nehemiah.c revision 143063 
1/*-
2 * Copyright (c) 2004 Mark R V Murray
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer
10 *    in this position and unchanged.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 *
26 */
27
28#include <sys/cdefs.h>
29__FBSDID("$FreeBSD: head/sys/dev/random/nehemiah.c 143063 2005-03-02 21:33:29Z joerg $");
30
31#include <sys/param.h>
32#include <sys/time.h>
33#include <sys/lock.h>
34#include <sys/mutex.h>
35#include <sys/selinfo.h>
36#include <sys/systm.h>
37
38#include <dev/random/randomdev.h>
39
40#define RANDOM_BLOCK_SIZE	256
41#define CIPHER_BLOCK_SIZE	16
42
43static void random_nehemiah_init(void);
44static int random_nehemiah_read(void *, int);
45
46struct random_systat random_nehemiah = {
47	.ident = "Hardware, VIA Nehemiah",
48	.init = random_nehemiah_init,
49	.deinit = (random_deinit_func_t *)random_null_func,
50	.read = random_nehemiah_read,
51	.write = (random_write_func_t *)random_null_func,
52	.reseed = (random_reseed_func_t *)random_null_func,
53	.seeded = 1,
54};
55
56union VIA_ACE_CW {
57	uint64_t raw;
58	struct {
59		u_int round_count : 4;
60		u_int algorithm_type : 3;
61		u_int key_generation_type : 1;
62		u_int intermediate : 1;
63		u_int decrypt : 1;
64		u_int key_size : 2;
65		u_int filler0 : 20;
66		u_int filler1 : 32;
67		u_int filler2 : 32;
68		u_int filler3 : 32;
69	} field;
70};
71
72/* The extra 7 is to allow an 8-byte write on the last byte of the
73 * arrays.  The ACE wants the AES data 16-byte/128-bit aligned, and
74 * it _always_ writes n*64 bits. The RNG does not care about alignment,
75 * and it always writes n*32 bits or n*64 bits.
76 */
77static uint8_t key[CIPHER_BLOCK_SIZE+7]	__aligned(16);
78static uint8_t iv[CIPHER_BLOCK_SIZE+7]	__aligned(16);
79static uint8_t in[RANDOM_BLOCK_SIZE+7]	__aligned(16);
80static uint8_t out[RANDOM_BLOCK_SIZE+7]	__aligned(16);
81
82static union VIA_ACE_CW acw		__aligned(16);
83
84/* ARGSUSED */
85static __inline size_t
86VIA_RNG_store(void *buf)
87{
88#ifdef __GNUCLIKE_ASM
89	uint32_t retval = 0;
90	uint32_t rate = 0;
91
92	/* The .byte line is really VIA C3 "xstore" instruction */
93	__asm __volatile(
94		"movl	$0,%%edx		\n\t"
95		".byte	0x0f, 0xa7, 0xc0"
96			: "=a" (retval), "+d" (rate), "+D" (buf)
97			:
98			: "memory"
99	);
100	if (rate == 0)
101		return (retval&0x1f);
102#endif
103	return (0);
104}
105
106/* ARGSUSED */
107static __inline void
108VIA_ACE_cbc(void *in, void *out, size_t count, void *key, union VIA_ACE_CW *cw, void *iv)
109{
110#ifdef __GNUCLIKE_ASM
111	/* The .byte line is really VIA C3 "xcrypt-cbc" instruction */
112	__asm __volatile(
113		"pushf				\n\t"
114		"popf				\n\t"
115		"rep				\n\t"
116		".byte	0x0f, 0xa7, 0xc8"
117			: "+a" (iv), "+c" (count), "+D" (out), "+S" (in)
118			: "b" (key), "d" (cw)
119			: "cc", "memory"
120		);
121#endif
122}
123
124static void
125random_nehemiah_init(void)
126{
127	acw.raw = 0ULL;
128	acw.field.round_count = 12;
129}
130
131static int
132random_nehemiah_read(void *buf, int c)
133{
134	int i;
135	size_t count, ret;
136	uint8_t *p;
137
138	/* Get a random AES key */
139	count = 0;
140	p = key;
141	do {
142		ret = VIA_RNG_store(p);
143		p += ret;
144		count += ret;
145	} while (count < CIPHER_BLOCK_SIZE);
146
147	/* Get a random AES IV */
148	count = 0;
149	p = iv;
150	do {
151		ret = VIA_RNG_store(p);
152		p += ret;
153		count += ret;
154	} while (count < CIPHER_BLOCK_SIZE);
155
156	/* Get a block of random bytes */
157	count = 0;
158	p = in;
159	do {
160		ret = VIA_RNG_store(p);
161		p += ret;
162		count += ret;
163	} while (count < RANDOM_BLOCK_SIZE);
164
165	/* This is a Davies-Meyer hash of the most paranoid variety; the
166	 * key, IV and the data are all read directly from the hardware RNG.
167	 * All of these are used precisely once.
168	 */
169	VIA_ACE_cbc(in, out, RANDOM_BLOCK_SIZE/CIPHER_BLOCK_SIZE,
170	    key, &acw, iv);
171	for (i = 0; i < RANDOM_BLOCK_SIZE; i++)
172		out[i] ^= in[i];
173
174	c = MIN(RANDOM_BLOCK_SIZE, c);
175	memcpy(buf, out, (size_t)c);
176
177	return (c);
178}
179