/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Software based random number provider for the Kernel Cryptographic
* Framework (KCF). This provider periodically collects unpredictable input
* from external sources and processes it into a pool of entropy (randomness)
* in order to satisfy requests for random bits from kCF. It implements
* software-based mixing, extraction, and generation algorithms.
*
* A history note: The software-based algorithms in this file used to be
* part of the /dev/random driver.
*/
#include <sys/types.h>
#include <sys/errno.h>
#include <sys/debug.h>
#include <vm/seg_kmem.h>
#include <vm/hat.h>
#include <sys/systm.h>
#include <sys/memlist.h>
#include <sys/cmn_err.h>
#include <sys/ksynch.h>
#include <sys/random.h>
#include <sys/ddi.h>
#include <sys/mman.h>
#include <sys/sysmacros.h>
#include <sys/mem_config.h>
#include <sys/time.h>
#include <sys/crypto/spi.h>
#include <sys/sha1.h>
#include <sys/sunddi.h>
#include <sys/modctl.h>
#include <sys/hold_page.h>
#include <rng/fips_random.h>
#define RNDPOOLSIZE 1024 /* Pool size in bytes */
#define HASHBUFSIZE 64 /* Buffer size used for pool mixing */
#define MAXMEMBLOCKS 16384 /* Number of memory blocks to scan */
#define MEMBLOCKSIZE 4096 /* Size of memory block to read */
#define MINEXTRACTBITS 160 /* Min entropy level for extraction */
#define TIMEOUT_INTERVAL 5 /* Periodic mixing interval in secs */
/* Hash-algo generic definitions. For now, they are SHA1's. */
#define HASHSIZE 20
#define HASH_CTX SHA1_CTX
#define HashInit(ctx) SHA1Init((ctx))
#define HashUpdate(ctx, p, s) SHA1Update((ctx), (p), (s))
#define HashFinal(d, ctx) SHA1Final((d), (ctx))
/* Physical memory entropy source */
typedef struct physmem_entsrc_s {
uint8_t *parity; /* parity bit vector */
caddr_t pmbuf; /* buffer for memory block */
uint32_t nblocks; /* number of memory blocks */
int entperblock; /* entropy bits per block read */
hrtime_t last_diff; /* previous time to process a block */
hrtime_t last_delta; /* previous time delta */
hrtime_t last_delta2; /* previous 2nd order time delta */
} physmem_entsrc_t;
static uint32_t srndpool[RNDPOOLSIZE/4]; /* Pool of random bits */
static uint32_t buffer[RNDPOOLSIZE/4]; /* entropy mixed in later */
static int buffer_bytes; /* bytes written to buffer */
static uint32_t entropy_bits; /* pool's current amount of entropy */
static kmutex_t srndpool_lock; /* protects r/w accesses to the pool, */
/* and the global variables */
static kmutex_t buffer_lock; /* protects r/w accesses to buffer */
static kcondvar_t srndpool_read_cv; /* serializes poll/read syscalls */
static int pindex; /* Global index for adding/extracting */
/* from the pool */
static int bstart, bindex; /* Global vars for adding/extracting */
/* from the buffer */
static uint8_t leftover[HASHSIZE]; /* leftover output */
static uint32_t swrand_XKEY[6]; /* one extra word for getentropy */
static int leftover_bytes; /* leftover length */
static uint32_t previous_bytes[HASHSIZE/BYTES_IN_WORD]; /* prev random bytes */
static physmem_entsrc_t entsrc; /* Physical mem as an entropy source */
static timeout_id_t rnd_timeout_id;
static int snum_waiters;
static crypto_kcf_provider_handle_t swrand_prov_handle = NULL;
swrand_stats_t swrand_stats;
static int physmem_ent_init(physmem_entsrc_t *);
static void physmem_ent_fini(physmem_entsrc_t *);
static void physmem_ent_gen(physmem_entsrc_t *);
static int physmem_parity_update(uint8_t *, uint32_t, int);
static void physmem_count_blocks();
static void rnd_dr_callback_post_add(void *, pgcnt_t);
static int rnd_dr_callback_pre_del(void *, pgcnt_t);
static void rnd_dr_callback_post_del(void *, pgcnt_t, int);
static void rnd_handler(void *arg);
static void swrand_init();
static void swrand_schedule_timeout(void);
static int swrand_get_entropy(uint8_t *ptr, size_t len, boolean_t);
static void swrand_add_entropy(uint8_t *ptr, size_t len, uint16_t entropy_est);
static void swrand_add_entropy_later(uint8_t *ptr, size_t len);
/* Dynamic Reconfiguration related declarations */
kphysm_setup_vector_t rnd_dr_callback_vec = {
KPHYSM_SETUP_VECTOR_VERSION,
rnd_dr_callback_post_add,
rnd_dr_callback_pre_del,
rnd_dr_callback_post_del
};
extern struct mod_ops mod_cryptoops;
/*
* Module linkage information for the kernel.
*/
static struct modlcrypto modlcrypto = {
&mod_cryptoops,
"Kernel Random number Provider"
};
static struct modlinkage modlinkage = {
MODREV_1,
(void *)&modlcrypto,
NULL
};
/*
* CSPI information (entry points, provider info, etc.)
*/
static void swrand_provider_status(crypto_provider_handle_t, uint_t *);
static crypto_control_ops_t swrand_control_ops = {
swrand_provider_status
};
static int swrand_seed_random(crypto_provider_handle_t, crypto_session_id_t,
uchar_t *, size_t, uint_t, uint32_t, crypto_req_handle_t);
static int swrand_generate_random(crypto_provider_handle_t,
crypto_session_id_t, uchar_t *, size_t, crypto_req_handle_t);
static crypto_random_number_ops_t swrand_random_number_ops = {
swrand_seed_random,
swrand_generate_random
};
static crypto_ops_t swrand_crypto_ops = {
&swrand_control_ops,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
&swrand_random_number_ops,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
};
static crypto_provider_info_t swrand_prov_info = {
CRYPTO_SPI_VERSION_4,
"Kernel Random Number Provider",
CRYPTO_SW_PROVIDER,
{&modlinkage},
NULL,
&swrand_crypto_ops,
0,
NULL
};
int
_init(void)
{
int ret;
hrtime_t ts;
time_t now;
mutex_init(&srndpool_lock, NULL, MUTEX_DEFAULT, NULL);
mutex_init(&buffer_lock, NULL, MUTEX_DEFAULT, NULL);
cv_init(&srndpool_read_cv, NULL, CV_DEFAULT, NULL);
entropy_bits = 0;
pindex = 0;
bindex = 0;
bstart = 0;
snum_waiters = 0;
leftover_bytes = 0;
buffer_bytes = 0;
/*
* Initialize the pool using
* . 2 unpredictable times: high resolution time since the boot-time,
* and the current time-of-the day.
* . The initial physical memory state.
*/
ts = gethrtime();
swrand_add_entropy((uint8_t *)&ts, sizeof (ts), 0);
(void) drv_getparm(TIME, &now);
swrand_add_entropy((uint8_t *)&now, sizeof (now), 0);
ret = kphysm_setup_func_register(&rnd_dr_callback_vec, NULL);
ASSERT(ret == 0);
if (physmem_ent_init(&entsrc) != 0) {
ret = ENOMEM;
goto exit1;
}
if ((ret = mod_install(&modlinkage)) != 0)
goto exit2;
/* Schedule periodic mixing of the pool. */
mutex_enter(&srndpool_lock);
swrand_schedule_timeout();
mutex_exit(&srndpool_lock);
(void) swrand_get_entropy((uint8_t *)swrand_XKEY, HASHSIZE, B_TRUE);
bcopy(swrand_XKEY, previous_bytes, HASHSIZE);
/* Register with KCF. If the registration fails, return error. */
if (crypto_register_provider(&swrand_prov_info, &swrand_prov_handle)) {
(void) mod_remove(&modlinkage);
ret = EACCES;
goto exit2;
}
return (0);
exit2:
physmem_ent_fini(&entsrc);
exit1:
mutex_destroy(&srndpool_lock);
mutex_destroy(&buffer_lock);
cv_destroy(&srndpool_read_cv);
return (ret);
}
int
_info(struct modinfo *modinfop)
{
return (mod_info(&modlinkage, modinfop));
}
/*
* Control entry points.
*/
/* ARGSUSED */
static void
swrand_provider_status(crypto_provider_handle_t provider, uint_t *status)
{
*status = CRYPTO_PROVIDER_READY;
}
/*
* Random number entry points.
*/
/* ARGSUSED */
static int
swrand_seed_random(crypto_provider_handle_t provider, crypto_session_id_t sid,
uchar_t *buf, size_t len, uint_t entropy_est, uint32_t flags,
crypto_req_handle_t req)
{
/* The entropy estimate is always 0 in this path */
if (flags & CRYPTO_SEED_NOW)
swrand_add_entropy(buf, len, 0);
else
swrand_add_entropy_later(buf, len);
return (CRYPTO_SUCCESS);
}
/* ARGSUSED */
static int
swrand_generate_random(crypto_provider_handle_t provider,
crypto_session_id_t sid, uchar_t *buf, size_t len, crypto_req_handle_t req)
{
if (crypto_kmflag(req) == KM_NOSLEEP)
(void) swrand_get_entropy(buf, len, B_TRUE);
else
(void) swrand_get_entropy(buf, len, B_FALSE);
return (CRYPTO_SUCCESS);
}
/*
* Extraction of entropy from the pool.
*
* Returns "len" random bytes in *ptr.
* Try to gather some more entropy by calling physmem_ent_gen() when less than
* MINEXTRACTBITS are present in the pool.
* Will block if not enough entropy was available and the call is blocking.
*/
static int
swrand_get_entropy(uint8_t *ptr, size_t len, boolean_t nonblock)
{
int i, bytes;
HASH_CTX hashctx;
uint8_t digest[HASHSIZE], *pool;
uint32_t tempout[HASHSIZE/BYTES_IN_WORD];
int size;
mutex_enter(&srndpool_lock);
if (leftover_bytes > 0) {
bytes = min(len, leftover_bytes);
bcopy(leftover, ptr, bytes);
len -= bytes;
ptr += bytes;
leftover_bytes -= bytes;
if (leftover_bytes > 0)
ovbcopy(leftover+bytes, leftover, leftover_bytes);
}
while (len > 0) {
/* Check if there is enough entropy */
while (entropy_bits < MINEXTRACTBITS) {
physmem_ent_gen(&entsrc);
if (entropy_bits < MINEXTRACTBITS &&
nonblock == B_TRUE) {
mutex_exit(&srndpool_lock);
return (EAGAIN);
}
if (entropy_bits < MINEXTRACTBITS) {
ASSERT(nonblock == B_FALSE);
snum_waiters++;
if (cv_wait_sig(&srndpool_read_cv,
&srndpool_lock) == 0) {
snum_waiters--;
mutex_exit(&srndpool_lock);
return (EINTR);
}
snum_waiters--;
}
}
/* Figure out how many bytes to extract */
bytes = min(HASHSIZE, len);
bytes = min(bytes, CRYPTO_BITS2BYTES(entropy_bits));
entropy_bits -= CRYPTO_BYTES2BITS(bytes);
BUMP_SWRAND_STATS(ss_entOut, CRYPTO_BYTES2BITS(bytes));
swrand_stats.ss_entEst = entropy_bits;
/* Extract entropy by hashing pool content */
HashInit(&hashctx);
HashUpdate(&hashctx, (uint8_t *)srndpool, RNDPOOLSIZE);
HashFinal(digest, &hashctx);
/*
* Feed the digest back into the pool so next
* extraction produces different result
*/
pool = (uint8_t *)srndpool;
for (i = 0; i < HASHSIZE; i++) {
pool[pindex++] ^= digest[i];
/* pindex modulo RNDPOOLSIZE */
pindex &= (RNDPOOLSIZE - 1);
}
/* LINTED E_BAD_PTR_CAST_ALIGN */
fips_random_inner(swrand_XKEY, tempout, (uint32_t *)digest);
if (len >= HASHSIZE) {
size = HASHSIZE;
} else {
size = min(bytes, HASHSIZE);
}
/*
* FIPS 140-2: Continuous RNG test - each generation
* of an n-bit block shall be compared with the previously
* generated block. Test shall fail if any two compared
* n-bit blocks are equal.
*/
for (i = 0; i < HASHSIZE/BYTES_IN_WORD; i++) {
if (tempout[i] != previous_bytes[i])
break;
}
if (i == HASHSIZE/BYTES_IN_WORD) {
cmn_err(CE_WARN, "swrand: The value of 160-bit block "
"random bytes are same as the previous one.\n");
/* discard random bytes and return error */
return (EIO);
}
bcopy(tempout, previous_bytes, HASHSIZE);
bcopy(tempout, ptr, size);
if (len < HASHSIZE) {
leftover_bytes = HASHSIZE - bytes;
bcopy((uint8_t *)tempout + bytes, leftover,
leftover_bytes);
}
ptr += size;
len -= size;
BUMP_SWRAND_STATS(ss_bytesOut, size);
}
/* Zero out sensitive information */
bzero(digest, HASHSIZE);
bzero(tempout, HASHSIZE);
mutex_exit(&srndpool_lock);
return (0);
}
#define SWRAND_ADD_BYTES(ptr, len, i, pool) \
ASSERT((ptr) != NULL && (len) > 0); \
BUMP_SWRAND_STATS(ss_bytesIn, (len)); \
while ((len)--) { \
(pool)[(i)++] ^= *(ptr); \
(ptr)++; \
(i) &= (RNDPOOLSIZE - 1); \
}
/* Write some more user-provided entropy to the pool */
static void
swrand_add_bytes(uint8_t *ptr, size_t len)
{
uint8_t *pool = (uint8_t *)srndpool;
ASSERT(MUTEX_HELD(&srndpool_lock));
SWRAND_ADD_BYTES(ptr, len, pindex, pool);
}
/*
* Add bytes to buffer. Adding the buffer to the random pool
* is deferred until the random pool is mixed.
*/
static void
swrand_add_bytes_later(uint8_t *ptr, size_t len)
{
uint8_t *pool = (uint8_t *)buffer;
ASSERT(MUTEX_HELD(&buffer_lock));
SWRAND_ADD_BYTES(ptr, len, bindex, pool);
buffer_bytes += len;
}
#undef SWRAND_ADD_BYTES
/* Mix the pool */
static void
swrand_mix_pool(uint16_t entropy_est)
{
int i, j, k, start;
HASH_CTX hashctx;
uint8_t digest[HASHSIZE];
uint8_t *pool = (uint8_t *)srndpool;
uint8_t *bp = (uint8_t *)buffer;
ASSERT(MUTEX_HELD(&srndpool_lock));
/* add deferred bytes */
mutex_enter(&buffer_lock);
if (buffer_bytes > 0) {
if (buffer_bytes >= RNDPOOLSIZE) {
for (i = 0; i < RNDPOOLSIZE/4; i++) {
srndpool[i] ^= buffer[i];
buffer[i] = 0;
}
bstart = bindex = 0;
} else {
for (i = 0; i < buffer_bytes; i++) {
pool[pindex++] ^= bp[bstart];
bp[bstart++] = 0;
pindex &= (RNDPOOLSIZE - 1);
bstart &= (RNDPOOLSIZE - 1);
}
ASSERT(bstart == bindex);
}
buffer_bytes = 0;
}
mutex_exit(&buffer_lock);
start = 0;
for (i = 0; i < RNDPOOLSIZE/HASHSIZE + 1; i++) {
HashInit(&hashctx);
/* Hash a buffer centered on a block in the pool */
if (start + HASHBUFSIZE <= RNDPOOLSIZE)
HashUpdate(&hashctx, &pool[start], HASHBUFSIZE);
else {
HashUpdate(&hashctx, &pool[start],
RNDPOOLSIZE - start);
HashUpdate(&hashctx, pool,
HASHBUFSIZE - RNDPOOLSIZE + start);
}
HashFinal(digest, &hashctx);
/* XOR the hash result back into the block */
k = (start + HASHSIZE) & (RNDPOOLSIZE - 1);
for (j = 0; j < HASHSIZE; j++) {
pool[k++] ^= digest[j];
k &= (RNDPOOLSIZE - 1);
}
/* Slide the hash buffer and repeat with next block */
start = (start + HASHSIZE) & (RNDPOOLSIZE - 1);
}
entropy_bits += entropy_est;
if (entropy_bits > CRYPTO_BYTES2BITS(RNDPOOLSIZE))
entropy_bits = CRYPTO_BYTES2BITS(RNDPOOLSIZE);
swrand_stats.ss_entEst = entropy_bits;
BUMP_SWRAND_STATS(ss_entIn, entropy_est);
}
static void
swrand_add_entropy_later(uint8_t *ptr, size_t len)
{
mutex_enter(&buffer_lock);
swrand_add_bytes_later(ptr, len);
mutex_exit(&buffer_lock);
}
static void
swrand_add_entropy(uint8_t *ptr, size_t len, uint16_t entropy_est)
{
mutex_enter(&srndpool_lock);
swrand_add_bytes(ptr, len);
swrand_mix_pool(entropy_est);
mutex_exit(&srndpool_lock);
}
/*
* The physmem_* routines below generate entropy by reading blocks of
* physical memory. Entropy is gathered in a couple of ways:
*
* - By reading blocks of physical memory and detecting if changes
* occurred in the blocks read.
*
* - By measuring the time it takes to load and hash a block of memory
* and computing the differences in the measured time.
*
* The first method was used in the CryptoRand implementation. Physical
* memory is divided into blocks of fixed size. A block of memory is
* chosen from the possible blocks and hashed to produce a digest. This
* digest is then mixed into the pool. A single bit from the digest is
* used as a parity bit or "checksum" and compared against the previous
* "checksum" computed for the block. If the single-bit checksum has not
* changed, no entropy is credited to the pool. If there is a change,
* then the assumption is that at least one bit in the block has changed.
* The possible locations within the memory block of where the bit change
* occurred is used as a measure of entropy. For example, if a block
* size of 4096 bytes is used, about log_2(4096*8)=15 bits worth of
* entropy is available. Because the single-bit checksum will miss half
* of the changes, the amount of entropy credited to the pool is doubled
* when a change is detected. With a 4096 byte block size, a block
* change will add a total of 30 bits of entropy to the pool.
*
* The second method measures the amount of time it takes to read and
* hash a physical memory block (as described above). The time measured
* can vary depending on system load, scheduling and other factors.
* Differences between consecutive measurements are computed to come up
* with an entropy estimate. The first, second, and third order delta is
* calculated to determine the minimum delta value. The number of bits
* present in this minimum delta value is the entropy estimate. This
* entropy estimation technique using time deltas is similar to that used
* in /dev/random implementations from Linux/BSD.
*/
static int
physmem_ent_init(physmem_entsrc_t *entsrc)
{
uint8_t *ptr;
int i;
bzero(entsrc, sizeof (*entsrc));
/*
* The maximum entropy amount in bits per block of memory read is
* log_2(MEMBLOCKSIZE * 8);
*/
i = CRYPTO_BYTES2BITS(MEMBLOCKSIZE);
while (i >>= 1)
entsrc->entperblock++;
/* Initialize entsrc->nblocks */
physmem_count_blocks();
if (entsrc->nblocks == 0) {
cmn_err(CE_WARN, "no memory blocks to scan!");
return (-1);
}
/* Allocate space for the parity vector and memory page */
entsrc->parity = kmem_alloc(howmany(entsrc->nblocks, 8),
KM_SLEEP);
entsrc->pmbuf = vmem_alloc(heap_arena, PAGESIZE, VM_SLEEP);
/* Initialize parity vector with bits from the pool */
i = howmany(entsrc->nblocks, 8);
ptr = entsrc->parity;
while (i > 0) {
if (i > RNDPOOLSIZE) {
bcopy(srndpool, ptr, RNDPOOLSIZE);
mutex_enter(&srndpool_lock);
swrand_mix_pool(0);
mutex_exit(&srndpool_lock);
ptr += RNDPOOLSIZE;
i -= RNDPOOLSIZE;
} else {
bcopy(srndpool, ptr, i);
break;
}
}
/* Generate some entropy to further initialize the pool */
mutex_enter(&srndpool_lock);
physmem_ent_gen(entsrc);
entropy_bits = 0;
mutex_exit(&srndpool_lock);
return (0);
}
static void
physmem_ent_fini(physmem_entsrc_t *entsrc)
{
if (entsrc->pmbuf != NULL)
vmem_free(heap_arena, entsrc->pmbuf, PAGESIZE);
if (entsrc->parity != NULL)
kmem_free(entsrc->parity, howmany(entsrc->nblocks, 8));
bzero(entsrc, sizeof (*entsrc));
}
static void
physmem_ent_gen(physmem_entsrc_t *entsrc)
{
struct memlist *pmem;
offset_t offset, poffset;
pfn_t pfn;
int i, nbytes, len, ent = 0;
uint32_t block, oblock;
hrtime_t ts1, ts2, diff, delta, delta2, delta3;
uint8_t digest[HASHSIZE];
HASH_CTX ctx;
page_t *pp;
/*
* Use each 32-bit quantity in the pool to pick a memory
* block to read.
*/
for (i = 0; i < RNDPOOLSIZE/4; i++) {
/* If the pool is "full", stop after one block */
if (entropy_bits + ent >= CRYPTO_BYTES2BITS(RNDPOOLSIZE)) {
if (i > 0)
break;
}
/*
* This lock protects reading of phys_install.
* Any changes to this list, by DR, are done while
* holding this lock. So, holding this lock is sufficient
* to handle DR also.
*/
memlist_read_lock();
/* We're left with less than 4K of memory after DR */
ASSERT(entsrc->nblocks > 0);
/* Pick a memory block to read */
block = oblock = srndpool[i] % entsrc->nblocks;
for (pmem = phys_install; pmem != NULL; pmem = pmem->ml_next) {
if (block < pmem->ml_size / MEMBLOCKSIZE)
break;
block -= pmem->ml_size / MEMBLOCKSIZE;
}
ASSERT(pmem != NULL);
offset = pmem->ml_address + block * MEMBLOCKSIZE;
if (!address_in_memlist(phys_install, offset, MEMBLOCKSIZE)) {
memlist_read_unlock();
continue;
}
/*
* Do an initial check to see if the address is safe
*/
if (plat_hold_page(offset >> PAGESHIFT, PLAT_HOLD_NO_LOCK, NULL)
== PLAT_HOLD_FAIL) {
memlist_read_unlock();
continue;
}
/*
* Figure out which page to load to read the
* memory block. Load the page and compute the
* hash of the memory block.
*/
len = MEMBLOCKSIZE;
ts1 = gethrtime();
HashInit(&ctx);
while (len) {
pfn = offset >> PAGESHIFT;
poffset = offset & PAGEOFFSET;
nbytes = PAGESIZE - poffset < len ?
PAGESIZE - poffset : len;
/*
* Re-check the offset, and lock the frame. If the
* page was given away after the above check, we'll
* just bail out.
*/
if (plat_hold_page(pfn, PLAT_HOLD_LOCK, &pp) ==
PLAT_HOLD_FAIL)
break;
hat_devload(kas.a_hat, entsrc->pmbuf,
PAGESIZE, pfn, PROT_READ,
HAT_LOAD_NOCONSIST | HAT_LOAD_LOCK);
HashUpdate(&ctx, (uint8_t *)entsrc->pmbuf + poffset,
nbytes);
hat_unload(kas.a_hat, entsrc->pmbuf, PAGESIZE,
HAT_UNLOAD_UNLOCK);
plat_release_page(pp);
len -= nbytes;
offset += nbytes;
}
/* We got our pages. Let the DR roll */
memlist_read_unlock();
/* See if we had to bail out due to a page being given away */
if (len)
continue;
HashFinal(digest, &ctx);
ts2 = gethrtime();
/*
* Compute the time it took to load and hash the
* block and compare it against the previous
* measurement. The delta of the time values
* provides a small amount of entropy. The
* minimum of the first, second, and third order
* delta is used to estimate how much entropy
* is present.
*/
diff = ts2 - ts1;
delta = diff - entsrc->last_diff;
if (delta < 0)
delta = -delta;
delta2 = delta - entsrc->last_delta;
if (delta2 < 0)
delta2 = -delta2;
delta3 = delta2 - entsrc->last_delta2;
if (delta3 < 0)
delta3 = -delta3;
entsrc->last_diff = diff;
entsrc->last_delta = delta;
entsrc->last_delta2 = delta2;
if (delta > delta2)
delta = delta2;
if (delta > delta3)
delta = delta3;
delta2 = 0;
while (delta >>= 1)
delta2++;
ent += delta2;
/*
* If the memory block has changed, credit the pool with
* the entropy estimate. The entropy estimate is doubled
* because the single-bit checksum misses half the change
* on average.
*/
if (physmem_parity_update(entsrc->parity, oblock,
digest[0] & 1))
ent += 2 * entsrc->entperblock;
/* Add the entropy bytes to the pool */
swrand_add_bytes(digest, HASHSIZE);
swrand_add_bytes((uint8_t *)&ts1, sizeof (ts1));
swrand_add_bytes((uint8_t *)&ts2, sizeof (ts2));
}
swrand_mix_pool(ent);
}
static int
physmem_parity_update(uint8_t *parity_vec, uint32_t block, int parity)
{
/* Test and set the parity bit, return 1 if changed */
if (parity == ((parity_vec[block >> 3] >> (block & 7)) & 1))
return (0);
parity_vec[block >> 3] ^= 1 << (block & 7);
return (1);
}
/* Compute number of memory blocks available to scan */
static void
physmem_count_blocks()
{
struct memlist *pmem;
memlist_read_lock();
entsrc.nblocks = 0;
for (pmem = phys_install; pmem != NULL; pmem = pmem->ml_next) {
entsrc.nblocks += pmem->ml_size / MEMBLOCKSIZE;
if (entsrc.nblocks > MAXMEMBLOCKS) {
entsrc.nblocks = MAXMEMBLOCKS;
break;
}
}
memlist_read_unlock();
}
/*
* Dynamic Reconfiguration call-back functions
*/
/* ARGSUSED */
static void
rnd_dr_callback_post_add(void *arg, pgcnt_t delta)
{
/* More memory is available now, so update entsrc->nblocks. */
physmem_count_blocks();
}
/* Call-back routine invoked before the DR starts a memory removal. */
/* ARGSUSED */
static int
rnd_dr_callback_pre_del(void *arg, pgcnt_t delta)
{
return (0);
}
/* Call-back routine invoked after the DR starts a memory removal. */
/* ARGSUSED */
static void
rnd_dr_callback_post_del(void *arg, pgcnt_t delta, int cancelled)
{
/* Memory has shrunk, so update entsrc->nblocks. */
physmem_count_blocks();
}
/* Timeout handling to gather entropy from physmem events */
static void
swrand_schedule_timeout(void)
{
clock_t ut; /* time in microseconds */
ASSERT(MUTEX_HELD(&srndpool_lock));
/*
* The new timeout value is taken from the pool of random bits.
* We're merely reading the first 32 bits from the pool here, not
* consuming any entropy.
* This routine is usually called right after stirring the pool, so
* srndpool[0] will have a *fresh* random value each time.
* The timeout multiplier value is a random value between 0.7 sec and
* 1.748575 sec (0.7 sec + 0xFFFFF microseconds).
* The new timeout is TIMEOUT_INTERVAL times that multiplier.
*/
ut = 700000 + (clock_t)(srndpool[0] & 0xFFFFF);
rnd_timeout_id = timeout(rnd_handler, NULL,
TIMEOUT_INTERVAL * drv_usectohz(ut));
}
/*ARGSUSED*/
static void
rnd_handler(void *arg)
{
mutex_enter(&srndpool_lock);
physmem_ent_gen(&entsrc);
if (snum_waiters > 0)
cv_broadcast(&srndpool_read_cv);
swrand_schedule_timeout();
mutex_exit(&srndpool_lock);
}