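/*
 * Copyright (c) 2021-2022, ARM Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <lib/spinlock.h>
#include <plat/common/plat_trng.h>

/*
 * # Entropy pool
 * Note that the TRNG Firmware interface can request up to 192 bits of entropy
 * in a single call or three 64bit words per call. We have 4 words in the pool
 * so that when we have 1-63 bits in the pool, and we have a request for
 * 192 bits of entropy, we don't have to throw out the leftover 1-63 bits of
 * entropy.
 */
#define WORDS_IN_POOL (4)
static uint64_t entropy[WORDS_IN_POOL];
/* index in bits of the first bit of usable entropy */
static uint32_t entropy_bit_index;
/* the number of valid bits in the entropy pool */
static uint32_t entropy_bit_size;

static spinlock_t trng_pool_lock;

/*
 * Pool geometry helpers. The ENTROPY_* macros read entropy_bit_index and
 * entropy_bit_size at every use, so they always reflect the current state of
 * the pool.
 */
#define BITS_PER_WORD		(sizeof(entropy[0]) * 8)
#define BITS_IN_POOL		(WORDS_IN_POOL * BITS_PER_WORD)
#define ENTROPY_MIN_WORD	(entropy_bit_index / BITS_PER_WORD)
#define ENTROPY_FREE_BIT	(entropy_bit_size + entropy_bit_index)
#define ENTROPY_FREE_WORD	(ENTROPY_FREE_BIT / BITS_PER_WORD)
#define ENTROPY_FREE_INDEX	(ENTROPY_FREE_WORD % WORDS_IN_POOL)
/* ENTROPY_WORD_INDEX(0) includes leftover bits in the lower bits */
#define ENTROPY_WORD_INDEX(i)	((ENTROPY_MIN_WORD + (i)) % WORDS_IN_POOL)

/*
 * Fill the entropy pool until we have at least as many bits as requested.
 * Returns true after filling the pool, and false if the entropy source is out
 * of entropy and the pool could not be filled. Also returns false when one
 * more word would not fit in the pool: the slot at ENTROPY_FREE_INDEX would
 * then still hold entropy that has not been handed out, and overwriting it
 * would make the same bits appear twice in later output.
 * Assumes locks are taken.
 */
static bool trng_fill_entropy(uint32_t nbits)
{
	while (nbits > entropy_bit_size) {
		/*
		 * Enforced at run time, not only by the assert below, because
		 * assert() may be compiled out of release builds.
		 */
		if (entropy_bit_size > (BITS_IN_POOL - BITS_PER_WORD)) {
			return false;
		}

		if (!plat_get_entropy(&entropy[ENTROPY_FREE_INDEX])) {
			return false;
		}

		entropy_bit_size += BITS_PER_WORD;
		assert(entropy_bit_size <= BITS_IN_POOL);
	}
	return true;
}

/*
 * Pack entropy into the out buffer, filling and taking locks as needed.
 * Returns true on success, false on failure.
 *
 * A request for 0 bits succeeds without touching out. A request for more than
 * BITS_IN_POOL bits can never be served from this pool and fails without
 * drawing from the entropy source.
 *
 * Every word of out that is touched is fully overwritten, so the result does
 * not depend on what the buffer held before the call. Pool bits that have
 * been packed are zeroed so consumed entropy does not linger in the pool.
 *
 * Note: out must have enough space for nbits of entropy
 */
bool trng_pack_entropy(uint32_t nbits, uint64_t *out)
{
	bool ret = true;
	uint32_t bits_to_discard = nbits;

	if (nbits == 0U) {
		/* Nothing to pack; avoids indexing out[to_fill - 1] with to_fill == 0. */
		return true;
	}
	if (nbits > BITS_IN_POOL) {
		return false;
	}

	spin_lock(&trng_pool_lock);

	if (!trng_fill_entropy(nbits)) {
		ret = false;
		goto out;
	}

	const unsigned int rshift = entropy_bit_index % BITS_PER_WORD;
	const unsigned int lshift = BITS_PER_WORD - rshift;
	const unsigned int to_fill = (nbits + BITS_PER_WORD - 1) / BITS_PER_WORD;
	const unsigned int tail_bits = nbits % BITS_PER_WORD;
	unsigned int word_i;

	for (word_i = 0; word_i < to_fill; word_i++) {
		/*
		 * Repack the entropy from the pool into the passed in out
		 * buffer. This takes fewer bits from the valid upper bits
		 * of word_i and more bits from the lower bits of (word_i + 1).
		 *
		 * In the diagram below (drawn with 8 positions per word),
		 * `e` represents valid entropy, ` ` represents invalid bits
		 * (not entropy) and `x` represents valid entropy that must
		 * not end up in the packed word.
		 *
		 *          |---------entropy pool----------|
		 * C var    |--(word_i + 1)-|----word_i-----|
		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
		 *          [x,x,e,e,e,e,e,e|e,e, , , , , , ]
		 *          |   [e,e,e,e,e,e,e,e]           |
		 *          |   |--out[word_i]--|           |
		 *    lshift|---|               |--rshift---|
		 *
		 *          ==== Which is implemented as ====
		 *
		 *          |---------entropy pool----------|
		 * C var    |--(word_i + 1)-|----word_i-----|
		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
		 *          [x,x,e,e,e,e,e,e|e,e, , , , , , ]
		 * C expr       << lshift       >> rshift
		 * bit idx   5 4 3 2 1 0                 7 6
		 *          [e,e,e,e,e,e,0,0|0,0,0,0,0,0,e,e]
		 *                ==== bit-wise or ====
		 *                   5 4 3 2 1 0 7 6
		 *                  [e,e,e,e,e,e,e,e]
		 *
		 * The first contribution is assigned rather than OR-ed so
		 * that stale contents of out cannot leak into the result.
		 */
		out[word_i] = entropy[ENTROPY_WORD_INDEX(word_i)] >> rshift;

		/*
		 * Discard the used/packed entropy bits from the respective
		 * words, (word_i) and (word_i + 1) as applicable.
		 * Each iteration packs up to one word of entropy into the
		 * output buffer. Words are taken in order through the pool
		 * and wrap from the last word back to the first; discarding
		 * follows the same order.
		 *
		 * The following diagram illustrates the logic:
		 *
		 *          |---------entropy pool----------|
		 * C var    |--(word_i + 1)-|----word_i-----|
		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
		 *          [e,e,e,e,e,e,e,e|e,e,0,0,0,0,0,0]
		 *          |   [e,e,e,e,e,e,e,e]           |
		 *          |   |--out[word_i]--|           |
		 *    lshift|---|               |--rshift---|
		 *          |e,e|0,0,0,0,0,0,0,0|0,0,0,0,0,0|
		 *              |<==   ||    ==>|
		 *               bits_to_discard (from these positions)
		 *
		 * bits_to_discard tracks how many packed bits still have to
		 * be zeroed in the pool and is reduced in each iteration.
		 * Zeroing starts at the lowest packed position and moves
		 * upwards until bits_to_discard reaches zero.
		 *
		 * In the diagram, positions 7 and 6 of word_i and positions
		 * 0 to 5 of word_i + 1 are combined into out[word_i]; how
		 * many of those positions are then zeroed depends on the
		 * number of bits requested.
		 */

		/*
		 * Fewer bits remain to be discarded than were copied from
		 * word_i: clear only that many, starting at rshift.
		 */
		if (bits_to_discard < (BITS_PER_WORD - rshift)) {
			entropy[ENTROPY_WORD_INDEX(word_i)] &=
				(~0ULL << ((bits_to_discard + rshift) % BITS_PER_WORD));
			bits_to_discard = 0;
		} else {
			/*
			 * All valid upper bits of word_i were copied out. The
			 * lower bits are already zero from earlier operations,
			 * so the whole word can be cleared.
			 */
			entropy[ENTROPY_WORD_INDEX(word_i)] = 0;
			bits_to_discard -= (BITS_PER_WORD - rshift);
		}

		/*
		 * Shifting a 64-bit value by 64 is undefined behaviour in C;
		 * the original note says it is treated as a shift of 0 bits
		 * here. Either way, when lshift equals BITS_PER_WORD the next
		 * word must not contribute, so the OR is skipped.
		 */
		if (lshift != BITS_PER_WORD) {
			out[word_i] |= entropy[ENTROPY_WORD_INDEX(word_i + 1)]
				<< lshift;

			/*
			 * Discard the bits of word_i + 1 that were copied to
			 * the output buffer.
			 *
			 * Fewer bits remain to be discarded than were copied
			 * from word_i + 1: clear only that many.
			 */
			if (bits_to_discard < (BITS_PER_WORD - lshift)) {
				entropy[ENTROPY_WORD_INDEX(word_i + 1)] &=
					(~0ULL << ((bits_to_discard) % BITS_PER_WORD));
				bits_to_discard = 0;
			} else {
				/*
				 * Clear every copied bit of word_i + 1.
				 *
				 * Note: the whole word cannot be cleared, as
				 * its upper end still holds unused valid
				 * entropy for future requests.
				 */
				entropy[ENTROPY_WORD_INDEX(word_i + 1)] &=
					(~0ULL << ((BITS_PER_WORD - lshift) % BITS_PER_WORD));
				bits_to_discard -= (BITS_PER_WORD - lshift);
			}
		}
	}

	/*
	 * Trim the last output word to the requested width. When nbits is a
	 * whole number of words there is nothing to trim, and skipping the
	 * mask avoids a shift by BITS_PER_WORD.
	 */
	if (tail_bits != 0U) {
		out[to_fill - 1U] &= ~0ULL >> (BITS_PER_WORD - tail_bits);
	}

	entropy_bit_index = (entropy_bit_index + nbits) % BITS_IN_POOL;
	entropy_bit_size -= nbits;

out:
	spin_unlock(&trng_pool_lock);

	return ret;
}

/*
 * Reset the pool to empty: zero every word and clear the index and size.
 * NOTE(review): trng_pool_lock is not taken here; presumably this runs before
 * any concurrent caller of trng_pack_entropy exists. Confirm against callers.
 */
void trng_entropy_pool_setup(void)
{
	int i;

	for (i = 0; i < WORDS_IN_POOL; i++) {
		entropy[i] = 0;
	}
	entropy_bit_index = 0;
	entropy_bit_size = 0;
}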