
2  * random.c -- A strong random number generator
29 * the restrictions contained in a BSD-style copyright.)
59 * to produce truly random numbers on a computer --- as opposed to
60 * pseudo-random numbers, which can easily be generated by using a
62 * the sequence of pseudo-random number generators, and for some
69 * Sources of randomness from the environment include inter-keyboard
70 * timings, inter-interrupt timings from some interrupts, and other
71 * events which are both (a) non-deterministic and (b) hard for an
73 * added to an "entropy pool", which is mixed using a CRC-like function.
85 * about the input of SHA from its output. Even if it is possible to
88 * the pool, the output data is totally unpredictable. For this
95 * able to infer the future output of the generator from prior
101 * Exported interfaces ---- output
107 * Exported interfaces ---- userspace output
108 * -----------------------------------------
113 * one-time pads), as it will only return a maximum of the number of
123 * Exported interfaces ---- kernel output
124 * --------------------------------------
143 * for most in-kernel operations *if the result is going to be stored in
147 * "anti-backtracking". If you capture the state of the kernel (e.g.
152 * It *is* safe to expose get_random_int() output to attackers (e.g. as
185 * -------------
189 * numbers aren't security-critical at all, these are *far* cheaper.
190 * Useful for self-tests, random error simulation, randomized backoffs,
194 * Exported interfaces ---- input
209 * read-out of the RTC. This does *not* add any actual entropy to the
222 * layer request events, on a per-disk_devt basis, as input to the
223 * entropy pool. Note that high-speed solid state drives with very low
236 * if the start-up does not involve interaction with a human operator.
240 * entropy pool across shut-downs and start-ups. To do this, put the
245 * random_seed=/var/run/random-seed
246 * # Carry a random seed from start-up to start-up
248 * if [ -f $random_seed ]; then
259 * # Carry a random seed from shut-down to start-up
262 * random_seed=/var/run/random-seed
273 * to be saved at shut-down time and reloaded into the entropy pool at
274 * start-up. (The 'dd' in the addition to the bootup script is to
275 * make sure that /etc/random-seed is different for every start-up,
277 * complete knowledge of the start-up activities, predicting the state
356 #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5))
358 #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5))
362 #define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
372 #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT)
387 * For the purposes of better mixing, we use the CRC-32 polynomial as
391 * 2(3):179-194. Also see M. Matsumoto & Y. Kurita, 1994. Twisted
393 * Simulation 4:254-266)
397 * The mixing operation is much less sensitive than the output hash,
398 * where we use SHA-1. All that we want of mixing operation is that
399 * it be a good non-cryptographic hash; i.e. it not produce collisions
456 * crng_init = 0 --> Uninitialized
457 * 1 --> Initialized
458 * 2 --> Initialized from input_pool
460 * crng_init is protected by primary_crng->lock, and only increases
461 * its value (from 0->1->2).
475 RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
477 RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
493 /* read-only data: */
498 /* read-write data: */
535 * the entropy is concentrated in the low-order bits.
542 int wordmask = r->poolinfo->poolwords - 1; in _mix_pool_bytes()
546 tap1 = r->poolinfo->tap1; in _mix_pool_bytes()
547 tap2 = r->poolinfo->tap2; in _mix_pool_bytes()
548 tap3 = r->poolinfo->tap3; in _mix_pool_bytes()
549 tap4 = r->poolinfo->tap4; in _mix_pool_bytes()
550 tap5 = r->poolinfo->tap5; in _mix_pool_bytes()
552 input_rotate = r->input_rotate; in _mix_pool_bytes()
553 i = r->add_ptr; in _mix_pool_bytes()
556 while (nbytes--) { in _mix_pool_bytes()
558 i = (i - 1) & wordmask; in _mix_pool_bytes()
561 w ^= r->pool[i]; in _mix_pool_bytes()
562 w ^= r->pool[(i + tap1) & wordmask]; in _mix_pool_bytes()
563 w ^= r->pool[(i + tap2) & wordmask]; in _mix_pool_bytes()
564 w ^= r->pool[(i + tap3) & wordmask]; in _mix_pool_bytes()
565 w ^= r->pool[(i + tap4) & wordmask]; in _mix_pool_bytes()
566 w ^= r->pool[(i + tap5) & wordmask]; in _mix_pool_bytes()
569 r->pool[i] = (w >> 3) ^ twist_table[w & 7]; in _mix_pool_bytes()
580 r->input_rotate = input_rotate; in _mix_pool_bytes()
581 r->add_ptr = i; in _mix_pool_bytes()
587 trace_mix_pool_bytes_nolock(r->name, nbytes, _RET_IP_); in __mix_pool_bytes()
596 trace_mix_pool_bytes(r->name, nbytes, _RET_IP_); in mix_pool_bytes()
597 spin_lock_irqsave(&r->lock, flags); in mix_pool_bytes()
599 spin_unlock_irqrestore(&r->lock, flags); in mix_pool_bytes()
616 __u32 a = f->pool[0], b = f->pool[1]; in fast_mix()
617 __u32 c = f->pool[2], d = f->pool[3]; in fast_mix()
635 f->pool[0] = a; f->pool[1] = b; in fast_mix()
636 f->pool[2] = c; f->pool[3] = d; in fast_mix()
637 f->count++; in fast_mix()
647 struct module *owner = rdy->owner; in process_random_ready_list()
649 list_del_init(&rdy->list); in process_random_ready_list()
650 rdy->func(rdy); in process_random_ready_list()
664 const int pool_size = r->poolinfo->poolfracbits; in credit_entropy_bits()
671 entropy_count = orig = READ_ONCE(r->entropy_count); in credit_entropy_bits()
682 * entropy <- entropy + (pool_size - entropy) * in credit_entropy_bits()
683 * (1 - exp(-add_entropy/pool_size)) in credit_entropy_bits()
686 * (1 - exp(-add_entropy/pool_size)) >= in credit_entropy_bits()
692 * The use of pool_size-2 in the while statement is to in credit_entropy_bits()
698 const int s = r->poolinfo->poolbitshift + ENTROPY_SHIFT + 2; in credit_entropy_bits()
704 ((pool_size - entropy_count)*anfrac*3) >> s; in credit_entropy_bits()
707 pnfrac -= anfrac; in credit_entropy_bits()
708 } while (unlikely(entropy_count < pool_size-2 && pnfrac)); in credit_entropy_bits()
713 r->name, entropy_count); in credit_entropy_bits()
717 if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) in credit_entropy_bits()
721 r->initialized = 1; in credit_entropy_bits()
725 trace_credit_entropy_bits(r->name, nbits, in credit_entropy_bits()
742 const int nbits_max = r->poolinfo->poolwords * 32; in credit_entropy_bits_safe()
745 return -EINVAL; in credit_entropy_bits_safe()
760 #define CRNG_RESEED_INTERVAL (300*HZ)
796 crng->state[i] ^= rv; in crng_init_try_arch()
814 crng->state[i] ^= rv; in crng_init_try_arch_early()
822 memcpy(&crng->state[0], "expand 32-byte k", 16); in crng_initialize_secondary()
823 _get_random_bytes(&crng->state[4], sizeof(__u32) * 12); in crng_initialize_secondary()
825 crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; in crng_initialize_secondary()
830 memcpy(&crng->state[0], "expand 32-byte k", 16); in crng_initialize_primary()
831 _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0); in crng_initialize_primary()
838 crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; in crng_initialize_primary()
852 spin_lock_init(&crng->lock); in do_numa_crng_init()
876 * path. So we can't afford to dilly-dally.
892 cp++; crng_init_cnt++; len--; in crng_fast_load()
966 spin_lock_irqsave(&crng->lock, flags); in crng_reseed()
972 crng->state[i+4] ^= buf.key[i] ^ rv; in crng_reseed()
975 crng->init_time = jiffies; in crng_reseed()
976 spin_unlock_irqrestore(&crng->lock, flags); in crng_reseed()
1004 (time_after(crng_global_init_time, crng->init_time) || in _extract_crng()
1005 time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))) in _extract_crng()
1007 spin_lock_irqsave(&crng->lock, flags); in _extract_crng()
1009 crng->state[14] ^= v; in _extract_crng()
1010 chacha20_block(&crng->state[0], out); in _extract_crng()
1011 if (crng->state[12] == 0) in _extract_crng()
1012 crng->state[13]++; in _extract_crng()
1013 spin_unlock_irqrestore(&crng->lock, flags); in _extract_crng()
1030 * Use the leftover bytes from the CRNG block output (if there is
1045 spin_lock_irqsave(&crng->lock, flags); in _crng_backtrack_protect()
1047 d = &crng->state[4]; in _crng_backtrack_protect()
1050 spin_unlock_irqrestore(&crng->lock, flags); in _crng_backtrack_protect()
1076 ret = -ERESTARTSYS; in extract_crng_user()
1085 ret = -EFAULT; in extract_crng_user()
1089 nbytes -= i; in extract_crng_user()
1117 * Add device- or boot-specific data to the input pool to help
1147 * The number "num" is also added to the pool - it should somehow describe
1148 * the type of event which just happened. This is currently 0-255 for
1170 * We take into account the first, second and third-order deltas in add_timer_randomness()
1173 delta = sample.jiffies - READ_ONCE(state->last_time); in add_timer_randomness()
1174 WRITE_ONCE(state->last_time, sample.jiffies); in add_timer_randomness()
1176 delta2 = delta - READ_ONCE(state->last_delta); in add_timer_randomness()
1177 WRITE_ONCE(state->last_delta, delta); in add_timer_randomness()
1179 delta3 = delta2 - READ_ONCE(state->last_delta2); in add_timer_randomness()
1180 WRITE_ONCE(state->last_delta2, delta2); in add_timer_randomness()
1183 delta = -delta; in add_timer_randomness()
1185 delta2 = -delta2; in add_timer_randomness()
1187 delta3 = -delta3; in add_timer_randomness()
1223 #define FIXED_1_2 (1 << (AVG_SHIFT-1))
1227 long delta = random_get_entropy() - start; in add_interrupt_bench()
1230 delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT); in add_interrupt_bench()
1233 delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT); in add_interrupt_bench()
1247 idx = READ_ONCE(f->reg_idx); in get_reg()
1251 WRITE_ONCE(f->reg_idx, idx); in get_reg()
1271 fast_pool->pool[0] ^= cycles ^ j_high ^ irq; in add_interrupt_randomness()
1272 fast_pool->pool[1] ^= now ^ c_high; in add_interrupt_randomness()
1274 fast_pool->pool[2] ^= ip; in add_interrupt_randomness()
1275 fast_pool->pool[3] ^= (sizeof(ip) > 4) ? ip >> 32 : in add_interrupt_randomness()
1282 if ((fast_pool->count >= 64) && in add_interrupt_randomness()
1283 crng_fast_load((char *) fast_pool->pool, in add_interrupt_randomness()
1284 sizeof(fast_pool->pool))) { in add_interrupt_randomness()
1285 fast_pool->count = 0; in add_interrupt_randomness()
1286 fast_pool->last = now; in add_interrupt_randomness()
1291 if ((fast_pool->count < 64) && in add_interrupt_randomness()
1292 !time_after(now, fast_pool->last + HZ)) in add_interrupt_randomness()
1296 if (!spin_trylock(&r->lock)) in add_interrupt_randomness()
1299 fast_pool->last = now; in add_interrupt_randomness()
1300 __mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool)); in add_interrupt_randomness()
1312 spin_unlock(&r->lock); in add_interrupt_randomness()
1314 fast_pool->count = 0; in add_interrupt_randomness()
1324 if (!disk || !disk->random) in add_disk_randomness()
1327 add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); in add_disk_randomness()
1349 BUG_ON(r->entropy_count > r->poolinfo->poolfracbits); in account()
1353 entropy_count = orig = READ_ONCE(r->entropy_count); in account()
1358 if ((have_bytes -= reserved) < 0) in account()
1366 r->name, entropy_count); in account()
1371 entropy_count -= nfrac; in account()
1375 if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) in account()
1378 trace_debit_entropy(r->name, 8 * ibytes); in account()
1416 spin_lock_irqsave(&r->lock, flags); in extract_buf()
1417 for (i = 0; i < r->poolinfo->poolwords; i += 16) in extract_buf()
1418 sha1_transform(hash.w, (__u8 *)(r->pool + i), workspace); in extract_buf()
1426 * brute-forcing the feedback as hard as brute-forcing the in extract_buf()
1430 spin_unlock_irqrestore(&r->lock, flags); in extract_buf()
1435 * In case the hash function has some recognizable output in extract_buf()
1437 * twice as much data as we output. in extract_buf()
1458 spin_lock_irqsave(&r->lock, flags); in _extract_entropy()
1459 if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) in _extract_entropy()
1460 panic("Hardware RNG duplicated output!\n"); in _extract_entropy()
1461 memcpy(r->last_data, tmp, EXTRACT_SIZE); in _extract_entropy()
1462 spin_unlock_irqrestore(&r->lock, flags); in _extract_entropy()
1466 nbytes -= i; in _extract_entropy()
1494 spin_lock_irqsave(&r->lock, flags); in extract_entropy()
1495 if (!r->last_data_init) { in extract_entropy()
1496 r->last_data_init = 1; in extract_entropy()
1497 spin_unlock_irqrestore(&r->lock, flags); in extract_entropy()
1498 trace_extract_entropy(r->name, EXTRACT_SIZE, in extract_entropy()
1501 spin_lock_irqsave(&r->lock, flags); in extract_entropy()
1502 memcpy(r->last_data, tmp, EXTRACT_SIZE); in extract_entropy()
1504 spin_unlock_irqrestore(&r->lock, flags); in extract_entropy()
1507 trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); in extract_entropy()
1558 nbytes -= CHACHA_BLOCK_SIZE; in _get_random_bytes()
1586 * Note that we don't re-arm the timer in the timer itself - we are
1591 * So the re-arming always happens in the entropy loop itself.
1611 /* Slow counter - or none. Don't even bother */ in try_to_generate_entropy()
1637 * -ERESTARTSYS if the function was interrupted by a signal.
1646 ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ); in wait_for_random_bytes()
1677 * -EALREADY if pool is already initialised (callback not called)
1678 * -ENOENT if module for callback is not alive
1684 int err = -EALREADY; in add_random_ready_callback()
1689 owner = rdy->owner; in add_random_ready_callback()
1691 return -ENOENT; in add_random_ready_callback()
1699 list_add(&rdy->list, &random_ready_list); in add_random_ready_callback()
1720 if (!list_empty(&rdy->list)) { in del_random_ready_callback()
1721 list_del_init(&rdy->list); in del_random_ready_callback()
1722 owner = rdy->owner; in del_random_ready_callback()
1731 * This function will use the architecture-specific hardware random
1732 * number generator if it is available. The arch-specific hw RNG will
1757 left -= chunk; in get_random_bytes_arch()
1760 return nbytes - left; in get_random_bytes_arch()
1765 * init_std_data - initialize pool with system data
1780 for (i = r->poolinfo->poolbytes; i > 0; i -= sizeof(rv)) { in init_std_data()
1822 state->last_time = INITIAL_JIFFIES; in rand_initialize_disk()
1823 disk->random = state; in rand_initialize_disk()
1847 maxwarn--; in urandom_read()
1850 current->comm, nbytes); in urandom_read()
1897 return -EFAULT; in write_pool()
1899 for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) { in write_pool()
1905 count -= bytes; in write_pool()
1938 return -EFAULT; in random_ioctl()
1942 return -EPERM; in random_ioctl()
1944 return -EFAULT; in random_ioctl()
1948 return -EPERM; in random_ioctl()
1950 return -EFAULT; in random_ioctl()
1952 return -EINVAL; in random_ioctl()
1954 return -EFAULT; in random_ioctl()
1967 return -EPERM; in random_ioctl()
1972 return -EPERM; in random_ioctl()
1974 return -ENODATA; in random_ioctl()
1976 crng_global_init_time = jiffies - 1; in random_ioctl()
1979 return -EINVAL; in random_ioctl()
2013 return -EINVAL; in SYSCALL_DEFINE3()
2020 return -EINVAL; in SYSCALL_DEFINE3()
2027 return -EAGAIN; in SYSCALL_DEFINE3()
2052 * UUID. The difference is in whether table->data is NULL; if it is,
2065 uuid = table->data; in proc_do_uuid()
2087 * Return entropy available scaled to integral bits
2095 entropy_count = *(int *)table->data >> ENTROPY_SHIFT; in proc_do_entropy()
2200 spin_lock_irqsave(&batch->batch_lock, flags); in get_random_u64()
2201 if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) { in get_random_u64()
2202 extract_crng((u8 *)batch->entropy_u64); in get_random_u64()
2203 batch->position = 0; in get_random_u64()
2205 ret = batch->entropy_u64[batch->position++]; in get_random_u64()
2206 spin_unlock_irqrestore(&batch->batch_lock, flags); in get_random_u64()
2224 spin_lock_irqsave(&batch->batch_lock, flags); in get_random_u32()
2225 if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) { in get_random_u32()
2226 extract_crng((u8 *)batch->entropy_u32); in get_random_u32()
2227 batch->position = 0; in get_random_u32()
2229 ret = batch->entropy_u32[batch->position++]; in get_random_u32()
2230 spin_unlock_irqrestore(&batch->batch_lock, flags); in get_random_u32()
2237 * simply resetting the counter to zero so that it's re-extracted on the
2248 spin_lock_irqsave(&batched_entropy->batch_lock, flags); in invalidate_batched_entropy()
2249 batched_entropy->position = 0; in invalidate_batched_entropy()
2250 spin_unlock(&batched_entropy->batch_lock); in invalidate_batched_entropy()
2253 spin_lock(&batched_entropy->batch_lock); in invalidate_batched_entropy()
2254 batched_entropy->position = 0; in invalidate_batched_entropy()
2255 spin_unlock_irqrestore(&batched_entropy->batch_lock, flags); in invalidate_batched_entropy()
2260 * randomize_page - Generate a random, page aligned address
2277 range -= PAGE_ALIGN(start) - start; in randomize_page()
2281 if (start > ULONG_MAX - range) in randomize_page()
2282 range = ULONG_MAX - start; in randomize_page()
2292 /* Interface for in-kernel drivers of true hardware RNGs.