Print this page
fixup .text where possible
7127 remove -Wno-missing-braces from Makefile.uts
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/crypto/io/swrand.c
+++ new/usr/src/uts/common/crypto/io/swrand.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 26 /*
27 27 * Software based random number provider for the Kernel Cryptographic
28 28 * Framework (KCF). This provider periodically collects unpredictable input
29 29 * from external sources and processes it into a pool of entropy (randomness)
30 30 * in order to satisfy requests for random bits from kCF. It implements
31 31 * software-based mixing, extraction, and generation algorithms.
32 32 *
33 33 * A history note: The software-based algorithms in this file used to be
34 34 * part of the /dev/random driver.
35 35 */
36 36
37 37 #include <sys/types.h>
38 38 #include <sys/errno.h>
39 39 #include <sys/debug.h>
40 40 #include <vm/seg_kmem.h>
41 41 #include <vm/hat.h>
42 42 #include <sys/systm.h>
43 43 #include <sys/memlist.h>
44 44 #include <sys/cmn_err.h>
45 45 #include <sys/ksynch.h>
46 46 #include <sys/random.h>
47 47 #include <sys/ddi.h>
48 48 #include <sys/mman.h>
49 49 #include <sys/sysmacros.h>
50 50 #include <sys/mem_config.h>
51 51 #include <sys/time.h>
52 52 #include <sys/crypto/spi.h>
53 53 #include <sys/sha1.h>
54 54 #include <sys/sunddi.h>
55 55 #include <sys/modctl.h>
56 56 #include <sys/hold_page.h>
57 57 #include <rng/fips_random.h>
58 58
59 59 #define RNDPOOLSIZE 1024 /* Pool size in bytes */
60 60 #define HASHBUFSIZE 64 /* Buffer size used for pool mixing */
61 61 #define MAXMEMBLOCKS 16384 /* Number of memory blocks to scan */
62 62 #define MEMBLOCKSIZE 4096 /* Size of memory block to read */
63 63 #define MINEXTRACTBITS 160 /* Min entropy level for extraction */
64 64 #define TIMEOUT_INTERVAL 5 /* Periodic mixing interval in secs */
65 65
66 66 /* Hash-algo generic definitions. For now, they are SHA1's. */
67 67 #define HASHSIZE 20
68 68 #define HASH_CTX SHA1_CTX
69 69 #define HashInit(ctx) SHA1Init((ctx))
70 70 #define HashUpdate(ctx, p, s) SHA1Update((ctx), (p), (s))
71 71 #define HashFinal(d, ctx) SHA1Final((d), (ctx))
72 72
73 73 /* Physical memory entropy source */
74 74 typedef struct physmem_entsrc_s {
75 75 uint8_t *parity; /* parity bit vector */
76 76 caddr_t pmbuf; /* buffer for memory block */
77 77 uint32_t nblocks; /* number of memory blocks */
78 78 int entperblock; /* entropy bits per block read */
79 79 hrtime_t last_diff; /* previous time to process a block */
80 80 hrtime_t last_delta; /* previous time delta */
81 81 hrtime_t last_delta2; /* previous 2nd order time delta */
82 82 } physmem_entsrc_t;
83 83
84 84 static uint32_t srndpool[RNDPOOLSIZE/4]; /* Pool of random bits */
85 85 static uint32_t buffer[RNDPOOLSIZE/4]; /* entropy mixed in later */
86 86 static int buffer_bytes; /* bytes written to buffer */
87 87 static uint32_t entropy_bits; /* pool's current amount of entropy */
88 88 static kmutex_t srndpool_lock; /* protects r/w accesses to the pool, */
89 89 /* and the global variables */
90 90 static kmutex_t buffer_lock; /* protects r/w accesses to buffer */
91 91 static kcondvar_t srndpool_read_cv; /* serializes poll/read syscalls */
92 92 static int pindex; /* Global index for adding/extracting */
93 93 /* from the pool */
94 94 static int bstart, bindex; /* Global vars for adding/extracting */
95 95 /* from the buffer */
96 96 static uint8_t leftover[HASHSIZE]; /* leftover output */
97 97 static uint32_t swrand_XKEY[6]; /* one extra word for getentropy */
98 98 static int leftover_bytes; /* leftover length */
99 99 static uint32_t previous_bytes[HASHSIZE/BYTES_IN_WORD]; /* prev random bytes */
100 100
101 101 static physmem_entsrc_t entsrc; /* Physical mem as an entropy source */
102 102 static timeout_id_t rnd_timeout_id;
103 103 static int snum_waiters;
104 104 static crypto_kcf_provider_handle_t swrand_prov_handle = NULL;
105 105 swrand_stats_t swrand_stats;
106 106
107 107 static int physmem_ent_init(physmem_entsrc_t *);
108 108 static void physmem_ent_fini(physmem_entsrc_t *);
109 109 static void physmem_ent_gen(physmem_entsrc_t *);
110 110 static int physmem_parity_update(uint8_t *, uint32_t, int);
111 111 static void physmem_count_blocks();
112 112 static void rnd_dr_callback_post_add(void *, pgcnt_t);
113 113 static int rnd_dr_callback_pre_del(void *, pgcnt_t);
114 114 static void rnd_dr_callback_post_del(void *, pgcnt_t, int);
115 115 static void rnd_handler(void *arg);
116 116 static void swrand_init();
117 117 static void swrand_schedule_timeout(void);
118 118 static int swrand_get_entropy(uint8_t *ptr, size_t len, boolean_t);
119 119 static void swrand_add_entropy(uint8_t *ptr, size_t len, uint16_t entropy_est);
120 120 static void swrand_add_entropy_later(uint8_t *ptr, size_t len);
121 121
122 122 /* Dynamic Reconfiguration related declarations */
123 123 kphysm_setup_vector_t rnd_dr_callback_vec = {
124 124 KPHYSM_SETUP_VECTOR_VERSION,
125 125 rnd_dr_callback_post_add,
126 126 rnd_dr_callback_pre_del,
127 127 rnd_dr_callback_post_del
128 128 };
129 129
130 130 extern struct mod_ops mod_cryptoops;
131 131
|
↓ open down ↓ |
131 lines elided |
↑ open up ↑ |
132 132 /*
133 133 * Module linkage information for the kernel.
134 134 */
135 135 static struct modlcrypto modlcrypto = {
136 136 &mod_cryptoops,
137 137 "Kernel Random number Provider"
138 138 };
139 139
140 140 static struct modlinkage modlinkage = {
141 141 MODREV_1,
142 - (void *)&modlcrypto,
143 - NULL
142 + { (void *)&modlcrypto,
143 + NULL }
144 144 };
145 145
146 146 /*
147 147 * CSPI information (entry points, provider info, etc.)
148 148 */
149 149 static void swrand_provider_status(crypto_provider_handle_t, uint_t *);
150 150
151 151 static crypto_control_ops_t swrand_control_ops = {
152 152 swrand_provider_status
153 153 };
154 154
155 155 static int swrand_seed_random(crypto_provider_handle_t, crypto_session_id_t,
|
↓ open down ↓ |
2 lines elided |
↑ open up ↑ |
156 156 uchar_t *, size_t, uint_t, uint32_t, crypto_req_handle_t);
157 157 static int swrand_generate_random(crypto_provider_handle_t,
158 158 crypto_session_id_t, uchar_t *, size_t, crypto_req_handle_t);
159 159
160 160 static crypto_random_number_ops_t swrand_random_number_ops = {
161 161 swrand_seed_random,
162 162 swrand_generate_random
163 163 };
164 164
165 165 static crypto_ops_t swrand_crypto_ops = {
166 - &swrand_control_ops,
167 - NULL,
168 - NULL,
169 - NULL,
170 - NULL,
171 - NULL,
172 - NULL,
173 - NULL,
174 - &swrand_random_number_ops,
175 - NULL,
176 - NULL,
177 - NULL,
178 - NULL,
179 - NULL,
180 - NULL,
181 - NULL,
182 - NULL,
166 + .co_control_ops = &swrand_control_ops,
167 + .co_random_ops = &swrand_random_number_ops
183 168 };
184 169
185 -static crypto_provider_info_t swrand_prov_info = {
170 +static crypto_provider_info_t swrand_prov_info = {{{{
186 171 CRYPTO_SPI_VERSION_4,
187 172 "Kernel Random Number Provider",
188 173 CRYPTO_SW_PROVIDER,
189 174 {&modlinkage},
190 175 NULL,
191 176 &swrand_crypto_ops,
192 177 0,
193 178 NULL
194 -};
179 +}}}};
195 180
196 181 int
197 182 _init(void)
198 183 {
199 184 int ret;
200 185 hrtime_t ts;
201 186 time_t now;
202 187
203 188 mutex_init(&srndpool_lock, NULL, MUTEX_DEFAULT, NULL);
204 189 mutex_init(&buffer_lock, NULL, MUTEX_DEFAULT, NULL);
205 190 cv_init(&srndpool_read_cv, NULL, CV_DEFAULT, NULL);
206 191 entropy_bits = 0;
207 192 pindex = 0;
208 193 bindex = 0;
209 194 bstart = 0;
210 195 snum_waiters = 0;
211 196 leftover_bytes = 0;
212 197 buffer_bytes = 0;
213 198
214 199 /*
215 200 * Initialize the pool using
216 201 * . 2 unpredictable times: high resolution time since the boot-time,
217 202 * and the current time-of-the day.
218 203 * . The initial physical memory state.
219 204 */
220 205 ts = gethrtime();
221 206 swrand_add_entropy((uint8_t *)&ts, sizeof (ts), 0);
222 207
223 208 (void) drv_getparm(TIME, &now);
224 209 swrand_add_entropy((uint8_t *)&now, sizeof (now), 0);
225 210
226 211 ret = kphysm_setup_func_register(&rnd_dr_callback_vec, NULL);
227 212 ASSERT(ret == 0);
228 213
229 214 if (physmem_ent_init(&entsrc) != 0) {
230 215 ret = ENOMEM;
231 216 goto exit1;
232 217 }
233 218
234 219 if ((ret = mod_install(&modlinkage)) != 0)
235 220 goto exit2;
236 221
237 222 /* Schedule periodic mixing of the pool. */
238 223 mutex_enter(&srndpool_lock);
239 224 swrand_schedule_timeout();
240 225 mutex_exit(&srndpool_lock);
241 226 (void) swrand_get_entropy((uint8_t *)swrand_XKEY, HASHSIZE, B_TRUE);
242 227 bcopy(swrand_XKEY, previous_bytes, HASHSIZE);
243 228
244 229 /* Register with KCF. If the registration fails, return error. */
245 230 if (crypto_register_provider(&swrand_prov_info, &swrand_prov_handle)) {
246 231 (void) mod_remove(&modlinkage);
247 232 ret = EACCES;
248 233 goto exit2;
249 234 }
250 235
251 236 return (0);
252 237
253 238 exit2:
254 239 physmem_ent_fini(&entsrc);
255 240 exit1:
256 241 mutex_destroy(&srndpool_lock);
257 242 mutex_destroy(&buffer_lock);
258 243 cv_destroy(&srndpool_read_cv);
259 244 return (ret);
260 245 }
261 246
262 247 int
263 248 _info(struct modinfo *modinfop)
264 249 {
265 250 return (mod_info(&modlinkage, modinfop));
266 251 }
267 252
268 253 /*
269 254 * Control entry points.
270 255 */
271 256 /* ARGSUSED */
272 257 static void
273 258 swrand_provider_status(crypto_provider_handle_t provider, uint_t *status)
274 259 {
275 260 *status = CRYPTO_PROVIDER_READY;
276 261 }
277 262
278 263 /*
279 264 * Random number entry points.
280 265 */
281 266 /* ARGSUSED */
282 267 static int
283 268 swrand_seed_random(crypto_provider_handle_t provider, crypto_session_id_t sid,
284 269 uchar_t *buf, size_t len, uint_t entropy_est, uint32_t flags,
285 270 crypto_req_handle_t req)
286 271 {
287 272 /* The entropy estimate is always 0 in this path */
288 273 if (flags & CRYPTO_SEED_NOW)
289 274 swrand_add_entropy(buf, len, 0);
290 275 else
291 276 swrand_add_entropy_later(buf, len);
292 277 return (CRYPTO_SUCCESS);
293 278 }
294 279
295 280 /* ARGSUSED */
296 281 static int
297 282 swrand_generate_random(crypto_provider_handle_t provider,
298 283 crypto_session_id_t sid, uchar_t *buf, size_t len, crypto_req_handle_t req)
299 284 {
300 285 if (crypto_kmflag(req) == KM_NOSLEEP)
301 286 (void) swrand_get_entropy(buf, len, B_TRUE);
302 287 else
303 288 (void) swrand_get_entropy(buf, len, B_FALSE);
304 289
305 290 return (CRYPTO_SUCCESS);
306 291 }
307 292
308 293 /*
309 294 * Extraction of entropy from the pool.
310 295 *
311 296 * Returns "len" random bytes in *ptr.
312 297 * Try to gather some more entropy by calling physmem_ent_gen() when less than
313 298 * MINEXTRACTBITS are present in the pool.
314 299 * Will block if not enough entropy was available and the call is blocking.
315 300 */
316 301 static int
317 302 swrand_get_entropy(uint8_t *ptr, size_t len, boolean_t nonblock)
318 303 {
319 304 int i, bytes;
320 305 HASH_CTX hashctx;
321 306 uint8_t digest[HASHSIZE], *pool;
322 307 uint32_t tempout[HASHSIZE/BYTES_IN_WORD];
323 308 int size;
324 309
325 310 mutex_enter(&srndpool_lock);
326 311 if (leftover_bytes > 0) {
327 312 bytes = min(len, leftover_bytes);
328 313 bcopy(leftover, ptr, bytes);
329 314 len -= bytes;
330 315 ptr += bytes;
331 316 leftover_bytes -= bytes;
332 317 if (leftover_bytes > 0)
333 318 ovbcopy(leftover+bytes, leftover, leftover_bytes);
334 319 }
335 320
336 321 while (len > 0) {
337 322 /* Check if there is enough entropy */
338 323 while (entropy_bits < MINEXTRACTBITS) {
339 324
340 325 physmem_ent_gen(&entsrc);
341 326
342 327 if (entropy_bits < MINEXTRACTBITS &&
343 328 nonblock == B_TRUE) {
344 329 mutex_exit(&srndpool_lock);
345 330 return (EAGAIN);
346 331 }
347 332
348 333 if (entropy_bits < MINEXTRACTBITS) {
349 334 ASSERT(nonblock == B_FALSE);
350 335 snum_waiters++;
351 336 if (cv_wait_sig(&srndpool_read_cv,
352 337 &srndpool_lock) == 0) {
353 338 snum_waiters--;
354 339 mutex_exit(&srndpool_lock);
355 340 return (EINTR);
356 341 }
357 342 snum_waiters--;
358 343 }
359 344 }
360 345
361 346 /* Figure out how many bytes to extract */
362 347 bytes = min(HASHSIZE, len);
363 348 bytes = min(bytes, CRYPTO_BITS2BYTES(entropy_bits));
364 349 entropy_bits -= CRYPTO_BYTES2BITS(bytes);
365 350 BUMP_SWRAND_STATS(ss_entOut, CRYPTO_BYTES2BITS(bytes));
366 351 swrand_stats.ss_entEst = entropy_bits;
367 352
368 353 /* Extract entropy by hashing pool content */
369 354 HashInit(&hashctx);
370 355 HashUpdate(&hashctx, (uint8_t *)srndpool, RNDPOOLSIZE);
371 356 HashFinal(digest, &hashctx);
372 357
373 358 /*
374 359 * Feed the digest back into the pool so next
375 360 * extraction produces different result
376 361 */
377 362 pool = (uint8_t *)srndpool;
378 363 for (i = 0; i < HASHSIZE; i++) {
379 364 pool[pindex++] ^= digest[i];
380 365 /* pindex modulo RNDPOOLSIZE */
381 366 pindex &= (RNDPOOLSIZE - 1);
382 367 }
383 368
384 369 /* LINTED E_BAD_PTR_CAST_ALIGN */
385 370 fips_random_inner(swrand_XKEY, tempout, (uint32_t *)digest);
386 371
387 372 if (len >= HASHSIZE) {
388 373 size = HASHSIZE;
389 374 } else {
390 375 size = min(bytes, HASHSIZE);
391 376 }
392 377
393 378 /*
394 379 * FIPS 140-2: Continuous RNG test - each generation
395 380 * of an n-bit block shall be compared with the previously
396 381 * generated block. Test shall fail if any two compared
397 382 * n-bit blocks are equal.
398 383 */
399 384 for (i = 0; i < HASHSIZE/BYTES_IN_WORD; i++) {
400 385 if (tempout[i] != previous_bytes[i])
401 386 break;
402 387 }
403 388
404 389 if (i == HASHSIZE/BYTES_IN_WORD) {
405 390 cmn_err(CE_WARN, "swrand: The value of 160-bit block "
406 391 "random bytes are same as the previous one.\n");
407 392 /* discard random bytes and return error */
408 393 return (EIO);
409 394 }
410 395
411 396 bcopy(tempout, previous_bytes, HASHSIZE);
412 397
413 398 bcopy(tempout, ptr, size);
414 399 if (len < HASHSIZE) {
415 400 leftover_bytes = HASHSIZE - bytes;
416 401 bcopy((uint8_t *)tempout + bytes, leftover,
417 402 leftover_bytes);
418 403 }
419 404
420 405 ptr += size;
421 406 len -= size;
422 407 BUMP_SWRAND_STATS(ss_bytesOut, size);
423 408 }
424 409
425 410 /* Zero out sensitive information */
426 411 bzero(digest, HASHSIZE);
427 412 bzero(tempout, HASHSIZE);
428 413 mutex_exit(&srndpool_lock);
429 414 return (0);
430 415 }
431 416
432 417 #define SWRAND_ADD_BYTES(ptr, len, i, pool) \
433 418 ASSERT((ptr) != NULL && (len) > 0); \
434 419 BUMP_SWRAND_STATS(ss_bytesIn, (len)); \
435 420 while ((len)--) { \
436 421 (pool)[(i)++] ^= *(ptr); \
437 422 (ptr)++; \
438 423 (i) &= (RNDPOOLSIZE - 1); \
439 424 }
440 425
441 426 /* Write some more user-provided entropy to the pool */
442 427 static void
443 428 swrand_add_bytes(uint8_t *ptr, size_t len)
444 429 {
445 430 uint8_t *pool = (uint8_t *)srndpool;
446 431
447 432 ASSERT(MUTEX_HELD(&srndpool_lock));
448 433 SWRAND_ADD_BYTES(ptr, len, pindex, pool);
449 434 }
450 435
451 436 /*
452 437 * Add bytes to buffer. Adding the buffer to the random pool
453 438 * is deferred until the random pool is mixed.
454 439 */
455 440 static void
456 441 swrand_add_bytes_later(uint8_t *ptr, size_t len)
457 442 {
458 443 uint8_t *pool = (uint8_t *)buffer;
459 444
460 445 ASSERT(MUTEX_HELD(&buffer_lock));
461 446 SWRAND_ADD_BYTES(ptr, len, bindex, pool);
462 447 buffer_bytes += len;
463 448 }
464 449
465 450 #undef SWRAND_ADD_BYTES
466 451
467 452 /* Mix the pool */
468 453 static void
469 454 swrand_mix_pool(uint16_t entropy_est)
470 455 {
471 456 int i, j, k, start;
472 457 HASH_CTX hashctx;
473 458 uint8_t digest[HASHSIZE];
474 459 uint8_t *pool = (uint8_t *)srndpool;
475 460 uint8_t *bp = (uint8_t *)buffer;
476 461
477 462 ASSERT(MUTEX_HELD(&srndpool_lock));
478 463
479 464 /* add deferred bytes */
480 465 mutex_enter(&buffer_lock);
481 466 if (buffer_bytes > 0) {
482 467 if (buffer_bytes >= RNDPOOLSIZE) {
483 468 for (i = 0; i < RNDPOOLSIZE/4; i++) {
484 469 srndpool[i] ^= buffer[i];
485 470 buffer[i] = 0;
486 471 }
487 472 bstart = bindex = 0;
488 473 } else {
489 474 for (i = 0; i < buffer_bytes; i++) {
490 475 pool[pindex++] ^= bp[bstart];
491 476 bp[bstart++] = 0;
492 477 pindex &= (RNDPOOLSIZE - 1);
493 478 bstart &= (RNDPOOLSIZE - 1);
494 479 }
495 480 ASSERT(bstart == bindex);
496 481 }
497 482 buffer_bytes = 0;
498 483 }
499 484 mutex_exit(&buffer_lock);
500 485
501 486 start = 0;
502 487 for (i = 0; i < RNDPOOLSIZE/HASHSIZE + 1; i++) {
503 488 HashInit(&hashctx);
504 489
505 490 /* Hash a buffer centered on a block in the pool */
506 491 if (start + HASHBUFSIZE <= RNDPOOLSIZE)
507 492 HashUpdate(&hashctx, &pool[start], HASHBUFSIZE);
508 493 else {
509 494 HashUpdate(&hashctx, &pool[start],
510 495 RNDPOOLSIZE - start);
511 496 HashUpdate(&hashctx, pool,
512 497 HASHBUFSIZE - RNDPOOLSIZE + start);
513 498 }
514 499 HashFinal(digest, &hashctx);
515 500
516 501 /* XOR the hash result back into the block */
517 502 k = (start + HASHSIZE) & (RNDPOOLSIZE - 1);
518 503 for (j = 0; j < HASHSIZE; j++) {
519 504 pool[k++] ^= digest[j];
520 505 k &= (RNDPOOLSIZE - 1);
521 506 }
522 507
523 508 /* Slide the hash buffer and repeat with next block */
524 509 start = (start + HASHSIZE) & (RNDPOOLSIZE - 1);
525 510 }
526 511
527 512 entropy_bits += entropy_est;
528 513 if (entropy_bits > CRYPTO_BYTES2BITS(RNDPOOLSIZE))
529 514 entropy_bits = CRYPTO_BYTES2BITS(RNDPOOLSIZE);
530 515
531 516 swrand_stats.ss_entEst = entropy_bits;
532 517 BUMP_SWRAND_STATS(ss_entIn, entropy_est);
533 518 }
534 519
535 520 static void
536 521 swrand_add_entropy_later(uint8_t *ptr, size_t len)
537 522 {
538 523 mutex_enter(&buffer_lock);
539 524 swrand_add_bytes_later(ptr, len);
540 525 mutex_exit(&buffer_lock);
541 526 }
542 527
543 528 static void
544 529 swrand_add_entropy(uint8_t *ptr, size_t len, uint16_t entropy_est)
545 530 {
546 531 mutex_enter(&srndpool_lock);
547 532 swrand_add_bytes(ptr, len);
548 533 swrand_mix_pool(entropy_est);
549 534 mutex_exit(&srndpool_lock);
550 535 }
551 536
552 537 /*
553 538 * The physmem_* routines below generate entropy by reading blocks of
554 539 * physical memory. Entropy is gathered in a couple of ways:
555 540 *
556 541 * - By reading blocks of physical memory and detecting if changes
557 542 * occurred in the blocks read.
558 543 *
559 544 * - By measuring the time it takes to load and hash a block of memory
560 545 * and computing the differences in the measured time.
561 546 *
562 547 * The first method was used in the CryptoRand implementation. Physical
563 548 * memory is divided into blocks of fixed size. A block of memory is
564 549 * chosen from the possible blocks and hashed to produce a digest. This
565 550 * digest is then mixed into the pool. A single bit from the digest is
566 551 * used as a parity bit or "checksum" and compared against the previous
567 552 * "checksum" computed for the block. If the single-bit checksum has not
568 553 * changed, no entropy is credited to the pool. If there is a change,
569 554 * then the assumption is that at least one bit in the block has changed.
570 555 * The possible locations within the memory block of where the bit change
571 556 * occurred is used as a measure of entropy. For example, if a block
572 557 * size of 4096 bytes is used, about log_2(4096*8)=15 bits worth of
573 558 * entropy is available. Because the single-bit checksum will miss half
574 559 * of the changes, the amount of entropy credited to the pool is doubled
575 560 * when a change is detected. With a 4096 byte block size, a block
576 561 * change will add a total of 30 bits of entropy to the pool.
577 562 *
578 563 * The second method measures the amount of time it takes to read and
579 564 * hash a physical memory block (as described above). The time measured
580 565 * can vary depending on system load, scheduling and other factors.
581 566 * Differences between consecutive measurements are computed to come up
582 567 * with an entropy estimate. The first, second, and third order delta is
583 568 * calculated to determine the minimum delta value. The number of bits
584 569 * present in this minimum delta value is the entropy estimate. This
585 570 * entropy estimation technique using time deltas is similar to that used
586 571 * in /dev/random implementations from Linux/BSD.
587 572 */
588 573
589 574 static int
590 575 physmem_ent_init(physmem_entsrc_t *entsrc)
591 576 {
592 577 uint8_t *ptr;
593 578 int i;
594 579
595 580 bzero(entsrc, sizeof (*entsrc));
596 581
597 582 /*
598 583 * The maximum entropy amount in bits per block of memory read is
599 584 * log_2(MEMBLOCKSIZE * 8);
600 585 */
601 586 i = CRYPTO_BYTES2BITS(MEMBLOCKSIZE);
602 587 while (i >>= 1)
603 588 entsrc->entperblock++;
604 589
605 590 /* Initialize entsrc->nblocks */
606 591 physmem_count_blocks();
607 592
608 593 if (entsrc->nblocks == 0) {
609 594 cmn_err(CE_WARN, "no memory blocks to scan!");
610 595 return (-1);
611 596 }
612 597
613 598 /* Allocate space for the parity vector and memory page */
614 599 entsrc->parity = kmem_alloc(howmany(entsrc->nblocks, 8),
615 600 KM_SLEEP);
616 601 entsrc->pmbuf = vmem_alloc(heap_arena, PAGESIZE, VM_SLEEP);
617 602
618 603
619 604 /* Initialize parity vector with bits from the pool */
620 605 i = howmany(entsrc->nblocks, 8);
621 606 ptr = entsrc->parity;
622 607 while (i > 0) {
623 608 if (i > RNDPOOLSIZE) {
624 609 bcopy(srndpool, ptr, RNDPOOLSIZE);
625 610 mutex_enter(&srndpool_lock);
626 611 swrand_mix_pool(0);
627 612 mutex_exit(&srndpool_lock);
628 613 ptr += RNDPOOLSIZE;
629 614 i -= RNDPOOLSIZE;
630 615 } else {
631 616 bcopy(srndpool, ptr, i);
632 617 break;
633 618 }
634 619 }
635 620
636 621 /* Generate some entropy to further initialize the pool */
637 622 mutex_enter(&srndpool_lock);
638 623 physmem_ent_gen(entsrc);
639 624 entropy_bits = 0;
640 625 mutex_exit(&srndpool_lock);
641 626
642 627 return (0);
643 628 }
644 629
645 630 static void
646 631 physmem_ent_fini(physmem_entsrc_t *entsrc)
647 632 {
648 633 if (entsrc->pmbuf != NULL)
649 634 vmem_free(heap_arena, entsrc->pmbuf, PAGESIZE);
650 635 if (entsrc->parity != NULL)
651 636 kmem_free(entsrc->parity, howmany(entsrc->nblocks, 8));
652 637 bzero(entsrc, sizeof (*entsrc));
653 638 }
654 639
655 640 static void
656 641 physmem_ent_gen(physmem_entsrc_t *entsrc)
657 642 {
658 643 struct memlist *pmem;
659 644 offset_t offset, poffset;
660 645 pfn_t pfn;
661 646 int i, nbytes, len, ent = 0;
662 647 uint32_t block, oblock;
663 648 hrtime_t ts1, ts2, diff, delta, delta2, delta3;
664 649 uint8_t digest[HASHSIZE];
665 650 HASH_CTX ctx;
666 651 page_t *pp;
667 652
668 653 /*
669 654 * Use each 32-bit quantity in the pool to pick a memory
670 655 * block to read.
671 656 */
672 657 for (i = 0; i < RNDPOOLSIZE/4; i++) {
673 658
674 659 /* If the pool is "full", stop after one block */
675 660 if (entropy_bits + ent >= CRYPTO_BYTES2BITS(RNDPOOLSIZE)) {
676 661 if (i > 0)
677 662 break;
678 663 }
679 664
680 665 /*
681 666 * This lock protects reading of phys_install.
682 667 * Any changes to this list, by DR, are done while
683 668 * holding this lock. So, holding this lock is sufficient
684 669 * to handle DR also.
685 670 */
686 671 memlist_read_lock();
687 672
688 673 /* We're left with less than 4K of memory after DR */
689 674 ASSERT(entsrc->nblocks > 0);
690 675
691 676 /* Pick a memory block to read */
692 677 block = oblock = srndpool[i] % entsrc->nblocks;
693 678
694 679 for (pmem = phys_install; pmem != NULL; pmem = pmem->ml_next) {
695 680 if (block < pmem->ml_size / MEMBLOCKSIZE)
696 681 break;
697 682 block -= pmem->ml_size / MEMBLOCKSIZE;
698 683 }
699 684
700 685 ASSERT(pmem != NULL);
701 686
702 687 offset = pmem->ml_address + block * MEMBLOCKSIZE;
703 688
704 689 if (!address_in_memlist(phys_install, offset, MEMBLOCKSIZE)) {
705 690 memlist_read_unlock();
706 691 continue;
707 692 }
708 693
709 694 /*
710 695 * Do an initial check to see if the address is safe
711 696 */
712 697 if (plat_hold_page(offset >> PAGESHIFT, PLAT_HOLD_NO_LOCK, NULL)
713 698 == PLAT_HOLD_FAIL) {
714 699 memlist_read_unlock();
715 700 continue;
716 701 }
717 702
718 703 /*
719 704 * Figure out which page to load to read the
720 705 * memory block. Load the page and compute the
721 706 * hash of the memory block.
722 707 */
723 708 len = MEMBLOCKSIZE;
724 709 ts1 = gethrtime();
725 710 HashInit(&ctx);
726 711 while (len) {
727 712 pfn = offset >> PAGESHIFT;
728 713 poffset = offset & PAGEOFFSET;
729 714 nbytes = PAGESIZE - poffset < len ?
730 715 PAGESIZE - poffset : len;
731 716
732 717 /*
733 718 * Re-check the offset, and lock the frame. If the
734 719 * page was given away after the above check, we'll
735 720 * just bail out.
736 721 */
737 722 if (plat_hold_page(pfn, PLAT_HOLD_LOCK, &pp) ==
738 723 PLAT_HOLD_FAIL)
739 724 break;
740 725
741 726 hat_devload(kas.a_hat, entsrc->pmbuf,
742 727 PAGESIZE, pfn, PROT_READ,
743 728 HAT_LOAD_NOCONSIST | HAT_LOAD_LOCK);
744 729
745 730 HashUpdate(&ctx, (uint8_t *)entsrc->pmbuf + poffset,
746 731 nbytes);
747 732
748 733 hat_unload(kas.a_hat, entsrc->pmbuf, PAGESIZE,
749 734 HAT_UNLOAD_UNLOCK);
750 735
751 736 plat_release_page(pp);
752 737
753 738 len -= nbytes;
754 739 offset += nbytes;
755 740 }
756 741 /* We got our pages. Let the DR roll */
757 742 memlist_read_unlock();
758 743
759 744 /* See if we had to bail out due to a page being given away */
760 745 if (len)
761 746 continue;
762 747
763 748 HashFinal(digest, &ctx);
764 749 ts2 = gethrtime();
765 750
766 751 /*
767 752 * Compute the time it took to load and hash the
768 753 * block and compare it against the previous
769 754 * measurement. The delta of the time values
770 755 * provides a small amount of entropy. The
771 756 * minimum of the first, second, and third order
772 757 * delta is used to estimate how much entropy
773 758 * is present.
774 759 */
775 760 diff = ts2 - ts1;
776 761 delta = diff - entsrc->last_diff;
777 762 if (delta < 0)
778 763 delta = -delta;
779 764 delta2 = delta - entsrc->last_delta;
780 765 if (delta2 < 0)
781 766 delta2 = -delta2;
782 767 delta3 = delta2 - entsrc->last_delta2;
783 768 if (delta3 < 0)
784 769 delta3 = -delta3;
785 770 entsrc->last_diff = diff;
786 771 entsrc->last_delta = delta;
787 772 entsrc->last_delta2 = delta2;
788 773
789 774 if (delta > delta2)
790 775 delta = delta2;
791 776 if (delta > delta3)
792 777 delta = delta3;
793 778 delta2 = 0;
794 779 while (delta >>= 1)
795 780 delta2++;
796 781 ent += delta2;
797 782
798 783 /*
799 784 * If the memory block has changed, credit the pool with
800 785 * the entropy estimate. The entropy estimate is doubled
801 786 * because the single-bit checksum misses half the change
802 787 * on average.
803 788 */
804 789 if (physmem_parity_update(entsrc->parity, oblock,
805 790 digest[0] & 1))
806 791 ent += 2 * entsrc->entperblock;
807 792
808 793 /* Add the entropy bytes to the pool */
809 794 swrand_add_bytes(digest, HASHSIZE);
810 795 swrand_add_bytes((uint8_t *)&ts1, sizeof (ts1));
811 796 swrand_add_bytes((uint8_t *)&ts2, sizeof (ts2));
812 797 }
813 798
814 799 swrand_mix_pool(ent);
815 800 }
816 801
817 802 static int
818 803 physmem_parity_update(uint8_t *parity_vec, uint32_t block, int parity)
819 804 {
820 805 /* Test and set the parity bit, return 1 if changed */
821 806 if (parity == ((parity_vec[block >> 3] >> (block & 7)) & 1))
822 807 return (0);
823 808 parity_vec[block >> 3] ^= 1 << (block & 7);
824 809 return (1);
825 810 }
826 811
827 812 /* Compute number of memory blocks available to scan */
828 813 static void
829 814 physmem_count_blocks()
830 815 {
831 816 struct memlist *pmem;
832 817
833 818 memlist_read_lock();
834 819 entsrc.nblocks = 0;
835 820 for (pmem = phys_install; pmem != NULL; pmem = pmem->ml_next) {
836 821 entsrc.nblocks += pmem->ml_size / MEMBLOCKSIZE;
837 822 if (entsrc.nblocks > MAXMEMBLOCKS) {
838 823 entsrc.nblocks = MAXMEMBLOCKS;
839 824 break;
840 825 }
841 826 }
842 827 memlist_read_unlock();
843 828 }
844 829
845 830 /*
846 831 * Dynamic Reconfiguration call-back functions
847 832 */
848 833
849 834 /* ARGSUSED */
850 835 static void
851 836 rnd_dr_callback_post_add(void *arg, pgcnt_t delta)
852 837 {
853 838 /* More memory is available now, so update entsrc->nblocks. */
854 839 physmem_count_blocks();
855 840 }
856 841
857 842 /* Call-back routine invoked before the DR starts a memory removal. */
858 843 /* ARGSUSED */
859 844 static int
860 845 rnd_dr_callback_pre_del(void *arg, pgcnt_t delta)
861 846 {
862 847 return (0);
863 848 }
864 849
865 850 /* Call-back routine invoked after the DR starts a memory removal. */
866 851 /* ARGSUSED */
867 852 static void
868 853 rnd_dr_callback_post_del(void *arg, pgcnt_t delta, int cancelled)
869 854 {
870 855 /* Memory has shrunk, so update entsrc->nblocks. */
871 856 physmem_count_blocks();
872 857 }
873 858
874 859 /* Timeout handling to gather entropy from physmem events */
875 860 static void
876 861 swrand_schedule_timeout(void)
877 862 {
878 863 clock_t ut; /* time in microseconds */
879 864
880 865 ASSERT(MUTEX_HELD(&srndpool_lock));
881 866 /*
882 867 * The new timeout value is taken from the pool of random bits.
883 868 * We're merely reading the first 32 bits from the pool here, not
884 869 * consuming any entropy.
885 870 * This routine is usually called right after stirring the pool, so
886 871 * srndpool[0] will have a *fresh* random value each time.
887 872 * The timeout multiplier value is a random value between 0.7 sec and
888 873 * 1.748575 sec (0.7 sec + 0xFFFFF microseconds).
889 874 * The new timeout is TIMEOUT_INTERVAL times that multiplier.
890 875 */
891 876 ut = 700000 + (clock_t)(srndpool[0] & 0xFFFFF);
892 877 rnd_timeout_id = timeout(rnd_handler, NULL,
893 878 TIMEOUT_INTERVAL * drv_usectohz(ut));
894 879 }
895 880
896 881 /*ARGSUSED*/
897 882 static void
898 883 rnd_handler(void *arg)
899 884 {
900 885 mutex_enter(&srndpool_lock);
901 886
902 887 physmem_ent_gen(&entsrc);
903 888 if (snum_waiters > 0)
904 889 cv_broadcast(&srndpool_read_cv);
905 890 swrand_schedule_timeout();
906 891
907 892 mutex_exit(&srndpool_lock);
908 893 }
|
↓ open down ↓ |
704 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX