linux/crypto/jitterentropy.c
<<
>>
Prefs
   1/*
   2 * Non-physical true random number generator based on timing jitter --
   3 * Jitter RNG standalone code.
   4 *
   5 * Copyright Stephan Mueller <smueller@chronox.de>, 2015
   6 *
   7 * Design
   8 * ======
   9 *
  10 * See http://www.chronox.de/jent.html
  11 *
  12 * License
  13 * =======
  14 *
  15 * Redistribution and use in source and binary forms, with or without
  16 * modification, are permitted provided that the following conditions
  17 * are met:
  18 * 1. Redistributions of source code must retain the above copyright
  19 *    notice, and the entire permission notice in its entirety,
  20 *    including the disclaimer of warranties.
  21 * 2. Redistributions in binary form must reproduce the above copyright
  22 *    notice, this list of conditions and the following disclaimer in the
  23 *    documentation and/or other materials provided with the distribution.
  24 * 3. The name of the author may not be used to endorse or promote
  25 *    products derived from this software without specific prior
  26 *    written permission.
  27 *
  28 * ALTERNATIVELY, this product may be distributed under the terms of
  29 * the GNU General Public License, in which case the provisions of the GPL2 are
  30 * required INSTEAD OF the above restrictions.  (This clause is
  31 * necessary due to a potential bad interaction between the GPL and
  32 * the restrictions contained in a BSD-style copyright.)
  33 *
  34 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  35 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  36 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
  37 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
  38 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  39 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
  40 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  41 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  42 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  43 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  44 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
  45 * DAMAGE.
  46 */
  47
  48/*
  49 * This Jitterentropy RNG is based on the jitterentropy library
  50 * version 1.1.0 provided at http://www.chronox.de/jent.html
  51 */
  52
  53#ifdef __OPTIMIZE__
  54 #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c."
  55#endif
  56
  57typedef unsigned long long      __u64;
  58typedef long long               __s64;
  59typedef unsigned int            __u32;
  60#define NULL    ((void *) 0)
  61
  62/* The entropy pool */
  63struct rand_data {
  64        /* all data values that are vital to maintain the security
  65         * of the RNG are marked as SENSITIVE. A user must not
  66         * access that information while the RNG executes its loops to
  67         * calculate the next random value. */
  68        __u64 data;             /* SENSITIVE Actual random number */
  69        __u64 old_data;         /* SENSITIVE Previous random number */
  70        __u64 prev_time;        /* SENSITIVE Previous time stamp */
  71#define DATA_SIZE_BITS ((sizeof(__u64)) * 8)
  72        __u64 last_delta;       /* SENSITIVE stuck test */
  73        __s64 last_delta2;      /* SENSITIVE stuck test */
  74        unsigned int stuck:1;   /* Time measurement stuck */
  75        unsigned int osr;       /* Oversample rate */
  76        unsigned int stir:1;            /* Post-processing stirring */
  77        unsigned int disable_unbias:1;  /* Deactivate Von-Neuman unbias */
  78#define JENT_MEMORY_BLOCKS 64
  79#define JENT_MEMORY_BLOCKSIZE 32
  80#define JENT_MEMORY_ACCESSLOOPS 128
  81#define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE)
  82        unsigned char *mem;     /* Memory access location with size of
  83                                 * memblocks * memblocksize */
  84        unsigned int memlocation; /* Pointer to byte in *mem */
  85        unsigned int memblocks; /* Number of memory blocks in *mem */
  86        unsigned int memblocksize; /* Size of one memory block in bytes */
  87        unsigned int memaccessloops; /* Number of memory accesses per random
  88                                      * bit generation */
  89};
  90
  91/* Flags that can be used to initialize the RNG */
  92#define JENT_DISABLE_STIR (1<<0) /* Disable stirring the entropy pool */
  93#define JENT_DISABLE_UNBIAS (1<<1) /* Disable the Von-Neuman Unbiaser */
  94#define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more
  95                                           * entropy, saves MEMORY_SIZE RAM for
  96                                           * entropy collector */
  97
  98/* -- error codes for init function -- */
  99#define JENT_ENOTIME            1 /* Timer service not available */
 100#define JENT_ECOARSETIME        2 /* Timer too coarse for RNG */
 101#define JENT_ENOMONOTONIC       3 /* Timer is not monotonic increasing */
 102#define JENT_EMINVARIATION      4 /* Timer variations too small for RNG */
 103#define JENT_EVARVAR            5 /* Timer does not produce variations of
 104                                   * variations (2nd derivation of time is
 105                                   * zero). */
 106#define JENT_EMINVARVAR         6 /* Timer variations of variations is tooi
 107                                   * small. */
 108
 109/***************************************************************************
 110 * Helper functions
 111 ***************************************************************************/
 112
 113void jent_get_nstime(__u64 *out);
 114__u64 jent_rol64(__u64 word, unsigned int shift);
 115void *jent_zalloc(unsigned int len);
 116void jent_zfree(void *ptr);
 117int jent_fips_enabled(void);
 118void jent_panic(char *s);
 119void jent_memcpy(void *dest, const void *src, unsigned int n);
 120
 121/**
 122 * Update of the loop count used for the next round of
 123 * an entropy collection.
 124 *
 125 * Input:
 126 * @ec entropy collector struct -- may be NULL
 127 * @bits is the number of low bits of the timer to consider
 128 * @min is the number of bits we shift the timer value to the right at
 129 *      the end to make sure we have a guaranteed minimum value
 130 *
 131 * @return Newly calculated loop counter
 132 */
 133static __u64 jent_loop_shuffle(struct rand_data *ec,
 134                               unsigned int bits, unsigned int min)
 135{
 136        __u64 time = 0;
 137        __u64 shuffle = 0;
 138        unsigned int i = 0;
 139        unsigned int mask = (1<<bits) - 1;
 140
 141        jent_get_nstime(&time);
 142        /*
 143         * mix the current state of the random number into the shuffle
 144         * calculation to balance that shuffle a bit more
 145         */
 146        if (ec)
 147                time ^= ec->data;
 148        /*
 149         * we fold the time value as much as possible to ensure that as many
 150         * bits of the time stamp are included as possible
 151         */
 152        for (i = 0; (DATA_SIZE_BITS / bits) > i; i++) {
 153                shuffle ^= time & mask;
 154                time = time >> bits;
 155        }
 156
 157        /*
 158         * We add a lower boundary value to ensure we have a minimum
 159         * RNG loop count.
 160         */
 161        return (shuffle + (1<<min));
 162}
 163
 164/***************************************************************************
 165 * Noise sources
 166 ***************************************************************************/
 167
 168/**
 169 * CPU Jitter noise source -- this is the noise source based on the CPU
 170 *                            execution time jitter
 171 *
 172 * This function folds the time into one bit units by iterating
 173 * through the DATA_SIZE_BITS bit time value as follows: assume our time value
 174 * is 0xabcd
 175 * 1st loop, 1st shift generates 0xd000
 176 * 1st loop, 2nd shift generates 0x000d
 177 * 2nd loop, 1st shift generates 0xcd00
 178 * 2nd loop, 2nd shift generates 0x000c
 179 * 3rd loop, 1st shift generates 0xbcd0
 180 * 3rd loop, 2nd shift generates 0x000b
 181 * 4th loop, 1st shift generates 0xabcd
 182 * 4th loop, 2nd shift generates 0x000a
 183 * Now, the values at the end of the 2nd shifts are XORed together.
 184 *
 185 * The code is deliberately inefficient and shall stay that way. This function
 186 * is the root cause why the code shall be compiled without optimization. This
 187 * function not only acts as folding operation, but this function's execution
 188 * is used to measure the CPU execution time jitter. Any change to the loop in
 189 * this function implies that careful retesting must be done.
 190 *
 191 * Input:
 192 * @ec entropy collector struct -- may be NULL
 193 * @time time stamp to be folded
 194 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
 195 *           loops to perform the folding
 196 *
 197 * Output:
 198 * @folded result of folding operation
 199 *
 200 * @return Number of loops the folding operation is performed
 201 */
 202static __u64 jent_fold_time(struct rand_data *ec, __u64 time,
 203                            __u64 *folded, __u64 loop_cnt)
 204{
 205        unsigned int i;
 206        __u64 j = 0;
 207        __u64 new = 0;
 208#define MAX_FOLD_LOOP_BIT 4
 209#define MIN_FOLD_LOOP_BIT 0
 210        __u64 fold_loop_cnt =
 211                jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT);
 212
 213        /*
 214         * testing purposes -- allow test app to set the counter, not
 215         * needed during runtime
 216         */
 217        if (loop_cnt)
 218                fold_loop_cnt = loop_cnt;
 219        for (j = 0; j < fold_loop_cnt; j++) {
 220                new = 0;
 221                for (i = 1; (DATA_SIZE_BITS) >= i; i++) {
 222                        __u64 tmp = time << (DATA_SIZE_BITS - i);
 223
 224                        tmp = tmp >> (DATA_SIZE_BITS - 1);
 225                        new ^= tmp;
 226                }
 227        }
 228        *folded = new;
 229        return fold_loop_cnt;
 230}
 231
 232/**
 233 * Memory Access noise source -- this is a noise source based on variations in
 234 *                               memory access times
 235 *
 236 * This function performs memory accesses which will add to the timing
 237 * variations due to an unknown amount of CPU wait states that need to be
 238 * added when accessing memory. The memory size should be larger than the L1
 239 * caches as outlined in the documentation and the associated testing.
 240 *
 241 * The L1 cache has a very high bandwidth, albeit its access rate is  usually
 242 * slower than accessing CPU registers. Therefore, L1 accesses only add minimal
 243 * variations as the CPU has hardly to wait. Starting with L2, significant
 244 * variations are added because L2 typically does not belong to the CPU any more
 245 * and therefore a wider range of CPU wait states is necessary for accesses.
 246 * L3 and real memory accesses have even a wider range of wait states. However,
 247 * to reliably access either L3 or memory, the ec->mem memory must be quite
 248 * large which is usually not desirable.
 249 *
 250 * Input:
 251 * @ec Reference to the entropy collector with the memory access data -- if
 252 *     the reference to the memory block to be accessed is NULL, this noise
 253 *     source is disabled
 254 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
 255 *           loops to perform the folding
 256 *
 257 * @return Number of memory access operations
 258 */
 259static unsigned int jent_memaccess(struct rand_data *ec, __u64 loop_cnt)
 260{
 261        unsigned char *tmpval = NULL;
 262        unsigned int wrap = 0;
 263        __u64 i = 0;
 264#define MAX_ACC_LOOP_BIT 7
 265#define MIN_ACC_LOOP_BIT 0
 266        __u64 acc_loop_cnt =
 267                jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);
 268
 269        if (NULL == ec || NULL == ec->mem)
 270                return 0;
 271        wrap = ec->memblocksize * ec->memblocks;
 272
 273        /*
 274         * testing purposes -- allow test app to set the counter, not
 275         * needed during runtime
 276         */
 277        if (loop_cnt)
 278                acc_loop_cnt = loop_cnt;
 279
 280        for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {
 281                tmpval = ec->mem + ec->memlocation;
 282                /*
 283                 * memory access: just add 1 to one byte,
 284                 * wrap at 255 -- memory access implies read
 285                 * from and write to memory location
 286                 */
 287                *tmpval = (*tmpval + 1) & 0xff;
 288                /*
 289                 * Addition of memblocksize - 1 to pointer
 290                 * with wrap around logic to ensure that every
 291                 * memory location is hit evenly
 292                 */
 293                ec->memlocation = ec->memlocation + ec->memblocksize - 1;
 294                ec->memlocation = ec->memlocation % wrap;
 295        }
 296        return i;
 297}
 298
 299/***************************************************************************
 300 * Start of entropy processing logic
 301 ***************************************************************************/
 302
 303/**
 304 * Stuck test by checking the:
 305 *      1st derivation of the jitter measurement (time delta)
 306 *      2nd derivation of the jitter measurement (delta of time deltas)
 307 *      3rd derivation of the jitter measurement (delta of delta of time deltas)
 308 *
 309 * All values must always be non-zero.
 310 *
 311 * Input:
 312 * @ec Reference to entropy collector
 313 * @current_delta Jitter time delta
 314 *
 315 * @return
 316 *      0 jitter measurement not stuck (good bit)
 317 *      1 jitter measurement stuck (reject bit)
 318 */
 319static void jent_stuck(struct rand_data *ec, __u64 current_delta)
 320{
 321        __s64 delta2 = ec->last_delta - current_delta;
 322        __s64 delta3 = delta2 - ec->last_delta2;
 323
 324        ec->last_delta = current_delta;
 325        ec->last_delta2 = delta2;
 326
 327        if (!current_delta || !delta2 || !delta3)
 328                ec->stuck = 1;
 329}
 330
 331/**
 332 * This is the heart of the entropy generation: calculate time deltas and
 333 * use the CPU jitter in the time deltas. The jitter is folded into one
 334 * bit. You can call this function the "random bit generator" as it
 335 * produces one random bit per invocation.
 336 *
 337 * WARNING: ensure that ->prev_time is primed before using the output
 338 *          of this function! This can be done by calling this function
 339 *          and not using its result.
 340 *
 341 * Input:
 342 * @entropy_collector Reference to entropy collector
 343 *
 344 * @return One random bit
 345 */
 346static __u64 jent_measure_jitter(struct rand_data *ec)
 347{
 348        __u64 time = 0;
 349        __u64 data = 0;
 350        __u64 current_delta = 0;
 351
 352        /* Invoke one noise source before time measurement to add variations */
 353        jent_memaccess(ec, 0);
 354
 355        /*
 356         * Get time stamp and calculate time delta to previous
 357         * invocation to measure the timing variations
 358         */
 359        jent_get_nstime(&time);
 360        current_delta = time - ec->prev_time;
 361        ec->prev_time = time;
 362
 363        /* Now call the next noise sources which also folds the data */
 364        jent_fold_time(ec, current_delta, &data, 0);
 365
 366        /*
 367         * Check whether we have a stuck measurement. The enforcement
 368         * is performed after the stuck value has been mixed into the
 369         * entropy pool.
 370         */
 371        jent_stuck(ec, current_delta);
 372
 373        return data;
 374}
 375
 376/**
 377 * Von Neuman unbias as explained in RFC 4086 section 4.2. As shown in the
 378 * documentation of that RNG, the bits from jent_measure_jitter are considered
 379 * independent which implies that the Von Neuman unbias operation is applicable.
 380 * A proof of the Von-Neumann unbias operation to remove skews is given in the
 381 * document "A proposal for: Functionality classes for random number
 382 * generators", version 2.0 by Werner Schindler, section 5.4.1.
 383 *
 384 * Input:
 385 * @entropy_collector Reference to entropy collector
 386 *
 387 * @return One random bit
 388 */
 389static __u64 jent_unbiased_bit(struct rand_data *entropy_collector)
 390{
 391        do {
 392                __u64 a = jent_measure_jitter(entropy_collector);
 393                __u64 b = jent_measure_jitter(entropy_collector);
 394
 395                if (a == b)
 396                        continue;
 397                if (1 == a)
 398                        return 1;
 399                else
 400                        return 0;
 401        } while (1);
 402}
 403
 404/**
 405 * Shuffle the pool a bit by mixing some value with a bijective function (XOR)
 406 * into the pool.
 407 *
 408 * The function generates a mixer value that depends on the bits set and the
 409 * location of the set bits in the random number generated by the entropy
 410 * source. Therefore, based on the generated random number, this mixer value
 411 * can have 2**64 different values. That mixer value is initialized with the
 412 * first two SHA-1 constants. After obtaining the mixer value, it is XORed into
 413 * the random number.
 414 *
 415 * The mixer value is not assumed to contain any entropy. But due to the XOR
 416 * operation, it can also not destroy any entropy present in the entropy pool.
 417 *
 418 * Input:
 419 * @entropy_collector Reference to entropy collector
 420 */
 421static void jent_stir_pool(struct rand_data *entropy_collector)
 422{
 423        /*
 424         * to shut up GCC on 32 bit, we have to initialize the 64 variable
 425         * with two 32 bit variables
 426         */
 427        union c {
 428                __u64 u64;
 429                __u32 u32[2];
 430        };
 431        /*
 432         * This constant is derived from the first two 32 bit initialization
 433         * vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1
 434         */
 435        union c constant;
 436        /*
 437         * The start value of the mixer variable is derived from the third
 438         * and fourth 32 bit initialization vector of SHA-1 as defined in
 439         * FIPS 180-4 section 5.3.1
 440         */
 441        union c mixer;
 442        unsigned int i = 0;
 443
 444        /*
 445         * Store the SHA-1 constants in reverse order to make up the 64 bit
 446         * value -- this applies to a little endian system, on a big endian
 447         * system, it reverses as expected. But this really does not matter
 448         * as we do not rely on the specific numbers. We just pick the SHA-1
 449         * constants as they have a good mix of bit set and unset.
 450         */
 451        constant.u32[1] = 0x67452301;
 452        constant.u32[0] = 0xefcdab89;
 453        mixer.u32[1] = 0x98badcfe;
 454        mixer.u32[0] = 0x10325476;
 455
 456        for (i = 0; i < DATA_SIZE_BITS; i++) {
 457                /*
 458                 * get the i-th bit of the input random number and only XOR
 459                 * the constant into the mixer value when that bit is set
 460                 */
 461                if ((entropy_collector->data >> i) & 1)
 462                        mixer.u64 ^= constant.u64;
 463                mixer.u64 = jent_rol64(mixer.u64, 1);
 464        }
 465        entropy_collector->data ^= mixer.u64;
 466}
 467
 468/**
 469 * Generator of one 64 bit random number
 470 * Function fills rand_data->data
 471 *
 472 * Input:
 473 * @ec Reference to entropy collector
 474 */
 475static void jent_gen_entropy(struct rand_data *ec)
 476{
 477        unsigned int k = 0;
 478
 479        /* priming of the ->prev_time value */
 480        jent_measure_jitter(ec);
 481
 482        while (1) {
 483                __u64 data = 0;
 484
 485                if (ec->disable_unbias == 1)
 486                        data = jent_measure_jitter(ec);
 487                else
 488                        data = jent_unbiased_bit(ec);
 489
 490                /* enforcement of the jent_stuck test */
 491                if (ec->stuck) {
 492                        /*
 493                         * We only mix in the bit considered not appropriate
 494                         * without the LSFR. The reason is that if we apply
 495                         * the LSFR and we do not rotate, the 2nd bit with LSFR
 496                         * will cancel out the first LSFR application on the
 497                         * bad bit.
 498                         *
 499                         * And we do not rotate as we apply the next bit to the
 500                         * current bit location again.
 501                         */
 502                        ec->data ^= data;
 503                        ec->stuck = 0;
 504                        continue;
 505                }
 506
 507                /*
 508                 * Fibonacci LSFR with polynom of
 509                 *  x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is
 510                 *  primitive according to
 511                 *   http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf
 512                 * (the shift values are the polynom values minus one
 513                 * due to counting bits from 0 to 63). As the current
 514                 * position is always the LSB, the polynom only needs
 515                 * to shift data in from the left without wrap.
 516                 */
 517                ec->data ^= data;
 518                ec->data ^= ((ec->data >> 63) & 1);
 519                ec->data ^= ((ec->data >> 60) & 1);
 520                ec->data ^= ((ec->data >> 55) & 1);
 521                ec->data ^= ((ec->data >> 30) & 1);
 522                ec->data ^= ((ec->data >> 27) & 1);
 523                ec->data ^= ((ec->data >> 22) & 1);
 524                ec->data = jent_rol64(ec->data, 1);
 525
 526                /*
 527                 * We multiply the loop value with ->osr to obtain the
 528                 * oversampling rate requested by the caller
 529                 */
 530                if (++k >= (DATA_SIZE_BITS * ec->osr))
 531                        break;
 532        }
 533        if (ec->stir)
 534                jent_stir_pool(ec);
 535}
 536
 537/**
 538 * The continuous test required by FIPS 140-2 -- the function automatically
 539 * primes the test if needed.
 540 *
 541 * Return:
 542 * 0 if FIPS test passed
 543 * < 0 if FIPS test failed
 544 */
 545static void jent_fips_test(struct rand_data *ec)
 546{
 547        if (!jent_fips_enabled())
 548                return;
 549
 550        /* prime the FIPS test */
 551        if (!ec->old_data) {
 552                ec->old_data = ec->data;
 553                jent_gen_entropy(ec);
 554        }
 555
 556        if (ec->data == ec->old_data)
 557                jent_panic("jitterentropy: Duplicate output detected\n");
 558
 559        ec->old_data = ec->data;
 560}
 561
 562/**
 563 * Entry function: Obtain entropy for the caller.
 564 *
 565 * This function invokes the entropy gathering logic as often to generate
 566 * as many bytes as requested by the caller. The entropy gathering logic
 567 * creates 64 bit per invocation.
 568 *
 569 * This function truncates the last 64 bit entropy value output to the exact
 570 * size specified by the caller.
 571 *
 572 * Input:
 573 * @ec Reference to entropy collector
 574 * @data pointer to buffer for storing random data -- buffer must already
 575 *       exist
 576 * @len size of the buffer, specifying also the requested number of random
 577 *      in bytes
 578 *
 579 * @return 0 when request is fulfilled or an error
 580 *
 581 * The following error codes can occur:
 582 *      -1      entropy_collector is NULL
 583 */
 584int jent_read_entropy(struct rand_data *ec, unsigned char *data,
 585                      unsigned int len)
 586{
 587        unsigned char *p = data;
 588
 589        if (!ec)
 590                return -1;
 591
 592        while (0 < len) {
 593                unsigned int tocopy;
 594
 595                jent_gen_entropy(ec);
 596                jent_fips_test(ec);
 597                if ((DATA_SIZE_BITS / 8) < len)
 598                        tocopy = (DATA_SIZE_BITS / 8);
 599                else
 600                        tocopy = len;
 601                jent_memcpy(p, &ec->data, tocopy);
 602
 603                len -= tocopy;
 604                p += tocopy;
 605        }
 606
 607        return 0;
 608}
 609
 610/***************************************************************************
 611 * Initialization logic
 612 ***************************************************************************/
 613
 614struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
 615                                               unsigned int flags)
 616{
 617        struct rand_data *entropy_collector;
 618
 619        entropy_collector = jent_zalloc(sizeof(struct rand_data));
 620        if (!entropy_collector)
 621                return NULL;
 622
 623        if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) {
 624                /* Allocate memory for adding variations based on memory
 625                 * access
 626                 */
 627                entropy_collector->mem = jent_zalloc(JENT_MEMORY_SIZE);
 628                if (!entropy_collector->mem) {
 629                        jent_zfree(entropy_collector);
 630                        return NULL;
 631                }
 632                entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE;
 633                entropy_collector->memblocks = JENT_MEMORY_BLOCKS;
 634                entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;
 635        }
 636
 637        /* verify and set the oversampling rate */
 638        if (0 == osr)
 639                osr = 1; /* minimum sampling rate is 1 */
 640        entropy_collector->osr = osr;
 641
 642        entropy_collector->stir = 1;
 643        if (flags & JENT_DISABLE_STIR)
 644                entropy_collector->stir = 0;
 645        if (flags & JENT_DISABLE_UNBIAS)
 646                entropy_collector->disable_unbias = 1;
 647
 648        /* fill the data pad with non-zero values */
 649        jent_gen_entropy(entropy_collector);
 650
 651        return entropy_collector;
 652}
 653
 654void jent_entropy_collector_free(struct rand_data *entropy_collector)
 655{
 656        jent_zfree(entropy_collector->mem);
 657        entropy_collector->mem = NULL;
 658        jent_zfree(entropy_collector);
 659        entropy_collector = NULL;
 660}
 661
 662int jent_entropy_init(void)
 663{
 664        int i;
 665        __u64 delta_sum = 0;
 666        __u64 old_delta = 0;
 667        int time_backwards = 0;
 668        int count_var = 0;
 669        int count_mod = 0;
 670
 671        /* We could perform statistical tests here, but the problem is
 672         * that we only have a few loop counts to do testing. These
 673         * loop counts may show some slight skew and we produce
 674         * false positives.
 675         *
 676         * Moreover, only old systems show potentially problematic
 677         * jitter entropy that could potentially be caught here. But
 678         * the RNG is intended for hardware that is available or widely
 679         * used, but not old systems that are long out of favor. Thus,
 680         * no statistical tests.
 681         */
 682
 683        /*
 684         * We could add a check for system capabilities such as clock_getres or
 685         * check for CONFIG_X86_TSC, but it does not make much sense as the
 686         * following sanity checks verify that we have a high-resolution
 687         * timer.
 688         */
 689        /*
 690         * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is
 691         * definitely too little.
 692         */
 693#define TESTLOOPCOUNT 300
 694#define CLEARCACHE 100
 695        for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) {
 696                __u64 time = 0;
 697                __u64 time2 = 0;
 698                __u64 folded = 0;
 699                __u64 delta = 0;
 700                unsigned int lowdelta = 0;
 701
 702                jent_get_nstime(&time);
 703                jent_fold_time(NULL, time, &folded, 1<<MIN_FOLD_LOOP_BIT);
 704                jent_get_nstime(&time2);
 705
 706                /* test whether timer works */
 707                if (!time || !time2)
 708                        return JENT_ENOTIME;
 709                delta = time2 - time;
 710                /*
 711                 * test whether timer is fine grained enough to provide
 712                 * delta even when called shortly after each other -- this
 713                 * implies that we also have a high resolution timer
 714                 */
 715                if (!delta)
 716                        return JENT_ECOARSETIME;
 717
 718                /*
 719                 * up to here we did not modify any variable that will be
 720                 * evaluated later, but we already performed some work. Thus we
 721                 * already have had an impact on the caches, branch prediction,
 722                 * etc. with the goal to clear it to get the worst case
 723                 * measurements.
 724                 */
 725                if (CLEARCACHE > i)
 726                        continue;
 727
 728                /* test whether we have an increasing timer */
 729                if (!(time2 > time))
 730                        time_backwards++;
 731
 732                /*
 733                 * Avoid modulo of 64 bit integer to allow code to compile
 734                 * on 32 bit architectures.
 735                 */
 736                lowdelta = time2 - time;
 737                if (!(lowdelta % 100))
 738                        count_mod++;
 739
 740                /*
 741                 * ensure that we have a varying delta timer which is necessary
 742                 * for the calculation of entropy -- perform this check
 743                 * only after the first loop is executed as we need to prime
 744                 * the old_data value
 745                 */
 746                if (i) {
 747                        if (delta != old_delta)
 748                                count_var++;
 749                        if (delta > old_delta)
 750                                delta_sum += (delta - old_delta);
 751                        else
 752                                delta_sum += (old_delta - delta);
 753                }
 754                old_delta = delta;
 755        }
 756
 757        /*
 758         * we allow up to three times the time running backwards.
 759         * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus,
 760         * if such an operation just happens to interfere with our test, it
 761         * should not fail. The value of 3 should cover the NTP case being
 762         * performed during our test run.
 763         */
 764        if (3 < time_backwards)
 765                return JENT_ENOMONOTONIC;
 766        /* Error if the time variances are always identical */
 767        if (!delta_sum)
 768                return JENT_EVARVAR;
 769
 770        /*
 771         * Variations of deltas of time must on average be larger
 772         * than 1 to ensure the entropy estimation
 773         * implied with 1 is preserved
 774         */
 775        if (delta_sum <= 1)
 776                return JENT_EMINVARVAR;
 777
 778        /*
 779         * Ensure that we have variations in the time stamp below 10 for at
 780         * least 10% of all checks -- on some platforms, the counter
 781         * increments in multiples of 100, but not always
 782         */
 783        if ((TESTLOOPCOUNT/10 * 9) < count_mod)
 784                return JENT_ECOARSETIME;
 785
 786        return 0;
 787}
 788