nehemiah.c revision 192774 
10SN/A/*-
21589SN/A * Copyright (c) 2004 Mark R V Murray
30SN/A * All rights reserved.
40SN/A *
50SN/A * Redistribution and use in source and binary forms, with or without
60SN/A * modification, are permitted provided that the following conditions
7553SN/A * are met:
80SN/A * 1. Redistributions of source code must retain the above copyright
9553SN/A *    notice, this list of conditions and the following disclaimer
100SN/A *    in this position and unchanged.
110SN/A * 2. Redistributions in binary form must reproduce the above copyright
120SN/A *    notice, this list of conditions and the following disclaimer in the
130SN/A *    documentation and/or other materials provided with the distribution.
140SN/A *
150SN/A * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
160SN/A * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
170SN/A * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
180SN/A * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
190SN/A * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
200SN/A * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21553SN/A * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22553SN/A * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23553SN/A * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
240SN/A * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
250SN/A *
260SN/A */
270SN/A
280SN/A#include <sys/cdefs.h>
290SN/A__FBSDID("$FreeBSD: head/sys/dev/random/nehemiah.c 192774 2009-05-25 22:50:11Z markm $");
300SN/A
310SN/A#include <sys/param.h>
320SN/A#include <sys/time.h>
330SN/A#include <sys/lock.h>
340SN/A#include <sys/mutex.h>
35#include <sys/selinfo.h>
36#include <sys/systm.h>
37
38#include <dev/random/randomdev.h>
39
40#define RANDOM_BLOCK_SIZE	256
41#define CIPHER_BLOCK_SIZE	16
42
43static void random_nehemiah_init(void);
44static void random_nehemiah_deinit(void);
45static int random_nehemiah_read(void *, int);
46
47struct random_systat random_nehemiah = {
48	.ident = "Hardware, VIA Nehemiah",
49	.init = random_nehemiah_init,
50	.deinit = random_nehemiah_deinit,
51	.read = random_nehemiah_read,
52	.write = (random_write_func_t *)random_null_func,
53	.reseed = (random_reseed_func_t *)random_null_func,
54	.seeded = 1,
55};
56
57union VIA_ACE_CW {
58	uint64_t raw;
59	struct {
60		u_int round_count : 4;
61		u_int algorithm_type : 3;
62		u_int key_generation_type : 1;
63		u_int intermediate : 1;
64		u_int decrypt : 1;
65		u_int key_size : 2;
66		u_int filler0 : 20;
67		u_int filler1 : 32;
68		u_int filler2 : 32;
69		u_int filler3 : 32;
70	} field;
71};
72
73/* The extra 7 is to allow an 8-byte write on the last byte of the
74 * arrays.  The ACE wants the AES data 16-byte/128-bit aligned, and
75 * it _always_ writes n*64 bits. The RNG does not care about alignment,
76 * and it always writes n*32 bits or n*64 bits.
77 */
78static uint8_t key[CIPHER_BLOCK_SIZE+7]	__aligned(16);
79static uint8_t iv[CIPHER_BLOCK_SIZE+7]	__aligned(16);
80static uint8_t in[RANDOM_BLOCK_SIZE+7]	__aligned(16);
81static uint8_t out[RANDOM_BLOCK_SIZE+7]	__aligned(16);
82
83static union VIA_ACE_CW acw		__aligned(16);
84
85static struct mtx random_nehemiah_mtx;
86
87/* ARGSUSED */
88static __inline size_t
89VIA_RNG_store(void *buf)
90{
91#ifdef __GNUCLIKE_ASM
92	uint32_t retval = 0;
93	uint32_t rate = 0;
94
95	/* The .byte line is really VIA C3 "xstore" instruction */
96	__asm __volatile(
97		"movl	$0,%%edx		\n\t"
98		".byte	0x0f, 0xa7, 0xc0"
99			: "=a" (retval), "+d" (rate), "+D" (buf)
100			:
101			: "memory"
102	);
103	if (rate == 0)
104		return (retval&0x1f);
105#endif
106	return (0);
107}
108
109/* ARGSUSED */
110static __inline void
111VIA_ACE_cbc(void *in, void *out, size_t count, void *key, union VIA_ACE_CW *cw, void *iv)
112{
113#ifdef __GNUCLIKE_ASM
114	/* The .byte line is really VIA C3 "xcrypt-cbc" instruction */
115	__asm __volatile(
116		"pushf				\n\t"
117		"popf				\n\t"
118		"rep				\n\t"
119		".byte	0x0f, 0xa7, 0xc8"
120			: "+a" (iv), "+c" (count), "+D" (out), "+S" (in)
121			: "b" (key), "d" (cw)
122			: "cc", "memory"
123		);
124#endif
125}
126
127static void
128random_nehemiah_init(void)
129{
130	acw.raw = 0ULL;
131	acw.field.round_count = 12;
132
133	mtx_init(&random_nehemiah_mtx, "random nehemiah", NULL, MTX_DEF);
134}
135
136void
137random_nehemiah_deinit(void)
138{
139	mtx_destroy(&random_nehemiah_mtx);
140}
141
142static int
143random_nehemiah_read(void *buf, int c)
144{
145	int i;
146	size_t count, ret;
147	uint8_t *p;
148
149	mtx_lock(&random_nehemiah_mtx);
150
151	/* Get a random AES key */
152	count = 0;
153	p = key;
154	do {
155		ret = VIA_RNG_store(p);
156		p += ret;
157		count += ret;
158	} while (count < CIPHER_BLOCK_SIZE);
159
160	/* Get a random AES IV */
161	count = 0;
162	p = iv;
163	do {
164		ret = VIA_RNG_store(p);
165		p += ret;
166		count += ret;
167	} while (count < CIPHER_BLOCK_SIZE);
168
169	/* Get a block of random bytes */
170	count = 0;
171	p = in;
172	do {
173		ret = VIA_RNG_store(p);
174		p += ret;
175		count += ret;
176	} while (count < RANDOM_BLOCK_SIZE);
177
178	/* This is a Davies-Meyer hash of the most paranoid variety; the
179	 * key, IV and the data are all read directly from the hardware RNG.
180	 * All of these are used precisely once.
181	 */
182	VIA_ACE_cbc(in, out, RANDOM_BLOCK_SIZE/CIPHER_BLOCK_SIZE,
183	    key, &acw, iv);
184	for (i = 0; i < RANDOM_BLOCK_SIZE; i++)
185		out[i] ^= in[i];
186
187	c = MIN(RANDOM_BLOCK_SIZE, c);
188	memcpy(buf, out, (size_t)c);
189
190	mtx_unlock(&random_nehemiah_mtx);
191	return (c);
192}
193