2007-02-05 20:18:22 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright IBM Corp. 2006,2007
|
|
|
|
|
* Author(s): Jan Glauber <jan.glauber@de.ibm.com>
|
|
|
|
|
* Driver for the s390 pseudo random number generator
|
|
|
|
|
*/
|
|
|
|
|
#include <linux/fs.h>
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/miscdevice.h>
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/moduleparam.h>
|
|
|
|
|
#include <linux/random.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
2007-02-05 20:18:22 +00:00
|
|
|
#include <asm/debug.h>
|
|
|
|
|
#include <asm/uaccess.h>
|
|
|
|
|
|
|
|
|
|
#include "crypt_s390.h"
|
|
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>");
|
|
|
|
|
MODULE_DESCRIPTION("s390 PRNG interface");
|
|
|
|
|
|
|
|
|
|
static int prng_chunk_size = 256;
|
|
|
|
|
module_param(prng_chunk_size, int, S_IRUSR | S_IRGRP | S_IROTH);
|
|
|
|
|
MODULE_PARM_DESC(prng_chunk_size, "PRNG read chunk size in bytes");
|
|
|
|
|
|
|
|
|
|
static int prng_entropy_limit = 4096;
|
|
|
|
|
module_param(prng_entropy_limit, int, S_IRUSR | S_IRGRP | S_IROTH | S_IWUSR);
|
|
|
|
|
MODULE_PARM_DESC(prng_entropy_limit,
|
|
|
|
|
"PRNG add entropy after that much bytes were produced");
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Any one who considers arithmetical methods of producing random digits is,
|
|
|
|
|
* of course, in a state of sin. -- John von Neumann
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
struct s390_prng_data {
|
|
|
|
|
unsigned long count; /* how many bytes were produced */
|
|
|
|
|
char *buf;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct s390_prng_data *p;
|
|
|
|
|
|
|
|
|
|
/* copied from libica, use a non-zero initial parameter block */
|
|
|
|
|
static unsigned char parm_block[32] = {
|
|
|
|
|
0x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4,
|
|
|
|
|
0x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int prng_open(struct inode *inode, struct file *file)
|
|
|
|
|
{
|
|
|
|
|
return nonseekable_open(inode, file);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void prng_add_entropy(void)
|
|
|
|
|
{
|
|
|
|
|
__u64 entropy[4];
|
|
|
|
|
unsigned int i;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < 16; i++) {
|
|
|
|
|
ret = crypt_s390_kmc(KMC_PRNG, parm_block, (char *)entropy,
|
|
|
|
|
(char *)entropy, sizeof(entropy));
|
|
|
|
|
BUG_ON(ret < 0 || ret != sizeof(entropy));
|
|
|
|
|
memcpy(parm_block, entropy, sizeof(entropy));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void prng_seed(int nbytes)
|
|
|
|
|
{
|
|
|
|
|
char buf[16];
|
|
|
|
|
int i = 0;
|
|
|
|
|
|
|
|
|
|
BUG_ON(nbytes > 16);
|
|
|
|
|
get_random_bytes(buf, nbytes);
|
|
|
|
|
|
|
|
|
|
/* Add the entropy */
|
|
|
|
|
while (nbytes >= 8) {
|
|
|
|
|
*((__u64 *)parm_block) ^= *((__u64 *)buf+i*8);
|
|
|
|
|
prng_add_entropy();
|
|
|
|
|
i += 8;
|
|
|
|
|
nbytes -= 8;
|
|
|
|
|
}
|
|
|
|
|
prng_add_entropy();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static ssize_t prng_read(struct file *file, char __user *ubuf, size_t nbytes,
|
|
|
|
|
loff_t *ppos)
|
|
|
|
|
{
|
|
|
|
|
int chunk, n;
|
|
|
|
|
int ret = 0;
|
|
|
|
|
int tmp;
|
|
|
|
|
|
2008-01-26 13:11:18 +00:00
|
|
|
/* nbytes can be arbitrary length, we split it into chunks */
|
2007-02-05 20:18:22 +00:00
|
|
|
while (nbytes) {
|
|
|
|
|
/* same as in extract_entropy_user in random.c */
|
|
|
|
|
if (need_resched()) {
|
|
|
|
|
if (signal_pending(current)) {
|
|
|
|
|
if (ret == 0)
|
|
|
|
|
ret = -ERESTARTSYS;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
schedule();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* we lose some random bytes if an attacker issues
|
|
|
|
|
* reads < 8 bytes, but we don't care
|
|
|
|
|
*/
|
|
|
|
|
chunk = min_t(int, nbytes, prng_chunk_size);
|
|
|
|
|
|
|
|
|
|
/* PRNG only likes multiples of 8 bytes */
|
|
|
|
|
n = (chunk + 7) & -8;
|
|
|
|
|
|
|
|
|
|
if (p->count > prng_entropy_limit)
|
|
|
|
|
prng_seed(8);
|
|
|
|
|
|
|
|
|
|
/* if the CPU supports PRNG stckf is present too */
|
|
|
|
|
asm volatile(".insn s,0xb27c0000,%0"
|
|
|
|
|
: "=m" (*((unsigned long long *)p->buf)) : : "cc");
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Beside the STCKF the input for the TDES-EDE is the output
|
|
|
|
|
* of the last operation. We differ here from X9.17 since we
|
|
|
|
|
* only store one timestamp into the buffer. Padding the whole
|
|
|
|
|
* buffer with timestamps does not improve security, since
|
|
|
|
|
* successive stckf have nearly constant offsets.
|
|
|
|
|
* If an attacker knows the first timestamp it would be
|
|
|
|
|
* trivial to guess the additional values. One timestamp
|
|
|
|
|
* is therefore enough and still guarantees unique input values.
|
|
|
|
|
*
|
|
|
|
|
* Note: you can still get strict X9.17 conformity by setting
|
|
|
|
|
* prng_chunk_size to 8 bytes.
|
|
|
|
|
*/
|
|
|
|
|
tmp = crypt_s390_kmc(KMC_PRNG, parm_block, p->buf, p->buf, n);
|
|
|
|
|
BUG_ON((tmp < 0) || (tmp != n));
|
|
|
|
|
|
|
|
|
|
p->count += n;
|
|
|
|
|
|
|
|
|
|
if (copy_to_user(ubuf, p->buf, chunk))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
nbytes -= chunk;
|
|
|
|
|
ret += chunk;
|
|
|
|
|
ubuf += chunk;
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2008-01-26 13:11:29 +00:00
|
|
|
static const struct file_operations prng_fops = {
|
2007-02-05 20:18:22 +00:00
|
|
|
.owner = THIS_MODULE,
|
|
|
|
|
.open = &prng_open,
|
|
|
|
|
.release = NULL,
|
|
|
|
|
.read = &prng_read,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct miscdevice prng_dev = {
|
|
|
|
|
.name = "prandom",
|
|
|
|
|
.minor = MISC_DYNAMIC_MINOR,
|
|
|
|
|
.fops = &prng_fops,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int __init prng_init(void)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
/* check if the CPU has a PRNG */
|
|
|
|
|
if (!crypt_s390_func_available(KMC_PRNG))
|
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
|
|
|
|
|
if (prng_chunk_size < 8)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
p = kmalloc(sizeof(struct s390_prng_data), GFP_KERNEL);
|
|
|
|
|
if (!p)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
p->count = 0;
|
|
|
|
|
|
|
|
|
|
p->buf = kmalloc(prng_chunk_size, GFP_KERNEL);
|
|
|
|
|
if (!p->buf) {
|
|
|
|
|
ret = -ENOMEM;
|
|
|
|
|
goto out_free;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* initialize the PRNG, add 128 bits of entropy */
|
|
|
|
|
prng_seed(16);
|
|
|
|
|
|
|
|
|
|
ret = misc_register(&prng_dev);
|
2008-07-14 07:59:32 +00:00
|
|
|
if (ret)
|
2007-02-05 20:18:22 +00:00
|
|
|
goto out_buf;
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
out_buf:
|
|
|
|
|
kfree(p->buf);
|
|
|
|
|
out_free:
|
|
|
|
|
kfree(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __exit prng_exit(void)
|
|
|
|
|
{
|
|
|
|
|
/* wipe me */
|
2009-03-26 14:24:48 +00:00
|
|
|
kzfree(p->buf);
|
2007-02-05 20:18:22 +00:00
|
|
|
kfree(p);
|
|
|
|
|
|
|
|
|
|
misc_deregister(&prng_dev);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module_init(prng_init);
|
|
|
|
|
module_exit(prng_exit);
|