/* $NetBSD: prng.c,v 1.2.2.2 2017/12/03 11:35:48 jdolecek Exp $ */

/*
 * Copyright (c) 2017 The NetBSD Foundation, Inc. All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by Maxime Villard.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include "prekern.h"
#include <sys/sha1.h>
#include <sys/sha2.h>

/*
 * The boot-loader structures (struct bootinfo, struct btinfo_*) are wanted
 * from bootinfo.h; presumably that header only exposes them under _KERNEL,
 * so the macro is defined for this one include and removed again so the
 * rest of the prekern build keeps its own configuration.
 */
#define _KERNEL
#include <machine/bootinfo.h>
#undef _KERNEL

/*
 * CPUID feature bits used to choose a hardware entropy source:
 *  - RDSEED: CPUID.(EAX=7,ECX=0):EBX bit 18
 *  - RDRAND: CPUID.(EAX=1):ECX bit 30 (0x40000000)
 * Both flags are set by prng_init() before any entropy is gathered and
 * stay false until then.
 */
#define CPUID_SEF_RDSEED	__BIT(18)
#define CPUID2_RDRAND		0x40000000
static bool has_rdrand = false;
static bool has_rdseed = false;

/*
 * Layout of the saved-entropy file handed over by the boot loader as a
 * BI_MODULE_RND module.  prng_get_entropy_file() rejects any such module
 * whose length is not exactly sizeof(rndsave_t), so this layout has to stay
 * in sync with whatever writes the file.
 *
 * The digest is a plain (unkeyed) SHA-1 over `entropy' and `data': it
 * detects corruption but does not authenticate the file's origin.
 */
#define RND_SAVEWORDS	128
typedef struct {
	uint32_t entropy;	/* entropy estimate: covered by the checksum, not mixed into the seed */
	uint8_t data[RND_SAVEWORDS * sizeof(uint32_t)];	/* 512 bytes of saved entropy */
	uint8_t digest[SHA1_DIGEST_LENGTH];	/* SHA-1 over entropy + data */
} rndsave_t;

/*
 * Generator state.  Each round hashes `state' (plus fresh hardware
 * entropy) with SHA-512 and splits the 64-byte digest in half: the first
 * half becomes the next `state', the second half is the `data' handed out
 * by prng_get_rand().  Output bytes are therefore never the state itself.
 * `nused' counts how many bytes of `data' have already been returned.
 *
 * NOTE(review): this object has static storage and is zero-initialised, so
 * prng_get_rand() called before prng_init() would hand out zeros; callers
 * must initialise first.  It is not declared static -- if no other
 * translation unit references it, it could be.
 */
#define RNGSTATE_SIZE	(SHA512_DIGEST_LENGTH / 2)
#define RNGDATA_SIZE	(SHA512_DIGEST_LENGTH / 2)
struct {
	uint8_t state[RNGSTATE_SIZE];	/* secret half of the last digest */
	uint8_t data[RNGDATA_SIZE];	/* output half of the last digest */
	size_t nused;			/* bytes of data[] already consumed */
} rng;

/*
 * Return the first bootinfo entry of the given type, or NULL if the boot
 * loader did not pass one.
 *
 * The walk advances by each entry's own `len' field and has no bound
 * against the end of bi_data other than bi_nentries, so it relies on the
 * boot loader producing well-formed entries (a zero-length entry would not
 * advance the cursor).
 */
static struct btinfo_common *
prng_lookup_bootinfo(int type)
{
	extern struct bootinfo bootinfo;
	struct btinfo_common *entry;
	int n;

	entry = (struct btinfo_common *)bootinfo.bi_data;
	for (n = 0; n < bootinfo.bi_nentries; n++) {
		if (entry->type == type)
			return entry;
		entry = (struct btinfo_common *)((uint8_t *)entry + entry->len);
	}
	return NULL;
}

/*
 * Feed the saved entropy file (passed by the boot loader as BI_MODULE_RND
 * modules) into the SHA-512 seeding context.  Does nothing when the boot
 * loader supplied no module list at all.
 *
 * Every BI_MODULE_RND module must be exactly sizeof(rndsave_t) bytes and
 * carry a correct SHA-1 over its entropy estimate and data; anything else
 * is fatal.  The SHA-1 is unkeyed, so this catches corruption but does not
 * establish who wrote the file -- the boot loader and the memory it points
 * at are trusted.  Only the data bytes are mixed in; the entropy estimate
 * is not used.
 */
static void
prng_get_entropy_file(SHA512_CTX *ctx)
{
	struct btinfo_modulelist *list;
	struct bi_modulelist_entry *entry, *end;
	uint8_t sum[SHA1_DIGEST_LENGTH];
	rndsave_t *save;
	SHA1_CTX sha;

	list = (struct btinfo_modulelist *)prng_lookup_bootinfo(BTINFO_MODULELIST);
	if (list == NULL)
		return;

	/* The entries follow the list header back to back. */
	entry = (struct bi_modulelist_entry *)((uint8_t *)list + sizeof(*list));
	end = entry + list->num;
	while (entry < end) {
		if (entry->type == BI_MODULE_RND) {
			if (entry->len != sizeof(rndsave_t))
				fatal("rndsave_t size mismatch");
			save = (rndsave_t *)(vaddr_t)entry->base;

			/* Verify the SHA-1 checksum before trusting the payload. */
			SHA1Init(&sha);
			SHA1Update(&sha, (uint8_t *)&save->entropy,
			    sizeof(save->entropy));
			SHA1Update(&sha, save->data, sizeof(save->data));
			SHA1Final(sum, &sha);
			if (memcmp(sum, save->digest, sizeof(sum)) != 0)
				fatal("bad SHA1 checksum");

			SHA512_Update(ctx, save->data, sizeof(save->data));
		}
		entry++;
	}
}

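/*
 * Mix up to 64 bytes (8 x uint64_t) of RDSEED/RDRAND output plus the
 * 8-byte TSC into the context.
 *
 * RDSEED is preferred because it yields conditioned seed material, but it
 * can fail transiently when the on-die source has nothing ready.  Any
 * words RDSEED fails to deliver are therefore taken from RDRAND instead
 * (when available) rather than silently shortening the input.  Only the
 * words actually obtained are hashed.  On a CPU with neither instruction
 * the TSC is the only per-boot input added here, so the seed quality then
 * rests on the saved entropy file.
 */
static void
prng_get_entropy_data(SHA512_CTX *ctx)
{
	uint64_t buf[8], val;
	size_t i = 0;

	if (has_rdseed) {
		while (i < 8 && rdseed(&buf[i]) != -1)
			i++;
	}
	if (has_rdrand) {
		/* Fill whatever RDSEED left over (all 8 words if no RDSEED). */
		while (i < 8 && rdrand(&buf[i]) != -1)
			i++;
	}
	if (i > 0)
		SHA512_Update(ctx, (uint8_t *)buf, i * sizeof(buf[0]));

	/* Low-quality but always-available timing input. */
	val = rdtsc();
	SHA512_Update(ctx, (uint8_t *)&val, sizeof(val));
}
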
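/*
 * Detect RDSEED/RDRAND support.  CPUID leaf 7 is only meaningful when the
 * CPU's maximum basic leaf (CPUID.0:EAX) is at least 7: on older CPUs a
 * request for an unsupported leaf returns the data of the highest supported
 * leaf instead, which could set has_rdseed spuriously and make the first
 * RDSEED fault.  Leaf 1 is available on every amd64 CPU.
 */
static void
prng_detect_cpu_features(void)
{
	u_int descs[4];

	cpuid(0x00, 0x00, descs);
	if (descs[0] >= 0x07) {
		cpuid(0x07, 0x00, descs);
		has_rdseed = (descs[1] & CPUID_SEF_RDSEED) != 0;
	} else {
		has_rdseed = false;
	}

	cpuid(0x01, 0x00, descs);
	has_rdrand = (descs[2] & CPUID2_RDRAND) != 0;
}

/*
 * Seed the generator: hash the saved entropy file (if the boot loader
 * passed one) together with fresh hardware entropy, then split the SHA-512
 * digest into the initial state and the first block of output data.
 *
 * Must be called before prng_get_rand().  When no entropy file is present
 * and the CPU has neither RDSEED nor RDRAND, the seed degenerates to the
 * TSC value alone.
 */
void
prng_init(void)
{
	uint8_t digest[SHA512_DIGEST_LENGTH];
	SHA512_CTX ctx;

	memset(&rng, 0, sizeof(rng));
	prng_detect_cpu_features();

	SHA512_Init(&ctx);
	prng_get_entropy_file(&ctx);
	prng_get_entropy_data(&ctx);
	SHA512_Final(digest, &ctx);

	memcpy(rng.state, digest, RNGSTATE_SIZE);
	memcpy(rng.data, digest + RNGSTATE_SIZE, RNGDATA_SIZE);
}
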
/*
 * Advance the generator: hash the current state together with fresh
 * hardware entropy, then split the digest into the next state and a new
 * block of output data, resetting the consumed-bytes counter.
 */
static void
prng_round(void)
{
	SHA512_CTX ctx;
	uint8_t out[SHA512_DIGEST_LENGTH];

	SHA512_Init(&ctx);
	SHA512_Update(&ctx, rng.state, sizeof(rng.state));
	prng_get_entropy_data(&ctx);
	SHA512_Final(out, &ctx);

	memcpy(rng.state, out, sizeof(rng.state));
	memcpy(rng.data, out + sizeof(rng.state), sizeof(rng.data));
	rng.nused = 0;
}

/*
 * Copy `sz' pseudo-random bytes into `buf'.
 *
 * `sz' must not exceed RNGDATA_SIZE (asserted): at most one extra round is
 * ever needed, and that round runs only when the current output block is
 * exhausted part way through the request.  Bytes are handed out strictly
 * in order and never reused.  Callers must have run prng_init() first.
 */
void
prng_get_rand(void *buf, size_t sz)
{
	uint8_t *out = buf;
	size_t avail;

	ASSERT(sz <= RNGDATA_SIZE);

	avail = RNGDATA_SIZE - rng.nused;
	if (sz <= avail) {
		memcpy(out, &rng.data[rng.nused], sz);
		rng.nused += sz;
		return;
	}

	/* Drain the current block, refresh, then take the remainder. */
	memcpy(out, &rng.data[rng.nused], avail);
	prng_round();
	memcpy(out + avail, &rng.data[rng.nused], sz - avail);
	rng.nused += sz - avail;
}