blob: 94a35a4c1b486c02200f6be510ecafd8a59701c6 [file] [log] [blame]
Jan Glauber1b278292007-02-05 21:18:22 +01001/*
Heiko Carstensa53c8fa2012-07-20 11:15:04 +02002 * Copyright IBM Corp. 2006, 2007
Jan Glauber1b278292007-02-05 21:18:22 +01003 * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
4 * Driver for the s390 pseudo random number generator
5 */
6#include <linux/fs.h>
7#include <linux/init.h>
8#include <linux/kernel.h>
9#include <linux/miscdevice.h>
10#include <linux/module.h>
11#include <linux/moduleparam.h>
12#include <linux/random.h>
Tejun Heo5a0e3ad2010-03-24 17:04:11 +090013#include <linux/slab.h>
Jan Glauber1b278292007-02-05 21:18:22 +010014#include <asm/debug.h>
15#include <asm/uaccess.h>
16
17#include "crypt_s390.h"
18
19MODULE_LICENSE("GPL");
20MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>");
21MODULE_DESCRIPTION("s390 PRNG interface");
22
23static int prng_chunk_size = 256;
24module_param(prng_chunk_size, int, S_IRUSR | S_IRGRP | S_IROTH);
25MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
26
27static int prng_entropy_limit = 4096;
28module_param(prng_entropy_limit, int, S_IRUSR | S_IRGRP | S_IROTH | S_IWUSR);
29MODULE_PARM_DESC(prng_entropy_limit,
30 "PRNG add entropy after that much bytes were produced");
31
32/*
33 * Any one who considers arithmetical methods of producing random digits is,
34 * of course, in a state of sin. -- John von Neumann
35 */
36
37struct s390_prng_data {
38 unsigned long count; /* how many bytes were produced */
39 char *buf;
40};
41
42static struct s390_prng_data *p;
43
44/* copied from libica, use a non-zero initial parameter block */
45static unsigned char parm_block[32] = {
460x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4,
470x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0,
48};
49
50static int prng_open(struct inode *inode, struct file *file)
51{
52 return nonseekable_open(inode, file);
53}
54
55static void prng_add_entropy(void)
56{
57 __u64 entropy[4];
58 unsigned int i;
59 int ret;
60
61 for (i = 0; i < 16; i++) {
62 ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy,
63 (char *)entropy, sizeof(entropy));
64 BUG_ON(ret < 0 || ret != sizeof(entropy));
65 memcpy(parm_block, entropy, sizeof(entropy));
66 }
67}
68
69static void prng_seed(int nbytes)
70{
71 char buf[16];
72 int i = 0;
73
74 BUG_ON(nbytes > 16);
75 get_random_bytes(buf, nbytes);
76
77 /* Add the entropy */
78 while (nbytes >= 8) {
Martin Schwidefskyed961582011-04-27 09:34:33 +020079 *((__u64 *)parm_block) ^= *((__u64 *)(buf+i));
Jan Glauber1b278292007-02-05 21:18:22 +010080 prng_add_entropy();
81 i += 8;
82 nbytes -= 8;
83 }
84 prng_add_entropy();
85}
86
87static ssize_t prng_read(struct file *file, char __user *ubuf, size_t nbytes,
88 loff_t *ppos)
89{
90 int chunk, n;
91 int ret = 0;
92 int tmp;
93
Joe Perchesc2e3bba2008-01-26 14:11:18 +010094 /* nbytes can be arbitrary length, we split it into chunks */
Jan Glauber1b278292007-02-05 21:18:22 +010095 while (nbytes) {
96 /* same as in extract_entropy_user in random.c */
97 if (need_resched()) {
98 if (signal_pending(current)) {
99 if (ret == 0)
100 ret = -ERESTARTSYS;
101 break;
102 }
103 schedule();
104 }
105
106 /*
107 * we lose some random bytes if an attacker issues
108 * reads < 8 bytes, but we don't care
109 */
110 chunk = min_t(int, nbytes, prng_chunk_size);
111
112 /* PRNG only likes multiples of 8 bytes */
113 n = (chunk + 7) & -8;
114
115 if (p->count > prng_entropy_limit)
116 prng_seed(8);
117
118 /* if the CPU supports PRNG stckf is present too */
119 asm volatile(".insn s,0xb27c0000,%0"
120 : "=m" (*((unsigned long long *)p->buf)) : : "cc");
121
122 /*
123 * Beside the STCKF the input for the TDES-EDE is the output
124 * of the last operation. We differ here from X9.17 since we
125 * only store one timestamp into the buffer. Padding the whole
126 * buffer with timestamps does not improve security, since
127 * successive stckf have nearly constant offsets.
128 * If an attacker knows the first timestamp it would be
129 * trivial to guess the additional values. One timestamp
130 * is therefore enough and still guarantees unique input values.
131 *
132 * Note: you can still get strict X9.17 conformity by setting
133 * prng_chunk_size to 8 bytes.
134 */
135 tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n);
136 BUG_ON((tmp < 0) || (tmp != n));
137
138 p->count += n;
139
140 if (copy_to_user(ubuf, p->buf, chunk))
141 return -EFAULT;
142
143 nbytes -= chunk;
144 ret += chunk;
145 ubuf += chunk;
146 }
147 return ret;
148}
149
Jan Engelhardt5c81cdb2008-01-26 14:11:29 +0100150static const struct file_operations prng_fops = {
Jan Glauber1b278292007-02-05 21:18:22 +0100151 .owner = THIS_MODULE,
152 .open = &prng_open,
153 .release = NULL,
154 .read = &prng_read,
Arnd Bergmann6038f372010-08-15 18:52:59 +0200155 .llseek = noop_llseek,
Jan Glauber1b278292007-02-05 21:18:22 +0100156};
157
158static struct miscdevice prng_dev = {
159 .name = "prandom",
160 .minor = MISC_DYNAMIC_MINOR,
161 .fops = &prng_fops,
162};
163
164static int __init prng_init(void)
165{
166 int ret;
167
168 /* check if the CPU has a PRNG */
Jan Glauber1822bc92011-04-19 21:29:14 +0200169 if (!crypt_s390_func_available(KMC_PRNG, CRYPT_S390_MSA))
Jan Glauber1b278292007-02-05 21:18:22 +0100170 return -EOPNOTSUPP;
171
172 if (prng_chunk_size < 8)
173 return -EINVAL;
174
175 p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL);
176 if (!p)
177 return -ENOMEM;
178 p->count = 0;
179
180 p->buf = kmalloc(prng_chunk_size, GFP_KERNEL);
181 if (!p->buf) {
182 ret = -ENOMEM;
183 goto out_free;
184 }
185
186 /* initialize the PRNG, add 128 bits of entropy */
187 prng_seed(16);
188
189 ret = misc_register(&prng_dev);
Jan Glauberd4ebabe2008-07-14 09:59:32 +0200190 if (ret)
Jan Glauber1b278292007-02-05 21:18:22 +0100191 goto out_buf;
Jan Glauber1b278292007-02-05 21:18:22 +0100192 return 0;
193
194out_buf:
195 kfree(p->buf);
196out_free:
197 kfree(p);
198 return ret;
199}
200
201static void __exit prng_exit(void)
202{
203 /* wipe me */
Johannes Weiner3e75a902009-03-26 15:24:48 +0100204 kzfree(p->buf);
Jan Glauber1b278292007-02-05 21:18:22 +0100205 kfree(p);
206
207 misc_deregister(&prng_dev);
208}
209
210module_init(prng_init);
211module_exit(prng_exit);