1 /* $NetBSD: cprng_fast.c,v 1.20 2024/10/15 17:34:06 riastradh Exp $ */ 2 3 /*- 4 * Copyright (c) 2014 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Taylor R. Campbell. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __KERNEL_RCSID(0, "$NetBSD: cprng_fast.c,v 1.20 2024/10/15 17:34:06 riastradh Exp $"); 34 35 #include <sys/types.h> 36 #include <sys/param.h> 37 #include <sys/bitops.h> 38 #include <sys/cprng.h> 39 #include <sys/cpu.h> 40 #include <sys/entropy.h> 41 #include <sys/evcnt.h> 42 #include <sys/intr.h> 43 #include <sys/kmem.h> 44 #include <sys/percpu.h> 45 46 #include <crypto/chacha/chacha.h> 47 48 #define CPRNG_FAST_SEED_BYTES CHACHA_STREAM_KEYBYTES 49 50 struct cprng_fast { 51 /* 128-bit vector unit generates 256 bytes at once */ 52 uint8_t buf[256]; 53 uint8_t key[CPRNG_FAST_SEED_BYTES]; 54 uint8_t nonce[CHACHA_STREAM_NONCEBYTES]; 55 unsigned i; 56 struct evcnt *reseed_evcnt; 57 unsigned epoch; 58 }; 59 60 static void cprng_fast_init_cpu(void *, void *, struct cpu_info *); 61 static void cprng_fast_schedule_reseed(struct cprng_fast *); 62 static void cprng_fast_intr(void *); 63 64 static void cprng_fast_seed(struct cprng_fast *, const void *); 65 static void cprng_fast_buf(struct cprng_fast *, void *, unsigned); 66 67 static void cprng_fast_buf_short(void *, size_t); 68 static void cprng_fast_buf_long(void *, size_t); 69 70 static percpu_t *cprng_fast_percpu __read_mostly; 71 static void *cprng_fast_softint __read_mostly; 72 73 void 74 cprng_fast_init(void) 75 { 76 77 cprng_fast_percpu = percpu_create(sizeof(struct cprng_fast), 78 cprng_fast_init_cpu, NULL, NULL); 79 cprng_fast_softint = softint_establish(SOFTINT_SERIAL|SOFTINT_MPSAFE, 80 &cprng_fast_intr, NULL); 81 } 82 83 static void 84 cprng_fast_init_cpu(void *p, void *arg __unused, struct cpu_info *ci) 85 { 86 struct cprng_fast *const cprng = p; 87 uint8_t seed[CPRNG_FAST_SEED_BYTES]; 88 89 cprng->epoch = entropy_epoch(); 90 cprng_strong(kern_cprng, seed, sizeof seed, 0); 91 cprng_fast_seed(cprng, seed); 92 (void)explicit_memset(seed, 0, sizeof seed); 93 94 cprng->reseed_evcnt = kmem_alloc(sizeof(*cprng->reseed_evcnt), 95 KM_SLEEP); 96 evcnt_attach_dynamic(cprng->reseed_evcnt, EVCNT_TYPE_MISC, NULL, 97 ci->ci_cpuname, "cprng_fast reseed"); 98 } 99 100 static int 101 cprng_fast_get(struct cprng_fast **cprngp) 102 { 103 struct cprng_fast *cprng; 104 int s; 105 106 *cprngp = cprng = percpu_getref(cprng_fast_percpu); 107 s = splvm(); 108 109 if (__predict_false(cprng->epoch != entropy_epoch())) 110 cprng_fast_schedule_reseed(cprng); 111 112 return s; 113 } 114 115 static void 116 cprng_fast_put(struct cprng_fast *cprng, int s) 117 { 118 119 KASSERT((cprng == percpu_getref(cprng_fast_percpu)) && 120 (percpu_putref(cprng_fast_percpu), true)); 121 splx(s); 122 percpu_putref(cprng_fast_percpu); 123 } 124 125 static void 126 cprng_fast_schedule_reseed(struct cprng_fast *cprng __unused) 127 { 128 129 softint_schedule(cprng_fast_softint); 130 } 131 132 static void 133 cprng_fast_intr(void *cookie __unused) 134 { 135 unsigned epoch = entropy_epoch(); 136 struct cprng_fast *cprng; 137 uint8_t seed[CPRNG_FAST_SEED_BYTES]; 138 int s; 139 140 cprng_strong(kern_cprng, seed, sizeof(seed), 0); 141 142 cprng = percpu_getref(cprng_fast_percpu); 143 s = splvm(); 144 cprng_fast_seed(cprng, seed); 145 cprng->epoch = epoch; 146 cprng->reseed_evcnt->ev_count++; 147 splx(s); 148 percpu_putref(cprng_fast_percpu); 149 150 explicit_memset(seed, 0, sizeof(seed)); 151 } 152 153 /* CPRNG algorithm */ 154 155 static void 156 cprng_fast_seed(struct cprng_fast *cprng, const void *seed) 157 { 158 159 (void)memset(cprng->buf, 0, sizeof cprng->buf); 160 (void)memcpy(cprng->key, seed, sizeof cprng->key); 161 (void)memset(cprng->nonce, 0, sizeof cprng->nonce); 162 cprng->i = sizeof cprng->buf; 163 } 164 165 static void 166 cprng_fast_buf(struct cprng_fast *cprng, void *buf, unsigned len) 167 { 168 uint8_t *p = buf; 169 unsigned n = len, n0; 170 171 KASSERT(cprng->i <= sizeof(cprng->buf)); 172 KASSERT(len <= sizeof(cprng->buf)); 173 174 n0 = MIN(n, sizeof(cprng->buf) - cprng->i); 175 memcpy(p, &cprng->buf[cprng->i], n0); 176 if ((n -= n0) == 0) { 177 cprng->i += n0; 178 KASSERT(cprng->i <= sizeof(cprng->buf)); 179 return; 180 } 181 p += n0; 182 le64enc(cprng->nonce, 1 + le64dec(cprng->nonce)); 183 chacha_stream(cprng->buf, sizeof(cprng->buf), 0, cprng->nonce, 184 cprng->key, 8); 185 memcpy(p, cprng->buf, n); 186 cprng->i = n; 187 } 188 189 /* Public API */ 190 191 static void 192 cprng_fast_buf_short(void *buf, size_t len) 193 { 194 struct cprng_fast *cprng; 195 int s; 196 197 KASSERT(len <= sizeof(cprng->buf)); 198 199 s = cprng_fast_get(&cprng); 200 cprng_fast_buf(cprng, buf, len); 201 cprng_fast_put(cprng, s); 202 } 203 204 static void 205 cprng_fast_buf_long(void *buf, size_t len) 206 { 207 uint8_t seed[CHACHA_STREAM_KEYBYTES]; 208 uint8_t nonce[CHACHA_STREAM_NONCEBYTES] = {0}; 209 210 CTASSERT(sizeof(seed) <= sizeof(((struct cprng_fast *)0)->buf)); 211 212 #if SIZE_MAX >= 0x3fffffffff 213 /* >=256 GB is not reasonable */ 214 KASSERT(len <= 0x3fffffffff); 215 #endif 216 217 cprng_fast_buf_short(seed, sizeof seed); 218 chacha_stream(buf, len, 0, nonce, seed, 8); 219 220 (void)explicit_memset(seed, 0, sizeof seed); 221 } 222 223 uint32_t 224 cprng_fast32(void) 225 { 226 uint32_t v; 227 228 cprng_fast_buf_short(&v, sizeof v); 229 230 return v; 231 } 232 233 uint64_t 234 cprng_fast64(void) 235 { 236 uint64_t v; 237 238 cprng_fast_buf_short(&v, sizeof v); 239 240 return v; 241 } 242 243 size_t 244 cprng_fast(void *buf, size_t len) 245 { 246 247 /* 248 * We don't want to hog the CPU, so we use the short version, 249 * to generate output without preemption, only if we can do it 250 * with at most one ChaCha call. 251 */ 252 if (len <= sizeof(((struct cprng_fast *)0)->buf)) 253 cprng_fast_buf_short(buf, len); 254 else 255 cprng_fast_buf_long(buf, len); 256 257 return len; /* hysterical raisins */ 258 } 259