From c54c1a24e1ffd10c9b7cc711803249e834bf4519 Mon Sep 17 00:00:00 2001 From: "Robin H. Johnson" Date: Tue, 10 Nov 2009 03:15:06 +0000 Subject: Add support to use TPM devices as RNG sources per Matt Domsch: http://domsch.com/blog/?p=107. --- sys-apps/rng-tools/Manifest | 4 + sys-apps/rng-tools/files/2-r2/rngd | 60 +++++ sys-apps/rng-tools/files/2-r2/rngd-conf | 22 ++ sys-apps/rng-tools/files/rngd_tpm_support.patch | 288 ++++++++++++++++++++++++ sys-apps/rng-tools/rng-tools-2-r2.ebuild | 31 +++ 5 files changed, 405 insertions(+) create mode 100644 sys-apps/rng-tools/files/2-r2/rngd create mode 100644 sys-apps/rng-tools/files/2-r2/rngd-conf create mode 100644 sys-apps/rng-tools/files/rngd_tpm_support.patch create mode 100644 sys-apps/rng-tools/rng-tools-2-r2.ebuild (limited to 'sys-apps/rng-tools') diff --git a/sys-apps/rng-tools/Manifest b/sys-apps/rng-tools/Manifest index 1bb70719542b..f9b0df43ed99 100644 --- a/sys-apps/rng-tools/Manifest +++ b/sys-apps/rng-tools/Manifest @@ -1,6 +1,10 @@ +AUX 2-r2/rngd 1748 RMD160 50dc8789437105f9d8887b79a7e0b0f82fb47424 SHA1 006c03919802ec54eb10b9c1ce8b3d74d23a1aea SHA256 27921130fee5dbc252ab0ca00c2756cdaf1085bb1df753da6b4a60764438680d +AUX 2-r2/rngd-conf 526 RMD160 5539152fa9544775cb47cb18f4b0c0e1ce113a13 SHA1 ca364bc4d3b905c2892e15be5afec7da617ae5ff SHA256 311464e4f573379a81f449af43d8a7c0328ac2a84d8f6e541e015542dfb145ed AUX 2/rngd 1488 RMD160 eb3628986ba3896deb8dfaf6765c052cb2d673ae SHA1 ce333b36be8144f24d55397c06dbf0eea4f3563d SHA256 00f8d05292565feb750d20af4ff6ff8ee20a14ae09c0164ec7b6b4b1ee67028d AUX 2/rngd-conf 259 RMD160 278957b8acad462fd5c888344fb21a52dffd1c6b SHA1 a3fe13793fffe10577f94398946b20142eae0771 SHA256 4dff7a0c8406f5344f71d236e755877388e93ff6728eedfdfe6921b3de41d137 +AUX rngd_tpm_support.patch 7620 RMD160 b346d1b27edcd7cb9ad302ec870c73029e7f5276 SHA1 415115d91e823b5a74ef396d5b0bf62b8770b34b SHA256 44839db3a5dbc6d7a27d9e66ace1a68459bc532cd36e891a996b4f9dcd59f555 DIST rng-tools-2.tar.gz 86429 RMD160 c40bc13068ffb48e28e1a8da274c0be40deb0a8a SHA1 45f43b0992b9978f9e0633d31d7f4b2a3643d293 SHA256 1126f0ecc8cab3af14a562cddc5d8ffeef47df7eba34a7aadcdee35a25ec2b1e EBUILD rng-tools-2-r1.ebuild 780 RMD160 04c419c84306e79aab5a9220a3657a3bbe73641e SHA1 c8b1b7113993f9d3605e982d3cc2e7e369c886ac SHA256 c807a02a07216dfbe879742ae75cc33d3870d11f07cc8a9c5de43da0b8c98e21 +EBUILD rng-tools-2-r2.ebuild 793 RMD160 8d27c06eafddadbebec93880eb4f54b1599f8511 SHA1 ff9708cc0fdbe66c7462e559448c4e2adde40ecc SHA256 d0a0f72cbec85b6eb11758732080cfc436fbfe2c2fbc8b41d58ec7241787ad8d MISC ChangeLog 3207 RMD160 317b5208447c9116a8cd20adedcff85ccb756e3b SHA1 c37e058df5d73accdf1cfcf3eb5d6cd5755af90b SHA256 20a70bd0ee5b38b71861cd19cebb0432fbb340350851c080122f66368c210d25 MISC metadata.xml 231 RMD160 984878f0848eaa1ef84b38196bb704d218277437 SHA1 6015bdc80c95314a6250c06380f316ca4c753770 SHA256 c9a6ce79e19aa9257b980bda6f6b6332d0fcb81f50800bb12c1a1c6d2f5cd443 diff --git a/sys-apps/rng-tools/files/2-r2/rngd b/sys-apps/rng-tools/files/2-r2/rngd new file mode 100644 index 000000000000..8d8cb2c07f3f --- /dev/null +++ b/sys-apps/rng-tools/files/2-r2/rngd @@ -0,0 +1,60 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-apps/rng-tools/files/2-r2/rngd,v 1.1 2009/11/10 03:15:06 robbat2 Exp $ + +depend() { + need localmount + after random +} + +BINARY=/usr/sbin/rngd +# Do NOT add /dev/tpm to this. +DEFAULT_DEVICE="/dev/hw_random* /dev/hwrandom* /dev/i810_rng /dev/hwrng* /dev/urandom" +DEFAULT_TPM_DEVICE="/dev/tpm*" + +find_device() { + # The echo is to cause globbing + for d in $*; do + [ -e "$d" ] && break + done + echo "$d" +} + +find_rng_device() { + local d="$(find_device $(echo ${DEVICE-${DEFAULT_DEVICE}}))" + [ -z "${d}" ] && d=/dev/null + echo "$d" +} + +find_tpm_device() { + local d="$(find_device $(echo ${TPM_DEVICE-${DEFAULT_TPM_DEVICE}}))" + [ -z "${d}" ] && d=/dev/null + echo "$d" +} + +start() { + local d t + d="$(find_rng_device)" + [ "${NO_TPM}" == "1" ] || t="$(find_tpm_device)" + [ -z "${d}" ] && d=/dev/null + [ -z "${t}" ] && t=/dev/null + # TODO: find a better way to handle multiple feedback devices. + # Notice that we only warn if TPM is not available. + [ "$d" == "/dev/urandom" -a "$t" == "/dev/null" ] && ewarn "No hardware RNG found, using $d as feedback input" + # Now sanity check and start. + if [ "$d" != "/dev/null" -o "$t" != "/dev/null" ]; then + ebegin "Starting hardware RNG daemon" + start-stop-daemon --start --quiet --exec ${BINARY} -- -b -s ${STEP-64} -t ${TIMEOUT-60} --no-tpm=${NO_TPM-0} -W ${WATERMARK-2048} -r $d + eend $? "Failed to start hardware RNG daemon" + else + eerror "No hardware RNG or feedback source available." + return 1 + fi +} + +stop() { + ebegin "Stopping hardware RNG daemon" + start-stop-daemon --stop --quiet --exec ${BINARY} + eend $? "Failed to stop hardware RNG daemon" +} diff --git a/sys-apps/rng-tools/files/2-r2/rngd-conf b/sys-apps/rng-tools/files/2-r2/rngd-conf new file mode 100644 index 000000000000..d6efc7466f5c --- /dev/null +++ b/sys-apps/rng-tools/files/2-r2/rngd-conf @@ -0,0 +1,22 @@ +# /etc/conf.d/rngd + +# Please see "/usr/sbin/rngd --help" and "man rngd" for more information + +# If a single device is preferred, then specify it here, otherwise we will +# search for suitable devices. TPM is specified via a later option, not this +# one. +#DEVICE= +#TPM_DEVICE= + +# Random step (Number of bytes written to random-device at a time): +STEP=64 + +# Timeout (Interval written to random-device when the entropy pool is full): +TIMEOUT=60 + +# Should TPM be avoided? +NO_TPM=0 + +# Fill watermark +# 0 <= n <= 4096 +WATERMARK=2048 diff --git a/sys-apps/rng-tools/files/rngd_tpm_support.patch b/sys-apps/rng-tools/files/rngd_tpm_support.patch new file mode 100644 index 000000000000..0edc47109e0a --- /dev/null +++ b/sys-apps/rng-tools/files/rngd_tpm_support.patch @@ -0,0 +1,288 @@ +Patch taken from http://sourceforge.net/tracker/?func=detail&aid=2261574&group_id=3242&atid=353242 + +diff -uNr rng-tools-2-orig/rngd.c rng-tools-2/rngd.c +--- rng-tools-2-orig/rngd.c 2004-08-24 23:30:00.000000000 +0530 ++++ rng-tools-2/rngd.c 2008-11-11 15:39:31.000000000 +0530 +@@ -91,6 +91,8 @@ + + { "timeout", 't', "nnn", 0, + "Interval written to random-device when the entropy pool is full, in seconds (default: 60)" }, ++ { "no-tpm", 'n', "1|0", 0, ++ "do not use tpm as a source of random number input (default: 0)" }, + + { 0 }, + }; +@@ -102,6 +104,7 @@ + .random_step = 64, + .fill_watermark = 2048, + .daemon = 1, ++ .no_tpm =0, + }; + struct arguments *arguments = &default_arguments; + +@@ -147,6 +150,15 @@ + arguments->fill_watermark = n; + break; + } ++ case 'n': { ++ int n; ++ if ((sscanf(arg,"%i", &n) == 0) || ((n | 1)!=1)) ++ argp_usage(state); ++ else ++ arguments->no_tpm=0; ++ break; ++ ++ } + + default: + return ARGP_ERR_UNKNOWN; +@@ -162,26 +174,41 @@ + double poll_timeout) + { + unsigned char buf[FIPS_RNG_BUFFER_SIZE]; +- unsigned char *p; +- int fips; ++ int fips,retval; + + for (;;) { +- xread(buf, sizeof buf); ++ if (arguments->no_tpm == 0) { ++ retval=xread_tpm(buf, sizeof buf); ++ if (retval < 0) ++ sleep(1); ++ else ++ update_kernel_random(random_step, ++ poll_timeout, buf, &tpm_fipsctx); ++ } ++ retval=xread(buf, sizeof buf); ++ if (retval > 0) ++ update_kernel_random(random_step, ++ poll_timeout, buf, &fipsctx); ++ } ++} + +- fips = fips_run_rng_test(&fipsctx, buf); ++int update_kernel_random(int random_step, double poll_timeout, ++ unsigned char *buf, fips_ctx_t *fipsctx) { + +- if (fips) { +- message(LOG_DAEMON|LOG_ERR, "failed fips test\n"); +- sleep(1); +- continue; +- } ++ int fips; ++ unsigned char *p; ++ fips = fips_run_rng_test(fipsctx, buf); ++ if (fips) { ++ message(LOG_DAEMON|LOG_ERR, "failed fips test\n"); ++ return 1; ++ } + +- for (p = buf; p + random_step <= &buf[sizeof buf]; +- p += random_step) { +- random_add_entropy(p, random_step); +- random_sleep(poll_timeout); +- } ++ for (p = buf; p + random_step <= &buf[FIPS_RNG_BUFFER_SIZE]; ++ p += random_step) { ++ random_add_entropy(p, random_step); ++ random_sleep(poll_timeout); + } ++ return 0; + } + + +diff -uNr rng-tools-2-orig/rngd_entsource.c rng-tools-2/rngd_entsource.c +--- rng-tools-2-orig/rngd_entsource.c 2004-04-15 10:36:17.000000000 +0530 ++++ rng-tools-2/rngd_entsource.c 2008-11-11 15:39:31.000000000 +0530 +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + + #include "rngd.h" + #include "fips.h" +@@ -42,17 +43,27 @@ + #include "rngd_entsource.h" + + +-/* Logic and contexts */ +-static int rng_fd; /* rng data source */ +-fips_ctx_t fipsctx; /* Context for the FIPS tests */ ++/* The overhead incured when tpm returns the random nos as per TCG spec ++ * it is 14 bytes.*/ ++#define TPM_GET_RNG_OVERHEAD 14 + ++static const char *rng_device="/dev/tpm0"; ++/* Logic and contexts */ ++static int rng_fd; /* rng data source */ ++fips_ctx_t fipsctx; /* Context for the FIPS tests */ ++fips_ctx_t tpm_fipsctx; /* Context for the tpm FIPS tests */ + + /* Read data from the entropy source */ +-void xread(void *buf, size_t size) ++int xread(void *buf, size_t size) + { + size_t off = 0; + ssize_t r; + ++ /* Do nothing if we have no hw rng, maybe we have tpm */ ++ if (rng_fd < 0) { ++ message(LOG_DAEMON|LOG_ERR, "Invalid file handle\n"); ++ return -1; ++ } + while (size > 0) { + do { + r = read(rng_fd, buf + off, size); +@@ -65,8 +76,85 @@ + + if (size) { + message(LOG_DAEMON|LOG_ERR, "read error\n"); +- exit(1); ++ return -1; ++ } ++ return 0; ++} ++ ++alarm_handler(int i) { ++ ; ++} ++/* tpm rng read call to kernel has 13 bytes of overhead ++ * the logic to process this involves reading to a temporary_buf ++ * and copying the no generated to buf*/ ++int xread_tpm(void *buf, size_t size) ++{ ++ size_t bytes_read = 0; ++ ssize_t r; ++ int retval,rngtpm_fd; ++ unsigned char *temp_buf=NULL; ++ unsigned char rng_cmd[] = { ++ 0, 193, /* TPM_TAG_RQU_COMMAND */ ++ 0, 0, 0, 14, /* length */ ++ 0, 0, 0, 70, /* TPM_ORD_GetRandom */ ++ 0, 0, 0, 0, /* number of bytes to return */ ++ }; ++ char *offset; ++ ++ rngtpm_fd=open(rng_device, O_RDWR); ++ if (rngtpm_fd < 0) { ++ message(LOG_ERR|LOG_INFO, ++ "Unable to open %s: %s\n",rng_device,strerror(errno)); ++ return -1; ++ } ++ ++ temp_buf= (unsigned char *) malloc(size + TPM_GET_RNG_OVERHEAD); ++ memset(temp_buf,0,(size+TPM_GET_RNG_OVERHEAD)); ++ if (temp_buf == NULL) { ++ message(LOG_ERR|LOG_INFO,"No memory"); ++ return -1; ++ } ++ /* 32 bits has been reserved for random byte size */ ++ rng_cmd[13]=(unsigned char)(size & 0xFF); ++ rng_cmd[12]=(unsigned char)((size >> 8) & 0xFF); ++ rng_cmd[11]=(unsigned char)((size >> 16) & 0xFF); ++ rng_cmd[10]=(unsigned char)((size >> 24) & 0xFF); ++ offset=buf; ++ while (bytes_read < size) { ++ r=0; ++ while (r < sizeof(rng_cmd)) { ++ retval=write(rngtpm_fd,rng_cmd + r,sizeof(rng_cmd)-r); ++ if (retval < 0) { ++ message(LOG_ERR|LOG_INFO, ++ "Error writing %s\n",rng_device); ++ retval=-1; ++ goto error_out; ++ } ++ r+=retval; ++ } ++ if (r < sizeof(rng_cmd)) { ++ message(LOG_ERR|LOG_INFO, ++ "Error writing %s\n",rng_device); ++ retval=-1; ++ goto error_out; ++ } ++ r=read(rngtpm_fd,temp_buf,size); ++ r=(r - TPM_GET_RNG_OVERHEAD); ++ bytes_read=bytes_read + r; ++ if (bytes_read > size) { ++ memcpy(offset,temp_buf + TPM_GET_RNG_OVERHEAD, ++ r - (bytes_read - size)); ++ break; ++ } ++ memcpy(offset, temp_buf + TPM_GET_RNG_OVERHEAD, ++ r); ++ offset=offset+r; + } ++ retval=0; ++error_out: ++ free(temp_buf); ++ close(rngtpm_fd); ++ return retval; + } + + /* Initialize entropy source */ +@@ -93,14 +181,31 @@ + */ + void init_entropy_source(const char* sourcedev) + { ++ /* We cannot keep the tpm device open always. ++ * We need to open get random data and close ++ * to allow tpm-tools and other utilities ++ * access to /dev/tpm */ ++ int tpm_fd; + rng_fd = open(sourcedev, O_RDONLY); + if (rng_fd == -1) { + message(LOG_DAEMON|LOG_ERR, "can't open %s: %s", + sourcedev, strerror(errno)); +- exit(EXIT_FAIL); ++ /* Try to open tpm this is just a test, no point in proceeding further ++ * if no source of entropy is present ++ */ ++ tpm_fd = open(rng_device, O_RDONLY); ++ if (tpm_fd < 0 ) { ++ message(LOG_DAEMON|LOG_ERR, ++ "can't open entropy source(tpm or intel/amd rng) %s", ++ strerror(errno)); ++ message(LOG_DAEMON|LOG_ERR,"Maybe RNG device modules are not loaded\n"); ++ exit(1); ++ } ++ close(tpm_fd); + } + + /* Bootstrap FIPS tests */ + fips_init(&fipsctx, discard_initial_data()); ++ fips_init(&tpm_fipsctx, 0); + } + +diff -uNr rng-tools-2-orig/rngd_entsource.h rng-tools-2/rngd_entsource.h +--- rng-tools-2-orig/rngd_entsource.h 2004-04-15 10:34:45.000000000 +0530 ++++ rng-tools-2/rngd_entsource.h 2008-11-11 15:39:31.000000000 +0530 +@@ -28,7 +28,7 @@ + + /* Logic and contexts */ + extern fips_ctx_t fipsctx; /* Context for the FIPS tests */ +- ++extern fips_ctx_t tpm_fipsctx; /* Context for the tpm FIPS tests */ + /* + * Initialize entropy source and entropy conditioning + * +@@ -37,6 +37,6 @@ + extern void init_entropy_source(const char* sourcedev); + + /* Read data from the entropy source */ +-void xread(void *buf, size_t size); ++int xread(void *buf, size_t size); + + #endif /* RNGD_ENTSOURCE__H */ +diff -uNr rng-tools-2-orig/rngd.h rng-tools-2/rngd.h +--- rng-tools-2-orig/rngd.h 2004-08-24 23:23:04.000000000 +0530 ++++ rng-tools-2/rngd.h 2008-11-11 15:39:31.000000000 +0530 +@@ -42,6 +42,7 @@ + double poll_timeout; + + int daemon; ++ int no_tpm; + }; + extern struct arguments *arguments; + diff --git a/sys-apps/rng-tools/rng-tools-2-r2.ebuild b/sys-apps/rng-tools/rng-tools-2-r2.ebuild new file mode 100644 index 000000000000..1e7ca7c351d2 --- /dev/null +++ b/sys-apps/rng-tools/rng-tools-2-r2.ebuild @@ -0,0 +1,31 @@ +# Copyright 1999-2009 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-apps/rng-tools/rng-tools-2-r2.ebuild,v 1.1 2009/11/10 03:15:03 robbat2 Exp $ + +EAPI=2 +inherit autotools + +DESCRIPTION="Daemon to use hardware random number generators." +HOMEPAGE="http://gkernel.sourceforge.net/" +SRC_URI="mirror://sourceforge/gkernel/${P}.tar.gz" +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~x86" +IUSE="" +DEPEND="" +RDEPEND="" + +src_prepare() { + epatch "${FILESDIR}"/rngd_tpm_support.patch + + echo 'bin_PROGRAMS = randstat' >> contrib/Makefile.am + eautoreconf +} + +src_install() { + make DESTDIR="${D}" install || die + + dodoc AUTHORS ChangeLog + doinitd "${FILESDIR}/2-r2/rngd" + newconfd "${FILESDIR}/2-r2/rngd-conf" rngd +} -- cgit v1.2.3-65-gdbad