/* * Non-physical true random number generator based on timing jitter. * * Copyright Stephan Mueller <smueller@chronox.de>, 2014 - 2019 * * Design * ====== * * See documentation in doc/ folder. * * Interface * ========= * * See documentation in jitterentropy(3) man page. * * License * ======= * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, and the entire permission notice in its entirety, * including the disclaimer of warranties. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU General Public License, in which case the provisions of the GPL2 are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH * DAMAGE. */ /* Adapted for VeraCrypt */ #ifdef TC_WINDOWS_DRIVER #define UINT64_MAX 0xffffffffffffffffU #else #include <stdint.h> #endif #undef _FORTIFY_SOURCE #ifdef _MSC_VER #pragma optimize( "", off ) #pragma warning(disable:4242 4244 4334) /* disable warnings on the original code */ #else #if defined(__clang__) #pragma clang optimize off #elif defined (__GNUC__) #pragma GCC optimize ("O0") #endif #endif #include "jitterentropy.h" #ifdef __OPTIMIZE__ #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy-base.c." #endif #define MAJVERSION 2 /* API / ABI incompatible changes, functional changes that * require consumer to be updated (as long as this number * is zero, the API is not considered stable and can * change without a bump of the major version) */ #define MINVERSION 2 /* API compatible, ABI may change, functional * enhancements only, consumer can be left unchanged if * enhancements are not considered */ #define PATCHLEVEL 0 /* API / ABI compatible, no functional changes, no * enhancements, bug fixes only */ #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) /** * jent_version() - Return machine-usable version number of jent library * * The function returns a version number that is monotonic increasing * for newer versions. The version numbers are multiples of 100. For example, * version 1.2.3 is converted to 1020300 -- the last two digits are reserved * for future use. * * The result of this function can be used in comparing the version number * in a calling program if version-specific calls need to be make. * * @return Version number of jitterentropy library */ JENT_PRIVATE_STATIC unsigned int jent_version(void) { unsigned int version = 0; version = MAJVERSION * 1000000; version += MINVERSION * 10000; version += PATCHLEVEL * 100; return version; } /*************************************************************************** * Adaptive Proportion Test * * This test complies with SP800-90B section 4.4.2. ***************************************************************************/ /** * Reset the APT counter * * @ec [in] Reference to entropy collector */ static void jent_apt_reset(struct rand_data *ec, unsigned int delta_masked) { /* Reset APT counter */ ec->apt_count = 0; ec->apt_base = delta_masked; ec->apt_observations = 0; } /** * Insert a new entropy event into APT * * @ec [in] Reference to entropy collector * @delta_masked [in] Masked time delta to process */ static void jent_apt_insert(struct rand_data *ec, unsigned int delta_masked) { /* Initialize the base reference */ if (!ec->apt_base_set) { ec->apt_base = delta_masked; ec->apt_base_set = 1; return; } if (delta_masked == ec->apt_base) { ec->apt_count++; if (ec->apt_count >= JENT_APT_CUTOFF) ec->health_failure = 1; } ec->apt_observations++; if (ec->apt_observations >= JENT_APT_WINDOW_SIZE) jent_apt_reset(ec, delta_masked); } /*************************************************************************** * Stuck Test and its use as Repetition Count Test * * The Jitter RNG uses an enhanced version of the Repetition Count Test * (RCT) specified in SP800-90B section 4.4.1. Instead of counting identical * back-to-back values, the input to the RCT is the counting of the stuck * values during the generation of one Jitter RNG output block. * * The RCT is applied with an alpha of 2^{-30} compliant to FIPS 140-2 IG 9.8. * * During the counting operation, the Jitter RNG always calculates the RCT * cut-off value of C. If that value exceeds the allowed cut-off value, * the Jitter RNG output block will be calculated completely but discarded at * the end. The caller of the Jitter RNG is informed with an error code. ***************************************************************************/ /** * Repetition Count Test as defined in SP800-90B section 4.4.1 * * @ec [in] Reference to entropy collector * @stuck [in] Indicator whether the value is stuck */ static void jent_rct_insert(struct rand_data *ec, int stuck) { /* * If we have a count less than zero, a previous RCT round identified * a failure. We will not overwrite it. */ if (ec->rct_count < 0) return; if (stuck) { ec->rct_count++; /* * The cutoff value is based on the following consideration: * alpha = 2^-30 as recommended in FIPS 140-2 IG 9.8. * In addition, we require an entropy value H of 1/OSR as this * is the minimum entropy required to provide full entropy. * Note, we collect 64 * OSR deltas for inserting them into * the entropy pool which should then have (close to) 64 bits * of entropy. * * Note, ec->rct_count (which equals to value B in the pseudo * code of SP800-90B section 4.4.1) starts with zero. Hence * we need to subtract one from the cutoff value as calculated * following SP800-90B. */ if ((unsigned int)ec->rct_count >= (30 * ec->osr)) { ec->rct_count = -1; ec->health_failure = 1; } } else { ec->rct_count = 0; } } /** * Is there an RCT health test failure? * * @ec [in] Reference to entropy collector * * @return * 0 No health test failure * 1 Permanent health test failure */ static int jent_rct_failure(struct rand_data *ec) { if (ec->rct_count < 0) return 1; return 0; } #ifdef _MSC_VER static #endif VC_INLINE uint64_t jent_delta(uint64_t prev, uint64_t next) { return (prev < next) ? (next - prev) : (UINT64_MAX - prev + 1 + next); } /** * Stuck test by checking the: * 1st derivative of the jitter measurement (time delta) * 2nd derivative of the jitter measurement (delta of time deltas) * 3rd derivative of the jitter measurement (delta of delta of time deltas) * * All values must always be non-zero. * * @ec [in] Reference to entropy collector * @current_delta [in] Jitter time delta * * @return * 0 jitter measurement not stuck (good bit) * 1 jitter measurement stuck (reject bit) */ static int jent_stuck(struct rand_data *ec, uint64_t current_delta) { uint64_t delta2 = jent_delta(ec->last_delta, current_delta); uint64_t delta3 = jent_delta(ec->last_delta2, delta2); unsigned int delta_masked = current_delta & JENT_APT_WORD_MASK; ec->last_delta = current_delta; ec->last_delta2 = delta2; /* * Insert the result of the comparison of two back-to-back time * deltas. */ jent_apt_insert(ec, delta_masked); if (!current_delta || !delta2 || !delta3) { /* RCT with a stuck bit */ jent_rct_insert(ec, 1); return 1; } /* RCT with a non-stuck bit */ jent_rct_insert(ec, 0); return 0; } /** * Report any health test failures * * @ec [in] Reference to entropy collector * * @return * 0 No health test failure * 1 Permanent health test failure */ static int jent_health_failure(struct rand_data *ec) { /* Test is only enabled in FIPS mode */ if (!ec->fips_enabled) return 0; return ec->health_failure; } /*************************************************************************** * Noise sources ***************************************************************************/ /** * Update of the loop count used for the next round of * an entropy collection. * * @ec [in] entropy collector struct -- may be NULL * @bits [in] is the number of low bits of the timer to consider * @min [in] is the number of bits we shift the timer value to the right at * the end to make sure we have a guaranteed minimum value * * @return Newly calculated loop counter */ static uint64_t jent_loop_shuffle(struct rand_data *ec, unsigned int bits, unsigned int min) { uint64_t time = 0; uint64_t shuffle = 0; unsigned int i = 0; unsigned int mask = (1<<bits) - 1; jent_get_nstime(&time); /* * Mix the current state of the random number into the shuffle * calculation to balance that shuffle a bit more. */ if (ec) time ^= ec->data; /* * We fold the time value as much as possible to ensure that as many * bits of the time stamp are included as possible. */ for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) { shuffle ^= time & mask; time = time >> bits; } /* * We add a lower boundary value to ensure we have a minimum * RNG loop count. */ return (shuffle + (1<<min)); } /** * CPU Jitter noise source -- this is the noise source based on the CPU * execution time jitter * * This function injects the individual bits of the time value into the * entropy pool using an LFSR. * * The code is deliberately inefficient with respect to the bit shifting * and shall stay that way. This function is the root cause why the code * shall be compiled without optimization. This function not only acts as * LFSR operation, but this function's execution is used to measure * the CPU execution time jitter. Any change to the loop in this function * implies that careful retesting must be done. * * @ec [in] entropy collector struct -- may be NULL * @time [in] time stamp to be injected * @loop_cnt [in] if a value not equal to 0 is set, use the given value as * number of loops to perform the LFSR * * Output: * updated ec->data */ static void jent_lfsr_time(struct rand_data *ec, uint64_t time, uint64_t loop_cnt, int stuck) { unsigned int i; uint64_t j = 0; uint64_t new = 0; #define MAX_FOLD_LOOP_BIT 4 #define MIN_FOLD_LOOP_BIT 0 uint64_t lfsr_loop_cnt = jent_loop_shuffle(ec, MAX_FOLD_LOOP_BIT, MIN_FOLD_LOOP_BIT); /* * testing purposes -- allow test app to set the counter, not * needed during runtime */ if (loop_cnt) lfsr_loop_cnt = loop_cnt; for (j = 0; j < lfsr_loop_cnt; j++) { new = ec->data; for (i = 1; (DATA_SIZE_BITS) >= i; i++) { uint64_t tmp = time << (DATA_SIZE_BITS - i); tmp = tmp >> (DATA_SIZE_BITS - 1); /* * Fibonacci LSFR with polynomial of * x^64 + x^61 + x^56 + x^31 + x^28 + x^23 + 1 which is * primitive according to * http://poincare.matf.bg.ac.rs/~ezivkovm/publications/primpol1.pdf * (the shift values are the polynomial values minus one * due to counting bits from 0 to 63). As the current * position is always the LSB, the polynomial only needs * to shift data in from the left without wrap. */ tmp ^= ((new >> 63) & 1); tmp ^= ((new >> 60) & 1); tmp ^= ((new >> 55) & 1); tmp ^= ((new >> 30) & 1); tmp ^= ((new >> 27) & 1); tmp ^= ((new >> 22) & 1); new <<= 1; new ^= tmp; } } /* * If the time stamp is stuck, do not finally insert the value into * the entropy pool. Although this operation should not do any harm * even when the time stamp has no entropy, SP800-90B requires that * any conditioning operation (SP800-90B considers the LFSR to be a * conditioning operation) to have an identical amount of input * data according to section 3.1.5. */ if (!stuck) ec->data = new; } /** * Memory Access noise source -- this is a noise source based on variations in * memory access times * * This function performs memory accesses which will add to the timing * variations due to an unknown amount of CPU wait states that need to be * added when accessing memory. The memory size should be larger than the L1 * caches as outlined in the documentation and the associated testing. * * The L1 cache has a very high bandwidth, albeit its access rate is usually * slower than accessing CPU registers. Therefore, L1 accesses only add minimal * variations as the CPU has hardly to wait. Starting with L2, significant * variations are added because L2 typically does not belong to the CPU any more * and therefore a wider range of CPU wait states is necessary for accesses. * L3 and real memory accesses have even a wider range of wait states. However, * to reliably access either L3 or memory, the ec->mem memory must be quite * large which is usually not desirable. * * @ec [in] Reference to the entropy collector with the memory access data -- if * the reference to the memory block to be accessed is NULL, this noise * source is disabled * @loop_cnt [in] if a value not equal to 0 is set, use the given value as * number of loops to perform the folding */ static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt) { unsigned int wrap = 0; uint64_t i = 0; #define MAX_ACC_LOOP_BIT 7 #define MIN_ACC_LOOP_BIT 0 uint64_t acc_loop_cnt = jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT); if (NULL == ec || NULL == ec->mem) return; wrap = ec->memblocksize * ec->memblocks; /* * testing purposes -- allow test app to set the counter, not * needed during runtime */ if (loop_cnt) acc_loop_cnt = loop_cnt; for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) { unsigned char *tmpval = ec->mem + ec->memlocation; /* * memory access: just add 1 to one byte, * wrap at 255 -- memory access implies read * from and write to memory location */ *tmpval = (*tmpval + 1) & 0xff; /* * Addition of memblocksize - 1 to pointer * with wrap around logic to ensure that every * memory location is hit evenly */ ec->memlocation = ec->memlocation + ec->memblocksize - 1; ec->memlocation = ec->memlocation % wrap; } } /*************************************************************************** * Start of entropy processing logic ***************************************************************************/ /** * This is the heart of the entropy generation: calculate time deltas and * use the CPU jitter in the time deltas. The jitter is injected into the * entropy pool. * * WARNING: ensure that ->prev_time is primed before using the output * of this function! This can be done by calling this function * and not using its result. * * @ec [in] Reference to entropy collector * * @return: result of stuck test */ static int jent_measure_jitter(struct rand_data *ec) { uint64_t time = 0; uint64_t current_delta = 0; int stuck; /* Invoke one noise source before time measurement to add variations */ jent_memaccess(ec, 0); /* * Get time stamp and calculate time delta to previous * invocation to measure the timing variations */ jent_get_nstime(&time); current_delta = jent_delta(ec->prev_time, time); ec->prev_time = time; /* Check whether we have a stuck measurement. */ stuck = jent_stuck(ec, current_delta); /* Now call the next noise sources which also injects the data */ jent_lfsr_time(ec, current_delta, 0, stuck); return stuck; } /** * Generator of one 64 bit random number * Function fills rand_data->data * * @ec [in] Reference to entropy collector */ static void jent_gen_entropy(struct rand_data *ec) { unsigned int k = 0; /* priming of the ->prev_time value */ jent_measure_jitter(ec); while (1) { /* If a stuck measurement is received, repeat measurement */ if (jent_measure_jitter(ec)) continue; /* * We multiply the loop value with ->osr to obtain the * oversampling rate requested by the caller */ if (++k >= (DATA_SIZE_BITS * ec->osr)) break; } } /** * Entry function: Obtain entropy for the caller. * * This function invokes the entropy gathering logic as often to generate * as many bytes as requested by the caller. The entropy gathering logic * creates 64 bit per invocation. * * This function truncates the last 64 bit entropy value output to the exact * size specified by the caller. * * @ec [in] Reference to entropy collector * @data [out] pointer to buffer for storing random data -- buffer must * already exist * @len [in] size of the buffer, specifying also the requested number of random * in bytes * * @return number of bytes returned when request is fulfilled or an error * * The following error codes can occur: * -1 entropy_collector is NULL * -2 RCT failed * -3 Chi-Squared test failed */ JENT_PRIVATE_STATIC ssize_t jent_read_entropy(struct rand_data *ec, char *data, size_t len) { char *p = data; size_t orig_len = len; if (NULL == ec) return -1; while (0 < len) { size_t tocopy; jent_gen_entropy(ec); if (jent_health_failure(ec)) { if (jent_rct_failure(ec)) return -2; else return -3; } if ((DATA_SIZE_BITS / 8) < len) tocopy = (DATA_SIZE_BITS / 8); else tocopy = len; memcpy(p, &ec->data, tocopy); len -= tocopy; p += tocopy; } /* * To be on the safe side, we generate one more round of entropy * which we do not give out to the caller. That round shall ensure * that in case the calling application crashes, memory dumps, pages * out, or due to the CPU Jitter RNG lingering in memory for long * time without being moved and an attacker cracks the application, * all he reads in the entropy pool is a value that is NEVER EVER * being used for anything. Thus, he does NOT see the previous value * that was returned to the caller for cryptographic purposes. */ /* * If we use secured memory, do not use that precaution as the secure * memory protects the entropy pool. Moreover, note that using this * call reduces the speed of the RNG by up to half */ #ifndef CONFIG_CRYPTO_CPU_JITTERENTROPY_SECURE_MEMORY jent_gen_entropy(ec); #endif return orig_len; } /*************************************************************************** * Initialization logic ***************************************************************************/ JENT_PRIVATE_STATIC struct rand_data *jent_entropy_collector_alloc(unsigned int osr, unsigned int flags) { struct rand_data *entropy_collector; entropy_collector = jent_zalloc(sizeof(struct rand_data)); if (NULL == entropy_collector) return NULL; if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) { /* Allocate memory for adding variations based on memory * access */ entropy_collector->mem = (unsigned char *)jent_zalloc(JENT_MEMORY_SIZE); if (NULL == entropy_collector->mem) { jent_zfree(entropy_collector, sizeof(struct rand_data)); return NULL; } entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE; entropy_collector->memblocks = JENT_MEMORY_BLOCKS; entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; } /* verify and set the oversampling rate */ if (0 == osr) osr = 1; /* minimum sampling rate is 1 */ entropy_collector->osr = osr; if (jent_fips_enabled()) entropy_collector->fips_enabled = 1; /* fill the data pad with non-zero values */ jent_gen_entropy(entropy_collector); return entropy_collector; } JENT_PRIVATE_STATIC void jent_entropy_collector_free(struct rand_data *entropy_collector) { if (NULL != entropy_collector) { if (NULL != entropy_collector->mem) { jent_zfree(entropy_collector->mem, JENT_MEMORY_SIZE); entropy_collector->mem = NULL; } jent_zfree(entropy_collector, sizeof(struct rand_data)); } } JENT_PRIVATE_STATIC int jent_entropy_init(void) { int i; uint64_t delta_sum = 0; uint64_t old_delta = 0; unsigned int nonstuck = 0; int time_backwards = 0; int count_mod = 0; int count_stuck = 0; struct rand_data ec; memset(&ec, 0, sizeof(ec)); /* Required for RCT */ ec.osr = 1; if (jent_fips_enabled()) ec.fips_enabled = 1; /* We could perform statistical tests here, but the problem is * that we only have a few loop counts to do testing. These * loop counts may show some slight skew and we produce * false positives. * * Moreover, only old systems show potentially problematic * jitter entropy that could potentially be caught here. But * the RNG is intended for hardware that is available or widely * used, but not old systems that are long out of favor. Thus, * no statistical tests. */ /* * We could add a check for system capabilities such as clock_getres or * check for CONFIG_X86_TSC, but it does not make much sense as the * following sanity checks verify that we have a high-resolution * timer. */ /* * TESTLOOPCOUNT needs some loops to identify edge systems. 100 is * definitely too little. * * SP800-90B requires at least 1024 initial test cycles. */ #define TESTLOOPCOUNT 1024 #define CLEARCACHE 100 for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) { uint64_t time = 0; uint64_t time2 = 0; uint64_t delta = 0; unsigned int lowdelta = 0; int stuck; /* Invoke core entropy collection logic */ jent_get_nstime(&time); ec.prev_time = time; jent_memaccess(&ec, 0); jent_lfsr_time(&ec, time, 0, 0); jent_get_nstime(&time2); /* test whether timer works */ if (!time || !time2) return ENOTIME; delta = jent_delta(time, time2); /* * test whether timer is fine grained enough to provide * delta even when called shortly after each other -- this * implies that we also have a high resolution timer */ if (!delta) return ECOARSETIME; stuck = jent_stuck(&ec, delta); /* * up to here we did not modify any variable that will be * evaluated later, but we already performed some work. Thus we * already have had an impact on the caches, branch prediction, * etc. with the goal to clear it to get the worst case * measurements. */ if (CLEARCACHE > i) continue; if (stuck) count_stuck++; else { nonstuck++; /* * Ensure that the APT succeeded. * * With the check below that count_stuck must be less * than 10% of the overall generated raw entropy values * it is guaranteed that the APT is invoked at * floor((TESTLOOPCOUNT * 0.9) / 64) == 14 times. */ if ((nonstuck % JENT_APT_WINDOW_SIZE) == 0) { jent_apt_reset(&ec, delta & JENT_APT_WORD_MASK); if (jent_health_failure(&ec)) return EHEALTH; } } /* Validate RCT */ if (jent_rct_failure(&ec)) return ERCT; /* test whether we have an increasing timer */ if (!(time2 > time)) time_backwards++; /* use 32 bit value to ensure compilation on 32 bit arches */ lowdelta = (uint64_t)time2 - (uint64_t)time; if (!(lowdelta % 100)) count_mod++; /* * ensure that we have a varying delta timer which is necessary * for the calculation of entropy -- perform this check * only after the first loop is executed as we need to prime * the old_data value */ if (delta > old_delta) delta_sum += (delta - old_delta); else delta_sum += (old_delta - delta); old_delta = delta; } /* * we allow up to three times the time running backwards. * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus, * if such an operation just happens to interfere with our test, it * should not fail. The value of 3 should cover the NTP case being * performed during our test run. */ if (3 < time_backwards) return ENOMONOTONIC; /* * Variations of deltas of time must on average be larger * than 1 to ensure the entropy estimation * implied with 1 is preserved */ if ((delta_sum) <= 1) return EMINVARVAR; /* * Ensure that we have variations in the time stamp below 10 for at least * 10% of all checks -- on some platforms, the counter increments in * multiples of 100, but not always */ if ((TESTLOOPCOUNT/10 * 9) < count_mod) return ECOARSETIME; /* * If we have more than 90% stuck results, then this Jitter RNG is * likely to not work well. */ if ((TESTLOOPCOUNT/10 * 9) < count_stuck) return ESTUCK; return 0; }