Skip to content

Commit

Permalink
UPSTREAM: crypto: jitter - add oversampling of noise source
Browse files Browse the repository at this point in the history
The output n bits can receive more than n bits of min entropy, of course,
but the fixed output of the conditioning function can only asymptotically
approach the output size bits of min entropy, not attain that bound.
Random maps will tend to have output collisions, which reduces the
creditable output entropy (that is what SP 800-90B Section 3.1.5.1.2
attempts to bound).

The value "64" is justified in Appendix A.4 of the current 90C draft,
and aligns with NIST's in "epsilon" definition in this document, which is
that a string can be considered "full entropy" if you can bound the min
entropy in each bit of output to at least 1-epsilon, where epsilon is
required to be <= 2^(-32).

Note, this patch causes the Jitter RNG to cut its performance in half in
FIPS mode because the conditioning function of the LFSR produces 64 bits
of entropy in one block. The oversampling requires that additionally 64
bits of entropy are sampled from the noise source. If the conditioner is
changed, such as using SHA-256, the impact of the oversampling is only
one fourth, because for the 256 bit block of the conditioner, only 64
additional bits from the noise source must be sampled.

This patch is derived from the user space jitterentropy-library.

Signed-off-by: Stephan Mueller <[email protected]>
Reviewed-by: Simo Sorce <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>

Bug: 188620248
(cherry picked from commit 908dffaf88a248e542bdae3ca174f27b8f4ccf37)
Change-Id: I7ae1fe58c1b5ea5f206a8f3675f0c20e255a97ec
Signed-off-by: Eric Biggers <[email protected]>
  • Loading branch information
smuellerDD authored and metti committed Oct 7, 2022
1 parent 6ed90e9 commit befd3e3
Showing 1 changed file with 21 additions and 2 deletions.
23 changes: 21 additions & 2 deletions crypto/jitterentropy.c
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,22 @@ struct rand_data {
#define JENT_EHEALTH 9 /* Health test failed during initialization */
#define JENT_ERCT 10 /* RCT failed during initialization */

/*
* The output n bits can receive more than n bits of min entropy, of course,
* but the fixed output of the conditioning function can only asymptotically
* approach the output size bits of min entropy, not attain that bound. Random
* maps will tend to have output collisions, which reduces the creditable
* output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound).
*
* The value "64" is justified in Appendix A.4 of the current 90C draft,
* and aligns with NIST's in "epsilon" definition in this document, which is
* that a string can be considered "full entropy" if you can bound the min
* entropy in each bit of output to at least 1-epsilon, where epsilon is
* required to be <= 2^(-32).
*/
#define JENT_ENTROPY_SAFETY_FACTOR 64

#include <linux/fips.h>
#include "jitterentropy.h"

/***************************************************************************
Expand Down Expand Up @@ -546,7 +562,10 @@ static int jent_measure_jitter(struct rand_data *ec)
*/
static void jent_gen_entropy(struct rand_data *ec)
{
unsigned int k = 0;
unsigned int k = 0, safety_factor = 0;

if (fips_enabled)
safety_factor = JENT_ENTROPY_SAFETY_FACTOR;

/* priming of the ->prev_time value */
jent_measure_jitter(ec);
Expand All @@ -560,7 +579,7 @@ static void jent_gen_entropy(struct rand_data *ec)
* We multiply the loop value with ->osr to obtain the
* oversampling rate requested by the caller
*/
if (++k >= (DATA_SIZE_BITS * ec->osr))
if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))
break;
}
}
Expand Down

0 comments on commit befd3e3

Please sign in to comment.