1
/*
2
 * Copyright IBM Corp. 2006,2007
3
 * Author(s): Jan Glauber <[email protected]>
4
 * Driver for the s390 pseudo random number generator
5
 */
6
#include <linux/fs.h>
7
#include <linux/init.h>
8
#include <linux/kernel.h>
9
#include <linux/miscdevice.h>
10
#include <linux/module.h>
11
#include <linux/moduleparam.h>
12
#include <linux/random.h>
13
#include <linux/slab.h>
14
#include <asm/debug.h>
15
#include <asm/uaccess.h>
16

17
#include "crypt_s390.h"
18

19
MODULE_LICENSE("GPL");
20
MODULE_AUTHOR("Jan Glauber <[email protected]>");
21
MODULE_DESCRIPTION("s390 PRNG interface");
22

23
static int prng_chunk_size = 256;
24
module_param(prng_chunk_size, int, S_IRUSR | S_IRGRP | S_IROTH);
25
MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
26

27
static int prng_entropy_limit = 4096;
28
module_param(prng_entropy_limit, int, S_IRUSR | S_IRGRP | S_IROTH | S_IWUSR);
29
MODULE_PARM_DESC(prng_entropy_limit,
30
	"PRNG add entropy after that much bytes were produced");
31

32
/*
33
 * Any one who considers arithmetical methods of producing random digits is,
34
 * of course, in a state of sin. -- John von Neumann
35
 */
36

37
struct s390_prng_data {
38
	unsigned long count; /* how many bytes were produced */
39
	char *buf;
40
};
41

42
static struct s390_prng_data *p;
43

44
/* copied from libica, use a non-zero initial parameter block */
45
static unsigned char parm_block[32] = {
46
0x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4,
47
0x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0,
48
};
49

50
static int prng_open(struct inode *inode, struct file *file)
51
{
52
	return nonseekable_open(inode, file);
53
}
54

55
static void prng_add_entropy(void)
56
{
57
	__u64 entropy[4];
58
	unsigned int i;
59
	int ret;
60

61
	for (i = 0; i < 16; i++) {
62
		ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy,
63
				     (char *)entropy, sizeof(entropy));
64
		BUG_ON(ret < 0 || ret != sizeof(entropy));
65
		memcpy(parm_block, entropy, sizeof(entropy));
66
	}
67
}
68

69
static void prng_seed(int nbytes)
70
{
71
	char buf[16];
72
	int i = 0;
73

74
	BUG_ON(nbytes > 16);
75
	get_random_bytes(buf, nbytes);
76

77
	/* Add the entropy */
78
	while (nbytes >= 8) {
79
		*((__u64 *)parm_block) ^= *((__u64 *)(buf+i));
80
		prng_add_entropy();
81
		i += 8;
82
		nbytes -= 8;
83
	}
84
	prng_add_entropy();
85
}
86

87
static ssize_t prng_read(struct file *file, char __user *ubuf, size_t nbytes,
88
			 loff_t *ppos)
89
{
90
	int chunk, n;
91
	int ret = 0;
92
	int tmp;
93

94
	/* nbytes can be arbitrary length, we split it into chunks */
95
	while (nbytes) {
96
		/* same as in extract_entropy_user in random.c */
97
		if (need_resched()) {
98
			if (signal_pending(current)) {
99
				if (ret == 0)
100
					ret = -ERESTARTSYS;
101
				break;
102
			}
103
			schedule();
104
		}
105

106
		/*
107
		 * we lose some random bytes if an attacker issues
108
		 * reads < 8 bytes, but we don't care
109
		 */
110
		chunk = min_t(int, nbytes, prng_chunk_size);
111

112
		/* PRNG only likes multiples of 8 bytes */
113
		n = (chunk + 7) & -8;
114

115
		if (p->count > prng_entropy_limit)
116
			prng_seed(8);
117

118
		/* if the CPU supports PRNG stckf is present too */
119
		asm volatile(".insn     s,0xb27c0000,%0"
120
			     : "=m" (*((unsigned long long *)p->buf)) : : "cc");
121

122
		/*
123
		 * Beside the STCKF the input for the TDES-EDE is the output
124
		 * of the last operation. We differ here from X9.17 since we
125
		 * only store one timestamp into the buffer. Padding the whole
126
		 * buffer with timestamps does not improve security, since
127
		 * successive stckf have nearly constant offsets.
128
		 * If an attacker knows the first timestamp it would be
129
		 * trivial to guess the additional values. One timestamp
130
		 * is therefore enough and still guarantees unique input values.
131
		 *
132
		 * Note: you can still get strict X9.17 conformity by setting
133
		 * prng_chunk_size to 8 bytes.
134
		*/
135
		tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n);
136
		BUG_ON((tmp < 0) || (tmp != n));
137

138
		p->count += n;
139

140
		if (copy_to_user(ubuf, p->buf, chunk))
141
			return -EFAULT;
142

143
		nbytes -= chunk;
144
		ret += chunk;
145
		ubuf += chunk;
146
	}
147
	return ret;
148
}
149

150
static const struct file_operations prng_fops = {
151
	.owner		= THIS_MODULE,
152
	.open		= &prng_open,
153
	.release	= NULL,
154
	.read		= &prng_read,
155
	.llseek		= noop_llseek,
156
};
157

158
static struct miscdevice prng_dev = {
159
	.name	= "prandom",
160
	.minor	= MISC_DYNAMIC_MINOR,
161
	.fops	= &prng_fops,
162
};
163

164
static int __init prng_init(void)
165
{
166
	int ret;
167

168
	/* check if the CPU has a PRNG */
169
	if (!crypt_s390_func_available(KMC_PRNG, CRYPT_S390_MSA))
170
		return -EOPNOTSUPP;
171

172
	if (prng_chunk_size < 8)
173
		return -EINVAL;
174

175
	p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL);
176
	if (!p)
177
		return -ENOMEM;
178
	p->count = 0;
179

180
	p->buf = kmalloc(prng_chunk_size, GFP_KERNEL);
181
	if (!p->buf) {
182
		ret = -ENOMEM;
183
		goto out_free;
184
	}
185

186
	/* initialize the PRNG, add 128 bits of entropy */
187
	prng_seed(16);
188

189
	ret = misc_register(&prng_dev);
190
	if (ret)
191
		goto out_buf;
192
	return 0;
193

194
out_buf:
195
	kfree(p->buf);
196
out_free:
197
	kfree(p);
198
	return ret;
199
}
200

201
static void __exit prng_exit(void)
202
{
203
	/* wipe me */
204
	kzfree(p->buf);
205
	kfree(p);
206

207
	misc_deregister(&prng_dev);
208
}
209

210
module_init(prng_init);
211
module_exit(prng_exit);
212

213