/*
 * Copyright (c) 2021-2022, ARM Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
77dfb9911SJimmy Brisson #include <assert.h>
87dfb9911SJimmy Brisson #include <stdbool.h>
97dfb9911SJimmy Brisson #include <stdint.h>
107dfb9911SJimmy Brisson #include <lib/spinlock.h>
117dfb9911SJimmy Brisson #include <plat/common/plat_trng.h>
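/*
 * # Entropy pool
 * The TRNG firmware interface can request up to 192 bits of entropy in a
 * single call, i.e. three 64-bit words per call. The pool holds four words so
 * that when 1-63 bits are left in the pool and a request for 192 bits
 * arrives, the leftover 1-63 bits of entropy do not have to be thrown away.
 */
#define WORDS_IN_POOL (4)
static uint64_t entropy[WORDS_IN_POOL];
/* index in bits of the first bit of usable entropy */
static uint32_t entropy_bit_index;
/* the number of valid bits in the entropy pool */
static uint32_t entropy_bit_size;

/*
 * Held by trng_pack_entropy() around its reads and updates of the pool words
 * and of the two bookkeeping variables above.
 * NOTE(review): trng_entropy_pool_setup() resets the same state without
 * taking this lock - confirm it only runs before any consumer can call in.
 */
static spinlock_t trng_pool_lock;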
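/*
 * Pool geometry derived from the pool array and its two bookkeeping
 * variables. Every macro below reads entropy_bit_index and/or
 * entropy_bit_size at the point of use, so it must only be evaluated while
 * the pool state is stable.
 */
#define BITS_PER_WORD (sizeof(entropy[0]) * 8)
#define BITS_IN_POOL (WORDS_IN_POOL * BITS_PER_WORD)
/* pool word that holds the first usable bit */
#define ENTROPY_MIN_WORD (entropy_bit_index / BITS_PER_WORD)
/* bit position just past the last valid bit, before wrapping */
#define ENTROPY_FREE_BIT (entropy_bit_size + entropy_bit_index)
#define _ENTROPY_FREE_WORD (ENTROPY_FREE_BIT / BITS_PER_WORD)
/* pool word that the next refill writes to (wraps around the pool) */
#define ENTROPY_FREE_INDEX (_ENTROPY_FREE_WORD % WORDS_IN_POOL)
/*
 * ENTROPY_WORD_INDEX(0) includes leftover bits in the lower bits.
 * The argument is parenthesised so that an expression with an operator of
 * lower precedence than `+` still indexes the intended word.
 */
#define ENTROPY_WORD_INDEX(i) ((ENTROPY_MIN_WORD + (i)) % WORDS_IN_POOL)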
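/*
 * Fill the entropy pool until we have at least as many bits as requested.
 *
 * Returns true after filling the pool. Returns false if the entropy source is
 * out of entropy and the pool could not be filled, or if the request cannot
 * be met without growing the pool past BITS_IN_POOL.
 *
 * Assumes locks are taken.
 */
static bool trng_fill_entropy(uint32_t nbits)
{
	while (nbits > entropy_bit_size) {
		/*
		 * Refuse to overfill. ENTROPY_FREE_INDEX wraps around the
		 * pool, so one more word here would land on a word that is
		 * still counted as valid, and entropy_bit_size would claim
		 * more bits than the pool can hold. The assert() below is
		 * not a sufficient bound on its own: it disappears when
		 * assertions are compiled out.
		 */
		if (entropy_bit_size > (BITS_IN_POOL - BITS_PER_WORD)) {
			return false;
		}

		if (!plat_get_entropy(&entropy[ENTROPY_FREE_INDEX])) {
			return false;
		}

		entropy_bit_size += BITS_PER_WORD;
		assert(entropy_bit_size <= BITS_IN_POOL);
	}
	return true;
}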
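/*
 * Pack entropy into the out buffer, filling and taking locks as needed.
 * Returns true on success, false on failure.
 *
 * Every output word is fully written, so the result does not depend on what
 * the caller's buffer held before the call. Bits handed out are overwritten
 * with zeros in the pool, so a later read of the pool cannot recover them.
 *
 * Note: out must have enough space for nbits of entropy, rounded up to whole
 * 64-bit words.
 */
bool trng_pack_entropy(uint32_t nbits, uint64_t *out)
{
	bool ret = true;
	uint32_t bits_to_discard = nbits;

	/*
	 * A request larger than the pool can never be served. Without this
	 * check to_fill would exceed WORDS_IN_POOL and, because
	 * ENTROPY_WORD_INDEX() wraps, the same pool word would be copied into
	 * more than one output word.
	 */
	if (nbits > BITS_IN_POOL) {
		return false;
	}

	spin_lock(&trng_pool_lock);

	if (!trng_fill_entropy(nbits)) {
		ret = false;
		goto out;
	}

	const unsigned int rshift = entropy_bit_index % BITS_PER_WORD;
	const unsigned int lshift = BITS_PER_WORD - rshift;
	const int to_fill = ((nbits + BITS_PER_WORD - 1) / BITS_PER_WORD);
	int word_i;

	for (word_i = 0; word_i < to_fill; word_i++) {
		/*
		 * Repack the entropy from the pool into the passed in out
		 * buffer. This takes lesser bits from the valid upper bits
		 * of word_i and more bits from the lower bits of (word_i + 1).
		 *
		 * I found the following diagram useful. note: `e` represents
		 * valid entropy, ` ` represents invalid bits (not entropy) and
		 * `x` represents valid entropy that must not end up in the
		 * packed word.
		 *
		 *          |---------entropy pool----------|
		 * C var    |--(word_i + 1)-|----word_i-----|
		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
		 *          [x,x,e,e,e,e,e,e|e,e, , , , , , ]
		 *          |   [e,e,e,e,e,e,e,e]           |
		 *          |   |--out[word_i]--|           |
		 *    lshift|---|               |--rshift---|
		 *
		 *          ==== Which is implemented as ====
		 *
		 *          |---------entropy pool----------|
		 * C var    |--(word_i + 1)-|----word_i-----|
		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
		 *          [x,x,e,e,e,e,e,e|e,e, , , , , , ]
		 * C expr       << lshift       >> rshift
		 * bit idx   5 4 3 2 1 0                 7 6
		 *          [e,e,e,e,e,e,0,0|0,0,0,0,0,0,e,e]
		 *                ==== bit-wise or ====
		 *                   5 4 3 2 1 0 7 6
		 *                  [e,e,e,e,e,e,e,e]
		 *
		 * The first contribution is a plain assignment rather than an
		 * OR: stale bits already present in out[word_i] would
		 * otherwise be merged into the returned entropy and bias it.
		 */
		out[word_i] = entropy[ENTROPY_WORD_INDEX(word_i)] >> rshift;

		/*
		 * Discarding the used/packed entropy bits from the respective
		 * words, (word_i) and (word_i+1) as applicable.
		 * In each iteration of the loop, we pack 64bits of entropy to
		 * the output buffer. The bits are picked linearly starting from
		 * 1st word (entropy[0]) till 4th word (entropy[3]) and then
		 * rolls back (entropy[0]). Discarding of bits is managed
		 * similarly.
		 *
		 * The following diagram illustrates the logic:
		 *
		 *          |---------entropy pool----------|
		 * C var    |--(word_i + 1)-|----word_i-----|
		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
		 *          [e,e,e,e,e,e,e,e|e,e,0,0,0,0,0,0]
		 *          |   [e,e,e,e,e,e,e,e]           |
		 *          |   |--out[word_i]--|           |
		 *    lshift|---|               |--rshift---|
		 *          |e,e|0,0,0,0,0,0,0,0|0,0,0,0,0,0|
		 *              |<==     ||    ==>|
		 *               bits_to_discard (from these bytes)
		 *
		 * variable(bits_to_discard): Tracks the amount of bits to be
		 * discarded and is updated accordingly in each iteration.
		 *
		 * It monitors these packed bits from respective word_i and
		 * word_i+1 and overwrites them with zeros accordingly.
		 * It discards linearly from the lowest index and moves upwards
		 * until bits_to_discard variable becomes zero.
		 *
		 * In the above diagram, for example, we pack 2bytes(7th and 6th
		 * from word_i) and 6bytes(0th till 5th from word_i+1), combine
		 * and pack them as 64bit to output buffer out[i].
		 * Depending on the number of bits requested, we discard the
		 * bits from these packed bytes by overwriting them with zeros.
		 */

		/*
		 * If the bits to be discarded is lesser than the amount of bits
		 * copied to the output buffer from word_i, we discard that much
		 * amount of bits only.
		 */
		if (bits_to_discard < (BITS_PER_WORD - rshift)) {
			entropy[ENTROPY_WORD_INDEX(word_i)] &=
			(~0ULL << ((bits_to_discard + rshift) % BITS_PER_WORD));
			bits_to_discard = 0;
		} else {
			/*
			 * If the bits to be discarded is more than the amount
			 * of valid upper bits from word_i, which has been
			 * copied to the output buffer, we just set the entire
			 * word_i to 0, as the lower bits will be already zeros
			 * from previous operations, and the bits_to_discard is
			 * updated precisely.
			 */
			entropy[ENTROPY_WORD_INDEX(word_i)] = 0;
			bits_to_discard -= (BITS_PER_WORD - rshift);
		}

		/*
		 * Note that a shift of 64 bits is treated as a shift of 0 bits.
		 * When the shift amount is the same as the BITS_PER_WORD, we
		 * don't want to include the next word of entropy, so we skip
		 * the `|=` operation.
		 */
		if (lshift != BITS_PER_WORD) {
			out[word_i] |= entropy[ENTROPY_WORD_INDEX(word_i + 1)]
				<< lshift;
			/*
			 * Discarding the remaining packed bits from upperword
			 * (word[i+1]) which was copied to output buffer by
			 * overwriting with zeros.
			 *
			 * If the remaining bits to be discarded is lesser than
			 * the amount of bits from [word_i+1], which has been
			 * copied to the output buffer, we overwrite that much
			 * amount of bits only.
			 */
			if (bits_to_discard < (BITS_PER_WORD - lshift)) {
				entropy[ENTROPY_WORD_INDEX(word_i + 1)] &=
				(~0ULL << ((bits_to_discard) % BITS_PER_WORD));
				bits_to_discard = 0;
			} else {
				/*
				 * If bits to discard is more than the bits from
				 * word_i+1 which got packed into the output,
				 * then we discard all those copied bits.
				 *
				 * Note: we cannot set the entire word_i+1 to 0,
				 * as there are still some unused valid entropy
				 * bits at the upper end for future use.
				 */
				entropy[ENTROPY_WORD_INDEX(word_i + 1)] &=
				(~0ULL << ((BITS_PER_WORD - lshift) % BITS_PER_WORD));
				bits_to_discard -= (BITS_PER_WORD - lshift);
			}
		}
	}

	/* Mask off higher bits if only part of the last word was requested */
	if ((nbits % BITS_PER_WORD) != 0) {
		const uint64_t mask = UINT64_MAX >>
				(BITS_PER_WORD - (nbits % BITS_PER_WORD));
		out[to_fill - 1] &= mask;
	}

	/* Advance past the bits just handed out; the index wraps with the pool. */
	entropy_bit_index = (entropy_bit_index + nbits) % BITS_IN_POOL;
	entropy_bit_size -= nbits;

out:
	spin_unlock(&trng_pool_lock);

	return ret;
}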
/*
 * Put the entropy pool into its empty state: every pool word is cleared and
 * both the read index and the valid-bit count are set to zero.
 *
 * This function does not take trng_pool_lock.
 */
void trng_entropy_pool_setup(void)
{
	int word_i = 0;

	while (word_i < WORDS_IN_POOL) {
		entropy[word_i] = 0;
		word_i++;
	}

	entropy_bit_size = 0;
	entropy_bit_index = 0;
}