1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 /*
27 * Software based random number provider for the Kernel Cryptographic
28 * Framework (KCF). This provider periodically collects unpredictable input
29 * from external sources and processes it into a pool of entropy (randomness)
30 * in order to satisfy requests for random bits from kCF. It implements
31 * software-based mixing, extraction, and generation algorithms.
32 *
33 * A history note: The software-based algorithms in this file used to be
34 * part of the /dev/random driver.
35 */
36
37 #include <sys/types.h>
38 #include <sys/errno.h>
39 #include <sys/debug.h>
40 #include <vm/seg_kmem.h>
41 #include <vm/hat.h>
42 #include <sys/systm.h>
43 #include <sys/memlist.h>
44 #include <sys/cmn_err.h>
45 #include <sys/ksynch.h>
46 #include <sys/random.h>
47 #include <sys/ddi.h>
48 #include <sys/mman.h>
49 #include <sys/sysmacros.h>
50 #include <sys/mem_config.h>
51 #include <sys/time.h>
52 #include <sys/crypto/spi.h>
53 #include <sys/sha1.h>
54 #include <sys/sunddi.h>
55 #include <sys/modctl.h>
56 #include <sys/hold_page.h>
57 #include <rng/fips_random.h>
58
59 #define RNDPOOLSIZE 1024 /* Pool size in bytes */
60 #define HASHBUFSIZE 64 /* Buffer size used for pool mixing */
61 #define MAXMEMBLOCKS 16384 /* Number of memory blocks to scan */
62 #define MEMBLOCKSIZE 4096 /* Size of memory block to read */
63 #define MINEXTRACTBITS 160 /* Min entropy level for extraction */
64 #define TIMEOUT_INTERVAL 5 /* Periodic mixing interval in secs */
65
66 /* Hash-algo generic definitions. For now, they are SHA1's. */
67 #define HASHSIZE 20
68 #define HASH_CTX SHA1_CTX
69 #define HashInit(ctx) SHA1Init((ctx))
70 #define HashUpdate(ctx, p, s) SHA1Update((ctx), (p), (s))
71 #define HashFinal(d, ctx) SHA1Final((d), (ctx))
72
73 /* Physical memory entropy source */
74 typedef struct physmem_entsrc_s {
75 uint8_t *parity; /* parity bit vector */
76 caddr_t pmbuf; /* buffer for memory block */
77 uint32_t nblocks; /* number of memory blocks */
78 int entperblock; /* entropy bits per block read */
79 hrtime_t last_diff; /* previous time to process a block */
80 hrtime_t last_delta; /* previous time delta */
81 hrtime_t last_delta2; /* previous 2nd order time delta */
82 } physmem_entsrc_t;
83
84 static uint32_t srndpool[RNDPOOLSIZE/4]; /* Pool of random bits */
85 static uint32_t buffer[RNDPOOLSIZE/4]; /* entropy mixed in later */
86 static int buffer_bytes; /* bytes written to buffer */
87 static uint32_t entropy_bits; /* pool's current amount of entropy */
88 static kmutex_t srndpool_lock; /* protects r/w accesses to the pool, */
89 /* and the global variables */
90 static kmutex_t buffer_lock; /* protects r/w accesses to buffer */
91 static kcondvar_t srndpool_read_cv; /* serializes poll/read syscalls */
92 static int pindex; /* Global index for adding/extracting */
93 /* from the pool */
94 static int bstart, bindex; /* Global vars for adding/extracting */
95 /* from the buffer */
96 static uint8_t leftover[HASHSIZE]; /* leftover output */
97 static uint32_t swrand_XKEY[6]; /* one extra word for getentropy */
98 static int leftover_bytes; /* leftover length */
99 static uint32_t previous_bytes[HASHSIZE/BYTES_IN_WORD]; /* prev random bytes */
100
101 static physmem_entsrc_t entsrc; /* Physical mem as an entropy source */
102 static timeout_id_t rnd_timeout_id;
103 static int snum_waiters;
104 static crypto_kcf_provider_handle_t swrand_prov_handle = NULL;
105 swrand_stats_t swrand_stats;
106
107 static int physmem_ent_init(physmem_entsrc_t *);
108 static void physmem_ent_fini(physmem_entsrc_t *);
109 static void physmem_ent_gen(physmem_entsrc_t *);
110 static int physmem_parity_update(uint8_t *, uint32_t, int);
111 static void physmem_count_blocks();
112 static void rnd_dr_callback_post_add(void *, pgcnt_t);
113 static int rnd_dr_callback_pre_del(void *, pgcnt_t);
114 static void rnd_dr_callback_post_del(void *, pgcnt_t, int);
115 static void rnd_handler(void *arg);
116 static void swrand_init();
117 static void swrand_schedule_timeout(void);
118 static int swrand_get_entropy(uint8_t *ptr, size_t len, boolean_t);
119 static void swrand_add_entropy(uint8_t *ptr, size_t len, uint16_t entropy_est);
120 static void swrand_add_entropy_later(uint8_t *ptr, size_t len);
121
122 /* Dynamic Reconfiguration related declarations */
123 kphysm_setup_vector_t rnd_dr_callback_vec = {
124 KPHYSM_SETUP_VECTOR_VERSION,
125 rnd_dr_callback_post_add,
126 rnd_dr_callback_pre_del,
127 rnd_dr_callback_post_del
128 };
129
130 extern struct mod_ops mod_cryptoops;
131
132 /*
133 * Module linkage information for the kernel.
134 */
135 static struct modlcrypto modlcrypto = {
136 &mod_cryptoops,
137 "Kernel Random number Provider"
138 };
139
140 static struct modlinkage modlinkage = {
141 MODREV_1,
142 (void *)&modlcrypto,
143 NULL
144 };
145
146 /*
147 * CSPI information (entry points, provider info, etc.)
148 */
149 static void swrand_provider_status(crypto_provider_handle_t, uint_t *);
150
151 static crypto_control_ops_t swrand_control_ops = {
152 swrand_provider_status
153 };
154
155 static int swrand_seed_random(crypto_provider_handle_t, crypto_session_id_t,
156 uchar_t *, size_t, uint_t, uint32_t, crypto_req_handle_t);
157 static int swrand_generate_random(crypto_provider_handle_t,
158 crypto_session_id_t, uchar_t *, size_t, crypto_req_handle_t);
159
160 static crypto_random_number_ops_t swrand_random_number_ops = {
161 swrand_seed_random,
162 swrand_generate_random
163 };
164
165 static crypto_ops_t swrand_crypto_ops = {
166 &swrand_control_ops,
167 NULL,
168 NULL,
169 NULL,
170 NULL,
171 NULL,
172 NULL,
173 NULL,
174 &swrand_random_number_ops,
175 NULL,
176 NULL,
177 NULL,
178 NULL,
179 NULL,
180 NULL,
181 NULL,
182 NULL,
183 };
184
185 static crypto_provider_info_t swrand_prov_info = {
186 CRYPTO_SPI_VERSION_4,
187 "Kernel Random Number Provider",
188 CRYPTO_SW_PROVIDER,
189 {&modlinkage},
190 NULL,
191 &swrand_crypto_ops,
192 0,
193 NULL
194 };
195
196 int
197 _init(void)
198 {
199 int ret;
200 hrtime_t ts;
201 time_t now;
202
203 mutex_init(&srndpool_lock, NULL, MUTEX_DEFAULT, NULL);
204 mutex_init(&buffer_lock, NULL, MUTEX_DEFAULT, NULL);
205 cv_init(&srndpool_read_cv, NULL, CV_DEFAULT, NULL);
206 entropy_bits = 0;
207 pindex = 0;
208 bindex = 0;
209 bstart = 0;
210 snum_waiters = 0;
211 leftover_bytes = 0;
212 buffer_bytes = 0;
213
214 /*
215 * Initialize the pool using
216 * . 2 unpredictable times: high resolution time since the boot-time,
217 * and the current time-of-the day.
218 * . The initial physical memory state.
219 */
220 ts = gethrtime();
221 swrand_add_entropy((uint8_t *)&ts, sizeof (ts), 0);
222
223 (void) drv_getparm(TIME, &now);
224 swrand_add_entropy((uint8_t *)&now, sizeof (now), 0);
225
226 ret = kphysm_setup_func_register(&rnd_dr_callback_vec, NULL);
227 ASSERT(ret == 0);
228
229 if (physmem_ent_init(&entsrc) != 0) {
230 ret = ENOMEM;
231 goto exit1;
232 }
233
234 if ((ret = mod_install(&modlinkage)) != 0)
235 goto exit2;
236
237 /* Schedule periodic mixing of the pool. */
238 mutex_enter(&srndpool_lock);
239 swrand_schedule_timeout();
240 mutex_exit(&srndpool_lock);
241 (void) swrand_get_entropy((uint8_t *)swrand_XKEY, HASHSIZE, B_TRUE);
242 bcopy(swrand_XKEY, previous_bytes, HASHSIZE);
243
244 /* Register with KCF. If the registration fails, return error. */
245 if (crypto_register_provider(&swrand_prov_info, &swrand_prov_handle)) {
246 (void) mod_remove(&modlinkage);
247 ret = EACCES;
248 goto exit2;
249 }
250
251 return (0);
252
253 exit2:
254 physmem_ent_fini(&entsrc);
255 exit1:
256 mutex_destroy(&srndpool_lock);
257 mutex_destroy(&buffer_lock);
258 cv_destroy(&srndpool_read_cv);
259 return (ret);
260 }
261
262 int
263 _info(struct modinfo *modinfop)
264 {
265 return (mod_info(&modlinkage, modinfop));
266 }
267
268 /*
269 * Control entry points.
270 */
271 /* ARGSUSED */
272 static void
273 swrand_provider_status(crypto_provider_handle_t provider, uint_t *status)
274 {
275 *status = CRYPTO_PROVIDER_READY;
276 }
277
278 /*
279 * Random number entry points.
280 */
281 /* ARGSUSED */
282 static int
283 swrand_seed_random(crypto_provider_handle_t provider, crypto_session_id_t sid,
284 uchar_t *buf, size_t len, uint_t entropy_est, uint32_t flags,
285 crypto_req_handle_t req)
286 {
287 /* The entropy estimate is always 0 in this path */
288 if (flags & CRYPTO_SEED_NOW)
289 swrand_add_entropy(buf, len, 0);
290 else
291 swrand_add_entropy_later(buf, len);
292 return (CRYPTO_SUCCESS);
293 }
294
295 /* ARGSUSED */
296 static int
297 swrand_generate_random(crypto_provider_handle_t provider,
298 crypto_session_id_t sid, uchar_t *buf, size_t len, crypto_req_handle_t req)
299 {
300 if (crypto_kmflag(req) == KM_NOSLEEP)
301 (void) swrand_get_entropy(buf, len, B_TRUE);
302 else
303 (void) swrand_get_entropy(buf, len, B_FALSE);
304
305 return (CRYPTO_SUCCESS);
306 }
307
308 /*
309 * Extraction of entropy from the pool.
310 *
311 * Returns "len" random bytes in *ptr.
312 * Try to gather some more entropy by calling physmem_ent_gen() when less than
313 * MINEXTRACTBITS are present in the pool.
314 * Will block if not enough entropy was available and the call is blocking.
315 */
316 static int
317 swrand_get_entropy(uint8_t *ptr, size_t len, boolean_t nonblock)
318 {
319 int i, bytes;
320 HASH_CTX hashctx;
321 uint8_t digest[HASHSIZE], *pool;
322 uint32_t tempout[HASHSIZE/BYTES_IN_WORD];
323 int size;
324
325 mutex_enter(&srndpool_lock);
326 if (leftover_bytes > 0) {
327 bytes = min(len, leftover_bytes);
328 bcopy(leftover, ptr, bytes);
329 len -= bytes;
330 ptr += bytes;
331 leftover_bytes -= bytes;
332 if (leftover_bytes > 0)
333 ovbcopy(leftover+bytes, leftover, leftover_bytes);
334 }
335
336 while (len > 0) {
337 /* Check if there is enough entropy */
338 while (entropy_bits < MINEXTRACTBITS) {
339
340 physmem_ent_gen(&entsrc);
341
342 if (entropy_bits < MINEXTRACTBITS &&
343 nonblock == B_TRUE) {
344 mutex_exit(&srndpool_lock);
345 return (EAGAIN);
346 }
347
348 if (entropy_bits < MINEXTRACTBITS) {
349 ASSERT(nonblock == B_FALSE);
350 snum_waiters++;
351 if (cv_wait_sig(&srndpool_read_cv,
352 &srndpool_lock) == 0) {
353 snum_waiters--;
354 mutex_exit(&srndpool_lock);
355 return (EINTR);
356 }
357 snum_waiters--;
358 }
359 }
360
361 /* Figure out how many bytes to extract */
362 bytes = min(HASHSIZE, len);
363 bytes = min(bytes, CRYPTO_BITS2BYTES(entropy_bits));
364 entropy_bits -= CRYPTO_BYTES2BITS(bytes);
365 BUMP_SWRAND_STATS(ss_entOut, CRYPTO_BYTES2BITS(bytes));
366 swrand_stats.ss_entEst = entropy_bits;
367
368 /* Extract entropy by hashing pool content */
369 HashInit(&hashctx);
370 HashUpdate(&hashctx, (uint8_t *)srndpool, RNDPOOLSIZE);
371 HashFinal(digest, &hashctx);
372
373 /*
374 * Feed the digest back into the pool so next
375 * extraction produces different result
376 */
377 pool = (uint8_t *)srndpool;
378 for (i = 0; i < HASHSIZE; i++) {
379 pool[pindex++] ^= digest[i];
380 /* pindex modulo RNDPOOLSIZE */
381 pindex &= (RNDPOOLSIZE - 1);
382 }
383
384 /* LINTED E_BAD_PTR_CAST_ALIGN */
385 fips_random_inner(swrand_XKEY, tempout, (uint32_t *)digest);
386
387 if (len >= HASHSIZE) {
388 size = HASHSIZE;
389 } else {
390 size = min(bytes, HASHSIZE);
391 }
392
393 /*
394 * FIPS 140-2: Continuous RNG test - each generation
395 * of an n-bit block shall be compared with the previously
396 * generated block. Test shall fail if any two compared
397 * n-bit blocks are equal.
398 */
399 for (i = 0; i < HASHSIZE/BYTES_IN_WORD; i++) {
400 if (tempout[i] != previous_bytes[i])
401 break;
402 }
403
404 if (i == HASHSIZE/BYTES_IN_WORD) {
405 cmn_err(CE_WARN, "swrand: The value of 160-bit block "
406 "random bytes are same as the previous one.\n");
407 /* discard random bytes and return error */
408 return (EIO);
409 }
410
411 bcopy(tempout, previous_bytes, HASHSIZE);
412
413 bcopy(tempout, ptr, size);
414 if (len < HASHSIZE) {
415 leftover_bytes = HASHSIZE - bytes;
416 bcopy((uint8_t *)tempout + bytes, leftover,
417 leftover_bytes);
418 }
419
420 ptr += size;
421 len -= size;
422 BUMP_SWRAND_STATS(ss_bytesOut, size);
423 }
424
425 /* Zero out sensitive information */
426 bzero(digest, HASHSIZE);
427 bzero(tempout, HASHSIZE);
428 mutex_exit(&srndpool_lock);
429 return (0);
430 }
431
432 #define SWRAND_ADD_BYTES(ptr, len, i, pool) \
433 ASSERT((ptr) != NULL && (len) > 0); \
434 BUMP_SWRAND_STATS(ss_bytesIn, (len)); \
435 while ((len)--) { \
436 (pool)[(i)++] ^= *(ptr); \
437 (ptr)++; \
438 (i) &= (RNDPOOLSIZE - 1); \
439 }
440
441 /* Write some more user-provided entropy to the pool */
442 static void
443 swrand_add_bytes(uint8_t *ptr, size_t len)
444 {
445 uint8_t *pool = (uint8_t *)srndpool;
446
447 ASSERT(MUTEX_HELD(&srndpool_lock));
448 SWRAND_ADD_BYTES(ptr, len, pindex, pool);
449 }
450
451 /*
452 * Add bytes to buffer. Adding the buffer to the random pool
453 * is deferred until the random pool is mixed.
454 */
455 static void
456 swrand_add_bytes_later(uint8_t *ptr, size_t len)
457 {
458 uint8_t *pool = (uint8_t *)buffer;
459
460 ASSERT(MUTEX_HELD(&buffer_lock));
461 SWRAND_ADD_BYTES(ptr, len, bindex, pool);
462 buffer_bytes += len;
463 }
464
465 #undef SWRAND_ADD_BYTES
466
467 /* Mix the pool */
468 static void
469 swrand_mix_pool(uint16_t entropy_est)
470 {
471 int i, j, k, start;
472 HASH_CTX hashctx;
473 uint8_t digest[HASHSIZE];
474 uint8_t *pool = (uint8_t *)srndpool;
475 uint8_t *bp = (uint8_t *)buffer;
476
477 ASSERT(MUTEX_HELD(&srndpool_lock));
478
479 /* add deferred bytes */
480 mutex_enter(&buffer_lock);
481 if (buffer_bytes > 0) {
482 if (buffer_bytes >= RNDPOOLSIZE) {
483 for (i = 0; i < RNDPOOLSIZE/4; i++) {
484 srndpool[i] ^= buffer[i];
485 buffer[i] = 0;
486 }
487 bstart = bindex = 0;
488 } else {
489 for (i = 0; i < buffer_bytes; i++) {
490 pool[pindex++] ^= bp[bstart];
491 bp[bstart++] = 0;
492 pindex &= (RNDPOOLSIZE - 1);
493 bstart &= (RNDPOOLSIZE - 1);
494 }
495 ASSERT(bstart == bindex);
496 }
497 buffer_bytes = 0;
498 }
499 mutex_exit(&buffer_lock);
500
501 start = 0;
502 for (i = 0; i < RNDPOOLSIZE/HASHSIZE + 1; i++) {
503 HashInit(&hashctx);
504
505 /* Hash a buffer centered on a block in the pool */
506 if (start + HASHBUFSIZE <= RNDPOOLSIZE)
507 HashUpdate(&hashctx, &pool[start], HASHBUFSIZE);
508 else {
509 HashUpdate(&hashctx, &pool[start],
510 RNDPOOLSIZE - start);
511 HashUpdate(&hashctx, pool,
512 HASHBUFSIZE - RNDPOOLSIZE + start);
513 }
514 HashFinal(digest, &hashctx);
515
516 /* XOR the hash result back into the block */
517 k = (start + HASHSIZE) & (RNDPOOLSIZE - 1);
518 for (j = 0; j < HASHSIZE; j++) {
519 pool[k++] ^= digest[j];
520 k &= (RNDPOOLSIZE - 1);
521 }
522
523 /* Slide the hash buffer and repeat with next block */
524 start = (start + HASHSIZE) & (RNDPOOLSIZE - 1);
525 }
526
527 entropy_bits += entropy_est;
528 if (entropy_bits > CRYPTO_BYTES2BITS(RNDPOOLSIZE))
529 entropy_bits = CRYPTO_BYTES2BITS(RNDPOOLSIZE);
530
531 swrand_stats.ss_entEst = entropy_bits;
532 BUMP_SWRAND_STATS(ss_entIn, entropy_est);
533 }
534
535 static void
536 swrand_add_entropy_later(uint8_t *ptr, size_t len)
537 {
538 mutex_enter(&buffer_lock);
539 swrand_add_bytes_later(ptr, len);
540 mutex_exit(&buffer_lock);
541 }
542
543 static void
544 swrand_add_entropy(uint8_t *ptr, size_t len, uint16_t entropy_est)
545 {
546 mutex_enter(&srndpool_lock);
547 swrand_add_bytes(ptr, len);
548 swrand_mix_pool(entropy_est);
549 mutex_exit(&srndpool_lock);
550 }
551
552 /*
553 * The physmem_* routines below generate entropy by reading blocks of
554 * physical memory. Entropy is gathered in a couple of ways:
555 *
556 * - By reading blocks of physical memory and detecting if changes
557 * occurred in the blocks read.
558 *
559 * - By measuring the time it takes to load and hash a block of memory
560 * and computing the differences in the measured time.
561 *
562 * The first method was used in the CryptoRand implementation. Physical
563 * memory is divided into blocks of fixed size. A block of memory is
564 * chosen from the possible blocks and hashed to produce a digest. This
565 * digest is then mixed into the pool. A single bit from the digest is
566 * used as a parity bit or "checksum" and compared against the previous
567 * "checksum" computed for the block. If the single-bit checksum has not
568 * changed, no entropy is credited to the pool. If there is a change,
569 * then the assumption is that at least one bit in the block has changed.
570 * The possible locations within the memory block of where the bit change
571 * occurred is used as a measure of entropy. For example, if a block
572 * size of 4096 bytes is used, about log_2(4096*8)=15 bits worth of
573 * entropy is available. Because the single-bit checksum will miss half
574 * of the changes, the amount of entropy credited to the pool is doubled
575 * when a change is detected. With a 4096 byte block size, a block
576 * change will add a total of 30 bits of entropy to the pool.
577 *
578 * The second method measures the amount of time it takes to read and
579 * hash a physical memory block (as described above). The time measured
580 * can vary depending on system load, scheduling and other factors.
581 * Differences between consecutive measurements are computed to come up
582 * with an entropy estimate. The first, second, and third order delta is
583 * calculated to determine the minimum delta value. The number of bits
584 * present in this minimum delta value is the entropy estimate. This
585 * entropy estimation technique using time deltas is similar to that used
586 * in /dev/random implementations from Linux/BSD.
587 */
588
589 static int
590 physmem_ent_init(physmem_entsrc_t *entsrc)
591 {
592 uint8_t *ptr;
593 int i;
594
595 bzero(entsrc, sizeof (*entsrc));
596
597 /*
598 * The maximum entropy amount in bits per block of memory read is
599 * log_2(MEMBLOCKSIZE * 8);
600 */
601 i = CRYPTO_BYTES2BITS(MEMBLOCKSIZE);
602 while (i >>= 1)
603 entsrc->entperblock++;
604
605 /* Initialize entsrc->nblocks */
606 physmem_count_blocks();
607
608 if (entsrc->nblocks == 0) {
609 cmn_err(CE_WARN, "no memory blocks to scan!");
610 return (-1);
611 }
612
613 /* Allocate space for the parity vector and memory page */
614 entsrc->parity = kmem_alloc(howmany(entsrc->nblocks, 8),
615 KM_SLEEP);
616 entsrc->pmbuf = vmem_alloc(heap_arena, PAGESIZE, VM_SLEEP);
617
618
619 /* Initialize parity vector with bits from the pool */
620 i = howmany(entsrc->nblocks, 8);
621 ptr = entsrc->parity;
622 while (i > 0) {
623 if (i > RNDPOOLSIZE) {
624 bcopy(srndpool, ptr, RNDPOOLSIZE);
625 mutex_enter(&srndpool_lock);
626 swrand_mix_pool(0);
627 mutex_exit(&srndpool_lock);
628 ptr += RNDPOOLSIZE;
629 i -= RNDPOOLSIZE;
630 } else {
631 bcopy(srndpool, ptr, i);
632 break;
633 }
634 }
635
636 /* Generate some entropy to further initialize the pool */
637 mutex_enter(&srndpool_lock);
638 physmem_ent_gen(entsrc);
639 entropy_bits = 0;
640 mutex_exit(&srndpool_lock);
641
642 return (0);
643 }
644
645 static void
646 physmem_ent_fini(physmem_entsrc_t *entsrc)
647 {
648 if (entsrc->pmbuf != NULL)
649 vmem_free(heap_arena, entsrc->pmbuf, PAGESIZE);
650 if (entsrc->parity != NULL)
651 kmem_free(entsrc->parity, howmany(entsrc->nblocks, 8));
652 bzero(entsrc, sizeof (*entsrc));
653 }
654
655 static void
656 physmem_ent_gen(physmem_entsrc_t *entsrc)
657 {
658 struct memlist *pmem;
659 offset_t offset, poffset;
660 pfn_t pfn;
661 int i, nbytes, len, ent = 0;
662 uint32_t block, oblock;
663 hrtime_t ts1, ts2, diff, delta, delta2, delta3;
664 uint8_t digest[HASHSIZE];
665 HASH_CTX ctx;
666 page_t *pp;
667
668 /*
669 * Use each 32-bit quantity in the pool to pick a memory
670 * block to read.
671 */
672 for (i = 0; i < RNDPOOLSIZE/4; i++) {
673
674 /* If the pool is "full", stop after one block */
675 if (entropy_bits + ent >= CRYPTO_BYTES2BITS(RNDPOOLSIZE)) {
676 if (i > 0)
677 break;
678 }
679
680 /*
681 * This lock protects reading of phys_install.
682 * Any changes to this list, by DR, are done while
683 * holding this lock. So, holding this lock is sufficient
684 * to handle DR also.
685 */
686 memlist_read_lock();
687
688 /* We're left with less than 4K of memory after DR */
689 ASSERT(entsrc->nblocks > 0);
690
691 /* Pick a memory block to read */
692 block = oblock = srndpool[i] % entsrc->nblocks;
693
694 for (pmem = phys_install; pmem != NULL; pmem = pmem->ml_next) {
695 if (block < pmem->ml_size / MEMBLOCKSIZE)
696 break;
697 block -= pmem->ml_size / MEMBLOCKSIZE;
698 }
699
700 ASSERT(pmem != NULL);
701
702 offset = pmem->ml_address + block * MEMBLOCKSIZE;
703
704 if (!address_in_memlist(phys_install, offset, MEMBLOCKSIZE)) {
705 memlist_read_unlock();
706 continue;
707 }
708
709 /*
710 * Do an initial check to see if the address is safe
711 */
712 if (plat_hold_page(offset >> PAGESHIFT, PLAT_HOLD_NO_LOCK, NULL)
713 == PLAT_HOLD_FAIL) {
714 memlist_read_unlock();
715 continue;
716 }
717
718 /*
719 * Figure out which page to load to read the
720 * memory block. Load the page and compute the
721 * hash of the memory block.
722 */
723 len = MEMBLOCKSIZE;
724 ts1 = gethrtime();
725 HashInit(&ctx);
726 while (len) {
727 pfn = offset >> PAGESHIFT;
728 poffset = offset & PAGEOFFSET;
729 nbytes = PAGESIZE - poffset < len ?
730 PAGESIZE - poffset : len;
731
732 /*
733 * Re-check the offset, and lock the frame. If the
734 * page was given away after the above check, we'll
735 * just bail out.
736 */
737 if (plat_hold_page(pfn, PLAT_HOLD_LOCK, &pp) ==
738 PLAT_HOLD_FAIL)
739 break;
740
741 hat_devload(kas.a_hat, entsrc->pmbuf,
742 PAGESIZE, pfn, PROT_READ,
743 HAT_LOAD_NOCONSIST | HAT_LOAD_LOCK);
744
745 HashUpdate(&ctx, (uint8_t *)entsrc->pmbuf + poffset,
746 nbytes);
747
748 hat_unload(kas.a_hat, entsrc->pmbuf, PAGESIZE,
749 HAT_UNLOAD_UNLOCK);
750
751 plat_release_page(pp);
752
753 len -= nbytes;
754 offset += nbytes;
755 }
756 /* We got our pages. Let the DR roll */
757 memlist_read_unlock();
758
759 /* See if we had to bail out due to a page being given away */
760 if (len)
761 continue;
762
763 HashFinal(digest, &ctx);
764 ts2 = gethrtime();
765
766 /*
767 * Compute the time it took to load and hash the
768 * block and compare it against the previous
769 * measurement. The delta of the time values
770 * provides a small amount of entropy. The
771 * minimum of the first, second, and third order
772 * delta is used to estimate how much entropy
773 * is present.
774 */
775 diff = ts2 - ts1;
776 delta = diff - entsrc->last_diff;
777 if (delta < 0)
778 delta = -delta;
779 delta2 = delta - entsrc->last_delta;
780 if (delta2 < 0)
781 delta2 = -delta2;
782 delta3 = delta2 - entsrc->last_delta2;
783 if (delta3 < 0)
784 delta3 = -delta3;
785 entsrc->last_diff = diff;
786 entsrc->last_delta = delta;
787 entsrc->last_delta2 = delta2;
788
789 if (delta > delta2)
790 delta = delta2;
791 if (delta > delta3)
792 delta = delta3;
793 delta2 = 0;
794 while (delta >>= 1)
795 delta2++;
796 ent += delta2;
797
798 /*
799 * If the memory block has changed, credit the pool with
800 * the entropy estimate. The entropy estimate is doubled
801 * because the single-bit checksum misses half the change
802 * on average.
803 */
804 if (physmem_parity_update(entsrc->parity, oblock,
805 digest[0] & 1))
806 ent += 2 * entsrc->entperblock;
807
808 /* Add the entropy bytes to the pool */
809 swrand_add_bytes(digest, HASHSIZE);
810 swrand_add_bytes((uint8_t *)&ts1, sizeof (ts1));
811 swrand_add_bytes((uint8_t *)&ts2, sizeof (ts2));
812 }
813
814 swrand_mix_pool(ent);
815 }
816
817 static int
818 physmem_parity_update(uint8_t *parity_vec, uint32_t block, int parity)
819 {
820 /* Test and set the parity bit, return 1 if changed */
821 if (parity == ((parity_vec[block >> 3] >> (block & 7)) & 1))
822 return (0);
823 parity_vec[block >> 3] ^= 1 << (block & 7);
824 return (1);
825 }
826
827 /* Compute number of memory blocks available to scan */
828 static void
829 physmem_count_blocks()
830 {
831 struct memlist *pmem;
832
833 memlist_read_lock();
834 entsrc.nblocks = 0;
835 for (pmem = phys_install; pmem != NULL; pmem = pmem->ml_next) {
836 entsrc.nblocks += pmem->ml_size / MEMBLOCKSIZE;
837 if (entsrc.nblocks > MAXMEMBLOCKS) {
838 entsrc.nblocks = MAXMEMBLOCKS;
839 break;
840 }
841 }
842 memlist_read_unlock();
843 }
844
845 /*
846 * Dynamic Reconfiguration call-back functions
847 */
848
849 /* ARGSUSED */
850 static void
851 rnd_dr_callback_post_add(void *arg, pgcnt_t delta)
852 {
853 /* More memory is available now, so update entsrc->nblocks. */
854 physmem_count_blocks();
855 }
856
857 /* Call-back routine invoked before the DR starts a memory removal. */
858 /* ARGSUSED */
859 static int
860 rnd_dr_callback_pre_del(void *arg, pgcnt_t delta)
861 {
862 return (0);
863 }
864
865 /* Call-back routine invoked after the DR starts a memory removal. */
866 /* ARGSUSED */
867 static void
868 rnd_dr_callback_post_del(void *arg, pgcnt_t delta, int cancelled)
869 {
870 /* Memory has shrunk, so update entsrc->nblocks. */
871 physmem_count_blocks();
872 }
873
874 /* Timeout handling to gather entropy from physmem events */
875 static void
876 swrand_schedule_timeout(void)
877 {
878 clock_t ut; /* time in microseconds */
879
880 ASSERT(MUTEX_HELD(&srndpool_lock));
881 /*
882 * The new timeout value is taken from the pool of random bits.
883 * We're merely reading the first 32 bits from the pool here, not
884 * consuming any entropy.
885 * This routine is usually called right after stirring the pool, so
886 * srndpool[0] will have a *fresh* random value each time.
887 * The timeout multiplier value is a random value between 0.7 sec and
888 * 1.748575 sec (0.7 sec + 0xFFFFF microseconds).
889 * The new timeout is TIMEOUT_INTERVAL times that multiplier.
890 */
891 ut = 700000 + (clock_t)(srndpool[0] & 0xFFFFF);
892 rnd_timeout_id = timeout(rnd_handler, NULL,
893 TIMEOUT_INTERVAL * drv_usectohz(ut));
894 }
895
896 /*ARGSUSED*/
897 static void
898 rnd_handler(void *arg)
899 {
900 mutex_enter(&srndpool_lock);
901
902 physmem_ent_gen(&entsrc);
903 if (snum_waiters > 0)
904 cv_broadcast(&srndpool_read_cv);
905 swrand_schedule_timeout();
906
907 mutex_exit(&srndpool_lock);
908 }