src/interface/efi/efi_entropy.c - ipxe - Git at Google

 /*
  * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
  * published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
  *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  * 02110-1301, USA.
  *
  * You can also choose to distribute this program under the terms of
  * the Unmodified Binary Distribution Licence (as given in the file
  * COPYING.UBDL), provided that you have satisfied its requirements.
  */

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

 #include <errno.h>
 #include <ipxe/entropy.h>
 #include <ipxe/crc32.h>
 #include <ipxe/profile.h>
 #include <ipxe/efi/efi.h>
 #include <ipxe/efi/Protocol/Rng.h>

 /** @file
  *
  * EFI entropy source
  *
  */

 /** Random number generator protocol */
 static EFI_RNG_PROTOCOL *efirng;
 EFI_REQUEST_PROTOCOL ( EFI_RNG_PROTOCOL, &efirng );

 /** Minimum number of bytes to request from RNG
  *
  * The UEFI spec states (for no apparently good reason) that "When a
  * Deterministic Random Bit Generator (DRBG) is used on the output of
  * a (raw) entropy source, its security level must be at least 256
  * bits."  The EDK2 codebase (mis)interprets this to mean that the
  * call to GetRNG() should fail if given a buffer less than 32 bytes.
  *
  * Incidentally, nothing in the EFI RNG protocol provides any way to
  * report the actual amount of entropy returned by GetRNG().
  */
 #define EFI_ENTROPY_RNG_LEN 32

 /** Time (in 100ns units) to delay waiting for timer tick
  *
  * In theory, UEFI allows us to specify a trigger time of zero to
  * simply wait for the next timer tick.  In practice, specifying zero
  * seems to often return immediately, which produces almost no
  * entropy.  Specify a delay of 1000ns to try to force an existent
  * delay.
  */
 #define EFI_ENTROPY_TRIGGER_TIME 10

 /** Event used to wait for timer tick */
 static EFI_EVENT tick;

 /**
  * Enable entropy gathering
  *
  * @ret rc		Return status code
  */
 static int efi_entropy_enable ( void ) {
 	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
 	EFI_STATUS efirc;
 	int rc;

 	DBGC ( &tick, "ENTROPY %s RNG protocol\n",
 	       ( efirng ? "has" : "has no" ) );

 	/* Drop to external TPL to allow timer tick event to take place */
 	bs->RestoreTPL ( efi_external_tpl );

 	/* Create timer tick event */
 	if ( ( efirc = bs->CreateEvent ( EVT_TIMER, TPL_NOTIFY, NULL, NULL,
 					 &tick ) ) != 0 ) {
 		rc = -EEFI ( efirc );
 		DBGC ( &tick, "ENTROPY could not create event: %s\n",
 		       strerror ( rc ) );
 		return rc;
 	}

 	return 0;
 }

 /**
  * Disable entropy gathering
  *
  */
 static void efi_entropy_disable ( void ) {
 	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;

 	/* Close timer tick event */
 	bs->CloseEvent ( tick );

 	/* Return to internal TPL */
 	bs->RaiseTPL ( efi_internal_tpl );
 }

 /**
  * Wait for a timer tick
  *
  * @ret low		CPU profiling low-order bits, or negative error
  */
 static int efi_entropy_tick ( void ) {
 	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
 	UINTN index;
 	uint16_t low;
 	EFI_STATUS efirc;
 	int rc;

 	/* Wait for next timer tick */
 	if ( ( efirc = bs->SetTimer ( tick, TimerRelative,
 				      EFI_ENTROPY_TRIGGER_TIME ) ) != 0 ) {
 		rc = -EEFI ( efirc );
 		DBGC ( &tick, "ENTROPY could not set timer: %s\n",
 		       strerror ( rc ) );
 		return rc;
 	}
 	if ( ( efirc = bs->WaitForEvent ( 1, &tick, &index ) ) != 0 ) {
 		rc = -EEFI ( efirc );
 		DBGC ( &tick, "ENTROPY could not wait for timer tick: %s\n",
 		       strerror ( rc ) );
 		return rc;
 	}

 	/* Get current CPU profiling timestamp low-order bits */
 	low = profile_timestamp();

 	return low;
 }

 /**
  * Get noise sample from timer ticks
  *
  * @ret noise		Noise sample
  * @ret rc		Return status code
  */
 static int efi_get_noise_ticks ( noise_sample_t *noise ) {
 	int before;
 	int after;
 	int rc;

 	/* Wait for a timer tick */
 	before = efi_entropy_tick();
 	if ( before < 0 ) {
 		rc = before;
 		return rc;
 	}

 	/* Wait for another timer tick */
 	after = efi_entropy_tick();
 	if ( after < 0 ) {
 		rc = after;
 		return rc;
 	}

 	/* Use TSC delta as noise sample */
 	*noise = ( after - before );

 	return 0;
 }

 /**
  * Get noise sample from RNG protocol
  *
  * @ret noise		Noise sample
  * @ret rc		Return status code
  */
 static int efi_get_noise_rng ( noise_sample_t *noise ) {
 	static uint8_t prev[EFI_ENTROPY_RNG_LEN];
 	uint8_t buf[EFI_ENTROPY_RNG_LEN];
 	EFI_STATUS efirc;
 	int rc;

 	/* Fail if we have no EFI RNG protocol */
 	if ( ! efirng )
 		return -ENOTSUP;

 	/* Get the minimum allowed number of random bytes */
 	if ( ( efirc = efirng->GetRNG ( efirng, NULL, EFI_ENTROPY_RNG_LEN,
 					buf ) ) != 0 ) {
 		rc = -EEFI ( efirc );
 		DBGC ( &tick, "ENTROPY could not read from RNG: %s\n",
 		       strerror ( rc ) );
 		return rc;
 	}

 	/* Fail (and permanently disable the EFI RNG) if we get
 	 * consecutive identical results.
 	 */
 	if ( memcmp ( buf, prev, sizeof ( buf ) ) == 0 ) {
 		DBGC ( &tick, "ENTROPY detected broken EFI RNG:\n" );
 		DBGC_HDA ( &tick, 0, buf, sizeof ( buf ) );
 		efirng = NULL;
 		return -EIO;
 	}
 	memcpy ( prev, buf, sizeof ( prev ) );

 	/* Reduce random bytes to a single noise sample.  This seems
 	 * like overkill, but we have no way of knowing how much
 	 * entropy is actually present in the bytes returned by the
 	 * RNG protocol.
 	 */
 	*noise = crc32_le ( 0, buf, sizeof ( buf ) );

 	return 0;
 }

 /**
  * Get noise sample
  *
  * @ret noise		Noise sample
  * @ret rc		Return status code
  */
 static int efi_get_noise ( noise_sample_t *noise ) {
 	int rc;

 	/* Try RNG first, falling back to timer ticks */
 	if ( ( ( rc = efi_get_noise_rng ( noise ) ) != 0 ) &&
 	     ( ( rc = efi_get_noise_ticks ( noise ) ) != 0 ) )
 		return rc;

 	return 0;
 }

 PROVIDE_ENTROPY_INLINE ( efi, min_entropy_per_sample );
 PROVIDE_ENTROPY ( efi, entropy_enable, efi_entropy_enable );
 PROVIDE_ENTROPY ( efi, entropy_disable, efi_entropy_disable );
 PROVIDE_ENTROPY ( efi, get_noise, efi_get_noise );
	/*
	* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
	*
	* This program is free software; you can redistribute it and/or
	* modify it under the terms of the GNU General Public License as
	* published by the Free Software Foundation; either version 2 of the
	* License, or (at your option) any later version.
	*
	* This program is distributed in the hope that it will be useful, but
	* WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	* General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with this program; if not, write to the Free Software
	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	* 02110-1301, USA.
	*
	* You can also choose to distribute this program under the terms of
	* the Unmodified Binary Distribution Licence (as given in the file
	* COPYING.UBDL), provided that you have satisfied its requirements.
	*/

	FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

	#include <errno.h>
	#include <ipxe/entropy.h>
	#include <ipxe/crc32.h>
	#include <ipxe/profile.h>
	#include <ipxe/efi/efi.h>
	#include <ipxe/efi/Protocol/Rng.h>

	/** @file
	*
	* EFI entropy source
	*
	*/

	/** Random number generator protocol */
	static EFI_RNG_PROTOCOL *efirng;
	EFI_REQUEST_PROTOCOL ( EFI_RNG_PROTOCOL, &efirng );

	/** Minimum number of bytes to request from RNG
	*
	* The UEFI spec states (for no apparently good reason) that "When a
	* Deterministic Random Bit Generator (DRBG) is used on the output of
	* a (raw) entropy source, its security level must be at least 256
	* bits." The EDK2 codebase (mis)interprets this to mean that the
	* call to GetRNG() should fail if given a buffer less than 32 bytes.
	*
	* Incidentally, nothing in the EFI RNG protocol provides any way to
	* report the actual amount of entropy returned by GetRNG().
	*/
	#define EFI_ENTROPY_RNG_LEN 32

	/** Time (in 100ns units) to delay waiting for timer tick
	*
	* In theory, UEFI allows us to specify a trigger time of zero to
	* simply wait for the next timer tick. In practice, specifying zero
	* seems to often return immediately, which produces almost no
	* entropy. Specify a delay of 1000ns to try to force an existent
	* delay.
	*/
	#define EFI_ENTROPY_TRIGGER_TIME 10

	/** Event used to wait for timer tick */
	static EFI_EVENT tick;

	/**
	* Enable entropy gathering
	*
	* @ret rc Return status code
	*/
	static int efi_entropy_enable ( void ) {
	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
	EFI_STATUS efirc;
	int rc;

	DBGC ( &tick, "ENTROPY %s RNG protocol\n",
	( efirng ? "has" : "has no" ) );

	/* Drop to external TPL to allow timer tick event to take place */
	bs->RestoreTPL ( efi_external_tpl );

	/* Create timer tick event */
	if ( ( efirc = bs->CreateEvent ( EVT_TIMER, TPL_NOTIFY, NULL, NULL,
	&tick ) ) != 0 ) {
	rc = -EEFI ( efirc );
	DBGC ( &tick, "ENTROPY could not create event: %s\n",
	strerror ( rc ) );
	return rc;
	}

	return 0;
	}

	/**
	* Disable entropy gathering
	*
	*/
	static void efi_entropy_disable ( void ) {
	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;

	/* Close timer tick event */
	bs->CloseEvent ( tick );

	/* Return to internal TPL */
	bs->RaiseTPL ( efi_internal_tpl );
	}

	/**
	* Wait for a timer tick
	*
	* @ret low CPU profiling low-order bits, or negative error
	*/
	static int efi_entropy_tick ( void ) {
	EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
	UINTN index;
	uint16_t low;
	EFI_STATUS efirc;
	int rc;

	/* Wait for next timer tick */
	if ( ( efirc = bs->SetTimer ( tick, TimerRelative,
	EFI_ENTROPY_TRIGGER_TIME ) ) != 0 ) {
	rc = -EEFI ( efirc );
	DBGC ( &tick, "ENTROPY could not set timer: %s\n",
	strerror ( rc ) );
	return rc;
	}
	if ( ( efirc = bs->WaitForEvent ( 1, &tick, &index ) ) != 0 ) {
	rc = -EEFI ( efirc );
	DBGC ( &tick, "ENTROPY could not wait for timer tick: %s\n",
	strerror ( rc ) );
	return rc;
	}

	/* Get current CPU profiling timestamp low-order bits */
	low = profile_timestamp();

	return low;
	}

	/**
	* Get noise sample from timer ticks
	*
	* @ret noise Noise sample
	* @ret rc Return status code
	*/
	static int efi_get_noise_ticks ( noise_sample_t *noise ) {
	int before;
	int after;
	int rc;

	/* Wait for a timer tick */
	before = efi_entropy_tick();
	if ( before < 0 ) {
	rc = before;
	return rc;
	}

	/* Wait for another timer tick */
	after = efi_entropy_tick();
	if ( after < 0 ) {
	rc = after;
	return rc;
	}

	/* Use TSC delta as noise sample */
	*noise = ( after - before );

	return 0;
	}

	/**
	* Get noise sample from RNG protocol
	*
	* @ret noise Noise sample
	* @ret rc Return status code
	*/
	static int efi_get_noise_rng ( noise_sample_t *noise ) {
	static uint8_t prev[EFI_ENTROPY_RNG_LEN];
	uint8_t buf[EFI_ENTROPY_RNG_LEN];
	EFI_STATUS efirc;
	int rc;

	/* Fail if we have no EFI RNG protocol */
	if ( ! efirng )
	return -ENOTSUP;

	/* Get the minimum allowed number of random bytes */
	if ( ( efirc = efirng->GetRNG ( efirng, NULL, EFI_ENTROPY_RNG_LEN,
	buf ) ) != 0 ) {
	rc = -EEFI ( efirc );
	DBGC ( &tick, "ENTROPY could not read from RNG: %s\n",
	strerror ( rc ) );
	return rc;
	}

	/* Fail (and permanently disable the EFI RNG) if we get
	* consecutive identical results.
	*/
	if ( memcmp ( buf, prev, sizeof ( buf ) ) == 0 ) {
	DBGC ( &tick, "ENTROPY detected broken EFI RNG:\n" );
	DBGC_HDA ( &tick, 0, buf, sizeof ( buf ) );
	efirng = NULL;
	return -EIO;
	}
	memcpy ( prev, buf, sizeof ( prev ) );

	/* Reduce random bytes to a single noise sample. This seems
	* like overkill, but we have no way of knowing how much
	* entropy is actually present in the bytes returned by the
	* RNG protocol.
	*/
	*noise = crc32_le ( 0, buf, sizeof ( buf ) );

	return 0;
	}

	/**
	* Get noise sample
	*
	* @ret noise Noise sample
	* @ret rc Return status code
	*/
	static int efi_get_noise ( noise_sample_t *noise ) {
	int rc;

	/* Try RNG first, falling back to timer ticks */
	if ( ( ( rc = efi_get_noise_rng ( noise ) ) != 0 ) &&
	( ( rc = efi_get_noise_ticks ( noise ) ) != 0 ) )
	return rc;

	return 0;
	}

	PROVIDE_ENTROPY_INLINE ( efi, min_entropy_per_sample );
	PROVIDE_ENTROPY ( efi, entropy_enable, efi_entropy_enable );
	PROVIDE_ENTROPY ( efi, entropy_disable, efi_entropy_disable );
	PROVIDE_ENTROPY ( efi, get_noise, efi_get_noise );