From 0daef18945ed99a78341cb4d532638d4e6e1b2ea Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Mon, 13 Jan 2020 22:26:24 +0000 Subject: [PATCH 1/7] New system call getrandom() compatible with Linux. Three ways to call: getrandom(p, n, 0) Block; then return up to n bytes at p, guaranteeing >=256 bytes even if interrupted after blocking. Can be used as getrandom(NULL,0,0) to serve as `entropy barrier': return only after system is seeded. getrandom(p, n, GRND_INSECURE) Never block; guarantee >=256 bytes even if interrupted. Equivalent to /dev/urandom. Safe only after successful getrandom(..., 0), getrandom(..., GRND_RANDOM), or read from /dev/random. getrandom(p, n, GRND_RANDOM) Block; then return up to n bytes at p, but no guarantees about how many. Equivalent to /dev/random. Legacy. Can also use flags|GRND_NONBLOCK to fail with EWOULDBLOCK/EAGAIN instead of blocking. (GRND_INSECURE|GRND_NONBLOCK is the same as GRND_INSECURE; GRND_INSECURE|GRND_RANDOM isn't very useful but technically works to return a very short read.) --- distrib/sets/lists/comp/mi | 3 + lib/libc/sys/Makefile.inc | 7 +- lib/libc/sys/getrandom.2 | 251 ++++++++++++++++++++ sys/dev/random.c | 186 ++------------- sys/kern/files.kern | 1 + sys/kern/kern_entropy.c | 14 +- sys/kern/sys_getrandom.c | 235 ++++++++++++++++++ sys/kern/syscalls.master | 2 + sys/rump/librump/rumpkern/Makefile.rumpkern | 1 + sys/sys/Makefile | 2 +- sys/sys/entropy.h | 5 +- sys/sys/random.h | 65 +++++ 12 files changed, 601 insertions(+), 171 deletions(-) create mode 100644 lib/libc/sys/getrandom.2 create mode 100644 sys/kern/sys_getrandom.c create mode 100644 sys/sys/random.h diff --git a/distrib/sets/lists/comp/mi b/distrib/sets/lists/comp/mi index 523cd3fd7816..039edf3ffa87 100644 --- a/distrib/sets/lists/comp/mi +++ b/distrib/sets/lists/comp/mi @@ -3103,6 +3103,7 @@ ./usr/include/sys/quotactl.h comp-c-include ./usr/include/sys/radioio.h comp-c-include ./usr/include/sys/radixtree.h comp-c-include +./usr/include/sys/random.h comp-c-include ./usr/include/sys/ras.h comp-c-include ./usr/include/sys/rb.h comp-obsolete obsolete ./usr/include/sys/rbtree.h comp-c-include @@ -12453,6 +12454,7 @@ ./usr/share/man/html2/getpid.html comp-c-htmlman html ./usr/share/man/html2/getppid.html comp-c-htmlman html ./usr/share/man/html2/getpriority.html comp-c-htmlman html +./usr/share/man/html2/getrandom.html comp-c-htmlman html ./usr/share/man/html2/getrlimit.html comp-c-htmlman html ./usr/share/man/html2/getrusage.html comp-c-htmlman html ./usr/share/man/html2/getsid.html comp-c-htmlman html @@ -20352,6 +20354,7 @@ ./usr/share/man/man2/getpid.2 comp-c-man .man ./usr/share/man/man2/getppid.2 comp-c-man .man ./usr/share/man/man2/getpriority.2 comp-c-man .man +./usr/share/man/man2/getrandom.2 comp-c-man .man ./usr/share/man/man2/getrlimit.2 comp-c-man .man ./usr/share/man/man2/getrusage.2 comp-c-man .man ./usr/share/man/man2/getsid.2 comp-c-man .man diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc index 7eddf7e3fc19..d7faaefef29a 100644 --- a/lib/libc/sys/Makefile.inc +++ b/lib/libc/sys/Makefile.inc @@ -110,7 +110,7 @@ ASM= access.S acct.S \ __fstatvfs190.S fstatat.S __futimes50.S futimens.S \ __getcwd.S __getdents30.S __getfh30.S __getvfsstat90.S getgroups.S\ __getitimer50.S __getlogin.S getpeername.S getpgid.S getpgrp.S \ - getpriority.S getrlimit.S __getrusage50.S getsid.S \ + getpriority.S getrandom.S getrlimit.S __getrusage50.S getsid.S \ getsockname.S getsockopt.S getsockopt2.S __gettimeofday50.S \ ioctl.S \ kqueue.S kqueue1.S ktrace.S \ @@ -250,8 +250,9 @@ MAN+= accept.2 access.2 acct.2 adjtime.2 bind.2 brk.2 chdir.2 \ flock.2 fork.2 fsync.2 getcontext.2 getdents.2 \ getfh.2 getvfsstat.2 getgid.2 getgroups.2 \ getitimer.2 getlogin.2 getpeername.2 getpgrp.2 getpid.2 \ - getpriority.2 getrlimit.2 getrusage.2 getsid.2 getsockname.2 \ - getsockopt.2 gettimeofday.2 getuid.2 intro.2 ioctl.2 issetugid.2 \ + getpriority.2 getrandom.2 getrlimit.2 getrusage.2 getsid.2 \ + getsockname.2 getsockopt.2 gettimeofday.2 getuid.2\ + intro.2 ioctl.2 issetugid.2 \ kill.2 kqueue.2 ktrace.2 _ksem.2 \ lfs_bmapv.2 lfs_markv.2 lfs_segclean.2 lfs_segwait.2 \ link.2 listen.2 lseek.2 \ diff --git a/lib/libc/sys/getrandom.2 b/lib/libc/sys/getrandom.2 new file mode 100644 index 000000000000..e90a1100d794 --- /dev/null +++ b/lib/libc/sys/getrandom.2 @@ -0,0 +1,251 @@ +.\" $NetBSD$ +.\" +.\" Copyright (c) 2020 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This code is derived from software contributed to The NetBSD Foundation +.\" by Taylor R. Campbell. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd January 13, 2020 +.Dt GETRANDOM 2 +.Os +.Sh NAME +.Nm getrandom +.Nd random number generation from system entropy +.Sh LIBRARY +.Lb libc +.Sh SYNOPSIS +.In sys/random.h +.Ft ssize_t +.Fn getrandom "void *buf" "size_t buflen" "unsigned int flags" +.Sh DESCRIPTION +The +.Nm +function fills +.Fa buf +with up to +.Fa buflen +independent uniform random bytes derived from the system's entropy +pool. +.Pp +The function may block until the system has full entropy, meaning that +the system has observed enough noise from physical processes that an +adversary cannot predict what state it is in: +.Bl -bullet -compact +.It +When the system has only partial entropy, the output of +.Fn getrandom +may be predictable. +.It +When the system has full entropy, the output is fit for use as +cryptographic key material. +.El +.Pp +The +.Fa flags +argument may be: +.Bl -tag -offset abcd -width GRND_INSECURE +.It Li 0 +Block until the system entropy pool has full entropy; then generate +arbitrarily much data. +.Em Recommended . +.Pp +If interrupted by a signal, may fail with +.Er EINTR +or return a short read. +If successful, guaranteed to return at least 256 bytes even if +interrupted. +.It Dv GRND_INSECURE +Do not block; instead fill +.Fa buf +with output derived from whatever is in the system entropy pool so +far. +Equivalent to reading from +.Pa /dev/urandom ; +see +.Xr rnd 4 . +.Pp +If interrupted by a signal, may fail with +.Er EINTR +or return a short read. +If successful, guaranteed to return at least 256 bytes even if +interrupted. +.Pp +Despite the name, this is secure as long as you only do it +.Em after +at least one successful call without +.Dv GRND_INSECURE , +such as +.Li "getrandom(..., 0)" +or +.Li "getrandom(..., GRND_RANDOM)" , +or after reading at least one byte from +.Pa /dev/random . +.Pp +.Sy WARNING : +If you use +.Dv GRND_INSECURE +.Em before +the system has full entropy. the output may enable an adversary to +search the possible states of the entropy pool by brute force, and +thereby reduce its entropy to zero. +Thus, incautious use of +.Dv GRND_INSECURE +can ruin the security of the whole system. +.It Dv GRND_RANDOM +Block until the system entropy pool has full entropy; then generate a +small amount of data. +Equivalent to reading from +.Pa /dev/random ; +see +.Xr rnd 4 . +This is provided mainly for source compatibility with Linux; there is +essentially no reason to ever use it. +.El +.Pp +The flag +.Dv GNRD_NONBLOCK +may also be included with bitwise-OR, in which case if +.Fn getrandom +would have blocked without +.Dv GRND_NONBLOCK , +it returns +.Er EAGAIN +instead. +.Pp +Adding +.Dv GRND_NONBLOCK +to +.Dv GRND_INSECURE +has no effect; the combination +.Dv GRND_INSECURE Ns Li "|" Ns Li GRND_NONBLOCK +is equivalent to +.Dv GRND_INSECURE , +since +.Dv GRND_INSECURE +never blocks. +The combination +.Dv GRND_INSECURE Ns Li "|" Ns Li GRND_RANDOM +is nonsensical and always returns short reads out of spite. +.Sh RETURN VALUES +If successful, +.Fn getrandom +returns the number of bytes stored in +.Fa buf . +Otherwise, +.Fn getrandom +returns \-1 and sets +.Va errno . +.Sh EXAMPLES +.Sy Recommended usage . +Generate a key for cryptography: +.Bd -literal + uint8_t secretkey[32]; + + if (getrandom(secretkey, sizeof secretkey, 0) == -1) + err(EXIT_FAILURE, "getrandom"); + crypto_secretbox_xsalsa20poly1305(..., secretkey); +.Ed +.Pp +Other idioms for illustration: +.Bl -bullet +.It +Wait for entropy once, and then generate many keys without waiting: +.Bd -literal + struct { uint8_t key[32]; } user[100]; + + if (getrandom(NULL, 0, 0) == -1) + err(EXIT_FAILURE, "getrandom"); + for (i = 0; i < 100; i++) + getrandom(user[i].key, sizeof user[i].key, + GRND_INSECURE); +.Ed +.It +Twiddle thumbs while waiting for entropy: +.Bd -literal + uint8_t secretkey[32]; + + while (getrandom(secretkey, sizeof secretkey, GRND_NONBLOCK) + == -1) { + if (errno != EAGAIN) + err(EXIT_FAILURE, "getrandom"); + twiddle_thumbs(); + } + crypto_secretbox_xsalsa20poly1305(..., secretkey); +.Ed +.El +.Pp +(No examples of +.Dv GRND_RANDOM +because it is not useful.) +.Sh ERRORS +.Bl -tag -width Er +.It Bq Er EAGAIN +The +.Dv GRND_NONBLOCK +flag was specified, and the system entropy pool does not have full +entropy. +.It Bq Er EINTR +The +.Dv GRND_NONBLOCK +flag was +.Em not +specified, the system entropy pool does not have full entropy, and the +process was interrupted by a signal while waiting. +.It Bq Er EINVAL +.Fa flags +contains an unrecognized flag. +.It Bq Er EFAULT +.Fa buf +points outside the allocated address space. +.El +.Sh SEE ALSO +.Xr rnd 4 +.Sh HISTORY +The +.Nm +system call first appeared in Linux 3.17, and was added to +.Nx 10.0 . +.Sh AUTHORS +The +.Nx +implementation of +.Nm +and this man page were written by +.An Taylor R Campbell Aq Mt riastradh@NetBSD.org . +.Sh BUGS +There is no way to multiplex waiting for +.Fn getrandom +with other I/O in +.Xr select 2 , +.Xr poll 2 , +or +.Xr kqueue 2 . +Instead, you can wait for a read from +.Pa /dev/random ; +see +.Xr rnd 4 . +.Pp +.Dv GRND_RANDOM +is a little silly. diff --git a/sys/dev/random.c b/sys/dev/random.c index 0ddf031add6f..c27a3ba2275d 100644 --- a/sys/dev/random.c +++ b/sys/dev/random.c @@ -60,16 +60,15 @@ __KERNEL_RCSID(0, "$NetBSD$"); #include #include #include +#include #include #include -#include +#include #include #include #include #include -#include - #include "ioconf.h" static dev_type_open(random_open); @@ -109,7 +108,6 @@ EVCNT_ATTACH_STATIC(devrandom_open); EVCNT_ATTACH_STATIC(devurandom_open); #define RANDOM_BUFSIZE 512 /* XXX pulled from arse */ -static pool_cache_t random_buf_pc __read_mostly; /* Entropy source for writes to /dev/random and /dev/urandom */ static krndsource_t user_rndsource; @@ -118,8 +116,6 @@ void rndattach(int num) { - random_buf_pc = pool_cache_init(RANDOM_BUFSIZE, 0, 0, 0, - "randombuf", NULL, IPL_NONE, NULL, NULL, NULL); rnd_attach_source(&user_rndsource, "/dev/random", RND_TYPE_UNKNOWN, RND_FLAG_COLLECT_VALUE); } @@ -227,161 +223,30 @@ random_kqfilter(dev_t dev, struct knote *kn) static int random_read(dev_t dev, struct uio *uio, int flags) { - uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0}; - struct nist_hash_drbg drbg; - uint8_t *buf; - int extractflags; - bool interruptible; - int error; - - /* Get a buffer for transfers. */ - buf = pool_cache_get(random_buf_pc, PR_WAITOK); - - /* - * If it's a short read from /dev/urandom, just generate the - * output directly with per-CPU cprng_strong. - */ - if (minor(dev) == RND_DEV_URANDOM && - uio->uio_resid <= RANDOM_BUFSIZE) { - /* Generate data and transfer it out. */ - cprng_strong(user_cprng, buf, uio->uio_resid, 0); - error = uiomove(buf, uio->uio_resid, uio); - goto out; - } - - /* - * If we're doing a blocking read from /dev/random, wait - * interruptibly. Otherwise, don't wait. - */ - if (minor(dev) == RND_DEV_RANDOM && !ISSET(flags, FNONBLOCK)) - extractflags = ENTROPY_WAIT|ENTROPY_SIG; - else - extractflags = 0; - - /* - * Query the entropy pool. For /dev/random, stop here if this - * fails. For /dev/urandom, go on either way -- - * entropy_extract will always fill the buffer with what we - * have from the global pool. - */ - error = entropy_extract(seed, sizeof seed, extractflags); - if (minor(dev) == RND_DEV_RANDOM && error) - goto out; - - /* Instantiate the DRBG. */ - if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0, - NULL, 0)) - panic("nist_hash_drbg_instantiate"); - - /* Promptly zero the seed. */ - explicit_memset(seed, 0, sizeof seed); - - /* - * Generate data. Assume no error until failure. No - * interruption at this point until we've generated at least - * one block of output. - */ - error = 0; - interruptible = false; - while (uio->uio_resid) { - size_t n = uio->uio_resid; - - /* No more than one buffer's worth. */ - n = MIN(n, RANDOM_BUFSIZE); - - /* - * If we're `depleting' and this is /dev/random, clamp - * to the smaller of the entropy capacity or the seed. - */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - minor(dev) == RND_DEV_RANDOM) { - n = MIN(n, ENTROPY_CAPACITY); - n = MIN(n, sizeof seed); - /* - * Guarantee never to return more than one - * buffer in this case to minimize bookkeeping. - */ - CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE); - CTASSERT(sizeof seed <= RANDOM_BUFSIZE); - } - - /* Yield if requested. */ - if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) - preempt(); - - /* - * Allow interruption, but only after providing a - * minimum number of bytes. - */ - CTASSERT(RANDOM_BUFSIZE >= 256); - /* Check for interruption. */ - if (__predict_false(curlwp->l_flag & LW_PENDSIG) && - interruptible && sigispending(curlwp, 0)) { - error = EINTR; /* XXX ERESTART? */ - break; - } - - /* - * Try to generate a block of data, but if we've hit - * the DRBG reseed interval, reseed. - */ - if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) { - /* - * Get a fresh seed without blocking -- we have - * already generated some output so it is not - * useful to block. This can fail only if the - * request is obscenely large, so it is OK for - * either /dev/random or /dev/urandom to fail: - * we make no promises about gigabyte-sized - * reads happening all at once. - */ - error = entropy_extract(seed, sizeof seed, 0); - if (error) - break; - - /* Reseed and try again. */ - if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed, - NULL, 0)) - panic("nist_hash_drbg_reseed"); - - /* Promptly zero the seed. */ - explicit_memset(seed, 0, sizeof seed); - - /* If it fails now, that's a bug. */ - if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) - panic("nist_hash_drbg_generate"); - } - - /* Transfer n bytes out. */ - error = uiomove(buf, n, uio); - if (error) - break; - - /* - * If we're `depleting' and this is /dev/random, stop - * here, return what we have, and force the next read - * to reseed. Could grab more from the pool if - * possible without blocking, but that's more - * work. - */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - minor(dev) == RND_DEV_RANDOM) { - error = 0; - break; - } + int gflags; + /* Set the appropriate GRND_* flags. */ + switch (minor(dev)) { + case RND_DEV_RANDOM: + gflags = GRND_RANDOM; + break; + case RND_DEV_URANDOM: /* - * We have generated one block of output, so it is - * reasonable to allow interruption after this point. + * Misnomer from Linux -- it's only insecure if you do + * it before reading at least one byte of /dev/random. */ - interruptible = true; + gflags = GRND_INSECURE; + break; + default: + return ENXIO; } -out: /* Zero the buffer and return it to the pool cache. */ - explicit_memset(buf, 0, RANDOM_BUFSIZE); - pool_cache_put(random_buf_pc, buf); + /* Set GRND_NONBLOCK if user requested FNONBLOCK. */ + if (flags & FNONBLOCK) + gflags |= GRND_NONBLOCK; - return error; + /* Defer to getrandom. */ + return dogetrandom(uio, gflags); } /* @@ -419,14 +284,11 @@ random_write(dev_t dev, struct uio *uio, int flags) privileged = true; /* Get a buffer for transfers. */ - buf = pool_cache_get(random_buf_pc, PR_WAITOK); + buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); /* Consume data. */ while (uio->uio_resid) { - size_t n = uio->uio_resid; - - /* No more than one buffer's worth in one step. */ - n = MIN(uio->uio_resid, RANDOM_BUFSIZE); + size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); /* Yield if requested. */ if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) @@ -446,8 +308,8 @@ random_write(dev_t dev, struct uio *uio, int flags) rnd_add_data(&user_rndsource, buf, n, privileged ? n*NBBY : 0); } - /* Zero the buffer and return it to the pool cache. */ + /* Zero the buffer and free it. */ explicit_memset(buf, 0, RANDOM_BUFSIZE); - pool_cache_put(random_buf_pc, buf); + kmem_free(buf, RANDOM_BUFSIZE); return error; } diff --git a/sys/kern/files.kern b/sys/kern/files.kern index c9ef078bc2a9..92e77f28a5aa 100644 --- a/sys/kern/files.kern +++ b/sys/kern/files.kern @@ -154,6 +154,7 @@ file kern/subr_xcall.c kern file kern/sys_aio.c aio file kern/sys_descrip.c kern file kern/sys_generic.c kern +file kern/sys_getrandom.c kern file kern/sys_module.c kern file kern/sys_mqueue.c mqueue file kern/sys_lwp.c kern diff --git a/sys/kern/kern_entropy.c b/sys/kern/kern_entropy.c index fa5bed45d110..deb8ff5a71d6 100644 --- a/sys/kern/kern_entropy.c +++ b/sys/kern/kern_entropy.c @@ -1159,6 +1159,8 @@ sysctl_entropy_consolidate(SYSCTLFN_ARGS) * * ENTROPY_WAIT Wait for entropy if not available yet. * ENTROPY_SIG Allow interruption by a signal during wait. + * ENTROPY_NOPARTIAL Either fill the buffer with full entropy, + * or fail without filling it at all. * * Return zero on success, or error on failure: * @@ -1220,9 +1222,15 @@ entropy_extract(void *buf, size_t len, int flags) } } - /* Count failure -- but fill the buffer nevertheless. */ - if (error) + /* + * Count failure -- but fill the buffer nevertheless, unless + * the caller specified ENTROPY_NOPARTIAL. + */ + if (error) { + if (ISSET(flags, ENTROPY_NOPARTIAL)) + goto out; entropy_extract_fail_evcnt.ev_count++; + } /* * Report a warning if we have never yet reached full entropy. @@ -1252,7 +1260,7 @@ entropy_extract(void *buf, size_t len, int flags) entropy_deplete_evcnt.ev_count++; } - /* Release the global lock and return the error. */ +out: /* Release the global lock and return the error. */ if (E->stage >= ENTROPY_WARM) mutex_exit(&E->lock); return error; diff --git a/sys/kern/sys_getrandom.c b/sys/kern/sys_getrandom.c new file mode 100644 index 000000000000..1fba28faf55d --- /dev/null +++ b/sys/kern/sys_getrandom.c @@ -0,0 +1,235 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * getrandom() system call + */ + +#include +__KERNEL_RCSID(0, "$NetBSD$"); + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#define RANDOM_BUFSIZE 512 + +int +dogetrandom(struct uio *uio, unsigned int flags) +{ + uint8_t seed[NIST_HASH_DRBG_SEEDLEN_BYTES] = {0}; + struct nist_hash_drbg drbg; + void *buf; + int eflags = 0; + int error; + + KASSERT((flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) == 0); + + /* Allocate a buffer. */ + buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); + + /* + * Fast path: for short reads, if INSECURE, or if we have + * entropy and we're not doing depletion, just return it from + * the per-CPU cprng_strong. + */ + if (uio->uio_resid <= RANDOM_BUFSIZE && + (ISSET(flags, GRND_INSECURE) || + (__predict_true(!atomic_load_relaxed(&entropy_depletion)) && + __predict_true(entropy_epoch() != (unsigned)-1)))) { + cprng_strong(user_cprng, buf, uio->uio_resid, 0); + error = uiomove(buf, uio->uio_resid, uio); + goto out; + } + + /* + * Try to get a seed from the entropy pool. Fail if we would + * block. If GRND_INSECURE, always return something even if it + * is partial entropy; if !GRND_INSECURE, set ENTROPY_NOPARTIAL + * in order to tell entropy_extract not to bother drawing + * anything from a partial pool if we can't get full entropy. + */ + if (!ISSET(flags, GRND_NONBLOCK) && !ISSET(flags, GRND_INSECURE)) + eflags |= ENTROPY_WAIT|ENTROPY_SIG; + if (!ISSET(flags, GRND_INSECURE)) + eflags |= ENTROPY_NOPARTIAL; + error = entropy_extract(seed, sizeof seed, eflags); + if (error && !ISSET(flags, GRND_INSECURE)) + goto out; + + /* Instantiate the DRBG and promptly zero the seed. */ + if (nist_hash_drbg_instantiate(&drbg, seed, sizeof seed, NULL, 0, + NULL, 0)) + panic("nist_hash_drbg_instantiate"); + explicit_memset(seed, 0, sizeof seed); + + /* Generate data. */ + error = 0; + while (uio->uio_resid) { + size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); + + /* + * If we're `depleting' and this is /dev/random, clamp + * to the smaller of the entropy capacity or the seed. + */ + if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && + ISSET(flags, GRND_RANDOM)) { + n = MIN(n, ENTROPY_CAPACITY); + n = MIN(n, sizeof seed); + /* + * Guarantee never to return more than one + * buffer in this case to minimize bookkeeping. + */ + CTASSERT(ENTROPY_CAPACITY <= RANDOM_BUFSIZE); + CTASSERT(sizeof seed <= RANDOM_BUFSIZE); + } + + /* + * Try to generate a block of data, but if we've hit + * the DRBG reseed interval, reseed. + */ + if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) { + /* + * Get a fresh seed without blocking -- we have + * already generated some output so it is not + * useful to block. This can fail only if the + * request is obscenely large, so it is OK for + * either /dev/random or /dev/urandom to fail: + * we make no promises about gigabyte-sized + * reads happening all at once. + */ + error = entropy_extract(seed, sizeof seed, + ENTROPY_NOPARTIAL); + if (error) + break; + + /* Reseed, promptly zero seed, and try again. */ + if (nist_hash_drbg_reseed(&drbg, seed, sizeof seed, + NULL, 0)) + panic("nist_hash_drbg_reseed"); + explicit_memset(seed, 0, sizeof seed); + + /* If it fails now, that's a bug. */ + if (nist_hash_drbg_generate(&drbg, buf, n, NULL, 0)) + panic("nist_hash_drbg_generate"); + } + + /* Transfer n bytes out. */ + error = uiomove(buf, n, uio); + if (error) + break; + + /* + * If we're `depleting' and this is /dev/random, stop + * here, return what we have, and force the next read + * to reseed. Could grab more from the pool if + * possible without blocking, but that's more work. + */ + if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && + ISSET(flags, GRND_RANDOM)) { + error = 0; + break; + } + + /* Yield if requested. */ + if (curcpu()->ci_schedstate.spc_flags & SPCF_SHOULDYIELD) + preempt(); + + /* Check for interruption after at least one transfer. */ + if (__predict_false(curlwp->l_flag & LW_PENDSIG) && + sigispending(curlwp, 0)) { + error = EINTR; + break; + } + } + +out: /* Zero and free the buffer, and we're done -- return any error. */ + explicit_memset(buf, 0, RANDOM_BUFSIZE); + kmem_free(buf, RANDOM_BUFSIZE); + return error; +} + +int +sys_getrandom(struct lwp *l, const struct sys_getrandom_args *uap, + register_t *retval) +{ + /* { + syscallarg(void *) buf; + syscallarg(size_t) buflen; + syscallarg(unsigned) flags; + } */ + void *buf = SCARG(uap, buf); + size_t buflen = SCARG(uap, buflen); + int flags = SCARG(uap, flags); + int error; + + /* Set up an iov and uio to read into the user's buffer. */ + struct iovec iov = { .iov_base = buf, .iov_len = buflen }; + struct uio uio = { + .uio_iov = &iov, + .uio_iovcnt = 1, + .uio_offset = 0, + .uio_resid = buflen, + .uio_rw = UIO_READ, + .uio_vmspace = curproc->p_vmspace, + }; + + /* Validate the flags. */ + if (flags & ~(GRND_RANDOM|GRND_INSECURE|GRND_NONBLOCK)) { + error = EINVAL; + goto out; + } + + /* Do it. */ + error = dogetrandom(&uio, flags); + +out: /* + * If we transferred anything, return the number of bytes + * transferred and suppress error; otherwise return the error. + */ + *retval = buflen - uio.uio_resid; + if (*retval) + error = 0; + return error; +} diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master index d950452a71fe..d0eb999b9dcc 100644 --- a/sys/kern/syscalls.master +++ b/sys/kern/syscalls.master @@ -1014,3 +1014,5 @@ struct statvfs *buf, int flags); } 486 STD RUMP { int|sys|90|fhstatvfs1(const void *fhp, \ size_t fh_size, struct statvfs *buf, int flags); } +487 STD RUMP { ssize_t|sys||getrandom(void *buf, size_t buflen, \ + unsigned int flags); } diff --git a/sys/rump/librump/rumpkern/Makefile.rumpkern b/sys/rump/librump/rumpkern/Makefile.rumpkern index d6d54ee7187d..7b84049d8ac9 100644 --- a/sys/rump/librump/rumpkern/Makefile.rumpkern +++ b/sys/rump/librump/rumpkern/Makefile.rumpkern @@ -129,6 +129,7 @@ SRCS+= init_sysctl_base.c \ subr_xcall.c \ sys_descrip.c \ sys_generic.c \ + sys_getrandom.c \ sys_module.c \ sys_pipe.c \ sys_select.c \ diff --git a/sys/sys/Makefile b/sys/sys/Makefile index 049fdb808acf..02da96aad0dc 100644 --- a/sys/sys/Makefile +++ b/sys/sys/Makefile @@ -33,7 +33,7 @@ INCS= acct.h agpio.h aio.h ansi.h aout_mids.h ataio.h atomic.h \ param.h pcu.h pipe.h pmf.h poll.h pool.h power.h proc.h \ protosw.h pset.h psref.h ptrace.h ptree.h \ queue.h quota.h quotactl.h \ - radixtree.h ras.h rbtree.h reboot.h radioio.h resource.h \ + radioio.h radixtree.h random.h ras.h rbtree.h reboot.h resource.h \ resourcevar.h rmd160.h rnd.h rndio.h rwlock.h \ scanio.h sched.h scsiio.h sdt.h select.h selinfo.h sem.h semaphore.h \ sha1.h sha2.h sha3.h shm.h siginfo.h signal.h signalvar.h sigtypes.h \ diff --git a/sys/sys/entropy.h b/sys/sys/entropy.h index cabff68e6394..de561bcca9a7 100644 --- a/sys/sys/entropy.h +++ b/sys/sys/entropy.h @@ -44,8 +44,9 @@ struct knote; #define ENTROPY_CAPACITY ENTPOOL_CAPACITY /* bytes */ -#define ENTROPY_WAIT 0x01 -#define ENTROPY_SIG 0x02 +#define ENTROPY_WAIT 0x01 +#define ENTROPY_SIG 0x02 +#define ENTROPY_NOPARTIAL 0x04 void entropy_bootrequest(void); unsigned entropy_epoch(void); diff --git a/sys/sys/random.h b/sys/sys/random.h new file mode 100644 index 000000000000..fae8d76b006c --- /dev/null +++ b/sys/sys/random.h @@ -0,0 +1,65 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _SYS_RANDOM_H +#define _SYS_RANDOM_H + +#define GRND_NONBLOCK (1u << 0) +#define GRND_RANDOM (1u << 1) +#define GRND_INSECURE (1u << 2) + +#ifdef _KERNEL + +struct uio; + +int dogetrandom(struct uio *, unsigned int); + +#endif /* _KERNEL */ + +#ifndef _KERNEL +__BEGIN_DECLS + +#ifdef _BSD_SIZE_T_ +typedef _BSD_SIZE_T_ size_t; +#undef _BSD_SIZE_T_ +#endif + +#ifdef _BSD_SSIZE_T_ +typedef _BSD_SSIZE_T_ ssize_t; +#undef _BSD_SSIZE_T_ +#endif + +ssize_t getrandom(void *, size_t, unsigned int); + +__END_DECLS +#endif /* !_KERNEL */ + +#endif /* _SYS_RANDOM_H */ From 9738479a81966f1cf4bb01bcef73355b430d1067 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Tue, 14 Jan 2020 02:33:12 +0000 Subject: [PATCH 2/7] Simplify /dev/random and getrandom(GRND_RANDOM) semantics. Just clamp to 32-byte reads irrespective of whether we're doing entropy depletion. You shouldn't do bulk reads out of /dev/random. --- sys/kern/sys_getrandom.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/sys/kern/sys_getrandom.c b/sys/kern/sys_getrandom.c index 1fba28faf55d..066b33155437 100644 --- a/sys/kern/sys_getrandom.c +++ b/sys/kern/sys_getrandom.c @@ -70,11 +70,12 @@ dogetrandom(struct uio *uio, unsigned int flags) buf = kmem_alloc(RANDOM_BUFSIZE, KM_SLEEP); /* - * Fast path: for short reads, if INSECURE, or if we have - * entropy and we're not doing depletion, just return it from - * the per-CPU cprng_strong. + * Fast path, for short reads other than from /dev/random: if + * INSECURE, or if we have entropy and we're not doing + * `depletion', just return it from the per-CPU cprng_strong. */ if (uio->uio_resid <= RANDOM_BUFSIZE && + !ISSET(flags, GRND_RANDOM) && (ISSET(flags, GRND_INSECURE) || (__predict_true(!atomic_load_relaxed(&entropy_depletion)) && __predict_true(entropy_epoch() != (unsigned)-1)))) { @@ -110,11 +111,10 @@ dogetrandom(struct uio *uio, unsigned int flags) size_t n = MIN(uio->uio_resid, RANDOM_BUFSIZE); /* - * If we're `depleting' and this is /dev/random, clamp - * to the smaller of the entropy capacity or the seed. + * If this is /dev/random, clamp to the smaller of the + * entropy capacity or the seed. */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - ISSET(flags, GRND_RANDOM)) { + if (ISSET(flags, GRND_RANDOM)) { n = MIN(n, ENTROPY_CAPACITY); n = MIN(n, sizeof seed); /* @@ -161,13 +161,11 @@ dogetrandom(struct uio *uio, unsigned int flags) break; /* - * If we're `depleting' and this is /dev/random, stop - * here, return what we have, and force the next read - * to reseed. Could grab more from the pool if - * possible without blocking, but that's more work. + * If this is /dev/random, stop here and return what we + * have, and force the next read to reseed. You're not + * supposed to draw lots of data from /dev/random. */ - if (__predict_false(atomic_load_relaxed(&entropy_depletion)) && - ISSET(flags, GRND_RANDOM)) { + if (ISSET(flags, GRND_RANDOM)) { error = 0; break; } From 8df28eda0006a1f808f9c0632955c7793894c4af Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Tue, 14 Jan 2020 13:58:46 +0000 Subject: [PATCH 3/7] Replace last use of rnd_initial_entropy and nix it altogether. --- sys/kern/kern_entropy.c | 3 --- sys/net/if_ethersubr.c | 5 +++-- sys/sys/rnd.h | 2 -- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/sys/kern/kern_entropy.c b/sys/kern/kern_entropy.c index deb8ff5a71d6..3c05503b9161 100644 --- a/sys/kern/kern_entropy.c +++ b/sys/kern/kern_entropy.c @@ -191,8 +191,6 @@ static struct percpu *entropy_percpu __read_mostly; /* struct entropy_cpu */ static void *entropy_sih __read_mostly; /* softint handler */ static struct lwp *entropy_lwp __read_mostly; /* housekeeping thread */ -int rnd_initial_entropy __read_mostly; /* XXX legacy */ - static struct krndsource seed_rndsource __read_mostly; /* @@ -1095,7 +1093,6 @@ entropy_notify(void) printf("entropy: ready\n"); /* Set the epoch; roll over from UINTMAX-1 to 1. */ - rnd_initial_entropy = 1; /* XXX legacy */ epoch = E->epoch + 1; if (epoch == 0 || epoch == (unsigned)-1) epoch = 1; diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c index f6661d8f87b9..93156c6928e0 100644 --- a/sys/net/if_ethersubr.c +++ b/sys/net/if_ethersubr.c @@ -85,7 +85,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.281 2020/01/16 13:16:59 kardel Ex #include #include #include -#include +#include #include #include #include @@ -603,7 +603,8 @@ ether_input(struct ifnet *ifp, struct mbuf *m) etype = ntohs(eh->ether_type); ehlen = sizeof(*eh); - if (__predict_false(earlypkts < 100 || !rnd_initial_entropy)) { + if (__predict_false(earlypkts < 100 || + entropy_epoch() == (unsigned)-1)) { rnd_add_data(NULL, eh, ehlen, 0); earlypkts++; } diff --git a/sys/sys/rnd.h b/sys/sys/rnd.h index cf23703a15a0..db5434aea247 100644 --- a/sys/sys/rnd.h +++ b/sys/sys/rnd.h @@ -46,8 +46,6 @@ void rnd_init(void); void rnd_init_softint(void); void rnd_seed(void *, size_t); -extern int rnd_initial_entropy; - #endif /* _KERNEL */ #endif /* !_SYS_RND_H_ */ From b63535d2ec295e943c49da74ea0a032855a8de7a Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Tue, 14 Jan 2020 14:29:47 +0000 Subject: [PATCH 4/7] Omit needless #include . --- sys/arch/x86/x86/cpu_rng.c | 1 - sys/compat/common/rndpseudo_50.c | 1 - sys/compat/netbsd32/netbsd32_compat_50.c | 1 - sys/compat/netbsd32/netbsd32_rndpseudo_50.c | 1 - sys/netinet/sctp_pcb.c | 1 - 5 files changed, 5 deletions(-) diff --git a/sys/arch/x86/x86/cpu_rng.c b/sys/arch/x86/x86/cpu_rng.c index b6388052f94e..e5bdca672560 100644 --- a/sys/arch/x86/x86/cpu_rng.c +++ b/sys/arch/x86/x86/cpu_rng.c @@ -48,7 +48,6 @@ #include #include #include -#include #include #include #include diff --git a/sys/compat/common/rndpseudo_50.c b/sys/compat/common/rndpseudo_50.c index b33c14b3ba28..0cc7d1deac58 100644 --- a/sys/compat/common/rndpseudo_50.c +++ b/sys/compat/common/rndpseudo_50.c @@ -41,7 +41,6 @@ __KERNEL_RCSID(0, "$NetBSD: rndpseudo_50.c,v 1.6 2019/12/12 02:15:42 pgoyette Ex #include #include #include -#include #include #include diff --git a/sys/compat/netbsd32/netbsd32_compat_50.c b/sys/compat/netbsd32/netbsd32_compat_50.c index b3b374ac9532..f34af17d6fbc 100644 --- a/sys/compat/netbsd32/netbsd32_compat_50.c +++ b/sys/compat/netbsd32/netbsd32_compat_50.c @@ -62,7 +62,6 @@ __KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_50.c,v 1.44 2020/01/01 14:52:38 maxv #include #include #include -#include #include #include diff --git a/sys/compat/netbsd32/netbsd32_rndpseudo_50.c b/sys/compat/netbsd32/netbsd32_rndpseudo_50.c index e8edb51be29b..0e55b81af781 100644 --- a/sys/compat/netbsd32/netbsd32_rndpseudo_50.c +++ b/sys/compat/netbsd32/netbsd32_rndpseudo_50.c @@ -40,7 +40,6 @@ __KERNEL_RCSID(0, "$NetBSD: netbsd32_rndpseudo_50.c,v 1.4 2019/09/26 01:32:09 ch #include #include #include -#include #include #include diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index 72ee446d1627..5810c0b1c06b 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -53,7 +53,6 @@ __KERNEL_RCSID(0, "$NetBSD: sctp_pcb.c,v 1.20 2020/01/19 20:51:13 riastradh Exp #include #include #include -#include #include #include From 87db1100000e2537f9fc172f3cc233f6b91ed8c4 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Thu, 5 Dec 2019 03:16:28 +0000 Subject: [PATCH 5/7] WIP: hwrng repetition count test --- sys/kern/files.kern | 1 + sys/kern/kern_entropy.c | 43 ++++++++ sys/kern/subr_rngtest.c | 212 ++++++++++++++++++++++++++++++++++++++++ sys/sys/rndsource.h | 5 + sys/sys/rngtest.h | 7 ++ 5 files changed, 268 insertions(+) create mode 100644 sys/kern/subr_rngtest.c diff --git a/sys/kern/files.kern b/sys/kern/files.kern index 92e77f28a5aa..d77d8fca9222 100644 --- a/sys/kern/files.kern +++ b/sys/kern/files.kern @@ -143,6 +143,7 @@ file kern/subr_prf.c kern file kern/subr_prof.c kern file kern/subr_pserialize.c kern file kern/subr_psref.c kern +file kern/subr_rngtest.c kern file kern/subr_specificdata.c kern file kern/subr_tftproot.c tftproot file kern/subr_time.c kern diff --git a/sys/kern/kern_entropy.c b/sys/kern/kern_entropy.c index 3c05503b9161..e7ec52ef71c4 100644 --- a/sys/kern/kern_entropy.c +++ b/sys/kern/kern_entropy.c @@ -1695,6 +1695,49 @@ rnd_add_data_sync(struct krndsource *rs, const void *buf, uint32_t len, rnd_add_data(rs, buf, len, entropybits); } +/* + * rndsource_disable(rs) + * + * Disable rs. User can re-enable it if they want. + */ +void +rndsource_disable(struct krndsource *rs) +{ + uint32_t flags; + + KASSERT(E->stage == ENTROPY_HOT); + + mutex_enter(&E->lock); + flags = rs->rs_flags; + flags &= ~RND_FLAG_COLLECT_VALUE; + atomic_store_relaxed(&rs->rs_flags, flags); + mutex_exit(&E->lock); +} + +/* + * rndsource_disabled(rs) + * + * True if rs is currently disabled. + */ +bool +rndsource_disabled(const struct krndsource *rs) +{ + + return atomic_load_relaxed(&rs->rs_flags) & RND_FLAG_NO_COLLECT; +} + +/* + * rndsource_name(rs) + * + * Return a pointer to rs's name. + */ +const char * +rndsource_name(const struct krndsource *rs) +{ + + return rs->rs_name; +} + /* * rndsource_entropybits(rs) * diff --git a/sys/kern/subr_rngtest.c b/sys/kern/subr_rngtest.c new file mode 100644 index 000000000000..07956556e50b --- /dev/null +++ b/sys/kern/subr_rngtest.c @@ -0,0 +1,212 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2019 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * NIST SP800-90B 4.4.1 repetition count test, restricted to two + * samples of output. + * + * Driver: + * + * xyz_attach(sc) + * { + * ... + * // 100 bits of data to get each bit of entropy + * sc->sc_rngtest = rngreptest_create(&sc->sc_rndsource, 100); + * rnd_attach_source(&sc->sc_rndsource, ...); + * } + * + * xyz_intr(sc) + * { + * buf = sc->sc_intrbuf; + * len = READ4(sc, XYZ_NBYTES_READY); + * + * rngreptest_feed(&sc->sc_rndsource, buf, len); + * } + */ + +#include +__KERNEL_RCSID(0, "$NetBSD$"); + +#include +#include +#include +#include +#include +#include + +#include + +struct rngreptest { + struct krndsource *rndsource; + unsigned entropyrate; /* min #bits per bit of entropy */ + unsigned m; /* division by entropyrate */ + uint8_t s1, s2; + unsigned i, N; + uint8_t buf[/*N*/]; +}; + +/* + * Arbitrarily limit us to two pages (or one page, on 8K-page + * machines). Anything more than this is getting excessive and + * suggests you should maybe reconsider the RNG or at least the test. + */ +CTASSERT(sizeof(struct rngreptest) <= 8192u); +#define MAXBUF (8192u - sizeof(struct rngreptest)) + +struct rngreptest * +rngreptest_create(struct krndsource *rndsource, unsigned entropyrate) +{ + unsigned N; + struct rngreptest *T; + + /* + * Require the entropy to be good enough that a sample MAXBUF + * bytes long has at least two samples with 256 bits of entropy + * apiece. If not, maybe you should use a different test. + */ + if (entropyrate > MAXBUF/256/2) + panic("%u bits of data per bit of entropy is too many", + entropyrate); + + N = entropyrate * 256 * 2; + T = kmem_alloc(offsetof(struct rngreptest, buf[N]), KM_SLEEP); + + T->rndsource = rndsource; + T->entropyrate = entropyrate; + fast_divide32_prepare(entropyrate, &T->m, &T->s1, &T->s2); + T->i = 0; + T->N = N; + + return T; +} + +void +rngreptest_destroy(struct rngreptest *T) +{ + + explicit_memset(T, 0, offsetof(struct rngreptest, buf[T->N])); + kmem_free(T, offsetof(struct rngreptest, buf[T->N])); +} + +static unsigned +rngreptest_entropybits(struct rngreptest *T, uint32_t nbytes) +{ + uint32_t nbits; + + if (rndsource_disabled(T->rndsource)) + return 0; + nbits = MIN(nbytes, UINT32_MAX/NBBY)*NBBY; + return fast_divide32(nbits, T->entropyrate, T->m, T->s1, T->s2); +} + +static void +rngreptest_feed_1(struct rngreptest *T, const void *buf, uint32_t len) +{ + unsigned entropybits = rngreptest_entropybits(T, len); + + rnd_add_data(T->rndsource, buf, len, entropybits); +} + +static void +rngreptest_busted(struct rngreptest *T) +{ + + rndsource_disable(T->rndsource); + printf("entropy source `%s' failed repeated-output test" + " with false alarm rate 1/2^256\n", + rndsource_name(T->rndsource)); +} + +void +rngreptest_feed(struct rngreptest *T, const void *buf, uint32_t len) +{ + const unsigned N = T->N; + const uint8_t *p = buf; + uint32_t n = len; + + /* If T->buf is partially filled, finish filling it first. */ + if (T->i) { + memcpy(T->buf + T->i, p, MIN(n, N - T->i)); + T->i += MIN(n, N - T->i); + p += MIN(n, N - T->i); + n -= MIN(n, N - T->i); + + /* If we didn't fill up T->buf, we're done. */ + if (T->i < N) { + KASSERT(n == 0); + goto out; + } + + /* + * Test the first buffered half against the second + * buffered half, and feed the first buffered half in. + */ + if (consttime_memequal(T->buf, T->buf + N/2, N/2)) + rngreptest_busted(T); + rngreptest_feed_1(T, T->buf, N/2); + + /* If we can't fill another half, save it and stop. */ + if (n < N/2) { + memcpy(T->buf, T->buf + N/2, N/2); + memcpy(T->buf + N/2, p, n); + explicit_memset(T->buf + N/2 + n, 0, N/2 - n); + T->i = N/2 + n; + goto out; + } + + /* + * Otherwise, test the second buffered half against p/n + * and then start feeding it in. + */ + if (consttime_memequal(T->buf + N/2, p, n)) + rngreptest_busted(T); + rngreptest_feed_1(T, T->buf + N/2, N/2); + explicit_memset(T->buf, 0, N); + T->i = 0; + } + + KASSERT(T->i == 0); + + /* Munch through the input one buffer's worth at a time. */ + while (n >= N) { + if (consttime_memequal(p, p + N/2, N/2)) + rngreptest_busted(T); + rngreptest_feed_1(T, p, N/2); + p += N/2; + n -= N/2; + } + + /* Save the remainder if any in the buffer. */ + memcpy(T->buf, p, n); + T->i = n; + +out: KASSERT(T->i < N); +} diff --git a/sys/sys/rndsource.h b/sys/sys/rndsource.h index eeff0604e337..345153337e57 100644 --- a/sys/sys/rndsource.h +++ b/sys/sys/rndsource.h @@ -71,4 +71,9 @@ void rnd_add_data(struct krndsource *, const void *, uint32_t, uint32_t); void rnd_add_data_sync(struct krndsource *, const void *, uint32_t, uint32_t); +void rndsource_disable(struct krndsource *); +bool rndsource_disabled(const struct krndsource *); +const char * + rndsource_name(const struct krndsource *); + #endif /* _SYS_RNDSOURCE_H */ diff --git a/sys/sys/rngtest.h b/sys/sys/rngtest.h index 1fa70fc05c85..607783e8188b 100644 --- a/sys/sys/rngtest.h +++ b/sys/sys/rngtest.h @@ -46,4 +46,11 @@ typedef struct { int rngtest(rngtest_t *const); +struct rngreptest; +struct krndsource; + +struct rngreptest *rngreptest_create(struct krndsource *, unsigned); +void rngreptest_destroy(struct rngreptest *); +void rngreptest_feed(struct rngreptest *, const void *, uint32_t); + #endif From d0e09c0e3ba0831c4ae1768f788986ef2f72d6e0 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Wed, 18 Dec 2019 01:28:13 +0000 Subject: [PATCH 6/7] Adapt meson rng to use rngreptest. --- sys/arch/arm/amlogic/meson_rng.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sys/arch/arm/amlogic/meson_rng.c b/sys/arch/arm/amlogic/meson_rng.c index 93c8b55c4241..b3e900a1bc4c 100644 --- a/sys/arch/arm/amlogic/meson_rng.c +++ b/sys/arch/arm/amlogic/meson_rng.c @@ -37,6 +37,7 @@ __KERNEL_RCSID(0, "$NetBSD: meson_rng.c,v 1.2 2019/04/21 14:13:55 jmcneill Exp $ #include #include #include +#include #include @@ -52,6 +53,7 @@ struct meson_rng_softc { kmutex_t sc_lock; krndsource_t sc_rndsource; + struct rngreptest *sc_rngreptest; }; static const char * const compatible[] = { @@ -104,11 +106,10 @@ meson_rng_attach(device_t parent, device_t self, void *aux) aprint_naive("\n"); aprint_normal(": Hardware RNG\n"); + sc->sc_rngreptest = rngreptest_create(&sc->sc_rndsource, 2); rndsource_setcb(&sc->sc_rndsource, meson_rng_get, sc); rnd_attach_source(&sc->sc_rndsource, device_xname(self), RND_TYPE_RNG, RND_FLAG_COLLECT_VALUE|RND_FLAG_HASCB); - - meson_rng_get(RND_POOLBITS / NBBY, sc); } static void @@ -120,8 +121,7 @@ meson_rng_get(size_t bytes_wanted, void *priv) mutex_spin_enter(&sc->sc_lock); while (bytes_wanted) { data = bus_space_read_4(sc->sc_bst, sc->sc_bsh, 0); - rnd_add_data_sync(&sc->sc_rndsource, &data, sizeof(data), - sizeof(data) * NBBY); + rngreptest_feed(sc->sc_rngreptest, &data, sizeof(data)); bytes_wanted -= MIN(bytes_wanted, sizeof(data)); } explicit_memset(&data, 0, sizeof(data)); From b6e4543e2cb779601ec796265412645cea13791c Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Mon, 20 Jan 2020 05:53:36 +0000 Subject: [PATCH 7/7] WIP: Rockchip crypto engine RNG driver. There seem to be two versions of the Rockchip crypto engine, v1 and v2; this one is for v1. Can't name a driver `rkcryptov1' so we'll clumsily call it `rk1crypto' instead to leave room for `rk2crypto' later on. --- sys/arch/arm/dts/rk3399-pinebook-pro.dts | 13 + sys/arch/arm/dts/rk3399-rockpro64.dts | 12 + sys/arch/arm/rockchip/files.rockchip | 5 + sys/arch/arm/rockchip/rk_1crypto.c | 314 +++++++++++++++++++++++ sys/arch/arm/rockchip/rk_1crypto.h | 178 +++++++++++++ sys/arch/evbarm/conf/GENERIC64 | 1 + 6 files changed, 523 insertions(+) create mode 100644 sys/arch/arm/rockchip/rk_1crypto.c create mode 100644 sys/arch/arm/rockchip/rk_1crypto.h diff --git a/sys/arch/arm/dts/rk3399-pinebook-pro.dts b/sys/arch/arm/dts/rk3399-pinebook-pro.dts index 62c7d3f4640c..60ed30a1cff2 100644 --- a/sys/arch/arm/dts/rk3399-pinebook-pro.dts +++ b/sys/arch/arm/dts/rk3399-pinebook-pro.dts @@ -344,6 +344,19 @@ compatible = "universal-charger"; extcon = <&fusb0>; }; + + // XXX Sync with rk3399-rockpro64.dts. + crypto: crypto@ff8b8000 { + compatible = "rockchip,rk3288-crypto"; + reg = <0x0 0xff8b8000 0x0 0x1000>; + clocks = <&cru HCLK_M_CRYPTO1>, <&cru HCLK_S_CRYPTO1>, + <&cru SCLK_CRYPTO1>, <&cru ACLK_DMAC1_PERILP>; + clock-names = "aclk", "hclk", "sclk", "apb_pclk"; + assigned-clocks = <&cru SCLK_CRYPTO1>, <&cru HCLK_S_CRYPTO1>; + assigned-clock-rates = <150000000>, <100000000>; + resets = <&cru SRST_CRYPTO1>; + reset-names = "crypto-rst"; + }; }; &edp { diff --git a/sys/arch/arm/dts/rk3399-rockpro64.dts b/sys/arch/arm/dts/rk3399-rockpro64.dts index 0a42d0aaea38..2e6bfc40b5ea 100644 --- a/sys/arch/arm/dts/rk3399-rockpro64.dts +++ b/sys/arch/arm/dts/rk3399-rockpro64.dts @@ -148,6 +148,18 @@ }; #endif + // XXX Sync with rk3399-rockpro64.dts. + crypto: crypto@ff8b8000 { + compatible = "rockchip,rk3288-crypto"; + reg = <0x0 0xff8b8000 0x0 0x1000>; + clocks = <&cru HCLK_M_CRYPTO1>, <&cru HCLK_S_CRYPTO1>, + <&cru SCLK_CRYPTO1>, <&cru ACLK_DMAC1_PERILP>; + clock-names = "aclk", "hclk", "sclk", "apb_pclk"; + assigned-clocks = <&cru SCLK_CRYPTO1>, <&cru HCLK_S_CRYPTO1>; + assigned-clock-rates = <150000000>, <100000000>; + resets = <&cru SRST_CRYPTO1>; + reset-names = "crypto-rst"; + }; }; &pinctrl { diff --git a/sys/arch/arm/rockchip/files.rockchip b/sys/arch/arm/rockchip/files.rockchip index c11d8e9f47bf..d76eda96ca12 100644 --- a/sys/arch/arm/rockchip/files.rockchip +++ b/sys/arch/arm/rockchip/files.rockchip @@ -112,6 +112,11 @@ device rki2s attach rki2s at fdt with rk_i2s file arch/arm/rockchip/rk_i2s.c rk_i2s +# Crypto engine +device rk1crypto +attach rk1crypto at fdt with rk_1crypto +file arch/arm/rockchip/rk_1crypto.c rk_1crypto + # SOC parameters defflag opt_soc.h SOC_ROCKCHIP defflag opt_soc.h SOC_RK3328: SOC_ROCKCHIP diff --git a/sys/arch/arm/rockchip/rk_1crypto.c b/sys/arch/arm/rockchip/rk_1crypto.c new file mode 100644 index 000000000000..fce9f150b85d --- /dev/null +++ b/sys/arch/arm/rockchip/rk_1crypto.c @@ -0,0 +1,314 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * rk_1crypto -- Rockchip crypto v1 driver + * + * This is just the RNG for now. + */ + +#include +__KERNEL_RCSID(1, "$NetBSD$"); + +#include + +#include +#include +#include +#include +#include +#include + +#include + +#include + +struct rk_1crypto_softc { + device_t sc_dev; + bus_space_tag_t sc_bst; + bus_space_handle_t sc_bsh; + kmutex_t sc_lock; + struct krndsource sc_rndsource; + struct rk_1crypto_sysctl { + struct sysctllog *cy_log; + const struct sysctlnode *cy_root_node; + const struct sysctlnode *cy_trng_node; + } sc_sysctl; +}; + +static int rk_1crypto_match(device_t, cfdata_t, void *); +static void rk_1crypto_attach(device_t, device_t, void *); +static void rk_1crypto_rndsource_attach(struct rk_1crypto_softc *); +static void rk_1crypto_rng_get(size_t, void *); +static void rk_1crypto_sysctl_attach(struct rk_1crypto_softc *); +static int rk_1crypto_sysctl_rng(SYSCTLFN_ARGS); +static int rk_1crypto_rng(struct rk_1crypto_softc *, + uint32_t[static RK_1CRYPTO_TRNG_NOUT]); + +static uint32_t +RKC_READ(struct rk_1crypto_softc *sc, bus_addr_t reg) +{ + return bus_space_read_4(sc->sc_bst, sc->sc_bsh, reg); +} + +static void +RKC_WRITE(struct rk_1crypto_softc *sc, bus_addr_t reg, uint32_t v) +{ + return bus_space_write_4(sc->sc_bst, sc->sc_bsh, reg, v); +} + +static inline void +RKC_CTRL(struct rk_1crypto_softc *sc, uint16_t m, uint16_t v) +{ + uint32_t c = 0; + + c |= __SHIFTIN(m, RK_1CRYPTO_CTRL_MASK); + c |= __SHIFTIN(v, m); + RKC_WRITE(sc, RK_1CRYPTO_CTRL, c); +} + +CFATTACH_DECL_NEW(rk_1crypto, sizeof(struct rk_1crypto_softc), + rk_1crypto_match, rk_1crypto_attach, NULL, NULL); + +static const struct of_compat_data compat_data[] = { + {"rockchip,rk3288-crypto", 0}, + {NULL} +}; + +static int +rk_1crypto_match(device_t parent, cfdata_t cf, void *aux) +{ + const struct fdt_attach_args *const faa = aux; + + return of_match_compat_data(faa->faa_phandle, compat_data); +} + +static void +rk_1crypto_attach(device_t parent, device_t self, void *aux) +{ + static const char *const clks[] = {"aclk", "hclk", "sclk", "apb_pclk"}; + struct rk_1crypto_softc *const sc = device_private(self); + const struct fdt_attach_args *const faa = aux; + bus_addr_t addr; + bus_size_t size; + const int phandle = faa->faa_phandle; + struct fdtbus_reset *rst; + unsigned i; + + fdtbus_clock_assign(phandle); + + sc->sc_dev = self; + sc->sc_bst = faa->faa_bst; + mutex_init(&sc->sc_lock, MUTEX_DEFAULT, IPL_VM); + + /* Get and map device registers. */ + if (fdtbus_get_reg(phandle, 0, &addr, &size) != 0) { + aprint_error(": couldn't get registers\n"); + return; + } + if (bus_space_map(sc->sc_bst, addr, size, 0, &sc->sc_bsh) != 0) { + aprint_error(": couldn't map registers\n"); + return; + } + + /* Enable the clocks. */ + for (i = 0; i < __arraycount(clks); i++) { + if (fdtbus_clock_enable(phandle, clks[i], true) != 0) { + aprint_error(": couldn't enable %s clock\n", clks[i]); + return; + } + } + + /* Get a reset handle if we need and try to deassert it. */ + if ((rst = fdtbus_reset_get_index(phandle, 0)) != NULL) { + if (fdtbus_reset_deassert(rst) != 0) { + aprint_error(": couldn't de-assert reset\n"); + return; + } + } + + aprint_naive("\n"); + aprint_normal(": Crypto v1\n"); + + rk_1crypto_rndsource_attach(sc); + rk_1crypto_sysctl_attach(sc); +} + +static void +rk_1crypto_rndsource_attach(struct rk_1crypto_softc *sc) +{ + device_t self = sc->sc_dev; + + rndsource_setcb(&sc->sc_rndsource, rk_1crypto_rng_get, sc); + rnd_attach_source(&sc->sc_rndsource, device_xname(self), + RND_TYPE_RNG, /* XXX */ + RND_FLAG_COLLECT_VALUE|RND_FLAG_ESTIMATE_VALUE|RND_FLAG_HASCB); +} + +static void +rk_1crypto_rng_get(size_t nbytes, void *cookie) +{ + struct rk_1crypto_softc *sc = cookie; + device_t self = sc->sc_dev; + uint32_t buf[RK_1CRYPTO_TRNG_NOUT]; + uint32_t entropybits = NBBY*sizeof(buf); + unsigned n = RK_1CRYPTO_TRNG_NOUT; + int error; + + CTASSERT((RK_1CRYPTO_TRNG_NOUT % 2) == 0); + + error = rk_1crypto_rng(sc, buf); + if (error) + entropybits = 0; + if (consttime_memequal(buf, buf + n/2, n/2)) { + device_printf(self, "failed repeated output test\n"); + entropybits = 0; + } + + rnd_add_data(&sc->sc_rndsource, buf, sizeof buf, entropybits); + explicit_memset(buf, 0, sizeof buf); +} + +static void +rk_1crypto_sysctl_attach(struct rk_1crypto_softc *sc) +{ + device_t self = sc->sc_dev; + struct rk_1crypto_sysctl *cy = &sc->sc_sysctl; + int error; + + /* hw.rk1cryptoN (node) */ + error = sysctl_createv(&cy->cy_log, 0, NULL, &cy->cy_root_node, + CTLFLAG_PERMANENT, CTLTYPE_NODE, device_xname(self), + SYSCTL_DESCR("rk crypto v1 engine knobs"), + NULL, 0, NULL, 0, + CTL_HW, CTL_CREATE, CTL_EOL); + if (error) { + aprint_error_dev(self, + "failed to set up sysctl hw.%s: %d\n", + device_xname(self), error); + return; + } + + /* hw.rk1cryptoN.rng (`struct', 32-byte array) */ + sysctl_createv(&cy->cy_log, 0, &cy->cy_trng_node, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READONLY|CTLFLAG_PRIVATE, CTLTYPE_STRUCT, + "rng", SYSCTL_DESCR("Read up to 32 bytes out of the TRNG"), + &rk_1crypto_sysctl_rng, 0, sc, 0, CTL_CREATE, CTL_EOL); + if (error) { + aprint_error_dev(self, + "failed to set up sysctl hw.%s.rng: %d\n", + device_xname(self), error); + return; + } +} + +static int +rk_1crypto_sysctl_rng(SYSCTLFN_ARGS) +{ + uint32_t buf[RK_1CRYPTO_TRNG_NOUT]; + struct sysctlnode node = *rnode; + struct rk_1crypto_softc *sc = node.sysctl_data; + size_t size; + int error; + + /* If oldp == NULL, the caller wants to learn the size. */ + if (oldp == NULL) { + *oldlenp = sizeof buf; + return 0; + } + + /* Verify the output buffer size is reasonable. */ + size = *oldlenp; + if (size > sizeof buf) /* size_t, so never negative */ + return E2BIG; + if (size == 0) + return 0; /* nothing to do */ + + /* Generate data. */ + error = rk_1crypto_rng(sc, buf); + if (error) + return error; + + /* Copy out the data. */ + node.sysctl_data = buf; + node.sysctl_size = size; + error = sysctl_lookup(SYSCTLFN_CALL(&node)); + + /* Clear the buffer. */ + explicit_memset(buf, 0, sizeof buf); + + /* Return the sysctl_lookup error, if any. */ + return error; +} + +static int +rk_1crypto_rng(struct rk_1crypto_softc *sc, + uint32_t buf[static RK_1CRYPTO_TRNG_NOUT]) +{ + uint32_t ctrl; + unsigned i, timo; + int error; + + /* Acquire lock to serialize access to TRNG. */ + mutex_enter(&sc->sc_lock); + + /* + * Enable ring oscillator to start gathering entropy for a + * sample period of 100 cycles. (XXX Why 100?) + */ + ctrl = RK_1CRYPTO_TRNG_CTRL_OSC_ENABLE; + ctrl |= __SHIFTIN(100, RK_1CRYPTO_TRNG_CTRL_CYCLES); + RKC_WRITE(sc, RK_1CRYPTO_TRNG_CTRL, ctrl); + + /* Enable TRNG and wait up to 10ms = 100*100us for it to post. */ + RKC_CTRL(sc, RK_1CRYPTO_CTRL_TRNG_START, 1); + timo = 100; + while ((RKC_READ(sc, RK_1CRYPTO_CTRL) & RK_1CRYPTO_CTRL_TRNG_START) + == 0) { + if (--timo == 0) { + error = ETIMEDOUT; + goto out; + } + DELAY(100); + } + + /* Read out the data. */ + for (i = 0; i < 8; i++) + buf[i] = RKC_READ(sc, RK_1CRYPTO_TRNG_DOUT(i)); + + /* Success! */ + error = 0; + +out: /* Disable TRNG and release lock. */ + RKC_CTRL(sc, RK_1CRYPTO_CTRL_TRNG_START, 0); + mutex_exit(&sc->sc_lock); + return error; +} diff --git a/sys/arch/arm/rockchip/rk_1crypto.h b/sys/arch/arm/rockchip/rk_1crypto.h new file mode 100644 index 000000000000..c01a5d29d38e --- /dev/null +++ b/sys/arch/arm/rockchip/rk_1crypto.h @@ -0,0 +1,178 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2020 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Taylor R. Campbell. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _ARM_ROCKCHIP_RK_1CRYPTO_H +#define _ARM_ROCKCHIP_RK_1CRYPTO_H + +#define RK_1CRYPTO_INTSTS 0x0000 /* Interrupt Status */ +#define RK_1CRYPTO_INTSTS_PKA_DONE __BIT(5) +#define RK_1CRYPTO_INTSTS_HASH_DONE __BIT(4) +#define RK_1CRYPTO_INTSTS_HRDMA_ERR __BIT(3) +#define RK_1CRYPTO_INTSTS_HRDMA_DONE __BIT(2) +#define RK_1CRYPTO_INTSTS_BCDMA_ERR __BIT(1) +#define RK_1CRYPTO_INTSTS_BCDMA_DONE __BIT(0) + +#define RK_1CRYPTO_INTENA 0x0004 /* Interrupt Enable */ +#define RK_1CRYPTO_INTENA_PKA_DONE __BIT(5) +#define RK_1CRYPTO_INTENA_HASH_DONE __BIT(4) +#define RK_1CRYPTO_INTENA_HRDMA_ERR __BIT(3) +#define RK_1CRYPTO_INTENA_HRDMA_DONE __BIT(2) +#define RK_1CRYPTO_INTENA_BCDMA_ERR __BIT(1) +#define RK_1CRYPTO_INTENA_BCDMA_DONE __BIT(0) + +#define RK_1CRYPTO_CTRL 0x0008 /* Control */ +#define RK_1CRYPTO_CTRL_MASK __BITS(31,16) +#define RK_1CRYPTO_CTRL_TRNG_FLUSH __BIT(9) +#define RK_1CRYPTO_CTRL_TRNG_START __BIT(8) +#define RK_1CRYPTO_CTRL_PKA_FLUSH __BIT(7) +#define RK_1CRYPTO_CTRL_HASH_FLUSH __BIT(6) +#define RK_1CRYPTO_CTRL_BLOCK_FLUSH __BIT(5) +#define RK_1CRYPTO_CTRL_PKA_START __BIT(4) +#define RK_1CRYPTO_CTRL_HASH_START __BIT(3) +#define RK_1CRYPTO_CTRL_BLOCK_START __BIT(2) +#define RK_1CRYPTO_CTRL_TDES_START __BIT(1) +#define RK_1CRYPTO_CTRL_AES_START __BIT(0) + +#define RK_1CRYPTO_CONF 0x000c /* ? */ +#define RK_1CRYPTO_CONF_HR_ADDR_MODE __BIT(8) +#define RK_1CRYPTO_CONF_BT_ADDR_MODE __BIT(7) +#define RK_1CRYPTO_CONF_BR_ADDR_MODE __BIT(6) +#define RK_1CRYPTO_CONF_MODE_FIX 1 +#define RK_1CRYPTO_CONF_MODE_INCR 0 +#define RK_1CRYPTO_CONF_BYTESWAP_HRFIFO __BIT(5) +#define RK_1CRYPTO_CONF_BYTESWAP_BTFIFO __BIT(4) +#define RK_1CRYPTO_CONF_BYTESWAP_BRFIFO __BIT(3) +#define RK_1CRYPTO_CONF_DESSEL __BIT(2) +#define RK_1CRYPTO_CONF_DESSEL_AES 0 +#define RK_1CRYPTO_CONF_DESSEL_DES 1 /* 3DES? */ +#define RK_1CRYPTO_CONF_HASHINSEL __BITS(1,0) +#define RK_1CRYPTO_CONF_HASHINSEL_INDEP 0 +#define RK_1CRYPTO_CONF_HASHINSEL_BLKIN 1 +#define RK_1CRYPTO_CONF_HASHINSEL_BLKOUT 2 + +#define RK_1CRYPTO_BRDMAS 0x0010 /* Block Rx DMA Start */ +#define RK_1CRYPTO_BTDMAS 0x0014 /* Block Tx DMA Start */ +#define RK_1CRYPTO_BRDMAL 0x0018 /* Block Rx DMA Length */ +#define RK_1CRYPTO_BTDMAL 0x0020 /* Block Tx DMA Length */ +#define RK_1CRYPTO_HRDMAS 0x001c /* Hash Rx DMA Start */ +#define RK_1CRYPTO_HRDMAL 0x0020 /* Hash Rx DMA Length */ + +#define RK_1CRYPTO_AES_CTRL 0x0080 /* AES Control */ +#define RK_1CRYPTO_AES_CTRL_BYTESWAP_CNT __BIT(11) +#define RK_1CRYPTO_AES_CTRL_BYTESWAP_KEY __BIT(10) +#define RK_1CRYPTO_AES_CTRL_BYTESWAP_IV __BIT(9) +#define RK_1CRYPTO_AES_CTRL_BYTESWAP_DO __BIT(8) +#define RK_1CRYPTO_AES_CTRL_BYTESWAP_DI __BIT(7) +#define RK_1CRYPTO_AES_CTRL_KEYCHANGE __BIT(6) +#define RK_1CRYPTO_AES_CTRL_MODE __BITS(5,4) +#define RK_1CRYPTO_AES_CTRL_MODE_ECB 0 +#define RK_1CRYPTO_AES_CTRL_MODE_CBC 1 +#define RK_1CRYPTO_AES_CTRL_MODE_CTR 2 +#define RK_1CRYPTO_AES_CTRL_KEYSIZE __BITS(3,2) +#define RK_1CRYPTO_AES_CTRL_KEYSIZE_128 0 +#define RK_1CRYPTO_AES_CTRL_KEYSIZE_192 1 +#define RK_1CRYPTO_AES_CTRL_KEYSIZE_256 2 +#define RK_1CRYPTO_AES_CTRL_FIFOMODE __BIT(1) +#define RK_1CRYPTO_AES_CTRL_DIR __BIT(0) +#define RK_1CRYPTO_AES_CTRL_DIR_ENC 0 +#define RK_1CRYPTO_AES_CTRL_DIR_DEC 1 + +#define RK_1CRYPTO_AES_STS 0x0084 /* AES Status */ +#define RK_1CRYPTO_AES_STS_DONE __BIT(0) + +#define RK_1CRYPTO_AES_DIN(n) (0x0088 + 4*(n)) /* AES Input */ +#define RK_1CRYPTO_AES_DOUT(n) (0x0098 + 4*(n)) /* AES Output */ +#define RK_1CRYPTO_AES_IV(n) (0x00a8 + 4*(n)) /* AES IV */ +#define RK_1CRYPTO_AES_KEY(n) (0x00b8 + 4*(n)) /* AES Key */ +#define RK_1CRYPTO_AES_CNT(n) (0x00d8 + 4*(n)) /* AES Input Counter */ + +#define RK_1CRYPTO_TDES_CTRL 0x0100 /* 3DES Control */ +#define RK_1CRYPTO_TDES_CTRL_BYTESWAP_KEY __BIT(8) +#define RK_1CRYPTO_TDES_CTRL_BYTESWAP_IV __BIT(7) +#define RK_1CRYPTO_TDES_CTRL_BYTESWAP_DO __BIT(6) +#define RK_1CRYPTO_TDES_CTRL_BYTESWAP_DI __BIT(5) +#define RK_1CRYPTO_TDES_CTRL_MODE __BIT(4) +#define RK_1CRYPTO_TDES_CTRL_MODE_ECB 0 +#define RK_1CRYPTO_TDES_CTRL_MODE_CBC 1 +#define RK_1CRYPTO_TDES_CTRL_KEYMODE __BIT(3) +#define RK_1CRYPTO_TDES_CTRL_KEYMODE_EDE 0 +#define RK_1CRYPTO_TDES_CTRL_KEYMODE_EEE 1 +#define RK_1CRYPTO_TDES_CTRL_SELECT __BIT(2) +#define RK_1CRYPTO_TDES_CTRL_SELECT_DES 0 +#define RK_1CRYPTO_TDES_CTRL_SELECT_TDES 1 +#define RK_1CRYPTO_TDES_CTRL_FIFOMODE __BIT(1) +#define RK_1CRYPTO_TDES_CTRL_DIR __BIT(0) +#define RK_1CRYPTO_TDES_CTRL_DIR_ENC 0 +#define RK_1CRYPTO_TDES_CTRL_DIR_DEC 1 + +#define RK_1CRYPTO_TDES_STS 0x0104 /* 3DES Status */ +#define RK_1CRYPTO_TDES_STS_DONE __BIT(0) + +#define RK_1CRYPTO_TDES_DIN(n) (0x0108 + 4*(n)) /* 3DES Input */ +#define RK_1CRYPTO_TDES_DOUT(n)(0x0110 + 4*(n)) /* 3DES Output */ +#define RK_1CRYPTO_TDES_IV(n) (0x0118 + 4*(n)) /* 3DES IV */ +#define RK_1CRYPTO_TDES_KEY(n) (0x0120 + 4*(n)) /* 3DES Key(1,2,3) */ + +#define RK_1CRYPTO_HASH_CTRL 0x0180 /* Hash Control */ +#define RK_1CRYPTO_HASH_SWAP_DO __BIT(3) +#define RK_1CRYPTO_HASH_SWAP_DI __BIT(2) +#define RK_1CRYPTO_HASH_SELECT __BITS(1,0) +#define RK_1CRYPTO_HASH_SELECT_SHA1 0 +#define RK_1CRYPTO_HASH_SELECT_MD5 1 +#define RK_1CRYPTO_HASH_SELECT_SHA256 2 +#define RK_1CRYPTO_HASH_SELECT_PRNG 3 /* ??? */ + +#define RK_1CRYPTO_HASH_STS 0x0184 /* Hash Status */ +#define RK_1CRYPTO_HASH_STS_DONE __BIT(0) + +#define RK_1CRYPTO_HASH_MSG_LEN 0x0188 /* Hash Message Len */ +#define RK_1CRYPTO_HASH_DOUT(n)(0x018c + 4*(n)) /* Hash Result */ +#define RK_1CRYPTO_HASH_SEED(n)(0x01ac + 4*(n)) /* HMAC/PRNG key */ + +#define RK_1CRYPTO_TRNG_CTRL 0x0200 /* TRNG Control */ +#define RK_1CRYPTO_TRNG_CTRL_OSC_ENABLE __BIT(16) +#define RK_1CRYPTO_TRNG_CTRL_CYCLES __BITS(15,0) + +#define RK_1CRYPTO_TRNG_DOUT(n)(0x0204 + 4*(n)) /* TRNG Output */ +#define RK_1CRYPTO_TRNG_NOUT 8 /* up to 8 32-bit */ + +#define RK_1CRYPTO_PKA_CTRL 0x0280 /* PKA Control (RSA?) */ +#define RK_1CRYPTO_PKA_CTRL_SIZE __BITS(1,0) +#define RK_1CRYPTO_PKA_CTRL_SIZE_512 0 +#define RK_1CRYPTO_PKA_CTRL_SIZE_1024 1 +#define RK_1CRYPTO_PKA_CTRL_SIZE_2048 2 + +#define RK_1CRYPTO_M 0x0400 /* RSA `message' */ +#define RK_1CRYPTO_C 0x0500 /* 2^(2 ceil(lg n) + 2) mod n */ +#define RK_1CRYPTO_N 0x0600 /* RSA modulus? */ +#define RK_1CRYPTO_E 0x0700 /* RSA exponent? */ + +#endif /* _ARM_ROCKCHIP_RK_1CRYPTO_H */ diff --git a/sys/arch/evbarm/conf/GENERIC64 b/sys/arch/evbarm/conf/GENERIC64 index 773abc723906..b9a4200b7465 100644 --- a/sys/arch/evbarm/conf/GENERIC64 +++ b/sys/arch/evbarm/conf/GENERIC64 @@ -411,6 +411,7 @@ amdccp* at acpi? bcmrng* at fdt? # Broadcom BCM283x RNG mesonrng* at fdt? # Amlogic Meson RNG sun8icrypto* at fdt? # Allwinner Crypto Engine +rk1crypto* at fdt? # Rockchip Crypto v1 # RTC plrtc* at fdt? # ARM PrimeCell RTC