Merge tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random

#ifdef CONFIG_ARCH_RANDOM

#include <linux/bug.h>

#include <linux/kernel.h>

#include <linux/random.h>

#include <asm/cpufeature.h>

	return (ftr >> ID_AA64ISAR0_RNDR_SHIFT) & 0xf;

}

static inline bool __init __must_check

arch_get_random_seed_long_early(unsigned long *v)

{

	WARN_ON(system_state != SYSTEM_BOOTING);

	if (!__early_cpu_has_rndr())

		return false;

	return __arm64_rndr(v);

}

#define arch_get_random_seed_long_early arch_get_random_seed_long_early

#else

static inline bool __arm64_rndr(unsigned long *v) { return false; }

config RANDOM_TRUST_CPU

	bool "Trust the CPU manufacturer to initialize Linux's CRNG"

	depends on X86 || S390 || PPC

	depends on ARCH_RANDOM

	default n

	help

	Assume that CPU manufacturer (e.g., Intel or AMD for RDSEED or

}

early_param("random.trust_cpu", parse_trust_cpu);

static void crng_initialize(struct crng_state *crng)

static bool crng_init_try_arch(struct crng_state *crng)

{

	int		i;

	int		arch_init = 1;

	bool		arch_init = true;

	unsigned long	rv;

	memcpy(&crng->state[0], "expand 32-byte k", 16);

	if (crng == &primary_crng)

		_extract_entropy(&input_pool, &crng->state[4],

				 sizeof(__u32) * 12, 0);

	else

		_get_random_bytes(&crng->state[4], sizeof(__u32) * 12);

	for (i = 4; i < 16; i++) {

		if (!arch_get_random_seed_long(&rv) &&

		    !arch_get_random_long(&rv)) {

			rv = random_get_entropy();

			arch_init = 0;

			arch_init = false;

		}

		crng->state[i] ^= rv;

	}

	return arch_init;

}

static bool __init crng_init_try_arch_early(struct crng_state *crng)

{

	int		i;

	bool		arch_init = true;

	unsigned long	rv;

	for (i = 4; i < 16; i++) {

		if (!arch_get_random_seed_long_early(&rv) &&

		    !arch_get_random_long_early(&rv)) {

			rv = random_get_entropy();

			arch_init = false;

		}

		crng->state[i] ^= rv;

	}

	if (trust_cpu && arch_init && crng == &primary_crng) {

	return arch_init;

}

static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)

{

	memcpy(&crng->state[0], "expand 32-byte k", 16);

	_get_random_bytes(&crng->state[4], sizeof(__u32) * 12);

	crng_init_try_arch(crng);

	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;

}

static void __init crng_initialize_primary(struct crng_state *crng)

{

	memcpy(&crng->state[0], "expand 32-byte k", 16);

	_extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);

	if (crng_init_try_arch_early(crng) && trust_cpu) {

		invalidate_batched_entropy();

		numa_crng_init();

		crng_init = 2;

		crng = kmalloc_node(sizeof(struct crng_state),

				    GFP_KERNEL | __GFP_NOFAIL, i);

		spin_lock_init(&crng->lock);

		crng_initialize(crng);

		crng_initialize_secondary(crng);

		pool[i] = crng;

	}

	mb();

	 * We take into account the first, second and third-order deltas

	 * in order to make our estimate.

	 */

	delta = sample.jiffies - state->last_time;

	state->last_time = sample.jiffies;

	delta = sample.jiffies - READ_ONCE(state->last_time);

	WRITE_ONCE(state->last_time, sample.jiffies);

	delta2 = delta - state->last_delta;

	state->last_delta = delta;

	delta2 = delta - READ_ONCE(state->last_delta);

	WRITE_ONCE(state->last_delta, delta);

	delta3 = delta2 - state->last_delta2;

	state->last_delta2 = delta2;

	delta3 = delta2 - READ_ONCE(state->last_delta2);

	WRITE_ONCE(state->last_delta2, delta2);

	if (delta < 0)

		delta = -delta;

int __init rand_initialize(void)

{

	init_std_data(&input_pool);

	crng_initialize(&primary_crng);

	crng_initialize_primary(&primary_crng);

	crng_global_init_time = jiffies;

	if (ratelimit_disable) {

		urandom_warning.interval = 0;

/*

 * Get a random word for internal kernel use only. The quality of the random

 * number is either as good as RDRAND or as good as /dev/urandom, with the

 * goal of being quite fast and not depleting entropy. In order to ensure

 * number is good as /dev/urandom, but there is no backtrack protection, with

 * the goal of being quite fast and not depleting entropy. In order to ensure

 * that the randomness provided by this function is okay, the function

 * wait_for_random_bytes() should be called and return 0 at least once

 * at any point prior.

 * wait_for_random_bytes() should be called and return 0 at least once at any

 * point prior.

 */

static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {

	.batch_lock	= __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock),

	struct batched_entropy *batch;

	static void *previous;

#if BITS_PER_LONG == 64

	if (arch_get_random_long((unsigned long *)&ret))

		return ret;

#else

	if (arch_get_random_long((unsigned long *)&ret) &&

	    arch_get_random_long((unsigned long *)&ret + 1))

	    return ret;

#endif

	warn_unseeded_randomness(&previous);

	batch = raw_cpu_ptr(&batched_entropy_u64);

	struct batched_entropy *batch;

	static void *previous;

	if (arch_get_random_int(&ret))

		return ret;

	warn_unseeded_randomness(&previous);

	batch = raw_cpu_ptr(&batched_entropy_u32);

#ifndef _LINUX_RANDOM_H

#define _LINUX_RANDOM_H

#include <linux/bug.h>

#include <linux/kernel.h>

#include <linux/list.h>

#include <linux/once.h>

}

#endif

/*

 * Called from the boot CPU during startup; not valid to call once

 * secondary CPUs are up and preemption is possible.

 */

#ifndef arch_get_random_seed_long_early

static inline bool __init arch_get_random_seed_long_early(unsigned long *v)

{

	WARN_ON(system_state != SYSTEM_BOOTING);

	return arch_get_random_seed_long(v);

}

#endif

#ifndef arch_get_random_long_early

static inline bool __init arch_get_random_long_early(unsigned long *v)

{

	WARN_ON(system_state != SYSTEM_BOOTING);

	return arch_get_random_long(v);

}

#endif

/* Pseudo random number generator from numerical recipes. */

static inline u32 next_pseudo_random32(u32 seed)

{