/* | |

* Non-physical true random number generator based on timing jitter. | |

* | |

* Copyright Stephan Mueller <smueller@chronox.de>, 2014 - 2017 | |

* | |

* Design | |

* ====== | |

* | |

* See documentation in doc/ folder. | |

* | |

* Interface | |

* ========= | |

* | |

* See documentation in doc/ folder. | |

* | |

* License | |

* ======= | |

* | |

* Redistribution and use in source and binary forms, with or without | |

* modification, are permitted provided that the following conditions | |

* are met: | |

* 1. Redistributions of source code must retain the above copyright | |

* notice, and the entire permission notice in its entirety, | |

* including the disclaimer of warranties. | |

* 2. Redistributions in binary form must reproduce the above copyright | |

* notice, this list of conditions and the following disclaimer in the | |

* documentation and/or other materials provided with the distribution. | |

* 3. The name of the author may not be used to endorse or promote | |

* products derived from this software without specific prior | |

* written permission. | |

* | |

* ALTERNATIVELY, this product may be distributed under the terms of | |

* the GNU General Public License, in which case the provisions of the GPL2 are | |

* required INSTEAD OF the above restrictions. (This clause is | |

* necessary due to a potential bad interaction between the GPL and | |

* the restrictions contained in a BSD-style copyright.) | |

* | |

* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |

* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |

* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF | |

* WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE | |

* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |

* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | |

* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | |

* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |

* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |

* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE | |

* USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH | |

* DAMAGE. | |

* | |

* Modifications by the Fuchsia Authors, 2017 | |

* ======= | |

* | |

* - Add #include lines for stdlib.h, string.h, and internal.h. | |

* - Change #include line for Zircon file conventions. | |

* - Remove CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT flag. | |

* - Add jent_entropy_collector_init definition. | |

* - Remove '#pragma GCC optimize ("O0")' (not recognized by clang) | |

* - Replace 'min' parameter by 'lfsr_loops_override' and 'mem_loops_override' | |

* in jent_lfsr_var_stat, and moved comment for jent_lfsr_var_stat to | |

* jitterentropy.h. | |

* - Add jent_have_clock check to jent_entropy_init. | |

*/ | |

#undef _FORTIFY_SOURCE | |

#include <assert.h> | |

#include <lib/jitterentropy/jitterentropy.h> | |

#include "internal.h" | |

#include <stdlib.h> | |

#include <string.h> | |

/* only check optimization in a compilation for real work */ | |

#ifdef __OPTIMIZE__ | |

#error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy-base.c." | |

#endif | |

#define MAJVERSION 2 /* API / ABI incompatible changes, functional changes that | |

* require consumer to be updated (as long as this number | |

* is zero, the API is not considered stable and can | |

* change without a bump of the major version) */ | |

#define MINVERSION 1 /* API compatible, ABI may change, functional | |

* enhancements only, consumer can be left unchanged if | |

* enhancements are not considered */ | |

#define PATCHLEVEL 0 /* API / ABI compatible, no functional changes, no | |

* enhancements, bug fixes only */ | |

/** | |

* jent_version() - Return machine-usable version number of jent library | |

* | |

* The function returns a version number that is monotonic increasing | |

* for newer versions. The version numbers are multiples of 100. For example, | |

* version 1.2.3 is converted to 1020300 -- the last two digits are reserved | |

* for future use. | |

* | |

* The result of this function can be used in comparing the version number | |

* in a calling program if version-specific calls need to be make. | |

* | |

* Return: Version number of kcapi library | |

*/ | |

JENT_PRIVATE_STATIC | |

unsigned int jent_version(void) | |

{ | |

unsigned int version = 0; | |

version = MAJVERSION * 1000000; | |

version += MINVERSION * 10000; | |

version += PATCHLEVEL * 100; | |

return version; | |

} | |

/** | |

* Update of the loop count used for the next round of | |

* an entropy collection. | |

* | |

* Input: | |

* @ec entropy collector struct -- may be NULL | |

* @bits is the number of low bits of the timer to consider | |

* @min is the number of bits we shift the timer value to the right at | |

* the end to make sure we have a guaranteed minimum value | |

* | |

* @return Newly calculated loop counter | |

*/ | |

static uint64_t jent_loop_shuffle(struct rand_data *ec, | |

unsigned int bits, unsigned int min) | |

{ | |

uint64_t time = 0; | |

uint64_t shuffle = 0; | |

unsigned int i = 0; | |

unsigned int mask = (1<<bits) - 1; | |

jent_get_nstime(&time); | |

/* | |

* Mix the current state of the random number into the shuffle | |

* calculation to balance that shuffle a bit more. | |

*/ | |

if (ec) | |

time ^= ec->data; | |

/* | |

* We fold the time value as much as possible to ensure that as many | |

* bits of the time stamp are included as possible. | |

*/ | |

for (i = 0; (DATA_SIZE_BITS / bits) > i; i++) { | |

shuffle ^= time & mask; | |

time = time >> bits; | |

} | |

/* | |

* We add a lower boundary value to ensure we have a minimum | |

* RNG loop count. | |

*/ | |

return (shuffle + (1<<min)); | |

} | |

/*************************************************************************** | |

* Noise sources | |

***************************************************************************/ | |

/** | |

* CPU Jitter noise source -- this is the noise source based on the CPU | |

* execution time jitter | |

* | |

* This function injects the individual bits of the time value into the | |

* entropy pool using an LFSR. | |

* | |

* The code is deliberately inefficient with respect to the bit shifting | |

* and shall stay that way. This function is the root cause why the code | |

* shall be compiled without optimization. This function not only acts as | |

* folding operation, but this function's execution is used to measure | |

* the CPU execution time jitter. Any change to the loop in this function | |

* implies that careful retesting must be done. | |

* | |

* Input: | |

* @ec entropy collector struct -- may be NULL | |

* @time time stamp to be injected | |

* @loop_cnt if a value not equal to 0 is set, use the given value as number of | |

* loops to perform the folding | |

* | |

* Output: | |

* updated ec->data | |

* | |

* @return Number of loops the folding operation is performed | |

*/ | |

static uint64_t jent_lfsr_time(struct rand_data *ec, uint64_t time, | |

uint64_t loop_cnt) | |

{ | |

unsigned int i; | |

uint64_t j = 0; | |

uint64_t new = 0; | |

#define MAX_FOLD_LOOP_BIT 4 | |

#define MIN_FOLD_LOOP_BIT 0 | |

// loop_cnt is normally passed as 0, where a loop_cnt is decided by a function | |

// based on current time. This may trick the entropy estimate program to | |

// overestimate entropy. So it is not used in Fuchsia. Instead loop_cnt | |

// is set by caller. | |

uint64_t fold_loop_cnt = loop_cnt; | |

if (fold_loop_cnt == 0) { | |

fold_loop_cnt = jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT); | |

} | |

for (j = 0; j < fold_loop_cnt; j++) { | |

new = ec->data; | |

for (i = 1; (DATA_SIZE_BITS) >= i; i++) { | |

uint64_t tmp = time << (DATA_SIZE_BITS - i); | |

tmp = tmp >> (DATA_SIZE_BITS - 1); | |

/* | |

* Fibonacci LSFR with polynomial of | |

* x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is | |

* primitive according to | |

* http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf | |

* (the shift values are the polynomial values minus one | |

* due to counting bits from 0 to 63). As the current | |

* position is always the LSB, the polynomial only needs | |

* to shift data in from the left without wrap. | |

*/ | |

new ^= tmp; | |

new ^= ((new >> 63) & 1); | |

new ^= ((new >> 60) & 1); | |

new ^= ((new >> 55) & 1); | |

new ^= ((new >> 30) & 1); | |

new ^= ((new >> 27) & 1); | |

new ^= ((new >> 22) & 1); | |

new = rol64(new, 1); | |

} | |

} | |

ec->data = new; | |

return fold_loop_cnt; | |

} | |

/** | |

* Memory Access noise source -- this is a noise source based on variations in | |

* memory access times | |

* | |

* This function performs memory accesses which will add to the timing | |

* variations due to an unknown amount of CPU wait states that need to be | |

* added when accessing memory. The memory size should be larger than the L1 | |

* caches as outlined in the documentation and the associated testing. | |

* | |

* The L1 cache has a very high bandwidth, albeit its access rate is usually | |

* slower than accessing CPU registers. Therefore, L1 accesses only add minimal | |

* variations as the CPU has hardly to wait. Starting with L2, significant | |

* variations are added because L2 typically does not belong to the CPU any more | |

* and therefore a wider range of CPU wait states is necessary for accesses. | |

* L3 and real memory accesses have even a wider range of wait states. However, | |

* to reliably access either L3 or memory, the ec->mem memory must be quite | |

* large which is usually not desirable. | |

* | |

* Input: | |

* @ec Reference to the entropy collector with the memory access data -- if | |

* the reference to the memory block to be accessed is NULL, this noise | |

* source is disabled | |

* @loop_cnt if a value not equal to 0 is set, use the given value as number of | |

* loops to perform the folding | |

* | |

* @return Number of memory access operations | |

*/ | |

static unsigned int jent_memaccess(struct rand_data *ec, uint64_t loop_cnt) | |

{ | |

unsigned int wrap = 0; | |

uint64_t i = 0; | |

#define MAX_ACC_LOOP_BIT 7 | |

#define MIN_ACC_LOOP_BIT 0 | |

// loop_cnt is normally passed as 0, where a loop_cnt is decided by a function | |

// based on current time. This may trick the entropy estimate program to | |

// overestimate entropy. So it is not used in Fuchsia. Instead loop_cnt | |

// is set by caller. | |

uint64_t acc_loop_cnt = loop_cnt; | |

if (acc_loop_cnt == 0) { | |

acc_loop_cnt = jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT); | |

} | |

if (NULL == ec || NULL == ec->mem) | |

return 0; | |

wrap = ec->memblocksize * ec->memblocks; | |

for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) { | |

unsigned char *tmpval = ec->mem + ec->memlocation; | |

/* | |

* memory access: just add 1 to one byte, | |

* wrap at 255 -- memory access implies read | |

* from and write to memory location | |

*/ | |

*tmpval = (*tmpval + 1) & 0xff; | |

/* | |

* Addition of memblocksize - 1 to pointer | |

* with wrap around logic to ensure that every | |

* memory location is hit evenly | |

*/ | |

ec->memlocation = ec->memlocation + ec->memblocksize - 1; | |

ec->memlocation = ec->memlocation % wrap; | |

} | |

return i; | |

} | |

/*************************************************************************** | |

* Start of entropy processing logic | |

***************************************************************************/ | |

/** | |

* Stuck test by checking the: | |

* 1st derivation of the jitter measurement (time delta) | |

* 2nd derivation of the jitter measurement (delta of time deltas) | |

* 3rd derivation of the jitter measurement (delta of delta of time deltas) | |

* | |

* All values must always be non-zero. | |

* | |

* Input: | |

* @ec Reference to entropy collector | |

* @current_delta Jitter time delta | |

* | |

* @return | |

* 0 jitter measurement not stuck (good bit) | |

* 1 jitter measurement stuck (reject bit) | |

*/ | |

static int jent_stuck(struct rand_data *ec, uint64_t current_delta) | |

{ | |

int64_t delta2 = ec->last_delta - current_delta; | |

int64_t delta3 = delta2 - ec->last_delta2; | |

ec->last_delta = current_delta; | |

ec->last_delta2 = delta2; | |

if (!current_delta || !delta2 || !delta3) | |

return 1; | |

return 0; | |

} | |

/** | |

* This is the heart of the entropy generation: calculate time deltas and | |

* use the CPU jitter in the time deltas. The jitter is injected into the | |

* entropy pool. | |

* | |

* WARNING: ensure that ->prev_time is primed before using the output | |

* of this function! This can be done by calling this function | |

* and not using its result. | |

* | |

* Input: | |

* @entropy_collector Reference to entropy collector | |

* | |

* @return: result of stuck test | |

*/ | |

static int jent_measure_jitter(struct rand_data *ec) | |

{ | |

uint64_t time = 0; | |

uint64_t current_delta = 0; | |

int stuck; | |

/* Invoke one noise source before time measurement to add variations */ | |

jent_memaccess(ec, 0); | |

/* | |

* Get time stamp and calculate time delta to previous | |

* invocation to measure the timing variations | |

*/ | |

jent_get_nstime(&time); | |

current_delta = time - ec->prev_time; | |

ec->prev_time = time; | |

/* Now call the next noise sources which also injects the data */ | |

jent_lfsr_time(ec, current_delta, 0); | |

/* Check whether we have a stuck measurement. */ | |

stuck = jent_stuck(ec, current_delta); | |

/* | |

* Rotate the data buffer by a prime number (any odd number would | |

* do) to ensure that every bit position of the input time stamp | |

* has an even chance of being merged with a bit position in the | |

* entropy pool. We do not use one here as the adjacent bits in | |

* successive time deltas may have some form of dependency. The | |

* chosen value of 7 implies that the low 7 bits of the next | |

* time delta value is concatenated with the current time delta. | |

*/ | |

if (!stuck) | |

ec->data = rol64(ec->data, 7); | |

return stuck; | |

} | |

/** | |

* Shuffle the pool a bit by mixing some value with a bijective function (XOR) | |

* into the pool. | |

* | |

* The function generates a mixer value that depends on the bits set and the | |

* location of the set bits in the random number generated by the entropy | |

* source. Therefore, based on the generated random number, this mixer value | |

* can have 2**64 different values. That mixer value is initialized with the | |

* first two SHA-1 constants. After obtaining the mixer value, it is XORed into | |

* the random number. | |

* | |

* The mixer value is not assumed to contain any entropy. But due to the XOR | |

* operation, it can also not destroy any entropy present in the entropy pool. | |

* | |

* Input: | |

* @entropy_collector Reference to entropy collector | |

*/ | |

static void jent_stir_pool(struct rand_data *entropy_collector) | |

{ | |

/* | |

* to shut up GCC on 32 bit, we have to initialize the 64 variable | |

* with two 32 bit variables | |

*/ | |

union c { | |

uint64_t uint64; | |

uint32_t uint32[2]; | |

}; | |

/* | |

* This constant is derived from the first two 32 bit initialization | |

* vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1 | |

*/ | |

union c constant; | |

/* | |

* The start value of the mixer variable is derived from the third | |

* and fourth 32 bit initialization vector of SHA-1 as defined in | |

* FIPS 180-4 section 5.3.1 | |

*/ | |

union c mixer; | |

unsigned int i = 0; | |

/* Ensure that the function implements a constant time operation. */ | |

union c throw_away; | |

/* | |

* Store the SHA-1 constants in reverse order to make up the 64 bit | |

* value -- this applies to a little endian system, on a big endian | |

* system, it reverses as expected. But this really does not matter | |

* as we do not rely on the specific numbers. We just pick the SHA-1 | |

* constants as they have a good mix of bit set and unset. | |

*/ | |

constant.uint32[1] = 0x67452301; | |

constant.uint32[0] = 0xefcdab89; | |

mixer.uint32[1] = 0x98badcfe; | |

mixer.uint32[0] = 0x10325476; | |

for (i = 0; i < DATA_SIZE_BITS; i++) { | |

/* | |

* get the i-th bit of the input random number and only XOR | |

* the constant into the mixer value when that bit is set | |

*/ | |

if ((entropy_collector->data >> i) & 1) | |

mixer.uint64 ^= constant.uint64; | |

else | |

throw_away.uint64 ^= constant.uint64; | |

mixer.uint64 = rol64(mixer.uint64, 1); | |

} | |

entropy_collector->data ^= mixer.uint64; | |

} | |

/** | |

* Generator of one 64 bit random number | |

* Function fills rand_data->data | |

* | |

* Input: | |

* @ec Reference to entropy collector | |

*/ | |

static void jent_gen_entropy(struct rand_data *ec) | |

{ | |

unsigned int k = 0; | |

/* priming of the ->prev_time value */ | |

jent_measure_jitter(ec); | |

while (1) { | |

/* If a stuck measurement is received, repeat measurement */ | |

if (jent_measure_jitter(ec)) | |

continue; | |

/* | |

* We multiply the loop value with ->osr to obtain the | |

* oversampling rate requested by the caller | |

*/ | |

if (++k >= (DATA_SIZE_BITS * ec->osr)) | |

break; | |

} | |

if (ec->stir) | |

jent_stir_pool(ec); | |

} | |

/** | |

* The continuous test required by FIPS 140-2 -- the function automatically | |

* primes the test if needed. | |

* | |

* Return: | |

* 0 if FIPS test passed | |

* < 0 if FIPS test failed | |

*/ | |

static int jent_fips_test(struct rand_data *ec) | |

{ | |

if (ec->fips_enabled == -1) | |

return 0; | |

if (ec->fips_enabled == 0) { | |

if (!jent_fips_enabled()) { | |

ec->fips_enabled = -1; | |

return 0; | |

} else | |

ec->fips_enabled = 1; | |

} | |

/* prime the FIPS test */ | |

if (!ec->old_data) { | |

ec->old_data = ec->data; | |

jent_gen_entropy(ec); | |

} | |

if (ec->data == ec->old_data) | |

return -1; | |

ec->old_data = ec->data; | |

return 0; | |

} | |

/** | |

* Entry function: Obtain entropy for the caller. | |

* | |

* This function invokes the entropy gathering logic as often to generate | |

* as many bytes as requested by the caller. The entropy gathering logic | |

* creates 64 bit per invocation. | |

* | |

* This function truncates the last 64 bit entropy value output to the exact | |

* size specified by the caller. | |

* | |

* Input: | |

* @ec Reference to entropy collector | |

* @data pointer to buffer for storing random data -- buffer must already | |

* exist | |

* @len size of the buffer, specifying also the requested number of random | |

* in bytes | |

* | |

* @return number of bytes returned when request is fulfilled or an error | |

* | |

* The following error codes can occur: | |

* -1 entropy_collector is NULL | |

* -2 FIPS test failed | |

*/ | |

JENT_PRIVATE_STATIC | |

ssize_t jent_read_entropy(struct rand_data *ec, char *data, size_t len) | |

{ | |

char *p = data; | |

size_t orig_len = len; | |

if (NULL == ec) | |

return -1; | |

while (0 < len) { | |

size_t tocopy; | |

jent_gen_entropy(ec); | |

if (jent_fips_test(ec)) | |

return -2; | |

if ((DATA_SIZE_BITS / 8) < len) | |

tocopy = (DATA_SIZE_BITS / 8); | |

else | |

tocopy = len; | |

memcpy(p, &ec->data, tocopy); | |

len -= tocopy; | |

p += tocopy; | |

} | |

/* | |

* To be on the safe side, we generate one more round of entropy | |

* which we do not give out to the caller. That round shall ensure | |

* that in case the calling application crashes, memory dumps, pages | |

* out, or due to the CPU Jitter RNG lingering in memory for long | |

* time without being moved and an attacker cracks the application, | |

* all he reads in the entropy pool is a value that is NEVER EVER | |

* being used for anything. Thus, he does NOT see the previous value | |

* that was returned to the caller for cryptographic purposes. | |

*/ | |

/* | |

* If we use secured memory, do not use that precaution as the secure | |

* memory protects the entropy pool. Moreover, note that using this | |

* call reduces the speed of the RNG by up to half | |

*/ | |

#ifndef CONFIG_CRYPTO_CPU_JITTERENTROPY_SECURE_MEMORY | |

jent_gen_entropy(ec); | |

#endif | |

return orig_len; | |

} | |

/*************************************************************************** | |

* Initialization logic | |

***************************************************************************/ | |

JENT_PRIVATE_STATIC | |

struct rand_data *jent_entropy_collector_alloc(unsigned int osr, | |

unsigned int flags) | |

{ | |

struct rand_data *entropy_collector; | |

entropy_collector = jent_zalloc(sizeof(struct rand_data)); | |

if (NULL == entropy_collector) | |

return NULL; | |

if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) { | |

/* Allocate memory for adding variations based on memory | |

* access | |

*/ | |

entropy_collector->mem = | |

(unsigned char *)jent_zalloc(JENT_MEMORY_SIZE); | |

if (NULL == entropy_collector->mem) { | |

jent_zfree(entropy_collector, sizeof(struct rand_data)); | |

return NULL; | |

} | |

entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE; | |

entropy_collector->memblocks = JENT_MEMORY_BLOCKS; | |

entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; | |

} | |

/* verify and set the oversampling rate */ | |

if (0 == osr) | |

osr = 1; /* minimum sampling rate is 1 */ | |

entropy_collector->osr = osr; | |

entropy_collector->stir = 1; | |

if (flags & JENT_DISABLE_STIR) | |

entropy_collector->stir = 0; | |

if (flags & JENT_DISABLE_UNBIAS) | |

entropy_collector->disable_unbias = 1; | |

/* fill the data pad with non-zero values */ | |

jent_gen_entropy(entropy_collector); | |

return entropy_collector; | |

} | |

JENT_PRIVATE_STATIC | |

void jent_entropy_collector_free(struct rand_data *entropy_collector) | |

{ | |

if (NULL != entropy_collector) { | |

if (NULL != entropy_collector->mem) { | |

jent_zfree(entropy_collector->mem, JENT_MEMORY_SIZE); | |

entropy_collector->mem = NULL; | |

} | |

jent_zfree(entropy_collector, sizeof(struct rand_data)); | |

} | |

} | |

JENT_PRIVATE_STATIC | |

int jent_entropy_init(void) | |

{ | |

int i; | |

uint64_t delta_sum = 0; | |

uint64_t old_delta = 0; | |

int time_backwards = 0; | |

int count_mod = 0; | |

int count_stuck = 0; | |

struct rand_data ec; | |

if (!jent_have_clock()) { | |

return ENOTIME; | |

} | |

/* We could perform statistical tests here, but the problem is | |

* that we only have a few loop counts to do testing. These | |

* loop counts may show some slight skew and we produce | |

* false positives. | |

* | |

* Moreover, only old systems show potentially problematic | |

* jitter entropy that could potentially be caught here. But | |

* the RNG is intended for hardware that is available or widely | |

* used, but not old systems that are long out of favor. Thus, | |

* no statistical tests. | |

*/ | |

/* | |

* We could add a check for system capabilities such as clock_getres or | |

* check for CONFIG_X86_TSC, but it does not make much sense as the | |

* following sanity checks verify that we have a high-resolution | |

* timer. | |

*/ | |

/* | |

* TESTLOOPCOUNT needs some loops to identify edge systems. 100 is | |

* definitely too little. | |

*/ | |

#define TESTLOOPCOUNT 300 | |

#define CLEARCACHE 100 | |

for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) { | |

uint64_t time = 0; | |

uint64_t time2 = 0; | |

uint64_t delta = 0; | |

unsigned int lowdelta = 0; | |

int stuck; | |

/* Invoke core entropy collection logic */ | |

jent_get_nstime(&time); | |

ec.prev_time = time; | |

jent_lfsr_time(&ec, time, 0); | |

jent_get_nstime(&time2); | |

/* test whether timer works */ | |

if (!time || !time2) | |

return ENOTIME; | |

delta = time2 - time; | |

/* | |

* test whether timer is fine grained enough to provide | |

* delta even when called shortly after each other -- this | |

* implies that we also have a high resolution timer | |

*/ | |

if (!delta) | |

return ECOARSETIME; | |

stuck = jent_stuck(&ec, delta); | |

/* | |

* up to here we did not modify any variable that will be | |

* evaluated later, but we already performed some work. Thus we | |

* already have had an impact on the caches, branch prediction, | |

* etc. with the goal to clear it to get the worst case | |

* measurements. | |

*/ | |

if (CLEARCACHE > i) | |

continue; | |

if (stuck) | |

count_stuck++; | |

/* test whether we have an increasing timer */ | |

if (!(time2 > time)) | |

time_backwards++; | |

/* use 32 bit value to ensure compilation on 32 bit arches */ | |

lowdelta = time2 - time; | |

if (!(lowdelta % 100)) | |

count_mod++; | |

/* | |

* ensure that we have a varying delta timer which is necessary | |

* for the calculation of entropy -- perform this check | |

* only after the first loop is executed as we need to prime | |

* the old_data value | |

*/ | |

if (delta > old_delta) | |

delta_sum += (delta - old_delta); | |

else | |

delta_sum += (old_delta - delta); | |

old_delta = delta; | |

} | |

/* | |

* we allow up to three times the time running backwards. | |

* CLOCK_REALTIME is affected by adjtime and NTP operations. Thus, | |

* if such an operation just happens to interfere with our test, it | |

* should not fail. The value of 3 should cover the NTP case being | |

* performed during our test run. | |

*/ | |

if (3 < time_backwards) | |

return ENOMONOTONIC; | |

/* | |

* Variations of deltas of time must on average be larger | |

* than 1 to ensure the entropy estimation | |

* implied with 1 is preserved | |

*/ | |

if ((delta_sum) <= 1) | |

return EMINVARVAR; | |

/* | |

* Ensure that we have variations in the time stamp below 10 for at least | |

* 10% of all checks -- on some platforms, the counter increments in | |

* multiples of 100, but not always | |

*/ | |

if ((TESTLOOPCOUNT/10 * 9) < count_mod) | |

return ECOARSETIME; | |

/* | |

* If we have more than 90% stuck results, then this Jitter RNG is | |

* likely to not work well. | |

*/ | |

if (JENT_STUCK_INIT_THRES(TESTLOOPCOUNT) < count_stuck) | |

return ESTUCK; | |

return 0; | |

} | |

/*************************************************************************** | |

* Statistical test logic not compiled for regular operation | |

***************************************************************************/ | |

JENT_PRIVATE_STATIC | |

uint64_t jent_lfsr_var_stat(struct rand_data *ec, | |

unsigned int lfsr_loops_override, | |

unsigned int mem_loops_override) | |

{ | |

uint64_t time = 0; | |

uint64_t time2 = 0; | |

jent_get_nstime(&time); | |

jent_memaccess(ec, mem_loops_override); | |

jent_lfsr_time(ec, time, lfsr_loops_override); | |

jent_get_nstime(&time2); | |

return ((time2 - time)); | |

} | |

/*************************************************************************** | |

* Zircon interface | |

***************************************************************************/ | |

void jent_entropy_collector_init( | |

struct rand_data* ec, uint8_t* mem, size_t mem_size, | |

unsigned int mem_block_size, unsigned int mem_block_count, | |

unsigned int mem_loops, bool stir) { | |

DEBUG_ASSERT(((size_t)mem_block_size) * mem_block_count <= mem_size); | |

memset(ec, 0, sizeof(*ec)); | |

/* Oversample rate. The jitterentropy man page (not included with Zircon) | |

* suggests a value of 1. Higher values cause jitterentropy to discount its | |

* entropy estimates by a factor of osr, so that more random bytes are | |

* collected than would be with osr == 1. */ | |

ec->osr = 1; | |

/* For now, we don't enable the FIPS 140-2 test mode built into | |

* jitterentropy. Zircon should handle entropy source health tests itself, | |

* to ensure uniform testing of all entropy sources. */ | |

ec->fips_enabled = 0; | |

ec->stir = stir; | |

/* von Neumann unbiasing is never performed, and the disable_unbias flag is | |

* never even checked. To avoid confusion, always set the flag to true. */ | |

ec->disable_unbias = true; | |

ec->mem = mem; | |

ec->memlocation = 0; | |

ec->memblocks = mem_block_count; | |

ec->memblocksize = mem_block_size; | |

ec->memaccessloops = mem_loops; | |

} |