• H
    s390/archrandom: Rework arch random implementation. · 3376d980
    Harald Freudenberger 提交于
    The arch_get_random_seed_long() invocation done by the random device
    driver is done in interrupt context and may be invoked very very
    frequently. The existing s390 arch_get_random_seed*() implementation
    uses the PRNO(TRNG) instruction which produces excellent high quality
    entropy but is relatively slow and thus expensive.
    
    This fix reworks the arch_get_random_seed* implementation. It
    introduces a buffer concept to decouple the delivery of random data
    via arch_get_random_seed*() from the generation of new random
    bytes. The buffer of random data is filled asynchronously by a
    workqueue thread.
    If there are enough bytes in the buffer the s390_arch_random_generate()
    just delivers these bytes. Otherwise false is returned until the worker
    thread refills the buffer.
    The worker fills the rng buffer by pulling fresh entropy from the
    high quality (but slow) true hardware random generator. This entropy
    is then spread over the buffer with an pseudo random generator.
    As the arch_get_random_seed_long() fetches 8 bytes and the calling
    function add_interrupt_randomness() counts this as 1 bit entropy the
    distribution needs to make sure there is in fact 1 bit entropy
    contained in 8 bytes of the buffer. The current values pull 32 byte
    entropy and scatter this into a 2048 byte buffer. So 8 byte in the
    buffer will contain 1 bit of entropy.
    The worker thread is rescheduled based on the charge level of the
    buffer but at least with 500 ms delay to avoid too much cpu consumption.
    So the max. amount of rng data delivered via arch_get_random_seed is
    limited to 4Kb per second.
    Signed-off-by: NHarald Freudenberger <freude@de.ibm.com>
    Reviewed-by: NPatrick Steuer <patrick.steuer@de.ibm.com>
    Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
    3376d980
archrandom.h 1.3 KB