1/* 2 * Non-physical true random number generator based on timing jitter -- 3 * Jitter RNG standalone code. 4 * 5 * Copyright Stephan Mueller <smueller@chronox.de>, 2015 6 * 7 * Design 8 * ====== 9 * 10 * See http://www.chronox.de/jent.html 11 * 12 * License 13 * ======= 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, and the entire permission notice in its entirety, 20 * including the disclaimer of warranties. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 3. The name of the author may not be used to endorse or promote 25 * products derived from this software without specific prior 26 * written permission. 27 * 28 * ALTERNATIVELY, this product may be distributed under the terms of 29 * the GNU General Public License, in which case the provisions of the GPL2 are 30 * required INSTEAD OF the above restrictions. (This clause is 31 * necessary due to a potential bad interaction between the GPL and 32 * the restrictions contained in a BSD-style copyright.) 33 * 34 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 35 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 36 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 37 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 38 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 39 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 40 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 41 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 42 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 43 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 44 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 45 * DAMAGE. 46 */ 47 48/* 49 * This Jitterentropy RNG is based on the jitterentropy library 50 * version 1.1.0 provided at http://www.chronox.de/jent.html 51 */ 52 53#ifdef __OPTIMIZE__ 54 #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c." 55#endif 56 57typedef unsigned long long __u64; 58typedef long long __s64; 59typedef unsigned int __u32; 60#define NULL ((void *) 0) 61 62/* The entropy pool */ 63struct rand_data { 64 /* all data values that are vital to maintain the security 65 * of the RNG are marked as SENSITIVE. A user must not 66 * access that information while the RNG executes its loops to 67 * calculate the next random value. */ 68 __u64 data; /* SENSITIVE Actual random number */ 69 __u64 old_data; /* SENSITIVE Previous random number */ 70 __u64 prev_time; /* SENSITIVE Previous time stamp */ 71#define DATA_SIZE_BITS ((sizeof(__u64)) * 8) 72 __u64 last_delta; /* SENSITIVE stuck test */ 73 __s64 last_delta2; /* SENSITIVE stuck test */ 74 unsigned int stuck:1; /* Time measurement stuck */ 75 unsigned int osr; /* Oversample rate */ 76 unsigned int stir:1; /* Post-processing stirring */ 77 unsigned int disable_unbias:1; /* Deactivate Von-Neuman unbias */ 78#define JENT_MEMORY_BLOCKS 64 79#define JENT_MEMORY_BLOCKSIZE 32 80#define JENT_MEMORY_ACCESSLOOPS 128 81#define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE) 82 unsigned char *mem; /* Memory access location with size of 83 * memblocks * memblocksize */ 84 unsigned int memlocation; /* Pointer to byte in *mem */ 85 unsigned int memblocks; /* Number of memory blocks in *mem */ 86 unsigned int memblocksize; /* Size of one memory block in bytes */ 87 unsigned int memaccessloops; /* Number of memory accesses per random 88 * bit generation */ 89}; 90 91/* Flags that can be used to initialize the RNG */ 92#define JENT_DISABLE_STIR (1<<0) /* Disable stirring the entropy pool */ 93#define JENT_DISABLE_UNBIAS (1<<1) /* Disable the Von-Neuman Unbiaser */ 94#define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more 95 * entropy, saves MEMORY_SIZE RAM for 96 * entropy collector */ 97 98/* -- error codes for init function -- */ 99#define JENT_ENOTIME 1 /* Timer service not available */ 100#define JENT_ECOARSETIME 2 /* Timer too coarse for RNG */ 101#define JENT_ENOMONOTONIC 3 /* Timer is not monotonic increasing */ 102#define JENT_EMINVARIATION 4 /* Timer variations too small for RNG */ 103#define JENT_EVARVAR 5 /* Timer does not produce variations of 104 * variations (2nd derivation of time is 105 * zero). */ 106#define JENT_EMINVARVAR 6 /* Timer variations of variations is tooi 107 * small. */ 108 109/*************************************************************************** 110 * Helper functions 111 ***************************************************************************/ 112 113void jent_get_nstime(__u64 *out); 114__u64 jent_rol64(__u64 word, unsigned int shift); 115void *jent_zalloc(unsigned int len); 116void jent_zfree(void *ptr); 117int jent_fips_enabled(void); 118void jent_panic(char *s); 119void jent_memcpy(void *dest, const void *src, unsigned int n); 120 121/** 122 * Update of the loop count used for the next round of 123 * an entropy collection. 124 * 125 * Input: 126 * @ec entropy collector struct -- may be NULL 127 * @bits is the number of low bits of the timer to consider 128 * @min is the number of bits we shift the timer value to the right at 129 * the end to make sure we have a guaranteed minimum value 130 * 131 * @return Newly calculated loop counter 132 */ 133static __u64 jent_loop_shuffle(struct rand_data *ec, 134 unsigned int bits, unsigned int min) 135{ 136 __u64 time = 0; 137 __u64 shuffle = 0; 138 unsigned int i = 0; 139 unsigned int mask = (1<<bits) - 1; 140 141 jent_get_nstime(&time); 142 /* 143 * mix the current state of the random number into the shuffle 144 * calculation to balance that shuffle a bit more 145 */ 146 if (ec) 147 time ^= ec->data; 148 /* 149 * we fold the time value as much as possible to ensure that as many 150 * bits of the time stamp are included as possible 151 */ 152 for (i = 0; (DATA_SIZE_BITS / bits) > i; i++) { 153 shuffle ^= time & mask; 154 time = time >> bits; 155 } 156 157 /* 158 * We add a lower boundary value to ensure we have a minimum 159 * RNG loop count. 160 */ 161 return (shuffle + (1<<min)); 162} 163 164/*************************************************************************** 165 * Noise sources 166 ***************************************************************************/ 167 168/** 169 * CPU Jitter noise source -- this is the noise source based on the CPU 170 * execution time jitter 171 * 172 * This function folds the time into one bit units by iterating 173 * through the DATA_SIZE_BITS bit time value as follows: assume our time value 174 * is 0xabcd 175 * 1st loop, 1st shift generates 0xd000 176 * 1st loop, 2nd shift generates 0x000d 177 * 2nd loop, 1st shift generates 0xcd00 178 * 2nd loop, 2nd shift generates 0x000c 179 * 3rd loop, 1st shift generates 0xbcd0 180 * 3rd loop, 2nd shift generates 0x000b 181 * 4th loop, 1st shift generates 0xabcd 182 * 4th loop, 2nd shift generates 0x000a 183 * Now, the values at the end of the 2nd shifts are XORed together. 184 * 185 * The code is deliberately inefficient and shall stay that way. This function 186 * is the root cause why the code shall be compiled without optimization. This 187 * function not only acts as folding operation, but this function's execution 188 * is used to measure the CPU execution time jitter. Any change to the loop in 189 * this function implies that careful retesting must be done. 190 * 191 * Input: 192 * @ec entropy collector struct -- may be NULL 193 * @time time stamp to be folded 194 * @loop_cnt if a value not equal to 0 is set, use the given value as number of 195 * loops to perform the folding 196 * 197 * Output: 198 * @folded result of folding operation 199 * 200 * @return Number of loops the folding operation is performed 201 */ 202static __u64 jent_fold_time(struct rand_data *ec, __u64 time, 203 __u64 *folded, __u64 loop_cnt) 204{ 205 unsigned int i; 206 __u64 j = 0; 207 __u64 new = 0; 208#define MAX_FOLD_LOOP_BIT 4 209#define MIN_FOLD_LOOP_BIT 0 210 __u64 fold_loop_cnt = 211 jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT); 212 213 /* 214 * testing purposes -- allow test app to set the counter, not 215 * needed during runtime 216 */ 217 if (loop_cnt) 218 fold_loop_cnt = loop_cnt; 219 for (j = 0; j < fold_loop_cnt; j++) { 220 new = 0; 221 for (i = 1; (DATA_SIZE_BITS) >= i; i++) { 222 __u64 tmp = time << (DATA_SIZE_BITS - i); 223 224 tmp = tmp >> (DATA_SIZE_BITS - 1); 225 new ^= tmp; 226 } 227 } 228 *folded = new; 229 return fold_loop_cnt; 230} 231 232/** 233 * Memory Access noise source -- this is a noise source based on variations in 234 * memory access times 235 * 236 * This function performs memory accesses which will add to the timing 237 * variations due to an unknown amount of CPU wait states that need to be 238 * added when accessing memory. The memory size should be larger than the L1 239 * caches as outlined in the documentation and the associated testing. 240 * 241 * The L1 cache has a very high bandwidth, albeit its access rate is usually 242 * slower than accessing CPU registers. Therefore, L1 accesses only add minimal 243 * variations as the CPU has hardly to wait. Starting with L2, significant 244 * variations are added because L2 typically does not belong to the CPU any more 245 * and therefore a wider range of CPU wait states is necessary for accesses. 246 * L3 and real memory accesses have even a wider range of wait states. However, 247 * to reliably access either L3 or memory, the ec->mem memory must be quite 248 * large which is usually not desirable. 249 * 250 * Input: 251 * @ec Reference to the entropy collector with the memory access data -- if 252 * the reference to the memory block to be accessed is NULL, this noise 253 * source is disabled 254 * @loop_cnt if a value not equal to 0 is set, use the given value as number of 255 * loops to perform the folding 256 * 257 * @return Number of memory access operations 258 */ 259static unsigned int jent_memaccess(struct rand_data *ec, __u64 loop_cnt) 260{ 261 unsigned char *tmpval = NULL; 262 unsigned int wrap = 0; 263 __u64 i = 0; 264#define MAX_ACC_LOOP_BIT 7 265#define MIN_ACC_LOOP_BIT 0 266 __u64 acc_loop_cnt = 267 jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT); 268 269 if (NULL == ec || NULL == ec->mem) 270 return 0; 271 wrap = ec->memblocksize * ec->memblocks; 272 273 /* 274 * testing purposes -- allow test app to set the counter, not 275 * needed during runtime 276 */ 277 if (loop_cnt) 278 acc_loop_cnt = loop_cnt; 279 280 for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) { 281 tmpval = ec->mem + ec->memlocation; 282 /* 283 * memory access: just add 1 to one byte, 284 * wrap at 255 -- memory access implies read 285 * from and write to memory location 286 */ 287 *tmpval = (*tmpval + 1) & 0xff; 288 /* 289 * Addition of memblocksize - 1 to pointer 290 * with wrap around logic to ensure that every 291 * memory location is hit evenly 292 */ 293 ec->memlocation = ec->memlocation + ec->memblocksize - 1; 294 ec->memlocation = ec->memlocation % wrap; 295 } 296 return i; 297} 298 299/*************************************************************************** 300 * Start of entropy processing logic 301 ***************************************************************************/ 302 303/** 304 * Stuck test by checking the: 305 * 1st derivation of the jitter measurement (time delta) 306 * 2nd derivation of the jitter measurement (delta of time deltas) 307 * 3rd derivation of the jitter measurement (delta of delta of time deltas) 308 * 309 * All values must always be non-zero. 310 * 311 * Input: 312 * @ec Reference to entropy collector 313 * @current_delta Jitter time delta 314 * 315 * @return 316 * 0 jitter measurement not stuck (good bit) 317 * 1 jitter measurement stuck (reject bit) 318 */ 319static void jent_stuck(struct rand_data *ec, __u64 current_delta) 320{ 321 __s64 delta2 = ec->last_delta - current_delta; 322 __s64 delta3 = delta2 - ec->last_delta2; 323 324 ec->last_delta = current_delta; 325 ec->last_delta2 = delta2; 326 327 if (!current_delta || !delta2 || !delta3) 328 ec->stuck = 1; 329} 330 331/** 332 * This is the heart of the entropy generation: calculate time deltas and 333 * use the CPU jitter in the time deltas. The jitter is folded into one 334 * bit. You can call this function the "random bit generator" as it 335 * produces one random bit per invocation. 336 * 337 * WARNING: ensure that ->prev_time is primed before using the output 338 * of this function! This can be done by calling this function 339 * and not using its result. 340 * 341 * Input: 342 * @entropy_collector Reference to entropy collector 343 * 344 * @return One random bit 345 */ 346static __u64 jent_measure_jitter(struct rand_data *ec) 347{ 348 __u64 time = 0; 349 __u64 data = 0; 350 __u64 current_delta = 0; 351 352 /* Invoke one noise source before time measurement to add variations */ 353 jent_memaccess(ec, 0); 354 355 /* 356 * Get time stamp and calculate time delta to previous 357 * invocation to measure the timing variations 358 */ 359 jent_get_nstime(&time); 360 current_delta = time - ec->prev_time; 361 ec->prev_time = time; 362 363 /* Now call the next noise sources which also folds the data */ 364 jent_fold_time(ec, current_delta, &data, 0); 365 366 /* 367 * Check whether we have a stuck measurement. The enforcement 368 * is performed after the stuck value has been mixed into the 369 * entropy pool. 370 */ 371 jent_stuck(ec, current_delta); 372 373 return data; 374} 375 376/** 377 * Von Neuman unbias as explained in RFC 4086 section 4.2. As shown in the 378 * documentation of that RNG, the bits from jent_measure_jitter are considered 379 * independent which implies that the Von Neuman unbias operation is applicable. 380 * A proof of the Von-Neumann unbias operation to remove skews is given in the 381 * document "A proposal for: Functionality classes for random number 382 * generators", version 2.0 by Werner Schindler, section 5.4.1. 383 * 384 * Input: 385 * @entropy_collector Reference to entropy collector 386 * 387 * @return One random bit 388 */ 389static __u64 jent_unbiased_bit(struct rand_data *entropy_collector) 390{ 391 do { 392 __u64 a = jent_measure_jitter(entropy_collector); 393 __u64 b = jent_measure_jitter(entropy_collector); 394 395 if (a == b) 396 continue; 397 if (1 == a) 398 return 1; 399 else 400 return 0; 401 } while (1); 402} 403 404/** 405 * Shuffle the pool a bit by mixing some value with a bijective function (XOR) 406 * into the pool. 407 * 408 * The function generates a mixer value that depends on the bits set and the 409 * location of the set bits in the random number generated by the entropy 410 * source. Therefore, based on the generated random number, this mixer value 411 * can have 2**64 different values. That mixer value is initialized with the 412 * first two SHA-1 constants. After obtaining the mixer value, it is XORed into 413 * the random number. 414 * 415 * The mixer value is not assumed to contain any entropy. But due to the XOR 416 * operation, it can also not destroy any entropy present in the entropy pool. 417 * 418 * Input: 419 * @entropy_collector Reference to entropy collector 420 */ 421static void jent_stir_pool(struct rand_data *entropy_collector) 422{ 423 /* 424 * to shut up GCC on 32 bit, we have to initialize the 64 variable 425 * with two 32 bit variables 426 */ 427 union c { 428 __u64 u64; 429 __u32 u32[2]; 430 }; 431 /* 432 * This constant is derived from the first two 32 bit initialization 433 * vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1 434 */ 435 union c constant; 436 /* 437 * The start value of the mixer variable is derived from the third 438 * and fourth 32 bit initialization vector of SHA-1 as defined in 439 * FIPS 180-4 section 5.3.1 440 */ 441 union c mixer; 442 unsigned int i = 0; 443 444 /* 445 * Store the SHA-1 constants in reverse order to make up the 64 bit 446 * value -- this applies to a little endian system, on a big endian 447 * system, it reverses as expected. But this really does not matter 448 * as we do not rely on the specific numbers. We just pick the SHA-1 449 * constants as they have a good mix of bit set and unset. 450 */ 451 constant.u32[1] = 0x67452301; 452 constant.u32[0] = 0xefcdab89; 453 mixer.u32[1] = 0x98badcfe; 454 mixer.u32[0] = 0x10325476; 455 456 for (i = 0; i < DATA_SIZE_BITS; i++) { 457 /* 458 * get the i-th bit of the input random number and only XOR 459 * the constant into the mixer value when that bit is set 460 */ 461 if ((entropy_collector->data >> i) & 1) 462 mixer.u64 ^= constant.u64; 463 mixer.u64 = jent_rol64(mixer.u64, 1); 464 } 465 entropy_collector->data ^= mixer.u64; 466} 467 468/** 469 * Generator of one 64 bit random number 470 * Function fills rand_data->data 471 * 472 * Input: 473 * @ec Reference to entropy collector 474 */ 475static void jent_gen_entropy(struct rand_data *ec) 476{ 477 unsigned int k = 0; 478 479 /* priming of the ->prev_time value */ 480 jent_measure_jitter(ec); 481 482 while (1) { 483 __u64 data = 0; 484 485 if (ec->disable_unbias == 1) 486 data = jent_measure_jitter(ec); 487 else 488 data = jent_unbiased_bit(ec); 489 490 /* enforcement of the jent_stuck test */ 491 if (ec->stuck) { 492 /* 493 * We only mix in the bit considered not appropriate 494 * without the LSFR. The reason is that if we apply 495 * the LSFR and we do not rotate, the 2nd bit with LSFR 496 * will cancel out the first LSFR application on the 497 * bad bit. 498 * 499 * And we do not rotate as we apply the next bit to the 500 * current bit location again. 501 */ 502 ec->data ^= data; 503 ec->stuck = 0; 504 continue; 505 } 506 507 /* 508 * Fibonacci LSFR with polynom of 509 * x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is 510 * primitive according to 511 * http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf 512 * (the shift values are the polynom values minus one 513 * due to counting bits from 0 to 63). As the current 514 * position is always the LSB, the polynom only needs 515 * to shift data in from the left without wrap. 516 */ 517 ec->data ^= data; 518 ec->data ^= ((ec->data >> 63) & 1); 519 ec->data ^= ((ec->data >> 60) & 1); 520 ec->data ^= ((ec->data >> 55) & 1); 521 ec->data ^= ((ec->data >> 30) & 1); 522 ec->data ^= ((ec->data >> 27) & 1); 523 ec->data ^= ((ec->data >> 22) & 1); 524 ec->data = jent_rol64(ec->data, 1); 525 526 /* 527 * We multiply the loop value with ->osr to obtain the 528 * oversampling rate requested by the caller 529 */ 530 if (++k >= (DATA_SIZE_BITS * ec->osr)) 531 break; 532 } 533 if (ec->stir) 534 jent_stir_pool(ec); 535} 536 537/** 538 * The continuous test required by FIPS 140-2 -- the function automatically 539 * primes the test if needed. 540 * 541 * Return: 542 * 0 if FIPS test passed 543 * < 0 if FIPS test failed 544 */ 545static void jent_fips_test(struct rand_data *ec) 546{ 547 if (!jent_fips_enabled()) 548 return; 549 550 /* prime the FIPS test */ 551 if (!ec->old_data) { 552 ec->old_data = ec->data; 553 jent_gen_entropy(ec); 554 } 555 556 if (ec->data == ec->old_data) 557 jent_panic("jitterentropy: Duplicate output detected\n"); 558 559 ec->old_data = ec->data; 560} 561 562/** 563 * Entry function: Obtain entropy for the caller. 564 * 565 * This function invokes the entropy gathering logic as often to generate 566 * as many bytes as requested by the caller. The entropy gathering logic 567 * creates 64 bit per invocation. 568 * 569 * This function truncates the last 64 bit entropy value output to the exact 570 * size specified by the caller. 571 * 572 * Input: 573 * @ec Reference to entropy collector 574 * @data pointer to buffer for storing random data -- buffer must already 575 * exist 576 * @len size of the buffer, specifying also the requested number of random 577 * in bytes 578 * 579 * @return 0 when request is fulfilled or an error 580 * 581 * The following error codes can occur: 582 * -1 entropy_collector is NULL 583 */ 584int jent_read_entropy(struct rand_data *ec, unsigned char *data, 585 unsigned int len) 586{ 587 unsigned char *p = data; 588 589 if (!ec) 590 return -1; 591 592 while (0 < len) { 593 unsigned int tocopy; 594 595 jent_gen_entropy(ec); 596 jent_fips_test(ec); 597 if ((DATA_SIZE_BITS / 8) < len) 598 tocopy = (DATA_SIZE_BITS / 8); 599 else 600 tocopy = len; 601 jent_memcpy(p, &ec->data, tocopy); 602 603 len -= tocopy; 604 p += tocopy; 605 } 606 607 return 0; 608} 609 610/*************************************************************************** 611 * Initialization logic 612 ***************************************************************************/ 613 614struct rand_data *jent_entropy_collector_alloc(unsigned int osr, 615 unsigned int flags) 616{ 617 struct rand_data *entropy_collector; 618 619 entropy_collector = jent_zalloc(sizeof(struct rand_data)); 620 if (!entropy_collector) 621 return NULL; 622 623 if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) { 624 /* Allocate memory for adding variations based on memory 625 * access 626 */ 627 entropy_collector->mem = jent_zalloc(JENT_MEMORY_SIZE); 628 if (!entropy_collector->mem) { 629 jent_zfree(entropy_collector); 630 return NULL; 631 } 632 entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE; 633 entropy_collector->memblocks = JENT_MEMORY_BLOCKS; 634 entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; 635 } 636 637 /* verify and set the oversampling rate */ 638 if (0 == osr) 639 osr = 1; /* minimum sampling rate is 1 */ 640 entropy_collector->osr = osr; 641 642 entropy_collector->stir = 1; 643 if (flags & JENT_DISABLE_STIR) 644 entropy_collector->stir = 0; 645 if (flags & JENT_DISABLE_UNBIAS) 646 entropy_collector->disable_unbias = 1; 647 648 /* fill the data pad with non-zero values */ 649 jent_gen_entropy(entropy_collector); 650 651 return entropy_collector; 652} 653 654void jent_entropy_collector_free(struct rand_data *entropy_collector) 655{ 656 jent_zfree(entropy_collector->mem); 657 entropy_collector->mem = NULL; 658 jent_zfree(entropy_collector); 659 entropy_collector = NULL; 660} 661 662int jent_entropy_init(void) 663{ 664 int i; 665 __u64 delta_sum = 0; 666 __u64 old_delta = 0; 667 int time_backwards = 0; 668 int count_var = 0; 669 int count_mod = 0; 670 671 /* We could perform statistical tests here, but the problem is 672 * that we only have a few loop counts to do testing. These 673 * loop counts may show some slight skew and we produce 674 * false positives. 675 * 676 * Moreover, only old systems show potentially problematic 677 * jitter entropy that could potentially be caught here. But 678 * the RNG is intended for hardware that is available or widely 679 * used, but not old systems that are long out of favor. Thus, 680 * no statistical tests. 681 */ 682 683 /* 684 * We could add a check for system capabilities such as clock_getres or 685 * check for CONFIG_X86_TSC, but it does not make much sense as the 686 * following sanity checks verify that we have a high-resolution 687 * timer. 688 */ 689 /* 690 * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is 691 * definitely too little. 692 */ 693#define TESTLOOPCOUNT 300 694#define CLEARCACHE 100 695 for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) { 696 __u64 time = 0; 697 __u64 time2 = 0; 698 __u64 folded = 0; 699 __u64 delta = 0; 700 unsigned int lowdelta = 0; 701 702 jent_get_nstime(&time); 703 jent_fold_time(NULL, time, &folded, 1<<MIN_FOLD_LOOP_BIT); 704 jent_get_nstime(&time2); 705 706 /* test whether timer works */ 707 if (!time || !time2) 708 return JENT_ENOTIME; 709 delta = time2 - time; 710 /* 711 * test whether timer is fine grained enough to provide 712 * delta even when called shortly after each other -- this 713 * implies that we also have a high resolution timer 714 */ 715 if (!delta) 716 return JENT_ECOARSETIME; 717 718 /* 719 * up to here we did not modify any variable that will be 720 * evaluated later, but we already performed some work. Thus we 721 * already have had an impact on the caches, branch prediction, 722 * etc. with the goal to clear it to get the worst case 723 * measurements. 724 */ 725 if (CLEARCACHE > i) 726 continue; 727 728 /* test whether we have an increasing timer */ 729 if (!(time2 > time)) 730 time_backwards++; 731 732 /* 733 * Avoid modulo of 64 bit integer to allow code to compile 734 * on 32 bit architectures. 735 */ 736 lowdelta = time2 - time; 737 if (!(lowdelta % 100)) 738 count_mod++; 739 740 /* 741 * ensure that we have a varying delta timer which is necessary 742 * for the calculation of entropy -- perform this check 743 * only after the first loop is executed as we need to prime 744 * the old_data value 745 */ 746 if (i) { 747 if (delta != old_delta) 748 count_var++; 749 if (delta > old_delta) 750 delta_sum += (delta - old_delta); 751 else 752 delta_sum += (old_delta - delta); 753 } 754 old_delta = delta; 755 } 756 757 /* 758 * we allow up to three times the time running backwards. 759 * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus, 760 * if such an operation just happens to interfere with our test, it 761 * should not fail. The value of 3 should cover the NTP case being 762 * performed during our test run. 763 */ 764 if (3 < time_backwards) 765 return JENT_ENOMONOTONIC; 766 /* Error if the time variances are always identical */ 767 if (!delta_sum) 768 return JENT_EVARVAR; 769 770 /* 771 * Variations of deltas of time must on average be larger 772 * than 1 to ensure the entropy estimation 773 * implied with 1 is preserved 774 */ 775 if (delta_sum <= 1) 776 return JENT_EMINVARVAR; 777 778 /* 779 * Ensure that we have variations in the time stamp below 10 for at 780 * least 10% of all checks -- on some platforms, the counter 781 * increments in multiples of 100, but not always 782 */ 783 if ((TESTLOOPCOUNT/10 * 9) < count_mod) 784 return JENT_ECOARSETIME; 785 786 return 0; 787} 788