1/* 2 * Copyright IBM Corp. 2006, 2015 3 * Author(s): Jan Glauber <jan.glauber@de.ibm.com> 4 * Harald Freudenberger <freude@de.ibm.com> 5 * Driver for the s390 pseudo random number generator 6 */ 7 8#define KMSG_COMPONENT "prng" 9#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 10 11#include <linux/fs.h> 12#include <linux/fips.h> 13#include <linux/init.h> 14#include <linux/kernel.h> 15#include <linux/device.h> 16#include <linux/miscdevice.h> 17#include <linux/module.h> 18#include <linux/moduleparam.h> 19#include <linux/mutex.h> 20#include <linux/cpufeature.h> 21#include <linux/random.h> 22#include <linux/slab.h> 23#include <asm/debug.h> 24#include <asm/uaccess.h> 25#include <asm/timex.h> 26 27#include "crypt_s390.h" 28 29MODULE_LICENSE("GPL"); 30MODULE_AUTHOR("IBM Corporation"); 31MODULE_DESCRIPTION("s390 PRNG interface"); 32 33 34#define PRNG_MODE_AUTO 0 35#define PRNG_MODE_TDES 1 36#define PRNG_MODE_SHA512 2 37 38static unsigned int prng_mode = PRNG_MODE_AUTO; 39module_param_named(mode, prng_mode, int, 0); 40MODULE_PARM_DESC(prng_mode, "PRNG mode: 0 - auto, 1 - TDES, 2 - SHA512"); 41 42 43#define PRNG_CHUNKSIZE_TDES_MIN 8 44#define PRNG_CHUNKSIZE_TDES_MAX (64*1024) 45#define PRNG_CHUNKSIZE_SHA512_MIN 64 46#define PRNG_CHUNKSIZE_SHA512_MAX (64*1024) 47 48static unsigned int prng_chunk_size = 256; 49module_param_named(chunksize, prng_chunk_size, int, 0); 50MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes"); 51 52 53#define PRNG_RESEED_LIMIT_TDES 4096 54#define PRNG_RESEED_LIMIT_TDES_LOWER 4096 55#define PRNG_RESEED_LIMIT_SHA512 100000 56#define PRNG_RESEED_LIMIT_SHA512_LOWER 10000 57 58static unsigned int prng_reseed_limit; 59module_param_named(reseed_limit, prng_reseed_limit, int, 0); 60MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit"); 61 62 63/* 64 * Any one who considers arithmetical methods of producing random digits is, 65 * of course, in a state of sin. -- John von Neumann 66 */ 67 68static int prng_errorflag; 69 70#define PRNG_GEN_ENTROPY_FAILED 1 71#define PRNG_SELFTEST_FAILED 2 72#define PRNG_INSTANTIATE_FAILED 3 73#define PRNG_SEED_FAILED 4 74#define PRNG_RESEED_FAILED 5 75#define PRNG_GEN_FAILED 6 76 77struct prng_ws_s { 78 u8 parm_block[32]; 79 u32 reseed_counter; 80 u64 byte_counter; 81}; 82 83struct ppno_ws_s { 84 u32 res; 85 u32 reseed_counter; 86 u64 stream_bytes; 87 u8 V[112]; 88 u8 C[112]; 89}; 90 91struct prng_data_s { 92 struct mutex mutex; 93 union { 94 struct prng_ws_s prngws; 95 struct ppno_ws_s ppnows; 96 }; 97 u8 *buf; 98 u32 rest; 99 u8 *prev; 100}; 101 102static struct prng_data_s *prng_data; 103 104/* initial parameter block for tdes mode, copied from libica */ 105static const u8 initial_parm_block[32] __initconst = { 106 0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52, 107 0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4, 108 0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF, 109 0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0 }; 110 111 112/*** helper functions ***/ 113 114static int generate_entropy(u8 *ebuf, size_t nbytes) 115{ 116 int n, ret = 0; 117 u8 *pg, *h, hash[32]; 118 119 pg = (u8 *) __get_free_page(GFP_KERNEL); 120 if (!pg) { 121 prng_errorflag = PRNG_GEN_ENTROPY_FAILED; 122 return -ENOMEM; 123 } 124 125 while (nbytes) { 126 /* fill page with urandom bytes */ 127 get_random_bytes(pg, PAGE_SIZE); 128 /* exor page with stckf values */ 129 for (n = 0; n < PAGE_SIZE / sizeof(u64); n++) { 130 u64 *p = ((u64 *)pg) + n; 131 *p ^= get_tod_clock_fast(); 132 } 133 n = (nbytes < sizeof(hash)) ? nbytes : sizeof(hash); 134 if (n < sizeof(hash)) 135 h = hash; 136 else 137 h = ebuf; 138 /* generate sha256 from this page */ 139 if (crypt_s390_kimd(KIMD_SHA_256, h, 140 pg, PAGE_SIZE) != PAGE_SIZE) { 141 prng_errorflag = PRNG_GEN_ENTROPY_FAILED; 142 ret = -EIO; 143 goto out; 144 } 145 if (n < sizeof(hash)) 146 memcpy(ebuf, hash, n); 147 ret += n; 148 ebuf += n; 149 nbytes -= n; 150 } 151 152out: 153 free_page((unsigned long)pg); 154 return ret; 155} 156 157 158/*** tdes functions ***/ 159 160static void prng_tdes_add_entropy(void) 161{ 162 __u64 entropy[4]; 163 unsigned int i; 164 int ret; 165 166 for (i = 0; i < 16; i++) { 167 ret = crypt_s390_kmc(KMC_PRNG, prng_data->prngws.parm_block, 168 (char *)entropy, (char *)entropy, 169 sizeof(entropy)); 170 BUG_ON(ret < 0 || ret != sizeof(entropy)); 171 memcpy(prng_data->prngws.parm_block, entropy, sizeof(entropy)); 172 } 173} 174 175 176static void prng_tdes_seed(int nbytes) 177{ 178 char buf[16]; 179 int i = 0; 180 181 BUG_ON(nbytes > sizeof(buf)); 182 183 get_random_bytes(buf, nbytes); 184 185 /* Add the entropy */ 186 while (nbytes >= 8) { 187 *((__u64 *)prng_data->prngws.parm_block) ^= *((__u64 *)(buf+i)); 188 prng_tdes_add_entropy(); 189 i += 8; 190 nbytes -= 8; 191 } 192 prng_tdes_add_entropy(); 193 prng_data->prngws.reseed_counter = 0; 194} 195 196 197static int __init prng_tdes_instantiate(void) 198{ 199 int datalen; 200 201 pr_debug("prng runs in TDES mode with " 202 "chunksize=%d and reseed_limit=%u\n", 203 prng_chunk_size, prng_reseed_limit); 204 205 /* memory allocation, prng_data struct init, mutex init */ 206 datalen = sizeof(struct prng_data_s) + prng_chunk_size; 207 prng_data = kzalloc(datalen, GFP_KERNEL); 208 if (!prng_data) { 209 prng_errorflag = PRNG_INSTANTIATE_FAILED; 210 return -ENOMEM; 211 } 212 mutex_init(&prng_data->mutex); 213 prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s); 214 memcpy(prng_data->prngws.parm_block, initial_parm_block, 32); 215 216 /* initialize the PRNG, add 128 bits of entropy */ 217 prng_tdes_seed(16); 218 219 return 0; 220} 221 222 223static void prng_tdes_deinstantiate(void) 224{ 225 pr_debug("The prng module stopped " 226 "after running in triple DES mode\n"); 227 kzfree(prng_data); 228} 229 230 231/*** sha512 functions ***/ 232 233static int __init prng_sha512_selftest(void) 234{ 235 /* NIST DRBG testvector for Hash Drbg, Sha-512, Count #0 */ 236 static const u8 seed[] __initconst = { 237 0x6b, 0x50, 0xa7, 0xd8, 0xf8, 0xa5, 0x5d, 0x7a, 238 0x3d, 0xf8, 0xbb, 0x40, 0xbc, 0xc3, 0xb7, 0x22, 239 0xd8, 0x70, 0x8d, 0xe6, 0x7f, 0xda, 0x01, 0x0b, 240 0x03, 0xc4, 0xc8, 0x4d, 0x72, 0x09, 0x6f, 0x8c, 241 0x3e, 0xc6, 0x49, 0xcc, 0x62, 0x56, 0xd9, 0xfa, 242 0x31, 0xdb, 0x7a, 0x29, 0x04, 0xaa, 0xf0, 0x25 }; 243 static const u8 V0[] __initconst = { 244 0x00, 0xad, 0xe3, 0x6f, 0x9a, 0x01, 0xc7, 0x76, 245 0x61, 0x34, 0x35, 0xf5, 0x4e, 0x24, 0x74, 0x22, 246 0x21, 0x9a, 0x29, 0x89, 0xc7, 0x93, 0x2e, 0x60, 247 0x1e, 0xe8, 0x14, 0x24, 0x8d, 0xd5, 0x03, 0xf1, 248 0x65, 0x5d, 0x08, 0x22, 0x72, 0xd5, 0xad, 0x95, 249 0xe1, 0x23, 0x1e, 0x8a, 0xa7, 0x13, 0xd9, 0x2b, 250 0x5e, 0xbc, 0xbb, 0x80, 0xab, 0x8d, 0xe5, 0x79, 251 0xab, 0x5b, 0x47, 0x4e, 0xdd, 0xee, 0x6b, 0x03, 252 0x8f, 0x0f, 0x5c, 0x5e, 0xa9, 0x1a, 0x83, 0xdd, 253 0xd3, 0x88, 0xb2, 0x75, 0x4b, 0xce, 0x83, 0x36, 254 0x57, 0x4b, 0xf1, 0x5c, 0xca, 0x7e, 0x09, 0xc0, 255 0xd3, 0x89, 0xc6, 0xe0, 0xda, 0xc4, 0x81, 0x7e, 256 0x5b, 0xf9, 0xe1, 0x01, 0xc1, 0x92, 0x05, 0xea, 257 0xf5, 0x2f, 0xc6, 0xc6, 0xc7, 0x8f, 0xbc, 0xf4 }; 258 static const u8 C0[] __initconst = { 259 0x00, 0xf4, 0xa3, 0xe5, 0xa0, 0x72, 0x63, 0x95, 260 0xc6, 0x4f, 0x48, 0xd0, 0x8b, 0x5b, 0x5f, 0x8e, 261 0x6b, 0x96, 0x1f, 0x16, 0xed, 0xbc, 0x66, 0x94, 262 0x45, 0x31, 0xd7, 0x47, 0x73, 0x22, 0xa5, 0x86, 263 0xce, 0xc0, 0x4c, 0xac, 0x63, 0xb8, 0x39, 0x50, 264 0xbf, 0xe6, 0x59, 0x6c, 0x38, 0x58, 0x99, 0x1f, 265 0x27, 0xa7, 0x9d, 0x71, 0x2a, 0xb3, 0x7b, 0xf9, 266 0xfb, 0x17, 0x86, 0xaa, 0x99, 0x81, 0xaa, 0x43, 267 0xe4, 0x37, 0xd3, 0x1e, 0x6e, 0xe5, 0xe6, 0xee, 268 0xc2, 0xed, 0x95, 0x4f, 0x53, 0x0e, 0x46, 0x8a, 269 0xcc, 0x45, 0xa5, 0xdb, 0x69, 0x0d, 0x81, 0xc9, 270 0x32, 0x92, 0xbc, 0x8f, 0x33, 0xe6, 0xf6, 0x09, 271 0x7c, 0x8e, 0x05, 0x19, 0x0d, 0xf1, 0xb6, 0xcc, 272 0xf3, 0x02, 0x21, 0x90, 0x25, 0xec, 0xed, 0x0e }; 273 static const u8 random[] __initconst = { 274 0x95, 0xb7, 0xf1, 0x7e, 0x98, 0x02, 0xd3, 0x57, 275 0x73, 0x92, 0xc6, 0xa9, 0xc0, 0x80, 0x83, 0xb6, 276 0x7d, 0xd1, 0x29, 0x22, 0x65, 0xb5, 0xf4, 0x2d, 277 0x23, 0x7f, 0x1c, 0x55, 0xbb, 0x9b, 0x10, 0xbf, 278 0xcf, 0xd8, 0x2c, 0x77, 0xa3, 0x78, 0xb8, 0x26, 279 0x6a, 0x00, 0x99, 0x14, 0x3b, 0x3c, 0x2d, 0x64, 280 0x61, 0x1e, 0xee, 0xb6, 0x9a, 0xcd, 0xc0, 0x55, 281 0x95, 0x7c, 0x13, 0x9e, 0x8b, 0x19, 0x0c, 0x7a, 282 0x06, 0x95, 0x5f, 0x2c, 0x79, 0x7c, 0x27, 0x78, 283 0xde, 0x94, 0x03, 0x96, 0xa5, 0x01, 0xf4, 0x0e, 284 0x91, 0x39, 0x6a, 0xcf, 0x8d, 0x7e, 0x45, 0xeb, 285 0xdb, 0xb5, 0x3b, 0xbf, 0x8c, 0x97, 0x52, 0x30, 286 0xd2, 0xf0, 0xff, 0x91, 0x06, 0xc7, 0x61, 0x19, 287 0xae, 0x49, 0x8e, 0x7f, 0xbc, 0x03, 0xd9, 0x0f, 288 0x8e, 0x4c, 0x51, 0x62, 0x7a, 0xed, 0x5c, 0x8d, 289 0x42, 0x63, 0xd5, 0xd2, 0xb9, 0x78, 0x87, 0x3a, 290 0x0d, 0xe5, 0x96, 0xee, 0x6d, 0xc7, 0xf7, 0xc2, 291 0x9e, 0x37, 0xee, 0xe8, 0xb3, 0x4c, 0x90, 0xdd, 292 0x1c, 0xf6, 0xa9, 0xdd, 0xb2, 0x2b, 0x4c, 0xbd, 293 0x08, 0x6b, 0x14, 0xb3, 0x5d, 0xe9, 0x3d, 0xa2, 294 0xd5, 0xcb, 0x18, 0x06, 0x69, 0x8c, 0xbd, 0x7b, 295 0xbb, 0x67, 0xbf, 0xe3, 0xd3, 0x1f, 0xd2, 0xd1, 296 0xdb, 0xd2, 0xa1, 0xe0, 0x58, 0xa3, 0xeb, 0x99, 297 0xd7, 0xe5, 0x1f, 0x1a, 0x93, 0x8e, 0xed, 0x5e, 298 0x1c, 0x1d, 0xe2, 0x3a, 0x6b, 0x43, 0x45, 0xd3, 299 0x19, 0x14, 0x09, 0xf9, 0x2f, 0x39, 0xb3, 0x67, 300 0x0d, 0x8d, 0xbf, 0xb6, 0x35, 0xd8, 0xe6, 0xa3, 301 0x69, 0x32, 0xd8, 0x10, 0x33, 0xd1, 0x44, 0x8d, 302 0x63, 0xb4, 0x03, 0xdd, 0xf8, 0x8e, 0x12, 0x1b, 303 0x6e, 0x81, 0x9a, 0xc3, 0x81, 0x22, 0x6c, 0x13, 304 0x21, 0xe4, 0xb0, 0x86, 0x44, 0xf6, 0x72, 0x7c, 305 0x36, 0x8c, 0x5a, 0x9f, 0x7a, 0x4b, 0x3e, 0xe2 }; 306 307 int ret = 0; 308 u8 buf[sizeof(random)]; 309 struct ppno_ws_s ws; 310 311 memset(&ws, 0, sizeof(ws)); 312 313 /* initial seed */ 314 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_SEED, 315 &ws, NULL, 0, 316 seed, sizeof(seed)); 317 if (ret < 0) { 318 pr_err("The prng self test seed operation for the " 319 "SHA-512 mode failed with rc=%d\n", ret); 320 prng_errorflag = PRNG_SELFTEST_FAILED; 321 return -EIO; 322 } 323 324 /* check working states V and C */ 325 if (memcmp(ws.V, V0, sizeof(V0)) != 0 326 || memcmp(ws.C, C0, sizeof(C0)) != 0) { 327 pr_err("The prng self test state test " 328 "for the SHA-512 mode failed\n"); 329 prng_errorflag = PRNG_SELFTEST_FAILED; 330 return -EIO; 331 } 332 333 /* generate random bytes */ 334 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN, 335 &ws, buf, sizeof(buf), 336 NULL, 0); 337 if (ret < 0) { 338 pr_err("The prng self test generate operation for " 339 "the SHA-512 mode failed with rc=%d\n", ret); 340 prng_errorflag = PRNG_SELFTEST_FAILED; 341 return -EIO; 342 } 343 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN, 344 &ws, buf, sizeof(buf), 345 NULL, 0); 346 if (ret < 0) { 347 pr_err("The prng self test generate operation for " 348 "the SHA-512 mode failed with rc=%d\n", ret); 349 prng_errorflag = PRNG_SELFTEST_FAILED; 350 return -EIO; 351 } 352 353 /* check against expected data */ 354 if (memcmp(buf, random, sizeof(random)) != 0) { 355 pr_err("The prng self test data test " 356 "for the SHA-512 mode failed\n"); 357 prng_errorflag = PRNG_SELFTEST_FAILED; 358 return -EIO; 359 } 360 361 return 0; 362} 363 364 365static int __init prng_sha512_instantiate(void) 366{ 367 int ret, datalen; 368 u8 seed[64]; 369 370 pr_debug("prng runs in SHA-512 mode " 371 "with chunksize=%d and reseed_limit=%u\n", 372 prng_chunk_size, prng_reseed_limit); 373 374 /* memory allocation, prng_data struct init, mutex init */ 375 datalen = sizeof(struct prng_data_s) + prng_chunk_size; 376 if (fips_enabled) 377 datalen += prng_chunk_size; 378 prng_data = kzalloc(datalen, GFP_KERNEL); 379 if (!prng_data) { 380 prng_errorflag = PRNG_INSTANTIATE_FAILED; 381 return -ENOMEM; 382 } 383 mutex_init(&prng_data->mutex); 384 prng_data->buf = ((u8 *)prng_data) + sizeof(struct prng_data_s); 385 386 /* selftest */ 387 ret = prng_sha512_selftest(); 388 if (ret) 389 goto outfree; 390 391 /* generate initial seed bytestring, first 48 bytes of entropy */ 392 ret = generate_entropy(seed, 48); 393 if (ret != 48) 394 goto outfree; 395 /* followed by 16 bytes of unique nonce */ 396 get_tod_clock_ext(seed + 48); 397 398 /* initial seed of the ppno drng */ 399 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_SEED, 400 &prng_data->ppnows, NULL, 0, 401 seed, sizeof(seed)); 402 if (ret < 0) { 403 prng_errorflag = PRNG_SEED_FAILED; 404 ret = -EIO; 405 goto outfree; 406 } 407 408 /* if fips mode is enabled, generate a first block of random 409 bytes for the FIPS 140-2 Conditional Self Test */ 410 if (fips_enabled) { 411 prng_data->prev = prng_data->buf + prng_chunk_size; 412 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN, 413 &prng_data->ppnows, 414 prng_data->prev, 415 prng_chunk_size, 416 NULL, 0); 417 if (ret < 0 || ret != prng_chunk_size) { 418 prng_errorflag = PRNG_GEN_FAILED; 419 ret = -EIO; 420 goto outfree; 421 } 422 } 423 424 return 0; 425 426outfree: 427 kfree(prng_data); 428 return ret; 429} 430 431 432static void prng_sha512_deinstantiate(void) 433{ 434 pr_debug("The prng module stopped after running in SHA-512 mode\n"); 435 kzfree(prng_data); 436} 437 438 439static int prng_sha512_reseed(void) 440{ 441 int ret; 442 u8 seed[32]; 443 444 /* generate 32 bytes of fresh entropy */ 445 ret = generate_entropy(seed, sizeof(seed)); 446 if (ret != sizeof(seed)) 447 return ret; 448 449 /* do a reseed of the ppno drng with this bytestring */ 450 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_SEED, 451 &prng_data->ppnows, NULL, 0, 452 seed, sizeof(seed)); 453 if (ret) { 454 prng_errorflag = PRNG_RESEED_FAILED; 455 return -EIO; 456 } 457 458 return 0; 459} 460 461 462static int prng_sha512_generate(u8 *buf, size_t nbytes) 463{ 464 int ret; 465 466 /* reseed needed ? */ 467 if (prng_data->ppnows.reseed_counter > prng_reseed_limit) { 468 ret = prng_sha512_reseed(); 469 if (ret) 470 return ret; 471 } 472 473 /* PPNO generate */ 474 ret = crypt_s390_ppno(PPNO_SHA512_DRNG_GEN, 475 &prng_data->ppnows, buf, nbytes, 476 NULL, 0); 477 if (ret < 0 || ret != nbytes) { 478 prng_errorflag = PRNG_GEN_FAILED; 479 return -EIO; 480 } 481 482 /* FIPS 140-2 Conditional Self Test */ 483 if (fips_enabled) { 484 if (!memcmp(prng_data->prev, buf, nbytes)) { 485 prng_errorflag = PRNG_GEN_FAILED; 486 return -EILSEQ; 487 } 488 memcpy(prng_data->prev, buf, nbytes); 489 } 490 491 return ret; 492} 493 494 495/*** file io functions ***/ 496 497static int prng_open(struct inode *inode, struct file *file) 498{ 499 return nonseekable_open(inode, file); 500} 501 502 503static ssize_t prng_tdes_read(struct file *file, char __user *ubuf, 504 size_t nbytes, loff_t *ppos) 505{ 506 int chunk, n, tmp, ret = 0; 507 508 /* lock prng_data struct */ 509 if (mutex_lock_interruptible(&prng_data->mutex)) 510 return -ERESTARTSYS; 511 512 while (nbytes) { 513 if (need_resched()) { 514 if (signal_pending(current)) { 515 if (ret == 0) 516 ret = -ERESTARTSYS; 517 break; 518 } 519 /* give mutex free before calling schedule() */ 520 mutex_unlock(&prng_data->mutex); 521 schedule(); 522 /* occopy mutex again */ 523 if (mutex_lock_interruptible(&prng_data->mutex)) { 524 if (ret == 0) 525 ret = -ERESTARTSYS; 526 return ret; 527 } 528 } 529 530 /* 531 * we lose some random bytes if an attacker issues 532 * reads < 8 bytes, but we don't care 533 */ 534 chunk = min_t(int, nbytes, prng_chunk_size); 535 536 /* PRNG only likes multiples of 8 bytes */ 537 n = (chunk + 7) & -8; 538 539 if (prng_data->prngws.reseed_counter > prng_reseed_limit) 540 prng_tdes_seed(8); 541 542 /* if the CPU supports PRNG stckf is present too */ 543 *((unsigned long long *)prng_data->buf) = get_tod_clock_fast(); 544 545 /* 546 * Beside the STCKF the input for the TDES-EDE is the output 547 * of the last operation. We differ here from X9.17 since we 548 * only store one timestamp into the buffer. Padding the whole 549 * buffer with timestamps does not improve security, since 550 * successive stckf have nearly constant offsets. 551 * If an attacker knows the first timestamp it would be 552 * trivial to guess the additional values. One timestamp 553 * is therefore enough and still guarantees unique input values. 554 * 555 * Note: you can still get strict X9.17 conformity by setting 556 * prng_chunk_size to 8 bytes. 557 */ 558 tmp = crypt_s390_kmc(KMC_PRNG, prng_data->prngws.parm_block, 559 prng_data->buf, prng_data->buf, n); 560 if (tmp < 0 || tmp != n) { 561 ret = -EIO; 562 break; 563 } 564 565 prng_data->prngws.byte_counter += n; 566 prng_data->prngws.reseed_counter += n; 567 568 if (copy_to_user(ubuf, prng_data->buf, chunk)) 569 return -EFAULT; 570 571 nbytes -= chunk; 572 ret += chunk; 573 ubuf += chunk; 574 } 575 576 /* unlock prng_data struct */ 577 mutex_unlock(&prng_data->mutex); 578 579 return ret; 580} 581 582 583static ssize_t prng_sha512_read(struct file *file, char __user *ubuf, 584 size_t nbytes, loff_t *ppos) 585{ 586 int n, ret = 0; 587 u8 *p; 588 589 /* if errorflag is set do nothing and return 'broken pipe' */ 590 if (prng_errorflag) 591 return -EPIPE; 592 593 /* lock prng_data struct */ 594 if (mutex_lock_interruptible(&prng_data->mutex)) 595 return -ERESTARTSYS; 596 597 while (nbytes) { 598 if (need_resched()) { 599 if (signal_pending(current)) { 600 if (ret == 0) 601 ret = -ERESTARTSYS; 602 break; 603 } 604 /* give mutex free before calling schedule() */ 605 mutex_unlock(&prng_data->mutex); 606 schedule(); 607 /* occopy mutex again */ 608 if (mutex_lock_interruptible(&prng_data->mutex)) { 609 if (ret == 0) 610 ret = -ERESTARTSYS; 611 return ret; 612 } 613 } 614 if (prng_data->rest) { 615 /* push left over random bytes from the previous read */ 616 p = prng_data->buf + prng_chunk_size - prng_data->rest; 617 n = (nbytes < prng_data->rest) ? 618 nbytes : prng_data->rest; 619 prng_data->rest -= n; 620 } else { 621 /* generate one chunk of random bytes into read buf */ 622 p = prng_data->buf; 623 n = prng_sha512_generate(p, prng_chunk_size); 624 if (n < 0) { 625 ret = n; 626 break; 627 } 628 if (nbytes < prng_chunk_size) { 629 n = nbytes; 630 prng_data->rest = prng_chunk_size - n; 631 } else { 632 n = prng_chunk_size; 633 prng_data->rest = 0; 634 } 635 } 636 if (copy_to_user(ubuf, p, n)) { 637 ret = -EFAULT; 638 break; 639 } 640 ubuf += n; 641 nbytes -= n; 642 ret += n; 643 } 644 645 /* unlock prng_data struct */ 646 mutex_unlock(&prng_data->mutex); 647 648 return ret; 649} 650 651 652/*** sysfs stuff ***/ 653 654static const struct file_operations prng_sha512_fops = { 655 .owner = THIS_MODULE, 656 .open = &prng_open, 657 .release = NULL, 658 .read = &prng_sha512_read, 659 .llseek = noop_llseek, 660}; 661static const struct file_operations prng_tdes_fops = { 662 .owner = THIS_MODULE, 663 .open = &prng_open, 664 .release = NULL, 665 .read = &prng_tdes_read, 666 .llseek = noop_llseek, 667}; 668 669static struct miscdevice prng_sha512_dev = { 670 .name = "prandom", 671 .minor = MISC_DYNAMIC_MINOR, 672 .fops = &prng_sha512_fops, 673}; 674static struct miscdevice prng_tdes_dev = { 675 .name = "prandom", 676 .minor = MISC_DYNAMIC_MINOR, 677 .fops = &prng_tdes_fops, 678}; 679 680 681/* chunksize attribute (ro) */ 682static ssize_t prng_chunksize_show(struct device *dev, 683 struct device_attribute *attr, 684 char *buf) 685{ 686 return snprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size); 687} 688static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL); 689 690/* counter attribute (ro) */ 691static ssize_t prng_counter_show(struct device *dev, 692 struct device_attribute *attr, 693 char *buf) 694{ 695 u64 counter; 696 697 if (mutex_lock_interruptible(&prng_data->mutex)) 698 return -ERESTARTSYS; 699 if (prng_mode == PRNG_MODE_SHA512) 700 counter = prng_data->ppnows.stream_bytes; 701 else 702 counter = prng_data->prngws.byte_counter; 703 mutex_unlock(&prng_data->mutex); 704 705 return snprintf(buf, PAGE_SIZE, "%llu\n", counter); 706} 707static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL); 708 709/* errorflag attribute (ro) */ 710static ssize_t prng_errorflag_show(struct device *dev, 711 struct device_attribute *attr, 712 char *buf) 713{ 714 return snprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag); 715} 716static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL); 717 718/* mode attribute (ro) */ 719static ssize_t prng_mode_show(struct device *dev, 720 struct device_attribute *attr, 721 char *buf) 722{ 723 if (prng_mode == PRNG_MODE_TDES) 724 return snprintf(buf, PAGE_SIZE, "TDES\n"); 725 else 726 return snprintf(buf, PAGE_SIZE, "SHA512\n"); 727} 728static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL); 729 730/* reseed attribute (w) */ 731static ssize_t prng_reseed_store(struct device *dev, 732 struct device_attribute *attr, 733 const char *buf, size_t count) 734{ 735 if (mutex_lock_interruptible(&prng_data->mutex)) 736 return -ERESTARTSYS; 737 prng_sha512_reseed(); 738 mutex_unlock(&prng_data->mutex); 739 740 return count; 741} 742static DEVICE_ATTR(reseed, 0200, NULL, prng_reseed_store); 743 744/* reseed limit attribute (rw) */ 745static ssize_t prng_reseed_limit_show(struct device *dev, 746 struct device_attribute *attr, 747 char *buf) 748{ 749 return snprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit); 750} 751static ssize_t prng_reseed_limit_store(struct device *dev, 752 struct device_attribute *attr, 753 const char *buf, size_t count) 754{ 755 unsigned limit; 756 757 if (sscanf(buf, "%u\n", &limit) != 1) 758 return -EINVAL; 759 760 if (prng_mode == PRNG_MODE_SHA512) { 761 if (limit < PRNG_RESEED_LIMIT_SHA512_LOWER) 762 return -EINVAL; 763 } else { 764 if (limit < PRNG_RESEED_LIMIT_TDES_LOWER) 765 return -EINVAL; 766 } 767 768 prng_reseed_limit = limit; 769 770 return count; 771} 772static DEVICE_ATTR(reseed_limit, 0644, 773 prng_reseed_limit_show, prng_reseed_limit_store); 774 775/* strength attribute (ro) */ 776static ssize_t prng_strength_show(struct device *dev, 777 struct device_attribute *attr, 778 char *buf) 779{ 780 return snprintf(buf, PAGE_SIZE, "256\n"); 781} 782static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL); 783 784static struct attribute *prng_sha512_dev_attrs[] = { 785 &dev_attr_errorflag.attr, 786 &dev_attr_chunksize.attr, 787 &dev_attr_byte_counter.attr, 788 &dev_attr_mode.attr, 789 &dev_attr_reseed.attr, 790 &dev_attr_reseed_limit.attr, 791 &dev_attr_strength.attr, 792 NULL 793}; 794static struct attribute *prng_tdes_dev_attrs[] = { 795 &dev_attr_chunksize.attr, 796 &dev_attr_byte_counter.attr, 797 &dev_attr_mode.attr, 798 NULL 799}; 800 801static struct attribute_group prng_sha512_dev_attr_group = { 802 .attrs = prng_sha512_dev_attrs 803}; 804static struct attribute_group prng_tdes_dev_attr_group = { 805 .attrs = prng_tdes_dev_attrs 806}; 807 808 809/*** module init and exit ***/ 810 811static int __init prng_init(void) 812{ 813 int ret; 814 815 /* check if the CPU has a PRNG */ 816 if (!crypt_s390_func_available(KMC_PRNG, CRYPT_S390_MSA)) 817 return -EOPNOTSUPP; 818 819 /* choose prng mode */ 820 if (prng_mode != PRNG_MODE_TDES) { 821 /* check for MSA5 support for PPNO operations */ 822 if (!crypt_s390_func_available(PPNO_SHA512_DRNG_GEN, 823 CRYPT_S390_MSA5)) { 824 if (prng_mode == PRNG_MODE_SHA512) { 825 pr_err("The prng module cannot " 826 "start in SHA-512 mode\n"); 827 return -EOPNOTSUPP; 828 } 829 prng_mode = PRNG_MODE_TDES; 830 } else 831 prng_mode = PRNG_MODE_SHA512; 832 } 833 834 if (prng_mode == PRNG_MODE_SHA512) { 835 836 /* SHA512 mode */ 837 838 if (prng_chunk_size < PRNG_CHUNKSIZE_SHA512_MIN 839 || prng_chunk_size > PRNG_CHUNKSIZE_SHA512_MAX) 840 return -EINVAL; 841 prng_chunk_size = (prng_chunk_size + 0x3f) & ~0x3f; 842 843 if (prng_reseed_limit == 0) 844 prng_reseed_limit = PRNG_RESEED_LIMIT_SHA512; 845 else if (prng_reseed_limit < PRNG_RESEED_LIMIT_SHA512_LOWER) 846 return -EINVAL; 847 848 ret = prng_sha512_instantiate(); 849 if (ret) 850 goto out; 851 852 ret = misc_register(&prng_sha512_dev); 853 if (ret) { 854 prng_sha512_deinstantiate(); 855 goto out; 856 } 857 ret = sysfs_create_group(&prng_sha512_dev.this_device->kobj, 858 &prng_sha512_dev_attr_group); 859 if (ret) { 860 misc_deregister(&prng_sha512_dev); 861 prng_sha512_deinstantiate(); 862 goto out; 863 } 864 865 } else { 866 867 /* TDES mode */ 868 869 if (prng_chunk_size < PRNG_CHUNKSIZE_TDES_MIN 870 || prng_chunk_size > PRNG_CHUNKSIZE_TDES_MAX) 871 return -EINVAL; 872 prng_chunk_size = (prng_chunk_size + 0x07) & ~0x07; 873 874 if (prng_reseed_limit == 0) 875 prng_reseed_limit = PRNG_RESEED_LIMIT_TDES; 876 else if (prng_reseed_limit < PRNG_RESEED_LIMIT_TDES_LOWER) 877 return -EINVAL; 878 879 ret = prng_tdes_instantiate(); 880 if (ret) 881 goto out; 882 883 ret = misc_register(&prng_tdes_dev); 884 if (ret) { 885 prng_tdes_deinstantiate(); 886 goto out; 887 } 888 ret = sysfs_create_group(&prng_tdes_dev.this_device->kobj, 889 &prng_tdes_dev_attr_group); 890 if (ret) { 891 misc_deregister(&prng_tdes_dev); 892 prng_tdes_deinstantiate(); 893 goto out; 894 } 895 896 } 897 898out: 899 return ret; 900} 901 902 903static void __exit prng_exit(void) 904{ 905 if (prng_mode == PRNG_MODE_SHA512) { 906 sysfs_remove_group(&prng_sha512_dev.this_device->kobj, 907 &prng_sha512_dev_attr_group); 908 misc_deregister(&prng_sha512_dev); 909 prng_sha512_deinstantiate(); 910 } else { 911 sysfs_remove_group(&prng_tdes_dev.this_device->kobj, 912 &prng_tdes_dev_attr_group); 913 misc_deregister(&prng_tdes_dev); 914 prng_tdes_deinstantiate(); 915 } 916} 917 918module_cpu_feature_match(MSA, prng_init); 919module_exit(prng_exit); 920