-
Notifications
You must be signed in to change notification settings - Fork 791
/
dif_csrng.h
647 lines (605 loc) · 18.6 KB
/
dif_csrng.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
// Copyright lowRISC contributors (OpenTitan project).
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0
#ifndef OPENTITAN_SW_DEVICE_LIB_DIF_DIF_CSRNG_H_
#define OPENTITAN_SW_DEVICE_LIB_DIF_DIF_CSRNG_H_
/**
* @file
* @brief <a href="/hw/ip/csrng/doc/">CSRNG</a> Device Interface Functions
*/
#include <stdint.h>
#include "sw/device/lib/base/macros.h"
#include "sw/device/lib/base/mmio.h"
#include "sw/device/lib/dif/dif_base.h"
#include "csrng_regs.h" // Generated
#include "sw/device/lib/dif/autogen/dif_csrng_autogen.h"
#ifdef __cplusplus
extern "C" {
#endif // __cplusplus
/**
* This API implements an interface for the CSRNG hardware.
*
* The API follows the naming conventions used in NIST SP 800-90Ar1:
*
* - Instantiate.
* - Update
* - Reseed
* - Generate
* - Uninstantiate
*
* The seed used for instantiation can either be provided directly in
* hardware by an entropy source module; or directly by software. See
* `dif_csrng_instantiate()` and `dif_csrng_entropy_src` for
* more details.
*
* The following sequence of operations are required to initialize
* and generate cryptographic entropy from the CSRNG module:
*
* - `dif_csrng_init()`
* - `dif_csrng_configure()`
* - `dif_csrng_instantiate()`
* - `dif_csrng_generate_start()`
* - `dif_csrng_uninstantiate()`
*
* The following functions can be used for reseed and update operations:
*
* - `dif_csrng_reseed()`
* - `dif_csrng_update()`
*
* The following utility functions are available to poll the state of
* the hardware:
*
* - `dif_csrng_get_cmd_interface_status()`
* - `dif_csrng_get_output_status()`
*
* Please see the following documentation for more information:
* https://docs.opentitan.org/hw/ip/csrng/doc/
*
* Remaining work:
*
* - Add error status interface.
* - Add internal state control and debug interface.
*/
/**
* Enumeration of CSRNG command interface states.
*/
typedef enum dif_csrng_cmd_status_kind {
/**
* The command interface is ready to accept commands.
*/
kDifCsrngCmdStatusReady,
/**
* The command interface is processing a command.
*/
kDifCsrngCmdStatusBusy,
/**
* The command interface completed with an error.
*/
kDifCsrngCmdStatusError,
} dif_csrng_cmd_status_kind_t;
/**
* Enumeration of CSRNG FIFOs, which indicates which part of the hardware
* produced an error.
*/
typedef enum dif_csrng_fifo {
kDifCsrngFifoCmd,
kDifCsrngFifoGenBits,
kDifCsrngFifoCmdReq,
kDifCsrngFifoRcStage,
kDifCsrngFifoKeyVrc,
kDifCsrngFifoUpdateReq,
kDifCsrngFifoBencRec,
kDifCsrngFifoBencAck,
kDifCsrngFifoPData,
kDifCsrngFifoFinal,
kDifCsrngFifoGBencAck,
kDifCsrngFifoGrcStage,
kDifCsrngFifoGGenReq,
kDifCsrngFifoGadStage,
kDifCsrngFifoBlockEnc,
} dif_csrng_fifo_t;
/**
* Enumeration of CSRNG FIFO errors.
*/
typedef enum dif_csrng_error {
/**
* Indicates an error in the command stage state machine.
*/
kDifCsrngErrorCmdStageSm,
/**
* Indicates an error in the main state machine.
*/
kDifCsrngErrorMainSm,
/**
* Indicates an error in the DRBG's generator state machine.
*/
kDifCsrngErrorDrbgGenSm,
/**
* Indicates an error in the DRBG's block encoding state machine.
*/
kDifCsrngErrorDrbgUpdateBlockEncSm,
/**
* Indicates an error in the DRBG's block output state machine.
*/
kDifCsrngErrorDrbgUpdateOutBlockSm,
/**
* Indicates an error in the AES state machine.
*/
kDifCsrngErrorAesSm,
/**
* Indicates an error in the generate command's counter.
*/
kDifCsrngErrorGenerateCmdCounter,
/**
* Indicates a write to a full FIFO occured.
*/
kDifCsrngErrorFifoWrite,
/**
* Indicates a read from an empty FIFO occured.
*/
kDifCsrngErrorFifoRead,
/**
* Indicates a FIFO was somehow both full and empty.
*/
kDifCsrngErrorFifoFullAndEmpty,
} dif_csrng_error_t;
/**
* Enumeration of CSRNG command status errors.
*/
typedef enum dif_csrng_cmd_sts_error {
/**
* Indicates that the command completed successfully.
*/
kDifCsrngCmdStsSuccess = 0,
/**
* Indicates that an invalid apllication command has been issued.
*/
kDifCsrngCmdStsInvalidAcmd = 1,
/**
* Indicates that the state wasn't zeroized properly after an uninstantiate
* command due to invalid state parameters in the cmd drbg.
*/
kDifCsrngCmdStsInvalidStateParams = 2,
/**
* Indicates that CSRNG entropy was generated for a command that is not a
* generate command.
*/
kDifCsrngCmdStsInvalidCtrDrbgCmd = 3,
/**
* Indicates that last command was not issued in sequence.
* E.g. an instantiate on an instantiated state or any command other than an
* instantiate on an uninstantiated state.
*/
kDifCsrngCmdStsInvalidCmdSeq = 4,
} dif_csrng_cmd_sts_t;
/**
* The status of the CSRNG block at a particular moment in time.
*/
typedef struct dif_csrng_cmd_status {
/**
* The kind of status the CSRNG is in.
*/
dif_csrng_cmd_status_kind_t kind;
/**
* The status value CSRNG returns.
*/
dif_csrng_cmd_sts_t cmd_sts;
} dif_csrng_cmd_status_t;
/**
* CSRNG consume seed from entropy source enable.
*/
typedef enum dif_csrng_entropy_src_toggle {
/**
* Seed material used as the only seed material.
*
* This configuration option will toggle the hardware state of the
* CSRNG to non-FIPS compliant until it is re-instantiated.
*
* Note: Software may opt to XOR the seed material with a seed to implement
* a software assisted FIPS mode of operation.
*/
kDifCsrngEntropySrcToggleDisable = 1,
/**
* Entropy source XOR'ed with the provided seed material.
*/
kDifCsrngEntropySrcToggleEnable = 0,
} dif_csrng_entropy_src_toggle_t;
enum {
/**
* Maximum seed material number of uint32_t words supported in CSRNG
* instantiate and seed commands.
*/
kDifCsrngSeedMaterialMaxWordLen = 12,
};
/**
* CSRNG common transaction parameters.
*/
typedef struct dif_csrng_seed_material {
/**
* Number of uint32_t words in `seed_material`. Up to 12 words can be
* set to initialize the CSRNG. CSRNG will extend the `seed_material`
* to zeros if the provided value is less that 12.
*/
size_t seed_material_len;
/**
* Seed material used in CSRNG
*/
uint32_t seed_material[kDifCsrngSeedMaterialMaxWordLen];
} dif_csrng_seed_material_t;
/**
* Generated output state.
*/
typedef struct dif_csrng_output_status {
/**
* Set to true when there is cryptographic entropy data available to
* read using `dif_csrng_generate_read()`.
*/
bool valid_data;
/**
* Set to true when the cryptographic entropy data available to read
* is FIPS/CC compliant at the hardware level.
*/
bool fips_mode;
} dif_csrng_output_status_t;
/**
* CSRNG internal state selector ID.
*/
typedef enum dif_csrng_internal_state_id {
/**
* CSRNG instance assigned to Entropy Distribution Network (EDN) 0.
*/
kCsrngInternalStateIdEdn0 = 0,
/**
* CSRNG instance assigned to Entropy Distribution Network (EDN) 1.
*/
kCsrngInternalStateIdEdn1 = 1,
/**
* CSRNG instance assigned to software interface.
*/
kCsrngInternalStateIdSw = 2,
} dif_csrng_internal_state_id_t;
/**
* CSRNG internal state.
*/
typedef struct dif_csrng_internal_state {
/**
* Indicates the number of requests for pseudorandom bits since instantiation
* or reseeding.
*/
uint32_t reseed_counter;
/**
* Internal V working state with a 128bit block size.
*/
uint32_t v[4];
/**
* Internal key used to configure the internal CSRNG cipher.
*/
uint32_t key[8];
/**
* Set to true when the CSRNG instance has been instantiated.
*/
bool instantiated;
/**
* Set to true when FIPS compliant entropy was provided directly by the
* entropy source to instantiate or reseed the CSRNG instance.
*/
bool fips_compliance;
} dif_csrng_internal_state_t;
/**
* Recoverable alerts emitted by the CSRNG.
*/
typedef enum dif_csrng_recoverable_alert {
/**
* Indicates a bad value was written to the ENABLE field of the control
* register.
*/
kDifCsrngRecoverableAlertBadEnable =
1U << CSRNG_RECOV_ALERT_STS_ENABLE_FIELD_ALERT_BIT,
/**
* Indicates a bad value was written to the SW_APP_ENABLE field of the control
* register.
*/
kDifCsrngRecoverableAlertBadSwAppEnable =
1U << CSRNG_RECOV_ALERT_STS_SW_APP_ENABLE_FIELD_ALERT_BIT,
/**
* Indicates a bad value was written to the READ_INT_STATE field of the
* control register.
*/
kDifCsrngRecoverableAlertBadIntState =
1U << CSRNG_RECOV_ALERT_STS_READ_INT_STATE_FIELD_ALERT_BIT,
/**
* Indicates the FLAG0 field in the Application Command is set to a value
* other than kMultiBitBool4True or kMultiBitBool4False.
*/
kDifCsrngRecoverableAlertBadFlag0 =
1U << CSRNG_RECOV_ALERT_STS_ACMD_FLAG0_FIELD_ALERT_BIT,
/**
* Indicates the genbits bus saw two identical values, indicating a possible
* attack.
*/
kDifCsrngRecoverableAlertRepeatedGenBits =
1U << CSRNG_RECOV_ALERT_STS_CS_BUS_CMP_ALERT_BIT,
/**
* Indicates an unsupported CSRNG command was issued.
*/
kDifCsrngRecoverableAlertBadCsrngCmd =
1U << CSRNG_RECOV_ALERT_STS_CMD_STAGE_INVALID_ACMD_ALERT_BIT,
/**
* Indicates a supported CSRNG command was issued out of sequence.
*/
kDifCsrngRecoverableAlertBadCsrngCmdSeq =
1U << CSRNG_RECOV_ALERT_STS_CMD_STAGE_INVALID_CMD_SEQ_ALERT_BIT,
/**
* Indicates that too many generate commands were issued in a row.
*/
kDifCsrngRecoverableAlertMaxReseedsExceeded =
1U << CSRNG_RECOV_ALERT_STS_CMD_STAGE_RESEED_CNT_ALERT_BIT,
} dif_csrng_recoverable_alert_t;
/**
* Configures CSRNG.
*
* This function should need to be called once for the lifetime of `csrng`.
*
* @param csrng A CSRNG handle.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_configure(const dif_csrng_t *csrng);
/**
* Initializes CSRNG instance with a new seed value.
*
* `seed_material` is used as specified in NIST SP 800-90Ar1 section
* 10.2.1.3.1. See `dif_csrng_entropy_src` for details on how this value
* is mixed with the CSRNG seed.
*
* `seed_material` can be NULL, in which case CSRNG will use a zero
* vector instead.
*
* @param csrng A CSRNG handle.
* @param entropy_src_enable Entropy source input enable.
* @param seed_material Seed initialization parameters.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_instantiate(
const dif_csrng_t *csrng, dif_csrng_entropy_src_toggle_t entropy_src_enable,
const dif_csrng_seed_material_t *seed_material);
/**
* Reseeds CSRNG instance.
*
* When `seed_material.seed_material_len` is set to 0, only the entropy source
* seed is used to reseed the instance, otherwise it will be XOR'ed with the
* entropy source.
*
* @param csrng A CSRNG handle.
* @param seed_material Reseed parameters.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_reseed(const dif_csrng_t *csrng,
const dif_csrng_seed_material_t *seed_material);
/**
* Updates CSRNG state.
*
* This function is similar to `dif_csrng_reseed()`, except:
*
* - Only `seed_material.seed_material` is used in the update operation.
* - The update operation does not reset the internal CSRNG reseed
* counter.
*
* @param csrng A CSRNG handle.
* @param seed_material Update parameters.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_update(const dif_csrng_t *csrng,
const dif_csrng_seed_material_t *seed_material);
/**
* Requests cryptographic entropy bits from the CSRNG.
*
* The prediction resistance flag as specified in SP 800-90Ar1 section
* 10.2.1.1 is not directily supported by the hardware. It is the
* responsibility of the caller to reseed as needed before calling
* this function.
*
* The CSRNG accepts generation requests with 128-bit granularity, with
* a minimum 128-bit request size. This function will increase the size
* of the request to align it to the nearest 128-bit boundary.
*
* @param csrng A CSRNG handle.
* @param len Number of uint32_t words to generate.
* @return The result of the operation. KDifOutOfRange if the `len` parameter
* results in a 128bit block level size greater than 0x800.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_generate_start(const dif_csrng_t *csrng, size_t len);
/**
* Reads the output of the last CSRNG generate call.
*
* This function reads `len` words out of the CSRNG. This function should be
* called repeatedly until the number of words requested in
* `dif_csrng_generate_start()` is exhausted. This function will block until
* `len` words are read.
*
* `dif_csrng_get_output_status()` can be called before this function to ensure
* there is data available in the CSRNG output buffer.
*
* @param csrng A CSRNG handle.
* @param[out] buf A buffer to fill with words from the pipeline.
* @param len The number of words to read into `buf`.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_generate_read(const dif_csrng_t *csrng, uint32_t *buf,
size_t len);
/**
* Uninstantiates CSRNG
*
* Resets the CSRNG instance. Values in the CSRNG are zeroed out. This
* command effectively resets the CSRNG, clearing any errors that it
* may have encountered due to processing or entropy source errors.
*
* @param csrng An CSRNG handle.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_uninstantiate(const dif_csrng_t *csrng);
/**
* Gets the current command interface status.
*
* This function can be called before or after any of the following functions:
*
* - `dif_csrng_instantiate()`
* - `dif_csrng_reseed()`
* - `dif_csrng_update()`
* - `dif_csrng_generate_start()`
* - `dif_csrng_uninstantiate()`
*
* @param csrng An CSRNG handle
* @param[out] status Command interface status.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_get_cmd_interface_status(const dif_csrng_t *csrng,
dif_csrng_cmd_status_t *status);
/**
* Forces the status registers to indicate `fifo` as being in an unhealthy
* state.
*
* @param csrng An CSRNG handle
* @param fifo The FIFO to mark as unhealthy.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_get_cmd_force_unhealthy_fifo(const dif_csrng_t *csrng,
dif_csrng_fifo_t fifo);
/**
* Forces the status registers to indicate a particular error cause.
*
* @param csrng An CSRNG handle
* @param error The error to force.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_get_cmd_force_error(const dif_csrng_t *csrng,
dif_csrng_error_t error);
/**
* Returns an opaque blob indicating the main state machine's current state.
*
* @param csrng An CSRNG handle
* @param state[out] The state machine state as an opaque blob.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_get_main_state_machine(const dif_csrng_t *csrng,
uint32_t *state);
/**
* Returns a bitset indicating which hardware CSRNGs have encountered
* exceptions.
*
* @param csrng An CSRNG handle
* @param exceptions[out] The bitset of exception states.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_get_hw_csrng_exceptions(const dif_csrng_t *csrng,
uint32_t *exceptions);
/**
* Clears recorded hardware CSRNG exceptions.
*
* @param csrng An CSRNG handle
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_clear_hw_csrng_exceptions(const dif_csrng_t *csrng);
/**
* Gets the current cryptographic entropy output data status.
*
* This function can be used before calling `dif_csrng_generate_read()` to
* check if there is data available to read.
*
* @param csrng A CSRNG handle.
* @param[out] status CSRNG output status.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_get_output_status(const dif_csrng_t *csrng,
dif_csrng_output_status_t *status);
/**
* Gets the working state of a CSRNG instance.
*
* @param csrng A CSRNG handle
* @param instance_id CSRNG instance ID.
* @param[out] state The working state of a CSRNG instance.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_get_internal_state(
const dif_csrng_t *csrng, dif_csrng_internal_state_id_t instance_id,
dif_csrng_internal_state_t *state);
/**
* Gets the reseed counter of a CSRNG instance.
*
* @param csrng A CSRNG handle
* @param instance_id CSRNG instance ID.
* @param[out] reseed counter The current reseed counter value of a CSRNG
* instance.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_get_reseed_counter(
const dif_csrng_t *csrng, dif_csrng_internal_state_id_t instance_id,
uint32_t *reseed_counter);
/**
* Locks out CSRNG functionality.
*
* This function is reentrant: calling it while functionality is locked will
* have no effect and return `kDifCsrngOk`.
*
* @param csrng A CSRNG handle.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_lock(const dif_csrng_t *csrng);
/**
* Checks whether this CSRNG is locked.
*
* @param csrng A CSRNG handle.
* @param[out] is_locked Out-param for the locked state.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_is_locked(const dif_csrng_t *csrng, bool *is_locked);
/**
* Disables the CSRNG module.
*
* @param csrng A CSRNG handle.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_stop(const dif_csrng_t *csrng);
/**
* Gets the recoverable alerts currently recorded in the CSRNG block.
*
* This function returns the alerts in a bitset whose indices are given by
* `dif_csrng_recoverable_alert_t`.
*
* @param csrng A CSRNG handle.
* @param[out] alerts Bitset of alerts currently recorded.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_get_recoverable_alerts(const dif_csrng_t *csrng,
uint32_t *alerts);
/**
* Clears all recoverable alerts currently recorded in the CSRNG block.
*
* @param csrng A CSRNG handle.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_csrng_clear_recoverable_alerts(const dif_csrng_t *csrng);
#ifdef __cplusplus
} // extern "C"
#endif // __cplusplus
#endif // OPENTITAN_SW_DEVICE_LIB_DIF_DIF_CSRNG_H_