write in 30M

hc

2024-02-20 ea08eeccae9297f7aabd2ef7f0c2517ac4549acc

 kernel/arch/s390/crypto/prng.c
..
..
@@ -61,6 +61,7 @@
61
61
 module_param_named(reseed_limit, prng_reseed_limit, int, 0);
62
62
 MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit");
63
63
 
64
+static bool trng_available;
64
65
 
65
66
 /*
66
67
  * Any one who considers arithmetical methods of producing random digits is,
..
..
@@ -115,46 +116,68 @@
115
116
 
116
117
 /*
117
118
  * generate_entropy:
118
- * This algorithm produces 64 bytes of entropy data based on 1024
119
- * individual stckf() invocations assuming that each stckf() value
120
- * contributes 0.25 bits of entropy. So the caller gets 256 bit
121
- * entropy per 64 byte or 4 bits entropy per byte.
119
+ * This function fills a given buffer with random bytes. The entropy within
120
+ * the random bytes given back is assumed to have at least 50% - meaning
121
+ * a 64 bytes buffer has at least 64 * 8 / 2 = 256 bits of entropy.
122
+ * Within the function the entropy generation is done in junks of 64 bytes.
123
+ * So the caller should also ask for buffer fill in multiples of 64 bytes.
124
+ * The generation of the entropy is based on the assumption that every stckf()
125
+ * invocation produces 0.5 bits of entropy. To accumulate 256 bits of entropy
126
+ * at least 512 stckf() values are needed. The entropy relevant part of the
127
+ * stckf value is bit 51 (counting starts at the left with bit nr 0) so
128
+ * here we use the lower 4 bytes and exor the values into 2k of bufferspace.
129
+ * To be on the save side, if there is ever a problem with stckf() the
130
+ * other half of the page buffer is filled with bytes from urandom via
131
+ * get_random_bytes(), so this function consumes 2k of urandom for each
132
+ * requested 64 bytes output data. Finally the buffer page is condensed into
133
+ * a 64 byte value by hashing with a SHA512 hash.
122
134
  */
123
135
 static int generate_entropy(u8 *ebuf, size_t nbytes)
124
136
 {
125
137
 	int n, ret = 0;
126
-	u8 *pg, *h, hash[64];
138
+	u8 *pg, pblock[80] = {
139
+		/* 8 x 64 bit init values */
140
+		0x6A, 0x09, 0xE6, 0x67, 0xF3, 0xBC, 0xC9, 0x08,
141
+		0xBB, 0x67, 0xAE, 0x85, 0x84, 0xCA, 0xA7, 0x3B,
142
+		0x3C, 0x6E, 0xF3, 0x72, 0xFE, 0x94, 0xF8, 0x2B,
143
+		0xA5, 0x4F, 0xF5, 0x3A, 0x5F, 0x1D, 0x36, 0xF1,
144
+		0x51, 0x0E, 0x52, 0x7F, 0xAD, 0xE6, 0x82, 0xD1,
145
+		0x9B, 0x05, 0x68, 0x8C, 0x2B, 0x3E, 0x6C, 0x1F,
146
+		0x1F, 0x83, 0xD9, 0xAB, 0xFB, 0x41, 0xBD, 0x6B,
147
+		0x5B, 0xE0, 0xCD, 0x19, 0x13, 0x7E, 0x21, 0x79,
148
+		/* 128 bit counter total message bit length */
149
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
150
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 };
127
151
 
128
-	/* allocate 2 pages */
129
-	pg = (u8 *) __get_free_pages(GFP_KERNEL, 1);
152
+	/* allocate one page stckf buffer */
153
+	pg = (u8 *) __get_free_page(GFP_KERNEL);
130
154
 	if (!pg) {
131
155
 		prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
132
156
 		return -ENOMEM;
133
157
 	}
134
158
 
159
+	/* fill the ebuf in chunks of 64 byte each */
135
160
 	while (nbytes) {
136
-		/* fill pages with urandom bytes */
137
-		get_random_bytes(pg, 2*PAGE_SIZE);
138
-		/* exor pages with 1024 stckf values */
139
-		for (n = 0; n < 2 * PAGE_SIZE / sizeof(u64); n++) {
140
-			u64 *p = ((u64 *)pg) + n;
161
+		/* fill lower 2k with urandom bytes */
162
+		get_random_bytes(pg, PAGE_SIZE / 2);
163
+		/* exor upper 2k with 512 stckf values, offset 4 bytes each */
164
+		for (n = 0; n < 512; n++) {
165
+			int offset = (PAGE_SIZE / 2) + (n * 4) - 4;
166
+			u64 *p = (u64 *)(pg + offset);
141
167
 			*p ^= get_tod_clock_fast();
142
168
 		}
143
-		n = (nbytes < sizeof(hash)) ? nbytes : sizeof(hash);
144
-		if (n < sizeof(hash))
145
-			h = hash;
146
-		else
147
-			h = ebuf;
148
-		/* hash over the filled pages */
149
-		cpacf_kimd(CPACF_KIMD_SHA_512, h, pg, 2*PAGE_SIZE);
150
-		if (n < sizeof(hash))
151
-			memcpy(ebuf, hash, n);
169
+		/* hash over the filled page */
170
+		cpacf_klmd(CPACF_KLMD_SHA_512, pblock, pg, PAGE_SIZE);
171
+		n = (nbytes < 64) ? nbytes : 64;
172
+		memcpy(ebuf, pblock, n);
152
173
 		ret += n;
153
174
 		ebuf += n;
154
175
 		nbytes -= n;
155
176
 	}
156
177
 
157
-	free_pages((unsigned long)pg, 1);
178
+	memzero_explicit(pblock, sizeof(pblock));
179
+	memzero_explicit(pg, PAGE_SIZE);
180
+	free_page((unsigned long)pg);
158
181
 	return ret;
159
182
 }
160
183
 
..
..
@@ -226,7 +249,7 @@
226
249
 {
227
250
 	pr_debug("The prng module stopped "
228
251
 		 "after running in triple DES mode\n");
229
-	kzfree(prng_data);
252
+	kfree_sensitive(prng_data);
230
253
 }
231
254
 
232
255
 
..
..
@@ -344,8 +367,8 @@
344
367
 
345
368
 static int __init prng_sha512_instantiate(void)
346
369
 {
347
-	int ret, datalen;
348
-	u8 seed[64 + 32 + 16];
370
+	int ret, datalen, seedlen;
371
+	u8 seed[128 + 16];
349
372
 
350
373
 	pr_debug("prng runs in SHA-512 mode "
351
374
 		 "with chunksize=%d and reseed_limit=%u\n",
..
..
@@ -368,16 +391,36 @@
368
391
 	if (ret)
369
392
 		goto outfree;
370
393
 
371
-	/* generate initial seed bytestring, with 256 + 128 bits entropy */
372
-	ret = generate_entropy(seed, 64 + 32);
373
-	if (ret != 64 + 32)
374
-		goto outfree;
375
-	/* followed by 16 bytes of unique nonce */
376
-	get_tod_clock_ext(seed + 64 + 32);
394
+	/* generate initial seed, we need at least  256 + 128 bits entropy. */
395
+	if (trng_available) {
396
+		/*
397
+		 * Trng available, so use it. The trng works in chunks of
398
+		 * 32 bytes and produces 100% entropy. So we pull 64 bytes
399
+		 * which gives us 512 bits entropy.
400
+		 */
401
+		seedlen = 2 * 32;
402
+		cpacf_trng(NULL, 0, seed, seedlen);
403
+	} else {
404
+		/*
405
+		 * No trng available, so use the generate_entropy() function.
406
+		 * This function works in 64 byte junks and produces
407
+		 * 50% entropy. So we pull 2*64 bytes which gives us 512 bits
408
+		 * of entropy.
409
+		 */
410
+		seedlen = 2 * 64;
411
+		ret = generate_entropy(seed, seedlen);
412
+		if (ret != seedlen)
413
+			goto outfree;
414
+	}
377
415
 
378
-	/* initial seed of the prno drng */
416
+	/* append the seed by 16 bytes of unique nonce */
417
+	get_tod_clock_ext(seed + seedlen);
418
+	seedlen += 16;
419
+
420
+	/* now initial seed of the prno drng */
379
421
 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
380
-		   &prng_data->prnows, NULL, 0, seed, sizeof(seed));
422
+		   &prng_data->prnows, NULL, 0, seed, seedlen);
423
+	memzero_explicit(seed, sizeof(seed));
381
424
 
382
425
 	/* if fips mode is enabled, generate a first block of random
383
426
 	   bytes for the FIPS 140-2 Conditional Self Test */
..
..
@@ -399,23 +442,32 @@
399
442
 static void prng_sha512_deinstantiate(void)
400
443
 {
401
444
 	pr_debug("The prng module stopped after running in SHA-512 mode\n");
402
-	kzfree(prng_data);
445
+	kfree_sensitive(prng_data);
403
446
 }
404
447
 
405
448
 
406
449
 static int prng_sha512_reseed(void)
407
450
 {
408
-	int ret;
451
+	int ret, seedlen;
409
452
 	u8 seed[64];
410
453
 
411
-	/* fetch 256 bits of fresh entropy */
412
-	ret = generate_entropy(seed, sizeof(seed));
413
-	if (ret != sizeof(seed))
414
-		return ret;
454
+	/* We need at least 256 bits of fresh entropy for reseeding */
455
+	if (trng_available) {
456
+		/* trng produces 256 bits entropy in 32 bytes */
457
+		seedlen = 32;
458
+		cpacf_trng(NULL, 0, seed, seedlen);
459
+	} else {
460
+		/* generate_entropy() produces 256 bits entropy in 64 bytes */
461
+		seedlen = 64;
462
+		ret = generate_entropy(seed, seedlen);
463
+		if (ret != sizeof(seed))
464
+			return ret;
465
+	}
415
466
 
416
467
 	/* do a reseed of the prno drng with this bytestring */
417
468
 	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
418
-		   &prng_data->prnows, NULL, 0, seed, sizeof(seed));
469
+		   &prng_data->prnows, NULL, 0, seed, seedlen);
470
+	memzero_explicit(seed, sizeof(seed));
419
471
 
420
472
 	return 0;
421
473
 }
..
..
@@ -592,6 +644,7 @@
592
644
 			ret = -EFAULT;
593
645
 			break;
594
646
 		}
647
+		memzero_explicit(p, n);
595
648
 		ubuf += n;
596
649
 		nbytes -= n;
597
650
 		ret += n;
..
..
@@ -640,7 +693,7 @@
640
693
 				   struct device_attribute *attr,
641
694
 				   char *buf)
642
695
 {
643
-	return snprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
696
+	return scnprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
644
697
 }
645
698
 static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL);
646
699
 
..
..
@@ -659,7 +712,7 @@
659
712
 		counter = prng_data->prngws.byte_counter;
660
713
 	mutex_unlock(&prng_data->mutex);
661
714
 
662
-	return snprintf(buf, PAGE_SIZE, "%llu\n", counter);
715
+	return scnprintf(buf, PAGE_SIZE, "%llu\n", counter);
663
716
 }
664
717
 static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL);
665
718
 
..
..
@@ -668,7 +721,7 @@
668
721
 				   struct device_attribute *attr,
669
722
 				   char *buf)
670
723
 {
671
-	return snprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
724
+	return scnprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
672
725
 }
673
726
 static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL);
674
727
 
..
..
@@ -678,9 +731,9 @@
678
731
 			      char *buf)
679
732
 {
680
733
 	if (prng_mode == PRNG_MODE_TDES)
681
-		return snprintf(buf, PAGE_SIZE, "TDES\n");
734
+		return scnprintf(buf, PAGE_SIZE, "TDES\n");
682
735
 	else
683
-		return snprintf(buf, PAGE_SIZE, "SHA512\n");
736
+		return scnprintf(buf, PAGE_SIZE, "SHA512\n");
684
737
 }
685
738
 static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL);
686
739
 
..
..
@@ -703,7 +756,7 @@
703
756
 				      struct device_attribute *attr,
704
757
 				      char *buf)
705
758
 {
706
-	return snprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
759
+	return scnprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
707
760
 }
708
761
 static ssize_t prng_reseed_limit_store(struct device *dev,
709
762
 				       struct device_attribute *attr,
..
..
@@ -734,7 +787,7 @@
734
787
 				  struct device_attribute *attr,
735
788
 				  char *buf)
736
789
 {
737
-	return snprintf(buf, PAGE_SIZE, "256\n");
790
+	return scnprintf(buf, PAGE_SIZE, "256\n");
738
791
 }
739
792
 static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL);
740
793
 
..
..
@@ -771,7 +824,11 @@
771
824
 
772
825
 	/* check if the CPU has a PRNG */
773
826
 	if (!cpacf_query_func(CPACF_KMC, CPACF_KMC_PRNG))
774
-		return -EOPNOTSUPP;
827
+		return -ENODEV;
828
+
829
+	/* check if TRNG subfunction is available */
830
+	if (cpacf_query_func(CPACF_PRNO, CPACF_PRNO_TRNG))
831
+		trng_available = true;
775
832
 
776
833
 	/* choose prng mode */
777
834
 	if (prng_mode != PRNG_MODE_TDES) {
..
..
@@ -780,7 +837,7 @@
780
837
 			if (prng_mode == PRNG_MODE_SHA512) {
781
838
 				pr_err("The prng module cannot "
782
839
 				       "start in SHA-512 mode\n");
783
-				return -EOPNOTSUPP;
840
+				return -ENODEV;
784
841
 			}
785
842
 			prng_mode = PRNG_MODE_TDES;
786
843
 		} else