Lines Matching +full:reseed +full:- +full:disable
1 // SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
3 * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
10 * - Initialization and readiness waiting.
11 * - Fast key erasure RNG, the "crng".
12 * - Entropy accumulation and extraction routines.
13 * - Entropy collection routines.
14 * - Userspace reader/writer interfaces.
15 * - Sysctl interface.
74 * crng_init is protected by base_crng->lock, and only increases
75 * its value (from empty->early->ready).
83 /* Various types of waiters for crng_init->CRNG_READY transition. */
95 MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
123 * -ERESTARTSYS if the function was interrupted by a signal.
144 * -EALREADY if pool is already initialised (callback not called)
149 int ret = -EALREADY; in register_random_ready_notifier()
196 * RNG described at <https://blog.cr.yp.to/20170723-random.html>.
209 * functions may be higher performance for one-off random integers,
255 * because the per-cpu crngs are initialized to ULONG_MAX, so this in crng_reseed()
340 * then re-check once locked later. In the case where we're really not in crng_make_state()
361 * If the base_crng is old enough, we reseed, which in turn bumps the in crng_make_state()
371 * If our per-cpu crng is older than the base_crng, then it means in crng_make_state()
374 * for our per-cpu crng. This brings us up to date with base_crng. in crng_make_state()
376 if (unlikely(crng->generation != READ_ONCE(base_crng.generation))) { in crng_make_state()
379 crng->key, sizeof(crng->key)); in crng_make_state()
380 crng->generation = base_crng.generation; in crng_make_state()
385 * Finally, when we've made it this far, our per-cpu crng has an up in crng_make_state()
391 crng_fast_key_erasure(crng->key, chacha_state, random_data, random_data_len); in crng_make_state()
406 len -= first_block_len; in _get_random_bytes()
420 len -= CHACHA_BLOCK_SIZE; in _get_random_bytes()
490 return ret ? ret : -EFAULT; in get_random_bytes_user()
538 if (batch->position >= ARRAY_SIZE(batch->entropy) || \
539 next_gen != batch->generation) { \
540 _get_random_bytes(batch->entropy, sizeof(batch->entropy)); \
541 batch->position = 0; \
542 batch->generation = next_gen; \
545 ret = batch->entropy[batch->position]; \
546 batch->entropy[batch->position] = 0; \
547 ++batch->position; \
565 * the per-cpu crng and all batches, so that we serve fresh in DEFINE_BATCHED_ENTROPY()
568 per_cpu_ptr(&crngs, cpu)->generation = ULONG_MAX; in DEFINE_BATCHED_ENTROPY()
569 per_cpu_ptr(&batched_entropy_u32, cpu)->position = UINT_MAX; in DEFINE_BATCHED_ENTROPY()
570 per_cpu_ptr(&batched_entropy_u64, cpu)->position = UINT_MAX; in DEFINE_BATCHED_ENTROPY()
576 * This function will use the architecture-specific hardware random
595 left -= block_len; in get_random_bytes_arch()
598 return len - left; in get_random_bytes_arch()
623 POOL_READY_BITS = POOL_BITS, /* When crng_init->CRNG_READY */
624 POOL_EARLY_BITS = POOL_READY_BITS / 2 /* When crng_init->CRNG_EARLY */
659 * This is an HKDF-like construction for using the hashed collected entropy
660 * as a PRF key, that's then expanded block-by-block.
696 len -= i; in extract_entropy()
759 * read-out of the RTC. This does *not* credit any actual entropy to
781 * layer request events, on a per-disk_devt basis, as input to the
782 * entropy pool. Note that high-speed solid state drives with very low
829 arch_bytes -= sizeof(entropy); in random_init()
847 * Add device- or boot-specific data to the input pool to help
867 * Interface for in-kernel drivers of true hardware RNGs.
918 * This is [Half]SipHash-1-x, starting from an empty key. Because
919 * the key is fixed, it assumes that its inputs are non-malicious,
921 * four-word SipHash state, while v represents a two-word input.
951 per_cpu_ptr(&irq_randomness, cpu)->count = 0; in random_online_cpu()
980 memcpy(pool, fast_pool->pool, sizeof(pool)); in mix_interrupt_randomness()
981 count = fast_pool->count; in mix_interrupt_randomness()
982 fast_pool->count = 0; in mix_interrupt_randomness()
983 fast_pool->last = jiffies; in mix_interrupt_randomness()
1000 fast_mix(fast_pool->pool, entropy, in add_interrupt_randomness()
1002 new_count = ++fast_pool->count; in add_interrupt_randomness()
1007 if (new_count < 1024 && !time_is_before_jiffies(fast_pool->last + HZ)) in add_interrupt_randomness()
1010 fast_pool->count |= MIX_INFLIGHT; in add_interrupt_randomness()
1011 if (!timer_pending(&fast_pool->mix)) { in add_interrupt_randomness()
1012 fast_pool->mix.expires = jiffies; in add_interrupt_randomness()
1013 add_timer_on(&fast_pool->mix, raw_smp_processor_id()); in add_interrupt_randomness()
1042 fast_mix(this_cpu_ptr(&irq_randomness)->pool, entropy, num); in add_timer_randomness()
1055 * We take into account the first, second and third-order deltas in add_timer_randomness()
1058 delta = now - READ_ONCE(state->last_time); in add_timer_randomness()
1059 WRITE_ONCE(state->last_time, now); in add_timer_randomness()
1061 delta2 = delta - READ_ONCE(state->last_delta); in add_timer_randomness()
1062 WRITE_ONCE(state->last_delta, delta); in add_timer_randomness()
1064 delta3 = delta2 - READ_ONCE(state->last_delta2); in add_timer_randomness()
1065 WRITE_ONCE(state->last_delta2, delta2); in add_timer_randomness()
1068 delta = -delta; in add_timer_randomness()
1070 delta2 = -delta2; in add_timer_randomness()
1072 delta3 = -delta3; in add_timer_randomness()
1092 this_cpu_ptr(&irq_randomness)->count += max(1u, bits * 64) - 1; in add_timer_randomness()
1115 if (!disk || !disk->random) in add_disk_randomness()
1118 add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); in add_disk_randomness()
1132 state->last_time = INITIAL_JIFFIES; in rand_initialize_disk()
1133 disk->random = state; in rand_initialize_disk()
1144 * Note that we don't re-arm the timer in the timer itself - we are
1149 * So the re-arming always happens in the entropy loop itself.
1169 /* Slow counter - or none. Don't even bother */ in try_to_generate_entropy()
1223 return -EINVAL; in SYSCALL_DEFINE3()
1230 return -EINVAL; in SYSCALL_DEFINE3()
1234 return -EAGAIN; in SYSCALL_DEFINE3()
1277 return ret ? ret : -EFAULT; in write_pool_user()
1293 --maxwarn; in urandom_read_iter()
1295 current->comm, iov_iter_count(iter)); in urandom_read_iter()
1307 ((kiocb->ki_flags & (IOCB_NOWAIT | IOCB_NOIO)) || in random_read_iter()
1308 (kiocb->ki_filp->f_flags & O_NONBLOCK))) in random_read_iter()
1309 return -EAGAIN; in random_read_iter()
1326 return -EFAULT; in random_ioctl()
1330 return -EPERM; in random_ioctl()
1332 return -EFAULT; in random_ioctl()
1334 return -EINVAL; in random_ioctl()
1344 return -EPERM; in random_ioctl()
1346 return -EFAULT; in random_ioctl()
1348 return -EINVAL; in random_ioctl()
1350 return -EFAULT; in random_ioctl()
1359 return -EFAULT; in random_ioctl()
1367 return -EPERM; in random_ioctl()
1371 return -EPERM; in random_ioctl()
1373 return -ENODATA; in random_ioctl()
1377 return -EINVAL; in random_ioctl()
1418 * - boot_id - a UUID representing the current boot.
1420 * - uuid - a random UUID, different each time the file is read.
1422 * - poolsize - the number of bits of entropy that the input pool can
1425 * - entropy_avail - the number of bits of entropy currently in the
1428 * - write_wakeup_threshold - the amount of entropy in the input pool
1434 * - urandom_min_reseed_secs - fixed to the value CRNG_RESEED_INTERVAL.
1451 * UUID. The difference is in whether table->data is NULL; if it is,
1465 return -EPERM; in proc_do_uuid()
1467 uuid = table->data; in proc_do_uuid()