2 * random.c -- A strong random number generator
29 * the restrictions contained in a BSD-style copyright.)
59 * to produce truly random numbers on a computer --- as opposed to
60 * pseudo-random numbers, which can easily be generated by using a
62 * the sequence of pseudo-random number generators, and for some
69 * Sources of randomness from the environment include inter-keyboard
70 * timings, inter-interrupt timings from some interrupts, and other
71 * events which are both (a) non-deterministic and (b) hard for an
73 * added to an "entropy pool", which is mixed using a CRC-like function.
85 * about the input of SHA from its output. Even if it is possible to
88 * the pool, the output data is totally unpredictable. For this
95 * able to infer the future output of the generator from prior
101 * Exported interfaces ---- output
107 * Exported interfaces ---- userspace output
108 * -----------------------------------------
113 * one-time pads), as it will only return a maximum of the number of
123 * Exported interfaces ---- kernel output
124 * --------------------------------------
143 * for most in-kernel operations *if the result is going to be stored in
147 * "anti-backtracking". If you capture the state of the kernel (e.g.
152 * It *is* safe to expose get_random_int() output to attackers (e.g. as
185 * -------------
189 * numbers aren't security-critical at all, these are *far* cheaper.
190 * Useful for self-tests, random error simulation, randomized backoffs,
194 * Exported interfaces ---- input
209 * read-out of the RTC. This does *not* add any actual entropy to the
222 * layer request events, on a per-disk_devt basis, as input to the
223 * entropy pool. Note that high-speed solid state drives with very low
236 * if the start-up does not involve interaction with a human operator.
240 * entropy pool across shut-downs and start-ups. To do this, put the
245 * random_seed=/var/run/random-seed
246 * # Carry a random seed from start-up to start-up
248 * if [ -f $random_seed ]; then
259 * # Carry a random seed from shut-down to start-up
262 * random_seed=/var/run/random-seed
273 * to be saved at shut-down time and reloaded into the entropy pool at
274 * start-up. (The 'dd' in the addition to the bootup script is to
275 * make sure that /etc/random-seed is different for every start-up,
277 * complete knowledge of the start-up activities, predicting the state
356 #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5))
358 #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5))
362 #define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
372 #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT)
387 * For the purposes of better mixing, we use the CRC-32 polynomial as
391 * 2(3):179-194. Also see M. Matsumoto & Y. Kurita, 1994. Twisted
393 * Simulation 4:254-266)
397 * The mixing operation is much less sensitive than the output hash,
398 * where we use SHA-1. All that we want of mixing operation is that
399 * it be a good non-cryptographic hash; i.e. it not produce collisions
456 * crng_init = 0 --> Uninitialized
457 * 1 --> Initialized
458 * 2 --> Initialized from input_pool
460 * crng_init is protected by primary_crng->lock, and only increases
461 * its value (from 0->1->2).
476 RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
478 RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
494 /* read-only data: */
499 /* read-write data: */
536 * the entropy is concentrated in the low-order bits.
543 int wordmask = r->poolinfo->poolwords - 1; in _mix_pool_bytes()
547 tap1 = r->poolinfo->tap1; in _mix_pool_bytes()
548 tap2 = r->poolinfo->tap2; in _mix_pool_bytes()
549 tap3 = r->poolinfo->tap3; in _mix_pool_bytes()
550 tap4 = r->poolinfo->tap4; in _mix_pool_bytes()
551 tap5 = r->poolinfo->tap5; in _mix_pool_bytes()
553 input_rotate = r->input_rotate; in _mix_pool_bytes()
554 i = r->add_ptr; in _mix_pool_bytes()
557 while (nbytes--) { in _mix_pool_bytes()
559 i = (i - 1) & wordmask; in _mix_pool_bytes()
562 w ^= r->pool[i]; in _mix_pool_bytes()
563 w ^= r->pool[(i + tap1) & wordmask]; in _mix_pool_bytes()
564 w ^= r->pool[(i + tap2) & wordmask]; in _mix_pool_bytes()
565 w ^= r->pool[(i + tap3) & wordmask]; in _mix_pool_bytes()
566 w ^= r->pool[(i + tap4) & wordmask]; in _mix_pool_bytes()
567 w ^= r->pool[(i + tap5) & wordmask]; in _mix_pool_bytes()
570 r->pool[i] = (w >> 3) ^ twist_table[w & 7]; in _mix_pool_bytes()
581 r->input_rotate = input_rotate; in _mix_pool_bytes()
582 r->add_ptr = i; in _mix_pool_bytes()
588 trace_mix_pool_bytes_nolock(r->name, nbytes, _RET_IP_); in __mix_pool_bytes()
597 trace_mix_pool_bytes(r->name, nbytes, _RET_IP_); in mix_pool_bytes()
598 spin_lock_irqsave(&r->lock, flags); in mix_pool_bytes()
600 spin_unlock_irqrestore(&r->lock, flags); in mix_pool_bytes()
617 __u32 a = f->pool[0], b = f->pool[1]; in fast_mix()
618 __u32 c = f->pool[2], d = f->pool[3]; in fast_mix()
636 f->pool[0] = a; f->pool[1] = b; in fast_mix()
637 f->pool[2] = c; f->pool[3] = d; in fast_mix()
638 f->count++; in fast_mix()
648 struct module *owner = rdy->owner; in process_random_ready_list()
650 list_del_init(&rdy->list); in process_random_ready_list()
651 rdy->func(rdy); in process_random_ready_list()
665 const int pool_size = r->poolinfo->poolfracbits; in credit_entropy_bits()
672 entropy_count = orig = READ_ONCE(r->entropy_count); in credit_entropy_bits()
683 * entropy <- entropy + (pool_size - entropy) * in credit_entropy_bits()
684 * (1 - exp(-add_entropy/pool_size)) in credit_entropy_bits()
687 * (1 - exp(-add_entropy/pool_size)) >= in credit_entropy_bits()
693 * The use of pool_size-2 in the while statement is to in credit_entropy_bits()
699 const int s = r->poolinfo->poolbitshift + ENTROPY_SHIFT + 2; in credit_entropy_bits()
705 ((pool_size - entropy_count)*anfrac*3) >> s; in credit_entropy_bits()
708 pnfrac -= anfrac; in credit_entropy_bits()
709 } while (unlikely(entropy_count < pool_size-2 && pnfrac)); in credit_entropy_bits()
714 r->name, entropy_count); in credit_entropy_bits()
718 if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) in credit_entropy_bits()
722 r->initialized = 1; in credit_entropy_bits()
726 trace_credit_entropy_bits(r->name, nbits, in credit_entropy_bits()
743 const int nbits_max = r->poolinfo->poolwords * 32; in credit_entropy_bits_safe()
746 return -EINVAL; in credit_entropy_bits_safe()
761 #define CRNG_RESEED_INTERVAL (300*HZ)
797 crng->state[i] ^= rv; in crng_init_try_arch()
815 crng->state[i] ^= rv; in crng_init_try_arch_early()
823 chacha_init_consts(crng->state); in crng_initialize_secondary()
824 _get_random_bytes(&crng->state[4], sizeof(__u32) * 12); in crng_initialize_secondary()
826 crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; in crng_initialize_secondary()
831 chacha_init_consts(crng->state); in crng_initialize_primary()
832 _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0); in crng_initialize_primary()
839 crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; in crng_initialize_primary()
883 spin_lock_init(&crng->lock); in do_numa_crng_init()
925 * path. So we can't afford to dilly-dally. Returns the number of
943 cp++; crng_init_cnt++; len--; ret++; in crng_fast_load()
1017 spin_lock_irqsave(&crng->lock, flags); in crng_reseed()
1023 crng->state[i+4] ^= buf.key[i] ^ rv; in crng_reseed()
1026 WRITE_ONCE(crng->init_time, jiffies); in crng_reseed()
1027 spin_unlock_irqrestore(&crng->lock, flags); in crng_reseed()
1037 init_time = READ_ONCE(crng->init_time); in _extract_crng()
1043 spin_lock_irqsave(&crng->lock, flags); in _extract_crng()
1045 crng->state[14] ^= v; in _extract_crng()
1046 chacha20_block(&crng->state[0], out); in _extract_crng()
1047 if (crng->state[12] == 0) in _extract_crng()
1048 crng->state[13]++; in _extract_crng()
1049 spin_unlock_irqrestore(&crng->lock, flags); in _extract_crng()
1058 * Use the leftover bytes from the CRNG block output (if there is
1073 spin_lock_irqsave(&crng->lock, flags); in _crng_backtrack_protect()
1075 d = &crng->state[4]; in _crng_backtrack_protect()
1078 spin_unlock_irqrestore(&crng->lock, flags); in _crng_backtrack_protect()
1096 ret = -ERESTARTSYS; in extract_crng_user()
1105 ret = -EFAULT; in extract_crng_user()
1109 nbytes -= i; in extract_crng_user()
1137 * Add device- or boot-specific data to the input pool to help
1167 * The number "num" is also added to the pool - it should somehow describe
1168 * the type of event which just happened. This is currently 0-255 for
1190 * We take into account the first, second and third-order deltas in add_timer_randomness()
1193 delta = sample.jiffies - READ_ONCE(state->last_time); in add_timer_randomness()
1194 WRITE_ONCE(state->last_time, sample.jiffies); in add_timer_randomness()
1196 delta2 = delta - READ_ONCE(state->last_delta); in add_timer_randomness()
1197 WRITE_ONCE(state->last_delta, delta); in add_timer_randomness()
1199 delta3 = delta2 - READ_ONCE(state->last_delta2); in add_timer_randomness()
1200 WRITE_ONCE(state->last_delta2, delta2); in add_timer_randomness()
1203 delta = -delta; in add_timer_randomness()
1205 delta2 = -delta2; in add_timer_randomness()
1207 delta3 = -delta3; in add_timer_randomness()
1243 #define FIXED_1_2 (1 << (AVG_SHIFT-1))
1247 long delta = random_get_entropy() - start; in add_interrupt_bench()
1250 delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT); in add_interrupt_bench()
1253 delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT); in add_interrupt_bench()
1267 idx = READ_ONCE(f->reg_idx); in get_reg()
1271 WRITE_ONCE(f->reg_idx, idx); in get_reg()
1291 fast_pool->pool[0] ^= cycles ^ j_high ^ irq; in add_interrupt_randomness()
1292 fast_pool->pool[1] ^= now ^ c_high; in add_interrupt_randomness()
1294 fast_pool->pool[2] ^= ip; in add_interrupt_randomness()
1295 fast_pool->pool[3] ^= (sizeof(ip) > 4) ? ip >> 32 : in add_interrupt_randomness()
1302 if ((fast_pool->count >= 64) && in add_interrupt_randomness()
1303 crng_fast_load((char *) fast_pool->pool, in add_interrupt_randomness()
1304 sizeof(fast_pool->pool)) > 0) { in add_interrupt_randomness()
1305 fast_pool->count = 0; in add_interrupt_randomness()
1306 fast_pool->last = now; in add_interrupt_randomness()
1311 if ((fast_pool->count < 64) && in add_interrupt_randomness()
1312 !time_after(now, fast_pool->last + HZ)) in add_interrupt_randomness()
1316 if (!spin_trylock(&r->lock)) in add_interrupt_randomness()
1319 fast_pool->last = now; in add_interrupt_randomness()
1320 __mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool)); in add_interrupt_randomness()
1332 spin_unlock(&r->lock); in add_interrupt_randomness()
1334 fast_pool->count = 0; in add_interrupt_randomness()
1344 if (!disk || !disk->random) in add_disk_randomness()
1347 add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); in add_disk_randomness()
1369 BUG_ON(r->entropy_count > r->poolinfo->poolfracbits); in account()
1373 entropy_count = orig = READ_ONCE(r->entropy_count); in account()
1378 if ((have_bytes -= reserved) < 0) in account()
1386 r->name, entropy_count); in account()
1391 entropy_count -= nfrac; in account()
1395 if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) in account()
1398 trace_debit_entropy(r->name, 8 * ibytes); in account()
1436 spin_lock_irqsave(&r->lock, flags); in extract_buf()
1437 for (i = 0; i < r->poolinfo->poolwords; i += 16) in extract_buf()
1438 sha1_transform(hash.w, (__u8 *)(r->pool + i), workspace); in extract_buf()
1446 * brute-forcing the feedback as hard as brute-forcing the in extract_buf()
1450 spin_unlock_irqrestore(&r->lock, flags); in extract_buf()
1455 * In case the hash function has some recognizable output in extract_buf()
1457 * twice as much data as we output. in extract_buf()
1478 spin_lock_irqsave(&r->lock, flags); in _extract_entropy()
1479 if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) in _extract_entropy()
1480 panic("Hardware RNG duplicated output!\n"); in _extract_entropy()
1481 memcpy(r->last_data, tmp, EXTRACT_SIZE); in _extract_entropy()
1482 spin_unlock_irqrestore(&r->lock, flags); in _extract_entropy()
1486 nbytes -= i; in _extract_entropy()
1514 spin_lock_irqsave(&r->lock, flags); in extract_entropy()
1515 if (!r->last_data_init) { in extract_entropy()
1516 r->last_data_init = 1; in extract_entropy()
1517 spin_unlock_irqrestore(&r->lock, flags); in extract_entropy()
1518 trace_extract_entropy(r->name, EXTRACT_SIZE, in extract_entropy()
1521 spin_lock_irqsave(&r->lock, flags); in extract_entropy()
1522 memcpy(r->last_data, tmp, EXTRACT_SIZE); in extract_entropy()
1524 spin_unlock_irqrestore(&r->lock, flags); in extract_entropy()
1527 trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); in extract_entropy()
1578 nbytes -= CHACHA_BLOCK_SIZE; in _get_random_bytes()
1606 * Note that we don't re-arm the timer in the timer itself - we are
1611 * So the re-arming always happens in the entropy loop itself.
1631 /* Slow counter - or none. Don't even bother */ in try_to_generate_entropy()
1657 * -ERESTARTSYS if the function was interrupted by a signal.
1666 ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ); in wait_for_random_bytes()
1697 * -EALREADY if pool is already initialised (callback not called)
1698 * -ENOENT if module for callback is not alive
1704 int err = -EALREADY; in add_random_ready_callback()
1709 owner = rdy->owner; in add_random_ready_callback()
1711 return -ENOENT; in add_random_ready_callback()
1719 list_add(&rdy->list, &random_ready_list); in add_random_ready_callback()
1740 if (!list_empty(&rdy->list)) { in del_random_ready_callback()
1741 list_del_init(&rdy->list); in del_random_ready_callback()
1742 owner = rdy->owner; in del_random_ready_callback()
1751 * This function will use the architecture-specific hardware random
1752 * number generator if it is available. The arch-specific hw RNG will
1777 left -= chunk; in get_random_bytes_arch()
1780 return nbytes - left; in get_random_bytes_arch()
1785 * init_std_data - initialize pool with system data
1800 for (i = r->poolinfo->poolbytes; i > 0; i -= sizeof(rv)) { in init_std_data()
1844 state->last_time = INITIAL_JIFFIES; in rand_initialize_disk()
1845 disk->random = state; in rand_initialize_disk()
1869 maxwarn--; in urandom_read()
1872 current->comm, nbytes); in urandom_read()
1919 return -EFAULT; in write_pool()
1921 for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) { in write_pool()
1927 count -= bytes; in write_pool()
1960 return -EFAULT; in random_ioctl()
1964 return -EPERM; in random_ioctl()
1966 return -EFAULT; in random_ioctl()
1970 return -EPERM; in random_ioctl()
1972 return -EFAULT; in random_ioctl()
1974 return -EINVAL; in random_ioctl()
1976 return -EFAULT; in random_ioctl()
1989 return -EPERM; in random_ioctl()
1994 return -EPERM; in random_ioctl()
1996 return -ENODATA; in random_ioctl()
1998 WRITE_ONCE(crng_global_init_time, jiffies - 1); in random_ioctl()
2001 return -EINVAL; in random_ioctl()
2035 return -EINVAL; in SYSCALL_DEFINE3()
2042 return -EINVAL; in SYSCALL_DEFINE3()
2049 return -EAGAIN; in SYSCALL_DEFINE3()
2074 * UUID. The difference is in whether table->data is NULL; if it is,
2087 uuid = table->data; in proc_do_uuid()
2109 * Return entropy available scaled to integral bits
2117 entropy_count = *(int *)table->data >> ENTROPY_SHIFT; in proc_do_entropy()
2222 spin_lock_irqsave(&batch->batch_lock, flags); in get_random_u64()
2223 if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) { in get_random_u64()
2224 extract_crng((u8 *)batch->entropy_u64); in get_random_u64()
2225 batch->position = 0; in get_random_u64()
2227 ret = batch->entropy_u64[batch->position++]; in get_random_u64()
2228 spin_unlock_irqrestore(&batch->batch_lock, flags); in get_random_u64()
2246 spin_lock_irqsave(&batch->batch_lock, flags); in get_random_u32()
2247 if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) { in get_random_u32()
2248 extract_crng((u8 *)batch->entropy_u32); in get_random_u32()
2249 batch->position = 0; in get_random_u32()
2251 ret = batch->entropy_u32[batch->position++]; in get_random_u32()
2252 spin_unlock_irqrestore(&batch->batch_lock, flags); in get_random_u32()
2259 * simply resetting the counter to zero so that it's re-extracted on the
2270 spin_lock_irqsave(&batched_entropy->batch_lock, flags); in invalidate_batched_entropy()
2271 batched_entropy->position = 0; in invalidate_batched_entropy()
2272 spin_unlock(&batched_entropy->batch_lock); in invalidate_batched_entropy()
2275 spin_lock(&batched_entropy->batch_lock); in invalidate_batched_entropy()
2276 batched_entropy->position = 0; in invalidate_batched_entropy()
2277 spin_unlock_irqrestore(&batched_entropy->batch_lock, flags); in invalidate_batched_entropy()
2282 * randomize_page - Generate a random, page aligned address
2299 range -= PAGE_ALIGN(start) - start; in randomize_page()
2303 if (start > ULONG_MAX - range) in randomize_page()
2304 range = ULONG_MAX - start; in randomize_page()
2314 /* Interface for in-kernel drivers of true hardware RNGs.
2325 count -= ret; in add_hwgenerator_randomness()