Line data Source code
1 : // SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
2 : /*
3 : * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4 : * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005
5 : * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All rights reserved.
6 : *
7 : * This driver produces cryptographically secure pseudorandom data. It is divided
8 : * into roughly six sections, each with a section header:
9 : *
10 : * - Initialization and readiness waiting.
11 : * - Fast key erasure RNG, the "crng".
12 : * - Entropy accumulation and extraction routines.
13 : * - Entropy collection routines.
14 : * - Userspace reader/writer interfaces.
15 : * - Sysctl interface.
16 : *
17 : * The high level overview is that there is one input pool, into which
18 : * various pieces of data are hashed. Some of that data is then "credited" as
19 : * having a certain number of bits of entropy. When enough bits of entropy are
20 : * available, the hash is finalized and handed as a key to a stream cipher that
21 : * expands it indefinitely for various consumers. This key is periodically
22 : * refreshed as the various entropy collectors, described below, add data to the
23 : * input pool and credit it. There is currently no Fortuna-like scheduler
24 : * involved, which can lead to malicious entropy sources causing a premature
25 : * reseed, and the entropy estimates are, at best, conservative guesses.
26 : */
27 :
28 : #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
29 :
30 : #include <linux/utsname.h>
31 : #include <linux/module.h>
32 : #include <linux/kernel.h>
33 : #include <linux/major.h>
34 : #include <linux/string.h>
35 : #include <linux/fcntl.h>
36 : #include <linux/slab.h>
37 : #include <linux/random.h>
38 : #include <linux/poll.h>
39 : #include <linux/init.h>
40 : #include <linux/fs.h>
41 : #include <linux/blkdev.h>
42 : #include <linux/interrupt.h>
43 : #include <linux/mm.h>
44 : #include <linux/nodemask.h>
45 : #include <linux/spinlock.h>
46 : #include <linux/kthread.h>
47 : #include <linux/percpu.h>
48 : #include <linux/ptrace.h>
49 : #include <linux/workqueue.h>
50 : #include <linux/irq.h>
51 : #include <linux/ratelimit.h>
52 : #include <linux/syscalls.h>
53 : #include <linux/completion.h>
54 : #include <linux/uuid.h>
55 : #include <linux/uaccess.h>
56 : #include <crypto/chacha.h>
57 : #include <crypto/blake2s.h>
58 : #include <asm/processor.h>
59 : #include <asm/irq.h>
60 : #include <asm/irq_regs.h>
61 : #include <asm/io.h>
62 :
63 : /*********************************************************************
64 : *
65 : * Initialization and readiness waiting.
66 : *
67 : * Much of the RNG infrastructure is devoted to various dependencies
68 : * being able to wait until the RNG has collected enough entropy and
69 : * is ready for safe consumption.
70 : *
71 : *********************************************************************/
72 :
73 : /*
74 : * crng_init = 0 --> Uninitialized
75 : * 1 --> Initialized
76 : * 2 --> Initialized from input_pool
77 : *
78 : * crng_init is protected by base_crng->lock, and only increases
79 : * its value (from 0->1->2).
80 : */
81 : static int crng_init = 0;
82 : #define crng_ready() (likely(crng_init > 1))
83 : /* Various types of waiters for crng_init->2 transition. */
84 : static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
85 : static struct fasync_struct *fasync;
86 : static DEFINE_SPINLOCK(random_ready_chain_lock);
87 : static RAW_NOTIFIER_HEAD(random_ready_chain);
88 :
89 : /* Control how we warn userspace. */
90 : static struct ratelimit_state unseeded_warning =
91 : RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
92 : static struct ratelimit_state urandom_warning =
93 : RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
94 : static int ratelimit_disable __read_mostly;
95 : module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
96 : MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
97 :
98 : /*
99 : * Returns whether or not the input pool has been seeded and thus guaranteed
100 : * to supply cryptographically secure random numbers. This applies to: the
101 : * /dev/urandom device, the get_random_bytes function, and the get_random_{u32,
102 : * ,u64,int,long} family of functions.
103 : *
104 : * Returns: true if the input pool has been seeded.
105 : * false if the input pool has not been seeded.
106 : */
107 0 : bool rng_is_initialized(void)
108 : {
109 0 : return crng_ready();
110 : }
111 : EXPORT_SYMBOL(rng_is_initialized);
112 :
113 : /* Used by wait_for_random_bytes(), and considered an entropy collector, below. */
114 : static void try_to_generate_entropy(void);
115 :
116 : /*
117 : * Wait for the input pool to be seeded and thus guaranteed to supply
118 : * cryptographically secure random numbers. This applies to: the /dev/urandom
119 : * device, the get_random_bytes function, and the get_random_{u32,u64,int,long}
120 : * family of functions. Using any of these functions without first calling
121 : * this function forfeits the guarantee of security.
122 : *
123 : * Returns: 0 if the input pool has been seeded.
124 : * -ERESTARTSYS if the function was interrupted by a signal.
125 : */
126 0 : int wait_for_random_bytes(void)
127 : {
128 0 : while (!crng_ready()) {
129 : int ret;
130 :
131 : try_to_generate_entropy();
132 0 : ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
133 0 : if (ret)
134 0 : return ret > 0 ? 0 : ret;
135 : }
136 : return 0;
137 : }
138 : EXPORT_SYMBOL(wait_for_random_bytes);
139 :
140 : /*
141 : * Add a callback function that will be invoked when the input
142 : * pool is initialised.
143 : *
144 : * returns: 0 if callback is successfully added
145 : * -EALREADY if pool is already initialised (callback not called)
146 : */
147 2 : int register_random_ready_notifier(struct notifier_block *nb)
148 : {
149 : unsigned long flags;
150 2 : int ret = -EALREADY;
151 :
152 2 : if (crng_ready())
153 : return ret;
154 :
155 2 : spin_lock_irqsave(&random_ready_chain_lock, flags);
156 2 : if (!crng_ready())
157 2 : ret = raw_notifier_chain_register(&random_ready_chain, nb);
158 2 : spin_unlock_irqrestore(&random_ready_chain_lock, flags);
159 2 : return ret;
160 : }
161 :
162 : /*
163 : * Delete a previously registered readiness callback function.
164 : */
165 0 : int unregister_random_ready_notifier(struct notifier_block *nb)
166 : {
167 : unsigned long flags;
168 : int ret;
169 :
170 0 : spin_lock_irqsave(&random_ready_chain_lock, flags);
171 0 : ret = raw_notifier_chain_unregister(&random_ready_chain, nb);
172 0 : spin_unlock_irqrestore(&random_ready_chain_lock, flags);
173 0 : return ret;
174 : }
175 :
176 0 : static void process_random_ready_list(void)
177 : {
178 : unsigned long flags;
179 :
180 0 : spin_lock_irqsave(&random_ready_chain_lock, flags);
181 0 : raw_notifier_call_chain(&random_ready_chain, 0, NULL);
182 0 : spin_unlock_irqrestore(&random_ready_chain_lock, flags);
183 0 : }
184 :
185 : #define warn_unseeded_randomness(previous) \
186 : _warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
187 :
188 1 : static void _warn_unseeded_randomness(const char *func_name, void *caller, void **previous)
189 : {
190 : #ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
191 : const bool print_once = false;
192 : #else
193 : static bool print_once __read_mostly;
194 : #endif
195 :
196 1 : if (print_once || crng_ready() ||
197 1 : (previous && (caller == READ_ONCE(*previous))))
198 : return;
199 1 : WRITE_ONCE(*previous, caller);
200 : #ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM
201 1 : print_once = true;
202 : #endif
203 1 : if (__ratelimit(&unseeded_warning))
204 1 : printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
205 : func_name, caller, crng_init);
206 : }
207 :
208 :
209 : /*********************************************************************
210 : *
211 : * Fast key erasure RNG, the "crng".
212 : *
213 : * These functions expand entropy from the entropy extractor into
214 : * long streams for external consumption using the "fast key erasure"
215 : * RNG described at <https://blog.cr.yp.to/20170723-random.html>.
216 : *
217 : * There are a few exported interfaces for use by other drivers:
218 : *
219 : * void get_random_bytes(void *buf, size_t nbytes)
220 : * u32 get_random_u32()
221 : * u64 get_random_u64()
222 : * unsigned int get_random_int()
223 : * unsigned long get_random_long()
224 : *
225 : * These interfaces will return the requested number of random bytes
226 : * into the given buffer or as a return value. This is equivalent to
227 : * a read from /dev/urandom. The u32, u64, int, and long family of
228 : * functions may be higher performance for one-off random integers,
229 : * because they do a bit of buffering and do not invoke reseeding
230 : * until the buffer is emptied.
231 : *
232 : *********************************************************************/
233 :
234 : enum {
235 : CRNG_RESEED_INTERVAL = 300 * HZ,
236 : CRNG_INIT_CNT_THRESH = 2 * CHACHA_KEY_SIZE
237 : };
238 :
239 : static struct {
240 : u8 key[CHACHA_KEY_SIZE] __aligned(__alignof__(long));
241 : unsigned long birth;
242 : unsigned long generation;
243 : spinlock_t lock;
244 : } base_crng = {
245 : .lock = __SPIN_LOCK_UNLOCKED(base_crng.lock)
246 : };
247 :
248 : struct crng {
249 : u8 key[CHACHA_KEY_SIZE];
250 : unsigned long generation;
251 : local_lock_t lock;
252 : };
253 :
254 : static DEFINE_PER_CPU(struct crng, crngs) = {
255 : .generation = ULONG_MAX,
256 : .lock = INIT_LOCAL_LOCK(crngs.lock),
257 : };
258 :
259 : /* Used by crng_reseed() to extract a new seed from the input pool. */
260 : static bool drain_entropy(void *buf, size_t nbytes, bool force);
261 :
262 : /*
263 : * This extracts a new crng key from the input pool, but only if there is a
264 : * sufficient amount of entropy available or force is true, in order to
265 : * mitigate bruteforcing of newly added bits.
266 : */
267 0 : static void crng_reseed(bool force)
268 : {
269 : unsigned long flags;
270 : unsigned long next_gen;
271 : u8 key[CHACHA_KEY_SIZE];
272 0 : bool finalize_init = false;
273 :
274 : /* Only reseed if we can, to prevent brute forcing a small amount of new bits. */
275 0 : if (!drain_entropy(key, sizeof(key), force))
276 0 : return;
277 :
278 : /*
279 : * We copy the new key into the base_crng, overwriting the old one,
280 : * and update the generation counter. We avoid hitting ULONG_MAX,
281 : * because the per-cpu crngs are initialized to ULONG_MAX, so this
282 : * forces new CPUs that come online to always initialize.
283 : */
284 0 : spin_lock_irqsave(&base_crng.lock, flags);
285 0 : memcpy(base_crng.key, key, sizeof(base_crng.key));
286 0 : next_gen = base_crng.generation + 1;
287 0 : if (next_gen == ULONG_MAX)
288 0 : ++next_gen;
289 0 : WRITE_ONCE(base_crng.generation, next_gen);
290 0 : WRITE_ONCE(base_crng.birth, jiffies);
291 0 : if (!crng_ready()) {
292 0 : crng_init = 2;
293 0 : finalize_init = true;
294 : }
295 0 : spin_unlock_irqrestore(&base_crng.lock, flags);
296 0 : memzero_explicit(key, sizeof(key));
297 0 : if (finalize_init) {
298 0 : process_random_ready_list();
299 0 : wake_up_interruptible(&crng_init_wait);
300 0 : kill_fasync(&fasync, SIGIO, POLL_IN);
301 0 : pr_notice("crng init done\n");
302 0 : if (unseeded_warning.missed) {
303 0 : pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
304 : unseeded_warning.missed);
305 0 : unseeded_warning.missed = 0;
306 : }
307 0 : if (urandom_warning.missed) {
308 0 : pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
309 : urandom_warning.missed);
310 0 : urandom_warning.missed = 0;
311 : }
312 : }
313 : }
314 :
315 : /*
316 : * This generates a ChaCha block using the provided key, and then
317 : * immediately overwites that key with half the block. It returns
318 : * the resultant ChaCha state to the user, along with the second
319 : * half of the block containing 32 bytes of random data that may
320 : * be used; random_data_len may not be greater than 32.
321 : *
322 : * The returned ChaCha state contains within it a copy of the old
323 : * key value, at index 4, so the state should always be zeroed out
324 : * immediately after using in order to maintain forward secrecy.
325 : * If the state cannot be erased in a timely manner, then it is
326 : * safer to set the random_data parameter to &chacha_state[4] so
327 : * that this function overwrites it before returning.
328 : */
329 1 : static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE],
330 : u32 chacha_state[CHACHA_STATE_WORDS],
331 : u8 *random_data, size_t random_data_len)
332 : {
333 : u8 first_block[CHACHA_BLOCK_SIZE];
334 :
335 1 : BUG_ON(random_data_len > 32);
336 :
337 1 : chacha_init_consts(chacha_state);
338 1 : memcpy(&chacha_state[4], key, CHACHA_KEY_SIZE);
339 1 : memset(&chacha_state[12], 0, sizeof(u32) * 4);
340 1 : chacha20_block(chacha_state, first_block);
341 :
342 1 : memcpy(key, first_block, CHACHA_KEY_SIZE);
343 1 : memcpy(random_data, first_block + CHACHA_KEY_SIZE, random_data_len);
344 1 : memzero_explicit(first_block, sizeof(first_block));
345 1 : }
346 :
347 : /*
348 : * Return whether the crng seed is considered to be sufficiently
349 : * old that a reseeding might be attempted. This happens if the last
350 : * reseeding was CRNG_RESEED_INTERVAL ago, or during early boot, at
351 : * an interval proportional to the uptime.
352 : */
353 0 : static bool crng_has_old_seed(void)
354 : {
355 : static bool early_boot = true;
356 0 : unsigned long interval = CRNG_RESEED_INTERVAL;
357 :
358 0 : if (unlikely(READ_ONCE(early_boot))) {
359 0 : time64_t uptime = ktime_get_seconds();
360 0 : if (uptime >= CRNG_RESEED_INTERVAL / HZ * 2)
361 0 : WRITE_ONCE(early_boot, false);
362 : else
363 0 : interval = max_t(unsigned int, 5 * HZ,
364 : (unsigned int)uptime / 2 * HZ);
365 : }
366 0 : return time_after(jiffies, READ_ONCE(base_crng.birth) + interval);
367 : }
368 :
369 : /*
370 : * This function returns a ChaCha state that you may use for generating
371 : * random data. It also returns up to 32 bytes on its own of random data
372 : * that may be used; random_data_len may not be greater than 32.
373 : */
374 1 : static void crng_make_state(u32 chacha_state[CHACHA_STATE_WORDS],
375 : u8 *random_data, size_t random_data_len)
376 : {
377 : unsigned long flags;
378 : struct crng *crng;
379 :
380 1 : BUG_ON(random_data_len > 32);
381 :
382 : /*
383 : * For the fast path, we check whether we're ready, unlocked first, and
384 : * then re-check once locked later. In the case where we're really not
385 : * ready, we do fast key erasure with the base_crng directly, because
386 : * this is what crng_pre_init_inject() mutates during early init.
387 : */
388 1 : if (!crng_ready()) {
389 : bool ready;
390 :
391 1 : spin_lock_irqsave(&base_crng.lock, flags);
392 1 : ready = crng_ready();
393 1 : if (!ready)
394 1 : crng_fast_key_erasure(base_crng.key, chacha_state,
395 : random_data, random_data_len);
396 1 : spin_unlock_irqrestore(&base_crng.lock, flags);
397 1 : if (!ready)
398 : return;
399 : }
400 :
401 : /*
402 : * If the base_crng is old enough, we try to reseed, which in turn
403 : * bumps the generation counter that we check below.
404 : */
405 0 : if (unlikely(crng_has_old_seed()))
406 0 : crng_reseed(false);
407 :
408 0 : local_lock_irqsave(&crngs.lock, flags);
409 0 : crng = raw_cpu_ptr(&crngs);
410 :
411 : /*
412 : * If our per-cpu crng is older than the base_crng, then it means
413 : * somebody reseeded the base_crng. In that case, we do fast key
414 : * erasure on the base_crng, and use its output as the new key
415 : * for our per-cpu crng. This brings us up to date with base_crng.
416 : */
417 0 : if (unlikely(crng->generation != READ_ONCE(base_crng.generation))) {
418 0 : spin_lock(&base_crng.lock);
419 0 : crng_fast_key_erasure(base_crng.key, chacha_state,
420 : crng->key, sizeof(crng->key));
421 0 : crng->generation = base_crng.generation;
422 : spin_unlock(&base_crng.lock);
423 : }
424 :
425 : /*
426 : * Finally, when we've made it this far, our per-cpu crng has an up
427 : * to date key, and we can do fast key erasure with it to produce
428 : * some random data and a ChaCha state for the caller. All other
429 : * branches of this function are "unlikely", so most of the time we
430 : * should wind up here immediately.
431 : */
432 0 : crng_fast_key_erasure(crng->key, chacha_state, random_data, random_data_len);
433 0 : local_unlock_irqrestore(&crngs.lock, flags);
434 : }
435 :
436 : /*
437 : * This function is for crng_init == 0 only. It loads entropy directly
438 : * into the crng's key, without going through the input pool. It is,
439 : * generally speaking, not very safe, but we use this only at early
440 : * boot time when it's better to have something there rather than
441 : * nothing.
442 : *
443 : * If account is set, then the crng_init_cnt counter is incremented.
444 : * This shouldn't be set by functions like add_device_randomness(),
445 : * where we can't trust the buffer passed to it is guaranteed to be
446 : * unpredictable (so it might not have any entropy at all).
447 : */
448 94 : static void crng_pre_init_inject(const void *input, size_t len, bool account)
449 : {
450 : static int crng_init_cnt = 0;
451 : struct blake2s_state hash;
452 : unsigned long flags;
453 :
454 94 : blake2s_init(&hash, sizeof(base_crng.key));
455 :
456 94 : spin_lock_irqsave(&base_crng.lock, flags);
457 94 : if (crng_init != 0) {
458 0 : spin_unlock_irqrestore(&base_crng.lock, flags);
459 0 : return;
460 : }
461 :
462 94 : blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
463 94 : blake2s_update(&hash, input, len);
464 94 : blake2s_final(&hash, base_crng.key);
465 :
466 94 : if (account) {
467 0 : crng_init_cnt += min_t(size_t, len, CRNG_INIT_CNT_THRESH - crng_init_cnt);
468 0 : if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
469 0 : ++base_crng.generation;
470 0 : crng_init = 1;
471 : }
472 : }
473 :
474 94 : spin_unlock_irqrestore(&base_crng.lock, flags);
475 :
476 94 : if (crng_init == 1)
477 0 : pr_notice("fast init done\n");
478 : }
479 :
480 1 : static void _get_random_bytes(void *buf, size_t nbytes)
481 : {
482 : u32 chacha_state[CHACHA_STATE_WORDS];
483 : u8 tmp[CHACHA_BLOCK_SIZE];
484 : size_t len;
485 :
486 1 : if (!nbytes)
487 0 : return;
488 :
489 1 : len = min_t(size_t, 32, nbytes);
490 1 : crng_make_state(chacha_state, buf, len);
491 1 : nbytes -= len;
492 1 : buf += len;
493 :
494 3 : while (nbytes) {
495 2 : if (nbytes < CHACHA_BLOCK_SIZE) {
496 1 : chacha20_block(chacha_state, tmp);
497 1 : memcpy(buf, tmp, nbytes);
498 : memzero_explicit(tmp, sizeof(tmp));
499 : break;
500 : }
501 :
502 1 : chacha20_block(chacha_state, buf);
503 1 : if (unlikely(chacha_state[12] == 0))
504 0 : ++chacha_state[13];
505 1 : nbytes -= CHACHA_BLOCK_SIZE;
506 1 : buf += CHACHA_BLOCK_SIZE;
507 : }
508 :
509 1 : memzero_explicit(chacha_state, sizeof(chacha_state));
510 : }
511 :
512 : /*
513 : * This function is the exported kernel interface. It returns some
514 : * number of good random numbers, suitable for key generation, seeding
515 : * TCP sequence numbers, etc. It does not rely on the hardware random
516 : * number generator. For random bytes direct from the hardware RNG
517 : * (when available), use get_random_bytes_arch(). In order to ensure
518 : * that the randomness provided by this function is okay, the function
519 : * wait_for_random_bytes() should be called and return 0 at least once
520 : * at any point prior.
521 : */
522 1 : void get_random_bytes(void *buf, size_t nbytes)
523 : {
524 : static void *previous;
525 :
526 1 : warn_unseeded_randomness(&previous);
527 1 : _get_random_bytes(buf, nbytes);
528 1 : }
529 : EXPORT_SYMBOL(get_random_bytes);
530 :
531 0 : static ssize_t get_random_bytes_user(void __user *buf, size_t nbytes)
532 : {
533 0 : size_t len, left, ret = 0;
534 : u32 chacha_state[CHACHA_STATE_WORDS];
535 : u8 output[CHACHA_BLOCK_SIZE];
536 :
537 0 : if (!nbytes)
538 : return 0;
539 :
540 : /*
541 : * Immediately overwrite the ChaCha key at index 4 with random
542 : * bytes, in case userspace causes copy_to_user() below to sleep
543 : * forever, so that we still retain forward secrecy in that case.
544 : */
545 0 : crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE);
546 : /*
547 : * However, if we're doing a read of len <= 32, we don't need to
548 : * use chacha_state after, so we can simply return those bytes to
549 : * the user directly.
550 : */
551 0 : if (nbytes <= CHACHA_KEY_SIZE) {
552 0 : ret = nbytes - copy_to_user(buf, &chacha_state[4], nbytes);
553 0 : goto out_zero_chacha;
554 : }
555 :
556 : for (;;) {
557 0 : chacha20_block(chacha_state, output);
558 0 : if (unlikely(chacha_state[12] == 0))
559 0 : ++chacha_state[13];
560 :
561 0 : len = min_t(size_t, nbytes, CHACHA_BLOCK_SIZE);
562 0 : left = copy_to_user(buf, output, len);
563 0 : if (left) {
564 0 : ret += len - left;
565 0 : break;
566 : }
567 :
568 0 : buf += len;
569 0 : ret += len;
570 0 : nbytes -= len;
571 0 : if (!nbytes)
572 : break;
573 :
574 : BUILD_BUG_ON(PAGE_SIZE % CHACHA_BLOCK_SIZE != 0);
575 0 : if (ret % PAGE_SIZE == 0) {
576 0 : if (signal_pending(current))
577 : break;
578 0 : cond_resched();
579 : }
580 : }
581 :
582 : memzero_explicit(output, sizeof(output));
583 : out_zero_chacha:
584 0 : memzero_explicit(chacha_state, sizeof(chacha_state));
585 0 : return ret ? ret : -EFAULT;
586 : }
587 :
588 : /*
589 : * Batched entropy returns random integers. The quality of the random
590 : * number is good as /dev/urandom. In order to ensure that the randomness
591 : * provided by this function is okay, the function wait_for_random_bytes()
592 : * should be called and return 0 at least once at any point prior.
593 : */
594 : struct batched_entropy {
595 : union {
596 : /*
597 : * We make this 1.5x a ChaCha block, so that we get the
598 : * remaining 32 bytes from fast key erasure, plus one full
599 : * block from the detached ChaCha state. We can increase
600 : * the size of this later if needed so long as we keep the
601 : * formula of (integer_blocks + 0.5) * CHACHA_BLOCK_SIZE.
602 : */
603 : u64 entropy_u64[CHACHA_BLOCK_SIZE * 3 / (2 * sizeof(u64))];
604 : u32 entropy_u32[CHACHA_BLOCK_SIZE * 3 / (2 * sizeof(u32))];
605 : };
606 : local_lock_t lock;
607 : unsigned long generation;
608 : unsigned int position;
609 : };
610 :
611 :
612 : static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
613 : .lock = INIT_LOCAL_LOCK(batched_entropy_u64.lock),
614 : .position = UINT_MAX
615 : };
616 :
617 0 : u64 get_random_u64(void)
618 : {
619 : u64 ret;
620 : unsigned long flags;
621 : struct batched_entropy *batch;
622 : static void *previous;
623 : unsigned long next_gen;
624 :
625 0 : warn_unseeded_randomness(&previous);
626 :
627 0 : local_lock_irqsave(&batched_entropy_u64.lock, flags);
628 0 : batch = raw_cpu_ptr(&batched_entropy_u64);
629 :
630 0 : next_gen = READ_ONCE(base_crng.generation);
631 0 : if (batch->position >= ARRAY_SIZE(batch->entropy_u64) ||
632 0 : next_gen != batch->generation) {
633 0 : _get_random_bytes(batch->entropy_u64, sizeof(batch->entropy_u64));
634 0 : batch->position = 0;
635 0 : batch->generation = next_gen;
636 : }
637 :
638 0 : ret = batch->entropy_u64[batch->position];
639 0 : batch->entropy_u64[batch->position] = 0;
640 0 : ++batch->position;
641 0 : local_unlock_irqrestore(&batched_entropy_u64.lock, flags);
642 0 : return ret;
643 : }
644 : EXPORT_SYMBOL(get_random_u64);
645 :
646 : static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
647 : .lock = INIT_LOCAL_LOCK(batched_entropy_u32.lock),
648 : .position = UINT_MAX
649 : };
650 :
651 0 : u32 get_random_u32(void)
652 : {
653 : u32 ret;
654 : unsigned long flags;
655 : struct batched_entropy *batch;
656 : static void *previous;
657 : unsigned long next_gen;
658 :
659 0 : warn_unseeded_randomness(&previous);
660 :
661 0 : local_lock_irqsave(&batched_entropy_u32.lock, flags);
662 0 : batch = raw_cpu_ptr(&batched_entropy_u32);
663 :
664 0 : next_gen = READ_ONCE(base_crng.generation);
665 0 : if (batch->position >= ARRAY_SIZE(batch->entropy_u32) ||
666 0 : next_gen != batch->generation) {
667 0 : _get_random_bytes(batch->entropy_u32, sizeof(batch->entropy_u32));
668 0 : batch->position = 0;
669 0 : batch->generation = next_gen;
670 : }
671 :
672 0 : ret = batch->entropy_u32[batch->position];
673 0 : batch->entropy_u32[batch->position] = 0;
674 0 : ++batch->position;
675 0 : local_unlock_irqrestore(&batched_entropy_u32.lock, flags);
676 0 : return ret;
677 : }
678 : EXPORT_SYMBOL(get_random_u32);
679 :
680 : #ifdef CONFIG_SMP
681 : /*
682 : * This function is called when the CPU is coming up, with entry
683 : * CPUHP_RANDOM_PREPARE, which comes before CPUHP_WORKQUEUE_PREP.
684 : */
685 : int random_prepare_cpu(unsigned int cpu)
686 : {
687 : /*
688 : * When the cpu comes back online, immediately invalidate both
689 : * the per-cpu crng and all batches, so that we serve fresh
690 : * randomness.
691 : */
692 : per_cpu_ptr(&crngs, cpu)->generation = ULONG_MAX;
693 : per_cpu_ptr(&batched_entropy_u32, cpu)->position = UINT_MAX;
694 : per_cpu_ptr(&batched_entropy_u64, cpu)->position = UINT_MAX;
695 : return 0;
696 : }
697 : #endif
698 :
699 : /**
700 : * randomize_page - Generate a random, page aligned address
701 : * @start: The smallest acceptable address the caller will take.
702 : * @range: The size of the area, starting at @start, within which the
703 : * random address must fall.
704 : *
705 : * If @start + @range would overflow, @range is capped.
706 : *
707 : * NOTE: Historical use of randomize_range, which this replaces, presumed that
708 : * @start was already page aligned. We now align it regardless.
709 : *
710 : * Return: A page aligned address within [start, start + range). On error,
711 : * @start is returned.
712 : */
713 0 : unsigned long randomize_page(unsigned long start, unsigned long range)
714 : {
715 0 : if (!PAGE_ALIGNED(start)) {
716 0 : range -= PAGE_ALIGN(start) - start;
717 0 : start = PAGE_ALIGN(start);
718 : }
719 :
720 0 : if (start > ULONG_MAX - range)
721 0 : range = ULONG_MAX - start;
722 :
723 0 : range >>= PAGE_SHIFT;
724 :
725 0 : if (range == 0)
726 : return start;
727 :
728 0 : return start + (get_random_long() % range << PAGE_SHIFT);
729 : }
730 :
731 : /*
732 : * This function will use the architecture-specific hardware random
733 : * number generator if it is available. It is not recommended for
734 : * use. Use get_random_bytes() instead. It returns the number of
735 : * bytes filled in.
736 : */
737 1 : size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes)
738 : {
739 1 : size_t left = nbytes;
740 1 : u8 *p = buf;
741 :
742 : while (left) {
743 : unsigned long v;
744 : size_t chunk = min_t(size_t, left, sizeof(unsigned long));
745 :
746 : if (!arch_get_random_long(&v))
747 : break;
748 :
749 : memcpy(p, &v, chunk);
750 : p += chunk;
751 : left -= chunk;
752 : }
753 :
754 1 : return nbytes - left;
755 : }
756 : EXPORT_SYMBOL(get_random_bytes_arch);
757 :
758 :
759 : /**********************************************************************
760 : *
761 : * Entropy accumulation and extraction routines.
762 : *
763 : * Callers may add entropy via:
764 : *
765 : * static void mix_pool_bytes(const void *in, size_t nbytes)
766 : *
767 : * After which, if added entropy should be credited:
768 : *
769 : * static void credit_entropy_bits(size_t nbits)
770 : *
771 : * Finally, extract entropy via these two, with the latter one
772 : * setting the entropy count to zero and extracting only if there
773 : * is POOL_MIN_BITS entropy credited prior or force is true:
774 : *
775 : * static void extract_entropy(void *buf, size_t nbytes)
776 : * static bool drain_entropy(void *buf, size_t nbytes, bool force)
777 : *
778 : **********************************************************************/
779 :
780 : enum {
781 : POOL_BITS = BLAKE2S_HASH_SIZE * 8,
782 : POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
783 : };
784 :
785 : /* For notifying userspace should write into /dev/random. */
786 : static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
787 :
788 : static struct {
789 : struct blake2s_state hash;
790 : spinlock_t lock;
791 : unsigned int entropy_count;
792 : } input_pool = {
793 : .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE),
794 : BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4,
795 : BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 },
796 : .hash.outlen = BLAKE2S_HASH_SIZE,
797 : .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
798 : };
799 :
800 : static void _mix_pool_bytes(const void *in, size_t nbytes)
801 : {
802 292 : blake2s_update(&input_pool.hash, in, nbytes);
803 : }
804 :
805 : /*
806 : * This function adds bytes into the entropy "pool". It does not
807 : * update the entropy estimate. The caller should call
808 : * credit_entropy_bits if this is appropriate.
809 : */
810 0 : static void mix_pool_bytes(const void *in, size_t nbytes)
811 : {
812 : unsigned long flags;
813 :
814 0 : spin_lock_irqsave(&input_pool.lock, flags);
815 0 : _mix_pool_bytes(in, nbytes);
816 0 : spin_unlock_irqrestore(&input_pool.lock, flags);
817 0 : }
818 :
819 0 : static void credit_entropy_bits(size_t nbits)
820 : {
821 : unsigned int entropy_count, orig, add;
822 :
823 0 : if (!nbits)
824 : return;
825 :
826 0 : add = min_t(size_t, nbits, POOL_BITS);
827 :
828 : do {
829 0 : orig = READ_ONCE(input_pool.entropy_count);
830 0 : entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
831 0 : } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
832 :
833 0 : if (!crng_ready() && entropy_count >= POOL_MIN_BITS)
834 0 : crng_reseed(false);
835 : }
836 :
837 : /*
838 : * This is an HKDF-like construction for using the hashed collected entropy
839 : * as a PRF key, that's then expanded block-by-block.
840 : */
841 1 : static void extract_entropy(void *buf, size_t nbytes)
842 : {
843 : unsigned long flags;
844 : u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE];
845 : struct {
846 : unsigned long rdseed[32 / sizeof(long)];
847 : size_t counter;
848 : } block;
849 : size_t i;
850 :
851 5 : for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) {
852 4 : if (!arch_get_random_seed_long(&block.rdseed[i]) &&
853 4 : !arch_get_random_long(&block.rdseed[i]))
854 4 : block.rdseed[i] = random_get_entropy();
855 : }
856 :
857 1 : spin_lock_irqsave(&input_pool.lock, flags);
858 :
859 : /* seed = HASHPRF(last_key, entropy_input) */
860 1 : blake2s_final(&input_pool.hash, seed);
861 :
862 : /* next_key = HASHPRF(seed, RDSEED || 0) */
863 1 : block.counter = 0;
864 1 : blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed));
865 1 : blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key));
866 :
867 1 : spin_unlock_irqrestore(&input_pool.lock, flags);
868 : memzero_explicit(next_key, sizeof(next_key));
869 :
870 2 : while (nbytes) {
871 1 : i = min_t(size_t, nbytes, BLAKE2S_HASH_SIZE);
872 : /* output = HASHPRF(seed, RDSEED || ++counter) */
873 1 : ++block.counter;
874 1 : blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed));
875 1 : nbytes -= i;
876 1 : buf += i;
877 : }
878 :
879 1 : memzero_explicit(seed, sizeof(seed));
880 1 : memzero_explicit(&block, sizeof(block));
881 1 : }
882 :
883 : /*
884 : * First we make sure we have POOL_MIN_BITS of entropy in the pool unless force
885 : * is true, and then we set the entropy count to zero (but don't actually touch
886 : * any data). Only then can we extract a new key with extract_entropy().
887 : */
888 0 : static bool drain_entropy(void *buf, size_t nbytes, bool force)
889 : {
890 : unsigned int entropy_count;
891 : do {
892 0 : entropy_count = READ_ONCE(input_pool.entropy_count);
893 0 : if (!force && entropy_count < POOL_MIN_BITS)
894 : return false;
895 0 : } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
896 0 : extract_entropy(buf, nbytes);
897 0 : wake_up_interruptible(&random_write_wait);
898 0 : kill_fasync(&fasync, SIGIO, POLL_OUT);
899 0 : return true;
900 : }
901 :
902 :
903 : /**********************************************************************
904 : *
905 : * Entropy collection routines.
906 : *
907 : * The following exported functions are used for pushing entropy into
908 : * the above entropy accumulation routines:
909 : *
910 : * void add_device_randomness(const void *buf, size_t size);
911 : * void add_input_randomness(unsigned int type, unsigned int code,
912 : * unsigned int value);
913 : * void add_disk_randomness(struct gendisk *disk);
914 : * void add_hwgenerator_randomness(const void *buffer, size_t count,
915 : * size_t entropy);
916 : * void add_bootloader_randomness(const void *buf, size_t size);
917 : * void add_vmfork_randomness(const void *unique_vm_id, size_t size);
918 : * void add_interrupt_randomness(int irq);
919 : *
920 : * add_device_randomness() adds data to the input pool that
921 : * is likely to differ between two devices (or possibly even per boot).
922 : * This would be things like MAC addresses or serial numbers, or the
923 : * read-out of the RTC. This does *not* credit any actual entropy to
924 : * the pool, but it initializes the pool to different values for devices
925 : * that might otherwise be identical and have very little entropy
926 : * available to them (particularly common in the embedded world).
927 : *
928 : * add_input_randomness() uses the input layer interrupt timing, as well
929 : * as the event type information from the hardware.
930 : *
931 : * add_disk_randomness() uses what amounts to the seek time of block
932 : * layer request events, on a per-disk_devt basis, as input to the
933 : * entropy pool. Note that high-speed solid state drives with very low
934 : * seek times do not make for good sources of entropy, as their seek
935 : * times are usually fairly consistent.
936 : *
937 : * The above two routines try to estimate how many bits of entropy
938 : * to credit. They do this by keeping track of the first and second
939 : * order deltas of the event timings.
940 : *
941 : * add_hwgenerator_randomness() is for true hardware RNGs, and will credit
942 : * entropy as specified by the caller. If the entropy pool is full it will
943 : * block until more entropy is needed.
944 : *
945 : * add_bootloader_randomness() is the same as add_hwgenerator_randomness() or
946 : * add_device_randomness(), depending on whether or not the configuration
947 : * option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
948 : *
949 : * add_vmfork_randomness() adds a unique (but not necessarily secret) ID
950 : * representing the current instance of a VM to the pool, without crediting,
951 : * and then force-reseeds the crng so that it takes effect immediately.
952 : *
953 : * add_interrupt_randomness() uses the interrupt timing as random
954 : * inputs to the entropy pool. Using the cycle counters and the irq source
955 : * as inputs, it feeds the input pool roughly once a second or after 64
956 : * interrupts, crediting 1 bit of entropy for whichever comes first.
957 : *
958 : **********************************************************************/
959 :
960 : static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
961 : static bool trust_bootloader __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER);
962 0 : static int __init parse_trust_cpu(char *arg)
963 : {
964 0 : return kstrtobool(arg, &trust_cpu);
965 : }
966 0 : static int __init parse_trust_bootloader(char *arg)
967 : {
968 0 : return kstrtobool(arg, &trust_bootloader);
969 : }
970 : early_param("random.trust_cpu", parse_trust_cpu);
971 : early_param("random.trust_bootloader", parse_trust_bootloader);
972 :
973 : /*
974 : * The first collection of entropy occurs at system boot while interrupts
975 : * are still turned off. Here we push in RDSEED, a timestamp, and utsname().
976 : * Depending on the above configuration knob, RDSEED may be considered
977 : * sufficient for initialization. Note that much earlier setup may already
978 : * have pushed entropy into the input pool by the time we get here.
979 : */
980 1 : int __init rand_initialize(void)
981 : {
982 : size_t i;
983 1 : ktime_t now = ktime_get_real();
984 1 : bool arch_init = true;
985 : unsigned long rv;
986 :
987 : #if defined(LATENT_ENTROPY_PLUGIN)
988 : static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy;
989 : _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed));
990 : #endif
991 :
992 9 : for (i = 0; i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) {
993 16 : if (!arch_get_random_seed_long_early(&rv) &&
994 8 : !arch_get_random_long_early(&rv)) {
995 8 : rv = random_get_entropy();
996 8 : arch_init = false;
997 : }
998 8 : _mix_pool_bytes(&rv, sizeof(rv));
999 : }
1000 1 : _mix_pool_bytes(&now, sizeof(now));
1001 2 : _mix_pool_bytes(utsname(), sizeof(*(utsname())));
1002 :
1003 1 : extract_entropy(base_crng.key, sizeof(base_crng.key));
1004 1 : ++base_crng.generation;
1005 :
1006 1 : if (arch_init && trust_cpu && !crng_ready()) {
1007 0 : crng_init = 2;
1008 0 : pr_notice("crng init done (trusting CPU's manufacturer)\n");
1009 : }
1010 :
1011 1 : if (ratelimit_disable) {
1012 0 : urandom_warning.interval = 0;
1013 0 : unseeded_warning.interval = 0;
1014 : }
1015 1 : return 0;
1016 : }
1017 :
1018 : /*
1019 : * Add device- or boot-specific data to the input pool to help
1020 : * initialize it.
1021 : *
1022 : * None of this adds any entropy; it is meant to avoid the problem of
1023 : * the entropy pool having similar initial state across largely
1024 : * identical devices.
1025 : */
1026 94 : void add_device_randomness(const void *buf, size_t size)
1027 : {
1028 94 : unsigned long cycles = random_get_entropy();
1029 94 : unsigned long flags, now = jiffies;
1030 :
1031 94 : if (crng_init == 0 && size)
1032 94 : crng_pre_init_inject(buf, size, false);
1033 :
1034 94 : spin_lock_irqsave(&input_pool.lock, flags);
1035 94 : _mix_pool_bytes(&cycles, sizeof(cycles));
1036 94 : _mix_pool_bytes(&now, sizeof(now));
1037 94 : _mix_pool_bytes(buf, size);
1038 94 : spin_unlock_irqrestore(&input_pool.lock, flags);
1039 94 : }
1040 : EXPORT_SYMBOL(add_device_randomness);
1041 :
1042 : /* There is one of these per entropy source */
1043 : struct timer_rand_state {
1044 : unsigned long last_time;
1045 : long last_delta, last_delta2;
1046 : };
1047 :
1048 : /*
1049 : * This function adds entropy to the entropy "pool" by using timing
1050 : * delays. It uses the timer_rand_state structure to make an estimate
1051 : * of how many bits of entropy this call has added to the pool.
1052 : *
1053 : * The number "num" is also added to the pool - it should somehow describe
1054 : * the type of event which just happened. This is currently 0-255 for
1055 : * keyboard scan codes, and 256 upwards for interrupts.
1056 : */
1057 0 : static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
1058 : {
1059 0 : unsigned long cycles = random_get_entropy(), now = jiffies, flags;
1060 : long delta, delta2, delta3;
1061 :
1062 0 : spin_lock_irqsave(&input_pool.lock, flags);
1063 0 : _mix_pool_bytes(&cycles, sizeof(cycles));
1064 0 : _mix_pool_bytes(&now, sizeof(now));
1065 0 : _mix_pool_bytes(&num, sizeof(num));
1066 0 : spin_unlock_irqrestore(&input_pool.lock, flags);
1067 :
1068 : /*
1069 : * Calculate number of bits of randomness we probably added.
1070 : * We take into account the first, second and third-order deltas
1071 : * in order to make our estimate.
1072 : */
1073 0 : delta = now - READ_ONCE(state->last_time);
1074 0 : WRITE_ONCE(state->last_time, now);
1075 :
1076 0 : delta2 = delta - READ_ONCE(state->last_delta);
1077 0 : WRITE_ONCE(state->last_delta, delta);
1078 :
1079 0 : delta3 = delta2 - READ_ONCE(state->last_delta2);
1080 0 : WRITE_ONCE(state->last_delta2, delta2);
1081 :
1082 0 : if (delta < 0)
1083 0 : delta = -delta;
1084 0 : if (delta2 < 0)
1085 0 : delta2 = -delta2;
1086 0 : if (delta3 < 0)
1087 0 : delta3 = -delta3;
1088 0 : if (delta > delta2)
1089 0 : delta = delta2;
1090 0 : if (delta > delta3)
1091 0 : delta = delta3;
1092 :
1093 : /*
1094 : * delta is now minimum absolute delta.
1095 : * Round down by 1 bit on general principles,
1096 : * and limit entropy estimate to 12 bits.
1097 : */
1098 0 : credit_entropy_bits(min_t(unsigned int, fls(delta >> 1), 11));
1099 0 : }
1100 :
1101 0 : void add_input_randomness(unsigned int type, unsigned int code,
1102 : unsigned int value)
1103 : {
1104 : static unsigned char last_value;
1105 : static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES };
1106 :
1107 : /* Ignore autorepeat and the like. */
1108 0 : if (value == last_value)
1109 : return;
1110 :
1111 0 : last_value = value;
1112 0 : add_timer_randomness(&input_timer_state,
1113 0 : (type << 4) ^ code ^ (code >> 4) ^ value);
1114 : }
1115 : EXPORT_SYMBOL_GPL(add_input_randomness);
1116 :
1117 : #ifdef CONFIG_BLOCK
1118 0 : void add_disk_randomness(struct gendisk *disk)
1119 : {
1120 0 : if (!disk || !disk->random)
1121 : return;
1122 : /* First major is 1, so we get >= 0x200 here. */
1123 0 : add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
1124 : }
1125 : EXPORT_SYMBOL_GPL(add_disk_randomness);
1126 :
1127 0 : void rand_initialize_disk(struct gendisk *disk)
1128 : {
1129 : struct timer_rand_state *state;
1130 :
1131 : /*
1132 : * If kzalloc returns null, we just won't use that entropy
1133 : * source.
1134 : */
1135 0 : state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
1136 0 : if (state) {
1137 0 : state->last_time = INITIAL_JIFFIES;
1138 0 : disk->random = state;
1139 : }
1140 0 : }
1141 : #endif
1142 :
1143 : /*
1144 : * Interface for in-kernel drivers of true hardware RNGs.
1145 : * Those devices may produce endless random bits and will be throttled
1146 : * when our pool is full.
1147 : */
1148 0 : void add_hwgenerator_randomness(const void *buffer, size_t count,
1149 : size_t entropy)
1150 : {
1151 0 : if (unlikely(crng_init == 0 && entropy < POOL_MIN_BITS)) {
1152 0 : crng_pre_init_inject(buffer, count, true);
1153 0 : mix_pool_bytes(buffer, count);
1154 0 : return;
1155 : }
1156 :
1157 : /*
1158 : * Throttle writing if we're above the trickle threshold.
1159 : * We'll be woken up again once below POOL_MIN_BITS, when
1160 : * the calling thread is about to terminate, or once
1161 : * CRNG_RESEED_INTERVAL has elapsed.
1162 : */
1163 0 : wait_event_interruptible_timeout(random_write_wait,
1164 : !system_wq || kthread_should_stop() ||
1165 : input_pool.entropy_count < POOL_MIN_BITS,
1166 : CRNG_RESEED_INTERVAL);
1167 0 : mix_pool_bytes(buffer, count);
1168 0 : credit_entropy_bits(entropy);
1169 : }
1170 : EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
1171 :
1172 : /*
1173 : * Handle random seed passed by bootloader.
1174 : * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
1175 : * it would be regarded as device data.
1176 : * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
1177 : */
1178 0 : void add_bootloader_randomness(const void *buf, size_t size)
1179 : {
1180 0 : if (trust_bootloader)
1181 0 : add_hwgenerator_randomness(buf, size, size * 8);
1182 : else
1183 0 : add_device_randomness(buf, size);
1184 0 : }
1185 : EXPORT_SYMBOL_GPL(add_bootloader_randomness);
1186 :
1187 : #if IS_ENABLED(CONFIG_VMGENID)
1188 : static BLOCKING_NOTIFIER_HEAD(vmfork_chain);
1189 :
1190 : /*
1191 : * Handle a new unique VM ID, which is unique, not secret, so we
1192 : * don't credit it, but we do immediately force a reseed after so
1193 : * that it's used by the crng posthaste.
1194 : */
1195 : void add_vmfork_randomness(const void *unique_vm_id, size_t size)
1196 : {
1197 : add_device_randomness(unique_vm_id, size);
1198 : if (crng_ready()) {
1199 : crng_reseed(true);
1200 : pr_notice("crng reseeded due to virtual machine fork\n");
1201 : }
1202 : blocking_notifier_call_chain(&vmfork_chain, 0, NULL);
1203 : }
1204 : #if IS_MODULE(CONFIG_VMGENID)
1205 : EXPORT_SYMBOL_GPL(add_vmfork_randomness);
1206 : #endif
1207 :
1208 : int register_random_vmfork_notifier(struct notifier_block *nb)
1209 : {
1210 : return blocking_notifier_chain_register(&vmfork_chain, nb);
1211 : }
1212 : EXPORT_SYMBOL_GPL(register_random_vmfork_notifier);
1213 :
1214 : int unregister_random_vmfork_notifier(struct notifier_block *nb)
1215 : {
1216 : return blocking_notifier_chain_unregister(&vmfork_chain, nb);
1217 : }
1218 : EXPORT_SYMBOL_GPL(unregister_random_vmfork_notifier);
1219 : #endif
1220 :
1221 : struct fast_pool {
1222 : struct work_struct mix;
1223 : unsigned long pool[4];
1224 : unsigned long last;
1225 : unsigned int count;
1226 : u16 reg_idx;
1227 : };
1228 :
1229 : static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = {
1230 : #ifdef CONFIG_64BIT
1231 : /* SipHash constants */
1232 : .pool = { 0x736f6d6570736575UL, 0x646f72616e646f6dUL,
1233 : 0x6c7967656e657261UL, 0x7465646279746573UL }
1234 : #else
1235 : /* HalfSipHash constants */
1236 : .pool = { 0, 0, 0x6c796765U, 0x74656462U }
1237 : #endif
1238 : };
1239 :
1240 : /*
1241 : * This is [Half]SipHash-1-x, starting from an empty key. Because
1242 : * the key is fixed, it assumes that its inputs are non-malicious,
1243 : * and therefore this has no security on its own. s represents the
1244 : * 128 or 256-bit SipHash state, while v represents a 128-bit input.
1245 : */
1246 13 : static void fast_mix(unsigned long s[4], const unsigned long *v)
1247 : {
1248 : size_t i;
1249 :
1250 39 : for (i = 0; i < 16 / sizeof(long); ++i) {
1251 26 : s[3] ^= v[i];
1252 : #ifdef CONFIG_64BIT
1253 78 : s[0] += s[1]; s[1] = rol64(s[1], 13); s[1] ^= s[0]; s[0] = rol64(s[0], 32);
1254 52 : s[2] += s[3]; s[3] = rol64(s[3], 16); s[3] ^= s[2];
1255 52 : s[0] += s[3]; s[3] = rol64(s[3], 21); s[3] ^= s[0];
1256 78 : s[2] += s[1]; s[1] = rol64(s[1], 17); s[1] ^= s[2]; s[2] = rol64(s[2], 32);
1257 : #else
1258 : s[0] += s[1]; s[1] = rol32(s[1], 5); s[1] ^= s[0]; s[0] = rol32(s[0], 16);
1259 : s[2] += s[3]; s[3] = rol32(s[3], 8); s[3] ^= s[2];
1260 : s[0] += s[3]; s[3] = rol32(s[3], 7); s[3] ^= s[0];
1261 : s[2] += s[1]; s[1] = rol32(s[1], 13); s[1] ^= s[2]; s[2] = rol32(s[2], 16);
1262 : #endif
1263 26 : s[0] ^= v[i];
1264 : }
1265 13 : }
1266 :
1267 : #ifdef CONFIG_SMP
1268 : /*
1269 : * This function is called when the CPU has just come online, with
1270 : * entry CPUHP_AP_RANDOM_ONLINE, just after CPUHP_AP_WORKQUEUE_ONLINE.
1271 : */
1272 : int random_online_cpu(unsigned int cpu)
1273 : {
1274 : /*
1275 : * During CPU shutdown and before CPU onlining, add_interrupt_
1276 : * randomness() may schedule mix_interrupt_randomness(), and
1277 : * set the MIX_INFLIGHT flag. However, because the worker can
1278 : * be scheduled on a different CPU during this period, that
1279 : * flag will never be cleared. For that reason, we zero out
1280 : * the flag here, which runs just after workqueues are onlined
1281 : * for the CPU again. This also has the effect of setting the
1282 : * irq randomness count to zero so that new accumulated irqs
1283 : * are fresh.
1284 : */
1285 : per_cpu_ptr(&irq_randomness, cpu)->count = 0;
1286 : return 0;
1287 : }
1288 : #endif
1289 :
1290 : static unsigned long get_reg(struct fast_pool *f, struct pt_regs *regs)
1291 : {
1292 13 : unsigned long *ptr = (unsigned long *)regs;
1293 : unsigned int idx;
1294 :
1295 13 : if (regs == NULL)
1296 : return 0;
1297 13 : idx = READ_ONCE(f->reg_idx);
1298 13 : if (idx >= sizeof(struct pt_regs) / sizeof(unsigned long))
1299 0 : idx = 0;
1300 13 : ptr += idx++;
1301 13 : WRITE_ONCE(f->reg_idx, idx);
1302 13 : return *ptr;
1303 : }
1304 :
1305 0 : static void mix_interrupt_randomness(struct work_struct *work)
1306 : {
1307 0 : struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix);
1308 : /*
1309 : * The size of the copied stack pool is explicitly 16 bytes so that we
1310 : * tax mix_pool_byte()'s compression function the same amount on all
1311 : * platforms. This means on 64-bit we copy half the pool into this,
1312 : * while on 32-bit we copy all of it. The entropy is supposed to be
1313 : * sufficiently dispersed between bits that in the sponge-like
1314 : * half case, on average we don't wind up "losing" some.
1315 : */
1316 : u8 pool[16];
1317 :
1318 : /* Check to see if we're running on the wrong CPU due to hotplug. */
1319 : local_irq_disable();
1320 0 : if (fast_pool != this_cpu_ptr(&irq_randomness)) {
1321 : local_irq_enable();
1322 0 : return;
1323 : }
1324 :
1325 : /*
1326 : * Copy the pool to the stack so that the mixer always has a
1327 : * consistent view, before we reenable irqs again.
1328 : */
1329 0 : memcpy(pool, fast_pool->pool, sizeof(pool));
1330 0 : fast_pool->count = 0;
1331 0 : fast_pool->last = jiffies;
1332 : local_irq_enable();
1333 :
1334 0 : if (unlikely(crng_init == 0)) {
1335 0 : crng_pre_init_inject(pool, sizeof(pool), true);
1336 0 : mix_pool_bytes(pool, sizeof(pool));
1337 : } else {
1338 0 : mix_pool_bytes(pool, sizeof(pool));
1339 0 : credit_entropy_bits(1);
1340 : }
1341 :
1342 0 : memzero_explicit(pool, sizeof(pool));
1343 : }
1344 :
1345 13 : void add_interrupt_randomness(int irq)
1346 : {
1347 : enum { MIX_INFLIGHT = 1U << 31 };
1348 13 : unsigned long cycles = random_get_entropy(), now = jiffies;
1349 13 : struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
1350 13 : struct pt_regs *regs = get_irq_regs();
1351 : unsigned int new_count;
1352 : union {
1353 : u32 u32[4];
1354 : u64 u64[2];
1355 : unsigned long longs[16 / sizeof(long)];
1356 : } irq_data;
1357 :
1358 : if (cycles == 0)
1359 13 : cycles = get_reg(fast_pool, regs);
1360 :
1361 : if (sizeof(unsigned long) == 8) {
1362 13 : irq_data.u64[0] = cycles ^ rol64(now, 32) ^ irq;
1363 13 : irq_data.u64[1] = regs ? instruction_pointer(regs) : _RET_IP_;
1364 : } else {
1365 : irq_data.u32[0] = cycles ^ irq;
1366 : irq_data.u32[1] = now;
1367 : irq_data.u32[2] = regs ? instruction_pointer(regs) : _RET_IP_;
1368 : irq_data.u32[3] = get_reg(fast_pool, regs);
1369 : }
1370 :
1371 13 : fast_mix(fast_pool->pool, irq_data.longs);
1372 13 : new_count = ++fast_pool->count;
1373 :
1374 13 : if (new_count & MIX_INFLIGHT)
1375 13 : return;
1376 :
1377 26 : if (new_count < 64 && (!time_after(now, fast_pool->last + HZ) ||
1378 13 : unlikely(crng_init == 0)))
1379 : return;
1380 :
1381 0 : if (unlikely(!fast_pool->mix.func))
1382 0 : INIT_WORK(&fast_pool->mix, mix_interrupt_randomness);
1383 0 : fast_pool->count |= MIX_INFLIGHT;
1384 0 : queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix);
1385 : }
1386 : EXPORT_SYMBOL_GPL(add_interrupt_randomness);
1387 :
1388 : /*
1389 : * Each time the timer fires, we expect that we got an unpredictable
1390 : * jump in the cycle counter. Even if the timer is running on another
1391 : * CPU, the timer activity will be touching the stack of the CPU that is
1392 : * generating entropy..
1393 : *
1394 : * Note that we don't re-arm the timer in the timer itself - we are
1395 : * happy to be scheduled away, since that just makes the load more
1396 : * complex, but we do not want the timer to keep ticking unless the
1397 : * entropy loop is running.
1398 : *
1399 : * So the re-arming always happens in the entropy loop itself.
1400 : */
1401 : static void entropy_timer(struct timer_list *t)
1402 : {
1403 : credit_entropy_bits(1);
1404 : }
1405 :
1406 : /*
1407 : * If we have an actual cycle counter, see if we can
1408 : * generate enough entropy with timing noise
1409 : */
1410 : static void try_to_generate_entropy(void)
1411 : {
1412 : struct {
1413 : unsigned long cycles;
1414 : struct timer_list timer;
1415 : } stack;
1416 :
1417 : stack.cycles = random_get_entropy();
1418 :
1419 : /* Slow counter - or none. Don't even bother */
1420 : if (stack.cycles == random_get_entropy())
1421 : return;
1422 :
1423 : timer_setup_on_stack(&stack.timer, entropy_timer, 0);
1424 : while (!crng_ready() && !signal_pending(current)) {
1425 : if (!timer_pending(&stack.timer))
1426 : mod_timer(&stack.timer, jiffies + 1);
1427 : mix_pool_bytes(&stack.cycles, sizeof(stack.cycles));
1428 : schedule();
1429 : stack.cycles = random_get_entropy();
1430 : }
1431 :
1432 : del_timer_sync(&stack.timer);
1433 : destroy_timer_on_stack(&stack.timer);
1434 : mix_pool_bytes(&stack.cycles, sizeof(stack.cycles));
1435 : }
1436 :
1437 :
1438 : /**********************************************************************
1439 : *
1440 : * Userspace reader/writer interfaces.
1441 : *
1442 : * getrandom(2) is the primary modern interface into the RNG and should
1443 : * be used in preference to anything else.
1444 : *
1445 : * Reading from /dev/random has the same functionality as calling
1446 : * getrandom(2) with flags=0. In earlier versions, however, it had
1447 : * vastly different semantics and should therefore be avoided, to
1448 : * prevent backwards compatibility issues.
1449 : *
1450 : * Reading from /dev/urandom has the same functionality as calling
1451 : * getrandom(2) with flags=GRND_INSECURE. Because it does not block
1452 : * waiting for the RNG to be ready, it should not be used.
1453 : *
1454 : * Writing to either /dev/random or /dev/urandom adds entropy to
1455 : * the input pool but does not credit it.
1456 : *
1457 : * Polling on /dev/random indicates when the RNG is initialized, on
1458 : * the read side, and when it wants new entropy, on the write side.
1459 : *
1460 : * Both /dev/random and /dev/urandom have the same set of ioctls for
1461 : * adding entropy, getting the entropy count, zeroing the count, and
1462 : * reseeding the crng.
1463 : *
1464 : **********************************************************************/
1465 :
1466 0 : SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int,
1467 : flags)
1468 : {
1469 0 : if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
1470 : return -EINVAL;
1471 :
1472 : /*
1473 : * Requesting insecure and blocking randomness at the same time makes
1474 : * no sense.
1475 : */
1476 0 : if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
1477 : return -EINVAL;
1478 :
1479 0 : if (count > INT_MAX)
1480 0 : count = INT_MAX;
1481 :
1482 0 : if (!(flags & GRND_INSECURE) && !crng_ready()) {
1483 : int ret;
1484 :
1485 0 : if (flags & GRND_NONBLOCK)
1486 : return -EAGAIN;
1487 0 : ret = wait_for_random_bytes();
1488 0 : if (unlikely(ret))
1489 0 : return ret;
1490 : }
1491 0 : return get_random_bytes_user(buf, count);
1492 : }
1493 :
1494 0 : static __poll_t random_poll(struct file *file, poll_table *wait)
1495 : {
1496 : __poll_t mask;
1497 :
1498 0 : poll_wait(file, &crng_init_wait, wait);
1499 0 : poll_wait(file, &random_write_wait, wait);
1500 0 : mask = 0;
1501 0 : if (crng_ready())
1502 0 : mask |= EPOLLIN | EPOLLRDNORM;
1503 0 : if (input_pool.entropy_count < POOL_MIN_BITS)
1504 0 : mask |= EPOLLOUT | EPOLLWRNORM;
1505 0 : return mask;
1506 : }
1507 :
1508 0 : static int write_pool(const char __user *ubuf, size_t count)
1509 : {
1510 : size_t len;
1511 0 : int ret = 0;
1512 : u8 block[BLAKE2S_BLOCK_SIZE];
1513 :
1514 0 : while (count) {
1515 0 : len = min(count, sizeof(block));
1516 0 : if (copy_from_user(block, ubuf, len)) {
1517 : ret = -EFAULT;
1518 : goto out;
1519 : }
1520 0 : count -= len;
1521 0 : ubuf += len;
1522 0 : mix_pool_bytes(block, len);
1523 0 : cond_resched();
1524 : }
1525 :
1526 : out:
1527 0 : memzero_explicit(block, sizeof(block));
1528 0 : return ret;
1529 : }
1530 :
1531 0 : static ssize_t random_write(struct file *file, const char __user *buffer,
1532 : size_t count, loff_t *ppos)
1533 : {
1534 : int ret;
1535 :
1536 0 : ret = write_pool(buffer, count);
1537 0 : if (ret)
1538 0 : return ret;
1539 :
1540 0 : return (ssize_t)count;
1541 : }
1542 :
1543 0 : static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
1544 : loff_t *ppos)
1545 : {
1546 : static int maxwarn = 10;
1547 :
1548 : /*
1549 : * Opportunistically attempt to initialize the RNG on platforms that
1550 : * have fast cycle counters, but don't (for now) require it to succeed.
1551 : */
1552 0 : if (!crng_ready())
1553 : try_to_generate_entropy();
1554 :
1555 0 : if (!crng_ready() && maxwarn > 0) {
1556 0 : maxwarn--;
1557 0 : if (__ratelimit(&urandom_warning))
1558 0 : pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
1559 : current->comm, nbytes);
1560 : }
1561 :
1562 0 : return get_random_bytes_user(buf, nbytes);
1563 : }
1564 :
1565 0 : static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes,
1566 : loff_t *ppos)
1567 : {
1568 : int ret;
1569 :
1570 0 : ret = wait_for_random_bytes();
1571 0 : if (ret != 0)
1572 0 : return ret;
1573 0 : return get_random_bytes_user(buf, nbytes);
1574 : }
1575 :
1576 0 : static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
1577 : {
1578 : int size, ent_count;
1579 0 : int __user *p = (int __user *)arg;
1580 : int retval;
1581 :
1582 0 : switch (cmd) {
1583 : case RNDGETENTCNT:
1584 : /* Inherently racy, no point locking. */
1585 0 : if (put_user(input_pool.entropy_count, p))
1586 : return -EFAULT;
1587 0 : return 0;
1588 : case RNDADDTOENTCNT:
1589 0 : if (!capable(CAP_SYS_ADMIN))
1590 : return -EPERM;
1591 0 : if (get_user(ent_count, p))
1592 : return -EFAULT;
1593 0 : if (ent_count < 0)
1594 : return -EINVAL;
1595 0 : credit_entropy_bits(ent_count);
1596 0 : return 0;
1597 : case RNDADDENTROPY:
1598 0 : if (!capable(CAP_SYS_ADMIN))
1599 : return -EPERM;
1600 0 : if (get_user(ent_count, p++))
1601 : return -EFAULT;
1602 0 : if (ent_count < 0)
1603 : return -EINVAL;
1604 0 : if (get_user(size, p++))
1605 : return -EFAULT;
1606 0 : retval = write_pool((const char __user *)p, size);
1607 0 : if (retval < 0)
1608 0 : return retval;
1609 0 : credit_entropy_bits(ent_count);
1610 0 : return 0;
1611 : case RNDZAPENTCNT:
1612 : case RNDCLEARPOOL:
1613 : /*
1614 : * Clear the entropy pool counters. We no longer clear
1615 : * the entropy pool, as that's silly.
1616 : */
1617 0 : if (!capable(CAP_SYS_ADMIN))
1618 : return -EPERM;
1619 0 : if (xchg(&input_pool.entropy_count, 0) >= POOL_MIN_BITS) {
1620 0 : wake_up_interruptible(&random_write_wait);
1621 0 : kill_fasync(&fasync, SIGIO, POLL_OUT);
1622 : }
1623 : return 0;
1624 : case RNDRESEEDCRNG:
1625 0 : if (!capable(CAP_SYS_ADMIN))
1626 : return -EPERM;
1627 0 : if (!crng_ready())
1628 : return -ENODATA;
1629 0 : crng_reseed(false);
1630 0 : return 0;
1631 : default:
1632 : return -EINVAL;
1633 : }
1634 : }
1635 :
1636 0 : static int random_fasync(int fd, struct file *filp, int on)
1637 : {
1638 0 : return fasync_helper(fd, filp, on, &fasync);
1639 : }
1640 :
1641 : const struct file_operations random_fops = {
1642 : .read = random_read,
1643 : .write = random_write,
1644 : .poll = random_poll,
1645 : .unlocked_ioctl = random_ioctl,
1646 : .compat_ioctl = compat_ptr_ioctl,
1647 : .fasync = random_fasync,
1648 : .llseek = noop_llseek,
1649 : };
1650 :
1651 : const struct file_operations urandom_fops = {
1652 : .read = urandom_read,
1653 : .write = random_write,
1654 : .unlocked_ioctl = random_ioctl,
1655 : .compat_ioctl = compat_ptr_ioctl,
1656 : .fasync = random_fasync,
1657 : .llseek = noop_llseek,
1658 : };
1659 :
1660 :
1661 : /********************************************************************
1662 : *
1663 : * Sysctl interface.
1664 : *
1665 : * These are partly unused legacy knobs with dummy values to not break
1666 : * userspace and partly still useful things. They are usually accessible
1667 : * in /proc/sys/kernel/random/ and are as follows:
1668 : *
1669 : * - boot_id - a UUID representing the current boot.
1670 : *
1671 : * - uuid - a random UUID, different each time the file is read.
1672 : *
1673 : * - poolsize - the number of bits of entropy that the input pool can
1674 : * hold, tied to the POOL_BITS constant.
1675 : *
1676 : * - entropy_avail - the number of bits of entropy currently in the
1677 : * input pool. Always <= poolsize.
1678 : *
1679 : * - write_wakeup_threshold - the amount of entropy in the input pool
1680 : * below which write polls to /dev/random will unblock, requesting
1681 : * more entropy, tied to the POOL_MIN_BITS constant. It is writable
1682 : * to avoid breaking old userspaces, but writing to it does not
1683 : * change any behavior of the RNG.
1684 : *
1685 : * - urandom_min_reseed_secs - fixed to the value CRNG_RESEED_INTERVAL.
1686 : * It is writable to avoid breaking old userspaces, but writing
1687 : * to it does not change any behavior of the RNG.
1688 : *
1689 : ********************************************************************/
1690 :
1691 : #ifdef CONFIG_SYSCTL
1692 :
1693 : #include <linux/sysctl.h>
1694 :
1695 : static int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ;
1696 : static int sysctl_random_write_wakeup_bits = POOL_MIN_BITS;
1697 : static int sysctl_poolsize = POOL_BITS;
1698 : static u8 sysctl_bootid[UUID_SIZE];
1699 :
1700 : /*
1701 : * This function is used to return both the bootid UUID, and random
1702 : * UUID. The difference is in whether table->data is NULL; if it is,
1703 : * then a new UUID is generated and returned to the user.
1704 : */
1705 0 : static int proc_do_uuid(struct ctl_table *table, int write, void *buffer,
1706 : size_t *lenp, loff_t *ppos)
1707 : {
1708 : u8 tmp_uuid[UUID_SIZE], *uuid;
1709 : char uuid_string[UUID_STRING_LEN + 1];
1710 0 : struct ctl_table fake_table = {
1711 : .data = uuid_string,
1712 : .maxlen = UUID_STRING_LEN
1713 : };
1714 :
1715 0 : if (write)
1716 : return -EPERM;
1717 :
1718 0 : uuid = table->data;
1719 0 : if (!uuid) {
1720 0 : uuid = tmp_uuid;
1721 0 : generate_random_uuid(uuid);
1722 : } else {
1723 : static DEFINE_SPINLOCK(bootid_spinlock);
1724 :
1725 0 : spin_lock(&bootid_spinlock);
1726 0 : if (!uuid[8])
1727 0 : generate_random_uuid(uuid);
1728 : spin_unlock(&bootid_spinlock);
1729 : }
1730 :
1731 0 : snprintf(uuid_string, sizeof(uuid_string), "%pU", uuid);
1732 0 : return proc_dostring(&fake_table, 0, buffer, lenp, ppos);
1733 : }
1734 :
1735 : /* The same as proc_dointvec, but writes don't change anything. */
1736 0 : static int proc_do_rointvec(struct ctl_table *table, int write, void *buffer,
1737 : size_t *lenp, loff_t *ppos)
1738 : {
1739 0 : return write ? 0 : proc_dointvec(table, 0, buffer, lenp, ppos);
1740 : }
1741 :
1742 : static struct ctl_table random_table[] = {
1743 : {
1744 : .procname = "poolsize",
1745 : .data = &sysctl_poolsize,
1746 : .maxlen = sizeof(int),
1747 : .mode = 0444,
1748 : .proc_handler = proc_dointvec,
1749 : },
1750 : {
1751 : .procname = "entropy_avail",
1752 : .data = &input_pool.entropy_count,
1753 : .maxlen = sizeof(int),
1754 : .mode = 0444,
1755 : .proc_handler = proc_dointvec,
1756 : },
1757 : {
1758 : .procname = "write_wakeup_threshold",
1759 : .data = &sysctl_random_write_wakeup_bits,
1760 : .maxlen = sizeof(int),
1761 : .mode = 0644,
1762 : .proc_handler = proc_do_rointvec,
1763 : },
1764 : {
1765 : .procname = "urandom_min_reseed_secs",
1766 : .data = &sysctl_random_min_urandom_seed,
1767 : .maxlen = sizeof(int),
1768 : .mode = 0644,
1769 : .proc_handler = proc_do_rointvec,
1770 : },
1771 : {
1772 : .procname = "boot_id",
1773 : .data = &sysctl_bootid,
1774 : .mode = 0444,
1775 : .proc_handler = proc_do_uuid,
1776 : },
1777 : {
1778 : .procname = "uuid",
1779 : .mode = 0444,
1780 : .proc_handler = proc_do_uuid,
1781 : },
1782 : { }
1783 : };
1784 :
1785 : /*
1786 : * rand_initialize() is called before sysctl_init(),
1787 : * so we cannot call register_sysctl_init() in rand_initialize()
1788 : */
1789 1 : static int __init random_sysctls_init(void)
1790 : {
1791 1 : register_sysctl_init("kernel/random", random_table);
1792 1 : return 0;
1793 : }
1794 : device_initcall(random_sysctls_init);
1795 : #endif
|
