std_svc/trng/trng_entropy_pool.c

*7dfb9911SJimmy Brisson/*
*7dfb9911SJimmy Brisson * Copyright (c) 2021, ARM Limited. All rights reserved.
*7dfb9911SJimmy Brisson *
*7dfb9911SJimmy Brisson * SPDX-License-Identifier: BSD-3-Clause
*7dfb9911SJimmy Brisson */
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson#include <assert.h>
*7dfb9911SJimmy Brisson#include <stdbool.h>
*7dfb9911SJimmy Brisson#include <stdint.h>
*7dfb9911SJimmy Brisson#include <lib/spinlock.h>
*7dfb9911SJimmy Brisson#include <plat/common/plat_trng.h>
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson/*
*7dfb9911SJimmy Brisson * # Entropy pool
*7dfb9911SJimmy Brisson * Note that the TRNG Firmware interface can request up to 192 bits of entropy
*7dfb9911SJimmy Brisson * in a single call or three 64bit words per call. We have 4 words in the pool
*7dfb9911SJimmy Brisson * so that when we have 1-63 bits in the pool, and we have a request for
*7dfb9911SJimmy Brisson * 192 bits of entropy, we don't have to throw out the leftover 1-63 bits of
*7dfb9911SJimmy Brisson * entropy.
*7dfb9911SJimmy Brisson */
*7dfb9911SJimmy Brisson#define WORDS_IN_POOL (4)
*7dfb9911SJimmy Brissonstatic uint64_t entropy[WORDS_IN_POOL];
*7dfb9911SJimmy Brisson/* index in bits of the first bit of usable entropy */
*7dfb9911SJimmy Brissonstatic uint32_t entropy_bit_index;
*7dfb9911SJimmy Brisson/* then number of valid bits in the entropy pool */
*7dfb9911SJimmy Brissonstatic uint32_t entropy_bit_size;
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brissonstatic spinlock_t trng_pool_lock;
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson#define BITS_PER_WORD (sizeof(entropy[0]) * 8)
*7dfb9911SJimmy Brisson#define BITS_IN_POOL (WORDS_IN_POOL * BITS_PER_WORD)
*7dfb9911SJimmy Brisson#define ENTROPY_MIN_WORD (entropy_bit_index / BITS_PER_WORD)
*7dfb9911SJimmy Brisson#define ENTROPY_FREE_BIT (entropy_bit_size + entropy_bit_index)
*7dfb9911SJimmy Brisson#define _ENTROPY_FREE_WORD (ENTROPY_FREE_BIT / BITS_PER_WORD)
*7dfb9911SJimmy Brisson#define ENTROPY_FREE_INDEX (_ENTROPY_FREE_WORD % WORDS_IN_POOL)
*7dfb9911SJimmy Brisson/* ENTROPY_WORD_INDEX(0) includes leftover bits in the lower bits */
*7dfb9911SJimmy Brisson#define ENTROPY_WORD_INDEX(i) ((ENTROPY_MIN_WORD + i) % WORDS_IN_POOL)
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson/*
*7dfb9911SJimmy Brisson * Fill the entropy pool until we have at least as many bits as requested.
*7dfb9911SJimmy Brisson * Returns true after filling the pool, and false if the entropy source is out
*7dfb9911SJimmy Brisson * of entropy and the pool could not be filled.
*7dfb9911SJimmy Brisson * Assumes locks are taken.
*7dfb9911SJimmy Brisson */
*7dfb9911SJimmy Brissonstatic bool trng_fill_entropy(uint32_t nbits)
*7dfb9911SJimmy Brisson{
*7dfb9911SJimmy Brisson	while (nbits > entropy_bit_size) {
*7dfb9911SJimmy Brisson		bool valid = plat_get_entropy(&entropy[ENTROPY_FREE_INDEX]);
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson		if (valid) {
*7dfb9911SJimmy Brisson			entropy_bit_size += BITS_PER_WORD;
*7dfb9911SJimmy Brisson			assert(entropy_bit_size <= BITS_IN_POOL);
*7dfb9911SJimmy Brisson		} else {
*7dfb9911SJimmy Brisson			return false;
*7dfb9911SJimmy Brisson		}
*7dfb9911SJimmy Brisson	}
*7dfb9911SJimmy Brisson	return true;
*7dfb9911SJimmy Brisson}
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson/*
*7dfb9911SJimmy Brisson * Pack entropy into the out buffer, filling and taking locks as needed.
*7dfb9911SJimmy Brisson * Returns true on success, false on failure.
*7dfb9911SJimmy Brisson *
*7dfb9911SJimmy Brisson * Note: out must have enough space for nbits of entropy
*7dfb9911SJimmy Brisson */
*7dfb9911SJimmy Brissonbool trng_pack_entropy(uint32_t nbits, uint64_t *out)
*7dfb9911SJimmy Brisson{
*7dfb9911SJimmy Brisson	bool success = true;
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson	spin_lock(&trng_pool_lock);
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson	if (!trng_fill_entropy(nbits)) {
*7dfb9911SJimmy Brisson		success = false;
*7dfb9911SJimmy Brisson		goto out;
*7dfb9911SJimmy Brisson	}
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson	const unsigned int rshift = entropy_bit_index % BITS_PER_WORD;
*7dfb9911SJimmy Brisson	const unsigned int lshift = BITS_PER_WORD - rshift;
*7dfb9911SJimmy Brisson	const int to_fill = ((nbits + BITS_PER_WORD - 1) / BITS_PER_WORD);
*7dfb9911SJimmy Brisson	int word_i;
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson	for (word_i = 0; word_i < to_fill; word_i++) {
*7dfb9911SJimmy Brisson		/*
*7dfb9911SJimmy Brisson		 * Repack the entropy from the pool into the passed in out
*7dfb9911SJimmy Brisson		 * buffer. This takes the lower bits from the valid upper bits
*7dfb9911SJimmy Brisson		 * of word_i and the upper bits from the lower bits of
*7dfb9911SJimmy Brisson		 * (word_i + 1).
*7dfb9911SJimmy Brisson		 *
*7dfb9911SJimmy Brisson		 * I found the following diagram useful. note: `e` represents
*7dfb9911SJimmy Brisson		 * valid entropy, ` ` represents invalid bits (not entropy) and
*7dfb9911SJimmy Brisson		 * `x` represents valid entropy that must not end up in the
*7dfb9911SJimmy Brisson		 * packed word.
*7dfb9911SJimmy Brisson		 *
*7dfb9911SJimmy Brisson		 *          |---------entropy pool----------|
*7dfb9911SJimmy Brisson		 * C var    |--(word_i + 1)-|----word_i-----|
*7dfb9911SJimmy Brisson		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
*7dfb9911SJimmy Brisson		 *          [x,x,e,e,e,e,e,e|e,e, , , , , , ]
*7dfb9911SJimmy Brisson		 *          |   [e,e,e,e,e,e,e,e]           |
*7dfb9911SJimmy Brisson		 *          |   |--out[word_i]--|           |
*7dfb9911SJimmy Brisson		 *    lshift|---|               |--rshift---|
*7dfb9911SJimmy Brisson		 *
*7dfb9911SJimmy Brisson		 *          ==== Which is implemented as ====
*7dfb9911SJimmy Brisson		 *
*7dfb9911SJimmy Brisson		 *          |---------entropy pool----------|
*7dfb9911SJimmy Brisson		 * C var    |--(word_i + 1)-|----word_i-----|
*7dfb9911SJimmy Brisson		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
*7dfb9911SJimmy Brisson		 *          [x,x,e,e,e,e,e,e|e,e, , , , , , ]
*7dfb9911SJimmy Brisson		 * C expr       << lshift       >> rshift
*7dfb9911SJimmy Brisson		 * bit idx   5 4 3 2 1 0                 7 6
*7dfb9911SJimmy Brisson		 *          [e,e,e,e,e,e,0,0|0,0,0,0,0,0,e,e]
*7dfb9911SJimmy Brisson		 *                ==== bit-wise or ====
*7dfb9911SJimmy Brisson		 *                   5 4 3 2 1 0 7 6
*7dfb9911SJimmy Brisson		 *                  [e,e,e,e,e,e,e,e]
*7dfb9911SJimmy Brisson		 */
*7dfb9911SJimmy Brisson		out[word_i] = 0;
*7dfb9911SJimmy Brisson		out[word_i] |= entropy[ENTROPY_WORD_INDEX(word_i)] >> rshift;
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson		/*
*7dfb9911SJimmy Brisson		 * Note that a shift of 64 bits is treated as a shift of 0 bits.
*7dfb9911SJimmy Brisson		 * When the shift amount is the same as the BITS_PER_WORD, we
*7dfb9911SJimmy Brisson		 * don't want to include the next word of entropy, so we skip
*7dfb9911SJimmy Brisson		 * the `|=` operation.
*7dfb9911SJimmy Brisson		 */
*7dfb9911SJimmy Brisson		if (lshift != BITS_PER_WORD) {
*7dfb9911SJimmy Brisson			out[word_i] |= entropy[ENTROPY_WORD_INDEX(word_i + 1)]
*7dfb9911SJimmy Brisson				<< lshift;
*7dfb9911SJimmy Brisson		}
*7dfb9911SJimmy Brisson	}
*7dfb9911SJimmy Brisson	const uint64_t mask = ~0ULL >> (BITS_PER_WORD - (nbits % BITS_PER_WORD));
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson	out[to_fill - 1] &= mask;
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson	entropy_bit_index = (entropy_bit_index + nbits) % BITS_IN_POOL;
*7dfb9911SJimmy Brisson	entropy_bit_size -= nbits;
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brissonout:
*7dfb9911SJimmy Brisson	spin_unlock(&trng_pool_lock);
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson	return success;
*7dfb9911SJimmy Brisson}
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brissonvoid trng_entropy_pool_setup(void)
*7dfb9911SJimmy Brisson{
*7dfb9911SJimmy Brisson	int i;
*7dfb9911SJimmy Brisson
*7dfb9911SJimmy Brisson	for (i = 0; i < WORDS_IN_POOL; i++) {
*7dfb9911SJimmy Brisson		entropy[i] = 0;
*7dfb9911SJimmy Brisson	}
*7dfb9911SJimmy Brisson	entropy_bit_index = 0;
*7dfb9911SJimmy Brisson	entropy_bit_size = 0;
*7dfb9911SJimmy Brisson}