jitterentropy-kcapi.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370
  1. /*
  2. * Non-physical true random number generator based on timing jitter --
  3. * Linux Kernel Crypto API specific code
  4. *
  5. * Copyright Stephan Mueller <smueller@chronox.de>, 2015 - 2023
  6. *
  7. * Redistribution and use in source and binary forms, with or without
  8. * modification, are permitted provided that the following conditions
  9. * are met:
  10. * 1. Redistributions of source code must retain the above copyright
  11. * notice, and the entire permission notice in its entirety,
  12. * including the disclaimer of warranties.
  13. * 2. Redistributions in binary form must reproduce the above copyright
  14. * notice, this list of conditions and the following disclaimer in the
  15. * documentation and/or other materials provided with the distribution.
  16. * 3. The name of the author may not be used to endorse or promote
  17. * products derived from this software without specific prior
  18. * written permission.
  19. *
  20. * ALTERNATIVELY, this product may be distributed under the terms of
  21. * the GNU General Public License, in which case the provisions of the GPL2 are
  22. * required INSTEAD OF the above restrictions. (This clause is
  23. * necessary due to a potential bad interaction between the GPL and
  24. * the restrictions contained in a BSD-style copyright.)
  25. *
  26. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  27. * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  28. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
  29. * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
  30. * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  31. * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
  32. * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  33. * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  34. * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  35. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  36. * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
  37. * DAMAGE.
  38. */
  39. #include <crypto/hash.h>
  40. #include <crypto/sha3.h>
  41. #include <linux/fips.h>
  42. #include <linux/kernel.h>
  43. #include <linux/module.h>
  44. #include <linux/slab.h>
  45. #include <linux/time.h>
  46. #include <crypto/internal/rng.h>
  47. #include "jitterentropy.h"
  48. #define JENT_CONDITIONING_HASH "sha3-256"
  49. /***************************************************************************
  50. * Helper function
  51. ***************************************************************************/
  52. void *jent_kvzalloc(unsigned int len)
  53. {
  54. return kvzalloc(len, GFP_KERNEL);
  55. }
  56. void jent_kvzfree(void *ptr, unsigned int len)
  57. {
  58. kvfree_sensitive(ptr, len);
  59. }
  60. void *jent_zalloc(unsigned int len)
  61. {
  62. return kzalloc(len, GFP_KERNEL);
  63. }
  64. void jent_zfree(void *ptr)
  65. {
  66. kfree_sensitive(ptr);
  67. }
  68. /*
  69. * Obtain a high-resolution time stamp value. The time stamp is used to measure
  70. * the execution time of a given code path and its variations. Hence, the time
  71. * stamp must have a sufficiently high resolution.
  72. *
  73. * Note, if the function returns zero because a given architecture does not
  74. * implement a high-resolution time stamp, the RNG code's runtime test
  75. * will detect it and will not produce output.
  76. */
  77. void jent_get_nstime(__u64 *out)
  78. {
  79. __u64 tmp = 0;
  80. tmp = random_get_entropy();
  81. /*
  82. * If random_get_entropy does not return a value, i.e. it is not
  83. * implemented for a given architecture, use a clock source.
  84. * hoping that there are timers we can work with.
  85. */
  86. if (tmp == 0)
  87. tmp = ktime_get_ns();
  88. *out = tmp;
  89. jent_raw_hires_entropy_store(tmp);
  90. }
  91. int jent_hash_time(void *hash_state, __u64 time, u8 *addtl,
  92. unsigned int addtl_len, __u64 hash_loop_cnt,
  93. unsigned int stuck)
  94. {
  95. struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state;
  96. SHASH_DESC_ON_STACK(desc, hash_state_desc->tfm);
  97. u8 intermediary[SHA3_256_DIGEST_SIZE];
  98. __u64 j = 0;
  99. int ret;
  100. desc->tfm = hash_state_desc->tfm;
  101. if (sizeof(intermediary) != crypto_shash_digestsize(desc->tfm)) {
  102. pr_warn_ratelimited("Unexpected digest size\n");
  103. return -EINVAL;
  104. }
  105. kmsan_unpoison_memory(intermediary, sizeof(intermediary));
  106. /*
  107. * This loop fills a buffer which is injected into the entropy pool.
  108. * The main reason for this loop is to execute something over which we
  109. * can perform a timing measurement. The injection of the resulting
  110. * data into the pool is performed to ensure the result is used and
  111. * the compiler cannot optimize the loop away in case the result is not
  112. * used at all. Yet that data is considered "additional information"
  113. * considering the terminology from SP800-90A without any entropy.
  114. *
  115. * Note, it does not matter which or how much data you inject, we are
  116. * interested in one Keccack1600 compression operation performed with
  117. * the crypto_shash_final.
  118. */
  119. for (j = 0; j < hash_loop_cnt; j++) {
  120. ret = crypto_shash_init(desc) ?:
  121. crypto_shash_update(desc, intermediary,
  122. sizeof(intermediary)) ?:
  123. crypto_shash_finup(desc, addtl, addtl_len, intermediary);
  124. if (ret)
  125. goto err;
  126. }
  127. /*
  128. * Inject the data from the previous loop into the pool. This data is
  129. * not considered to contain any entropy, but it stirs the pool a bit.
  130. */
  131. ret = crypto_shash_update(hash_state_desc, intermediary, sizeof(intermediary));
  132. if (ret)
  133. goto err;
  134. /*
  135. * Insert the time stamp into the hash context representing the pool.
  136. *
  137. * If the time stamp is stuck, do not finally insert the value into the
  138. * entropy pool. Although this operation should not do any harm even
  139. * when the time stamp has no entropy, SP800-90B requires that any
  140. * conditioning operation to have an identical amount of input data
  141. * according to section 3.1.5.
  142. */
  143. if (stuck) {
  144. time = 0;
  145. }
  146. ret = crypto_shash_update(hash_state_desc, (u8 *)&time, sizeof(__u64));
  147. err:
  148. shash_desc_zero(desc);
  149. memzero_explicit(intermediary, sizeof(intermediary));
  150. return ret;
  151. }
  152. int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len)
  153. {
  154. struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state;
  155. u8 jent_block[SHA3_256_DIGEST_SIZE];
  156. /* Obtain data from entropy pool and re-initialize it */
  157. int ret = crypto_shash_final(hash_state_desc, jent_block) ?:
  158. crypto_shash_init(hash_state_desc) ?:
  159. crypto_shash_update(hash_state_desc, jent_block,
  160. sizeof(jent_block));
  161. if (!ret && dst_len)
  162. memcpy(dst, jent_block, dst_len);
  163. memzero_explicit(jent_block, sizeof(jent_block));
  164. return ret;
  165. }
  166. /***************************************************************************
  167. * Kernel crypto API interface
  168. ***************************************************************************/
  169. struct jitterentropy {
  170. spinlock_t jent_lock;
  171. struct rand_data *entropy_collector;
  172. struct crypto_shash *tfm;
  173. struct shash_desc *sdesc;
  174. };
  175. static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
  176. {
  177. struct jitterentropy *rng = crypto_tfm_ctx(tfm);
  178. spin_lock(&rng->jent_lock);
  179. if (rng->sdesc) {
  180. shash_desc_zero(rng->sdesc);
  181. kfree(rng->sdesc);
  182. }
  183. rng->sdesc = NULL;
  184. if (rng->tfm)
  185. crypto_free_shash(rng->tfm);
  186. rng->tfm = NULL;
  187. if (rng->entropy_collector)
  188. jent_entropy_collector_free(rng->entropy_collector);
  189. rng->entropy_collector = NULL;
  190. spin_unlock(&rng->jent_lock);
  191. }
  192. static int jent_kcapi_init(struct crypto_tfm *tfm)
  193. {
  194. struct jitterentropy *rng = crypto_tfm_ctx(tfm);
  195. struct crypto_shash *hash;
  196. struct shash_desc *sdesc;
  197. int size, ret = 0;
  198. spin_lock_init(&rng->jent_lock);
  199. /* Use SHA3-256 as conditioner */
  200. hash = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0);
  201. if (IS_ERR(hash)) {
  202. pr_err("Cannot allocate conditioning digest\n");
  203. return PTR_ERR(hash);
  204. }
  205. rng->tfm = hash;
  206. size = sizeof(struct shash_desc) + crypto_shash_descsize(hash);
  207. sdesc = kmalloc(size, GFP_KERNEL);
  208. if (!sdesc) {
  209. ret = -ENOMEM;
  210. goto err;
  211. }
  212. sdesc->tfm = hash;
  213. crypto_shash_init(sdesc);
  214. rng->sdesc = sdesc;
  215. rng->entropy_collector =
  216. jent_entropy_collector_alloc(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0,
  217. sdesc);
  218. if (!rng->entropy_collector) {
  219. ret = -ENOMEM;
  220. goto err;
  221. }
  222. spin_lock_init(&rng->jent_lock);
  223. return 0;
  224. err:
  225. jent_kcapi_cleanup(tfm);
  226. return ret;
  227. }
  228. static int jent_kcapi_random(struct crypto_rng *tfm,
  229. const u8 *src, unsigned int slen,
  230. u8 *rdata, unsigned int dlen)
  231. {
  232. struct jitterentropy *rng = crypto_rng_ctx(tfm);
  233. int ret = 0;
  234. spin_lock(&rng->jent_lock);
  235. ret = jent_read_entropy(rng->entropy_collector, rdata, dlen);
  236. if (ret == -3) {
  237. /* Handle permanent health test error */
  238. /*
  239. * If the kernel was booted with fips=1, it implies that
  240. * the entire kernel acts as a FIPS 140 module. In this case
  241. * an SP800-90B permanent health test error is treated as
  242. * a FIPS module error.
  243. */
  244. if (fips_enabled)
  245. panic("Jitter RNG permanent health test failure\n");
  246. pr_err("Jitter RNG permanent health test failure\n");
  247. ret = -EFAULT;
  248. } else if (ret == -2) {
  249. /* Handle intermittent health test error */
  250. pr_warn_ratelimited("Reset Jitter RNG due to intermittent health test failure\n");
  251. ret = -EAGAIN;
  252. } else if (ret == -1) {
  253. /* Handle other errors */
  254. ret = -EINVAL;
  255. }
  256. spin_unlock(&rng->jent_lock);
  257. return ret;
  258. }
  259. static int jent_kcapi_reset(struct crypto_rng *tfm,
  260. const u8 *seed, unsigned int slen)
  261. {
  262. return 0;
  263. }
  264. static struct rng_alg jent_alg = {
  265. .generate = jent_kcapi_random,
  266. .seed = jent_kcapi_reset,
  267. .seedsize = 0,
  268. .base = {
  269. .cra_name = "jitterentropy_rng",
  270. .cra_driver_name = "jitterentropy_rng",
  271. .cra_priority = 100,
  272. .cra_ctxsize = sizeof(struct jitterentropy),
  273. .cra_module = THIS_MODULE,
  274. .cra_init = jent_kcapi_init,
  275. .cra_exit = jent_kcapi_cleanup,
  276. }
  277. };
  278. static int __init jent_mod_init(void)
  279. {
  280. SHASH_DESC_ON_STACK(desc, tfm);
  281. struct crypto_shash *tfm;
  282. int ret = 0;
  283. jent_testing_init();
  284. tfm = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0);
  285. if (IS_ERR(tfm)) {
  286. jent_testing_exit();
  287. return PTR_ERR(tfm);
  288. }
  289. desc->tfm = tfm;
  290. crypto_shash_init(desc);
  291. ret = jent_entropy_init(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, desc, NULL);
  292. shash_desc_zero(desc);
  293. crypto_free_shash(tfm);
  294. if (ret) {
  295. /* Handle permanent health test error */
  296. if (fips_enabled)
  297. panic("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret);
  298. jent_testing_exit();
  299. pr_info("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret);
  300. return -EFAULT;
  301. }
  302. return crypto_register_rng(&jent_alg);
  303. }
  304. static void __exit jent_mod_exit(void)
  305. {
  306. jent_testing_exit();
  307. crypto_unregister_rng(&jent_alg);
  308. }
  309. module_init(jent_mod_init);
  310. module_exit(jent_mod_exit);
  311. MODULE_LICENSE("Dual BSD/GPL");
  312. MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
  313. MODULE_DESCRIPTION("Non-physical True Random Number Generator based on CPU Jitter");
  314. MODULE_ALIAS_CRYPTO("jitterentropy_rng");