The following source code contains the older implementation of the Linux Random Number Generator.
| Link | Changes |
|---|---|
|
Initial release |
|
|
Removal of the Jitter RNG fast noise source as requested by Ted Addition of processing of add_input_randomness as suggested by Ted Update documentation and testing to cover the updates Addition of a SystemTap script to test add_input_randomness To clarify the question whether sufficient entropy is present during boot I added one more test in 3.3.1 which demonstrates the providing of sufficient entropy during initialization. In the worst case of no fast noise sources, in the worst case of a virtual machine with only very few hardware devices, the testing shows that the secondary DRBG is fully seeded with 256 bits of entropy before user space injects the random data obtained during shutdown of the previous boot (i.e. the requirement phrased by the legacy /dev/random implementation). As the writing of the random data into /dev/random by user space will happen before any cryptographic service is initialized in user space, this test demonstrates that sufficient entropy is already present in the LRNG at the time user space requires it for seeding cryptographic daemons. Note, this test result was obtained for different architectures, such as x86 64 bit, x86 32 bit, ARM 32 bit and MIPS 32 bit. |
|
|
Convert debug printk to pr_debug as suggested by Joe Perches Add missing \n as suggested by Joe Perches Do not mix in struck IRQ measurements as requested by Pavel Machek Add handling logic for systems without high-res timer as suggested by Pavel Machek -- it uses ideas from the add_interrupt_randomness of the legacy /dev/random implementation add per NUMA node secondary DRBGs as suggested by Andi Kleen -- the explanation of how the logic works is given in section 2.1.1 of my documentation [1], especially how the initial seeding is performed. |
|
|
port to 4.7-rc1 Use classical twisted LFSR approach to collect entropic data as requested by George Spelvin. The LFSR is based on a primitive and irreducible polynomial whose taps are not too close to the location the current byte is mixed in. Primitive polynomials for other entropy pool sizes are offered in the code. The reading of the entropy pool is performed with a hash. The hash can be specified at compile time. The pre-defined hashes are the same as used for the DRBG type (e.g. a SHA256 Hash DRBG implies the use of SHA-256, an AES256 CTR DRBG implies the use of CMAC-AES). Addition of the example defines for a CTR DRBG with AES128 which can be enabled during compile time. Entropy estimate: one bit of entropy per interrupt. In case a system does not have a high-resolution timer, apply 1/10th bit of entropy per interrupt. The interrupt estimates can be changed arbitrarily at compile time. Use kmalloc_node for the per-NUMA node secondary DRBGs. Add boot time entropy tests discussed in section 3.4.3 [1]. Align all buffers that are processed by the kernel crypto API to an 8 byte boundary. This boundary covers all currently existing cipher implementations. |
|
|
fix treating LRNG_POOL_SIZE_BITS as entropy value in lrng_get_pool use CTR DRBG with AES256 as default due to its superior speed -- on X86_64 executing within a KVM I get read speeds of up to 850 MB/s now. When using a fake NUMA system with 4 nodes on 4 CPUs, I still get up to 430 MB/s read speed with four parallel reads. Note, this patch applies to the current cryptodev-2.6 tree. simplify lrng_get_arch use DRBG security strengths as defined in SP800-57 section 5.6.1 add security strength to /proc/sys/kernel/random/lrng_type add ChaCha20 DRNG: in case the kernel crypto API is not compiled, the ChaCha20 DRNG with the SHA-1 C implementations are used to drive the cryptographic part of the LRNG.The ChaCha20 RNG is described in [1]. I analyzed it with a user space version of it. Editorial changes requested by checkpatch.pl |
|
|
port to 4.8-rc1 add missing memzero_explicit to ChaCha20 DRNG use kernel-doc documentation style use of min3 in lrng_get_pool to beautify code prevent fast noise sources from dominating slow noise sources in case of /dev/random set read wakeup threshold to 64 bits to comply with legacy /dev/random simplify the interrupt to entropy amount conversion code move wakeup call of entropy-providers to a code location where /dev/urandom will benefit from the wake up as well (i.e. when the primary DRBG entropy runs low because of /dev/urandom reseeds, the entropy provider is woken up) inject current time into primary DRBG at the time of seeding from noise sources (suggested by Sandy Harris) |
|
|
port to 4.9-rc1 add lrng_drng_generate_helper_full() function for DRNGs to inform them about requests that shall have the capability to transport close to 1 bit of entropy per data bit streamline code in lrng_pdrbg_seed_internal test NUMA code on real NUMA system: fixes of NUMA support code to support deactivated NUMA nodes constify buffers to crypto operations |
|
|
port to kernel v4.10-rc1 works also on the released linux kernel 4.10fix race condition in add_interrupt_randomness when low res timer is used re-add Jitter RNG noise source assumed to provide one 16th bit of entropy per data bit (every source of entropy is helpful) make LFSR invocation much more efficient in hot code paths increase reseed threshold of secondary DRBG to 2^17 requests (maximum number of bytes to be generated without reseeding attempt: 2^17 requests * 2^12 bytes per requests) initialize ChaCha20 key space with time stamp and arch_get_random_long reseed the secondary DRBG always with full entropy equal to its security strength -- further details are given in section 2.6 of the documentation add FIPS 140-2 continuous self test to ChaCha20 code path |
|
|
port to kernel v4.11-rc1 fix race condition in initialization code path of secondary DRBGs SHA-256 based DRBG have a security strength of 256 bits as per SP800-57A table 3 Increase LRNG_MIN_SEED_ENTROPY_BITS to 128 bits based on updates proposed to FIPS 140-2 and BSI's TR02102 when writing/IOCTL to /dev/random or /dev/urandom, the data is only inserted into the primary DRBG, the secondary DRBG(s) will forcefully reseeded when processing next request for the respective secondary DRBG instead of injecting the input data also into the secondary DRBGs use ERR_PTR for return code of lrng_drng_alloc |
|
|
port to kernel v4.11 contintionally compile JitterRNG code depending on CONFIG_CRYPTO_JITTERENTROPY update error code path when lrng_hash_buffer fails to report the successfully read entropy remove LRNG_DRBG_BLOCKLEN_BYTES in favor of LRNG_DRBG_BLOCKSIZE add get_random_u64 and get_random_u32 from legacy /dev/random |
|
|
port to 4.12-rc1 (identical to code 20170502) contintionally compile JitterRNG code depending on CONFIG_CRYPTO_JITTERENTROPY (identical to code 20170502) update error code path when lrng_hash_buffer fails to report the successfully read entropy (identical to code 20170502) remove LRNG_DRBG_BLOCKLEN_BYTES in favor of LRNG_DRBG_BLOCKSIZE (identical to code 20170502) add get_random_u64 and get_random_u32 from legacy /dev/random to prevent any modifications of random.c move LRNG to drivers/char/ wakeup user space writers only when entropy in pool is low (not when primary DRBG entropy is low) LFSR alteration to space the processed words 67 words apart to counter polynomial taps that are close together which may be affected by dependencies Always mix in an interrupt time stamp even when considered stuck, just do not increment number of collected interrupts used to determine the entropy content |
|
|
port to 4.13-rc1 use PTR_ERR_OR_ZERO as suggested by Julia Lawall fixed coccocinelle warnings fixed cppcheck style hints streamlined add_interrupt_randomness all DRNG-specific code is re-allocated to the C files specific to the respective DRNG rename all macros from DRBG -> DRNG rename all functions from *drbg* -> *drng* functions grouped into pdrng and sdrng processing for easier reading Use Jitter RNG to seed even the init RNG for entropy at earliest boot time which implies that the very first random number generated by the LRNG is seeded with the Jitter RNG incorporate wait_for_random_bytes from Jason A. Donenfeld incorporate invalidate_batched_entropy from Jason A. Donenfeld incorporate debug logs for unseeded DRNGs from Jason A. Donenfeld including rate limiting from Ted Ts'o rename lrng_standalone.c -> lrng_chacha20.c bug fix edge condition during reseed on NUMA systems enable stuck test during early boot When waiting for "good" random numbers, the following concept applies: - kernel space: reaching the minimally seeded level triggers wakeup - user space: reaching the fully seeded level triggers wakeup Use RDSEED for seeding operations and RDRAND as a fallback as suggested by DJ Johnston (note, the final fallback to use a high-resolution timer is implicitly present by using the time stamp unconditional for each reseed). conserve entropy in output function of primary DRNG |
|
|
port to 4.13 and 4.14-rc1 works also on the released linux kernel 4.14Update drivers/char/Makefile as suggested by Arnd Bergmann Update use of jitterentropy.c as suggested by Arnd Bergmann Add runtime loading/unloading of DRNG implementations |
|
|
Use mutex for locking as kernel crypto API may sleep Add fix to prandom to prevent calling of get_random_bytes from atomic context DRBG support: allow run-time switching of DRBG type using lrng_drbg_type insmod parameter port to 4.15 |
|
|
Covered kernel version: 4.15
Add put_cpu_var in the code paths where get_cpu_var is used in patch 1 (reported by Farin Sami) |
|
|
Covered kernel version: 4.16
Addition of SPOX copyright identifier Use the updated poll infrastructure Add the kernel crypto API PRNG support |
|
|
Covered kernel version: 4.17
Bug fix in add_device_randomness use wq_has_sleeper async allocation of per-NUMA-node DRNG instances in a work queue add RNDRESEEDCRNG IOCTL |
|
|
Covered kernel version: 4.18
Provide full support for get_random_bytes in atomic operations (LRNG is now fully complete for all use cases in the kernel) Increase performance of ChaCha20 DRNG by using unused random numbers during the update operation - the LRNG speed using ChaCha20 is between 20% (smaller block sizes) and 120% (larger block sizes) higher than the legacy implementation. Drop patch modifying genhd.h |
|
|
Covered kernel version: 4.20
Port to 4.20 |
|
|
Covered kernel version: 5.0
Port to 5.0 |
|
|
Covered kernel version: 5.1
Port to 5.1 Fix a bug in error handling Add raw entropy sampling code |
|
|
Covered kernel version: 5.2
Port to 5.2 Enhance raw entropy sampling code Add support for CONFIG_RANDOM_TRUST_CPU |
|
|
2019-11-11 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.4-rc6
breakup of the monolithic code base into several logically isolated files and move all files into drivers/char/lrng/ - this also reduces the number of ifdefs in the code significantly as the make system is used to select the enabled code Add Tested-by and Reviewed-by lines Significant speedup of code executing in interrupt handler: the LRNG is now almost 50% faster as the existing /dev/random. On one example system, the LRNG interrupt handling code executes within an average of 65 cycles whereas the existing /dev/random on the same device takes about 97 cycles. SP800-90B compliance
prune base LRNG code of any FIPS-related code - all FIPS-related code is in the SP800-90B compliance code that can be deactivated at compile time testing performed with all tests offered at [1] including all required SP800-90B tests, as well as KASAN, UBSAN, and lockdep while executing stress tests. Tests were performed on: x86, S390 make DRNG switching support compile-time configurable selection of entropy pool size is now a configure option support deactivation of TRNG (i.e. blocking behavior of /dev/random) at compile time. If deactivated, /dev/random behaves like getrandom(2). conditionally compile NUMA support eliminate in_atomic() invocation: In-kernel consumers always use the ChaCha20 DRNG unless the new API call get_random_bytes_full is invoked which may sleep but offer access to the full functionality of the LRNG including all types of DRNG. use debugfs file for obtaining raw entropy test data required to fulfill SP800-90B requirements fix: ensure that gathering raw entropy does not affect runtime of the kernel fix: import upstream patch b7d5dc21072cda7124d13eae2aefb7343ef94197 fix: import upstream patch 428826f5358c922dc378830a1717b682c0823160 fix: integrate patch "random: Don't freeze in add_hwgenerator_randomness() if stopping kthread" documentation enhancement: import upstream patch 92e507d216139b356a375afbda2824e85235e748 into documentation to cover all interfaces of the LRNG speedup of injection of non-aligned data into entropy pool |
|
2019-11-16 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Remove of the boiler plate disclaimers as requested by Thomas Gleixner fix compile issues reported by kbuild: adding missing header files and turn large stack variable into a heap variable with lrng_testing.c fix patch descriptions as suggested by Florian Weimer and Alexander E. Patrakov remove stale comment in _lrng_sdrng_seed ove blocking of /dev/random and getrandom(GRND_RANDOM) until LRNG is seeded to the interface handling code to simplify the code and to ensure the blocking is also enforced if the TRNG is not compiled. add BROKEN test support for SP800-90B adaptive proportion test and repetitive count test as suggested by Alexander E. Patrakov |
|
2019-11-23 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Extract the time initalization code into its own function lrng_init_time_source and invoke it with core_initcall as reported by Nicolai Stange Add linux/errno.h include to lrng.h as suggested by Nicolai Stange Add linux/slab.h to lrng_chacha20.h Changed lrng_testing.c reading/writing of ring buffer to use a lock as suggested by Andy Lutomirski Use "depends on DEBUG_FS" for lrng_testing.c Kconfig entry as suggested by Randy Dunlap Remove declaration of random_table from lrng_proc.c as suggested by Eric W. Biederman Move the lrng_type file out of the sysctl table into its own file /proc/lrng_type since its purpose is not to serve as a sysctl as suggested by Eric W. Biederman Update patch description for /proc patch to refer to sysctls as suggested by Eric W. Biederman /dev/random and getrandom(GRND_RANDOM) now invokes the secondary DRNG ensuring that the DRNG is fully seeded before requests are served. With this change, /dev/random is no TRNG any more. This change implements the suggestion from Andy Lutomirski and is based on the discussions previously on the LKML and the changes developed by Andy for the existing random.c implementation. Simplification of the debugfs code in lrng_testing.c as return code checks are not further needed any more as suggested by Nicolai Stange. Addition of GRND_TRUERANDOM to the getrandom(2) syscall to make the TRNG externally accessible as a TRNG. The change also includes the GRND_INSECURE flag as proposed by Andy Lutomirski. To avoid touching the random.h and potentially clashing with Andy's patch set, I kept the symbol definitions in lrng_interfaces.c noting that they should be moved to random.h. The GRND_TRUERANDOM allows unprivileged user space to access the TRNG as follows: if CAP_SYS_ADMIN calls, the whole entropy available to the LRNG is used. If an unprivileged process invokes GRND_TRUERANDOM, at least 1024 bits of entropy will remain in the pool to serve CAP_SYS_ADMIN and all secondary DRNGs serving /dev/urandom, /dev/random and getrandom(.., 0) with entropy. With that unprivileged processes calling GRND_TRUERANDOM have the lowest priority in getting entropy and must wait accordingly. If the TRNG is not present, GRND_TRUERANDOM returns -EOPNOTSUPP. A new test tool is provided as part of the LRNG test archive found at [1] allowing to analyze all four types of RNGs accessible via getrandom(2). Remove duplication of MODULE_LICENSE/AUTHOR/DESCRIPTION from lrng_testing.c |
|
2020-01-09 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.5-rc5 - requires patch 75551dbf112c992bc6c99a972990b3f272247e23 from Ted Tso's kernel tree (specifically the addition of GRND_INSECURE to random.h)
fix function prototype of lrng_init_time_source fix indentation in getrandom add unlock to error code path as reported by Julia Lawall integrate 0da522107e5d9c000a4871d52e570912aa1225a2 from Arnd Bergmann and supplemental patch 4aa37c463764052c68c5c430af2a67b5d784c1e0 from Jason A. Donenfeld use new jitterentropy.h header file add power-on self-tests of security critical functions of hash_df, LFSR, ChaCha20 DRNG, and time stamp array management add support for significantly reduced runtime memory footprint as outlined in patch 1 drop TRNG support - the LRNG has the same user experience as random.c with Andy Lutomirski's recent patch removing the blocking_pool - rename all *sdrng* symbols to *drng* ensure that external noise sources can provide seed at least once when a DRNG is reseeded to ensure internal and external noise sources are balanced add full documentation to all API calls provided to the remainder of the kernel ensure that after a SP800-90B health test failure the interrupt handler triggers reseeds like during boot time |
|
2020-01-15 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.5-rc5 - requires patch 75551dbf112c992bc6c99a972990b3f272247e23 from Ted Tso's kernel tree (specifically the addition of GRND_INSECURE to random.h)
make comments compliant to kernel-doc style update LRNG_RCT_CUTOFF from 30 to 31 (a cutoff of 30 implies an alpha of 2^-29 and a cutoff of 31 is an alpha of 2^-30 - both values are in line with SP800-90B, but to be consistent with documentation update the cutoff value) - reported by Marcos Portnoi remove lrng_drng_generate_helper_full that was only needed by removed TRNG support Remove "unlikely" from lrng_drng_lock which seems to cause additional grief
with sparse. Note, sparse will still report a lock context imbalance as it
used to since we indeed have two lock contexts as documented in
lrng_drng_switch. Reported-by: kbuild test robot Fix allocation size calculation in self-test code as reported by
Dan Carpenter |
|
2020-01-19 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.5-rc6 - requires patch 75551dbf112c992bc6c99a972990b3f272247e23 from Ted Tso's kernel tree (specifically the addition of GRND_INSECURE to random.h)
All grep-able strings are placed on one line as requested by Randy Dunlap. Add "depend on CRYPTO" to CONFIG_LRNG_DRBG, CONFIG_LRNG_KCAPI, CONFIG_LRNG_JENT allowing the LRNG to be compiled without the kernel crypto API. A successful compilation of the LRNG with the remaining configure options was performed. Thanks to Randy Dunlap for pointing this out. |
|
2020-04-15 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.7-rc1
Port to v5.7-rc1 Fix endianess bug that caused the self test to fail on big endian systems Add rng_is_initialized function Perform entropy and stress testing on ARM 32 bit, ARM 64 bit, POWER 7 BE, POWER 8 LE, IBM System Z, MIPS systems - see documentation Appendix C |
|
2020-07-13 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.8-rc5 - LRNG and Jitter RNG noise sources are fully SP800-90B compliant
Port to v5.8-rc5 including updated initialization of static Jitter RNG instance Add latent_entropy GCC compiler plugin annotations Add test interfaces to validate performance of interrupt handler and time stamp concatenation Fix memleak during rmmod lrng_drbg.ko which was missing deallocation of cipher handles Remove seeding from CPU noise sources for get_random_u64/u32 compliant to random.c Use of arch_get_random_seed_long_early / arch_get_random_long_early for initialization of LFSR state and ChaCha20 DRNG state. |
|
2020-08-20 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.9-rc1 - LRNG and Jitter RNG noise sources are fully SP800-90B compliant
Use of SHA-256 for hashing the entropy pool per default to ensure the LRNG can be claimed to manage 256 bits of entropy pursuant to SP800-90B (note, the required CONFIG_CRYPTO_LIB_SHA256 current depends on CONFIG_CRYPTO due to artificial Kconfig settings - technically CONFIG_CRYPTO_LIB_SHA256 could be compiled without CONFIG_CRYPTO) When using CTR DRBG, use SHA-256 for hashing entropy pool instead of CMAC AES to fully comply with SP800-90B to the letter of the law Correctly use CONFIG_BASE_SMALL in C code speed up add_interrupt_randomness if high-resolution time stamp is not available integrate patch a2541dcb51127dc31934ab93bc99ae7df458e41b integrate patch f227e3ec3b5cad859ad15666874405e8c1bbc1d4 and ensure that its associated design concerns documented in [2] section 2.2.5 are addressed add test interfaces for Jiffies, interrupt numbers, interrupt flags, and return instruction pointer supporting integration of patch f227e3ec3b5cad859ad15666874405e8c1bbc1d4 and systems with a missing high-resolution timer |
|
2020-08-21 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.9-rc1 - LRNG and Jitter RNG noise sources are fully SP800-90B compliant
fix const static to static const as indicated by kernel test robot fix double initialization as indicated by kernel test robot add hw_random.h header file and add get_random_bytes_full prototypes as indicated by kernel test robot if to ifdef for CONFIG_CRYPTO_LIB_SHA256 in lrng_selftest.c Note, the warning on random_table is expected as it is there to ensure patch 0001 can be compiled. This symbol is "fixed" with patch 0003. |
|
2020-08-25 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.9-rc1 - LRNG and Jitter RNG noise sources are fully SP800-90B compliant
fix all sparse warnings, partially reported by kernel test robot ensure that DRBG or KCAPI backend can only be exclusively compiled if it is selected for static compilation - suggested by Andy Lavr fix Kconfig to enable compilation of lrng_testing.c in all possible configurations reported by kernel test robot include trace/events/random.h to make lib/random32.c happy (even though the LRNG does not need this header file) reported by kernel test robot |
|
2020-09-18 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.9-rc5 - LRNG and Jitter RNG noise sources are fully SP800-90B compliant and are based solely on hash operations for conditioning
replace hash_df operation with simple hash to make code leaner without affecting entropy statements replace central LFSR with per-CPU entropy pools which implies that LRNG only uses a hash for conditioning - this makes data processing much cleaner (see [2] section 2.2) entropy assessment significantly easier (see [2] section 3.2.6) add aux_pool to process data received from user space and add_hwgenerator_randomness with a cryptographic hash compliant to SP800-90B section 3.1.6 to allow data from those sources and stay SP800-90B compliant remove duplicated code - add lrng_kcapi_hash.c to consolidate hash handling code from lrng_drbg.c and lrng_kcapi.c ensure that the NUMA pool allocation also allocates the hash instance as a precaution in case the DRNG switching code is executed before the NUMA allocation Make invocation of SHA-1 compliant to FIPS 180-4 Addition of test interface for interrupt registers noise data - with that interface, all data potentially delivering entropy can be sampled. Addition of ACVT interface to validate correct invocation of SHA by LRNG (for test definition, see https://github.com/usnistgov/ACVP) - interface was used for successful testing of the SHA-256 and SHA-1 handling of the LRNG. remove superfluous backslash from Makefile reported by Andy Lavr move prototype of lrng_reset() to a spot in lrng_internal.h that is compiled unconditional as requested by kernel test robot correctly advance *ppos in DebugFS read function for testing interfaces preventing successive read operations fix __latent_entropy usage as reported by kernel test robot use compxch_release / smp_load_acquire to set NUMA pool as suggested by Eric Biggers |
|
2020-10-19 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.9
fix display of available entropy - the fix only affects the display of available entropy at /proc/sys/kernel/random/entropy_avail simplify code to obtain available and max entropy always reset entropy gathering interface when listener detaches |
|
2021-02-16 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.11
Use new SHA header files simplify code initializing ChaCha20 simplify code processing time stamp Simplify code for self test use u32 instead of uint32_t increase entropy pool size config values report available pool size add hash update operation to add yet uncompressed entropy data in data array into entropy pool during DRNG seeding Support disabling of continuous compression - this allows a user to disable the continuous hash compression operation performed in interrupt context once the per-CPU data array is full. In this case, the continuous compression operation is disabled, the compression is performed when the DRNG is reseeded. This implies that no hash operation is performed in interrupt context at all and thus increases the performance even further. Yet, the drawback is that entropy data may be overwritten instead of compressed. |
|
2021-05-15 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.12
Output of all entropy sources are now concatenated - no conditioning to merge output any more All entropy sources are now treated fully equally - ensure a clean separation between the DRNG and the entropy sources, the entropy rate of each entropy source can be configured during boot time Add oversampling support of entropy sources to account for collision probability with an applied epsilon of <= 2^-32 Seed DRNG with all entropy sources immediately after initialization supporting an immediately available fully seeded DRNG during early boot in case fast noise sources are trusted - remove now unneeded specific ChaCha20 seeding operation Add zeroization of hash buffer allocated on stack Update seeding threshold when loading DRNG to ensure the new digest size is applied during seeding Standards compliance: AIS20/31, SP800-90A/B/C |
|
2021-05-25 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.12
add dependency to CRYPTO_HASH when compiling lrng_kcapi_hash initialize Jitter RNG during device_initcall speed up early boot entropy gathering add sha1.h include in case the kernel crypto API is not compiled Standards compliance: AIS20/31, SP800-90A/B/C |
|
2021-07-03 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.13
update seeding threshold when loading DRNG only if min seeded insert bootloader entropy directly into the aux pool RNDADDTOENTCNT - entropy estmate update of aux pool cleanup of initial seeding use work queue after initialization only add_random_ready_callback ping after full initialization zeroize seed buffer invoke processing of ready_list only if fully seeded invoke invalidate_batched_entropy after initialization always fill in the time stamp into seed buffer initialize entropy value if insufficient entropy available signal end of boot cycle in non-NUMA configuration set NUMA node online flag in proper condition harden entropy source configuration significantly enhance performance of aux pool fix LRNG reseed locking set LRNG to non-operational for 90C compliance fix increment of ChaCha20 nonce make switch functions a noop if switching is disabled |
|
v42 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.14
Use common ChaCha20 initialization function enforce max generate ops without reseed of full entropy remove code duplication SP800-90C - reseed with security strength once fully seeded split out aux pool operation rename entropy source files to lrng_es_*.c SP800-90C ES oversampling subject to ent-data-conversion calculate GCD of timer used for IRQ ES dynamically allocate Jitter RNG entropy source SP800-90A/B/C compliant |
|
v43 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.15
Replace '/**' with '/*' in comments Jitter RNG ES: if configured to have zero entropy, it still returns data CPU ES: if configured to have zero entropy, it still returns data; allow disabling it with config option - extract CPU ES into its own patch for better assessment (patch 5) IRQ ES: if configured to have zero entropy, it still returns data; allow disabling it with config option - extract IRQ ES into its own patch for better assessment (patch 2) use hash lock only when LRNG switching support is enabled write_wakeup now contains the wakeup threshold in bits and is updated when the hash is updated fix: do not expect user space to provide entropy if it is woken up - this allows haveged to fully work rearrange patch set: patches 01 through 05 are the baseline to get the LRNG running covering all use cases currently available. Even this base would provide better functionality than the existing /dev/random implementation considering the use of SHA-256 and a much faster IRQ handler. fix: ensure that applying the oversampling rate implies a larger or equal interrupt collection in case no highres timer is present fix: PowerISA DARN specifies that it only delivers 0.5 bits of entropy -> CPU ES takes this into account when configured to trust CPU add compression support for CPU entropy sources without full entropy SP800-90A/B/C compliant |
|
v45 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.18
fix pulling insufficient data from AUX pool add scheduler-based entropy source - the full explanation and analysis is provided with the PDF documentation support the concurrent presence of the legacy RNG and the LRNG: add entropy source pulling the legacy RNG add ability to allow LRNG run concurrently with legaacy RNG add new interfaces: LRNG is callable from kernel crypto API's RNG framework as well as via the HW_RAND framework, and the device file /dev/lrng that behaves identically to /dev/random - all interfaces can be enabled independently from each other during compile time change lrng_get_random_bytes_full to synchronously wait for the LRNG to become operational and get random numbers afterwards split up of the code base into self-contained components to allow only enabling the code required for a given use case add additional, but optional interfaces to use the LRNG: kernel crypto API, /dev/hwrand framework, an individual device file that behaves like /dev/random (e.g. when the LRNG is compiled along with random.c but user space wants to interact with LRNG) SP800-90A/B/C compliant |
|
v46 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 5.19
- add support for invoking DRNG with prediction resistance when opening /dev/random with O_SYNC or using the lrng_get_random_bytes_pr API. This reestablishes the NTG.1 property as well as well as supports using the DRBG as a conditioning component pursuent to SP800-90C and FIPS 140 IG 7.19 / D.K. modify collection in scheduler ES: maintain a hash state per CPU as a per-CPU entropy pool add full ABI compliance by only reporting the auxiliary pool status at /proc/sys/kernel/random/[entropy_avail|poolsize] - this implies that /proc/lrng_type now contains the entropy content of the LRNG SP800-90A/B/C compliant AIS20/31 compliant FIPS IG 7.19 / D.K compliant - use of DRBG as conditioning component for chaining DRBGs |
|
v47 (Signature of source code) Test code including SP800-90B tests (Signature of test code) |
Covered kernel version: 6.0
add support for random.trust_bootloader add lrng_get_seed API call and wire it up to getrandom(2) cover changes to arch_get_random_*_longs remove register_random_ready_notifier code add compliance to new AIS20/31 2022 draft SP800-90A/B/C compliant AIS20/31 2011 compliant AIS20/31 draft 2022 compliant FIPS IG 7.19 / D.K compliant - use of DRBG as conditioning component for chaining DRBGs |