2 * Non-physical true random number generator based on timing jitter.
4 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
9 * See http://www.chronox.de/jent.html
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, and the entire permission notice in its entirety,
19 * including the disclaimer of warranties.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. The name of the author may not be used to endorse or promote
24 * products derived from this software without specific prior
27 * ALTERNATIVELY, this product may be distributed under the terms of
28 * the GNU General Public License, in which case the provisions of the GPL2 are
29 * required INSTEAD OF the above restrictions. (This clause is
30 * necessary due to a potential bad interaction between the GPL and
31 * the restrictions contained in a BSD-style copyright.)
33 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
34 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
35 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
36 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
37 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
38 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
39 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
40 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
41 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
42 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
43 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
48 * This Jitterentropy RNG is based on the jitterentropy library
49 * version 1.1.0 provided at http://www.chronox.de/jent.html
52 #include <linux/module.h>
53 #include <linux/slab.h>
54 #include <linux/module.h>
55 #include <linux/fips.h>
56 #include <linux/time.h>
57 #include <linux/crypto.h>
58 #include <crypto/internal/rng.h>
61 #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c."
64 /* The entropy pool */
66 /* all data values that are vital to maintain the security
67 * of the RNG are marked as SENSITIVE. A user must not
68 * access that information while the RNG executes its loops to
69 * calculate the next random value. */
70 __u64 data
; /* SENSITIVE Actual random number */
71 __u64 old_data
; /* SENSITIVE Previous random number */
72 __u64 prev_time
; /* SENSITIVE Previous time stamp */
73 #define DATA_SIZE_BITS ((sizeof(__u64)) * 8)
74 __u64 last_delta
; /* SENSITIVE stuck test */
75 __s64 last_delta2
; /* SENSITIVE stuck test */
76 unsigned int stuck
:1; /* Time measurement stuck */
77 unsigned int osr
; /* Oversample rate */
78 unsigned int stir
:1; /* Post-processing stirring */
79 unsigned int disable_unbias
:1; /* Deactivate Von-Neuman unbias */
80 #define JENT_MEMORY_BLOCKS 64
81 #define JENT_MEMORY_BLOCKSIZE 32
82 #define JENT_MEMORY_ACCESSLOOPS 128
83 #define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE)
84 unsigned char *mem
; /* Memory access location with size of
85 * memblocks * memblocksize */
86 unsigned int memlocation
; /* Pointer to byte in *mem */
87 unsigned int memblocks
; /* Number of memory blocks in *mem */
88 unsigned int memblocksize
; /* Size of one memory block in bytes */
89 unsigned int memaccessloops
; /* Number of memory accesses per random
93 /* Flags that can be used to initialize the RNG */
94 #define JENT_DISABLE_STIR (1<<0) /* Disable stirring the entropy pool */
95 #define JENT_DISABLE_UNBIAS (1<<1) /* Disable the Von-Neuman Unbiaser */
96 #define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more
97 * entropy, saves MEMORY_SIZE RAM for
98 * entropy collector */
100 #define DRIVER_NAME "jitterentropy"
102 /* -- error codes for init function -- */
103 #define JENT_ENOTIME 1 /* Timer service not available */
104 #define JENT_ECOARSETIME 2 /* Timer too coarse for RNG */
105 #define JENT_ENOMONOTONIC 3 /* Timer is not monotonic increasing */
106 #define JENT_EMINVARIATION 4 /* Timer variations too small for RNG */
107 #define JENT_EVARVAR 5 /* Timer does not produce variations of
108 * variations (2nd derivation of time is
110 #define JENT_EMINVARVAR 6 /* Timer variations of variations is tooi
113 /***************************************************************************
115 ***************************************************************************/
117 static inline void jent_get_nstime(__u64
*out
)
122 tmp
= random_get_entropy();
125 * If random_get_entropy does not return a value (which is possible on,
126 * for example, MIPS), invoke __getnstimeofday
127 * hoping that there are timers we can work with.
129 * The list of available timers can be obtained from
130 * /sys/devices/system/clocksource/clocksource0/available_clocksource
131 * and are registered with clocksource_register()
135 (0 == timekeeping_valid_for_hres()) &&
137 (0 == __getnstimeofday(&ts
))) {
140 tmp
= tmp
| ts
.tv_nsec
;
148 * Update of the loop count used for the next round of
149 * an entropy collection.
152 * @ec entropy collector struct -- may be NULL
153 * @bits is the number of low bits of the timer to consider
154 * @min is the number of bits we shift the timer value to the right at
155 * the end to make sure we have a guaranteed minimum value
157 * @return Newly calculated loop counter
159 static __u64
jent_loop_shuffle(struct rand_data
*ec
,
160 unsigned int bits
, unsigned int min
)
165 unsigned int mask
= (1<<bits
) - 1;
167 jent_get_nstime(&time
);
169 * mix the current state of the random number into the shuffle
170 * calculation to balance that shuffle a bit more
175 * we fold the time value as much as possible to ensure that as many
176 * bits of the time stamp are included as possible
178 for (i
= 0; (DATA_SIZE_BITS
/ bits
) > i
; i
++) {
179 shuffle
^= time
& mask
;
184 * We add a lower boundary value to ensure we have a minimum
187 return (shuffle
+ (1<<min
));
190 /***************************************************************************
192 ***************************************************************************/
195 * CPU Jitter noise source -- this is the noise source based on the CPU
196 * execution time jitter
198 * This function folds the time into one bit units by iterating
199 * through the DATA_SIZE_BITS bit time value as follows: assume our time value
201 * 1st loop, 1st shift generates 0xd000
202 * 1st loop, 2nd shift generates 0x000d
203 * 2nd loop, 1st shift generates 0xcd00
204 * 2nd loop, 2nd shift generates 0x000c
205 * 3rd loop, 1st shift generates 0xbcd0
206 * 3rd loop, 2nd shift generates 0x000b
207 * 4th loop, 1st shift generates 0xabcd
208 * 4th loop, 2nd shift generates 0x000a
209 * Now, the values at the end of the 2nd shifts are XORed together.
211 * The code is deliberately inefficient and shall stay that way. This function
212 * is the root cause why the code shall be compiled without optimization. This
213 * function not only acts as folding operation, but this function's execution
214 * is used to measure the CPU execution time jitter. Any change to the loop in
215 * this function implies that careful retesting must be done.
218 * @ec entropy collector struct -- may be NULL
219 * @time time stamp to be folded
220 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
221 * loops to perform the folding
224 * @folded result of folding operation
226 * @return Number of loops the folding operation is performed
228 static __u64
jent_fold_time(struct rand_data
*ec
, __u64 time
,
229 __u64
*folded
, __u64 loop_cnt
)
234 #define MAX_FOLD_LOOP_BIT 4
235 #define MIN_FOLD_LOOP_BIT 0
236 __u64 fold_loop_cnt
=
237 jent_loop_shuffle(ec
, MAX_FOLD_LOOP_BIT
, MIN_FOLD_LOOP_BIT
);
240 * testing purposes -- allow test app to set the counter, not
241 * needed during runtime
244 fold_loop_cnt
= loop_cnt
;
245 for (j
= 0; j
< fold_loop_cnt
; j
++) {
247 for (i
= 1; (DATA_SIZE_BITS
) >= i
; i
++) {
248 __u64 tmp
= time
<< (DATA_SIZE_BITS
- i
);
250 tmp
= tmp
>> (DATA_SIZE_BITS
- 1);
255 return fold_loop_cnt
;
259 * Memory Access noise source -- this is a noise source based on variations in
260 * memory access times
262 * This function performs memory accesses which will add to the timing
263 * variations due to an unknown amount of CPU wait states that need to be
264 * added when accessing memory. The memory size should be larger than the L1
265 * caches as outlined in the documentation and the associated testing.
267 * The L1 cache has a very high bandwidth, albeit its access rate is usually
268 * slower than accessing CPU registers. Therefore, L1 accesses only add minimal
269 * variations as the CPU has hardly to wait. Starting with L2, significant
270 * variations are added because L2 typically does not belong to the CPU any more
271 * and therefore a wider range of CPU wait states is necessary for accesses.
272 * L3 and real memory accesses have even a wider range of wait states. However,
273 * to reliably access either L3 or memory, the ec->mem memory must be quite
274 * large which is usually not desirable.
277 * @ec Reference to the entropy collector with the memory access data -- if
278 * the reference to the memory block to be accessed is NULL, this noise
280 * @loop_cnt if a value not equal to 0 is set, use the given value as number of
281 * loops to perform the folding
283 * @return Number of memory access operations
285 static unsigned int jent_memaccess(struct rand_data
*ec
, __u64 loop_cnt
)
287 unsigned char *tmpval
= NULL
;
288 unsigned int wrap
= 0;
290 #define MAX_ACC_LOOP_BIT 7
291 #define MIN_ACC_LOOP_BIT 0
293 jent_loop_shuffle(ec
, MAX_ACC_LOOP_BIT
, MIN_ACC_LOOP_BIT
);
295 if (NULL
== ec
|| NULL
== ec
->mem
)
297 wrap
= ec
->memblocksize
* ec
->memblocks
;
300 * testing purposes -- allow test app to set the counter, not
301 * needed during runtime
304 acc_loop_cnt
= loop_cnt
;
306 for (i
= 0; i
< (ec
->memaccessloops
+ acc_loop_cnt
); i
++) {
307 tmpval
= ec
->mem
+ ec
->memlocation
;
309 * memory access: just add 1 to one byte,
310 * wrap at 255 -- memory access implies read
311 * from and write to memory location
313 *tmpval
= (*tmpval
+ 1) & 0xff;
315 * Addition of memblocksize - 1 to pointer
316 * with wrap around logic to ensure that every
317 * memory location is hit evenly
319 ec
->memlocation
= ec
->memlocation
+ ec
->memblocksize
- 1;
320 ec
->memlocation
= ec
->memlocation
% wrap
;
325 /***************************************************************************
326 * Start of entropy processing logic
327 ***************************************************************************/
330 * Stuck test by checking the:
331 * 1st derivation of the jitter measurement (time delta)
332 * 2nd derivation of the jitter measurement (delta of time deltas)
333 * 3rd derivation of the jitter measurement (delta of delta of time deltas)
335 * All values must always be non-zero.
338 * @ec Reference to entropy collector
339 * @current_delta Jitter time delta
342 * 0 jitter measurement not stuck (good bit)
343 * 1 jitter measurement stuck (reject bit)
345 static void jent_stuck(struct rand_data
*ec
, __u64 current_delta
)
347 __s64 delta2
= ec
->last_delta
- current_delta
;
348 __s64 delta3
= delta2
- ec
->last_delta2
;
350 ec
->last_delta
= current_delta
;
351 ec
->last_delta2
= delta2
;
353 if (!current_delta
|| !delta2
|| !delta3
)
358 * This is the heart of the entropy generation: calculate time deltas and
359 * use the CPU jitter in the time deltas. The jitter is folded into one
360 * bit. You can call this function the "random bit generator" as it
361 * produces one random bit per invocation.
363 * WARNING: ensure that ->prev_time is primed before using the output
364 * of this function! This can be done by calling this function
365 * and not using its result.
368 * @entropy_collector Reference to entropy collector
370 * @return One random bit
372 static __u64
jent_measure_jitter(struct rand_data
*ec
)
376 __u64 current_delta
= 0;
378 /* Invoke one noise source before time measurement to add variations */
379 jent_memaccess(ec
, 0);
382 * Get time stamp and calculate time delta to previous
383 * invocation to measure the timing variations
385 jent_get_nstime(&time
);
386 current_delta
= time
- ec
->prev_time
;
387 ec
->prev_time
= time
;
389 /* Now call the next noise sources which also folds the data */
390 jent_fold_time(ec
, current_delta
, &data
, 0);
393 * Check whether we have a stuck measurement. The enforcement
394 * is performed after the stuck value has been mixed into the
397 jent_stuck(ec
, current_delta
);
403 * Von Neuman unbias as explained in RFC 4086 section 4.2. As shown in the
404 * documentation of that RNG, the bits from jent_measure_jitter are considered
405 * independent which implies that the Von Neuman unbias operation is applicable.
406 * A proof of the Von-Neumann unbias operation to remove skews is given in the
407 * document "A proposal for: Functionality classes for random number
408 * generators", version 2.0 by Werner Schindler, section 5.4.1.
411 * @entropy_collector Reference to entropy collector
413 * @return One random bit
415 static __u64
jent_unbiased_bit(struct rand_data
*entropy_collector
)
418 __u64 a
= jent_measure_jitter(entropy_collector
);
419 __u64 b
= jent_measure_jitter(entropy_collector
);
431 * Shuffle the pool a bit by mixing some value with a bijective function (XOR)
434 * The function generates a mixer value that depends on the bits set and the
435 * location of the set bits in the random number generated by the entropy
436 * source. Therefore, based on the generated random number, this mixer value
437 * can have 2**64 different values. That mixer value is initialized with the
438 * first two SHA-1 constants. After obtaining the mixer value, it is XORed into
441 * The mixer value is not assumed to contain any entropy. But due to the XOR
442 * operation, it can also not destroy any entropy present in the entropy pool.
445 * @entropy_collector Reference to entropy collector
447 static void jent_stir_pool(struct rand_data
*entropy_collector
)
450 * to shut up GCC on 32 bit, we have to initialize the 64 variable
451 * with two 32 bit variables
458 * This constant is derived from the first two 32 bit initialization
459 * vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1
463 * The start value of the mixer variable is derived from the third
464 * and fourth 32 bit initialization vector of SHA-1 as defined in
465 * FIPS 180-4 section 5.3.1
471 * Store the SHA-1 constants in reverse order to make up the 64 bit
472 * value -- this applies to a little endian system, on a big endian
473 * system, it reverses as expected. But this really does not matter
474 * as we do not rely on the specific numbers. We just pick the SHA-1
475 * constants as they have a good mix of bit set and unset.
477 constant
.u32
[1] = 0x67452301;
478 constant
.u32
[0] = 0xefcdab89;
479 mixer
.u32
[1] = 0x98badcfe;
480 mixer
.u32
[0] = 0x10325476;
482 for (i
= 0; i
< DATA_SIZE_BITS
; i
++) {
484 * get the i-th bit of the input random number and only XOR
485 * the constant into the mixer value when that bit is set
487 if ((entropy_collector
->data
>> i
) & 1)
488 mixer
.u64
^= constant
.u64
;
489 mixer
.u64
= rol64(mixer
.u64
, 1);
491 entropy_collector
->data
^= mixer
.u64
;
495 * Generator of one 64 bit random number
496 * Function fills rand_data->data
499 * @ec Reference to entropy collector
501 static void jent_gen_entropy(struct rand_data
*ec
)
505 /* priming of the ->prev_time value */
506 jent_measure_jitter(ec
);
511 if (ec
->disable_unbias
== 1)
512 data
= jent_measure_jitter(ec
);
514 data
= jent_unbiased_bit(ec
);
516 /* enforcement of the jent_stuck test */
519 * We only mix in the bit considered not appropriate
520 * without the LSFR. The reason is that if we apply
521 * the LSFR and we do not rotate, the 2nd bit with LSFR
522 * will cancel out the first LSFR application on the
525 * And we do not rotate as we apply the next bit to the
526 * current bit location again.
534 * Fibonacci LSFR with polynom of
535 * x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is
536 * primitive according to
537 * http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf
538 * (the shift values are the polynom values minus one
539 * due to counting bits from 0 to 63). As the current
540 * position is always the LSB, the polynom only needs
541 * to shift data in from the left without wrap.
544 ec
->data
^= ((ec
->data
>> 63) & 1);
545 ec
->data
^= ((ec
->data
>> 60) & 1);
546 ec
->data
^= ((ec
->data
>> 55) & 1);
547 ec
->data
^= ((ec
->data
>> 30) & 1);
548 ec
->data
^= ((ec
->data
>> 27) & 1);
549 ec
->data
^= ((ec
->data
>> 22) & 1);
550 ec
->data
= rol64(ec
->data
, 1);
553 * We multiply the loop value with ->osr to obtain the
554 * oversampling rate requested by the caller
556 if (++k
>= (DATA_SIZE_BITS
* ec
->osr
))
564 * The continuous test required by FIPS 140-2 -- the function automatically
565 * primes the test if needed.
568 * 0 if FIPS test passed
569 * < 0 if FIPS test failed
571 static void jent_fips_test(struct rand_data
*ec
)
576 /* prime the FIPS test */
578 ec
->old_data
= ec
->data
;
579 jent_gen_entropy(ec
);
582 if (ec
->data
== ec
->old_data
)
583 panic(DRIVER_NAME
": Duplicate output detected\n");
585 ec
->old_data
= ec
->data
;
590 * Entry function: Obtain entropy for the caller.
592 * This function invokes the entropy gathering logic as often to generate
593 * as many bytes as requested by the caller. The entropy gathering logic
594 * creates 64 bit per invocation.
596 * This function truncates the last 64 bit entropy value output to the exact
597 * size specified by the caller.
600 * @ec Reference to entropy collector
601 * @data pointer to buffer for storing random data -- buffer must already
603 * @len size of the buffer, specifying also the requested number of random
606 * @return 0 when request is fulfilled or an error
608 * The following error codes can occur:
609 * -1 entropy_collector is NULL
611 static ssize_t
jent_read_entropy(struct rand_data
*ec
, u8
*data
, size_t len
)
621 jent_gen_entropy(ec
);
623 if ((DATA_SIZE_BITS
/ 8) < len
)
624 tocopy
= (DATA_SIZE_BITS
/ 8);
627 memcpy(p
, &ec
->data
, tocopy
);
636 /***************************************************************************
637 * Initialization logic
638 ***************************************************************************/
640 static struct rand_data
*jent_entropy_collector_alloc(unsigned int osr
,
643 struct rand_data
*entropy_collector
;
645 entropy_collector
= kzalloc(sizeof(struct rand_data
), GFP_KERNEL
);
646 if (!entropy_collector
)
649 if (!(flags
& JENT_DISABLE_MEMORY_ACCESS
)) {
650 /* Allocate memory for adding variations based on memory
653 entropy_collector
->mem
= kzalloc(JENT_MEMORY_SIZE
, GFP_KERNEL
);
654 if (!entropy_collector
->mem
) {
655 kfree(entropy_collector
);
658 entropy_collector
->memblocksize
= JENT_MEMORY_BLOCKSIZE
;
659 entropy_collector
->memblocks
= JENT_MEMORY_BLOCKS
;
660 entropy_collector
->memaccessloops
= JENT_MEMORY_ACCESSLOOPS
;
663 /* verify and set the oversampling rate */
665 osr
= 1; /* minimum sampling rate is 1 */
666 entropy_collector
->osr
= osr
;
668 entropy_collector
->stir
= 1;
669 if (flags
& JENT_DISABLE_STIR
)
670 entropy_collector
->stir
= 0;
671 if (flags
& JENT_DISABLE_UNBIAS
)
672 entropy_collector
->disable_unbias
= 1;
674 /* fill the data pad with non-zero values */
675 jent_gen_entropy(entropy_collector
);
677 return entropy_collector
;
680 static void jent_entropy_collector_free(struct rand_data
*entropy_collector
)
682 if (entropy_collector
->mem
)
683 kzfree(entropy_collector
->mem
);
684 entropy_collector
->mem
= NULL
;
685 if (entropy_collector
)
686 kzfree(entropy_collector
);
687 entropy_collector
= NULL
;
690 static int jent_entropy_init(void)
695 int time_backwards
= 0;
699 /* We could perform statistical tests here, but the problem is
700 * that we only have a few loop counts to do testing. These
701 * loop counts may show some slight skew and we produce
704 * Moreover, only old systems show potentially problematic
705 * jitter entropy that could potentially be caught here. But
706 * the RNG is intended for hardware that is available or widely
707 * used, but not old systems that are long out of favor. Thus,
708 * no statistical tests.
712 * We could add a check for system capabilities such as clock_getres or
713 * check for CONFIG_X86_TSC, but it does not make much sense as the
714 * following sanity checks verify that we have a high-resolution
718 * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is
719 * definitely too little.
721 #define TESTLOOPCOUNT 300
722 #define CLEARCACHE 100
723 for (i
= 0; (TESTLOOPCOUNT
+ CLEARCACHE
) > i
; i
++) {
728 unsigned int lowdelta
= 0;
730 jent_get_nstime(&time
);
731 jent_fold_time(NULL
, time
, &folded
, 1<<MIN_FOLD_LOOP_BIT
);
732 jent_get_nstime(&time2
);
734 /* test whether timer works */
737 delta
= time2
- time
;
739 * test whether timer is fine grained enough to provide
740 * delta even when called shortly after each other -- this
741 * implies that we also have a high resolution timer
744 return JENT_ECOARSETIME
;
747 * up to here we did not modify any variable that will be
748 * evaluated later, but we already performed some work. Thus we
749 * already have had an impact on the caches, branch prediction,
750 * etc. with the goal to clear it to get the worst case
756 /* test whether we have an increasing timer */
761 * Avoid modulo of 64 bit integer to allow code to compile
762 * on 32 bit architectures.
764 lowdelta
= time2
- time
;
765 if (!(lowdelta
% 100))
769 * ensure that we have a varying delta timer which is necessary
770 * for the calculation of entropy -- perform this check
771 * only after the first loop is executed as we need to prime
775 if (delta
!= old_delta
)
777 if (delta
> old_delta
)
778 delta_sum
+= (delta
- old_delta
);
780 delta_sum
+= (old_delta
- delta
);
786 * we allow up to three times the time running backwards.
787 * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus,
788 * if such an operation just happens to interfere with our test, it
789 * should not fail. The value of 3 should cover the NTP case being
790 * performed during our test run.
792 if (3 < time_backwards
)
793 return JENT_ENOMONOTONIC
;
794 /* Error if the time variances are always identical */
799 * Variations of deltas of time must on average be larger
800 * than 1 to ensure the entropy estimation
801 * implied with 1 is preserved
804 return JENT_EMINVARVAR
;
807 * Ensure that we have variations in the time stamp below 10 for at
808 * least 10% of all checks -- on some platforms, the counter
809 * increments in multiples of 100, but not always
811 if ((TESTLOOPCOUNT
/10 * 9) < count_mod
)
812 return JENT_ECOARSETIME
;
817 /***************************************************************************
818 * Kernel crypto API interface
819 ***************************************************************************/
821 struct jitterentropy
{
822 spinlock_t jent_lock
;
823 struct rand_data
*entropy_collector
;
826 static int jent_kcapi_init(struct crypto_tfm
*tfm
)
828 struct jitterentropy
*rng
= crypto_tfm_ctx(tfm
);
831 rng
->entropy_collector
= jent_entropy_collector_alloc(1, 0);
832 if (!rng
->entropy_collector
)
835 spin_lock_init(&rng
->jent_lock
);
839 static void jent_kcapi_cleanup(struct crypto_tfm
*tfm
)
841 struct jitterentropy
*rng
= crypto_tfm_ctx(tfm
);
843 spin_lock(&rng
->jent_lock
);
844 if (rng
->entropy_collector
)
845 jent_entropy_collector_free(rng
->entropy_collector
);
846 rng
->entropy_collector
= NULL
;
847 spin_unlock(&rng
->jent_lock
);
850 static int jent_kcapi_random(struct crypto_rng
*tfm
,
851 const u8
*src
, unsigned int slen
,
852 u8
*rdata
, unsigned int dlen
)
854 struct jitterentropy
*rng
= crypto_rng_ctx(tfm
);
857 spin_lock(&rng
->jent_lock
);
858 ret
= jent_read_entropy(rng
->entropy_collector
, rdata
, dlen
);
859 spin_unlock(&rng
->jent_lock
);
864 static int jent_kcapi_reset(struct crypto_rng
*tfm
,
865 const u8
*seed
, unsigned int slen
)
870 static struct rng_alg jent_alg
= {
871 .generate
= jent_kcapi_random
,
872 .seed
= jent_kcapi_reset
,
875 .cra_name
= "jitterentropy_rng",
876 .cra_driver_name
= "jitterentropy_rng",
878 .cra_ctxsize
= sizeof(struct jitterentropy
),
879 .cra_module
= THIS_MODULE
,
880 .cra_init
= jent_kcapi_init
,
881 .cra_exit
= jent_kcapi_cleanup
,
886 static int __init
jent_mod_init(void)
890 ret
= jent_entropy_init();
892 pr_info(DRIVER_NAME
": Initialization failed with host not compliant with requirements: %d\n", ret
);
895 return crypto_register_rng(&jent_alg
);
898 static void __exit
jent_mod_exit(void)
900 crypto_unregister_rng(&jent_alg
);
903 module_init(jent_mod_init
);
904 module_exit(jent_mod_exit
);
906 MODULE_LICENSE("Dual BSD/GPL");
907 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
908 MODULE_DESCRIPTION("Non-physical True Random Number Generator based on CPU Jitter");
909 MODULE_ALIAS_CRYPTO("jitterentropy_rng");