randomdev.c revision 338923
1/*- 2 * Copyright (c) 2000-2015 Mark R V Murray 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer 10 * in this position and unchanged. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 * 26 */ 27 28#include <sys/cdefs.h> 29__FBSDID("$FreeBSD: stable/11/sys/dev/random/randomdev.c 338923 2018-09-25 05:18:20Z delphij $"); 30 31#include <sys/param.h> 32#include <sys/systm.h> 33#include <sys/bus.h> 34#include <sys/conf.h> 35#include <sys/fcntl.h> 36#include <sys/filio.h> 37#include <sys/kernel.h> 38#include <sys/kthread.h> 39#include <sys/lock.h> 40#include <sys/module.h> 41#include <sys/malloc.h> 42#include <sys/poll.h> 43#include <sys/proc.h> 44#include <sys/random.h> 45#include <sys/sbuf.h> 46#include <sys/selinfo.h> 47#include <sys/sysctl.h> 48#include <sys/systm.h> 49#include <sys/uio.h> 50#include <sys/unistd.h> 51 52#include <crypto/rijndael/rijndael-api-fst.h> 53#include <crypto/sha2/sha256.h> 54 55#include <dev/random/hash.h> 56#include <dev/random/randomdev.h> 57#include <dev/random/random_harvestq.h> 58 59#define RANDOM_UNIT 0 60 61#if defined(RANDOM_LOADABLE) 62#define READ_RANDOM_UIO _read_random_uio 63#define READ_RANDOM _read_random 64static int READ_RANDOM_UIO(struct uio *, bool); 65static u_int READ_RANDOM(void *, u_int); 66#else 67#define READ_RANDOM_UIO read_random_uio 68#define READ_RANDOM read_random 69#endif 70 71static d_read_t randomdev_read; 72static d_write_t randomdev_write; 73static d_poll_t randomdev_poll; 74static d_ioctl_t randomdev_ioctl; 75 76static struct cdevsw random_cdevsw = { 77 .d_name = "random", 78 .d_version = D_VERSION, 79 .d_read = randomdev_read, 80 .d_write = randomdev_write, 81 .d_poll = randomdev_poll, 82 .d_ioctl = randomdev_ioctl, 83}; 84 85/* For use with make_dev(9)/destroy_dev(9). */ 86static struct cdev *random_dev; 87 88static void 89random_alg_context_ra_init_alg(void *data) 90{ 91 92 p_random_alg_context = &random_alg_context; 93 p_random_alg_context->ra_init_alg(data); 94#if defined(RANDOM_LOADABLE) 95 random_infra_init(READ_RANDOM_UIO, READ_RANDOM); 96#endif 97} 98 99static void 100random_alg_context_ra_deinit_alg(void *data) 101{ 102 103#if defined(RANDOM_LOADABLE) 104 random_infra_uninit(); 105#endif 106 p_random_alg_context->ra_deinit_alg(data); 107 p_random_alg_context = NULL; 108} 109 110SYSINIT(random_device, SI_SUB_RANDOM, SI_ORDER_THIRD, random_alg_context_ra_init_alg, NULL); 111SYSUNINIT(random_device, SI_SUB_RANDOM, SI_ORDER_THIRD, random_alg_context_ra_deinit_alg, NULL); 112 113static struct selinfo rsel; 114 115/* 116 * This is the read uio(9) interface for random(4). 117 */ 118/* ARGSUSED */ 119static int 120randomdev_read(struct cdev *dev __unused, struct uio *uio, int flags) 121{ 122 123 return (READ_RANDOM_UIO(uio, (flags & O_NONBLOCK) != 0)); 124} 125 126int 127READ_RANDOM_UIO(struct uio *uio, bool nonblock) 128{ 129 uint8_t *random_buf; 130 int error, spamcount; 131 ssize_t read_len, total_read, c; 132 133 random_buf = malloc(PAGE_SIZE, M_ENTROPY, M_WAITOK); 134 p_random_alg_context->ra_pre_read(); 135 error = 0; 136 spamcount = 0; 137 /* (Un)Blocking logic */ 138 while (!p_random_alg_context->ra_seeded()) { 139 if (nonblock) { 140 error = EWOULDBLOCK; 141 break; 142 } 143 /* keep tapping away at the pre-read until we seed/unblock. */ 144 p_random_alg_context->ra_pre_read(); 145 /* Only bother the console every 10 seconds or so */ 146 if (spamcount == 0) 147 printf("random: %s unblock wait\n", __func__); 148 spamcount = (spamcount + 1)%100; 149 error = tsleep(&random_alg_context, PCATCH, "randseed", hz/10); 150 if (error == ERESTART || error == EINTR) 151 break; 152 /* Squash tsleep timeout condition */ 153 if (error == EWOULDBLOCK) 154 error = 0; 155 KASSERT(error == 0, ("unexpected tsleep error %d", error)); 156 } 157 if (error == 0) { 158 read_rate_increment((uio->uio_resid + sizeof(uint32_t))/sizeof(uint32_t)); 159 total_read = 0; 160 while (uio->uio_resid && !error) { 161 read_len = uio->uio_resid; 162 /* 163 * Belt-and-braces. 164 * Round up the read length to a crypto block size multiple, 165 * which is what the underlying generator is expecting. 166 * See the random_buf size requirements in the Yarrow/Fortuna code. 167 */ 168 read_len = roundup(read_len, RANDOM_BLOCKSIZE); 169 /* Work in chunks page-sized or less */ 170 read_len = MIN(read_len, PAGE_SIZE); 171 p_random_alg_context->ra_read(random_buf, read_len); 172 c = MIN(uio->uio_resid, read_len); 173 error = uiomove(random_buf, c, uio); 174 total_read += c; 175 } 176 if (total_read != uio->uio_resid && (error == ERESTART || error == EINTR)) 177 /* Return partial read, not error. */ 178 error = 0; 179 } 180 free(random_buf, M_ENTROPY); 181 return (error); 182} 183 184/*- 185 * Kernel API version of read_random(). 186 * This is similar to random_alg_read(), 187 * except it doesn't interface with uio(9). 188 * It cannot assumed that random_buf is a multiple of 189 * RANDOM_BLOCKSIZE bytes. 190 */ 191u_int 192READ_RANDOM(void *random_buf, u_int len) 193{ 194 u_int read_len; 195 uint8_t local_buf[len + RANDOM_BLOCKSIZE]; 196 197 KASSERT(random_buf != NULL, ("No suitable random buffer in %s", __func__)); 198 p_random_alg_context->ra_pre_read(); 199 /* (Un)Blocking logic; if not seeded, return nothing. */ 200 if (p_random_alg_context->ra_seeded()) { 201 read_rate_increment((len + sizeof(uint32_t))/sizeof(uint32_t)); 202 if (len > 0) { 203 /* 204 * Belt-and-braces. 205 * Round up the read length to a crypto block size multiple, 206 * which is what the underlying generator is expecting. 207 */ 208 read_len = roundup(len, RANDOM_BLOCKSIZE); 209 p_random_alg_context->ra_read(local_buf, read_len); 210 memcpy(random_buf, local_buf, len); 211 } 212 } else 213 len = 0; 214 return (len); 215} 216 217static __inline void 218randomdev_accumulate(uint8_t *buf, u_int count) 219{ 220 static u_int destination = 0; 221 static struct harvest_event event; 222 static struct randomdev_hash hash; 223 static uint32_t entropy_data[RANDOM_KEYSIZE_WORDS]; 224 uint32_t timestamp; 225 int i; 226 227 /* Extra timing here is helpful to scrape scheduler jitter entropy */ 228 randomdev_hash_init(&hash); 229 timestamp = (uint32_t)get_cyclecount(); 230 randomdev_hash_iterate(&hash, ×tamp, sizeof(timestamp)); 231 randomdev_hash_iterate(&hash, buf, count); 232 timestamp = (uint32_t)get_cyclecount(); 233 randomdev_hash_iterate(&hash, ×tamp, sizeof(timestamp)); 234 randomdev_hash_finish(&hash, entropy_data); 235 explicit_bzero(&hash, sizeof(hash)); 236 for (i = 0; i < RANDOM_KEYSIZE_WORDS; i += sizeof(event.he_entropy)/sizeof(event.he_entropy[0])) { 237 event.he_somecounter = (uint32_t)get_cyclecount(); 238 event.he_size = sizeof(event.he_entropy); 239 event.he_bits = event.he_size/8; 240 event.he_source = RANDOM_CACHED; 241 event.he_destination = destination++; /* Harmless cheating */ 242 memcpy(event.he_entropy, entropy_data + i, sizeof(event.he_entropy)); 243 p_random_alg_context->ra_event_processor(&event); 244 } 245 explicit_bzero(entropy_data, sizeof(entropy_data)); 246} 247 248/* ARGSUSED */ 249static int 250randomdev_write(struct cdev *dev __unused, struct uio *uio, int flags __unused) 251{ 252 uint8_t *random_buf; 253 int c, error = 0; 254 ssize_t nbytes; 255 256 random_buf = malloc(PAGE_SIZE, M_ENTROPY, M_WAITOK); 257 nbytes = uio->uio_resid; 258 while (uio->uio_resid > 0 && error == 0) { 259 c = MIN(uio->uio_resid, PAGE_SIZE); 260 error = uiomove(random_buf, c, uio); 261 if (error) 262 break; 263 randomdev_accumulate(random_buf, c); 264 tsleep(&random_alg_context, 0, "randwr", hz/10); 265 } 266 if (nbytes != uio->uio_resid && (error == ERESTART || error == EINTR)) 267 /* Partial write, not error. */ 268 error = 0; 269 free(random_buf, M_ENTROPY); 270 return (error); 271} 272 273/* ARGSUSED */ 274static int 275randomdev_poll(struct cdev *dev __unused, int events, struct thread *td __unused) 276{ 277 278 if (events & (POLLIN | POLLRDNORM)) { 279 if (p_random_alg_context->ra_seeded()) 280 events &= (POLLIN | POLLRDNORM); 281 else 282 selrecord(td, &rsel); 283 } 284 return (events); 285} 286 287/* This will be called by the entropy processor when it seeds itself and becomes secure */ 288void 289randomdev_unblock(void) 290{ 291 292 selwakeuppri(&rsel, PUSER); 293 wakeup(&random_alg_context); 294 printf("random: unblocking device.\n"); 295 /* Do random(9) a favour while we are about it. */ 296 (void)atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_NONE, ARC4_ENTR_HAVE); 297} 298 299/* ARGSUSED */ 300static int 301randomdev_ioctl(struct cdev *dev __unused, u_long cmd, caddr_t addr __unused, 302 int flags __unused, struct thread *td __unused) 303{ 304 int error = 0; 305 306 switch (cmd) { 307 /* Really handled in upper layer */ 308 case FIOASYNC: 309 case FIONBIO: 310 break; 311 default: 312 error = ENOTTY; 313 } 314 315 return (error); 316} 317 318void 319random_source_register(struct random_source *rsource) 320{ 321 struct random_sources *rrs; 322 323 KASSERT(rsource != NULL, ("invalid input to %s", __func__)); 324 325 rrs = malloc(sizeof(*rrs), M_ENTROPY, M_WAITOK); 326 rrs->rrs_source = rsource; 327 328 printf("random: registering fast source %s\n", rsource->rs_ident); 329 LIST_INSERT_HEAD(&source_list, rrs, rrs_entries); 330} 331 332void 333random_source_deregister(struct random_source *rsource) 334{ 335 struct random_sources *rrs = NULL; 336 337 KASSERT(rsource != NULL, ("invalid input to %s", __func__)); 338 LIST_FOREACH(rrs, &source_list, rrs_entries) 339 if (rrs->rrs_source == rsource) { 340 LIST_REMOVE(rrs, rrs_entries); 341 break; 342 } 343 if (rrs != NULL) 344 free(rrs, M_ENTROPY); 345} 346 347static int 348random_source_handler(SYSCTL_HANDLER_ARGS) 349{ 350 struct random_sources *rrs; 351 struct sbuf sbuf; 352 int error, count; 353 354 sbuf_new_for_sysctl(&sbuf, NULL, 64, req); 355 count = 0; 356 LIST_FOREACH(rrs, &source_list, rrs_entries) { 357 sbuf_cat(&sbuf, (count++ ? ",'" : "'")); 358 sbuf_cat(&sbuf, rrs->rrs_source->rs_ident); 359 sbuf_cat(&sbuf, "'"); 360 } 361 error = sbuf_finish(&sbuf); 362 sbuf_delete(&sbuf); 363 return (error); 364} 365SYSCTL_PROC(_kern_random, OID_AUTO, random_sources, CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE, 366 NULL, 0, random_source_handler, "A", 367 "List of active fast entropy sources."); 368 369/* ARGSUSED */ 370static int 371randomdev_modevent(module_t mod __unused, int type, void *data __unused) 372{ 373 int error = 0; 374 375 switch (type) { 376 case MOD_LOAD: 377 printf("random: entropy device external interface\n"); 378 random_dev = make_dev_credf(MAKEDEV_ETERNAL_KLD, &random_cdevsw, 379 RANDOM_UNIT, NULL, UID_ROOT, GID_WHEEL, 0644, "random"); 380 make_dev_alias(random_dev, "urandom"); /* compatibility */ 381 break; 382 case MOD_UNLOAD: 383 destroy_dev(random_dev); 384 break; 385 case MOD_SHUTDOWN: 386 break; 387 default: 388 error = EOPNOTSUPP; 389 break; 390 } 391 return (error); 392} 393 394static moduledata_t randomdev_mod = { 395 "random_device", 396 randomdev_modevent, 397 0 398}; 399 400DECLARE_MODULE(random_device, randomdev_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST); 401MODULE_VERSION(random_device, 1); 402MODULE_DEPEND(random_device, crypto, 1, 1, 1); 403MODULE_DEPEND(random_device, random_harvestq, 1, 1, 1); 404