2  * Non-physical true random number generator based on timing jitter --
21  * 2. Redistributions in binary form must reproduce the above copyright
32  * the restrictions contained in a BSD-style copyright.)
54 … be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitt…
76 	unsigned int stir:1;		/* Post-processing stirring */
77 	unsigned int disable_unbias:1;	/* Deactivate Von-Neuman unbias */
93 #define JENT_DISABLE_UNBIAS (1<<1) /* Disable the Von-Neuman Unbiaser */
94 #define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more
98 /* -- error codes for init function -- */
100 #define JENT_ECOARSETIME	2 /* Timer too coarse for RNG */
104 				   * variations (2nd derivation of time is
126  * @ec entropy collector struct -- may be NULL
139 	unsigned int mask = (1<<bits) - 1;  in jent_loop_shuffle()
147 		time ^= ec->data;  in jent_loop_shuffle()
169  * CPU Jitter noise source -- this is the noise source based on the CPU
176  * 1st loop, 2nd shift generates 0x000d
177  * 2nd loop, 1st shift generates 0xcd00
178  * 2nd loop, 2nd shift generates 0x000c
180  * 3rd loop, 2nd shift generates 0x000b
182  * 4th loop, 2nd shift generates 0x000a
183  * Now, the values at the end of the 2nd shifts are XORed together.
192  * @ec entropy collector struct -- may be NULL
214 	 * testing purposes -- allow test app to set the counter, not  in jent_fold_time()
222 			__u64 tmp = time << (DATA_SIZE_BITS - i);  in jent_fold_time()
224 			tmp = tmp >> (DATA_SIZE_BITS - 1);  in jent_fold_time()
233  * Memory Access noise source -- this is a noise source based on variations in
247  * to reliably access either L3 or memory, the ec->mem memory must be quite
251  * @ec Reference to the entropy collector with the memory access data -- if
269 	if (NULL == ec || NULL == ec->mem)  in jent_memaccess()
271 	wrap = ec->memblocksize * ec->memblocks;  in jent_memaccess()
274 	 * testing purposes -- allow test app to set the counter, not  in jent_memaccess()
280 	for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {  in jent_memaccess()
281 		tmpval = ec->mem + ec->memlocation;  in jent_memaccess()
284 		 * wrap at 255 -- memory access implies read  in jent_memaccess()
289 		 * Addition of memblocksize - 1 to pointer  in jent_memaccess()
293 		ec->memlocation = ec->memlocation + ec->memblocksize - 1;  in jent_memaccess()
294 		ec->memlocation = ec->memlocation % wrap;  in jent_memaccess()
306  *	2nd derivation of the jitter measurement (delta of time deltas)
309  * All values must always be non-zero.
321 	__s64 delta2 = ec->last_delta - current_delta;  in jent_stuck()
322 	__s64 delta3 = delta2 - ec->last_delta2;  in jent_stuck()
324 	ec->last_delta = current_delta;  in jent_stuck()
325 	ec->last_delta2 = delta2;  in jent_stuck()
328 		ec->stuck = 1;  in jent_stuck()
337  * WARNING: ensure that ->prev_time is primed before using the output
360 	current_delta = time - ec->prev_time;  in jent_measure_jitter()
361 	ec->prev_time = time;  in jent_measure_jitter()
380  * A proof of the Von-Neumann unbias operation to remove skews is given in the
411  * can have 2**64 different values. That mixer value is initialized with the
412  * first two SHA-1 constants. After obtaining the mixer value, it is XORed into
429 		__u32 u32[2];  in jent_stir_pool()
433 	 * vectors of SHA-1 as defined in FIPS 180-4 section 5.3.1  in jent_stir_pool()
438 	 * and fourth 32 bit initialization vector of SHA-1 as defined in  in jent_stir_pool()
439 	 * FIPS 180-4 section 5.3.1  in jent_stir_pool()
445 	 * Store the SHA-1 constants in reverse order to make up the 64 bit  in jent_stir_pool()
446 	 * value -- this applies to a little endian system, on a big endian  in jent_stir_pool()
448 	 * as we do not rely on the specific numbers. We just pick the SHA-1  in jent_stir_pool()
458 		 * get the i-th bit of the input random number and only XOR  in jent_stir_pool()
461 		if ((entropy_collector->data >> i) & 1)  in jent_stir_pool()
465 	entropy_collector->data ^= mixer.u64;  in jent_stir_pool()
470  * Function fills rand_data->data
479 	/* priming of the ->prev_time value */  in jent_gen_entropy()
485 		if (ec->disable_unbias == 1)  in jent_gen_entropy()
491 		if (ec->stuck) {  in jent_gen_entropy()
495 			 * the LSFR and we do not rotate, the 2nd bit with LSFR  in jent_gen_entropy()
502 			ec->data ^= data;  in jent_gen_entropy()
503 			ec->stuck = 0;  in jent_gen_entropy()
517 		ec->data ^= data;  in jent_gen_entropy()
518 		ec->data ^= ((ec->data >> 63) & 1);  in jent_gen_entropy()
519 		ec->data ^= ((ec->data >> 60) & 1);  in jent_gen_entropy()
520 		ec->data ^= ((ec->data >> 55) & 1);  in jent_gen_entropy()
521 		ec->data ^= ((ec->data >> 30) & 1);  in jent_gen_entropy()
522 		ec->data ^= ((ec->data >> 27) & 1);  in jent_gen_entropy()
523 		ec->data ^= ((ec->data >> 22) & 1);  in jent_gen_entropy()
524 		ec->data = jent_rol64(ec->data, 1);  in jent_gen_entropy()
527 		 * We multiply the loop value with ->osr to obtain the  in jent_gen_entropy()
530 		if (++k >= (DATA_SIZE_BITS * ec->osr))  in jent_gen_entropy()
533 	if (ec->stir)  in jent_gen_entropy()
538  * The continuous test required by FIPS 140-2 -- the function automatically
542  * 0 if FIPS test passed
543  * < 0 if FIPS test failed
550 	/* prime the FIPS test */  in jent_fips_test()
551 	if (!ec->old_data) {  in jent_fips_test()
552 		ec->old_data = ec->data;  in jent_fips_test()
556 	if (ec->data == ec->old_data)  in jent_fips_test()
559 	ec->old_data = ec->data;  in jent_fips_test()
574  * @data pointer to buffer for storing random data -- buffer must already
582  *	-1	entropy_collector is NULL
590 		return -1;  in jent_read_entropy()
601 		jent_memcpy(p, &ec->data, tocopy);  in jent_read_entropy()
603 		len -= tocopy;  in jent_read_entropy()
627 		entropy_collector->mem = jent_zalloc(JENT_MEMORY_SIZE);  in jent_entropy_collector_alloc()
628 		if (!entropy_collector->mem) {  in jent_entropy_collector_alloc()
632 		entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE;  in jent_entropy_collector_alloc()
633 		entropy_collector->memblocks = JENT_MEMORY_BLOCKS;  in jent_entropy_collector_alloc()
634 		entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;  in jent_entropy_collector_alloc()
640 	entropy_collector->osr = osr;  in jent_entropy_collector_alloc()
642 	entropy_collector->stir = 1;  in jent_entropy_collector_alloc()
644 		entropy_collector->stir = 0;  in jent_entropy_collector_alloc()
646 		entropy_collector->disable_unbias = 1;  in jent_entropy_collector_alloc()
648 	/* fill the data pad with non-zero values */  in jent_entropy_collector_alloc()
656 	jent_zfree(entropy_collector->mem);  in jent_entropy_collector_free()
657 	entropy_collector->mem = NULL;  in jent_entropy_collector_free()
686 	 * following sanity checks verify that we have a high-resolution  in jent_entropy_init()
709 		delta = time2 - time;  in jent_entropy_init()
712 		 * delta even when called shortly after each other -- this  in jent_entropy_init()
736 		lowdelta = time2 - time;  in jent_entropy_init()
742 		 * for the calculation of entropy -- perform this check  in jent_entropy_init()
750 				delta_sum += (delta - old_delta);  in jent_entropy_init()
752 				delta_sum += (old_delta - delta);  in jent_entropy_init()
780 	 * least 10% of all checks -- on some platforms, the counter  in jent_entropy_init()