change system file

hc

2024-10-09 244b2c5ca8b14627e4a17755e5922221e121c771

 kernel/crypto/jitterentropy.c
..
..
@@ -2,12 +2,12 @@
2
2
  * Non-physical true random number generator based on timing jitter --
3
3
  * Jitter RNG standalone code.
4
4
  *
5
- * Copyright Stephan Mueller <smueller@chronox.de>, 2015
5
+ * Copyright Stephan Mueller <smueller@chronox.de>, 2015 - 2020
6
6
  *
7
7
  * Design
8
8
  * ======
9
9
  *
10
- * See http://www.chronox.de/jent.html
10
+ * See https://www.chronox.de/jent.html
11
11
  *
12
12
  * License
13
13
  * =======
..
..
@@ -47,7 +47,7 @@
47
47
 
48
48
 /*
49
49
  * This Jitterentropy RNG is based on the jitterentropy library
50
- * version 1.1.0 provided at http://www.chronox.de/jent.html
50
+ * version 2.2.0 provided at https://www.chronox.de/jent.html
51
51
  */
52
52
 
53
53
 #ifdef __OPTIMIZE__
..
..
@@ -71,10 +71,7 @@
71
71
 #define DATA_SIZE_BITS ((sizeof(__u64)) * 8)
72
72
 	__u64 last_delta;	/* SENSITIVE stuck test */
73
73
 	__s64 last_delta2;	/* SENSITIVE stuck test */
74
-	unsigned int stuck:1;	/* Time measurement stuck */
75
74
 	unsigned int osr;	/* Oversample rate */
76
-	unsigned int stir:1;		/* Post-processing stirring */
77
-	unsigned int disable_unbias:1;	/* Deactivate Von-Neuman unbias */
78
75
 #define JENT_MEMORY_BLOCKS 64
79
76
 #define JENT_MEMORY_BLOCKSIZE 32
80
77
 #define JENT_MEMORY_ACCESSLOOPS 128
..
..
@@ -86,11 +83,25 @@
86
83
 	unsigned int memblocksize; /* Size of one memory block in bytes */
87
84
 	unsigned int memaccessloops; /* Number of memory accesses per random
88
85
 				      * bit generation */
86
+
87
+	/* Repetition Count Test */
88
+	int rct_count;			/* Number of stuck values */
89
+
90
+	/* Adaptive Proportion Test for a significance level of 2^-30 */
91
+#define JENT_APT_CUTOFF		325	/* Taken from SP800-90B sec 4.4.2 */
92
+#define JENT_APT_WINDOW_SIZE	512	/* Data window size */
93
+	/* LSB of time stamp to process */
94
+#define JENT_APT_LSB		16
95
+#define JENT_APT_WORD_MASK	(JENT_APT_LSB - 1)
96
+	unsigned int apt_observations;	/* Number of collected observations */
97
+	unsigned int apt_count;		/* APT counter */
98
+	unsigned int apt_base;		/* APT base reference */
99
+	unsigned int apt_base_set:1;	/* APT base reference set? */
100
+
101
+	unsigned int health_failure:1;	/* Permanent health failure */
89
102
 };
90
103
 
91
104
 /* Flags that can be used to initialize the RNG */
92
-#define JENT_DISABLE_STIR (1<<0) /* Disable stirring the entropy pool */
93
-#define JENT_DISABLE_UNBIAS (1<<1) /* Disable the Von-Neuman Unbiaser */
94
105
 #define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more
95
106
 					   * entropy, saves MEMORY_SIZE RAM for
96
107
 					   * entropy collector */
..
..
@@ -99,24 +110,220 @@
99
110
 #define JENT_ENOTIME		1 /* Timer service not available */
100
111
 #define JENT_ECOARSETIME	2 /* Timer too coarse for RNG */
101
112
 #define JENT_ENOMONOTONIC	3 /* Timer is not monotonic increasing */
102
-#define JENT_EMINVARIATION	4 /* Timer variations too small for RNG */
103
113
 #define JENT_EVARVAR		5 /* Timer does not produce variations of
104
114
 				   * variations (2nd derivation of time is
105
115
 				   * zero). */
106
-#define JENT_EMINVARVAR		6 /* Timer variations of variations is tooi
107
-				   * small. */
116
+#define JENT_ESTUCK		8 /* Too many stuck results during init. */
117
+#define JENT_EHEALTH		9 /* Health test failed during initialization */
118
+#define JENT_ERCT		10 /* RCT failed during initialization */
119
+
120
+/*
121
+ * The output n bits can receive more than n bits of min entropy, of course,
122
+ * but the fixed output of the conditioning function can only asymptotically
123
+ * approach the output size bits of min entropy, not attain that bound. Random
124
+ * maps will tend to have output collisions, which reduces the creditable
125
+ * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound).
126
+ *
127
+ * The value "64" is justified in Appendix A.4 of the current 90C draft,
128
+ * and aligns with NIST's in "epsilon" definition in this document, which is
129
+ * that a string can be considered "full entropy" if you can bound the min
130
+ * entropy in each bit of output to at least 1-epsilon, where epsilon is
131
+ * required to be <= 2^(-32).
132
+ */
133
+#define JENT_ENTROPY_SAFETY_FACTOR	64
134
+
135
+#include <linux/fips.h>
136
+#include "jitterentropy.h"
108
137
 
109
138
 /***************************************************************************
110
- * Helper functions
139
+ * Adaptive Proportion Test
140
+ *
141
+ * This test complies with SP800-90B section 4.4.2.
111
142
  ***************************************************************************/
112
143
 
113
-void jent_get_nstime(__u64 *out);
114
-__u64 jent_rol64(__u64 word, unsigned int shift);
115
-void *jent_zalloc(unsigned int len);
116
-void jent_zfree(void *ptr);
117
-int jent_fips_enabled(void);
118
-void jent_panic(char *s);
119
-void jent_memcpy(void *dest, const void *src, unsigned int n);
144
+/**
145
+ * Reset the APT counter
146
+ *
147
+ * @ec [in] Reference to entropy collector
148
+ */
149
+static void jent_apt_reset(struct rand_data *ec, unsigned int delta_masked)
150
+{
151
+	/* Reset APT counter */
152
+	ec->apt_count = 0;
153
+	ec->apt_base = delta_masked;
154
+	ec->apt_observations = 0;
155
+}
156
+
157
+/**
158
+ * Insert a new entropy event into APT
159
+ *
160
+ * @ec [in] Reference to entropy collector
161
+ * @delta_masked [in] Masked time delta to process
162
+ */
163
+static void jent_apt_insert(struct rand_data *ec, unsigned int delta_masked)
164
+{
165
+	/* Initialize the base reference */
166
+	if (!ec->apt_base_set) {
167
+		ec->apt_base = delta_masked;
168
+		ec->apt_base_set = 1;
169
+		return;
170
+	}
171
+
172
+	if (delta_masked == ec->apt_base) {
173
+		ec->apt_count++;
174
+
175
+		if (ec->apt_count >= JENT_APT_CUTOFF)
176
+			ec->health_failure = 1;
177
+	}
178
+
179
+	ec->apt_observations++;
180
+
181
+	if (ec->apt_observations >= JENT_APT_WINDOW_SIZE)
182
+		jent_apt_reset(ec, delta_masked);
183
+}
184
+
185
+/***************************************************************************
186
+ * Stuck Test and its use as Repetition Count Test
187
+ *
188
+ * The Jitter RNG uses an enhanced version of the Repetition Count Test
189
+ * (RCT) specified in SP800-90B section 4.4.1. Instead of counting identical
190
+ * back-to-back values, the input to the RCT is the counting of the stuck
191
+ * values during the generation of one Jitter RNG output block.
192
+ *
193
+ * The RCT is applied with an alpha of 2^{-30} compliant to FIPS 140-2 IG 9.8.
194
+ *
195
+ * During the counting operation, the Jitter RNG always calculates the RCT
196
+ * cut-off value of C. If that value exceeds the allowed cut-off value,
197
+ * the Jitter RNG output block will be calculated completely but discarded at
198
+ * the end. The caller of the Jitter RNG is informed with an error code.
199
+ ***************************************************************************/
200
+
201
+/**
202
+ * Repetition Count Test as defined in SP800-90B section 4.4.1
203
+ *
204
+ * @ec [in] Reference to entropy collector
205
+ * @stuck [in] Indicator whether the value is stuck
206
+ */
207
+static void jent_rct_insert(struct rand_data *ec, int stuck)
208
+{
209
+	/*
210
+	 * If we have a count less than zero, a previous RCT round identified
211
+	 * a failure. We will not overwrite it.
212
+	 */
213
+	if (ec->rct_count < 0)
214
+		return;
215
+
216
+	if (stuck) {
217
+		ec->rct_count++;
218
+
219
+		/*
220
+		 * The cutoff value is based on the following consideration:
221
+		 * alpha = 2^-30 as recommended in FIPS 140-2 IG 9.8.
222
+		 * In addition, we require an entropy value H of 1/OSR as this
223
+		 * is the minimum entropy required to provide full entropy.
224
+		 * Note, we collect 64 * OSR deltas for inserting them into
225
+		 * the entropy pool which should then have (close to) 64 bits
226
+		 * of entropy.
227
+		 *
228
+		 * Note, ec->rct_count (which equals to value B in the pseudo
229
+		 * code of SP800-90B section 4.4.1) starts with zero. Hence
230
+		 * we need to subtract one from the cutoff value as calculated
231
+		 * following SP800-90B.
232
+		 */
233
+		if ((unsigned int)ec->rct_count >= (31 * ec->osr)) {
234
+			ec->rct_count = -1;
235
+			ec->health_failure = 1;
236
+		}
237
+	} else {
238
+		ec->rct_count = 0;
239
+	}
240
+}
241
+
242
+/**
243
+ * Is there an RCT health test failure?
244
+ *
245
+ * @ec [in] Reference to entropy collector
246
+ *
247
+ * @return
248
+ * 	0 No health test failure
249
+ * 	1 Permanent health test failure
250
+ */
251
+static int jent_rct_failure(struct rand_data *ec)
252
+{
253
+	if (ec->rct_count < 0)
254
+		return 1;
255
+	return 0;
256
+}
257
+
258
+static inline __u64 jent_delta(__u64 prev, __u64 next)
259
+{
260
+#define JENT_UINT64_MAX		(__u64)(~((__u64) 0))
261
+	return (prev < next) ? (next - prev) :
262
+			       (JENT_UINT64_MAX - prev + 1 + next);
263
+}
264
+
265
+/**
266
+ * Stuck test by checking the:
267
+ * 	1st derivative of the jitter measurement (time delta)
268
+ * 	2nd derivative of the jitter measurement (delta of time deltas)
269
+ * 	3rd derivative of the jitter measurement (delta of delta of time deltas)
270
+ *
271
+ * All values must always be non-zero.
272
+ *
273
+ * @ec [in] Reference to entropy collector
274
+ * @current_delta [in] Jitter time delta
275
+ *
276
+ * @return
277
+ * 	0 jitter measurement not stuck (good bit)
278
+ * 	1 jitter measurement stuck (reject bit)
279
+ */
280
+static int jent_stuck(struct rand_data *ec, __u64 current_delta)
281
+{
282
+	__u64 delta2 = jent_delta(ec->last_delta, current_delta);
283
+	__u64 delta3 = jent_delta(ec->last_delta2, delta2);
284
+
285
+	ec->last_delta = current_delta;
286
+	ec->last_delta2 = delta2;
287
+
288
+	/*
289
+	 * Insert the result of the comparison of two back-to-back time
290
+	 * deltas.
291
+	 */
292
+	jent_apt_insert(ec, current_delta);
293
+
294
+	if (!current_delta || !delta2 || !delta3) {
295
+		/* RCT with a stuck bit */
296
+		jent_rct_insert(ec, 1);
297
+		return 1;
298
+	}
299
+
300
+	/* RCT with a non-stuck bit */
301
+	jent_rct_insert(ec, 0);
302
+
303
+	return 0;
304
+}
305
+
306
+/**
307
+ * Report any health test failures
308
+ *
309
+ * @ec [in] Reference to entropy collector
310
+ *
311
+ * @return
312
+ * 	0 No health test failure
313
+ * 	1 Permanent health test failure
314
+ */
315
+static int jent_health_failure(struct rand_data *ec)
316
+{
317
+	/* Test is only enabled in FIPS mode */
318
+	if (!jent_fips_enabled())
319
+		return 0;
320
+
321
+	return ec->health_failure;
322
+}
323
+
324
+/***************************************************************************
325
+ * Noise sources
326
+ ***************************************************************************/
120
327
 
121
328
 /**
122
329
  * Update of the loop count used for the next round of
..
..
@@ -140,16 +347,16 @@
140
347
 
141
348
 	jent_get_nstime(&time);
142
349
 	/*
143
-	 * mix the current state of the random number into the shuffle
144
-	 * calculation to balance that shuffle a bit more
350
+	 * Mix the current state of the random number into the shuffle
351
+	 * calculation to balance that shuffle a bit more.
145
352
 	 */
146
353
 	if (ec)
147
354
 		time ^= ec->data;
148
355
 	/*
149
-	 * we fold the time value as much as possible to ensure that as many
150
-	 * bits of the time stamp are included as possible
356
+	 * We fold the time value as much as possible to ensure that as many
357
+	 * bits of the time stamp are included as possible.
151
358
 	 */
152
-	for (i = 0; (DATA_SIZE_BITS / bits) > i; i++) {
359
+	for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) {
153
360
 		shuffle ^= time & mask;
154
361
 		time = time >> bits;
155
362
 	}
..
..
@@ -161,46 +368,33 @@
161
368
 	return (shuffle + (1<<min));
162
369
 }
163
370
 
164
-/***************************************************************************
165
- * Noise sources
166
- ***************************************************************************/
167
-
168
371
 /**
169
372
  * CPU Jitter noise source -- this is the noise source based on the CPU
170
373
  *			      execution time jitter
171
374
  *
172
- * This function folds the time into one bit units by iterating
173
- * through the DATA_SIZE_BITS bit time value as follows: assume our time value
174
- * is 0xabcd
175
- * 1st loop, 1st shift generates 0xd000
176
- * 1st loop, 2nd shift generates 0x000d
177
- * 2nd loop, 1st shift generates 0xcd00
178
- * 2nd loop, 2nd shift generates 0x000c
179
- * 3rd loop, 1st shift generates 0xbcd0
180
- * 3rd loop, 2nd shift generates 0x000b
181
- * 4th loop, 1st shift generates 0xabcd
182
- * 4th loop, 2nd shift generates 0x000a
183
- * Now, the values at the end of the 2nd shifts are XORed together.
375
+ * This function injects the individual bits of the time value into the
376
+ * entropy pool using an LFSR.
184
377
  *
185
- * The code is deliberately inefficient and shall stay that way. This function
186
- * is the root cause why the code shall be compiled without optimization. This
187
- * function not only acts as folding operation, but this function's execution
188
- * is used to measure the CPU execution time jitter. Any change to the loop in
189
- * this function implies that careful retesting must be done.
378
+ * The code is deliberately inefficient with respect to the bit shifting
379
+ * and shall stay that way. This function is the root cause why the code
380
+ * shall be compiled without optimization. This function not only acts as
381
+ * folding operation, but this function's execution is used to measure
382
+ * the CPU execution time jitter. Any change to the loop in this function
383
+ * implies that careful retesting must be done.
190
384
  *
191
- * Input:
192
- * @ec entropy collector struct -- may be NULL
193
- * @time time stamp to be folded
194
- * @loop_cnt if a value not equal to 0 is set, use the given value as number of
195
- *	     loops to perform the folding
385
+ * @ec [in] entropy collector struct
386
+ * @time [in] time stamp to be injected
387
+ * @loop_cnt [in] if a value not equal to 0 is set, use the given value as
388
+ *		  number of loops to perform the folding
389
+ * @stuck [in] Is the time stamp identified as stuck?
196
390
  *
197
391
  * Output:
198
- * @folded result of folding operation
392
+ * updated ec->data
199
393
  *
200
394
  * @return Number of loops the folding operation is performed
201
395
  */
202
-static __u64 jent_fold_time(struct rand_data *ec, __u64 time,
203
-			    __u64 *folded, __u64 loop_cnt)
396
+static void jent_lfsr_time(struct rand_data *ec, __u64 time, __u64 loop_cnt,
397
+			   int stuck)
204
398
 {
205
399
 	unsigned int i;
206
400
 	__u64 j = 0;
..
..
@@ -217,16 +411,43 @@
217
411
 	if (loop_cnt)
218
412
 		fold_loop_cnt = loop_cnt;
219
413
 	for (j = 0; j < fold_loop_cnt; j++) {
220
-		new = 0;
414
+		new = ec->data;
221
415
 		for (i = 1; (DATA_SIZE_BITS) >= i; i++) {
222
416
 			__u64 tmp = time << (DATA_SIZE_BITS - i);
223
417
 
224
418
 			tmp = tmp >> (DATA_SIZE_BITS - 1);
419
+
420
+			/*
421
+			* Fibonacci LSFR with polynomial of
422
+			*  x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is
423
+			*  primitive according to
424
+			*   http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf
425
+			* (the shift values are the polynomial values minus one
426
+			* due to counting bits from 0 to 63). As the current
427
+			* position is always the LSB, the polynomial only needs
428
+			* to shift data in from the left without wrap.
429
+			*/
430
+			tmp ^= ((new >> 63) & 1);
431
+			tmp ^= ((new >> 60) & 1);
432
+			tmp ^= ((new >> 55) & 1);
433
+			tmp ^= ((new >> 30) & 1);
434
+			tmp ^= ((new >> 27) & 1);
435
+			tmp ^= ((new >> 22) & 1);
436
+			new <<= 1;
225
437
 			new ^= tmp;
226
438
 		}
227
439
 	}
228
-	*folded = new;
229
-	return fold_loop_cnt;
440
+
441
+	/*
442
+	 * If the time stamp is stuck, do not finally insert the value into
443
+	 * the entropy pool. Although this operation should not do any harm
444
+	 * even when the time stamp has no entropy, SP800-90B requires that
445
+	 * any conditioning operation (SP800-90B considers the LFSR to be a
446
+	 * conditioning operation) to have an identical amount of input
447
+	 * data according to section 3.1.5.
448
+	 */
449
+	if (!stuck)
450
+		ec->data = new;
230
451
 }
231
452
 
232
453
 /**
..
..
@@ -247,18 +468,14 @@
247
468
  * to reliably access either L3 or memory, the ec->mem memory must be quite
248
469
  * large which is usually not desirable.
249
470
  *
250
- * Input:
251
- * @ec Reference to the entropy collector with the memory access data -- if
252
- *     the reference to the memory block to be accessed is NULL, this noise
253
- *     source is disabled
254
- * @loop_cnt if a value not equal to 0 is set, use the given value as number of
255
- *	     loops to perform the folding
256
- *
257
- * @return Number of memory access operations
471
+ * @ec [in] Reference to the entropy collector with the memory access data -- if
472
+ *	    the reference to the memory block to be accessed is NULL, this noise
473
+ *	    source is disabled
474
+ * @loop_cnt [in] if a value not equal to 0 is set, use the given value
475
+ *		  number of loops to perform the LFSR
258
476
  */
259
-static unsigned int jent_memaccess(struct rand_data *ec, __u64 loop_cnt)
477
+static void jent_memaccess(struct rand_data *ec, __u64 loop_cnt)
260
478
 {
261
-	unsigned char *tmpval = NULL;
262
479
 	unsigned int wrap = 0;
263
480
 	__u64 i = 0;
264
481
 #define MAX_ACC_LOOP_BIT 7
..
..
@@ -267,7 +484,7 @@
267
484
 		jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);
268
485
 
269
486
 	if (NULL == ec || NULL == ec->mem)
270
-		return 0;
487
+		return;
271
488
 	wrap = ec->memblocksize * ec->memblocks;
272
489
 
273
490
 	/*
..
..
@@ -278,7 +495,7 @@
278
495
 		acc_loop_cnt = loop_cnt;
279
496
 
280
497
 	for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {
281
-		tmpval = ec->mem + ec->memlocation;
498
+		unsigned char *tmpval = ec->mem + ec->memlocation;
282
499
 		/*
283
500
 		 * memory access: just add 1 to one byte,
284
501
 		 * wrap at 255 -- memory access implies read
..
..
@@ -293,61 +510,29 @@
293
510
 		ec->memlocation = ec->memlocation + ec->memblocksize - 1;
294
511
 		ec->memlocation = ec->memlocation % wrap;
295
512
 	}
296
-	return i;
297
513
 }
298
514
 
299
515
 /***************************************************************************
300
516
  * Start of entropy processing logic
301
517
  ***************************************************************************/
302
-
303
-/**
304
- * Stuck test by checking the:
305
- *	1st derivation of the jitter measurement (time delta)
306
- *	2nd derivation of the jitter measurement (delta of time deltas)
307
- *	3rd derivation of the jitter measurement (delta of delta of time deltas)
308
- *
309
- * All values must always be non-zero.
310
- *
311
- * Input:
312
- * @ec Reference to entropy collector
313
- * @current_delta Jitter time delta
314
- *
315
- * @return
316
- *	0 jitter measurement not stuck (good bit)
317
- *	1 jitter measurement stuck (reject bit)
318
- */
319
-static void jent_stuck(struct rand_data *ec, __u64 current_delta)
320
-{
321
-	__s64 delta2 = ec->last_delta - current_delta;
322
-	__s64 delta3 = delta2 - ec->last_delta2;
323
-
324
-	ec->last_delta = current_delta;
325
-	ec->last_delta2 = delta2;
326
-
327
-	if (!current_delta || !delta2 || !delta3)
328
-		ec->stuck = 1;
329
-}
330
-
331
518
 /**
332
519
  * This is the heart of the entropy generation: calculate time deltas and
333
- * use the CPU jitter in the time deltas. The jitter is folded into one
334
- * bit. You can call this function the "random bit generator" as it
335
- * produces one random bit per invocation.
520
+ * use the CPU jitter in the time deltas. The jitter is injected into the
521
+ * entropy pool.
336
522
  *
337
523
  * WARNING: ensure that ->prev_time is primed before using the output
338
524
  *	    of this function! This can be done by calling this function
339
525
  *	    and not using its result.
340
526
  *
341
- * Input:
342
- * @entropy_collector Reference to entropy collector
527
+ * @ec [in] Reference to entropy collector
343
528
  *
344
- * @return One random bit
529
+ * @return result of stuck test
345
530
  */
346
-static __u64 jent_measure_jitter(struct rand_data *ec)
531
+static int jent_measure_jitter(struct rand_data *ec)
347
532
 {
348
533
 	__u64 time = 0;
349
-	__u64 data = 0;
350
534
 	__u64 current_delta = 0;
535
+	int stuck;
351
536
 
352
537
 	/* Invoke one noise source before time measurement to add variations */
353
538
 	jent_memaccess(ec, 0);
..
..
@@ -357,206 +542,46 @@
357
542
 	 * invocation to measure the timing variations
358
543
 	 */
359
544
 	jent_get_nstime(&time);
360
-	current_delta = time - ec->prev_time;
545
+	current_delta = jent_delta(ec->prev_time, time);
361
546
 	ec->prev_time = time;
362
547
 
363
-	/* Now call the next noise sources which also folds the data */
364
-	jent_fold_time(ec, current_delta, &data, 0);
548
+	/* Check whether we have a stuck measurement. */
549
+	stuck = jent_stuck(ec, current_delta);
365
550
 
366
-	/*
367
-	 * Check whether we have a stuck measurement. The enforcement
368
-	 * is performed after the stuck value has been mixed into the
369
-	 * entropy pool.
370
-	 */
371
-	jent_stuck(ec, current_delta);
551
+	/* Now call the next noise sources which also injects the data */
552
+	jent_lfsr_time(ec, current_delta, 0, stuck);
372
553
 
373
-	return data;
374
-}
375
-
376
-/**
377
- * Von Neuman unbias as explained in RFC 4086 section 4.2. As shown in the
378
- * documentation of that RNG, the bits from jent_measure_jitter are considered
379
- * independent which implies that the Von Neuman unbias operation is applicable.
380
- * A proof of the Von-Neumann unbias operation to remove skews is given in the
381
- * document "A proposal for: Functionality classes for random number
382
- * generators", version 2.0 by Werner Schindler, section 5.4.1.
383
- *
384
- * Input:
385
- * @entropy_collector Reference to entropy collector
386
- *
387
- * @return One random bit
388
- */
389
-static __u64 jent_unbiased_bit(struct rand_data *entropy_collector)
390
-{
391
-	do {
392
-		__u64 a = jent_measure_jitter(entropy_collector);
393
-		__u64 b = jent_measure_jitter(entropy_collector);
394
-
395
-		if (a == b)
396
-			continue;
397
-		if (1 == a)
398
-			return 1;
399
-		else
400
-			return 0;
401
-	} while (1);
402
-}
403
-
404
-/**
405
- * Shuffle the pool a bit by mixing some value with a bijective function (XOR)
406
- * into the pool.
407
- *
408
- * The function generates a mixer value that depends on the bits set and the
409
- * location of the set bits in the random number generated by the entropy
410
- * source. Therefore, based on the generated random number, this mixer value
411
- * can have 2**64 different values. That mixer value is initialized with the
412
- * first two SHA-1 constants. After obtaining the mixer value, it is XORed into
413
- * the random number.
414
- *
415
- * The mixer value is not assumed to contain any entropy. But due to the XOR
416
- * operation, it can also not destroy any entropy present in the entropy pool.
417
- *
418
- * Input:
419
- * @entropy_collector Reference to entropy collector
420
- */
421
-static void jent_stir_pool(struct rand_data *entropy_collector)
422
-{
423
-	/*
424
-	 * to shut up GCC on 32 bit, we have to initialize the 64 variable
425
-	 * with two 32 bit variables
426
-	 */
427
-	union c {
428
-		__u64 u64;
429
-		__u32 u32[2];
430
-	};
431
-	/*
432
-	 * This constant is derived from the first two 32 bit initialization
433
-	 * vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1
434
-	 */
435
-	union c constant;
436
-	/*
437
-	 * The start value of the mixer variable is derived from the third
438
-	 * and fourth 32 bit initialization vector of SHA-1 as defined in
439
-	 * FIPS 180-4 section 5.3.1
440
-	 */
441
-	union c mixer;
442
-	unsigned int i = 0;
443
-
444
-	/*
445
-	 * Store the SHA-1 constants in reverse order to make up the 64 bit
446
-	 * value -- this applies to a little endian system, on a big endian
447
-	 * system, it reverses as expected. But this really does not matter
448
-	 * as we do not rely on the specific numbers. We just pick the SHA-1
449
-	 * constants as they have a good mix of bit set and unset.
450
-	 */
451
-	constant.u32[1] = 0x67452301;
452
-	constant.u32[0] = 0xefcdab89;
453
-	mixer.u32[1] = 0x98badcfe;
454
-	mixer.u32[0] = 0x10325476;
455
-
456
-	for (i = 0; i < DATA_SIZE_BITS; i++) {
457
-		/*
458
-		 * get the i-th bit of the input random number and only XOR
459
-		 * the constant into the mixer value when that bit is set
460
-		 */
461
-		if ((entropy_collector->data >> i) & 1)
462
-			mixer.u64 ^= constant.u64;
463
-		mixer.u64 = jent_rol64(mixer.u64, 1);
464
-	}
465
-	entropy_collector->data ^= mixer.u64;
554
+	return stuck;
466
555
 }
467
556
 
468
557
 /**
469
558
  * Generator of one 64 bit random number
470
559
  * Function fills rand_data->data
471
560
  *
472
- * Input:
473
- * @ec Reference to entropy collector
561
+ * @ec [in] Reference to entropy collector
474
562
  */
475
563
 static void jent_gen_entropy(struct rand_data *ec)
476
564
 {
477
-	unsigned int k = 0;
565
+	unsigned int k = 0, safety_factor = 0;
566
+
567
+	if (fips_enabled)
568
+		safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
478
569
 
479
570
 	/* priming of the ->prev_time value */
480
571
 	jent_measure_jitter(ec);
481
572
 
482
573
 	while (1) {
483
-		__u64 data = 0;
484
-
485
-		if (ec->disable_unbias == 1)
486
-			data = jent_measure_jitter(ec);
487
-		else
488
-			data = jent_unbiased_bit(ec);
489
-
490
-		/* enforcement of the jent_stuck test */
491
-		if (ec->stuck) {
492
-			/*
493
-			 * We only mix in the bit considered not appropriate
494
-			 * without the LSFR. The reason is that if we apply
495
-			 * the LSFR and we do not rotate, the 2nd bit with LSFR
496
-			 * will cancel out the first LSFR application on the
497
-			 * bad bit.
498
-			 *
499
-			 * And we do not rotate as we apply the next bit to the
500
-			 * current bit location again.
501
-			 */
502
-			ec->data ^= data;
503
-			ec->stuck = 0;
574
+		/* If a stuck measurement is received, repeat measurement */
575
+		if (jent_measure_jitter(ec))
504
576
 			continue;
505
-		}
506
-
507
-		/*
508
-		 * Fibonacci LSFR with polynom of
509
-		 *  x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is
510
-		 *  primitive according to
511
-		 *   http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf
512
-		 * (the shift values are the polynom values minus one
513
-		 * due to counting bits from 0 to 63). As the current
514
-		 * position is always the LSB, the polynom only needs
515
-		 * to shift data in from the left without wrap.
516
-		 */
517
-		ec->data ^= data;
518
-		ec->data ^= ((ec->data >> 63) & 1);
519
-		ec->data ^= ((ec->data >> 60) & 1);
520
-		ec->data ^= ((ec->data >> 55) & 1);
521
-		ec->data ^= ((ec->data >> 30) & 1);
522
-		ec->data ^= ((ec->data >> 27) & 1);
523
-		ec->data ^= ((ec->data >> 22) & 1);
524
-		ec->data = jent_rol64(ec->data, 1);
525
577
 
526
578
 		/*
527
579
 		 * We multiply the loop value with ->osr to obtain the
528
580
 		 * oversampling rate requested by the caller
529
581
 		 */
530
-		if (++k >= (DATA_SIZE_BITS * ec->osr))
582
+		if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))
531
583
 			break;
532
584
 	}
533
-	if (ec->stir)
534
-		jent_stir_pool(ec);
535
-}
536
-
537
-/**
538
- * The continuous test required by FIPS 140-2 -- the function automatically
539
- * primes the test if needed.
540
- *
541
- * Return:
542
- * 0 if FIPS test passed
543
- * < 0 if FIPS test failed
544
- */
545
-static void jent_fips_test(struct rand_data *ec)
546
-{
547
-	if (!jent_fips_enabled())
548
-		return;
549
-
550
-	/* prime the FIPS test */
551
-	if (!ec->old_data) {
552
-		ec->old_data = ec->data;
553
-		jent_gen_entropy(ec);
554
-	}
555
-
556
-	if (ec->data == ec->old_data)
557
-		jent_panic("jitterentropy: Duplicate output detected\n");
558
-
559
-	ec->old_data = ec->data;
560
585
 }
561
586
 
562
587
 /**
..
..
@@ -569,17 +594,18 @@
569
594
  * This function truncates the last 64 bit entropy value output to the exact
570
595
  * size specified by the caller.
571
596
  *
572
- * Input:
573
- * @ec Reference to entropy collector
574
- * @data pointer to buffer for storing random data -- buffer must already
575
- *	 exist
576
- * @len size of the buffer, specifying also the requested number of random
577
- *	in bytes
597
+ * @ec [in] Reference to entropy collector
598
+ * @data [in] pointer to buffer for storing random data -- buffer must already
599
+ *	      exist
600
+ * @len [in] size of the buffer, specifying also the requested number of random
601
+ *	     in bytes
578
602
  *
579
603
  * @return 0 when request is fulfilled or an error
580
604
  *
581
605
  * The following error codes can occur:
582
606
  *	-1	entropy_collector is NULL
607
+ *	-2	RCT failed
608
+ *	-3	APT test failed
583
609
  */
584
610
 int jent_read_entropy(struct rand_data *ec, unsigned char *data,
585
611
 		      unsigned int len)
..
..
@@ -593,7 +619,42 @@
593
619
 		unsigned int tocopy;
594
620
 
595
621
 		jent_gen_entropy(ec);
596
-		jent_fips_test(ec);
622
+
623
+		if (jent_health_failure(ec)) {
624
+			int ret;
625
+
626
+			if (jent_rct_failure(ec))
627
+				ret = -2;
628
+			else
629
+				ret = -3;
630
+
631
+			/*
632
+			 * Re-initialize the noise source
633
+			 *
634
+			 * If the health test fails, the Jitter RNG remains
635
+			 * in failure state and will return a health failure
636
+			 * during next invocation.
637
+			 */
638
+			if (jent_entropy_init())
639
+				return ret;
640
+
641
+			/* Set APT to initial state */
642
+			jent_apt_reset(ec, 0);
643
+			ec->apt_base_set = 0;
644
+
645
+			/* Set RCT to initial state */
646
+			ec->rct_count = 0;
647
+
648
+			/* Re-enable Jitter RNG */
649
+			ec->health_failure = 0;
650
+
651
+			/*
652
+			 * Return the health test failure status to the
653
+			 * caller as the generated value is not appropriate.
654
+			 */
655
+			return ret;
656
+		}
657
+
597
658
 		if ((DATA_SIZE_BITS / 8) < len)
598
659
 			tocopy = (DATA_SIZE_BITS / 8);
599
660
 		else
..
..
@@ -639,12 +700,6 @@
639
700
 		osr = 1; /* minimum sampling rate is 1 */
640
701
 	entropy_collector->osr = osr;
641
702
 
642
-	entropy_collector->stir = 1;
643
-	if (flags & JENT_DISABLE_STIR)
644
-		entropy_collector->stir = 0;
645
-	if (flags & JENT_DISABLE_UNBIAS)
646
-		entropy_collector->disable_unbias = 1;
647
-
648
703
 	/* fill the data pad with non-zero values */
649
704
 	jent_gen_entropy(entropy_collector);
650
705
 
..
..
@@ -656,7 +711,6 @@
656
711
 	jent_zfree(entropy_collector->mem);
657
712
 	entropy_collector->mem = NULL;
658
713
 	jent_zfree(entropy_collector);
659
-	entropy_collector = NULL;
660
714
 }
661
715
 
662
716
 int jent_entropy_init(void)
..
..
@@ -664,9 +718,14 @@
664
718
 	int i;
665
719
 	__u64 delta_sum = 0;
666
720
 	__u64 old_delta = 0;
721
+	unsigned int nonstuck = 0;
667
722
 	int time_backwards = 0;
668
-	int count_var = 0;
669
723
 	int count_mod = 0;
724
+	int count_stuck = 0;
725
+	struct rand_data ec = { 0 };
726
+
727
+	/* Required for RCT */
728
+	ec.osr = 1;
670
729
 
671
730
 	/* We could perform statistical tests here, but the problem is
672
731
 	 * that we only have a few loop counts to do testing. These
..
..
@@ -689,24 +748,28 @@
689
748
 	/*
690
749
 	 * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is
691
750
 	 * definitely too little.
751
+	 *
752
+	 * SP800-90B requires at least 1024 initial test cycles.
692
753
 	 */
693
-#define TESTLOOPCOUNT 300
754
+#define TESTLOOPCOUNT 1024
694
755
 #define CLEARCACHE 100
695
756
 	for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) {
696
757
 		__u64 time = 0;
697
758
 		__u64 time2 = 0;
698
-		__u64 folded = 0;
699
759
 		__u64 delta = 0;
700
760
 		unsigned int lowdelta = 0;
761
+		int stuck;
701
762
 
763
+		/* Invoke core entropy collection logic */
702
764
 		jent_get_nstime(&time);
703
-		jent_fold_time(NULL, time, &folded, 1<<MIN_FOLD_LOOP_BIT);
765
+		ec.prev_time = time;
766
+		jent_lfsr_time(&ec, time, 0, 0);
704
767
 		jent_get_nstime(&time2);
705
768
 
706
769
 		/* test whether timer works */
707
770
 		if (!time || !time2)
708
771
 			return JENT_ENOTIME;
709
-		delta = time2 - time;
772
+		delta = jent_delta(time, time2);
710
773
 		/*
711
774
 		 * test whether timer is fine grained enough to provide
712
775
 		 * delta even when called shortly after each other -- this
..
..
@@ -714,6 +777,8 @@
714
777
 		 */
715
778
 		if (!delta)
716
779
 			return JENT_ECOARSETIME;
780
+
781
+		stuck = jent_stuck(&ec, delta);
717
782
 
718
783
 		/*
719
784
 		 * up to here we did not modify any variable that will be
..
..
@@ -725,14 +790,36 @@
725
790
 		if (CLEARCACHE > i)
726
791
 			continue;
727
792
 
793
+		if (stuck)
794
+			count_stuck++;
795
+		else {
796
+			nonstuck++;
797
+
798
+			/*
799
+			 * Ensure that the APT succeeded.
800
+			 *
801
+			 * With the check below that count_stuck must be less
802
+			 * than 10% of the overall generated raw entropy values
803
+			 * it is guaranteed that the APT is invoked at
804
+			 * floor((TESTLOOPCOUNT * 0.9) / 64) == 14 times.
805
+			 */
806
+			if ((nonstuck % JENT_APT_WINDOW_SIZE) == 0) {
807
+				jent_apt_reset(&ec,
808
+					       delta & JENT_APT_WORD_MASK);
809
+				if (jent_health_failure(&ec))
810
+					return JENT_EHEALTH;
811
+			}
812
+		}
813
+
814
+		/* Validate RCT */
815
+		if (jent_rct_failure(&ec))
816
+			return JENT_ERCT;
817
+
728
818
 		/* test whether we have an increasing timer */
729
819
 		if (!(time2 > time))
730
820
 			time_backwards++;
731
821
 
732
-		/*
733
-		 * Avoid modulo of 64 bit integer to allow code to compile
734
-		 * on 32 bit architectures.
735
-		 */
822
+		/* use 32 bit value to ensure compilation on 32 bit arches */
736
823
 		lowdelta = time2 - time;
737
824
 		if (!(lowdelta % 100))
738
825
 			count_mod++;
..
..
@@ -743,14 +830,10 @@
743
830
 		 * only after the first loop is executed as we need to prime
744
831
 		 * the old_data value
745
832
 		 */
746
-		if (i) {
747
-			if (delta != old_delta)
748
-				count_var++;
749
-			if (delta > old_delta)
750
-				delta_sum += (delta - old_delta);
751
-			else
752
-				delta_sum += (old_delta - delta);
753
-		}
833
+		if (delta > old_delta)
834
+			delta_sum += (delta - old_delta);
835
+		else
836
+			delta_sum += (old_delta - delta);
754
837
 		old_delta = delta;
755
838
 	}
756
839
 
..
..
@@ -763,25 +846,29 @@
763
846
 	 */
764
847
 	if (3 < time_backwards)
765
848
 		return JENT_ENOMONOTONIC;
766
-	/* Error if the time variances are always identical */
767
-	if (!delta_sum)
768
-		return JENT_EVARVAR;
769
849
 
770
850
 	/*
771
851
 	 * Variations of deltas of time must on average be larger
772
852
 	 * than 1 to ensure the entropy estimation
773
853
 	 * implied with 1 is preserved
774
854
 	 */
775
-	if (delta_sum <= 1)
776
-		return JENT_EMINVARVAR;
855
+	if ((delta_sum) <= 1)
856
+		return JENT_EVARVAR;
777
857
 
778
858
 	/*
779
859
 	 * Ensure that we have variations in the time stamp below 10 for at
780
-	 * least 10% of all checks -- on some platforms, the counter
781
-	 * increments in multiples of 100, but not always
860
+	 * least 10% of all checks -- on some platforms, the counter increments
861
+	 * in multiples of 100, but not always
782
862
 	 */
783
863
 	if ((TESTLOOPCOUNT/10 * 9) < count_mod)
784
864
 		return JENT_ECOARSETIME;
785
865
 
866
+	/*
867
+	 * If we have more than 90% stuck results, then this Jitter RNG is
868
+	 * likely to not work well.
869
+	 */
870
+	if ((TESTLOOPCOUNT/10 * 9) < count_stuck)
871
+		return JENT_ESTUCK;
872
+
786
873
 	return 0;
787
874
 }