~hc/RK356X_SDK_RELEASE.git

..	..	@@ -61,6 +61,7 @@
61	61	module_param_named(reseed_limit, prng_reseed_limit, int, 0);
62	62	MODULE_PARM_DESC(prng_reseed_limit, "PRNG reseed limit");
63	63
	64	+static bool trng_available;
64	65
65	66	/*
66	67	* Any one who considers arithmetical methods of producing random digits is,
..	..	@@ -115,46 +116,68 @@
115	116
116	117	/*
117	118	* generate_entropy:
118		- * This algorithm produces 64 bytes of entropy data based on 1024
119		- * individual stckf() invocations assuming that each stckf() value
120		- * contributes 0.25 bits of entropy. So the caller gets 256 bit
121		- * entropy per 64 byte or 4 bits entropy per byte.
	119	+ * This function fills a given buffer with random bytes. The entropy within
	120	+ * the random bytes given back is assumed to have at least 50% - meaning
	121	+ * a 64 bytes buffer has at least 64 * 8 / 2 = 256 bits of entropy.
	122	+ * Within the function the entropy generation is done in junks of 64 bytes.
	123	+ * So the caller should also ask for buffer fill in multiples of 64 bytes.
	124	+ * The generation of the entropy is based on the assumption that every stckf()
	125	+ * invocation produces 0.5 bits of entropy. To accumulate 256 bits of entropy
	126	+ * at least 512 stckf() values are needed. The entropy relevant part of the
	127	+ * stckf value is bit 51 (counting starts at the left with bit nr 0) so
	128	+ * here we use the lower 4 bytes and exor the values into 2k of bufferspace.
	129	+ * To be on the save side, if there is ever a problem with stckf() the
	130	+ * other half of the page buffer is filled with bytes from urandom via
	131	+ * get_random_bytes(), so this function consumes 2k of urandom for each
	132	+ * requested 64 bytes output data. Finally the buffer page is condensed into
	133	+ * a 64 byte value by hashing with a SHA512 hash.
122	134	*/
123	135	static int generate_entropy(u8 *ebuf, size_t nbytes)
124	136	{
125	137	int n, ret = 0;
126		- u8 pg, h, hash[64];
	138	+ u8 *pg, pblock[80] = {
	139	+ /* 8 x 64 bit init values */
	140	+ 0x6A, 0x09, 0xE6, 0x67, 0xF3, 0xBC, 0xC9, 0x08,
	141	+ 0xBB, 0x67, 0xAE, 0x85, 0x84, 0xCA, 0xA7, 0x3B,
	142	+ 0x3C, 0x6E, 0xF3, 0x72, 0xFE, 0x94, 0xF8, 0x2B,
	143	+ 0xA5, 0x4F, 0xF5, 0x3A, 0x5F, 0x1D, 0x36, 0xF1,
	144	+ 0x51, 0x0E, 0x52, 0x7F, 0xAD, 0xE6, 0x82, 0xD1,
	145	+ 0x9B, 0x05, 0x68, 0x8C, 0x2B, 0x3E, 0x6C, 0x1F,
	146	+ 0x1F, 0x83, 0xD9, 0xAB, 0xFB, 0x41, 0xBD, 0x6B,
	147	+ 0x5B, 0xE0, 0xCD, 0x19, 0x13, 0x7E, 0x21, 0x79,
	148	+ /* 128 bit counter total message bit length */
	149	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	150	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 };
127	151
128		- /* allocate 2 pages */
129		- pg = (u8 *) __get_free_pages(GFP_KERNEL, 1);
	152	+ /* allocate one page stckf buffer */
	153	+ pg = (u8 *) __get_free_page(GFP_KERNEL);
130	154	if (!pg) {
131	155	prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
132	156	return -ENOMEM;
133	157	}
134	158
	159	+ /* fill the ebuf in chunks of 64 byte each */
135	160	while (nbytes) {
136		- /* fill pages with urandom bytes */
137		- get_random_bytes(pg, 2*PAGE_SIZE);
138		- /* exor pages with 1024 stckf values */
139		- for (n = 0; n < 2 * PAGE_SIZE / sizeof(u64); n++) {
140		- u64 p = ((u64 )pg) + n;
	161	+ /* fill lower 2k with urandom bytes */
	162	+ get_random_bytes(pg, PAGE_SIZE / 2);
	163	+ /* exor upper 2k with 512 stckf values, offset 4 bytes each */
	164	+ for (n = 0; n < 512; n++) {
	165	+ int offset = (PAGE_SIZE / 2) + (n * 4) - 4;
	166	+ u64 p = (u64 )(pg + offset);
141	167	*p ^= get_tod_clock_fast();
142	168	}
143		- n = (nbytes < sizeof(hash)) ? nbytes : sizeof(hash);
144		- if (n < sizeof(hash))
145		- h = hash;
146		- else
147		- h = ebuf;
148		- /* hash over the filled pages */
149		- cpacf_kimd(CPACF_KIMD_SHA_512, h, pg, 2*PAGE_SIZE);
150		- if (n < sizeof(hash))
151		- memcpy(ebuf, hash, n);
	169	+ /* hash over the filled page */
	170	+ cpacf_klmd(CPACF_KLMD_SHA_512, pblock, pg, PAGE_SIZE);
	171	+ n = (nbytes < 64) ? nbytes : 64;
	172	+ memcpy(ebuf, pblock, n);
152	173	ret += n;
153	174	ebuf += n;
154	175	nbytes -= n;
155	176	}
156	177
157		- free_pages((unsigned long)pg, 1);
	178	+ memzero_explicit(pblock, sizeof(pblock));
	179	+ memzero_explicit(pg, PAGE_SIZE);
	180	+ free_page((unsigned long)pg);
158	181	return ret;
159	182	}
160	183
..	..	@@ -226,7 +249,7 @@
226	249	{
227	250	pr_debug("The prng module stopped "
228	251	"after running in triple DES mode\n");
229		- kzfree(prng_data);
	252	+ kfree_sensitive(prng_data);
230	253	}
231	254
232	255
..	..	@@ -344,8 +367,8 @@
344	367
345	368	static int __init prng_sha512_instantiate(void)
346	369	{
347		- int ret, datalen;
348		- u8 seed[64 + 32 + 16];
	370	+ int ret, datalen, seedlen;
	371	+ u8 seed[128 + 16];
349	372
350	373	pr_debug("prng runs in SHA-512 mode "
351	374	"with chunksize=%d and reseed_limit=%u\n",
..	..	@@ -368,16 +391,36 @@
368	391	if (ret)
369	392	goto outfree;
370	393
371		- /* generate initial seed bytestring, with 256 + 128 bits entropy */
372		- ret = generate_entropy(seed, 64 + 32);
373		- if (ret != 64 + 32)
374		- goto outfree;
375		- /* followed by 16 bytes of unique nonce */
376		- get_tod_clock_ext(seed + 64 + 32);
	394	+ /* generate initial seed, we need at least 256 + 128 bits entropy. */
	395	+ if (trng_available) {
	396	+ /*
	397	+ * Trng available, so use it. The trng works in chunks of
	398	+ * 32 bytes and produces 100% entropy. So we pull 64 bytes
	399	+ * which gives us 512 bits entropy.
	400	+ */
	401	+ seedlen = 2 * 32;
	402	+ cpacf_trng(NULL, 0, seed, seedlen);
	403	+ } else {
	404	+ /*
	405	+ * No trng available, so use the generate_entropy() function.
	406	+ * This function works in 64 byte junks and produces
	407	+ * 50% entropy. So we pull 2*64 bytes which gives us 512 bits
	408	+ * of entropy.
	409	+ */
	410	+ seedlen = 2 * 64;
	411	+ ret = generate_entropy(seed, seedlen);
	412	+ if (ret != seedlen)
	413	+ goto outfree;
	414	+ }
377	415
378		- /* initial seed of the prno drng */
	416	+ /* append the seed by 16 bytes of unique nonce */
	417	+ get_tod_clock_ext(seed + seedlen);
	418	+ seedlen += 16;
	419	+
	420	+ /* now initial seed of the prno drng */
379	421	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
380		- &prng_data->prnows, NULL, 0, seed, sizeof(seed));
	422	+ &prng_data->prnows, NULL, 0, seed, seedlen);
	423	+ memzero_explicit(seed, sizeof(seed));
381	424
382	425	/* if fips mode is enabled, generate a first block of random
383	426	bytes for the FIPS 140-2 Conditional Self Test */
..	..	@@ -399,23 +442,32 @@
399	442	static void prng_sha512_deinstantiate(void)
400	443	{
401	444	pr_debug("The prng module stopped after running in SHA-512 mode\n");
402		- kzfree(prng_data);
	445	+ kfree_sensitive(prng_data);
403	446	}
404	447
405	448
406	449	static int prng_sha512_reseed(void)
407	450	{
408		- int ret;
	451	+ int ret, seedlen;
409	452	u8 seed[64];
410	453
411		- /* fetch 256 bits of fresh entropy */
412		- ret = generate_entropy(seed, sizeof(seed));
413		- if (ret != sizeof(seed))
414		- return ret;
	454	+ /* We need at least 256 bits of fresh entropy for reseeding */
	455	+ if (trng_available) {
	456	+ /* trng produces 256 bits entropy in 32 bytes */
	457	+ seedlen = 32;
	458	+ cpacf_trng(NULL, 0, seed, seedlen);
	459	+ } else {
	460	+ /* generate_entropy() produces 256 bits entropy in 64 bytes */
	461	+ seedlen = 64;
	462	+ ret = generate_entropy(seed, seedlen);
	463	+ if (ret != sizeof(seed))
	464	+ return ret;
	465	+ }
415	466
416	467	/* do a reseed of the prno drng with this bytestring */
417	468	cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED,
418		- &prng_data->prnows, NULL, 0, seed, sizeof(seed));
	469	+ &prng_data->prnows, NULL, 0, seed, seedlen);
	470	+ memzero_explicit(seed, sizeof(seed));
419	471
420	472	return 0;
421	473	}
..	..	@@ -592,6 +644,7 @@
592	644	ret = -EFAULT;
593	645	break;
594	646	}
	647	+ memzero_explicit(p, n);
595	648	ubuf += n;
596	649	nbytes -= n;
597	650	ret += n;
..	..	@@ -640,7 +693,7 @@
640	693	struct device_attribute *attr,
641	694	char *buf)
642	695	{
643		- return snprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
	696	+ return scnprintf(buf, PAGE_SIZE, "%u\n", prng_chunk_size);
644	697	}
645	698	static DEVICE_ATTR(chunksize, 0444, prng_chunksize_show, NULL);
646	699
..	..	@@ -659,7 +712,7 @@
659	712	counter = prng_data->prngws.byte_counter;
660	713	mutex_unlock(&prng_data->mutex);
661	714
662		- return snprintf(buf, PAGE_SIZE, "%llu\n", counter);
	715	+ return scnprintf(buf, PAGE_SIZE, "%llu\n", counter);
663	716	}
664	717	static DEVICE_ATTR(byte_counter, 0444, prng_counter_show, NULL);
665	718
..	..	@@ -668,7 +721,7 @@
668	721	struct device_attribute *attr,
669	722	char *buf)
670	723	{
671		- return snprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
	724	+ return scnprintf(buf, PAGE_SIZE, "%d\n", prng_errorflag);
672	725	}
673	726	static DEVICE_ATTR(errorflag, 0444, prng_errorflag_show, NULL);
674	727
..	..	@@ -678,9 +731,9 @@
678	731	char *buf)
679	732	{
680	733	if (prng_mode == PRNG_MODE_TDES)
681		- return snprintf(buf, PAGE_SIZE, "TDES\n");
	734	+ return scnprintf(buf, PAGE_SIZE, "TDES\n");
682	735	else
683		- return snprintf(buf, PAGE_SIZE, "SHA512\n");
	736	+ return scnprintf(buf, PAGE_SIZE, "SHA512\n");
684	737	}
685	738	static DEVICE_ATTR(mode, 0444, prng_mode_show, NULL);
686	739
..	..	@@ -703,7 +756,7 @@
703	756	struct device_attribute *attr,
704	757	char *buf)
705	758	{
706		- return snprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
	759	+ return scnprintf(buf, PAGE_SIZE, "%u\n", prng_reseed_limit);
707	760	}
708	761	static ssize_t prng_reseed_limit_store(struct device *dev,
709	762	struct device_attribute *attr,
..	..	@@ -734,7 +787,7 @@
734	787	struct device_attribute *attr,
735	788	char *buf)
736	789	{
737		- return snprintf(buf, PAGE_SIZE, "256\n");
	790	+ return scnprintf(buf, PAGE_SIZE, "256\n");
738	791	}
739	792	static DEVICE_ATTR(strength, 0444, prng_strength_show, NULL);
740	793
..	..	@@ -771,7 +824,11 @@
771	824
772	825	/* check if the CPU has a PRNG */
773	826	if (!cpacf_query_func(CPACF_KMC, CPACF_KMC_PRNG))
774		- return -EOPNOTSUPP;
	827	+ return -ENODEV;
	828	+
	829	+ /* check if TRNG subfunction is available */
	830	+ if (cpacf_query_func(CPACF_PRNO, CPACF_PRNO_TRNG))
	831	+ trng_available = true;
775	832
776	833	/* choose prng mode */
777	834	if (prng_mode != PRNG_MODE_TDES) {
..	..	@@ -780,7 +837,7 @@
780	837	if (prng_mode == PRNG_MODE_SHA512) {
781	838	pr_err("The prng module cannot "
782	839	"start in SHA-512 mode\n");
783		- return -EOPNOTSUPP;
	840	+ return -ENODEV;
784	841	}
785	842	prng_mode = PRNG_MODE_TDES;
786	843	} else