drivers/char/random.c at v5.17-rc2 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / drivers / char / random.c
at v5.17-rc2 2232 lines 67 kB view raw
   1/*
   2 * random.c -- A strong random number generator
   3 *
   4 * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
   5 *
   6 * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005
   7 *
   8 * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999.  All
   9 * rights reserved.
  10 *
  11 * Redistribution and use in source and binary forms, with or without
  12 * modification, are permitted provided that the following conditions
  13 * are met:
  14 * 1. Redistributions of source code must retain the above copyright
  15 *    notice, and the entire permission notice in its entirety,
  16 *    including the disclaimer of warranties.
  17 * 2. Redistributions in binary form must reproduce the above copyright
  18 *    notice, this list of conditions and the following disclaimer in the
  19 *    documentation and/or other materials provided with the distribution.
  20 * 3. The name of the author may not be used to endorse or promote
  21 *    products derived from this software without specific prior
  22 *    written permission.
  23 *
  24 * ALTERNATIVELY, this product may be distributed under the terms of
  25 * the GNU General Public License, in which case the provisions of the GPL are
  26 * required INSTEAD OF the above restrictions.  (This clause is
  27 * necessary due to a potential bad interaction between the GPL and
  28 * the restrictions contained in a BSD-style copyright.)
  29 *
  30 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  31 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
  33 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
  34 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  35 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
  36 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  37 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  38 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  39 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  40 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
  41 * DAMAGE.
  42 */
  43
  44/*
  45 * (now, with legal B.S. out of the way.....)
  46 *
  47 * This routine gathers environmental noise from device drivers, etc.,
  48 * and returns good random numbers, suitable for cryptographic use.
  49 * Besides the obvious cryptographic uses, these numbers are also good
  50 * for seeding TCP sequence numbers, and other places where it is
  51 * desirable to have numbers which are not only random, but hard to
  52 * predict by an attacker.
  53 *
  54 * Theory of operation
  55 * ===================
  56 *
  57 * Computers are very predictable devices.  Hence it is extremely hard
  58 * to produce truly random numbers on a computer --- as opposed to
  59 * pseudo-random numbers, which can easily generated by using a
  60 * algorithm.  Unfortunately, it is very easy for attackers to guess
  61 * the sequence of pseudo-random number generators, and for some
  62 * applications this is not acceptable.  So instead, we must try to
  63 * gather "environmental noise" from the computer's environment, which
  64 * must be hard for outside attackers to observe, and use that to
  65 * generate random numbers.  In a Unix environment, this is best done
  66 * from inside the kernel.
  67 *
  68 * Sources of randomness from the environment include inter-keyboard
  69 * timings, inter-interrupt timings from some interrupts, and other
  70 * events which are both (a) non-deterministic and (b) hard for an
  71 * outside observer to measure.  Randomness from these sources are
  72 * added to an "entropy pool", which is mixed using a CRC-like function.
  73 * This is not cryptographically strong, but it is adequate assuming
  74 * the randomness is not chosen maliciously, and it is fast enough that
  75 * the overhead of doing it on every interrupt is very reasonable.
  76 * As random bytes are mixed into the entropy pool, the routines keep
  77 * an *estimate* of how many bits of randomness have been stored into
  78 * the random number generator's internal state.
  79 *
  80 * When random bytes are desired, they are obtained by taking the BLAKE2s
  81 * hash of the contents of the "entropy pool".  The BLAKE2s hash avoids
  82 * exposing the internal state of the entropy pool.  It is believed to
  83 * be computationally infeasible to derive any useful information
  84 * about the input of BLAKE2s from its output.  Even if it is possible to
  85 * analyze BLAKE2s in some clever way, as long as the amount of data
  86 * returned from the generator is less than the inherent entropy in
  87 * the pool, the output data is totally unpredictable.  For this
  88 * reason, the routine decreases its internal estimate of how many
  89 * bits of "true randomness" are contained in the entropy pool as it
  90 * outputs random numbers.
  91 *
  92 * If this estimate goes to zero, the routine can still generate
  93 * random numbers; however, an attacker may (at least in theory) be
  94 * able to infer the future output of the generator from prior
  95 * outputs.  This requires successful cryptanalysis of BLAKE2s, which is
  96 * not believed to be feasible, but there is a remote possibility.
  97 * Nonetheless, these numbers should be useful for the vast majority
  98 * of purposes.
  99 *
 100 * Exported interfaces ---- output
 101 * ===============================
 102 *
 103 * There are four exported interfaces; two for use within the kernel,
 104 * and two for use from userspace.
 105 *
 106 * Exported interfaces ---- userspace output
 107 * -----------------------------------------
 108 *
 109 * The userspace interfaces are two character devices /dev/random and
 110 * /dev/urandom.  /dev/random is suitable for use when very high
 111 * quality randomness is desired (for example, for key generation or
 112 * one-time pads), as it will only return a maximum of the number of
 113 * bits of randomness (as estimated by the random number generator)
 114 * contained in the entropy pool.
 115 *
 116 * The /dev/urandom device does not have this limit, and will return
 117 * as many bytes as are requested.  As more and more random bytes are
 118 * requested without giving time for the entropy pool to recharge,
 119 * this will result in random numbers that are merely cryptographically
 120 * strong.  For many applications, however, this is acceptable.
 121 *
 122 * Exported interfaces ---- kernel output
 123 * --------------------------------------
 124 *
 125 * The primary kernel interface is
 126 *
 127 *	void get_random_bytes(void *buf, int nbytes);
 128 *
 129 * This interface will return the requested number of random bytes,
 130 * and place it in the requested buffer.  This is equivalent to a
 131 * read from /dev/urandom.
 132 *
 133 * For less critical applications, there are the functions:
 134 *
 135 *	u32 get_random_u32()
 136 *	u64 get_random_u64()
 137 *	unsigned int get_random_int()
 138 *	unsigned long get_random_long()
 139 *
 140 * These are produced by a cryptographic RNG seeded from get_random_bytes,
 141 * and so do not deplete the entropy pool as much.  These are recommended
 142 * for most in-kernel operations *if the result is going to be stored in
 143 * the kernel*.
 144 *
 145 * Specifically, the get_random_int() family do not attempt to do
 146 * "anti-backtracking".  If you capture the state of the kernel (e.g.
 147 * by snapshotting the VM), you can figure out previous get_random_int()
 148 * return values.  But if the value is stored in the kernel anyway,
 149 * this is not a problem.
 150 *
 151 * It *is* safe to expose get_random_int() output to attackers (e.g. as
 152 * network cookies); given outputs 1..n, it's not feasible to predict
 153 * outputs 0 or n+1.  The only concern is an attacker who breaks into
 154 * the kernel later; the get_random_int() engine is not reseeded as
 155 * often as the get_random_bytes() one.
 156 *
 157 * get_random_bytes() is needed for keys that need to stay secret after
 158 * they are erased from the kernel.  For example, any key that will
 159 * be wrapped and stored encrypted.  And session encryption keys: we'd
 160 * like to know that after the session is closed and the keys erased,
 161 * the plaintext is unrecoverable to someone who recorded the ciphertext.
 162 *
 163 * But for network ports/cookies, stack canaries, PRNG seeds, address
 164 * space layout randomization, session *authentication* keys, or other
 165 * applications where the sensitive data is stored in the kernel in
 166 * plaintext for as long as it's sensitive, the get_random_int() family
 167 * is just fine.
 168 *
 169 * Consider ASLR.  We want to keep the address space secret from an
 170 * outside attacker while the process is running, but once the address
 171 * space is torn down, it's of no use to an attacker any more.  And it's
 172 * stored in kernel data structures as long as it's alive, so worrying
 173 * about an attacker's ability to extrapolate it from the get_random_int()
 174 * CRNG is silly.
 175 *
 176 * Even some cryptographic keys are safe to generate with get_random_int().
 177 * In particular, keys for SipHash are generally fine.  Here, knowledge
 178 * of the key authorizes you to do something to a kernel object (inject
 179 * packets to a network connection, or flood a hash table), and the
 180 * key is stored with the object being protected.  Once it goes away,
 181 * we no longer care if anyone knows the key.
 182 *
 183 * prandom_u32()
 184 * -------------
 185 *
 186 * For even weaker applications, see the pseudorandom generator
 187 * prandom_u32(), prandom_max(), and prandom_bytes().  If the random
 188 * numbers aren't security-critical at all, these are *far* cheaper.
 189 * Useful for self-tests, random error simulation, randomized backoffs,
 190 * and any other application where you trust that nobody is trying to
 191 * maliciously mess with you by guessing the "random" numbers.
 192 *
 193 * Exported interfaces ---- input
 194 * ==============================
 195 *
 196 * The current exported interfaces for gathering environmental noise
 197 * from the devices are:
 198 *
 199 *	void add_device_randomness(const void *buf, unsigned int size);
 200 *	void add_input_randomness(unsigned int type, unsigned int code,
 201 *                                unsigned int value);
 202 *	void add_interrupt_randomness(int irq);
 203 *	void add_disk_randomness(struct gendisk *disk);
 204 *	void add_hwgenerator_randomness(const char *buffer, size_t count,
 205 *					size_t entropy);
 206 *	void add_bootloader_randomness(const void *buf, unsigned int size);
 207 *
 208 * add_device_randomness() is for adding data to the random pool that
 209 * is likely to differ between two devices (or possibly even per boot).
 210 * This would be things like MAC addresses or serial numbers, or the
 211 * read-out of the RTC. This does *not* add any actual entropy to the
 212 * pool, but it initializes the pool to different values for devices
 213 * that might otherwise be identical and have very little entropy
 214 * available to them (particularly common in the embedded world).
 215 *
 216 * add_input_randomness() uses the input layer interrupt timing, as well as
 217 * the event type information from the hardware.
 218 *
 219 * add_interrupt_randomness() uses the interrupt timing as random
 220 * inputs to the entropy pool. Using the cycle counters and the irq source
 221 * as inputs, it feeds the randomness roughly once a second.
 222 *
 223 * add_disk_randomness() uses what amounts to the seek time of block
 224 * layer request events, on a per-disk_devt basis, as input to the
 225 * entropy pool. Note that high-speed solid state drives with very low
 226 * seek times do not make for good sources of entropy, as their seek
 227 * times are usually fairly consistent.
 228 *
 229 * All of these routines try to estimate how many bits of randomness a
 230 * particular randomness source.  They do this by keeping track of the
 231 * first and second order deltas of the event timings.
 232 *
 233 * add_hwgenerator_randomness() is for true hardware RNGs, and will credit
 234 * entropy as specified by the caller. If the entropy pool is full it will
 235 * block until more entropy is needed.
 236 *
 237 * add_bootloader_randomness() is the same as add_hwgenerator_randomness() or
 238 * add_device_randomness(), depending on whether or not the configuration
 239 * option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
 240 *
 241 * Ensuring unpredictability at system startup
 242 * ============================================
 243 *
 244 * When any operating system starts up, it will go through a sequence
 245 * of actions that are fairly predictable by an adversary, especially
 246 * if the start-up does not involve interaction with a human operator.
 247 * This reduces the actual number of bits of unpredictability in the
 248 * entropy pool below the value in entropy_count.  In order to
 249 * counteract this effect, it helps to carry information in the
 250 * entropy pool across shut-downs and start-ups.  To do this, put the
 251 * following lines an appropriate script which is run during the boot
 252 * sequence:
 253 *
 254 *	echo "Initializing random number generator..."
 255 *	random_seed=/var/run/random-seed
 256 *	# Carry a random seed from start-up to start-up
 257 *	# Load and then save the whole entropy pool
 258 *	if [ -f $random_seed ]; then
 259 *		cat $random_seed >/dev/urandom
 260 *	else
 261 *		touch $random_seed
 262 *	fi
 263 *	chmod 600 $random_seed
 264 *	dd if=/dev/urandom of=$random_seed count=1 bs=512
 265 *
 266 * and the following lines in an appropriate script which is run as
 267 * the system is shutdown:
 268 *
 269 *	# Carry a random seed from shut-down to start-up
 270 *	# Save the whole entropy pool
 271 *	echo "Saving random seed..."
 272 *	random_seed=/var/run/random-seed
 273 *	touch $random_seed
 274 *	chmod 600 $random_seed
 275 *	dd if=/dev/urandom of=$random_seed count=1 bs=512
 276 *
 277 * For example, on most modern systems using the System V init
 278 * scripts, such code fragments would be found in
 279 * /etc/rc.d/init.d/random.  On older Linux systems, the correct script
 280 * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0.
 281 *
 282 * Effectively, these commands cause the contents of the entropy pool
 283 * to be saved at shut-down time and reloaded into the entropy pool at
 284 * start-up.  (The 'dd' in the addition to the bootup script is to
 285 * make sure that /etc/random-seed is different for every start-up,
 286 * even if the system crashes without executing rc.0.)  Even with
 287 * complete knowledge of the start-up activities, predicting the state
 288 * of the entropy pool requires knowledge of the previous history of
 289 * the system.
 290 *
 291 * Configuring the /dev/random driver under Linux
 292 * ==============================================
 293 *
 294 * The /dev/random driver under Linux uses minor numbers 8 and 9 of
 295 * the /dev/mem major number (#1).  So if your system does not have
 296 * /dev/random and /dev/urandom created already, they can be created
 297 * by using the commands:
 298 *
 299 *	mknod /dev/random c 1 8
 300 *	mknod /dev/urandom c 1 9
 301 *
 302 * Acknowledgements:
 303 * =================
 304 *
 305 * Ideas for constructing this random number generator were derived
 306 * from Pretty Good Privacy's random number generator, and from private
 307 * discussions with Phil Karn.  Colin Plumb provided a faster random
 308 * number generator, which speed up the mixing function of the entropy
 309 * pool, taken from PGPfone.  Dale Worley has also contributed many
 310 * useful ideas and suggestions to improve this driver.
 311 *
 312 * Any flaws in the design are solely my responsibility, and should
 313 * not be attributed to the Phil, Colin, or any of authors of PGP.
 314 *
 315 * Further background information on this topic may be obtained from
 316 * RFC 1750, "Randomness Recommendations for Security", by Donald
 317 * Eastlake, Steve Crocker, and Jeff Schiller.
 318 */
 319
 320#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 321
 322#include <linux/utsname.h>
 323#include <linux/module.h>
 324#include <linux/kernel.h>
 325#include <linux/major.h>
 326#include <linux/string.h>
 327#include <linux/fcntl.h>
 328#include <linux/slab.h>
 329#include <linux/random.h>
 330#include <linux/poll.h>
 331#include <linux/init.h>
 332#include <linux/fs.h>
 333#include <linux/genhd.h>
 334#include <linux/interrupt.h>
 335#include <linux/mm.h>
 336#include <linux/nodemask.h>
 337#include <linux/spinlock.h>
 338#include <linux/kthread.h>
 339#include <linux/percpu.h>
 340#include <linux/ptrace.h>
 341#include <linux/workqueue.h>
 342#include <linux/irq.h>
 343#include <linux/ratelimit.h>
 344#include <linux/syscalls.h>
 345#include <linux/completion.h>
 346#include <linux/uuid.h>
 347#include <crypto/chacha.h>
 348#include <crypto/blake2s.h>
 349
 350#include <asm/processor.h>
 351#include <linux/uaccess.h>
 352#include <asm/irq.h>
 353#include <asm/irq_regs.h>
 354#include <asm/io.h>
 355
 356#define CREATE_TRACE_POINTS
 357#include <trace/events/random.h>
 358
 359/* #define ADD_INTERRUPT_BENCH */
 360
 361/*
 362 * If the entropy count falls under this number of bits, then we
 363 * should wake up processes which are selecting or polling on write
 364 * access to /dev/random.
 365 */
 366static int random_write_wakeup_bits = 28 * (1 << 5);
 367
 368/*
 369 * Originally, we used a primitive polynomial of degree .poolwords
 370 * over GF(2).  The taps for various sizes are defined below.  They
 371 * were chosen to be evenly spaced except for the last tap, which is 1
 372 * to get the twisting happening as fast as possible.
 373 *
 374 * For the purposes of better mixing, we use the CRC-32 polynomial as
 375 * well to make a (modified) twisted Generalized Feedback Shift
 376 * Register.  (See M. Matsumoto & Y. Kurita, 1992.  Twisted GFSR
 377 * generators.  ACM Transactions on Modeling and Computer Simulation
 378 * 2(3):179-194.  Also see M. Matsumoto & Y. Kurita, 1994.  Twisted
 379 * GFSR generators II.  ACM Transactions on Modeling and Computer
 380 * Simulation 4:254-266)
 381 *
 382 * Thanks to Colin Plumb for suggesting this.
 383 *
 384 * The mixing operation is much less sensitive than the output hash,
 385 * where we use BLAKE2s.  All that we want of mixing operation is that
 386 * it be a good non-cryptographic hash; i.e. it not produce collisions
 387 * when fed "random" data of the sort we expect to see.  As long as
 388 * the pool state differs for different inputs, we have preserved the
 389 * input entropy and done a good job.  The fact that an intelligent
 390 * attacker can construct inputs that will produce controlled
 391 * alterations to the pool's state is not important because we don't
 392 * consider such inputs to contribute any randomness.  The only
 393 * property we need with respect to them is that the attacker can't
 394 * increase his/her knowledge of the pool's state.  Since all
 395 * additions are reversible (knowing the final state and the input,
 396 * you can reconstruct the initial state), if an attacker has any
 397 * uncertainty about the initial state, he/she can only shuffle that
 398 * uncertainty about, but never cause any collisions (which would
 399 * decrease the uncertainty).
 400 *
 401 * Our mixing functions were analyzed by Lacharme, Roeck, Strubel, and
 402 * Videau in their paper, "The Linux Pseudorandom Number Generator
 403 * Revisited" (see: http://eprint.iacr.org/2012/251.pdf).  In their
 404 * paper, they point out that we are not using a true Twisted GFSR,
 405 * since Matsumoto & Kurita used a trinomial feedback polynomial (that
 406 * is, with only three taps, instead of the six that we are using).
 407 * As a result, the resulting polynomial is neither primitive nor
 408 * irreducible, and hence does not have a maximal period over
 409 * GF(2**32).  They suggest a slight change to the generator
 410 * polynomial which improves the resulting TGFSR polynomial to be
 411 * irreducible, which we have made here.
 412 */
 413enum poolinfo {
 414	POOL_WORDS = 128,
 415	POOL_WORDMASK = POOL_WORDS - 1,
 416	POOL_BYTES = POOL_WORDS * sizeof(u32),
 417	POOL_BITS = POOL_BYTES * 8,
 418	POOL_BITSHIFT = ilog2(POOL_BITS),
 419
 420	/* To allow fractional bits to be tracked, the entropy_count field is
 421	 * denominated in units of 1/8th bits. */
 422	POOL_ENTROPY_SHIFT = 3,
 423#define POOL_ENTROPY_BITS() (input_pool.entropy_count >> POOL_ENTROPY_SHIFT)
 424	POOL_FRACBITS = POOL_BITS << POOL_ENTROPY_SHIFT,
 425
 426	/* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */
 427	POOL_TAP1 = 104,
 428	POOL_TAP2 = 76,
 429	POOL_TAP3 = 51,
 430	POOL_TAP4 = 25,
 431	POOL_TAP5 = 1,
 432
 433	EXTRACT_SIZE = BLAKE2S_HASH_SIZE / 2
 434};
 435
 436/*
 437 * Static global variables
 438 */
 439static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
 440static struct fasync_struct *fasync;
 441
 442static DEFINE_SPINLOCK(random_ready_list_lock);
 443static LIST_HEAD(random_ready_list);
 444
 445struct crng_state {
 446	u32 state[16];
 447	unsigned long init_time;
 448	spinlock_t lock;
 449};
 450
 451static struct crng_state primary_crng = {
 452	.lock = __SPIN_LOCK_UNLOCKED(primary_crng.lock),
 453	.state[0] = CHACHA_CONSTANT_EXPA,
 454	.state[1] = CHACHA_CONSTANT_ND_3,
 455	.state[2] = CHACHA_CONSTANT_2_BY,
 456	.state[3] = CHACHA_CONSTANT_TE_K,
 457};
 458
 459/*
 460 * crng_init =  0 --> Uninitialized
 461 *		1 --> Initialized
 462 *		2 --> Initialized from input_pool
 463 *
 464 * crng_init is protected by primary_crng->lock, and only increases
 465 * its value (from 0->1->2).
 466 */
 467static int crng_init = 0;
 468static bool crng_need_final_init = false;
 469#define crng_ready() (likely(crng_init > 1))
 470static int crng_init_cnt = 0;
 471static unsigned long crng_global_init_time = 0;
 472#define CRNG_INIT_CNT_THRESH (2 * CHACHA_KEY_SIZE)
 473static void _extract_crng(struct crng_state *crng, u8 out[CHACHA_BLOCK_SIZE]);
 474static void _crng_backtrack_protect(struct crng_state *crng,
 475				    u8 tmp[CHACHA_BLOCK_SIZE], int used);
 476static void process_random_ready_list(void);
 477static void _get_random_bytes(void *buf, int nbytes);
 478
 479static struct ratelimit_state unseeded_warning =
 480	RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
 481static struct ratelimit_state urandom_warning =
 482	RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
 483
 484static int ratelimit_disable __read_mostly;
 485
 486module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
 487MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
 488
 489/**********************************************************************
 490 *
 491 * OS independent entropy store.   Here are the functions which handle
 492 * storing entropy in an entropy pool.
 493 *
 494 **********************************************************************/
 495
 496static u32 input_pool_data[POOL_WORDS] __latent_entropy;
 497
 498static struct {
 499	spinlock_t lock;
 500	u16 add_ptr;
 501	u16 input_rotate;
 502	int entropy_count;
 503} input_pool = {
 504	.lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
 505};
 506
 507static ssize_t extract_entropy(void *buf, size_t nbytes, int min);
 508static ssize_t _extract_entropy(void *buf, size_t nbytes);
 509
 510static void crng_reseed(struct crng_state *crng, bool use_input_pool);
 511
 512static const u32 twist_table[8] = {
 513	0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
 514	0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
 515
 516/*
 517 * This function adds bytes into the entropy "pool".  It does not
 518 * update the entropy estimate.  The caller should call
 519 * credit_entropy_bits if this is appropriate.
 520 *
 521 * The pool is stirred with a primitive polynomial of the appropriate
 522 * degree, and then twisted.  We twist by three bits at a time because
 523 * it's cheap to do so and helps slightly in the expected case where
 524 * the entropy is concentrated in the low-order bits.
 525 */
 526static void _mix_pool_bytes(const void *in, int nbytes)
 527{
 528	unsigned long i;
 529	int input_rotate;
 530	const u8 *bytes = in;
 531	u32 w;
 532
 533	input_rotate = input_pool.input_rotate;
 534	i = input_pool.add_ptr;
 535
 536	/* mix one byte at a time to simplify size handling and churn faster */
 537	while (nbytes--) {
 538		w = rol32(*bytes++, input_rotate);
 539		i = (i - 1) & POOL_WORDMASK;
 540
 541		/* XOR in the various taps */
 542		w ^= input_pool_data[i];
 543		w ^= input_pool_data[(i + POOL_TAP1) & POOL_WORDMASK];
 544		w ^= input_pool_data[(i + POOL_TAP2) & POOL_WORDMASK];
 545		w ^= input_pool_data[(i + POOL_TAP3) & POOL_WORDMASK];
 546		w ^= input_pool_data[(i + POOL_TAP4) & POOL_WORDMASK];
 547		w ^= input_pool_data[(i + POOL_TAP5) & POOL_WORDMASK];
 548
 549		/* Mix the result back in with a twist */
 550		input_pool_data[i] = (w >> 3) ^ twist_table[w & 7];
 551
 552		/*
 553		 * Normally, we add 7 bits of rotation to the pool.
 554		 * At the beginning of the pool, add an extra 7 bits
 555		 * rotation, so that successive passes spread the
 556		 * input bits across the pool evenly.
 557		 */
 558		input_rotate = (input_rotate + (i ? 7 : 14)) & 31;
 559	}
 560
 561	input_pool.input_rotate = input_rotate;
 562	input_pool.add_ptr = i;
 563}
 564
 565static void __mix_pool_bytes(const void *in, int nbytes)
 566{
 567	trace_mix_pool_bytes_nolock(nbytes, _RET_IP_);
 568	_mix_pool_bytes(in, nbytes);
 569}
 570
 571static void mix_pool_bytes(const void *in, int nbytes)
 572{
 573	unsigned long flags;
 574
 575	trace_mix_pool_bytes(nbytes, _RET_IP_);
 576	spin_lock_irqsave(&input_pool.lock, flags);
 577	_mix_pool_bytes(in, nbytes);
 578	spin_unlock_irqrestore(&input_pool.lock, flags);
 579}
 580
 581struct fast_pool {
 582	u32 pool[4];
 583	unsigned long last;
 584	u16 reg_idx;
 585	u8 count;
 586};
 587
 588/*
 589 * This is a fast mixing routine used by the interrupt randomness
 590 * collector.  It's hardcoded for an 128 bit pool and assumes that any
 591 * locks that might be needed are taken by the caller.
 592 */
 593static void fast_mix(struct fast_pool *f)
 594{
 595	u32 a = f->pool[0],	b = f->pool[1];
 596	u32 c = f->pool[2],	d = f->pool[3];
 597
 598	a += b;			c += d;
 599	b = rol32(b, 6);	d = rol32(d, 27);
 600	d ^= a;			b ^= c;
 601
 602	a += b;			c += d;
 603	b = rol32(b, 16);	d = rol32(d, 14);
 604	d ^= a;			b ^= c;
 605
 606	a += b;			c += d;
 607	b = rol32(b, 6);	d = rol32(d, 27);
 608	d ^= a;			b ^= c;
 609
 610	a += b;			c += d;
 611	b = rol32(b, 16);	d = rol32(d, 14);
 612	d ^= a;			b ^= c;
 613
 614	f->pool[0] = a;  f->pool[1] = b;
 615	f->pool[2] = c;  f->pool[3] = d;
 616	f->count++;
 617}
 618
 619static void process_random_ready_list(void)
 620{
 621	unsigned long flags;
 622	struct random_ready_callback *rdy, *tmp;
 623
 624	spin_lock_irqsave(&random_ready_list_lock, flags);
 625	list_for_each_entry_safe(rdy, tmp, &random_ready_list, list) {
 626		struct module *owner = rdy->owner;
 627
 628		list_del_init(&rdy->list);
 629		rdy->func(rdy);
 630		module_put(owner);
 631	}
 632	spin_unlock_irqrestore(&random_ready_list_lock, flags);
 633}
 634
 635/*
 636 * Credit (or debit) the entropy store with n bits of entropy.
 637 * Use credit_entropy_bits_safe() if the value comes from userspace
 638 * or otherwise should be checked for extreme values.
 639 */
 640static void credit_entropy_bits(int nbits)
 641{
 642	int entropy_count, entropy_bits, orig;
 643	int nfrac = nbits << POOL_ENTROPY_SHIFT;
 644
 645	/* Ensure that the multiplication can avoid being 64 bits wide. */
 646	BUILD_BUG_ON(2 * (POOL_ENTROPY_SHIFT + POOL_BITSHIFT) > 31);
 647
 648	if (!nbits)
 649		return;
 650
 651retry:
 652	entropy_count = orig = READ_ONCE(input_pool.entropy_count);
 653	if (nfrac < 0) {
 654		/* Debit */
 655		entropy_count += nfrac;
 656	} else {
 657		/*
 658		 * Credit: we have to account for the possibility of
 659		 * overwriting already present entropy.	 Even in the
 660		 * ideal case of pure Shannon entropy, new contributions
 661		 * approach the full value asymptotically:
 662		 *
 663		 * entropy <- entropy + (pool_size - entropy) *
 664		 *	(1 - exp(-add_entropy/pool_size))
 665		 *
 666		 * For add_entropy <= pool_size/2 then
 667		 * (1 - exp(-add_entropy/pool_size)) >=
 668		 *    (add_entropy/pool_size)*0.7869...
 669		 * so we can approximate the exponential with
 670		 * 3/4*add_entropy/pool_size and still be on the
 671		 * safe side by adding at most pool_size/2 at a time.
 672		 *
 673		 * The use of pool_size-2 in the while statement is to
 674		 * prevent rounding artifacts from making the loop
 675		 * arbitrarily long; this limits the loop to log2(pool_size)*2
 676		 * turns no matter how large nbits is.
 677		 */
 678		int pnfrac = nfrac;
 679		const int s = POOL_BITSHIFT + POOL_ENTROPY_SHIFT + 2;
 680		/* The +2 corresponds to the /4 in the denominator */
 681
 682		do {
 683			unsigned int anfrac = min(pnfrac, POOL_FRACBITS / 2);
 684			unsigned int add =
 685				((POOL_FRACBITS - entropy_count) * anfrac * 3) >> s;
 686
 687			entropy_count += add;
 688			pnfrac -= anfrac;
 689		} while (unlikely(entropy_count < POOL_FRACBITS - 2 && pnfrac));
 690	}
 691
 692	if (WARN_ON(entropy_count < 0)) {
 693		pr_warn("negative entropy/overflow: count %d\n", entropy_count);
 694		entropy_count = 0;
 695	} else if (entropy_count > POOL_FRACBITS)
 696		entropy_count = POOL_FRACBITS;
 697	if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig)
 698		goto retry;
 699
 700	trace_credit_entropy_bits(nbits, entropy_count >> POOL_ENTROPY_SHIFT, _RET_IP_);
 701
 702	entropy_bits = entropy_count >> POOL_ENTROPY_SHIFT;
 703	if (crng_init < 2 && entropy_bits >= 128)
 704		crng_reseed(&primary_crng, true);
 705}
 706
 707static int credit_entropy_bits_safe(int nbits)
 708{
 709	if (nbits < 0)
 710		return -EINVAL;
 711
 712	/* Cap the value to avoid overflows */
 713	nbits = min(nbits, POOL_BITS);
 714
 715	credit_entropy_bits(nbits);
 716	return 0;
 717}
 718
 719/*********************************************************************
 720 *
 721 * CRNG using CHACHA20
 722 *
 723 *********************************************************************/
 724
 725#define CRNG_RESEED_INTERVAL (300 * HZ)
 726
 727static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
 728
 729/*
 730 * Hack to deal with crazy userspace progams when they are all trying
 731 * to access /dev/urandom in parallel.  The programs are almost
 732 * certainly doing something terribly wrong, but we'll work around
 733 * their brain damage.
 734 */
 735static struct crng_state **crng_node_pool __read_mostly;
 736
 737static void invalidate_batched_entropy(void);
 738static void numa_crng_init(void);
 739
 740static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
 741static int __init parse_trust_cpu(char *arg)
 742{
 743	return kstrtobool(arg, &trust_cpu);
 744}
 745early_param("random.trust_cpu", parse_trust_cpu);
 746
 747static bool crng_init_try_arch(struct crng_state *crng)
 748{
 749	int i;
 750	bool arch_init = true;
 751	unsigned long rv;
 752
 753	for (i = 4; i < 16; i++) {
 754		if (!arch_get_random_seed_long(&rv) &&
 755		    !arch_get_random_long(&rv)) {
 756			rv = random_get_entropy();
 757			arch_init = false;
 758		}
 759		crng->state[i] ^= rv;
 760	}
 761
 762	return arch_init;
 763}
 764
 765static bool __init crng_init_try_arch_early(struct crng_state *crng)
 766{
 767	int i;
 768	bool arch_init = true;
 769	unsigned long rv;
 770
 771	for (i = 4; i < 16; i++) {
 772		if (!arch_get_random_seed_long_early(&rv) &&
 773		    !arch_get_random_long_early(&rv)) {
 774			rv = random_get_entropy();
 775			arch_init = false;
 776		}
 777		crng->state[i] ^= rv;
 778	}
 779
 780	return arch_init;
 781}
 782
 783static void crng_initialize_secondary(struct crng_state *crng)
 784{
 785	chacha_init_consts(crng->state);
 786	_get_random_bytes(&crng->state[4], sizeof(u32) * 12);
 787	crng_init_try_arch(crng);
 788	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
 789}
 790
 791static void __init crng_initialize_primary(struct crng_state *crng)
 792{
 793	_extract_entropy(&crng->state[4], sizeof(u32) * 12);
 794	if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) {
 795		invalidate_batched_entropy();
 796		numa_crng_init();
 797		crng_init = 2;
 798		pr_notice("crng init done (trusting CPU's manufacturer)\n");
 799	}
 800	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
 801}
 802
 803static void crng_finalize_init(struct crng_state *crng)
 804{
 805	if (crng != &primary_crng || crng_init >= 2)
 806		return;
 807	if (!system_wq) {
 808		/* We can't call numa_crng_init until we have workqueues,
 809		 * so mark this for processing later. */
 810		crng_need_final_init = true;
 811		return;
 812	}
 813
 814	invalidate_batched_entropy();
 815	numa_crng_init();
 816	crng_init = 2;
 817	process_random_ready_list();
 818	wake_up_interruptible(&crng_init_wait);
 819	kill_fasync(&fasync, SIGIO, POLL_IN);
 820	pr_notice("crng init done\n");
 821	if (unseeded_warning.missed) {
 822		pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
 823			  unseeded_warning.missed);
 824		unseeded_warning.missed = 0;
 825	}
 826	if (urandom_warning.missed) {
 827		pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
 828			  urandom_warning.missed);
 829		urandom_warning.missed = 0;
 830	}
 831}
 832
 833static void do_numa_crng_init(struct work_struct *work)
 834{
 835	int i;
 836	struct crng_state *crng;
 837	struct crng_state **pool;
 838
 839	pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL | __GFP_NOFAIL);
 840	for_each_online_node(i) {
 841		crng = kmalloc_node(sizeof(struct crng_state),
 842				    GFP_KERNEL | __GFP_NOFAIL, i);
 843		spin_lock_init(&crng->lock);
 844		crng_initialize_secondary(crng);
 845		pool[i] = crng;
 846	}
 847	/* pairs with READ_ONCE() in select_crng() */
 848	if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) {
 849		for_each_node(i)
 850			kfree(pool[i]);
 851		kfree(pool);
 852	}
 853}
 854
 855static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init);
 856
 857static void numa_crng_init(void)
 858{
 859	if (IS_ENABLED(CONFIG_NUMA))
 860		schedule_work(&numa_crng_init_work);
 861}
 862
 863static struct crng_state *select_crng(void)
 864{
 865	if (IS_ENABLED(CONFIG_NUMA)) {
 866		struct crng_state **pool;
 867		int nid = numa_node_id();
 868
 869		/* pairs with cmpxchg_release() in do_numa_crng_init() */
 870		pool = READ_ONCE(crng_node_pool);
 871		if (pool && pool[nid])
 872			return pool[nid];
 873	}
 874
 875	return &primary_crng;
 876}
 877
 878/*
 879 * crng_fast_load() can be called by code in the interrupt service
 880 * path.  So we can't afford to dilly-dally. Returns the number of
 881 * bytes processed from cp.
 882 */
 883static size_t crng_fast_load(const u8 *cp, size_t len)
 884{
 885	unsigned long flags;
 886	u8 *p;
 887	size_t ret = 0;
 888
 889	if (!spin_trylock_irqsave(&primary_crng.lock, flags))
 890		return 0;
 891	if (crng_init != 0) {
 892		spin_unlock_irqrestore(&primary_crng.lock, flags);
 893		return 0;
 894	}
 895	p = (u8 *)&primary_crng.state[4];
 896	while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
 897		p[crng_init_cnt % CHACHA_KEY_SIZE] ^= *cp;
 898		cp++; crng_init_cnt++; len--; ret++;
 899	}
 900	spin_unlock_irqrestore(&primary_crng.lock, flags);
 901	if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
 902		invalidate_batched_entropy();
 903		crng_init = 1;
 904		pr_notice("fast init done\n");
 905	}
 906	return ret;
 907}
 908
 909/*
 910 * crng_slow_load() is called by add_device_randomness, which has two
 911 * attributes.  (1) We can't trust the buffer passed to it is
 912 * guaranteed to be unpredictable (so it might not have any entropy at
 913 * all), and (2) it doesn't have the performance constraints of
 914 * crng_fast_load().
 915 *
 916 * So we do something more comprehensive which is guaranteed to touch
 917 * all of the primary_crng's state, and which uses a LFSR with a
 918 * period of 255 as part of the mixing algorithm.  Finally, we do
 919 * *not* advance crng_init_cnt since buffer we may get may be something
 920 * like a fixed DMI table (for example), which might very well be
 921 * unique to the machine, but is otherwise unvarying.
 922 */
 923static int crng_slow_load(const u8 *cp, size_t len)
 924{
 925	unsigned long flags;
 926	static u8 lfsr = 1;
 927	u8 tmp;
 928	unsigned int i, max = CHACHA_KEY_SIZE;
 929	const u8 *src_buf = cp;
 930	u8 *dest_buf = (u8 *)&primary_crng.state[4];
 931
 932	if (!spin_trylock_irqsave(&primary_crng.lock, flags))
 933		return 0;
 934	if (crng_init != 0) {
 935		spin_unlock_irqrestore(&primary_crng.lock, flags);
 936		return 0;
 937	}
 938	if (len > max)
 939		max = len;
 940
 941	for (i = 0; i < max; i++) {
 942		tmp = lfsr;
 943		lfsr >>= 1;
 944		if (tmp & 1)
 945			lfsr ^= 0xE1;
 946		tmp = dest_buf[i % CHACHA_KEY_SIZE];
 947		dest_buf[i % CHACHA_KEY_SIZE] ^= src_buf[i % len] ^ lfsr;
 948		lfsr += (tmp << 3) | (tmp >> 5);
 949	}
 950	spin_unlock_irqrestore(&primary_crng.lock, flags);
 951	return 1;
 952}
 953
 954static void crng_reseed(struct crng_state *crng, bool use_input_pool)
 955{
 956	unsigned long flags;
 957	int i, num;
 958	union {
 959		u8 block[CHACHA_BLOCK_SIZE];
 960		u32 key[8];
 961	} buf;
 962
 963	if (use_input_pool) {
 964		num = extract_entropy(&buf, 32, 16);
 965		if (num == 0)
 966			return;
 967	} else {
 968		_extract_crng(&primary_crng, buf.block);
 969		_crng_backtrack_protect(&primary_crng, buf.block,
 970					CHACHA_KEY_SIZE);
 971	}
 972	spin_lock_irqsave(&crng->lock, flags);
 973	for (i = 0; i < 8; i++) {
 974		unsigned long rv;
 975		if (!arch_get_random_seed_long(&rv) &&
 976		    !arch_get_random_long(&rv))
 977			rv = random_get_entropy();
 978		crng->state[i + 4] ^= buf.key[i] ^ rv;
 979	}
 980	memzero_explicit(&buf, sizeof(buf));
 981	WRITE_ONCE(crng->init_time, jiffies);
 982	spin_unlock_irqrestore(&crng->lock, flags);
 983	crng_finalize_init(crng);
 984}
 985
 986static void _extract_crng(struct crng_state *crng, u8 out[CHACHA_BLOCK_SIZE])
 987{
 988	unsigned long flags, init_time;
 989
 990	if (crng_ready()) {
 991		init_time = READ_ONCE(crng->init_time);
 992		if (time_after(READ_ONCE(crng_global_init_time), init_time) ||
 993		    time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
 994			crng_reseed(crng, crng == &primary_crng);
 995	}
 996	spin_lock_irqsave(&crng->lock, flags);
 997	chacha20_block(&crng->state[0], out);
 998	if (crng->state[12] == 0)
 999		crng->state[13]++;
1000	spin_unlock_irqrestore(&crng->lock, flags);
1001}
1002
1003static void extract_crng(u8 out[CHACHA_BLOCK_SIZE])
1004{
1005	_extract_crng(select_crng(), out);
1006}
1007
1008/*
1009 * Use the leftover bytes from the CRNG block output (if there is
1010 * enough) to mutate the CRNG key to provide backtracking protection.
1011 */
1012static void _crng_backtrack_protect(struct crng_state *crng,
1013				    u8 tmp[CHACHA_BLOCK_SIZE], int used)
1014{
1015	unsigned long flags;
1016	u32 *s, *d;
1017	int i;
1018
1019	used = round_up(used, sizeof(u32));
1020	if (used + CHACHA_KEY_SIZE > CHACHA_BLOCK_SIZE) {
1021		extract_crng(tmp);
1022		used = 0;
1023	}
1024	spin_lock_irqsave(&crng->lock, flags);
1025	s = (u32 *)&tmp[used];
1026	d = &crng->state[4];
1027	for (i = 0; i < 8; i++)
1028		*d++ ^= *s++;
1029	spin_unlock_irqrestore(&crng->lock, flags);
1030}
1031
1032static void crng_backtrack_protect(u8 tmp[CHACHA_BLOCK_SIZE], int used)
1033{
1034	_crng_backtrack_protect(select_crng(), tmp, used);
1035}
1036
1037static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
1038{
1039	ssize_t ret = 0, i = CHACHA_BLOCK_SIZE;
1040	u8 tmp[CHACHA_BLOCK_SIZE] __aligned(4);
1041	int large_request = (nbytes > 256);
1042
1043	while (nbytes) {
1044		if (large_request && need_resched()) {
1045			if (signal_pending(current)) {
1046				if (ret == 0)
1047					ret = -ERESTARTSYS;
1048				break;
1049			}
1050			schedule();
1051		}
1052
1053		extract_crng(tmp);
1054		i = min_t(int, nbytes, CHACHA_BLOCK_SIZE);
1055		if (copy_to_user(buf, tmp, i)) {
1056			ret = -EFAULT;
1057			break;
1058		}
1059
1060		nbytes -= i;
1061		buf += i;
1062		ret += i;
1063	}
1064	crng_backtrack_protect(tmp, i);
1065
1066	/* Wipe data just written to memory */
1067	memzero_explicit(tmp, sizeof(tmp));
1068
1069	return ret;
1070}
1071
1072/*********************************************************************
1073 *
1074 * Entropy input management
1075 *
1076 *********************************************************************/
1077
1078/* There is one of these per entropy source */
1079struct timer_rand_state {
1080	cycles_t last_time;
1081	long last_delta, last_delta2;
1082};
1083
1084#define INIT_TIMER_RAND_STATE { INITIAL_JIFFIES, };
1085
1086/*
1087 * Add device- or boot-specific data to the input pool to help
1088 * initialize it.
1089 *
1090 * None of this adds any entropy; it is meant to avoid the problem of
1091 * the entropy pool having similar initial state across largely
1092 * identical devices.
1093 */
1094void add_device_randomness(const void *buf, unsigned int size)
1095{
1096	unsigned long time = random_get_entropy() ^ jiffies;
1097	unsigned long flags;
1098
1099	if (!crng_ready() && size)
1100		crng_slow_load(buf, size);
1101
1102	trace_add_device_randomness(size, _RET_IP_);
1103	spin_lock_irqsave(&input_pool.lock, flags);
1104	_mix_pool_bytes(buf, size);
1105	_mix_pool_bytes(&time, sizeof(time));
1106	spin_unlock_irqrestore(&input_pool.lock, flags);
1107}
1108EXPORT_SYMBOL(add_device_randomness);
1109
1110static struct timer_rand_state input_timer_state = INIT_TIMER_RAND_STATE;
1111
1112/*
1113 * This function adds entropy to the entropy "pool" by using timing
1114 * delays.  It uses the timer_rand_state structure to make an estimate
1115 * of how many bits of entropy this call has added to the pool.
1116 *
1117 * The number "num" is also added to the pool - it should somehow describe
1118 * the type of event which just happened.  This is currently 0-255 for
1119 * keyboard scan codes, and 256 upwards for interrupts.
1120 *
1121 */
1122static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
1123{
1124	struct {
1125		long jiffies;
1126		unsigned int cycles;
1127		unsigned int num;
1128	} sample;
1129	long delta, delta2, delta3;
1130
1131	sample.jiffies = jiffies;
1132	sample.cycles = random_get_entropy();
1133	sample.num = num;
1134	mix_pool_bytes(&sample, sizeof(sample));
1135
1136	/*
1137	 * Calculate number of bits of randomness we probably added.
1138	 * We take into account the first, second and third-order deltas
1139	 * in order to make our estimate.
1140	 */
1141	delta = sample.jiffies - READ_ONCE(state->last_time);
1142	WRITE_ONCE(state->last_time, sample.jiffies);
1143
1144	delta2 = delta - READ_ONCE(state->last_delta);
1145	WRITE_ONCE(state->last_delta, delta);
1146
1147	delta3 = delta2 - READ_ONCE(state->last_delta2);
1148	WRITE_ONCE(state->last_delta2, delta2);
1149
1150	if (delta < 0)
1151		delta = -delta;
1152	if (delta2 < 0)
1153		delta2 = -delta2;
1154	if (delta3 < 0)
1155		delta3 = -delta3;
1156	if (delta > delta2)
1157		delta = delta2;
1158	if (delta > delta3)
1159		delta = delta3;
1160
1161	/*
1162	 * delta is now minimum absolute delta.
1163	 * Round down by 1 bit on general principles,
1164	 * and limit entropy estimate to 12 bits.
1165	 */
1166	credit_entropy_bits(min_t(int, fls(delta >> 1), 11));
1167}
1168
1169void add_input_randomness(unsigned int type, unsigned int code,
1170			  unsigned int value)
1171{
1172	static unsigned char last_value;
1173
1174	/* ignore autorepeat and the like */
1175	if (value == last_value)
1176		return;
1177
1178	last_value = value;
1179	add_timer_randomness(&input_timer_state,
1180			     (type << 4) ^ code ^ (code >> 4) ^ value);
1181	trace_add_input_randomness(POOL_ENTROPY_BITS());
1182}
1183EXPORT_SYMBOL_GPL(add_input_randomness);
1184
1185static DEFINE_PER_CPU(struct fast_pool, irq_randomness);
1186
1187#ifdef ADD_INTERRUPT_BENCH
1188static unsigned long avg_cycles, avg_deviation;
1189
1190#define AVG_SHIFT 8 /* Exponential average factor k=1/256 */
1191#define FIXED_1_2 (1 << (AVG_SHIFT - 1))
1192
1193static void add_interrupt_bench(cycles_t start)
1194{
1195	long delta = random_get_entropy() - start;
1196
1197	/* Use a weighted moving average */
1198	delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT);
1199	avg_cycles += delta;
1200	/* And average deviation */
1201	delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT);
1202	avg_deviation += delta;
1203}
1204#else
1205#define add_interrupt_bench(x)
1206#endif
1207
1208static u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
1209{
1210	u32 *ptr = (u32 *)regs;
1211	unsigned int idx;
1212
1213	if (regs == NULL)
1214		return 0;
1215	idx = READ_ONCE(f->reg_idx);
1216	if (idx >= sizeof(struct pt_regs) / sizeof(u32))
1217		idx = 0;
1218	ptr += idx++;
1219	WRITE_ONCE(f->reg_idx, idx);
1220	return *ptr;
1221}
1222
1223void add_interrupt_randomness(int irq)
1224{
1225	struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
1226	struct pt_regs *regs = get_irq_regs();
1227	unsigned long now = jiffies;
1228	cycles_t cycles = random_get_entropy();
1229	u32 c_high, j_high;
1230	u64 ip;
1231
1232	if (cycles == 0)
1233		cycles = get_reg(fast_pool, regs);
1234	c_high = (sizeof(cycles) > 4) ? cycles >> 32 : 0;
1235	j_high = (sizeof(now) > 4) ? now >> 32 : 0;
1236	fast_pool->pool[0] ^= cycles ^ j_high ^ irq;
1237	fast_pool->pool[1] ^= now ^ c_high;
1238	ip = regs ? instruction_pointer(regs) : _RET_IP_;
1239	fast_pool->pool[2] ^= ip;
1240	fast_pool->pool[3] ^=
1241		(sizeof(ip) > 4) ? ip >> 32 : get_reg(fast_pool, regs);
1242
1243	fast_mix(fast_pool);
1244	add_interrupt_bench(cycles);
1245
1246	if (unlikely(crng_init == 0)) {
1247		if ((fast_pool->count >= 64) &&
1248		    crng_fast_load((u8 *)fast_pool->pool, sizeof(fast_pool->pool)) > 0) {
1249			fast_pool->count = 0;
1250			fast_pool->last = now;
1251		}
1252		return;
1253	}
1254
1255	if ((fast_pool->count < 64) && !time_after(now, fast_pool->last + HZ))
1256		return;
1257
1258	if (!spin_trylock(&input_pool.lock))
1259		return;
1260
1261	fast_pool->last = now;
1262	__mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
1263	spin_unlock(&input_pool.lock);
1264
1265	fast_pool->count = 0;
1266
1267	/* award one bit for the contents of the fast pool */
1268	credit_entropy_bits(1);
1269}
1270EXPORT_SYMBOL_GPL(add_interrupt_randomness);
1271
1272#ifdef CONFIG_BLOCK
1273void add_disk_randomness(struct gendisk *disk)
1274{
1275	if (!disk || !disk->random)
1276		return;
1277	/* first major is 1, so we get >= 0x200 here */
1278	add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
1279	trace_add_disk_randomness(disk_devt(disk), POOL_ENTROPY_BITS());
1280}
1281EXPORT_SYMBOL_GPL(add_disk_randomness);
1282#endif
1283
1284/*********************************************************************
1285 *
1286 * Entropy extraction routines
1287 *
1288 *********************************************************************/
1289
1290/*
1291 * This function decides how many bytes to actually take from the
1292 * given pool, and also debits the entropy count accordingly.
1293 */
1294static size_t account(size_t nbytes, int min)
1295{
1296	int entropy_count, orig;
1297	size_t ibytes, nfrac;
1298
1299	BUG_ON(input_pool.entropy_count > POOL_FRACBITS);
1300
1301	/* Can we pull enough? */
1302retry:
1303	entropy_count = orig = READ_ONCE(input_pool.entropy_count);
1304	if (WARN_ON(entropy_count < 0)) {
1305		pr_warn("negative entropy count: count %d\n", entropy_count);
1306		entropy_count = 0;
1307	}
1308
1309	/* never pull more than available */
1310	ibytes = min_t(size_t, nbytes, entropy_count >> (POOL_ENTROPY_SHIFT + 3));
1311	if (ibytes < min)
1312		ibytes = 0;
1313	nfrac = ibytes << (POOL_ENTROPY_SHIFT + 3);
1314	if ((size_t)entropy_count > nfrac)
1315		entropy_count -= nfrac;
1316	else
1317		entropy_count = 0;
1318
1319	if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig)
1320		goto retry;
1321
1322	trace_debit_entropy(8 * ibytes);
1323	if (ibytes && POOL_ENTROPY_BITS() < random_write_wakeup_bits) {
1324		wake_up_interruptible(&random_write_wait);
1325		kill_fasync(&fasync, SIGIO, POLL_OUT);
1326	}
1327
1328	return ibytes;
1329}
1330
1331/*
1332 * This function does the actual extraction for extract_entropy.
1333 *
1334 * Note: we assume that .poolwords is a multiple of 16 words.
1335 */
1336static void extract_buf(u8 *out)
1337{
1338	struct blake2s_state state __aligned(__alignof__(unsigned long));
1339	u8 hash[BLAKE2S_HASH_SIZE];
1340	unsigned long *salt;
1341	unsigned long flags;
1342
1343	blake2s_init(&state, sizeof(hash));
1344
1345	/*
1346	 * If we have an architectural hardware random number
1347	 * generator, use it for BLAKE2's salt & personal fields.
1348	 */
1349	for (salt = (unsigned long *)&state.h[4];
1350	     salt < (unsigned long *)&state.h[8]; ++salt) {
1351		unsigned long v;
1352		if (!arch_get_random_long(&v))
1353			break;
1354		*salt ^= v;
1355	}
1356
1357	/* Generate a hash across the pool */
1358	spin_lock_irqsave(&input_pool.lock, flags);
1359	blake2s_update(&state, (const u8 *)input_pool_data, POOL_BYTES);
1360	blake2s_final(&state, hash); /* final zeros out state */
1361
1362	/*
1363	 * We mix the hash back into the pool to prevent backtracking
1364	 * attacks (where the attacker knows the state of the pool
1365	 * plus the current outputs, and attempts to find previous
1366	 * outputs), unless the hash function can be inverted. By
1367	 * mixing at least a hash worth of hash data back, we make
1368	 * brute-forcing the feedback as hard as brute-forcing the
1369	 * hash.
1370	 */
1371	__mix_pool_bytes(hash, sizeof(hash));
1372	spin_unlock_irqrestore(&input_pool.lock, flags);
1373
1374	/* Note that EXTRACT_SIZE is half of hash size here, because above
1375	 * we've dumped the full length back into mixer. By reducing the
1376	 * amount that we emit, we retain a level of forward secrecy.
1377	 */
1378	memcpy(out, hash, EXTRACT_SIZE);
1379	memzero_explicit(hash, sizeof(hash));
1380}
1381
1382static ssize_t _extract_entropy(void *buf, size_t nbytes)
1383{
1384	ssize_t ret = 0, i;
1385	u8 tmp[EXTRACT_SIZE];
1386
1387	while (nbytes) {
1388		extract_buf(tmp);
1389		i = min_t(int, nbytes, EXTRACT_SIZE);
1390		memcpy(buf, tmp, i);
1391		nbytes -= i;
1392		buf += i;
1393		ret += i;
1394	}
1395
1396	/* Wipe data just returned from memory */
1397	memzero_explicit(tmp, sizeof(tmp));
1398
1399	return ret;
1400}
1401
1402/*
1403 * This function extracts randomness from the "entropy pool", and
1404 * returns it in a buffer.
1405 *
1406 * The min parameter specifies the minimum amount we can pull before
1407 * failing to avoid races that defeat catastrophic reseeding.
1408 */
1409static ssize_t extract_entropy(void *buf, size_t nbytes, int min)
1410{
1411	trace_extract_entropy(nbytes, POOL_ENTROPY_BITS(), _RET_IP_);
1412	nbytes = account(nbytes, min);
1413	return _extract_entropy(buf, nbytes);
1414}
1415
1416#define warn_unseeded_randomness(previous) \
1417	_warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
1418
1419static void _warn_unseeded_randomness(const char *func_name, void *caller, void **previous)
1420{
1421#ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
1422	const bool print_once = false;
1423#else
1424	static bool print_once __read_mostly;
1425#endif
1426
1427	if (print_once || crng_ready() ||
1428	    (previous && (caller == READ_ONCE(*previous))))
1429		return;
1430	WRITE_ONCE(*previous, caller);
1431#ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM
1432	print_once = true;
1433#endif
1434	if (__ratelimit(&unseeded_warning))
1435		printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
1436				func_name, caller, crng_init);
1437}
1438
1439/*
1440 * This function is the exported kernel interface.  It returns some
1441 * number of good random numbers, suitable for key generation, seeding
1442 * TCP sequence numbers, etc.  It does not rely on the hardware random
1443 * number generator.  For random bytes direct from the hardware RNG
1444 * (when available), use get_random_bytes_arch(). In order to ensure
1445 * that the randomness provided by this function is okay, the function
1446 * wait_for_random_bytes() should be called and return 0 at least once
1447 * at any point prior.
1448 */
1449static void _get_random_bytes(void *buf, int nbytes)
1450{
1451	u8 tmp[CHACHA_BLOCK_SIZE] __aligned(4);
1452
1453	trace_get_random_bytes(nbytes, _RET_IP_);
1454
1455	while (nbytes >= CHACHA_BLOCK_SIZE) {
1456		extract_crng(buf);
1457		buf += CHACHA_BLOCK_SIZE;
1458		nbytes -= CHACHA_BLOCK_SIZE;
1459	}
1460
1461	if (nbytes > 0) {
1462		extract_crng(tmp);
1463		memcpy(buf, tmp, nbytes);
1464		crng_backtrack_protect(tmp, nbytes);
1465	} else
1466		crng_backtrack_protect(tmp, CHACHA_BLOCK_SIZE);
1467	memzero_explicit(tmp, sizeof(tmp));
1468}
1469
1470void get_random_bytes(void *buf, int nbytes)
1471{
1472	static void *previous;
1473
1474	warn_unseeded_randomness(&previous);
1475	_get_random_bytes(buf, nbytes);
1476}
1477EXPORT_SYMBOL(get_random_bytes);
1478
1479/*
1480 * Each time the timer fires, we expect that we got an unpredictable
1481 * jump in the cycle counter. Even if the timer is running on another
1482 * CPU, the timer activity will be touching the stack of the CPU that is
1483 * generating entropy..
1484 *
1485 * Note that we don't re-arm the timer in the timer itself - we are
1486 * happy to be scheduled away, since that just makes the load more
1487 * complex, but we do not want the timer to keep ticking unless the
1488 * entropy loop is running.
1489 *
1490 * So the re-arming always happens in the entropy loop itself.
1491 */
1492static void entropy_timer(struct timer_list *t)
1493{
1494	credit_entropy_bits(1);
1495}
1496
1497/*
1498 * If we have an actual cycle counter, see if we can
1499 * generate enough entropy with timing noise
1500 */
1501static void try_to_generate_entropy(void)
1502{
1503	struct {
1504		unsigned long now;
1505		struct timer_list timer;
1506	} stack;
1507
1508	stack.now = random_get_entropy();
1509
1510	/* Slow counter - or none. Don't even bother */
1511	if (stack.now == random_get_entropy())
1512		return;
1513
1514	timer_setup_on_stack(&stack.timer, entropy_timer, 0);
1515	while (!crng_ready()) {
1516		if (!timer_pending(&stack.timer))
1517			mod_timer(&stack.timer, jiffies + 1);
1518		mix_pool_bytes(&stack.now, sizeof(stack.now));
1519		schedule();
1520		stack.now = random_get_entropy();
1521	}
1522
1523	del_timer_sync(&stack.timer);
1524	destroy_timer_on_stack(&stack.timer);
1525	mix_pool_bytes(&stack.now, sizeof(stack.now));
1526}
1527
1528/*
1529 * Wait for the urandom pool to be seeded and thus guaranteed to supply
1530 * cryptographically secure random numbers. This applies to: the /dev/urandom
1531 * device, the get_random_bytes function, and the get_random_{u32,u64,int,long}
1532 * family of functions. Using any of these functions without first calling
1533 * this function forfeits the guarantee of security.
1534 *
1535 * Returns: 0 if the urandom pool has been seeded.
1536 *          -ERESTARTSYS if the function was interrupted by a signal.
1537 */
1538int wait_for_random_bytes(void)
1539{
1540	if (likely(crng_ready()))
1541		return 0;
1542
1543	do {
1544		int ret;
1545		ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
1546		if (ret)
1547			return ret > 0 ? 0 : ret;
1548
1549		try_to_generate_entropy();
1550	} while (!crng_ready());
1551
1552	return 0;
1553}
1554EXPORT_SYMBOL(wait_for_random_bytes);
1555
1556/*
1557 * Returns whether or not the urandom pool has been seeded and thus guaranteed
1558 * to supply cryptographically secure random numbers. This applies to: the
1559 * /dev/urandom device, the get_random_bytes function, and the get_random_{u32,
1560 * ,u64,int,long} family of functions.
1561 *
1562 * Returns: true if the urandom pool has been seeded.
1563 *          false if the urandom pool has not been seeded.
1564 */
1565bool rng_is_initialized(void)
1566{
1567	return crng_ready();
1568}
1569EXPORT_SYMBOL(rng_is_initialized);
1570
1571/*
1572 * Add a callback function that will be invoked when the nonblocking
1573 * pool is initialised.
1574 *
1575 * returns: 0 if callback is successfully added
1576 *	    -EALREADY if pool is already initialised (callback not called)
1577 *	    -ENOENT if module for callback is not alive
1578 */
1579int add_random_ready_callback(struct random_ready_callback *rdy)
1580{
1581	struct module *owner;
1582	unsigned long flags;
1583	int err = -EALREADY;
1584
1585	if (crng_ready())
1586		return err;
1587
1588	owner = rdy->owner;
1589	if (!try_module_get(owner))
1590		return -ENOENT;
1591
1592	spin_lock_irqsave(&random_ready_list_lock, flags);
1593	if (crng_ready())
1594		goto out;
1595
1596	owner = NULL;
1597
1598	list_add(&rdy->list, &random_ready_list);
1599	err = 0;
1600
1601out:
1602	spin_unlock_irqrestore(&random_ready_list_lock, flags);
1603
1604	module_put(owner);
1605
1606	return err;
1607}
1608EXPORT_SYMBOL(add_random_ready_callback);
1609
1610/*
1611 * Delete a previously registered readiness callback function.
1612 */
1613void del_random_ready_callback(struct random_ready_callback *rdy)
1614{
1615	unsigned long flags;
1616	struct module *owner = NULL;
1617
1618	spin_lock_irqsave(&random_ready_list_lock, flags);
1619	if (!list_empty(&rdy->list)) {
1620		list_del_init(&rdy->list);
1621		owner = rdy->owner;
1622	}
1623	spin_unlock_irqrestore(&random_ready_list_lock, flags);
1624
1625	module_put(owner);
1626}
1627EXPORT_SYMBOL(del_random_ready_callback);
1628
1629/*
1630 * This function will use the architecture-specific hardware random
1631 * number generator if it is available.  The arch-specific hw RNG will
1632 * almost certainly be faster than what we can do in software, but it
1633 * is impossible to verify that it is implemented securely (as
1634 * opposed, to, say, the AES encryption of a sequence number using a
1635 * key known by the NSA).  So it's useful if we need the speed, but
1636 * only if we're willing to trust the hardware manufacturer not to
1637 * have put in a back door.
1638 *
1639 * Return number of bytes filled in.
1640 */
1641int __must_check get_random_bytes_arch(void *buf, int nbytes)
1642{
1643	int left = nbytes;
1644	u8 *p = buf;
1645
1646	trace_get_random_bytes_arch(left, _RET_IP_);
1647	while (left) {
1648		unsigned long v;
1649		int chunk = min_t(int, left, sizeof(unsigned long));
1650
1651		if (!arch_get_random_long(&v))
1652			break;
1653
1654		memcpy(p, &v, chunk);
1655		p += chunk;
1656		left -= chunk;
1657	}
1658
1659	return nbytes - left;
1660}
1661EXPORT_SYMBOL(get_random_bytes_arch);
1662
1663/*
1664 * init_std_data - initialize pool with system data
1665 *
1666 * This function clears the pool's entropy count and mixes some system
1667 * data into the pool to prepare it for use. The pool is not cleared
1668 * as that can only decrease the entropy in the pool.
1669 */
1670static void __init init_std_data(void)
1671{
1672	int i;
1673	ktime_t now = ktime_get_real();
1674	unsigned long rv;
1675
1676	mix_pool_bytes(&now, sizeof(now));
1677	for (i = POOL_BYTES; i > 0; i -= sizeof(rv)) {
1678		if (!arch_get_random_seed_long(&rv) &&
1679		    !arch_get_random_long(&rv))
1680			rv = random_get_entropy();
1681		mix_pool_bytes(&rv, sizeof(rv));
1682	}
1683	mix_pool_bytes(utsname(), sizeof(*(utsname())));
1684}
1685
1686/*
1687 * Note that setup_arch() may call add_device_randomness()
1688 * long before we get here. This allows seeding of the pools
1689 * with some platform dependent data very early in the boot
1690 * process. But it limits our options here. We must use
1691 * statically allocated structures that already have all
1692 * initializations complete at compile time. We should also
1693 * take care not to overwrite the precious per platform data
1694 * we were given.
1695 */
1696int __init rand_initialize(void)
1697{
1698	init_std_data();
1699	if (crng_need_final_init)
1700		crng_finalize_init(&primary_crng);
1701	crng_initialize_primary(&primary_crng);
1702	crng_global_init_time = jiffies;
1703	if (ratelimit_disable) {
1704		urandom_warning.interval = 0;
1705		unseeded_warning.interval = 0;
1706	}
1707	return 0;
1708}
1709
1710#ifdef CONFIG_BLOCK
1711void rand_initialize_disk(struct gendisk *disk)
1712{
1713	struct timer_rand_state *state;
1714
1715	/*
1716	 * If kzalloc returns null, we just won't use that entropy
1717	 * source.
1718	 */
1719	state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
1720	if (state) {
1721		state->last_time = INITIAL_JIFFIES;
1722		disk->random = state;
1723	}
1724}
1725#endif
1726
1727static ssize_t urandom_read_nowarn(struct file *file, char __user *buf,
1728				   size_t nbytes, loff_t *ppos)
1729{
1730	int ret;
1731
1732	nbytes = min_t(size_t, nbytes, INT_MAX >> (POOL_ENTROPY_SHIFT + 3));
1733	ret = extract_crng_user(buf, nbytes);
1734	trace_urandom_read(8 * nbytes, 0, POOL_ENTROPY_BITS());
1735	return ret;
1736}
1737
1738static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
1739			    loff_t *ppos)
1740{
1741	static int maxwarn = 10;
1742
1743	if (!crng_ready() && maxwarn > 0) {
1744		maxwarn--;
1745		if (__ratelimit(&urandom_warning))
1746			pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
1747				  current->comm, nbytes);
1748	}
1749
1750	return urandom_read_nowarn(file, buf, nbytes, ppos);
1751}
1752
1753static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes,
1754			   loff_t *ppos)
1755{
1756	int ret;
1757
1758	ret = wait_for_random_bytes();
1759	if (ret != 0)
1760		return ret;
1761	return urandom_read_nowarn(file, buf, nbytes, ppos);
1762}
1763
1764static __poll_t random_poll(struct file *file, poll_table *wait)
1765{
1766	__poll_t mask;
1767
1768	poll_wait(file, &crng_init_wait, wait);
1769	poll_wait(file, &random_write_wait, wait);
1770	mask = 0;
1771	if (crng_ready())
1772		mask |= EPOLLIN | EPOLLRDNORM;
1773	if (POOL_ENTROPY_BITS() < random_write_wakeup_bits)
1774		mask |= EPOLLOUT | EPOLLWRNORM;
1775	return mask;
1776}
1777
1778static int write_pool(const char __user *buffer, size_t count)
1779{
1780	size_t bytes;
1781	u32 t, buf[16];
1782	const char __user *p = buffer;
1783
1784	while (count > 0) {
1785		int b, i = 0;
1786
1787		bytes = min(count, sizeof(buf));
1788		if (copy_from_user(&buf, p, bytes))
1789			return -EFAULT;
1790
1791		for (b = bytes; b > 0; b -= sizeof(u32), i++) {
1792			if (!arch_get_random_int(&t))
1793				break;
1794			buf[i] ^= t;
1795		}
1796
1797		count -= bytes;
1798		p += bytes;
1799
1800		mix_pool_bytes(buf, bytes);
1801		cond_resched();
1802	}
1803
1804	return 0;
1805}
1806
1807static ssize_t random_write(struct file *file, const char __user *buffer,
1808			    size_t count, loff_t *ppos)
1809{
1810	size_t ret;
1811
1812	ret = write_pool(buffer, count);
1813	if (ret)
1814		return ret;
1815
1816	return (ssize_t)count;
1817}
1818
1819static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
1820{
1821	int size, ent_count;
1822	int __user *p = (int __user *)arg;
1823	int retval;
1824
1825	switch (cmd) {
1826	case RNDGETENTCNT:
1827		/* inherently racy, no point locking */
1828		ent_count = POOL_ENTROPY_BITS();
1829		if (put_user(ent_count, p))
1830			return -EFAULT;
1831		return 0;
1832	case RNDADDTOENTCNT:
1833		if (!capable(CAP_SYS_ADMIN))
1834			return -EPERM;
1835		if (get_user(ent_count, p))
1836			return -EFAULT;
1837		return credit_entropy_bits_safe(ent_count);
1838	case RNDADDENTROPY:
1839		if (!capable(CAP_SYS_ADMIN))
1840			return -EPERM;
1841		if (get_user(ent_count, p++))
1842			return -EFAULT;
1843		if (ent_count < 0)
1844			return -EINVAL;
1845		if (get_user(size, p++))
1846			return -EFAULT;
1847		retval = write_pool((const char __user *)p, size);
1848		if (retval < 0)
1849			return retval;
1850		return credit_entropy_bits_safe(ent_count);
1851	case RNDZAPENTCNT:
1852	case RNDCLEARPOOL:
1853		/*
1854		 * Clear the entropy pool counters. We no longer clear
1855		 * the entropy pool, as that's silly.
1856		 */
1857		if (!capable(CAP_SYS_ADMIN))
1858			return -EPERM;
1859		input_pool.entropy_count = 0;
1860		return 0;
1861	case RNDRESEEDCRNG:
1862		if (!capable(CAP_SYS_ADMIN))
1863			return -EPERM;
1864		if (crng_init < 2)
1865			return -ENODATA;
1866		crng_reseed(&primary_crng, true);
1867		WRITE_ONCE(crng_global_init_time, jiffies - 1);
1868		return 0;
1869	default:
1870		return -EINVAL;
1871	}
1872}
1873
1874static int random_fasync(int fd, struct file *filp, int on)
1875{
1876	return fasync_helper(fd, filp, on, &fasync);
1877}
1878
1879const struct file_operations random_fops = {
1880	.read = random_read,
1881	.write = random_write,
1882	.poll = random_poll,
1883	.unlocked_ioctl = random_ioctl,
1884	.compat_ioctl = compat_ptr_ioctl,
1885	.fasync = random_fasync,
1886	.llseek = noop_llseek,
1887};
1888
1889const struct file_operations urandom_fops = {
1890	.read = urandom_read,
1891	.write = random_write,
1892	.unlocked_ioctl = random_ioctl,
1893	.compat_ioctl = compat_ptr_ioctl,
1894	.fasync = random_fasync,
1895	.llseek = noop_llseek,
1896};
1897
1898SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int,
1899		flags)
1900{
1901	int ret;
1902
1903	if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
1904		return -EINVAL;
1905
1906	/*
1907	 * Requesting insecure and blocking randomness at the same time makes
1908	 * no sense.
1909	 */
1910	if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
1911		return -EINVAL;
1912
1913	if (count > INT_MAX)
1914		count = INT_MAX;
1915
1916	if (!(flags & GRND_INSECURE) && !crng_ready()) {
1917		if (flags & GRND_NONBLOCK)
1918			return -EAGAIN;
1919		ret = wait_for_random_bytes();
1920		if (unlikely(ret))
1921			return ret;
1922	}
1923	return urandom_read_nowarn(NULL, buf, count, NULL);
1924}
1925
1926/********************************************************************
1927 *
1928 * Sysctl interface
1929 *
1930 ********************************************************************/
1931
1932#ifdef CONFIG_SYSCTL
1933
1934#include <linux/sysctl.h>
1935
1936static int min_write_thresh;
1937static int max_write_thresh = POOL_BITS;
1938static int random_min_urandom_seed = 60;
1939static char sysctl_bootid[16];
1940
1941/*
1942 * This function is used to return both the bootid UUID, and random
1943 * UUID.  The difference is in whether table->data is NULL; if it is,
1944 * then a new UUID is generated and returned to the user.
1945 *
1946 * If the user accesses this via the proc interface, the UUID will be
1947 * returned as an ASCII string in the standard UUID format; if via the
1948 * sysctl system call, as 16 bytes of binary data.
1949 */
1950static int proc_do_uuid(struct ctl_table *table, int write, void *buffer,
1951			size_t *lenp, loff_t *ppos)
1952{
1953	struct ctl_table fake_table;
1954	unsigned char buf[64], tmp_uuid[16], *uuid;
1955
1956	uuid = table->data;
1957	if (!uuid) {
1958		uuid = tmp_uuid;
1959		generate_random_uuid(uuid);
1960	} else {
1961		static DEFINE_SPINLOCK(bootid_spinlock);
1962
1963		spin_lock(&bootid_spinlock);
1964		if (!uuid[8])
1965			generate_random_uuid(uuid);
1966		spin_unlock(&bootid_spinlock);
1967	}
1968
1969	sprintf(buf, "%pU", uuid);
1970
1971	fake_table.data = buf;
1972	fake_table.maxlen = sizeof(buf);
1973
1974	return proc_dostring(&fake_table, write, buffer, lenp, ppos);
1975}
1976
1977/*
1978 * Return entropy available scaled to integral bits
1979 */
1980static int proc_do_entropy(struct ctl_table *table, int write, void *buffer,
1981			   size_t *lenp, loff_t *ppos)
1982{
1983	struct ctl_table fake_table;
1984	int entropy_count;
1985
1986	entropy_count = *(int *)table->data >> POOL_ENTROPY_SHIFT;
1987
1988	fake_table.data = &entropy_count;
1989	fake_table.maxlen = sizeof(entropy_count);
1990
1991	return proc_dointvec(&fake_table, write, buffer, lenp, ppos);
1992}
1993
1994static int sysctl_poolsize = POOL_BITS;
1995static struct ctl_table random_table[] = {
1996	{
1997		.procname	= "poolsize",
1998		.data		= &sysctl_poolsize,
1999		.maxlen		= sizeof(int),
2000		.mode		= 0444,
2001		.proc_handler	= proc_dointvec,
2002	},
2003	{
2004		.procname	= "entropy_avail",
2005		.maxlen		= sizeof(int),
2006		.mode		= 0444,
2007		.proc_handler	= proc_do_entropy,
2008		.data		= &input_pool.entropy_count,
2009	},
2010	{
2011		.procname	= "write_wakeup_threshold",
2012		.data		= &random_write_wakeup_bits,
2013		.maxlen		= sizeof(int),
2014		.mode		= 0644,
2015		.proc_handler	= proc_dointvec_minmax,
2016		.extra1		= &min_write_thresh,
2017		.extra2		= &max_write_thresh,
2018	},
2019	{
2020		.procname	= "urandom_min_reseed_secs",
2021		.data		= &random_min_urandom_seed,
2022		.maxlen		= sizeof(int),
2023		.mode		= 0644,
2024		.proc_handler	= proc_dointvec,
2025	},
2026	{
2027		.procname	= "boot_id",
2028		.data		= &sysctl_bootid,
2029		.maxlen		= 16,
2030		.mode		= 0444,
2031		.proc_handler	= proc_do_uuid,
2032	},
2033	{
2034		.procname	= "uuid",
2035		.maxlen		= 16,
2036		.mode		= 0444,
2037		.proc_handler	= proc_do_uuid,
2038	},
2039#ifdef ADD_INTERRUPT_BENCH
2040	{
2041		.procname	= "add_interrupt_avg_cycles",
2042		.data		= &avg_cycles,
2043		.maxlen		= sizeof(avg_cycles),
2044		.mode		= 0444,
2045		.proc_handler	= proc_doulongvec_minmax,
2046	},
2047	{
2048		.procname	= "add_interrupt_avg_deviation",
2049		.data		= &avg_deviation,
2050		.maxlen		= sizeof(avg_deviation),
2051		.mode		= 0444,
2052		.proc_handler	= proc_doulongvec_minmax,
2053	},
2054#endif
2055	{ }
2056};
2057
2058/*
2059 * rand_initialize() is called before sysctl_init(),
2060 * so we cannot call register_sysctl_init() in rand_initialize()
2061 */
2062static int __init random_sysctls_init(void)
2063{
2064	register_sysctl_init("kernel/random", random_table);
2065	return 0;
2066}
2067device_initcall(random_sysctls_init);
2068#endif	/* CONFIG_SYSCTL */
2069
2070struct batched_entropy {
2071	union {
2072		u64 entropy_u64[CHACHA_BLOCK_SIZE / sizeof(u64)];
2073		u32 entropy_u32[CHACHA_BLOCK_SIZE / sizeof(u32)];
2074	};
2075	unsigned int position;
2076	spinlock_t batch_lock;
2077};
2078
2079/*
2080 * Get a random word for internal kernel use only. The quality of the random
2081 * number is good as /dev/urandom, but there is no backtrack protection, with
2082 * the goal of being quite fast and not depleting entropy. In order to ensure
2083 * that the randomness provided by this function is okay, the function
2084 * wait_for_random_bytes() should be called and return 0 at least once at any
2085 * point prior.
2086 */
2087static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
2088	.batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock),
2089};
2090
2091u64 get_random_u64(void)
2092{
2093	u64 ret;
2094	unsigned long flags;
2095	struct batched_entropy *batch;
2096	static void *previous;
2097
2098	warn_unseeded_randomness(&previous);
2099
2100	batch = raw_cpu_ptr(&batched_entropy_u64);
2101	spin_lock_irqsave(&batch->batch_lock, flags);
2102	if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) {
2103		extract_crng((u8 *)batch->entropy_u64);
2104		batch->position = 0;
2105	}
2106	ret = batch->entropy_u64[batch->position++];
2107	spin_unlock_irqrestore(&batch->batch_lock, flags);
2108	return ret;
2109}
2110EXPORT_SYMBOL(get_random_u64);
2111
2112static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
2113	.batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock),
2114};
2115u32 get_random_u32(void)
2116{
2117	u32 ret;
2118	unsigned long flags;
2119	struct batched_entropy *batch;
2120	static void *previous;
2121
2122	warn_unseeded_randomness(&previous);
2123
2124	batch = raw_cpu_ptr(&batched_entropy_u32);
2125	spin_lock_irqsave(&batch->batch_lock, flags);
2126	if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) {
2127		extract_crng((u8 *)batch->entropy_u32);
2128		batch->position = 0;
2129	}
2130	ret = batch->entropy_u32[batch->position++];
2131	spin_unlock_irqrestore(&batch->batch_lock, flags);
2132	return ret;
2133}
2134EXPORT_SYMBOL(get_random_u32);
2135
2136/* It's important to invalidate all potential batched entropy that might
2137 * be stored before the crng is initialized, which we can do lazily by
2138 * simply resetting the counter to zero so that it's re-extracted on the
2139 * next usage. */
2140static void invalidate_batched_entropy(void)
2141{
2142	int cpu;
2143	unsigned long flags;
2144
2145	for_each_possible_cpu(cpu) {
2146		struct batched_entropy *batched_entropy;
2147
2148		batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu);
2149		spin_lock_irqsave(&batched_entropy->batch_lock, flags);
2150		batched_entropy->position = 0;
2151		spin_unlock(&batched_entropy->batch_lock);
2152
2153		batched_entropy = per_cpu_ptr(&batched_entropy_u64, cpu);
2154		spin_lock(&batched_entropy->batch_lock);
2155		batched_entropy->position = 0;
2156		spin_unlock_irqrestore(&batched_entropy->batch_lock, flags);
2157	}
2158}
2159
2160/**
2161 * randomize_page - Generate a random, page aligned address
2162 * @start:	The smallest acceptable address the caller will take.
2163 * @range:	The size of the area, starting at @start, within which the
2164 *		random address must fall.
2165 *
2166 * If @start + @range would overflow, @range is capped.
2167 *
2168 * NOTE: Historical use of randomize_range, which this replaces, presumed that
2169 * @start was already page aligned.  We now align it regardless.
2170 *
2171 * Return: A page aligned address within [start, start + range).  On error,
2172 * @start is returned.
2173 */
2174unsigned long randomize_page(unsigned long start, unsigned long range)
2175{
2176	if (!PAGE_ALIGNED(start)) {
2177		range -= PAGE_ALIGN(start) - start;
2178		start = PAGE_ALIGN(start);
2179	}
2180
2181	if (start > ULONG_MAX - range)
2182		range = ULONG_MAX - start;
2183
2184	range >>= PAGE_SHIFT;
2185
2186	if (range == 0)
2187		return start;
2188
2189	return start + (get_random_long() % range << PAGE_SHIFT);
2190}
2191
2192/* Interface for in-kernel drivers of true hardware RNGs.
2193 * Those devices may produce endless random bits and will be throttled
2194 * when our pool is full.
2195 */
2196void add_hwgenerator_randomness(const char *buffer, size_t count,
2197				size_t entropy)
2198{
2199	if (unlikely(crng_init == 0)) {
2200		size_t ret = crng_fast_load(buffer, count);
2201		mix_pool_bytes(buffer, ret);
2202		count -= ret;
2203		buffer += ret;
2204		if (!count || crng_init == 0)
2205			return;
2206	}
2207
2208	/* Suspend writing if we're above the trickle threshold.
2209	 * We'll be woken up again once below random_write_wakeup_thresh,
2210	 * or when the calling thread is about to terminate.
2211	 */
2212	wait_event_interruptible(random_write_wait,
2213			!system_wq || kthread_should_stop() ||
2214			POOL_ENTROPY_BITS() <= random_write_wakeup_bits);
2215	mix_pool_bytes(buffer, count);
2216	credit_entropy_bits(entropy);
2217}
2218EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
2219
2220/* Handle random seed passed by bootloader.
2221 * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
2222 * it would be regarded as device data.
2223 * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
2224 */
2225void add_bootloader_randomness(const void *buf, unsigned int size)
2226{
2227	if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
2228		add_hwgenerator_randomness(buf, size, size * 8);
2229	else
2230		add_device_randomness(buf, size);
2231}
2232EXPORT_SYMBOL_GPL(add_bootloader_randomness);