fec509a05ddbf645268fe2e537314def7d1b67c8gm/*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * CDDL HEADER START
fec509a05ddbf645268fe2e537314def7d1b67c8gm *
fec509a05ddbf645268fe2e537314def7d1b67c8gm * The contents of this file are subject to the terms of the
fec509a05ddbf645268fe2e537314def7d1b67c8gm * Common Development and Distribution License (the "License").
fec509a05ddbf645268fe2e537314def7d1b67c8gm * You may not use this file except in compliance with the License.
fec509a05ddbf645268fe2e537314def7d1b67c8gm *
fec509a05ddbf645268fe2e537314def7d1b67c8gm * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
fec509a05ddbf645268fe2e537314def7d1b67c8gm * or http://www.opensolaris.org/os/licensing.
fec509a05ddbf645268fe2e537314def7d1b67c8gm * See the License for the specific language governing permissions
fec509a05ddbf645268fe2e537314def7d1b67c8gm * and limitations under the License.
fec509a05ddbf645268fe2e537314def7d1b67c8gm *
fec509a05ddbf645268fe2e537314def7d1b67c8gm * When distributing Covered Code, include this CDDL HEADER in each
fec509a05ddbf645268fe2e537314def7d1b67c8gm * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
fec509a05ddbf645268fe2e537314def7d1b67c8gm * If applicable, add the following below this CDDL HEADER, with the
fec509a05ddbf645268fe2e537314def7d1b67c8gm * fields enclosed by brackets "[]" replaced with your own identifying
fec509a05ddbf645268fe2e537314def7d1b67c8gm * information: Portions Copyright [yyyy] [name of copyright owner]
fec509a05ddbf645268fe2e537314def7d1b67c8gm *
fec509a05ddbf645268fe2e537314def7d1b67c8gm * CDDL HEADER END
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm/*
32e0ab73531b6e6e8957e9ecdbbd42603865f2d0Misaki Miyashita * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/types.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/sysmacros.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/modctl.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/conf.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/devops.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/cmn_err.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/kmem.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/stat.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/open.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/file.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/cpuvar.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/disp.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/hsvc.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/machsystm.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/ksynch.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/hypervisor_api.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/n2rng.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/sha1.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/ddi.h> /* near end to get min and max macros right */
fec509a05ddbf645268fe2e537314def7d1b67c8gm#include <sys/sunddi.h>
fe54a78e1aacf39261ad56e9903bce02e3fb6d21Hai-May Chao#include <rng/fips_random.h>
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm/* n must be a power of 2 */
fec509a05ddbf645268fe2e537314def7d1b67c8gm#define ROUNDUP(k, n) (((k) + (n) - 1) & ~((n) - 1))
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm/*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * Policy. ENTROPY_STARVATION is the maximum number of calls each
fec509a05ddbf645268fe2e537314def7d1b67c8gm * FIPS instance will accept without successfully getting more
fec509a05ddbf645268fe2e537314def7d1b67c8gm * entropy. It needs to be large enough to allow RNG operations to
fec509a05ddbf645268fe2e537314def7d1b67c8gm * not stall because of health checks, etc. But we don't want it too
fec509a05ddbf645268fe2e537314def7d1b67c8gm * large. FIPS 186-2 change 1 (5 October 2001) states that no more
fec509a05ddbf645268fe2e537314def7d1b67c8gm * that 2,000,000 DSA signatures (done using this algorithm) should be
fec509a05ddbf645268fe2e537314def7d1b67c8gm * done without reseeding. We make sure we add 64 bits of entropy at
fec509a05ddbf645268fe2e537314def7d1b67c8gm * most every 10000 operations, hence we will have stirred in 160 bits
fec509a05ddbf645268fe2e537314def7d1b67c8gm * of entropy at most once every 30000 operations. Normally, we stir
fec509a05ddbf645268fe2e537314def7d1b67c8gm * in 64 bits of entropy for every number generated.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm#define ENTROPY_STARVATION 10000ULL
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gmint
fec509a05ddbf645268fe2e537314def7d1b67c8gmfips_random(n2rng_t *n2rng, uint8_t *out, size_t nbytes)
fec509a05ddbf645268fe2e537314def7d1b67c8gm{
fec509a05ddbf645268fe2e537314def7d1b67c8gm int i;
fec509a05ddbf645268fe2e537314def7d1b67c8gm fipsrandomstruct_t *frsp;
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke int rv;
fec509a05ddbf645268fe2e537314def7d1b67c8gm union {
fec509a05ddbf645268fe2e537314def7d1b67c8gm uint32_t as32[SHA1WORDS];
fec509a05ddbf645268fe2e537314def7d1b67c8gm uint64_t as64[ROUNDUP(SHA1WORDS, 2) >> 1];
fec509a05ddbf645268fe2e537314def7d1b67c8gm } entropy = {0};
fec509a05ddbf645268fe2e537314def7d1b67c8gm uint32_t tempout[SHA1WORDS];
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm for (i = 0; i < nbytes; i += SHA1BYTES) {
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke frsp = &n2rng->n_frs.fipsarray[
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke atomic_inc_32_nv(&n2rng->n_frs.fips_round_robin_j) %
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke N2RNG_FIPS_INSTANCES];
fec509a05ddbf645268fe2e537314def7d1b67c8gm /*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * Since in the new scheme of things, the RNG latency
fec509a05ddbf645268fe2e537314def7d1b67c8gm * will be high on reads after the first, we get just
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke * one word of entropy per call.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke if ((rv = n2rng_getentropy(n2rng, (void *)&entropy.as64[1],
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke sizeof (uint64_t))) != 0) {
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke /*
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke * If all rngs have failed, dispatch task to unregister
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke * from kcf and put the driver in an error state. If
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke * recoverable errors persist, a configuration retry
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke * will be initiated.
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke */
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke if (rv == EPERM) {
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke n2rng_failure(n2rng);
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke return (EIO);
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke }
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke /* Failure with possible recovery */
fec509a05ddbf645268fe2e537314def7d1b67c8gm entropy.as64[1] = 0;
fec509a05ddbf645268fe2e537314def7d1b67c8gm }
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm /*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * The idea here is that a Niagara2 chip is highly
fec509a05ddbf645268fe2e537314def7d1b67c8gm * parallel, with many strands. If we have just one
fec509a05ddbf645268fe2e537314def7d1b67c8gm * instance of the FIPS data, then only one FIPS
fec509a05ddbf645268fe2e537314def7d1b67c8gm * computation can happen at a time, serializeing all
fec509a05ddbf645268fe2e537314def7d1b67c8gm * the RNG stuff. So we make N2RNG_FIPS_INSTANCES,
fec509a05ddbf645268fe2e537314def7d1b67c8gm * and use them round-robin, with the counter being
fec509a05ddbf645268fe2e537314def7d1b67c8gm * n2rng->n_frs.fips_round_robin_j. We increment the
fec509a05ddbf645268fe2e537314def7d1b67c8gm * counter with an atomic op, avoiding having to have
fec509a05ddbf645268fe2e537314def7d1b67c8gm * a global muxtex. The atomic ops are also
fec509a05ddbf645268fe2e537314def7d1b67c8gm * significantly faster than mutexes. The mutex is
fec509a05ddbf645268fe2e537314def7d1b67c8gm * put inside the loop, otherwise one thread reading
fec509a05ddbf645268fe2e537314def7d1b67c8gm * many blocks could stall all other strands.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm frsp = &n2rng->n_frs.fipsarray[
fec509a05ddbf645268fe2e537314def7d1b67c8gm atomic_inc_32_nv(&n2rng->n_frs.fips_round_robin_j) %
fec509a05ddbf645268fe2e537314def7d1b67c8gm N2RNG_FIPS_INSTANCES];
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm mutex_enter(&frsp->mtx);
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm if (entropy.as64[1] == 0) {
fec509a05ddbf645268fe2e537314def7d1b67c8gm /*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * If we did not get any entropy, entropyword
fec509a05ddbf645268fe2e537314def7d1b67c8gm * is zero. We get a false positive with
fec509a05ddbf645268fe2e537314def7d1b67c8gm * probablitity 2^-64. It's not worth a few
fec509a05ddbf645268fe2e537314def7d1b67c8gm * extra stores and tests eliminate the false
fec509a05ddbf645268fe2e537314def7d1b67c8gm * positive.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm if (++frsp->entropyhunger > ENTROPY_STARVATION) {
fec509a05ddbf645268fe2e537314def7d1b67c8gm mutex_exit(&frsp->mtx);
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke n2rng_unconfigured(n2rng);
fec509a05ddbf645268fe2e537314def7d1b67c8gm return (EIO);
fec509a05ddbf645268fe2e537314def7d1b67c8gm }
fec509a05ddbf645268fe2e537314def7d1b67c8gm } else {
fec509a05ddbf645268fe2e537314def7d1b67c8gm frsp->entropyhunger = 0;
fec509a05ddbf645268fe2e537314def7d1b67c8gm }
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm /* nbytes - i is bytes to go */
fe54a78e1aacf39261ad56e9903bce02e3fb6d21Hai-May Chao fips_random_inner(frsp->XKEY, tempout, entropy.as32);
32e0ab73531b6e6e8957e9ecdbbd42603865f2d0Misaki Miyashita
32e0ab73531b6e6e8957e9ecdbbd42603865f2d0Misaki Miyashita bcopy(tempout, &out[i], min(nbytes - i, SHA1BYTES));
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm mutex_exit(&frsp->mtx);
fec509a05ddbf645268fe2e537314def7d1b67c8gm }
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm /* Zeroize sensitive information */
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm entropy.as64[1] = 0;
fec509a05ddbf645268fe2e537314def7d1b67c8gm bzero(tempout, SHA1BYTES);
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm return (0);
fec509a05ddbf645268fe2e537314def7d1b67c8gm}
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm/*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * Initializes one FIPS RNG instance. Must be called once for each
fec509a05ddbf645268fe2e537314def7d1b67c8gm * instance.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gmint
fec509a05ddbf645268fe2e537314def7d1b67c8gmn2rng_fips_random_init(n2rng_t *n2rng, fipsrandomstruct_t *frsp)
fec509a05ddbf645268fe2e537314def7d1b67c8gm{
fec509a05ddbf645268fe2e537314def7d1b67c8gm /*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * All FIPS-approved algorithms will operate as cryptograpic
fec509a05ddbf645268fe2e537314def7d1b67c8gm * quality PRNGs even if there is no entropy source. (In
fec509a05ddbf645268fe2e537314def7d1b67c8gm * fact, this the only one that accepts entropy on the fly.)
fec509a05ddbf645268fe2e537314def7d1b67c8gm * One motivation for this is that they system keeps on
fec509a05ddbf645268fe2e537314def7d1b67c8gm * delivering cryptographic quality random numbers, even if
fec509a05ddbf645268fe2e537314def7d1b67c8gm * the entropy source fails.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm int rv;
32e0ab73531b6e6e8957e9ecdbbd42603865f2d0Misaki Miyashita static uint32_t FIPS_RNG_NO_USER_INPUT[] = {0, 0, 0, 0, 0};
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gm rv = n2rng_getentropy(n2rng, (void *)frsp->XKEY, ROUNDUP(SHA1BYTES, 8));
fec509a05ddbf645268fe2e537314def7d1b67c8gm if (rv) {
fec509a05ddbf645268fe2e537314def7d1b67c8gm return (rv);
fec509a05ddbf645268fe2e537314def7d1b67c8gm }
741c280d5486676df48cd5d5e8ed8d92eac714a8twelke frsp->entropyhunger = 0;
fec509a05ddbf645268fe2e537314def7d1b67c8gm mutex_init(&frsp->mtx, NULL, MUTEX_DRIVER, NULL);
fec509a05ddbf645268fe2e537314def7d1b67c8gm
32e0ab73531b6e6e8957e9ecdbbd42603865f2d0Misaki Miyashita /* compute the first (compare only) random value */
32e0ab73531b6e6e8957e9ecdbbd42603865f2d0Misaki Miyashita fips_random_inner(frsp->XKEY, frsp->x_jminus1, FIPS_RNG_NO_USER_INPUT);
32e0ab73531b6e6e8957e9ecdbbd42603865f2d0Misaki Miyashita
fec509a05ddbf645268fe2e537314def7d1b67c8gm return (0);
fec509a05ddbf645268fe2e537314def7d1b67c8gm}
fec509a05ddbf645268fe2e537314def7d1b67c8gm
fec509a05ddbf645268fe2e537314def7d1b67c8gmvoid
fec509a05ddbf645268fe2e537314def7d1b67c8gmn2rng_fips_random_fini(fipsrandomstruct_t *frsp)
fec509a05ddbf645268fe2e537314def7d1b67c8gm{
fec509a05ddbf645268fe2e537314def7d1b67c8gm mutex_destroy(&frsp->mtx);
fec509a05ddbf645268fe2e537314def7d1b67c8gm /*
fec509a05ddbf645268fe2e537314def7d1b67c8gm * Zeroise fips data. Not really necessary, since the
fec509a05ddbf645268fe2e537314def7d1b67c8gm * algorithm has backtracking resistance, but do it anyway.
fec509a05ddbf645268fe2e537314def7d1b67c8gm */
fec509a05ddbf645268fe2e537314def7d1b67c8gm bzero(frsp, sizeof (fipsrandomstruct_t));
fec509a05ddbf645268fe2e537314def7d1b67c8gm}