| Jimmy Brisson | 26c5b5c | 2020-06-22 14:18:42 -0500 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright (c) 2021, ARM Limited. All rights reserved. |
| 3 | * |
| 4 | * SPDX-License-Identifier: BSD-3-Clause |
| 5 | */ |
| 6 | |
| 7 | #include <assert.h> |
| 8 | #include <stdbool.h> |
| 9 | #include <stdint.h> |
| 10 | #include <lib/spinlock.h> |
| 11 | #include <plat/common/plat_trng.h> |
| 12 | |
| 13 | /* |
| 14 | * # Entropy pool |
| 15 | * Note that the TRNG Firmware interface can request up to 192 bits of entropy |
| 16 | * in a single call or three 64bit words per call. We have 4 words in the pool |
| 17 | * so that when we have 1-63 bits in the pool, and we have a request for |
| 18 | * 192 bits of entropy, we don't have to throw out the leftover 1-63 bits of |
| 19 | * entropy. |
| 20 | */ |
| 21 | #define WORDS_IN_POOL (4) |
| 22 | static uint64_t entropy[WORDS_IN_POOL]; |
| 23 | /* index in bits of the first bit of usable entropy */ |
| 24 | static uint32_t entropy_bit_index; |
| 25 | /* then number of valid bits in the entropy pool */ |
| 26 | static uint32_t entropy_bit_size; |
| 27 | |
| 28 | static spinlock_t trng_pool_lock; |
| 29 | |
| 30 | #define BITS_PER_WORD (sizeof(entropy[0]) * 8) |
| 31 | #define BITS_IN_POOL (WORDS_IN_POOL * BITS_PER_WORD) |
| 32 | #define ENTROPY_MIN_WORD (entropy_bit_index / BITS_PER_WORD) |
| 33 | #define ENTROPY_FREE_BIT (entropy_bit_size + entropy_bit_index) |
| 34 | #define _ENTROPY_FREE_WORD (ENTROPY_FREE_BIT / BITS_PER_WORD) |
| 35 | #define ENTROPY_FREE_INDEX (_ENTROPY_FREE_WORD % WORDS_IN_POOL) |
| 36 | /* ENTROPY_WORD_INDEX(0) includes leftover bits in the lower bits */ |
| 37 | #define ENTROPY_WORD_INDEX(i) ((ENTROPY_MIN_WORD + i) % WORDS_IN_POOL) |
| 38 | |
| 39 | /* |
| 40 | * Fill the entropy pool until we have at least as many bits as requested. |
| 41 | * Returns true after filling the pool, and false if the entropy source is out |
| 42 | * of entropy and the pool could not be filled. |
| 43 | * Assumes locks are taken. |
| 44 | */ |
| 45 | static bool trng_fill_entropy(uint32_t nbits) |
| 46 | { |
| 47 | while (nbits > entropy_bit_size) { |
| 48 | bool valid = plat_get_entropy(&entropy[ENTROPY_FREE_INDEX]); |
| 49 | |
| 50 | if (valid) { |
| 51 | entropy_bit_size += BITS_PER_WORD; |
| 52 | assert(entropy_bit_size <= BITS_IN_POOL); |
| 53 | } else { |
| 54 | return false; |
| 55 | } |
| 56 | } |
| 57 | return true; |
| 58 | } |
| 59 | |
| 60 | /* |
| 61 | * Pack entropy into the out buffer, filling and taking locks as needed. |
| 62 | * Returns true on success, false on failure. |
| 63 | * |
| 64 | * Note: out must have enough space for nbits of entropy |
| 65 | */ |
| 66 | bool trng_pack_entropy(uint32_t nbits, uint64_t *out) |
| 67 | { |
| 68 | bool success = true; |
| 69 | |
| 70 | spin_lock(&trng_pool_lock); |
| 71 | |
| 72 | if (!trng_fill_entropy(nbits)) { |
| 73 | success = false; |
| 74 | goto out; |
| 75 | } |
| 76 | |
| 77 | const unsigned int rshift = entropy_bit_index % BITS_PER_WORD; |
| 78 | const unsigned int lshift = BITS_PER_WORD - rshift; |
| 79 | const int to_fill = ((nbits + BITS_PER_WORD - 1) / BITS_PER_WORD); |
| 80 | int word_i; |
| 81 | |
| 82 | for (word_i = 0; word_i < to_fill; word_i++) { |
| 83 | /* |
| 84 | * Repack the entropy from the pool into the passed in out |
| 85 | * buffer. This takes the lower bits from the valid upper bits |
| 86 | * of word_i and the upper bits from the lower bits of |
| 87 | * (word_i + 1). |
| 88 | * |
| 89 | * I found the following diagram useful. note: `e` represents |
| 90 | * valid entropy, ` ` represents invalid bits (not entropy) and |
| 91 | * `x` represents valid entropy that must not end up in the |
| 92 | * packed word. |
| 93 | * |
| 94 | * |---------entropy pool----------| |
| 95 | * C var |--(word_i + 1)-|----word_i-----| |
| 96 | * bit idx |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0| |
| 97 | * [x,x,e,e,e,e,e,e|e,e, , , , , , ] |
| 98 | * | [e,e,e,e,e,e,e,e] | |
| 99 | * | |--out[word_i]--| | |
| 100 | * lshift|---| |--rshift---| |
| 101 | * |
| 102 | * ==== Which is implemented as ==== |
| 103 | * |
| 104 | * |---------entropy pool----------| |
| 105 | * C var |--(word_i + 1)-|----word_i-----| |
| 106 | * bit idx |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0| |
| 107 | * [x,x,e,e,e,e,e,e|e,e, , , , , , ] |
| 108 | * C expr << lshift >> rshift |
| 109 | * bit idx 5 4 3 2 1 0 7 6 |
| 110 | * [e,e,e,e,e,e,0,0|0,0,0,0,0,0,e,e] |
| 111 | * ==== bit-wise or ==== |
| 112 | * 5 4 3 2 1 0 7 6 |
| 113 | * [e,e,e,e,e,e,e,e] |
| 114 | */ |
| 115 | out[word_i] = 0; |
| 116 | out[word_i] |= entropy[ENTROPY_WORD_INDEX(word_i)] >> rshift; |
| 117 | |
| 118 | /* |
| 119 | * Note that a shift of 64 bits is treated as a shift of 0 bits. |
| 120 | * When the shift amount is the same as the BITS_PER_WORD, we |
| 121 | * don't want to include the next word of entropy, so we skip |
| 122 | * the `|=` operation. |
| 123 | */ |
| 124 | if (lshift != BITS_PER_WORD) { |
| 125 | out[word_i] |= entropy[ENTROPY_WORD_INDEX(word_i + 1)] |
| 126 | << lshift; |
| 127 | } |
| 128 | } |
| 129 | const uint64_t mask = ~0ULL >> (BITS_PER_WORD - (nbits % BITS_PER_WORD)); |
| 130 | |
| 131 | out[to_fill - 1] &= mask; |
| 132 | |
| 133 | entropy_bit_index = (entropy_bit_index + nbits) % BITS_IN_POOL; |
| 134 | entropy_bit_size -= nbits; |
| 135 | |
| 136 | out: |
| 137 | spin_unlock(&trng_pool_lock); |
| 138 | |
| 139 | return success; |
| 140 | } |
| 141 | |
| 142 | void trng_entropy_pool_setup(void) |
| 143 | { |
| 144 | int i; |
| 145 | |
| 146 | for (i = 0; i < WORDS_IN_POOL; i++) { |
| 147 | entropy[i] = 0; |
| 148 | } |
| 149 | entropy_bit_index = 0; |
| 150 | entropy_bit_size = 0; |
| 151 | } |