2 * Copyright IBM Corp. 2006,2007
3 * Author(s): Jan Glauber <jan.glauber@de.ibm.com>
4 * Driver for the s390 pseudo random number generator
7 #include <linux/init.h>
8 #include <linux/kernel.h>
9 #include <linux/smp_lock.h>
10 #include <linux/miscdevice.h>
11 #include <linux/module.h>
12 #include <linux/moduleparam.h>
13 #include <linux/random.h>
14 #include <asm/debug.h>
15 #include <asm/uaccess.h>
17 #include "crypt_s390.h"
19 MODULE_LICENSE("GPL");
20 MODULE_AUTHOR("Jan Glauber <jan.glauber@de.ibm.com>");
21 MODULE_DESCRIPTION("s390 PRNG interface");
23 static int prng_chunk_size
= 256;
24 module_param(prng_chunk_size
, int, S_IRUSR
| S_IRGRP
| S_IROTH
);
25 MODULE_PARM_DESC(prng_chunk_size
, "PRNG read chunk size in bytes");
27 static int prng_entropy_limit
= 4096;
28 module_param(prng_entropy_limit
, int, S_IRUSR
| S_IRGRP
| S_IROTH
| S_IWUSR
);
29 MODULE_PARM_DESC(prng_entropy_limit
,
30 "PRNG add entropy after that much bytes were produced");
33 * Any one who considers arithmetical methods of producing random digits is,
34 * of course, in a state of sin. -- John von Neumann
37 struct s390_prng_data
{
38 unsigned long count
; /* how many bytes were produced */
42 static struct s390_prng_data
*p
;
44 /* copied from libica, use a non-zero initial parameter block */
45 static unsigned char parm_block
[32] = {
46 0x0F,0x2B,0x8E,0x63,0x8C,0x8E,0xD2,0x52,0x64,0xB7,0xA0,0x7B,0x75,0x28,0xB8,0xF4,
47 0x75,0x5F,0xD2,0xA6,0x8D,0x97,0x11,0xFF,0x49,0xD8,0x23,0xF3,0x7E,0x21,0xEC,0xA0,
50 static int prng_open(struct inode
*inode
, struct file
*file
)
53 return nonseekable_open(inode
, file
);
56 static void prng_add_entropy(void)
62 for (i
= 0; i
< 16; i
++) {
63 ret
= crypt_s390_kmc(KMC_PRNG
, parm_block
, (char *)entropy
,
64 (char *)entropy
, sizeof(entropy
));
65 BUG_ON(ret
< 0 || ret
!= sizeof(entropy
));
66 memcpy(parm_block
, entropy
, sizeof(entropy
));
70 static void prng_seed(int nbytes
)
76 get_random_bytes(buf
, nbytes
);
80 *((__u64
*)parm_block
) ^= *((__u64
*)buf
+i
*8);
88 static ssize_t
prng_read(struct file
*file
, char __user
*ubuf
, size_t nbytes
,
95 /* nbytes can be arbitrary length, we split it into chunks */
97 /* same as in extract_entropy_user in random.c */
99 if (signal_pending(current
)) {
108 * we lose some random bytes if an attacker issues
109 * reads < 8 bytes, but we don't care
111 chunk
= min_t(int, nbytes
, prng_chunk_size
);
113 /* PRNG only likes multiples of 8 bytes */
114 n
= (chunk
+ 7) & -8;
116 if (p
->count
> prng_entropy_limit
)
119 /* if the CPU supports PRNG stckf is present too */
120 asm volatile(".insn s,0xb27c0000,%0"
121 : "=m" (*((unsigned long long *)p
->buf
)) : : "cc");
124 * Beside the STCKF the input for the TDES-EDE is the output
125 * of the last operation. We differ here from X9.17 since we
126 * only store one timestamp into the buffer. Padding the whole
127 * buffer with timestamps does not improve security, since
128 * successive stckf have nearly constant offsets.
129 * If an attacker knows the first timestamp it would be
130 * trivial to guess the additional values. One timestamp
131 * is therefore enough and still guarantees unique input values.
133 * Note: you can still get strict X9.17 conformity by setting
134 * prng_chunk_size to 8 bytes.
136 tmp
= crypt_s390_kmc(KMC_PRNG
, parm_block
, p
->buf
, p
->buf
, n
);
137 BUG_ON((tmp
< 0) || (tmp
!= n
));
141 if (copy_to_user(ubuf
, p
->buf
, chunk
))
151 static const struct file_operations prng_fops
= {
152 .owner
= THIS_MODULE
,
158 static struct miscdevice prng_dev
= {
160 .minor
= MISC_DYNAMIC_MINOR
,
164 static int __init
prng_init(void)
168 /* check if the CPU has a PRNG */
169 if (!crypt_s390_func_available(KMC_PRNG
))
172 if (prng_chunk_size
< 8)
175 p
= kmalloc(sizeof(struct s390_prng_data
), GFP_KERNEL
);
180 p
->buf
= kmalloc(prng_chunk_size
, GFP_KERNEL
);
186 /* initialize the PRNG, add 128 bits of entropy */
189 ret
= misc_register(&prng_dev
);
201 static void __exit
prng_exit(void)
207 misc_deregister(&prng_dev
);
210 module_init(prng_init
);
211 module_exit(prng_exit
);