/*	$NetBSD: rndpseudo.c,v 1.35 2015/08/20 14:40:17 christos Exp $	*/

/*-
 * Copyright (c) 1997-2013 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by Michael Graff <explorer@flame.org>, Thor Lancelot Simon, and
 * Taylor R. Campbell.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.35 2015/08/20 14:40:17 christos Exp $");

#if defined(_KERNEL_OPT)
#include "opt_compat_netbsd.h"
#endif

#include <sys/param.h>
#include <sys/atomic.h>
#include <sys/conf.h>
#include <sys/cprng.h>
#include <sys/cpu.h>
#include <sys/evcnt.h>
#include <sys/fcntl.h>
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/ioctl.h>
#include <sys/kauth.h>
#include <sys/kernel.h>
#include <sys/kmem.h>
#include <sys/mutex.h>
#include <sys/percpu.h>
#include <sys/poll.h>
#include <sys/pool.h>
#include <sys/proc.h>
#include <sys/rnd.h>
#include <sys/rndpool.h>
#include <sys/rndsource.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <sys/systm.h>
#include <sys/vnode.h>

#include <dev/rnd_private.h>

#include "ioconf.h"

#if defined(__HAVE_CPU_COUNTER)
#include <machine/cpu_counter.h>
#endif

#ifdef RND_DEBUG
#define	DPRINTF(l,x)	if (rnd_debug & (l)) printf x
#else
#define	DPRINTF(l,x)
#endif

/*
 * Define RND_VERBOSE to enable verbose debugging printfs.
 */
#if 0
#define	RND_VERBOSE
#endif

/*
 * The size of a temporary buffer for reading and writing entropy.
 */
#define	RND_TEMP_BUFFER_SIZE	512

static pool_cache_t rnd_temp_buffer_cache __read_mostly;

/*
 * Per-open state -- a lazily initialized CPRNG.
 */
struct rnd_ctx {
	struct cprng_strong	*rc_cprng;
	bool			rc_hard;
};

static pool_cache_t rnd_ctx_cache __read_mostly;

/*
 * The per-CPU RNGs used for short /dev/urandom requests.
 */
static percpu_t *percpu_urandom_cprng __read_mostly;

dev_type_open(rndopen);

const struct cdevsw rnd_cdevsw = {
	.d_open = rndopen,
	.d_close = noclose,
	.d_read = noread,
	.d_write = nowrite,
	.d_ioctl = noioctl,
	.d_stop = nostop,
	.d_tty = notty,
	.d_poll = nopoll,
	.d_mmap = nommap,
	.d_kqfilter = nokqfilter,
	.d_discard = nodiscard,
	.d_flag = D_OTHER | D_MPSAFE
};

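/*
 * All I/O on the cloned descriptor goes through these fileops; the
 * cdevsw above needs only d_open, since rndopen() hands everything
 * else off via fd_clone().
 */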
static int rnd_read(struct file *, off_t *, struct uio *, kauth_cred_t, int);
static int rnd_write(struct file *, off_t *, struct uio *, kauth_cred_t, int);
static int rnd_ioctl(struct file *, u_long, void *);
static int rnd_poll(struct file *, int);
static int rnd_stat(struct file *, struct stat *);
static int rnd_close(struct file *);
static int rnd_kqfilter(struct file *, struct knote *);

const struct fileops rnd_fileops = {
	.fo_read = rnd_read,
	.fo_write = rnd_write,
	.fo_ioctl = rnd_ioctl,
	.fo_fcntl = fnullop_fcntl,
	.fo_poll = rnd_poll,
	.fo_stat = rnd_stat,
	.fo_close = rnd_close,
	.fo_kqfilter = rnd_kqfilter,
	.fo_restart = fnullop_restart
};

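/*
 * Event counters for opens of /dev/urandom ("open soft") and
 * /dev/random ("open hard"), e.g. visible via vmstat -e.
 */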
static struct evcnt rndpseudo_soft = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
    NULL, "rndpseudo", "open soft");
static struct evcnt rndpseudo_hard = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
    NULL, "rndpseudo", "open hard");
EVCNT_ATTACH_STATIC(rndpseudo_soft);
EVCNT_ATTACH_STATIC(rndpseudo_hard);

/*
 * Generate a 32-bit counter.
 */
static inline uint32_t
rndpseudo_counter(void)
{
	struct bintime bt;
	uint32_t ret;

#if defined(__HAVE_CPU_COUNTER)
	if (cpu_hascounter())
		return (cpu_counter32());
#endif

	binuptime(&bt);
	ret = bt.sec;
	ret ^= bt.sec >> 32;
	ret ^= bt.frac;
	ret ^= bt.frac >> 32;

	return ret;
}

/*
 * Used by ioconf.c to attach the rnd pseudo-device.
 * `Attach' the random device.  We use the timing of this event as
 * another potential source of initial entropy.
 */
void
rndattach(int num)
{
	uint32_t c;

	/* Trap unwary players who don't call rnd_init() early. */
	KASSERT(rnd_ready);

	rnd_temp_buffer_cache = pool_cache_init(RND_TEMP_BUFFER_SIZE, 0, 0, 0,
	    "rndtemp", NULL, IPL_NONE, NULL, NULL, NULL);
	rnd_ctx_cache = pool_cache_init(sizeof(struct rnd_ctx), 0, 0, 0,
	    "rndctx", NULL, IPL_NONE, NULL, NULL, NULL);
	percpu_urandom_cprng = percpu_alloc(sizeof(struct cprng_strong *));

	/* Mix in another counter. */
	c = rndpseudo_counter();
	rnd_add_data(NULL, &c, sizeof(c), 1);
}

int
rndopen(dev_t dev, int flags, int fmt, struct lwp *l)
{
	bool hard;
	struct file *fp;
	int fd;
	int error;

	switch (minor(dev)) {
	case RND_DEV_URANDOM:
		hard = false;
		rndpseudo_soft.ev_count++;
		break;

	case RND_DEV_RANDOM:
		hard = true;
		rndpseudo_hard.ev_count++;
		break;

	default:
		return ENXIO;
	}

	error = fd_allocfile(&fp, &fd);
	if (error)
		return error;

	/*
	 * Allocate a context, but don't create a CPRNG yet -- do that
	 * lazily because it consumes entropy from the system entropy
	 * pool, which (currently) has the effect of depleting it and
	 * causing readers from /dev/random to block.  If this is
	 * /dev/urandom and the process is about to send only short
	 * reads to it, then we will be using a per-CPU CPRNG anyway.
	 */
	struct rnd_ctx *const ctx = pool_cache_get(rnd_ctx_cache, PR_WAITOK);
	ctx->rc_cprng = NULL;
	ctx->rc_hard = hard;

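	/*
	 * fd_clone() stores ctx as the file's private data (read back
	 * as fp->f_rndctx) and always returns EMOVEFD, meaning the new
	 * descriptor has already been handed off to the caller.
	 */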
	error = fd_clone(fp, fd, flags, &rnd_fileops, ctx);
	KASSERT(error == EMOVEFD);

	return error;
}

/*
 * Fetch a /dev/u?random context's CPRNG, or create and save one if
 * necessary.
 */
static struct cprng_strong *
rnd_ctx_cprng(struct rnd_ctx *ctx)
{
	struct cprng_strong *cprng, *tmp = NULL;

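	/*
	 * Note: the struct file (and hence this context) may be shared
	 * by several threads or processes (fork, dup), so rc_cprng can
	 * be initialized concurrently; publication below therefore uses
	 * an atomic CAS with memory barriers.
	 */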
	/* Fast path: if someone has already allocated a CPRNG, use it. */
	cprng = ctx->rc_cprng;
	if (__predict_true(cprng != NULL)) {
		/* Make sure the CPU hasn't prefetched cprng's guts. */
		membar_consumer();
		goto out;
	}

	/* Slow path: create a CPRNG.  Allocate before taking locks. */
	char name[64];
	struct lwp *const l = curlwp;
	(void)snprintf(name, sizeof(name), "%d %"PRIu64" %u",
	    (int)l->l_proc->p_pid, l->l_ncsw, l->l_cpticks);
	const int flags = (ctx->rc_hard? (CPRNG_USE_CV | CPRNG_HARD) :
	    (CPRNG_INIT_ANY | CPRNG_REKEY_ANY));
	tmp = cprng_strong_create(name, IPL_NONE, flags);

	/* Publish cprng's guts before the pointer to them. */
	membar_producer();

	/* Attempt to publish tmp, unless someone beat us. */
	cprng = atomic_cas_ptr(&ctx->rc_cprng, NULL, tmp);
	if (__predict_false(cprng != NULL)) {
		/* Make sure the CPU hasn't prefetched cprng's guts. */
		membar_consumer();
		goto out;
	}

	/* Published.  Commit tmp. */
	cprng = tmp;
	tmp = NULL;

out:	if (tmp != NULL)
		cprng_strong_destroy(tmp);
	KASSERT(cprng != NULL);
	return cprng;
}

/*
 * Fetch a per-CPU CPRNG, or create and save one if necessary.
 */
static struct cprng_strong *
rnd_percpu_cprng(void)
{
	struct cprng_strong **cprngp, *cprng, *tmp = NULL;

	/* Fast path: if there already is a CPRNG for this CPU, use it. */
	cprngp = percpu_getref(percpu_urandom_cprng);
	cprng = *cprngp;
	if (__predict_true(cprng != NULL))
		goto out;
	percpu_putref(percpu_urandom_cprng);

	/*
	 * Slow path: create a CPRNG named by this CPU.
	 *
	 * XXX The CPU of the name may be different from the CPU to
	 * which it is assigned, because we need to choose a name and
	 * allocate a cprng while preemption is enabled.  This could be
	 * fixed by changing the cprng_strong API (e.g., by adding a
	 * cprng_strong_setname or by separating allocation from
	 * initialization), but it's not clear that's worth the
	 * trouble.
	 */
	char name[32];
	(void)snprintf(name, sizeof(name), "urandom%u", cpu_index(curcpu()));
	tmp = cprng_strong_create(name, IPL_NONE,
	    (CPRNG_INIT_ANY | CPRNG_REKEY_ANY));

	/* Try again, but we may have been preempted and lost a race. */
	cprngp = percpu_getref(percpu_urandom_cprng);
	cprng = *cprngp;
	if (__predict_false(cprng != NULL))
		goto out;

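	/*
	 * We still hold the percpu reference (preemption is disabled),
	 * so nothing else on this CPU can initialize the slot behind
	 * our back; a plain store suffices to publish it.
	 */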
	/* Commit the CPRNG we just created. */
	cprng = tmp;
	tmp = NULL;
	*cprngp = cprng;

out:	percpu_putref(percpu_urandom_cprng);
	if (tmp != NULL)
		cprng_strong_destroy(tmp);
	KASSERT(cprng != NULL);
	return cprng;
}

static int
rnd_read(struct file *fp, off_t *offp, struct uio *uio, kauth_cred_t cred,
    int flags)
{
	int error = 0;

	DPRINTF(RND_DEBUG_READ,
	    ("Random: Read of %zu requested, flags 0x%08x\n",
		uio->uio_resid, flags));

	if (uio->uio_resid == 0)
		return 0;

	struct rnd_ctx *const ctx = fp->f_rndctx;
	uint8_t *const buf = pool_cache_get(rnd_temp_buffer_cache, PR_WAITOK);

	/*
	 * Choose a CPRNG to use -- either the per-open CPRNG, if this
	 * is /dev/random or a long read, or the per-CPU one otherwise.
	 *
	 * XXX NIST_BLOCK_KEYLEN_BYTES is a detail of the cprng(9)
	 * implementation and as such should not be mentioned here.
	 */
	struct cprng_strong *const cprng =
	    ((ctx->rc_hard || (uio->uio_resid > NIST_BLOCK_KEYLEN_BYTES))?
		rnd_ctx_cprng(ctx) : rnd_percpu_cprng());

	/*
	 * Generate the data in RND_TEMP_BUFFER_SIZE chunks.
	 */
	while (uio->uio_resid > 0) {
		const size_t n_req = MIN(uio->uio_resid, RND_TEMP_BUFFER_SIZE);

		CTASSERT(RND_TEMP_BUFFER_SIZE <= CPRNG_MAX_LEN);
		const size_t n_read = cprng_strong(cprng, buf, n_req,
		    ((ctx->rc_hard && ISSET(fp->f_flag, FNONBLOCK))?
			FNONBLOCK : 0));

		/*
		 * Equality will hold unless this is /dev/random, in
		 * which case we get only as many bytes as are left
		 * from the CPRNG's `information-theoretic strength'
		 * since the last rekey.
		 */
		KASSERT(n_read <= n_req);
		KASSERT(ctx->rc_hard || (n_read == n_req));

		error = uiomove(buf, n_read, uio);
		if (error)
			goto out;

		/*
		 * For /dev/urandom: Reads always succeed in full, no
		 * matter how many iterations that takes.  (XXX But
		 * this means the computation can't be interrupted,
		 * which seems suboptimal.)
		 *
		 * For /dev/random, nonblocking: Reads succeed with as
		 * many bytes as a single request can return without
		 * blocking, or fail with EAGAIN if a request would
		 * block.  (There is no sense in trying multiple
		 * requests because if the first one didn't fill the
		 * buffer, the second one would almost certainly
		 * block.)
		 *
		 * For /dev/random, blocking: Reads succeed with as
		 * many bytes as a single request -- which may block --
		 * can return if uninterrupted, or fail with EINTR if
		 * the request is interrupted.
		 */
		KASSERT((0 < n_read) || ctx->rc_hard);
		if (ctx->rc_hard) {
			if (0 < n_read)
				error = 0;
			else if (ISSET(fp->f_flag, FNONBLOCK))
				error = EAGAIN;
			else
				error = EINTR;
			goto out;
		}
	}

out:	pool_cache_put(rnd_temp_buffer_cache, buf);
	return error;
}

static int
rnd_write(struct file *fp, off_t *offp, struct uio *uio,
    kauth_cred_t cred, int flags)
{
	uint8_t *bf;
	int n, ret = 0, estimate_ok = 0, estimate = 0, added = 0;

	ret = kauth_authorize_device(cred,
	    KAUTH_DEVICE_RND_ADDDATA, NULL, NULL, NULL, NULL);
	if (ret) {
		return (ret);
	}
	estimate_ok = !kauth_authorize_device(cred,
	    KAUTH_DEVICE_RND_ADDDATA_ESTIMATE, NULL, NULL, NULL, NULL);

	DPRINTF(RND_DEBUG_WRITE,
	    ("Random: Write of %zu requested\n", uio->uio_resid));

	if (uio->uio_resid == 0)
		return (0);
	ret = 0;
	bf = pool_cache_get(rnd_temp_buffer_cache, PR_WAITOK);
	while (uio->uio_resid > 0) {
		/*
		 * Don't flood the pool.
		 */
		if (added > RND_POOLWORDS * sizeof(int)) {
#ifdef RND_VERBOSE
			printf("rnd: added %d already, adding no more.\n",
			    added);
#endif
			break;
		}
		n = min(RND_TEMP_BUFFER_SIZE, uio->uio_resid);

		ret = uiomove((void *)bf, n, uio);
		if (ret != 0)
			break;

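		/*
		 * If the caller may estimate entropy, credit at most
		 * half a bit per bit written (n * NBBY / 2 bits for n
		 * bytes), and stop crediting altogether once `added'
		 * exceeds RND_POOLWORDS / 2, so that user writes can't
		 * saturate the pool's entropy estimate.
		 */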
		if (estimate_ok) {
			/*
			 * Don't cause samples to be discarded by taking
			 * the pool's entropy estimate to the max.
			 */
			if (added > RND_POOLWORDS / 2)
				estimate = 0;
			else
				estimate = n * NBBY / 2;
#ifdef RND_VERBOSE
			printf("rnd: adding on write, %d bytes, estimate %d\n",
			    n, estimate);
#endif
		} else {
#ifdef RND_VERBOSE
			printf("rnd: kauth says no entropy.\n");
#endif
		}

		/*
		 * Mix in the bytes.
		 */
		rnd_add_data(NULL, bf, n, estimate);

		added += n;
		DPRINTF(RND_DEBUG_WRITE, ("Random: Copied in %d bytes\n", n));
	}
	pool_cache_put(rnd_temp_buffer_cache, bf);
	return (ret);
}

int
rnd_ioctl(struct file *fp, u_long cmd, void *addr)
{

	switch (cmd) {
	case FIONBIO:
	case FIOASYNC:
		return 0;
	default:
		return rnd_system_ioctl(fp, cmd, addr);
	}
}

static int
rnd_poll(struct file *fp, int events)
{
	struct rnd_ctx *const ctx = fp->f_rndctx;
	int revents;

	/*
	 * We are always writable.
	 */
	revents = events & (POLLOUT | POLLWRNORM);

	/*
	 * Save some work if not checking for reads.
	 */
	if ((events & (POLLIN | POLLRDNORM)) == 0)
		return revents;

	/*
	 * For /dev/random, ask the CPRNG, which may require creating
	 * one.  For /dev/urandom, we're always readable.
	 */
	if (ctx->rc_hard)
		revents |= cprng_strong_poll(rnd_ctx_cprng(ctx), events);
	else
		revents |= (events & (POLLIN | POLLRDNORM));

	return revents;
}

static int
rnd_stat(struct file *fp, struct stat *st)
{
	struct rnd_ctx *const ctx = fp->f_rndctx;

	/* XXX lock, if cprng allocated?  why? */
	memset(st, 0, sizeof(*st));
	st->st_dev = makedev(cdevsw_lookup_major(&rnd_cdevsw),
	    (ctx->rc_hard? RND_DEV_RANDOM : RND_DEV_URANDOM));
	/* XXX leave atimespec, mtimespec, ctimespec = 0? */

	st->st_uid = kauth_cred_geteuid(fp->f_cred);
	st->st_gid = kauth_cred_getegid(fp->f_cred);
	st->st_mode = S_IFCHR;
	return 0;
}

static int
rnd_close(struct file *fp)
{
	struct rnd_ctx *const ctx = fp->f_rndctx;

	if (ctx->rc_cprng != NULL)
		cprng_strong_destroy(ctx->rc_cprng);
	fp->f_rndctx = NULL;
	pool_cache_put(rnd_ctx_cache, ctx);

	return 0;
}

static int
rnd_kqfilter(struct file *fp, struct knote *kn)
{
	struct rnd_ctx *const ctx = fp->f_rndctx;

	return cprng_strong_kqfilter(rnd_ctx_cprng(ctx), kn);
}