mirror of
https://github.com/torvalds/linux.git
synced 2026-05-23 14:42:08 +02:00
a680b1832c
The generate function in struct rng_alg expects that the destination
buffer is completely filled if the function returns 0. qcom_rng_read()
can run into a situation where the buffer is partially filled with
randomness and the remaining part of the buffer is zeroed since
qcom_rng_generate() doesn't check the return value. This issue can
be reproduced by running the following from libkcapi:
kcapi-rng -b 9000000 > OUTFILE
The generated OUTFILE will have three huge sections that contain all
zeros, and this is caused by the code where the test
'val & PRNG_STATUS_DATA_AVAIL' fails.
Let's fix this issue by ensuring that qcom_rng_read() always returns
with a full buffer if the function returns success. Let's also have
qcom_rng_generate() return the correct value.
Here's some statistics from the ent project
(https://www.fourmilab.ch/random/) that shows information about the
quality of the generated numbers:
$ ent -c qcom-random-before
Value Char Occurrences Fraction
0 606748 0.067416
1 33104 0.003678
2 33001 0.003667
...
253 � 32883 0.003654
254 � 33035 0.003671
255 � 33239 0.003693
Total: 9000000 1.000000
Entropy = 7.811590 bits per byte.
Optimum compression would reduce the size
of this 9000000 byte file by 2 percent.
Chi square distribution for 9000000 samples is 9329962.81, and
randomly would exceed this value less than 0.01 percent of the
times.
Arithmetic mean value of data bytes is 119.3731 (127.5 = random).
Monte Carlo value for Pi is 3.197293333 (error 1.77 percent).
Serial correlation coefficient is 0.159130 (totally uncorrelated =
0.0).
Without this patch, the results of the chi-square test is 0.01%, and
the numbers are certainly not random according to ent's project page.
The results improve with this patch:
$ ent -c qcom-random-after
Value Char Occurrences Fraction
0 35432 0.003937
1 35127 0.003903
2 35424 0.003936
...
253 � 35201 0.003911
254 � 34835 0.003871
255 � 35368 0.003930
Total: 9000000 1.000000
Entropy = 7.999979 bits per byte.
Optimum compression would reduce the size
of this 9000000 byte file by 0 percent.
Chi square distribution for 9000000 samples is 258.77, and randomly
would exceed this value 42.24 percent of the times.
Arithmetic mean value of data bytes is 127.5006 (127.5 = random).
Monte Carlo value for Pi is 3.141277333 (error 0.01 percent).
Serial correlation coefficient is 0.000468 (totally uncorrelated =
0.0).
This change was tested on a Nexus 5 phone (msm8974 SoC).
Signed-off-by: Brian Masney <bmasney@redhat.com>
Fixes:
|
||
|---|---|---|
| .. | ||
| allwinner | ||
| amcc | ||
| amlogic | ||
| axis | ||
| bcm | ||
| caam | ||
| cavium | ||
| ccp | ||
| ccree | ||
| chelsio | ||
| gemini | ||
| hisilicon | ||
| inside-secure | ||
| keembay | ||
| marvell | ||
| nx | ||
| qat | ||
| qce | ||
| rockchip | ||
| stm32 | ||
| ux500 | ||
| virtio | ||
| vmx | ||
| xilinx | ||
| atmel-aes-regs.h | ||
| atmel-aes.c | ||
| atmel-authenc.h | ||
| atmel-ecc.c | ||
| atmel-i2c.c | ||
| atmel-i2c.h | ||
| atmel-sha-regs.h | ||
| atmel-sha.c | ||
| atmel-sha204a.c | ||
| atmel-tdes-regs.h | ||
| atmel-tdes.c | ||
| exynos-rng.c | ||
| geode-aes.c | ||
| geode-aes.h | ||
| hifn_795x.c | ||
| img-hash.c | ||
| ixp4xx_crypto.c | ||
| Kconfig | ||
| Makefile | ||
| mxs-dcp.c | ||
| n2_asm.S | ||
| n2_core.c | ||
| n2_core.h | ||
| omap-aes-gcm.c | ||
| omap-aes.c | ||
| omap-aes.h | ||
| omap-crypto.c | ||
| omap-crypto.h | ||
| omap-des.c | ||
| omap-sham.c | ||
| padlock-aes.c | ||
| padlock-sha.c | ||
| qcom-rng.c | ||
| s5p-sss.c | ||
| sa2ul.c | ||
| sa2ul.h | ||
| sahara.c | ||
| talitos.c | ||
| talitos.h | ||