# SPDX-License-Identifier: GPL-2.0
#
# Linux Random Number Generator configuration
#

menuconfig LRNG
	bool "Linux Random Number Generator"
	select CRYPTO_LIB_SHA256 if CRYPTO
	help
	  The Linux Random Number Generator (LRNG) is the replacement
	  of the existing /dev/random provided with drivers/char/random.c.
	  It generates entropy from different noise sources and
	  delivers significant entropy during boot.

if LRNG

menu "Specific DRNG seeding strategies"

config LRNG_OVERSAMPLE_ENTROPY_SOURCES
	bool "Oversample entropy sources"
	default n
	help
	  When enabling this option, the entropy sources are
	  over-sampled with the following approach: First, the
	  the entropy sources are requested to provide 64 bits more
	  entropy than the size of the entropy buffer. For example,
	  if the entropy buffer is 256 bits, 320 bits of entropy
	  is requested to fill that buffer.

	  Second, the seed operation of the deterministic RNG
	  requests 128 bits more data from each entropy source than
	  the security strength of the DRNG during initialization.
	  A prerequisite for this operation is that the digest size
	  of the used hash must be at least equally large to generate
	  that buffer. If the prerequisite is not met, this
	  oversampling is not applied.

	  This strategy is intended to offset the asymptotic entropy
	  increase to reach full entropy in a buffer.

	  The strategy is consistent with the requirements in
	  NIST SP800-90C and is only enforced with fips=1.

	  If unsure, say N.

config LRNG_OVERSAMPLE_ES_BITS
	int
	default 0 if !LRNG_OVERSAMPLE_ENTROPY_SOURCES
	default 64 if LRNG_OVERSAMPLE_ENTROPY_SOURCES

config LRNG_SEED_BUFFER_INIT_ADD_BITS
	int
	default 0 if !LRNG_OVERSAMPLE_ENTROPY_SOURCES
	default 128 if LRNG_OVERSAMPLE_ENTROPY_SOURCES

endmenu # "Specific DRNG seeding strategies"

menu "Entropy Source Configuration"

comment "Interrupt Entropy Source"

choice
	prompt "Continuous entropy compression boot time setting"
	default LRNG_CONTINUOUS_COMPRESSION_ENABLED
	help
	  Select the default behavior of the interrupt entropy source
	  continuous compression operation.

	  The Linux RNG collects entropy data during each interrupt.
	  For performance reasons, a amount of entropy data defined by
	  the LRNG entropy collection pool size is concatenated into
	  an array. When that array is filled up, a hash is calculated
	  to compress the entropy. That hash is calculated in
	  interrupt context.

	  In case such hash calculation in interrupt context is deemed
	  too time-consuming, the continuous compression operation
	  can be disabled. If disabled, the collection of entropy will
	  not trigger a hash compression operation in interrupt context.
	  The compression happens only when the DRNG is reseeded which is
	  in process context. This implies that old entropy data
	  collected after the last DRNG-reseed is overwritten with newer
	  entropy data once the collection pool is full instead of
	  retaining its entropy with the compression operation.

	config LRNG_CONTINUOUS_COMPRESSION_ENABLED
		bool "Enable continuous compression (default)"

	config LRNG_CONTINUOUS_COMPRESSION_DISABLED
		bool "Disable continuous compression"
endchoice

config LRNG_ENABLE_CONTINUOUS_COMPRESSION
	bool
	default y if LRNG_CONTINUOUS_COMPRESSION_ENABLED
	default n if LRNG_CONTINUOUS_COMPRESSION_DISABLED

config LRNG_SWITCHABLE_CONTINUOUS_COMPRESSION
	bool "Runtime-switchable continuous entropy compression"
	help
	  Per default, the interrupt entropy source continuous
	  compression operation behavior is hard-wired into the kernel.
	  Enable this option to allow it to be configurable at boot time.

	  To modify the default behavior of the continuous
	  compression operation, use the kernel command line option
	  of lrng_sw_noise.lrng_pcpu_continuous_compression.

	  If unsure, say N.

choice
	prompt "LRNG Entropy Collection Pool Size"
	default LRNG_COLLECTION_SIZE_1024
	help
	  Select the size of the LRNG entropy collection pool
	  storing data for the interrupt entropy source without
	  performing a compression operation. The larger the
	  collection size is, the faster the average interrupt
	  handling will be. The collection size represents the
	  number of bytes of the per-CPU memory used to batch
	  up entropy event data.

	  The default value is good for regular operations. Choose
	  larger sizes for servers that have no memory limitations.
	  If runtime memory is precious, choose a smaller size.

	  The collection size is unrelated to the entropy rate
	  or the amount of entropy the LRNG can process.

	config LRNG_COLLECTION_SIZE_32
	depends on LRNG_CONTINUOUS_COMPRESSION_ENABLED
	depends on !LRNG_SWITCHABLE_CONTINUOUS_COMPRESSION
	depends on !LRNG_OVERSAMPLE_ENTROPY_SOURCES
		bool "32 interrupt events"

	config LRNG_COLLECTION_SIZE_256
	depends on !LRNG_OVERSAMPLE_ENTROPY_SOURCES
		bool "256 interrupt events"

	config LRNG_COLLECTION_SIZE_512
		bool "512 interrupt events"

	config LRNG_COLLECTION_SIZE_1024
		bool "1024 interrupt events (default)"

	config LRNG_COLLECTION_SIZE_2048
		bool "2048 interrupt events"

	config LRNG_COLLECTION_SIZE_4096
		bool "4096 interrupt events"

	config LRNG_COLLECTION_SIZE_8192
		bool "8192 interrupt events"

endchoice

config LRNG_COLLECTION_SIZE
	int
	default 32 if LRNG_COLLECTION_SIZE_32
	default 256 if LRNG_COLLECTION_SIZE_256
	default 512 if LRNG_COLLECTION_SIZE_512
	default 1024 if LRNG_COLLECTION_SIZE_1024
	default 2048 if LRNG_COLLECTION_SIZE_2048
	default 4096 if LRNG_COLLECTION_SIZE_4096
	default 8192 if LRNG_COLLECTION_SIZE_8192

config LRNG_HEALTH_TESTS
	bool "Enable interrupt entropy source online health tests"
	help
	  The online health tests applied to the interrupt entropy
	  source validate the noise source at runtime for fatal
	  errors. These tests include SP800-90B compliant tests
	  which are invoked if the system is booted with fips=1.
	  In case of fatal errors during active SP800-90B tests,
	  the issue is logged and the noise data is discarded.
	  These tests are required for full compliance of the
	  interrupt entropy source with SP800-90B.

	  If unsure, say Y.

config LRNG_RCT_BROKEN
	bool "SP800-90B RCT with dangerous low cutoff value"
	depends on LRNG_HEALTH_TESTS
	depends on BROKEN
	default n
	help
	  This option enables a dangerously low SP800-90B repetitive
	  count test (RCT) cutoff value which makes it very likely
	  that the RCT is triggered to raise a self test failure.

	  This option is ONLY intended for developers wanting to
	  test the effectiveness of the SP800-90B RCT health test.

	  If unsure, say N.

config LRNG_APT_BROKEN
	bool "SP800-90B APT with dangerous low cutoff value"
	depends on LRNG_HEALTH_TESTS
	depends on BROKEN
	default n
	help
	  This option enables a dangerously low SP800-90B adaptive
	  proportion test (APT) cutoff value which makes it very
	  likely that the APT is triggered to raise a self test
	  failure.

	  This option is ONLY intended for developers wanting to
	  test the effectiveness of the SP800-90B APT health test.

	  If unsure, say N.

# Default taken from SP800-90B sec 4.4.1 - significance level 2^-30
config LRNG_RCT_CUTOFF
	int
	default 31 if !LRNG_RCT_BROKEN
	default 1 if LRNG_RCT_BROKEN

# Default taken from SP800-90B sec 4.4.2 - significance level 2^-30
config LRNG_APT_CUTOFF
	int
	default 325 if !LRNG_APT_BROKEN
	default 32 if LRNG_APT_BROKEN

config LRNG_IRQ_ENTROPY_RATE
	int "Interrupt Entropy Source Entropy Rate"
	range 256 4294967295
	default 256
	help
	  The LRNG will collect the configured number of interrupts to
	  obtain 256 bits of entropy. This value can be set to any between
	  256 and 4294967295. The LRNG guarantees that this value is not
	  lower than 256. This lower limit implies that one interrupt event
	  is credited with one bit of entropy. This value is subject to the
	  increase by the oversampling factor, if no high-resolution timer
	  is found.

	  In order to effectively disable the interrupt entropy source,
	  the option has to be set to 4294967295. In this case, the
	  interrupt entropy source will still deliver data but without
	  being credited with entropy.

comment "Jitter RNG Entropy Source"

config LRNG_JENT
	bool "Enable Jitter RNG as LRNG Seed Source"
	depends on CRYPTO
	select CRYPTO_JITTERENTROPY
	help
	  The Linux RNG may use the Jitter RNG as noise source. Enabling
	  this option enables the use of the Jitter RNG. Its default
	  entropy level is 16 bits of entropy per 256 data bits delivered
	  by the Jitter RNG. This entropy level can be changed at boot
	  time or at runtime with the lrng_base.jitterrng configuration
	  variable.

config LRNG_JENT_ENTROPY_RATE
	int "Jitter RNG Entropy Source Entropy Rate"
	range 0 256
	default 16
	help
	  The option defines the amount of entropy the LRNG applies to 256
	  bits of data obtained from the Jitter RNG entropy source. The
	  LRNG enforces the limit that this value must be in the range
	  between 0 and 256.

	  In order to disable the Jitter RNG entropy source, the option
	  has to be set to 0.

comment "CPU Entropy Source"

config LRNG_CPU_ENTROPY_RATE
	int "CPU Entropy Source Entropy Rate"
	range 0 256
	default 8
	help
	  The option defines the amount of entropy the LRNG applies to 256
	  bits of data obtained from the CPU entropy source. The LRNG
	  enforces the limit that this value must be in the range between
	  0 and 256.

	  In order to disable the CPU entropy source, the option has to
	  be set to 0.

	  Note, this option is overwritten when the option
	  CONFIG_RANDOM_TRUST_CPU is set.

endmenu # "Entropy Source Configuration"

menuconfig LRNG_DRNG_SWITCH
	bool "Support DRNG runtime switching"
	help
	  The Linux RNG per default uses a ChaCha20 DRNG that is
	  accessible via the external interfaces. With this configuration
	  option other DRNGs can be selected and loaded at runtime.

if LRNG_DRNG_SWITCH

config LRNG_KCAPI_HASH
	bool
	select CRYPTO_HASH

config LRNG_DRBG
	tristate "SP800-90A support for the LRNG"
	depends on CRYPTO
	select CRYPTO_DRBG_MENU
	select CRYPTO_SHA512
	select LRNG_KCAPI_HASH
	help
	  Enable the SP800-90A DRBG support for the LRNG. Once the
	  module is loaded, output from /dev/random, /dev/urandom,
	  getrandom(2), or get_random_bytes_full is provided by a DRBG.

config LRNG_KCAPI
	tristate "Kernel Crypto API support for the LRNG"
	depends on CRYPTO
	depends on !LRNG_DRBG
	select CRYPTO_RNG
	select LRNG_KCAPI_HASH
	help
	  Enable the support for generic pseudo-random number
	  generators offered by the kernel crypto API with the
	  LRNG. Once the module is loaded, output from /dev/random,
	  /dev/urandom, getrandom(2), or get_random_bytes is
	  provided by the selected kernel crypto API RNG.
endif # LRNG_DRNG_SWITCH

menuconfig LRNG_TESTING_MENU
	bool "LRNG testing interfaces"
	depends on DEBUG_FS
	help
	  Enable one or more of the following test interfaces.

	  If unsure, say N.

if LRNG_TESTING_MENU

config LRNG_RAW_HIRES_ENTROPY
	bool "Enable entropy test interface to hires timer noise source"
	default y
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned high resolution time stamp noise that
	  is collected by the LRNG for statistical analysis. Extracted
	  noise data is not used to seed the LRNG.

	  The raw noise data can be obtained using the lrng_raw_hires
	  debugfs file. Using the option lrng_testing.boot_raw_hires_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_JIFFIES_ENTROPY
	bool "Enable entropy test interface to Jiffies noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned Jiffies that is collected by
	  the LRNG for statistical analysis. This data is used for
	  seeding the LRNG if a high-resolution time stamp is not
	  available. If a high-resolution time stamp is detected,
	  the Jiffies value is not collected by the LRNG and no
	  data is provided via the test interface. Extracted noise
	  data is not used to seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_jiffies
	  debugfs file. Using the option lrng_testing.boot_raw_jiffies_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_IRQ_ENTROPY
	bool "Enable entropy test interface to IRQ number noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned interrupt number that is collected by
	  the LRNG for statistical analysis. This data is used for
	  seeding the random32 PRNG external to the LRNG if a
	  high-resolution time stamp is available or it will be used to
	  seed the LRNG otherwise. Extracted noise data is not used to
	  seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_irq
	  debugfs file. Using the option lrng_testing.boot_raw_irq_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_IRQFLAGS_ENTROPY
	bool "Enable entropy test interface to IRQ flags noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned interrupt flags that is collected by
	  the LRNG for statistical analysis. This data is used for
	  seeding the random32 PRNG external to the LRNG if a
	  high-resolution time stamp is available or it will be used to
	  seed the LRNG otherwise. Extracted noise data is not used to
	  seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_irqflags
	  debugfs file. Using the option lrng_testing.boot_raw_irqflags_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_RETIP_ENTROPY
	bool "Enable entropy test interface to RETIP value noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned return instruction pointer value
	  that is collected by the LRNG for statistical analysis.
	  This data is used for seeding the random32 PRNG external
	  to the LRNG if a high-resolution time stamp is available or
	  it will be used to seed the LRNG otherwise. Extracted noise
	  data is not used to seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_retip
	  debugfs file. Using the option lrng_testing.boot_raw_retip_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_REGS_ENTROPY
	bool "Enable entropy test interface to IRQ register value noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned interrupt register value that is
	  collected by the LRNG for statistical analysis. Extracted noise
	  data is not used to seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_regs
	  debugfs file. Using the option lrng_testing.boot_raw_regs_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_ARRAY
	bool "Enable test interface to LRNG raw entropy storage array"
	help
	  The test interface allows a privileged process to capture
	  the raw noise data that is collected by the LRNG
	  in the per-CPU array for statistical analysis. The purpose
	  of this interface is to verify that the array handling code
	  truly only concatenates data and provides the same entropy
	  rate as the raw unconditioned noise source when assessing
	  the collected data byte-wise.

	  The data can be obtained using the lrng_raw_array debugfs
	  file. Using the option lrng_testing.boot_raw_array=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_IRQ_PERF
	bool "Enable LRNG interrupt performance monitor"
	help
	  With this option, the performance monitor of the LRNG
	  interrupt handling code is enabled. The file provides
	  the execution time of the interrupt handler in
	  cycles.

	  The interrupt performance data can be obtained using
	  the lrng_irq_perf debugfs file. Using the option
	  lrng_testing.boot_irq_perf=1 the performance data of
	  the first 1000 entropy events since boot can be sampled.

config LRNG_ACVT_HASH
	bool "Enable LRNG ACVT Hash interface"
	help
	  With this option, the LRNG built-in hash function used for
	  auxiliary pool management and prior to switching the
	  cryptographic backends is made available for ACVT. The
	  interface allows writing of the data to be hashed
	  into the interface. The read operation triggers the hash
	  operation to generate message digest.

	  The ACVT interface is available with the lrng_acvt_hash
	  debugfs file.

config LRNG_RUNTIME_ES_CONFIG
	bool "Enable runtime configuration of entropy sources"
	help
	  When enabling this option, the LRNG provides the mechanism
	  allowing to alter the entropy rate of each entropy source
	  during boot time and runtime.

	  The following interfaces are available:
	  lrng_archrandom.archrandom for the CPU entropy source,
	  lrng_jent.jitterrng for the Jitter RNG entropy source, and
	  lrng_sw_noise.irq_entropy for the interrupt entropy source.

config LRNG_TESTING
	bool
	default y if (LRNG_RAW_HIRES_ENTROPY || LRNG_RAW_JIFFIES_ENTROPY ||LRNG_RAW_IRQ_ENTROPY || LRNG_RAW_IRQFLAGS_ENTROPY || LRNG_RAW_RETIP_ENTROPY || LRNG_RAW_REGS_ENTROPY || LRNG_RAW_ARRAY || LRNG_IRQ_PERF || LRNG_ACVT_HASH)

endif #LRNG_TESTING_MENU

config LRNG_SELFTEST
	bool "Enable power-on and on-demand self-tests"
	help
	  The power-on self-tests are executed during boot time
	  covering the ChaCha20 DRNG, the hash operation used for
	  processing the entropy pools and the auxiliary pool, and
	  the time stamp management of the LRNG.

	  The on-demand self-tests are triggered by writing any
	  value into the SysFS file selftest_status. At the same
	  time, when reading this file, the test status is
	  returned. A zero indicates that all tests were executed
	  successfully.

	  If unsure, say Y.

if LRNG_SELFTEST

config LRNG_SELFTEST_PANIC
	bool "Panic the kernel upon self-test failure"
	help
	  If the option is enabled, the kernel is terminated if an
	  LRNG power-on self-test failure is detected.

endif # LRNG_SELFTEST

endif # LRNG
