nehemiah.c revision 192774
10SN/A/*- 21589SN/A * Copyright (c) 2004 Mark R V Murray 30SN/A * All rights reserved. 40SN/A * 50SN/A * Redistribution and use in source and binary forms, with or without 60SN/A * modification, are permitted provided that the following conditions 7553SN/A * are met: 80SN/A * 1. Redistributions of source code must retain the above copyright 9553SN/A * notice, this list of conditions and the following disclaimer 100SN/A * in this position and unchanged. 110SN/A * 2. Redistributions in binary form must reproduce the above copyright 120SN/A * notice, this list of conditions and the following disclaimer in the 130SN/A * documentation and/or other materials provided with the distribution. 140SN/A * 150SN/A * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 160SN/A * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 170SN/A * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 180SN/A * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 190SN/A * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 200SN/A * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21553SN/A * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22553SN/A * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23553SN/A * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 240SN/A * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 250SN/A * 260SN/A */ 270SN/A 280SN/A#include <sys/cdefs.h> 290SN/A__FBSDID("$FreeBSD: head/sys/dev/random/nehemiah.c 192774 2009-05-25 22:50:11Z markm $"); 300SN/A 310SN/A#include <sys/param.h> 320SN/A#include <sys/time.h> 330SN/A#include <sys/lock.h> 340SN/A#include <sys/mutex.h> 35#include <sys/selinfo.h> 36#include <sys/systm.h> 37 38#include <dev/random/randomdev.h> 39 40#define RANDOM_BLOCK_SIZE 256 41#define CIPHER_BLOCK_SIZE 16 42 43static void random_nehemiah_init(void); 44static void random_nehemiah_deinit(void); 45static int random_nehemiah_read(void *, int); 46 47struct random_systat random_nehemiah = { 48 .ident = "Hardware, VIA Nehemiah", 49 .init = random_nehemiah_init, 50 .deinit = random_nehemiah_deinit, 51 .read = random_nehemiah_read, 52 .write = (random_write_func_t *)random_null_func, 53 .reseed = (random_reseed_func_t *)random_null_func, 54 .seeded = 1, 55}; 56 57union VIA_ACE_CW { 58 uint64_t raw; 59 struct { 60 u_int round_count : 4; 61 u_int algorithm_type : 3; 62 u_int key_generation_type : 1; 63 u_int intermediate : 1; 64 u_int decrypt : 1; 65 u_int key_size : 2; 66 u_int filler0 : 20; 67 u_int filler1 : 32; 68 u_int filler2 : 32; 69 u_int filler3 : 32; 70 } field; 71}; 72 73/* The extra 7 is to allow an 8-byte write on the last byte of the 74 * arrays. The ACE wants the AES data 16-byte/128-bit aligned, and 75 * it _always_ writes n*64 bits. The RNG does not care about alignment, 76 * and it always writes n*32 bits or n*64 bits. 77 */ 78static uint8_t key[CIPHER_BLOCK_SIZE+7] __aligned(16); 79static uint8_t iv[CIPHER_BLOCK_SIZE+7] __aligned(16); 80static uint8_t in[RANDOM_BLOCK_SIZE+7] __aligned(16); 81static uint8_t out[RANDOM_BLOCK_SIZE+7] __aligned(16); 82 83static union VIA_ACE_CW acw __aligned(16); 84 85static struct mtx random_nehemiah_mtx; 86 87/* ARGSUSED */ 88static __inline size_t 89VIA_RNG_store(void *buf) 90{ 91#ifdef __GNUCLIKE_ASM 92 uint32_t retval = 0; 93 uint32_t rate = 0; 94 95 /* The .byte line is really VIA C3 "xstore" instruction */ 96 __asm __volatile( 97 "movl $0,%%edx \n\t" 98 ".byte 0x0f, 0xa7, 0xc0" 99 : "=a" (retval), "+d" (rate), "+D" (buf) 100 : 101 : "memory" 102 ); 103 if (rate == 0) 104 return (retval&0x1f); 105#endif 106 return (0); 107} 108 109/* ARGSUSED */ 110static __inline void 111VIA_ACE_cbc(void *in, void *out, size_t count, void *key, union VIA_ACE_CW *cw, void *iv) 112{ 113#ifdef __GNUCLIKE_ASM 114 /* The .byte line is really VIA C3 "xcrypt-cbc" instruction */ 115 __asm __volatile( 116 "pushf \n\t" 117 "popf \n\t" 118 "rep \n\t" 119 ".byte 0x0f, 0xa7, 0xc8" 120 : "+a" (iv), "+c" (count), "+D" (out), "+S" (in) 121 : "b" (key), "d" (cw) 122 : "cc", "memory" 123 ); 124#endif 125} 126 127static void 128random_nehemiah_init(void) 129{ 130 acw.raw = 0ULL; 131 acw.field.round_count = 12; 132 133 mtx_init(&random_nehemiah_mtx, "random nehemiah", NULL, MTX_DEF); 134} 135 136void 137random_nehemiah_deinit(void) 138{ 139 mtx_destroy(&random_nehemiah_mtx); 140} 141 142static int 143random_nehemiah_read(void *buf, int c) 144{ 145 int i; 146 size_t count, ret; 147 uint8_t *p; 148 149 mtx_lock(&random_nehemiah_mtx); 150 151 /* Get a random AES key */ 152 count = 0; 153 p = key; 154 do { 155 ret = VIA_RNG_store(p); 156 p += ret; 157 count += ret; 158 } while (count < CIPHER_BLOCK_SIZE); 159 160 /* Get a random AES IV */ 161 count = 0; 162 p = iv; 163 do { 164 ret = VIA_RNG_store(p); 165 p += ret; 166 count += ret; 167 } while (count < CIPHER_BLOCK_SIZE); 168 169 /* Get a block of random bytes */ 170 count = 0; 171 p = in; 172 do { 173 ret = VIA_RNG_store(p); 174 p += ret; 175 count += ret; 176 } while (count < RANDOM_BLOCK_SIZE); 177 178 /* This is a Davies-Meyer hash of the most paranoid variety; the 179 * key, IV and the data are all read directly from the hardware RNG. 180 * All of these are used precisely once. 181 */ 182 VIA_ACE_cbc(in, out, RANDOM_BLOCK_SIZE/CIPHER_BLOCK_SIZE, 183 key, &acw, iv); 184 for (i = 0; i < RANDOM_BLOCK_SIZE; i++) 185 out[i] ^= in[i]; 186 187 c = MIN(RANDOM_BLOCK_SIZE, c); 188 memcpy(buf, out, (size_t)c); 189 190 mtx_unlock(&random_nehemiah_mtx); 191 return (c); 192} 193