2  * Non-physical true random number generator based on timing jitter --
5  * Copyright Stephan Mueller <smueller@chronox.de>, 2015 - 2020
10  * See https://www.chronox.de/jent.html
32  * the restrictions contained in a BSD-style copyright.)
50  * version 2.2.0 provided at https://www.chronox.de/jent.html
54 … be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitt…
90 	/* Adaptive Proportion Test for a significance level of 2^-30 */
91 #define JENT_APT_CUTOFF		325	/* Taken from SP800-90B sec 4.4.2 */
95 #define JENT_APT_WORD_MASK	(JENT_APT_LSB - 1)
109 /* -- error codes for init function -- */
125  * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound).
130  * entropy in each bit of output to at least 1-epsilon, where epsilon is
131  * required to be <= 2^(-32).
141  * This test complies with SP800-90B section 4.4.2.
152 	ec->apt_count = 0;  in jent_apt_reset()
153 	ec->apt_base = delta_masked;  in jent_apt_reset()
154 	ec->apt_observations = 0;  in jent_apt_reset()
166 	if (!ec->apt_base_set) {  in jent_apt_insert()
167 		ec->apt_base = delta_masked;  in jent_apt_insert()
168 		ec->apt_base_set = 1;  in jent_apt_insert()
172 	if (delta_masked == ec->apt_base) {  in jent_apt_insert()
173 		ec->apt_count++;  in jent_apt_insert()
175 		if (ec->apt_count >= JENT_APT_CUTOFF)  in jent_apt_insert()
176 			ec->health_failure = 1;  in jent_apt_insert()
179 	ec->apt_observations++;  in jent_apt_insert()
181 	if (ec->apt_observations >= JENT_APT_WINDOW_SIZE)  in jent_apt_insert()
189  * (RCT) specified in SP800-90B section 4.4.1. Instead of counting identical
190  * back-to-back values, the input to the RCT is the counting of the stuck
193  * The RCT is applied with an alpha of 2^{-30} compliant to FIPS 140-2 IG 9.8.
196  * cut-off value of C. If that value exceeds the allowed cut-off value,
202  * Repetition Count Test as defined in SP800-90B section 4.4.1
213 	if (ec->rct_count < 0)  in jent_rct_insert()
217 		ec->rct_count++;  in jent_rct_insert()
221 		 * alpha = 2^-30 as recommended in FIPS 140-2 IG 9.8.  in jent_rct_insert()
228 		 * Note, ec->rct_count (which equals to value B in the pseudo  in jent_rct_insert()
229 		 * code of SP800-90B section 4.4.1) starts with zero. Hence  in jent_rct_insert()
231 		 * following SP800-90B.  in jent_rct_insert()
233 		if ((unsigned int)ec->rct_count >= (31 * ec->osr)) {  in jent_rct_insert()
234 			ec->rct_count = -1;  in jent_rct_insert()
235 			ec->health_failure = 1;  in jent_rct_insert()
238 		ec->rct_count = 0;  in jent_rct_insert()
253 	if (ec->rct_count < 0)  in jent_rct_failure()
261 	return (prev < next) ? (next - prev) :  in jent_delta()
262 			       (JENT_UINT64_MAX - prev + 1 + next);  in jent_delta()
271  * All values must always be non-zero.
282 	__u64 delta2 = jent_delta(ec->last_delta, current_delta);  in jent_stuck()
283 	__u64 delta3 = jent_delta(ec->last_delta2, delta2);  in jent_stuck()
285 	ec->last_delta = current_delta;  in jent_stuck()
286 	ec->last_delta2 = delta2;  in jent_stuck()
289 	 * Insert the result of the comparison of two back-to-back time  in jent_stuck()
300 	/* RCT with a non-stuck bit */  in jent_stuck()
317 	return ec->health_failure;  in jent_health_failure()
329  * @ec entropy collector struct -- may be NULL
342 	unsigned int mask = (1<<bits) - 1;  in jent_loop_shuffle()
350 		time ^= ec->data;  in jent_loop_shuffle()
355 	for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) {  in jent_loop_shuffle()
368  * CPU Jitter noise source -- this is the noise source based on the CPU
388  * updated ec->data
404 	 * testing purposes -- allow test app to set the counter, not  in jent_lfsr_time()
410 		new = ec->data;  in jent_lfsr_time()
412 			__u64 tmp = time << (DATA_SIZE_BITS - i);  in jent_lfsr_time()
414 			tmp = tmp >> (DATA_SIZE_BITS - 1);  in jent_lfsr_time()
440 	 * even when the time stamp has no entropy, SP800-90B requires that  in jent_lfsr_time()
441 	 * any conditioning operation (SP800-90B considers the LFSR to be a  in jent_lfsr_time()
446 		ec->data = new;  in jent_lfsr_time()
450  * Memory Access noise source -- this is a noise source based on variations in
464  * to reliably access either L3 or memory, the ec->mem memory must be quite
467  * @ec [in] Reference to the entropy collector with the memory access data -- if
482 	if (NULL == ec || NULL == ec->mem)  in jent_memaccess()
484 	wrap = ec->memblocksize * ec->memblocks;  in jent_memaccess()
487 	 * testing purposes -- allow test app to set the counter, not  in jent_memaccess()
493 	for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) {  in jent_memaccess()
494 		unsigned char *tmpval = ec->mem + ec->memlocation;  in jent_memaccess()
497 		 * wrap at 255 -- memory access implies read  in jent_memaccess()
502 		 * Addition of memblocksize - 1 to pointer  in jent_memaccess()
506 		ec->memlocation = ec->memlocation + ec->memblocksize - 1;  in jent_memaccess()
507 		ec->memlocation = ec->memlocation % wrap;  in jent_memaccess()
519  * WARNING: ensure that ->prev_time is primed before using the output
541 	current_delta = jent_delta(ec->prev_time, time);  in jent_measure_jitter()
542 	ec->prev_time = time;  in jent_measure_jitter()
555  * Function fills rand_data->data
566 	/* priming of the ->prev_time value */  in jent_gen_entropy()
575 		 * We multiply the loop value with ->osr to obtain the  in jent_gen_entropy()
578 		if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))  in jent_gen_entropy()
594  * @data [in] pointer to buffer for storing random data -- buffer must already
602  *	-1	entropy_collector is NULL
603  *	-2	RCT failed
604  *	-3	APT test failed
612 		return -1;  in jent_read_entropy()
623 				ret = -2;  in jent_read_entropy()
625 				ret = -3;  in jent_read_entropy()
628 			 * Re-initialize the noise source  in jent_read_entropy()
639 			ec->apt_base_set = 0;  in jent_read_entropy()
642 			ec->rct_count = 0;  in jent_read_entropy()
644 			/* Re-enable Jitter RNG */  in jent_read_entropy()
645 			ec->health_failure = 0;  in jent_read_entropy()
658 		jent_memcpy(p, &ec->data, tocopy);  in jent_read_entropy()
660 		len -= tocopy;  in jent_read_entropy()
684 		entropy_collector->mem = jent_zalloc(JENT_MEMORY_SIZE);  in jent_entropy_collector_alloc()
685 		if (!entropy_collector->mem) {  in jent_entropy_collector_alloc()
689 		entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE;  in jent_entropy_collector_alloc()
690 		entropy_collector->memblocks = JENT_MEMORY_BLOCKS;  in jent_entropy_collector_alloc()
691 		entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;  in jent_entropy_collector_alloc()
697 	entropy_collector->osr = osr;  in jent_entropy_collector_alloc()
699 	/* fill the data pad with non-zero values */  in jent_entropy_collector_alloc()
707 	jent_zfree(entropy_collector->mem);  in jent_entropy_collector_free()
708 	entropy_collector->mem = NULL;  in jent_entropy_collector_free()
728 	 * loop counts may show some slight skew and we produce  in jent_entropy_init()
741 	 * following sanity checks verify that we have a high-resolution  in jent_entropy_init()
748 	 * SP800-90B requires at least 1024 initial test cycles.  in jent_entropy_init()
771 		 * delta even when called shortly after each other -- this  in jent_entropy_init()
819 		lowdelta = time2 - time;  in jent_entropy_init()
825 		 * for the calculation of entropy -- perform this check  in jent_entropy_init()
830 			delta_sum += (delta - old_delta);  in jent_entropy_init()
832 			delta_sum += (old_delta - delta);  in jent_entropy_init()
856 	 * least 10% of all checks -- on some platforms, the counter increments  in jent_entropy_init()