461 * variations are added because L2 typically does not belong to the CPU any more 0462 * and therefore a wider range of CPU wait states is necessary for accesses. 0463 * L3 and real memory accesses have even a wider range of wait states. However, 0464 * to reliably access either L3 or memory, the ec->mem memory must be quite 0465 * large which is usually not desirable. 0466 * 0467 * @ec [in] Reference to the entropy collector with the memory access data -- if 0468 * the reference to the memory block to be accessed is NULL, this noise 0469 * source is disabled 0470 * @loop_cnt [in] if a value not equal to 0 is set, use the given value 0471 * number of loops to perform the LFSR 0472 */ 0473 static void jent_memaccess(struct rand_data *ec, __u64 loop_cnt) 0474 { 0475 unsigned int wrap = 0; 0476 __u64 i = 0; 0477 #define MAX_ACC_LOOP_BIT 7 0478 #define MIN_ACC_LOOP_BIT 0 0479 __u64 acc_loop_cnt = 0480 jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT); 0481 0482 if (NULL == ec || NULL == ec->mem) 0483 return; 0484 wrap = ec->memblocksize * ec->memblocks; 0485 0486 /* 0487 * testing purposes -- allow test app to set the counter, not 0488 * needed during runtime 0489 */ 0490 if (loop_cnt) 0491 acc_loop_cnt = loop_cnt; 0492 0493 for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) { 0494 unsigned char *tmpval = ec->mem + ec->memlocation; 0495 /* 0496 * memory access: just add 1 to one byte, 0497 * wrap at 255 -- memory access implies read 0498 * from and write to memory location 0499 */ 0500 *tmpval = (*tmpval + 1) & 0xff; 0501 /* 0502 * Addition of memblocksize - 1 to pointer 0503 * with wrap around logic to ensure that every 0504 * memory location is hit evenly 0505 */ 0506 ec->memlocation = ec->memlocation + ec->memblocksize - 1; 0507 ec->memlocation = ec->memlocation % wrap; 0508 } 0509 } 0510 0511 /*************************************************************************** 0512 * Start of entropy processing logic 0513 ***************************************************************************/ 0514 /* 0515 * This is the heart of the entropy generation: calculate time deltas and 0516 * use the CPU jitter in the time deltas. The jitter is injected into the 0517 * entropy pool. 0518 * 0519 * WARNING: ensure that ->prev_time is primed before using the output 0520 * of this function! This can be done by calling this function 0521 * and not using its result. 0522 * 0523 * @ec [in] Reference to entropy collector 0524 * 0525 * @return result of stuck test 0526 */ 0527 static int jent_measure_jitter(struct rand_data *ec) 0528 { 0529 __u64 time = 0; 0530 __u64 current_delta = 0; 0531 int stuck; 0532 0533 /* Invoke one noise source before time measurement to add variations */ 0534 jent_memaccess(ec, 0); 0535 0536 /* 0537 * Get time stamp and calculate time delta to previous 0538 * invocation to measure the timing variations 0539 */ 0540 jent_get_nstime(&time); 0541 current_delta = jent_delta(ec->prev_time, time); 0542 ec->prev_time = time; 0543 0544 /* Check whether we have a stuck measurement. */ 0545 stuck = jent_stuck(ec, current_delta); 0546 0547 /* Now call the next noise sources which also injects the data */ 0548 jent_lfsr_time(ec, current_delta, 0, stuck); 0549 0550 return stuck; 0551 } 0552 0553 /* 0554 * Generator of one 64 bit random number 0555 * Function fills rand_data->data 0556 * 0557 * @ec [in] Reference to entropy collector 0558 */ 0559 static void jent_gen_entropy(struct rand_data *ec) 0560 { 0561 unsigned int k = 0, safety_factor = 0; 0562 0563 if (fips_enabled) 0564 safety_factor = JENT_ENTROPY_SAFETY_FACTOR; 0565 0566 /* priming of the ->prev_time value */ 0567 jent_measure_jitter(ec); 0568 0569 while (!jent_health_failure(ec)) { 0570 /* If a stuck measurement is received, repeat measurement */ 0571 if (jent_measure_jitter(ec)) 0572 continue; 0573 0574 /* 0575 * We multiply the loop value with ->osr to obtain the 0576 * oversampling rate requested by the caller 0577 */ 0578 if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr)) 0579 break; 0580 } 0581 } 0582 0583 /* 0584 * Entry function: Obtain entropy for the caller. 0585 * 0586 * This function invokes the entropy gathering logic as often to generate 0587 * as many bytes as requested by the caller. The entropy gathering logic 0588 * creates 64 bit per invocation. 0589 * 0590 * This function truncates the last 64 bit entropy value output to the exact 0591 * size specified by the caller. 0592 * 0593 * @ec [in] Reference to entropy collector 0594 * @data [in] pointer to buffer for storing random data -- buffer must already 0595 * exist 0596 * @len [in] size of the buffer, specifying also the requested number of random 0597 * in bytes 0598 * 0599 * @return 0 when request is fulfilled or an error 0600 * 0601 * The following error codes can occur: 0602 * -1 entropy_collector is NULL 0603 * -2 RCT failed 0604 * -3 APT test failed 0605 */ 0606 int jent_read_entropy(struct rand_data *ec, unsigned char *data, 0607 unsigned int len) 0608 { 0609 unsigned char *p = data; 0610 0611 if (!ec) 0612 return -1; 0613 0614 while (len > 0) { 0615 unsigned int tocopy; 0616 0617 jent_gen_entropy(ec); 0618 0619 if (jent_health_failure(ec)) { 0620 int ret; 0621 0622 if (jent_rct_failure(ec)) 0623 ret = -2; 0624 else 0625 ret = -3; 0626 0627 /* 0628 * Re-initialize the noise source 0629 * 0630 * If the health test fails, the Jitter RNG remains 0631 * in failure state and will return a health failure 0632 * during next invocation. 0633 */ 0634 if (jent_entropy_init()) 0635 return ret; 0636 0637 /* Set APT to initial state */ 0638 jent_apt_reset(ec, 0); 0639 ec->apt_base_set = 0; 0640 0641 /* Set RCT to initial state */ 0642 ec->rct_count = 0; 0643 0644 /* Re-enable Jitter RNG */ 0645 ec->health_failure = 0; 0646 0647 /* 0648 * Return the health test failure status to the 0649 * caller as the generated value is not appropriate. 0650 */ 0651 return ret; 0652 } 0653 0654 if ((DATA_SIZE_BITS / 8) < len) 0655 tocopy = (DATA_SIZE_BITS / 8); 0656 else 0657 tocopy = len; 0658 jent_memcpy(p, &ec->data, tocopy); 0659 0660 len -= tocopy; 0661 p += tocopy; 0662 } 0663 0664 return 0; 0665 } 0666 0667 /*************************************************************************** 0668 * Initialization logic 0669 ***************************************************************************/ 0670 0671 struct rand_data *jent_entropy_collector_alloc(unsigned int osr, 0672 unsigned int flags) 0673 { 0674 struct rand_data *entropy_collector; 0675 0676 entropy_collector = jent_zalloc(sizeof(struct rand_data)); 0677 if (!entropy_collector) 0678 return NULL; 0679 0680 if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) { 0681 /* Allocate memory for adding variations based on memory 0682 * access 0683 */ 0684 entropy_collector->mem = jent_zalloc(JENT_MEMORY_SIZE); 0685 if (!entropy_collector->mem) { 0686 jent_zfree(entropy_collector); 0687 return NULL; 0688 } 0689 entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE; 0690 entropy_collector->memblocks = JENT_MEMORY_BLOCKS; 0691 entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; 0692 } 0693 0694 /* verify and set the oversampling rate */ 0695 if (osr == 0) 0696 osr = 1; /* minimum sampling rate is 1 */ 0697 entropy_collector->osr = osr; 0698 0699 /* fill the data pad with non-zero values */ 0700 jent_gen_entropy(entropy_collector); 0701 0702 return entropy_collector; 0703 } 0704 0705 void jent_entropy_collector_free(struct rand_data *entropy_collector) 0706 { 0707 jent_zfree(entropy_collector->mem); 0708 entropy_collector->mem = NULL; 0709 jent_zfree(entropy_collector); 0710 } 0711 0712 int jent_entropy_init(void) 0713 { 0714 int i; 0715 __u64 delta_sum = 0; 0716 __u64 old_delta = 0; 0717 unsigned int nonstuck = 0; 0718 int time_backwards = 0; 0719 int count_mod = 0; 0720 int count_stuck = 0; 0721 struct rand_data ec = { 0 }; 0722 0723 /* Required for RCT */ 0724 ec.osr = 1; 0725 0726 /* We could perform statistical tests here, but the problem is 0727 * that we only have a few loop counts to do testing. These 0728 * loop counts may show some slight skew and we produce 0729 * false positives. 0730 * 0731 * Moreover, only old systems show potentially problematic 0732 * jitter entropy that could potentially be caught here. But 0733 * the RNG is intended for hardware that is available or widely 0734 * used, but not old systems that are long out of favor. Thus, 0735 * no statistical tests. 0736 */ 0737 0738 /* 0739 * We could add a check for system capabilities such as clock_getres or 0740 * check for CONFIG_X86_TSC, but it does not make much sense as the 0741 * following sanity checks verify that we have a high-resolution 0742 * timer. 0743 */ 0744 /* 0745 * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is 0746 * definitely too little. 0747 * 0748 * SP800-90B requires at least 1024 initial test cycles. 0749 */ 0750 #define TESTLOOPCOUNT 1024 0751 #define CLEARCACHE 100 0752 for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) { 0753 __u64 time = 0; 0754 __u64 time2 = 0; 0755 __u64 delta = 0; 0756 unsigned int lowdelta = 0; 0757 int stuck; 0758 0759 /* Invoke core entropy collection logic */ 0760 jent_get_nstime(&time); 0761 ec.prev_time = time; 0762 jent_lfsr_time(&ec, time, 0, 0); 0763 jent_get_nstime(&time2); 0764 0765 /* test whether timer works */ 0766 if (!time || !time2) 0767 return JENT_ENOTIME; 0768 delta = jent_delta(time, time2); 0769 /* 0770 * test whether timer is fine grained enough to provide 0771 * delta even when called shortly after each other -- this 0772 * implies that we also have a high resolution timer 0773 */ 0774 if (!delta) 0775 return JENT_ECOARSETIME; 0776 0777 stuck = jent_stuck(&ec, delta); 0778 0779 /* 0780 * up to here we did not modify any variable that will be 0781 * evaluated later, but we already performed some work. Thus we 0782 * already have had an impact on the caches, branch prediction, 0783 * etc. with the goal to clear it to get the worst case 0784 * measurements. 0785 */ 0786 if (i < CLEARCACHE) 0787 continue; 0788 0789 if (stuck) 0790 count_stuck++; 0791 else { 0792 nonstuck++; 0793 0794 /* 0795 * Ensure that the APT succeeded. 0796 * 0797 * With the check below that count_stuck must be less 0798 * than 10% of the overall generated raw entropy values 0799 * it is guaranteed that the APT is invoked at 0800 * floor((TESTLOOPCOUNT * 0.9) / 64) == 14 times. 0801 */ 0802 if ((nonstuck % JENT_APT_WINDOW_SIZE) == 0) { 0803 jent_apt_reset(&ec, 0804 delta & JENT_APT_WORD_MASK); 0805 if (jent_health_failure(&ec)) 0806 return JENT_EHEALTH; 0807 } 0808 } 0809 0810 /* Validate RCT */ 0811 if (jent_rct_failure(&ec)) 0812 return JENT_ERCT; 0813 0814 /* test whether we have an increasing timer */ 0815 if (!(time2 > time)) 0816 time_backwards++; 0817 0818 /* use 32 bit value to ensure compilation on 32 bit arches */ 0819 lowdelta = time2 - time; 0820 if (!(lowdelta % 100)) 0821 count_mod++; 0822 0823 /* 0824 * ensure that we have a varying delta timer which is necessary 0825 * for the calculation of entropy -- perform this check 0826 * only after the first loop is executed as we need to prime 0827 * the old_data value 0828 */ 0829 if (delta > old_delta) 0830 delta_sum += (delta - old_delta); 0831 else 0832 delta_sum += (old_delta - delta); 0833 old_delta = delta; 0834 } 0835 0836 /* 0837 * we allow up to three times the time running backwards. 0838 * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus, 0839 * if such an operation just happens to interfere with our test, it 0840 * should not fail. The value of 3 should cover the NTP case being 0841 * performed during our test run. 0842 */ 0843 if (time_backwards > 3) 0844 return JENT_ENOMONOTONIC; 0845 0846 /* 0847 * Variations of deltas of time must on average be larger 0848 * than 1 to ensure the entropy estimation 0849 * implied with 1 is preserved 0850 */ 0851 if ((delta_sum) <= 1) 0852 return JENT_EVARVAR; 0853 0854 /* 0855 * Ensure that we have variations in the time stamp below 10 for at 0856 * least 10% of all checks -- on some platforms, the counter increments 0857 * in multiples of 100, but not always 0858 */ 0859 if ((TESTLOOPCOUNT/10 * 9) < count_mod) 0860 return JENT_ECOARSETIME; 0861 0862 /* 0863 * If we have more than 90% stuck results, then this Jitter RNG is 0864 * likely to not work well. 0865 */ 0866 if ((TESTLOOPCOUNT/10 * 9) < count_stuck) 0867 return JENT_ESTUCK; 0868 0869 return 0; 0870 }
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.1.0 LXR engine. The LXR team |
|