WSL2-Linux-Kernel/crypto
Stephan Müller bb897c5504 crypto: jitter - replace LFSR with SHA3-256
Using the kernel crypto API, the SHA3-256 algorithm is used as
conditioning element to replace the LFSR in the Jitter RNG. All other
parts of the Jitter RNG are unchanged.

The application and use of the SHA-3 conditioning operation is identical
to the user space Jitter RNG 3.4.0 by applying the following concept:

- the Jitter RNG initializes a SHA-3 state which acts as the "entropy
  pool" when the Jitter RNG is allocated.

- When a new time delta is obtained, it is inserted into the "entropy
  pool" with a SHA-3 update operation. Note, this operation in most of
  the cases is a simple memcpy() onto the SHA-3 stack.

- To cause a true SHA-3 operation for each time delta operation, a
  second SHA-3 operation is performed hashing Jitter RNG status
  information. The final message digest is also inserted into the
  "entropy pool" with a SHA-3 update operation. Yet, this data is not
  considered to provide any entropy, but it shall stir the entropy pool.

- To generate a random number, a SHA-3 final operation is performed to
  calculate a message digest followed by an immediate SHA-3 init to
  re-initialize the "entropy pool". The obtained message digest is one
  block of the Jitter RNG that is returned to the caller.

Mathematically speaking, the random number generated by the Jitter RNG
is:

aux_t = SHA-3(Jitter RNG state data)

Jitter RNG block = SHA-3(time_i || aux_i || time_(i-1) || aux_(i-1) ||
                         ... || time_(i-255) || aux_(i-255))

when assuming that the OSR = 1, i.e. the default value.

This operation implies that the Jitter RNG has an output-blocksize of
256 bits instead of the 64 bits of the LFSR-based Jitter RNG that is
replaced with this patch.

The patch also replaces the varying number of invocations of the
conditioning function with one fixed number of invocations. The use
of the conditioning function consistent with the userspace Jitter RNG
library version 3.4.0.

The code is tested with a system that exhibited the least amount of
entropy generated by the Jitter RNG: the SiFive Unmatched RISC-V
system. The measured entropy rate is well above the heuristically
implied entropy value of 1 bit of entropy per time delta. On all other
tested systems, the measured entropy rate is even higher by orders
of magnitude. The measurement was performed using updated tooling
provided with the user space Jitter RNG library test framework.

The performance of the Jitter RNG with this patch is about en par
with the performance of the Jitter RNG without the patch.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-05-12 18:48:01 +08:00
..
asymmetric_keys modules-6.4-rc1 2023-04-27 16:36:55 -07:00
async_tx async_tx: fix kernel-doc notation warnings 2023-03-24 18:22:28 +08:00
842.c
Kconfig crypto: jitter - replace LFSR with SHA3-256 2023-05-12 18:48:01 +08:00
Makefile
acompress.c crypto: api - Fix CRYPTO_USER checks for report function 2023-05-02 18:22:24 +08:00
adiantum.c
aead.c crypto: api - Fix CRYPTO_USER checks for report function 2023-05-02 18:22:24 +08:00
aegis.h
aegis128-core.c
aegis128-neon-inner.c
aegis128-neon.c
aes_generic.c
aes_ti.c
af_alg.c
ahash.c crypto: hash - Make crypto_ahash_alg helper available 2023-05-12 18:48:01 +08:00
akcipher.c crypto: api - Fix CRYPTO_USER checks for report function 2023-05-02 18:22:24 +08:00
algapi.c crypto: engine - fix crypto_queue backlog handling 2023-04-28 17:50:43 +08:00
algboss.c
algif_aead.c
algif_hash.c crypto: algif_hash - Allocate hash state with kmalloc 2023-04-06 16:18:53 +08:00
algif_rng.c
algif_skcipher.c
ansi_cprng.c
anubis.c
api.c crypto: api - Add crypto_clone_tfm 2023-04-20 18:20:04 +08:00
arc4.c
aria_generic.c
authenc.c
authencesn.c
blake2b_generic.c
blowfish_common.c
blowfish_generic.c
camellia_generic.c
cast5_generic.c
cast6_generic.c
cast_common.c
cbc.c
ccm.c
cfb.c
chacha20poly1305.c
chacha_generic.c
cipher.c
cmac.c
compress.c
compress.h crypto: acomp - Count error stats differently 2023-03-14 17:06:42 +08:00
crc32_generic.c
crc32c_generic.c
crc64_rocksoft_generic.c
crct10dif_common.c
crct10dif_generic.c
cryptd.c crypto: cryptd - Add support for cloning hashes 2023-04-20 18:20:04 +08:00
crypto_engine.c crypto: engine - fix crypto_queue backlog handling 2023-04-28 17:50:43 +08:00
crypto_null.c
crypto_user_base.c
crypto_user_stat.c crypto: rng - Count error stats differently 2023-03-14 17:06:42 +08:00
ctr.c
cts.c
curve25519-generic.c
deflate.c
des_generic.c
dh.c
dh_helper.c
drbg.c crypto: drbg - Only fail when jent is unavailable in FIPS mode 2023-04-06 16:18:53 +08:00
ecb.c
ecc.c
ecc_curve_defs.h
ecdh.c
ecdh_helper.c
ecdsa.c
ecdsasignature.asn1
echainiv.c
ecrdsa.c
ecrdsa_defs.h
ecrdsa_params.asn1
ecrdsa_pub_key.asn1
essiv.c
fcrypt.c
fips.c crypto: fips - simplify one-level sysctl registration for crypto_sysctl_table 2023-03-17 11:16:44 +08:00
gcm.c
geniv.c
ghash-generic.c
hash.h crypto: hash - Add crypto_clone_ahash/shash 2023-04-20 18:20:04 +08:00
hash_info.c
hctr2.c
hmac.c crypto: hmac - Add support for cloning 2023-04-20 18:20:04 +08:00
internal.h crypto: api - Add crypto_clone_tfm 2023-04-20 18:20:04 +08:00
jitterentropy-kcapi.c crypto: jitter - replace LFSR with SHA3-256 2023-05-12 18:48:01 +08:00
jitterentropy.c crypto: jitter - replace LFSR with SHA3-256 2023-05-12 18:48:01 +08:00
jitterentropy.h crypto: jitter - replace LFSR with SHA3-256 2023-05-12 18:48:01 +08:00
kdf_sp800108.c
keywrap.c
khazad.c
kpp.c crypto: api - Fix CRYPTO_USER checks for report function 2023-05-02 18:22:24 +08:00
lrw.c
lz4.c
lz4hc.c
lzo-rle.c
lzo.c
md4.c
md5.c
michael_mic.c
nhpoly1305.c
ofb.c
pcbc.c
pcrypt.c
poly1305_generic.c
polyval-generic.c
proc.c
ripemd.h
rmd160.c
rng.c crypto: api - Fix CRYPTO_USER checks for report function 2023-05-02 18:22:24 +08:00
rsa-pkcs1pad.c
rsa.c
rsa_helper.c
rsaprivkey.asn1
rsapubkey.asn1
scatterwalk.c
scompress.c crypto: api - Fix CRYPTO_USER checks for report function 2023-05-02 18:22:24 +08:00
seed.c
seqiv.c
serpent_generic.c
sha1_generic.c
sha3_generic.c
sha256_generic.c
sha512_generic.c
shash.c crypto: api - Fix CRYPTO_USER checks for report function 2023-05-02 18:22:24 +08:00
simd.c
skcipher.c crypto: api - Fix CRYPTO_USER checks for report function 2023-05-02 18:22:24 +08:00
sm2.c
sm2signature.asn1
sm3.c
sm3_generic.c
sm4.c
sm4_generic.c
streebog_generic.c
tcrypt.c crypto: api - Move low-level functions into algapi.h 2023-04-14 18:59:34 +08:00
tcrypt.h
tea.c
testmgr.c crypto: testmgr - Add some test vectors for cmac(camellia) 2023-04-20 18:20:04 +08:00
testmgr.h crypto: testmgr - Add some test vectors for cmac(camellia) 2023-04-20 18:20:04 +08:00
twofish_common.c
twofish_generic.c
vmac.c
wp512.c
xcbc.c
xctr.c
xor.c
xts.c
xxhash_generic.c
zstd.c