Pavona Software APIs
dif_csrng.h
Go to the documentation of this file.
1// Copyright lowRISC contributors (OpenTitan project).
2// Licensed under the Apache License, Version 2.0, see LICENSE for details.
3// SPDX-License-Identifier: Apache-2.0
4
5#ifndef OPENTITAN_SW_DEVICE_LIB_DIF_DIF_CSRNG_H_
6#define OPENTITAN_SW_DEVICE_LIB_DIF_DIF_CSRNG_H_
7
8/**
9 * @file
10 * @brief <a href="/book/hw/ip/csrng/">CSRNG</a> Device Interface Functions
11 */
12
13#include <stdint.h>
14
15#include "sw/device/lib/base/macros.h"
16#include "sw/device/lib/base/mmio.h"
17#include "sw/device/lib/dif/dif_base.h"
18
19#include "hw/top/csrng_regs.h" // Generated
20#include "sw/device/lib/dif/autogen/dif_csrng_autogen.h"
21
22#ifdef __cplusplus
23extern "C" {
24#endif // __cplusplus
25
26/**
27 * This API implements an interface for the CSRNG hardware.
28 *
29 * The API follows the naming conventions used in NIST SP 800-90Ar1:
30 *
31 * - Instantiate.
32 * - Update
33 * - Reseed
34 * - Generate
35 * - Uninstantiate
36 *
37 * The seed used for instantiation can either be provided directly in
38 * hardware by an entropy source module; or directly by software. See
39 * `dif_csrng_instantiate()` and `dif_csrng_entropy_src` for
40 * more details.
41 *
42 * The following sequence of operations are required to initialize
43 * and generate cryptographic entropy from the CSRNG module:
44 *
45 * - `dif_csrng_init()`
46 * - `dif_csrng_configure()`
47 * - `dif_csrng_instantiate()`
48 * - `dif_csrng_generate_start()`
49 * - `dif_csrng_uninstantiate()`
50 *
51 * The following functions can be used for reseed and update operations:
52 *
53 * - `dif_csrng_reseed()`
54 * - `dif_csrng_update()`
55 *
56 * The following utility functions are available to poll the state of
57 * the hardware:
58 *
59 * - `dif_csrng_get_cmd_interface_status()`
60 * - `dif_csrng_get_output_status()`
61 *
62 * Please see the following documentation for more information:
63 * hw/ip/csrng/
64 *
65 * Remaining work:
66 *
67 * - Add error status interface.
68 * - Add internal state control and debug interface.
69 */
70
71/**
72 * Enumeration of CSRNG command interface states.
73 */
74typedef enum dif_csrng_cmd_status_kind {
75 /**
76 * The command interface is ready to accept commands.
77 */
78 kDifCsrngCmdStatusReady,
79 /**
80 * The command interface is processing a command.
81 */
82 kDifCsrngCmdStatusBusy,
83 /**
84 * The command interface completed with an error.
85 */
86 kDifCsrngCmdStatusError,
87} dif_csrng_cmd_status_kind_t;
88
89/**
90 * Enumeration of CSRNG FIFOs, which indicates which part of the hardware
91 * produced an error.
92 */
93typedef enum dif_csrng_fifo {
94 kDifCsrngFifoCmd,
95 kDifCsrngFifoGenBits,
96 kDifCsrngFifoGBencAck,
97 kDifCsrngFifoGadStage,
98 kDifCsrngFifoCmdId,
99} dif_csrng_fifo_t;
100
101/**
102 * Enumeration of CSRNG FIFO errors.
103 */
104typedef enum dif_csrng_error {
105 /**
106 * Indicates an error in the command stage state machine.
107 */
108 kDifCsrngErrorCmdStageSm,
109 /**
110 * Indicates an error in the main state machine.
111 */
112 kDifCsrngErrorMainSm,
113 /**
114 * Indicates an error in the DRBG's command unit state machine.
115 */
116 kDifCsrngErrorDrbgCmdSm,
117 /**
118 * Indicates an error in the DRBG's generator state machine.
119 */
120 kDifCsrngErrorDrbgGenSm,
121 /**
122 * Indicates an error in the DRBG's block encoding state machine.
123 */
124 kDifCsrngErrorDrbgUpdateBlockEncSm,
125 /**
126 * Indicates an error in the DRBG's block output state machine.
127 */
128 kDifCsrngErrorDrbgUpdateOutBlockSm,
129 /**
130 * Indicates an error in the AES state machine.
131 */
132 kDifCsrngErrorAesSm,
133 /**
134 * Indicates an error in the generate command's counter.
135 */
136 kDifCsrngErrorGenerateCmdCounter,
137 /**
138 * Indicates a write to a full FIFO occurred.
139 */
140 kDifCsrngErrorFifoWrite,
141 /**
142 * Indicates a read from an empty FIFO occurred.
143 */
144 kDifCsrngErrorFifoRead,
145 /**
146 * Indicates a FIFO was somehow both full and empty.
147 */
148 kDifCsrngErrorFifoFullAndEmpty,
149} dif_csrng_error_t;
150
151/**
152 * Enumeration of CSRNG command status errors.
153 */
154typedef enum dif_csrng_cmd_sts_error {
155 /**
156 * Indicates that the command completed successfully.
157 */
158 kDifCsrngCmdStsSuccess = 0,
159 /**
160 * Indicates that an invalid apllication command has been issued.
161 */
162 kDifCsrngCmdStsInvalidAcmd = 1,
163 /**
164 * Indicates that the state wasn't zeroized properly after an uninstantiate
165 * command due to invalid state parameters in the cmd drbg.
166 */
167 kDifCsrngCmdStsInvalidStateParams = 2,
168 /**
169 * Indicates that CSRNG entropy was generated for a command that is not a
170 * generate command.
171 */
172 kDifCsrngCmdStsInvalidCtrDrbgCmd = 3,
173 /**
174 * Indicates that last command was not issued in sequence.
175 * E.g. an instantiate on an instantiated state or any command other than an
176 * instantiate on an uninstantiated state.
177 */
178 kDifCsrngCmdStsInvalidCmdSeq = 4,
179} dif_csrng_cmd_sts_t;
180
181/**
182 * The status of the CSRNG block at a particular moment in time.
183 */
184typedef struct dif_csrng_cmd_status {
185 /**
186 * The kind of status the CSRNG is in.
187 */
188 dif_csrng_cmd_status_kind_t kind;
189 /**
190 * The status value CSRNG returns.
191 */
192 dif_csrng_cmd_sts_t cmd_sts;
193} dif_csrng_cmd_status_t;
194
195/**
196 * CSRNG consume seed from entropy source enable.
197 */
198typedef enum dif_csrng_entropy_src_toggle {
199 /**
200 * Seed material used as the only seed material.
201 *
202 * This configuration option will toggle the hardware state of the
203 * CSRNG to non-FIPS compliant until it is re-instantiated.
204 *
205 * Note: Software may opt to XOR the seed material with a seed to implement
206 * a software assisted FIPS mode of operation.
207 */
208 kDifCsrngEntropySrcToggleDisable = 1,
209 /**
210 * Entropy source XOR'ed with the provided seed material.
211 */
212 kDifCsrngEntropySrcToggleEnable = 0,
213} dif_csrng_entropy_src_toggle_t;
214
215enum {
216 /**
217 * Maximum seed material number of uint32_t words supported in CSRNG
218 * instantiate and seed commands.
219 */
220 kDifCsrngSeedMaterialMaxWordLen = 12,
221};
222
223/**
224 * CSRNG common transaction parameters.
225 */
226typedef struct dif_csrng_seed_material {
227 /**
228 * Number of uint32_t words in `seed_material`. Up to 12 words can be
229 * set to initialize the CSRNG. CSRNG will extend the `seed_material`
230 * to zeros if the provided value is less that 12.
231 */
232 size_t seed_material_len;
233 /**
234 * Seed material used in CSRNG
235 */
236 uint32_t seed_material[kDifCsrngSeedMaterialMaxWordLen];
237} dif_csrng_seed_material_t;
238
239/**
240 * Generated output state.
241 */
242typedef struct dif_csrng_output_status {
243 /**
244 * Set to true when there is cryptographic entropy data available to
245 * read using `dif_csrng_generate_read()`.
246 */
247 bool valid_data;
248 /**
249 * Set to true when the cryptographic entropy data available to read
250 * is FIPS/CC compliant at the hardware level.
251 */
252 bool fips_mode;
253} dif_csrng_output_status_t;
254
255/**
256 * CSRNG internal state selector ID.
257 */
258typedef enum dif_csrng_internal_state_id {
259 /**
260 * CSRNG instance assigned to Entropy Distribution Network (EDN) 0.
261 */
262 kCsrngInternalStateIdEdn0 = 0,
263 /**
264 * CSRNG instance assigned to Entropy Distribution Network (EDN) 1.
265 */
266 kCsrngInternalStateIdEdn1 = 1,
267 /**
268 * CSRNG instance assigned to software interface.
269 */
270 kCsrngInternalStateIdSw = 2,
271} dif_csrng_internal_state_id_t;
272
273/**
274 * CSRNG internal state.
275 */
276typedef struct dif_csrng_internal_state {
277 /**
278 * Indicates the number of requests for pseudorandom bits since instantiation
279 * or reseeding.
280 */
281 uint32_t reseed_counter;
282 /**
283 * Internal V working state with a 128bit block size.
284 */
285 uint32_t v[4];
286 /**
287 * Internal key used to configure the internal CSRNG cipher.
288 */
289 uint32_t key[8];
290 /**
291 * Set to true when the CSRNG instance has been instantiated.
292 */
293 bool instantiated;
294 /**
295 * Set to true when FIPS compliant entropy was provided directly by the
296 * entropy source to instantiate or reseed the CSRNG instance.
297 */
298 bool fips_compliance;
299} dif_csrng_internal_state_t;
300
301/**
302 * Recoverable alerts emitted by the CSRNG.
303 */
304typedef enum dif_csrng_recoverable_alert {
305 /**
306 * Indicates a bad value was written to the ENABLE field of the control
307 * register.
308 */
309 kDifCsrngRecoverableAlertBadEnable =
310 1U << CSRNG_RECOV_ALERT_STS_ENABLE_FIELD_ALERT_BIT,
311 /**
312 * Indicates a bad value was written to the SW_APP_ENABLE field of the control
313 * register.
314 */
315 kDifCsrngRecoverableAlertBadSwAppEnable =
316 1U << CSRNG_RECOV_ALERT_STS_SW_APP_ENABLE_FIELD_ALERT_BIT,
317 /**
318 * Indicates a bad value was written to the READ_INT_STATE field of the
319 * control register.
320 */
321 kDifCsrngRecoverableAlertBadIntState =
322 1U << CSRNG_RECOV_ALERT_STS_READ_INT_STATE_FIELD_ALERT_BIT,
323 /**
324 * Indicates the FLAG0 field in the Application Command is set to a value
325 * other than kMultiBitBool4True or kMultiBitBool4False.
326 */
327 kDifCsrngRecoverableAlertBadFlag0 =
328 1U << CSRNG_RECOV_ALERT_STS_ACMD_FLAG0_FIELD_ALERT_BIT,
329 /**
330 * Indicates the genbits bus saw two identical values, indicating a possible
331 * attack.
332 */
333 kDifCsrngRecoverableAlertRepeatedGenBits =
334 1U << CSRNG_RECOV_ALERT_STS_CS_BUS_CMP_ALERT_BIT,
335 /**
336 * Indicates an unsupported CSRNG command was issued.
337 */
338 kDifCsrngRecoverableAlertBadCsrngCmd =
339 1U << CSRNG_RECOV_ALERT_STS_CMD_STAGE_INVALID_ACMD_ALERT_BIT,
340 /**
341 * Indicates a supported CSRNG command was issued out of sequence.
342 */
343 kDifCsrngRecoverableAlertBadCsrngCmdSeq =
344 1U << CSRNG_RECOV_ALERT_STS_CMD_STAGE_INVALID_CMD_SEQ_ALERT_BIT,
345 /**
346 * Indicates that too many generate commands were issued in a row.
347 */
348 kDifCsrngRecoverableAlertMaxReseedsExceeded =
349 1U << CSRNG_RECOV_ALERT_STS_CMD_STAGE_RESEED_CNT_ALERT_BIT,
350} dif_csrng_recoverable_alert_t;
351
352/**
353 * Configures CSRNG.
354 *
355 * This function should need to be called once for the lifetime of `csrng`.
356 *
357 * @param csrng A CSRNG handle.
358 * @return The result of the operation.
359 */
360OT_WARN_UNUSED_RESULT
361dif_result_t dif_csrng_configure(const dif_csrng_t *csrng);
362
363/**
364 * Initializes CSRNG instance with a new seed value.
365 *
366 * `seed_material` is used as specified in NIST SP 800-90Ar1 section
367 * 10.2.1.3.1. See `dif_csrng_entropy_src` for details on how this value
368 * is mixed with the CSRNG seed.
369 *
370 * `seed_material` can be NULL, in which case CSRNG will use a zero
371 * vector instead.
372 *
373 * @param csrng A CSRNG handle.
374 * @param entropy_src_enable Entropy source input enable.
375 * @param seed_material Seed initialization parameters.
376 * @return The result of the operation.
377 */
378OT_WARN_UNUSED_RESULT
379dif_result_t dif_csrng_instantiate(
380 const dif_csrng_t *csrng, dif_csrng_entropy_src_toggle_t entropy_src_enable,
381 const dif_csrng_seed_material_t *seed_material);
382
383/**
384 * Reseeds CSRNG instance.
385 *
386 * When `seed_material.seed_material_len` is set to 0, only the entropy source
387 * seed is used to reseed the instance, otherwise it will be XOR'ed with the
388 * entropy source.
389 *
390 * @param csrng A CSRNG handle.
391 * @param seed_material Reseed parameters.
392 * @return The result of the operation.
393 */
394OT_WARN_UNUSED_RESULT
395dif_result_t dif_csrng_reseed(const dif_csrng_t *csrng,
396 const dif_csrng_seed_material_t *seed_material);
397
398/**
399 * Updates CSRNG state.
400 *
401 * This function is similar to `dif_csrng_reseed()`, except:
402 *
403 * - Only `seed_material.seed_material` is used in the update operation.
404 * - The update operation does not reset the internal CSRNG reseed
405 * counter.
406 *
407 * @param csrng A CSRNG handle.
408 * @param seed_material Update parameters.
409 * @return The result of the operation.
410 */
411OT_WARN_UNUSED_RESULT
412dif_result_t dif_csrng_update(const dif_csrng_t *csrng,
413 const dif_csrng_seed_material_t *seed_material);
414
415/**
416 * Requests cryptographic entropy bits from the CSRNG.
417 *
418 * The prediction resistance flag as specified in SP 800-90Ar1 section
419 * 10.2.1.1 is not directily supported by the hardware. It is the
420 * responsibility of the caller to reseed as needed before calling
421 * this function.
422 *
423 * The CSRNG accepts generation requests with 128-bit granularity, with
424 * a minimum 128-bit request size. This function will increase the size
425 * of the request to align it to the nearest 128-bit boundary.
426 *
427 * @param csrng A CSRNG handle.
428 * @param len Number of uint32_t words to generate.
429 * @return The result of the operation. KDifOutOfRange if the `len` parameter
430 * results in a 128bit block level size greater than 0x800.
431 */
432OT_WARN_UNUSED_RESULT
433dif_result_t dif_csrng_generate_start(const dif_csrng_t *csrng, size_t len);
434
435/**
436 * Reads the output of the last CSRNG generate call.
437 *
438 * This function reads `len` words out of the CSRNG. This function should be
439 * called repeatedly until the number of words requested in
440 * `dif_csrng_generate_start()` is exhausted. This function will block until
441 * `len` words are read.
442 *
443 * `dif_csrng_get_output_status()` can be called before this function to ensure
444 * there is data available in the CSRNG output buffer.
445 *
446 * @param csrng A CSRNG handle.
447 * @param[out] buf A buffer to fill with words from the pipeline.
448 * @param len The number of words to read into `buf`.
449 * @return The result of the operation.
450 */
451OT_WARN_UNUSED_RESULT
452dif_result_t dif_csrng_generate_read(const dif_csrng_t *csrng, uint32_t *buf,
453 size_t len);
454
455/**
456 * Uninstantiates CSRNG
457 *
458 * Resets the CSRNG instance. Values in the CSRNG are zeroed out. This
459 * command effectively resets the CSRNG, clearing any errors that it
460 * may have encountered due to processing or entropy source errors.
461 *
462 * @param csrng An CSRNG handle.
463 * @return The result of the operation.
464 */
465OT_WARN_UNUSED_RESULT
466dif_result_t dif_csrng_uninstantiate(const dif_csrng_t *csrng);
467
468/**
469 * Gets the current command interface status.
470 *
471 * This function can be called before or after any of the following functions:
472 *
473 * - `dif_csrng_instantiate()`
474 * - `dif_csrng_reseed()`
475 * - `dif_csrng_update()`
476 * - `dif_csrng_generate_start()`
477 * - `dif_csrng_uninstantiate()`
478 *
479 * @param csrng An CSRNG handle
480 * @param[out] status Command interface status.
481 * @return The result of the operation.
482 */
483OT_WARN_UNUSED_RESULT
484dif_result_t dif_csrng_get_cmd_interface_status(const dif_csrng_t *csrng,
485 dif_csrng_cmd_status_t *status);
486
487/**
488 * Forces the status registers to indicate `fifo` as being in an unhealthy
489 * state.
490 *
491 * @param csrng An CSRNG handle
492 * @param fifo The FIFO to mark as unhealthy.
493 * @return The result of the operation.
494 */
495OT_WARN_UNUSED_RESULT
496dif_result_t dif_csrng_get_cmd_force_unhealthy_fifo(const dif_csrng_t *csrng,
497 dif_csrng_fifo_t fifo);
498
499/**
500 * Forces the status registers to indicate a particular error cause.
501 *
502 * @param csrng An CSRNG handle
503 * @param error The error to force.
504 * @return The result of the operation.
505 */
506OT_WARN_UNUSED_RESULT
507dif_result_t dif_csrng_get_cmd_force_error(const dif_csrng_t *csrng,
508 dif_csrng_error_t error);
509
510/**
511 * Returns an opaque blob indicating the main state machine's current state.
512 *
513 * @param csrng An CSRNG handle
514 * @param state[out] The state machine state as an opaque blob.
515 * @return The result of the operation.
516 */
517OT_WARN_UNUSED_RESULT
518dif_result_t dif_csrng_get_main_state_machine(const dif_csrng_t *csrng,
519 uint32_t *state);
520
521/**
522 * Returns a bitset indicating which hardware CSRNGs have encountered
523 * exceptions.
524 *
525 * @param csrng An CSRNG handle
526 * @param exceptions[out] The bitset of exception states.
527 * @return The result of the operation.
528 */
529OT_WARN_UNUSED_RESULT
530dif_result_t dif_csrng_get_hw_csrng_exceptions(const dif_csrng_t *csrng,
531 uint32_t *exceptions);
532
533/**
534 * Clears recorded hardware CSRNG exceptions.
535 *
536 * @param csrng An CSRNG handle
537 * @return The result of the operation.
538 */
539OT_WARN_UNUSED_RESULT
540dif_result_t dif_csrng_clear_hw_csrng_exceptions(const dif_csrng_t *csrng);
541
542/**
543 * Gets the current cryptographic entropy output data status.
544 *
545 * This function can be used before calling `dif_csrng_generate_read()` to
546 * check if there is data available to read.
547 *
548 * @param csrng A CSRNG handle.
549 * @param[out] status CSRNG output status.
550 * @return The result of the operation.
551 */
552OT_WARN_UNUSED_RESULT
553dif_result_t dif_csrng_get_output_status(const dif_csrng_t *csrng,
554 dif_csrng_output_status_t *status);
555
556/**
557 * Gets the working state of a CSRNG instance.
558 *
559 * @param csrng A CSRNG handle
560 * @param instance_id CSRNG instance ID.
561 * @param[out] state The working state of a CSRNG instance.
562 * @return The result of the operation.
563 */
564OT_WARN_UNUSED_RESULT
565dif_result_t dif_csrng_get_internal_state(
566 const dif_csrng_t *csrng, dif_csrng_internal_state_id_t instance_id,
567 dif_csrng_internal_state_t *state);
568
569/**
570 * Gets the reseed counter of a CSRNG instance.
571 *
572 * @param csrng A CSRNG handle
573 * @param instance_id CSRNG instance ID.
574 * @param[out] reseed counter The current reseed counter value of a CSRNG
575 * instance.
576 * @return The result of the operation.
577 */
578OT_WARN_UNUSED_RESULT
579dif_result_t dif_csrng_get_reseed_counter(
580 const dif_csrng_t *csrng, dif_csrng_internal_state_id_t instance_id,
581 uint32_t *reseed_counter);
582
583/**
584 * Locks out CSRNG functionality.
585 *
586 * This function is reentrant: calling it while functionality is locked will
587 * have no effect and return `kDifCsrngOk`.
588 *
589 * @param csrng A CSRNG handle.
590 * @return The result of the operation.
591 */
592OT_WARN_UNUSED_RESULT
593dif_result_t dif_csrng_lock(const dif_csrng_t *csrng);
594
595/**
596 * Checks whether this CSRNG is locked.
597 *
598 * @param csrng A CSRNG handle.
599 * @param[out] is_locked Out-param for the locked state.
600 * @return The result of the operation.
601 */
602OT_WARN_UNUSED_RESULT
603dif_result_t dif_csrng_is_locked(const dif_csrng_t *csrng, bool *is_locked);
604
605/**
606 * Disables the CSRNG module.
607 *
608 * @param csrng A CSRNG handle.
609 * @return The result of the operation.
610 */
611OT_WARN_UNUSED_RESULT
612dif_result_t dif_csrng_stop(const dif_csrng_t *csrng);
613
614/**
615 * Gets the recoverable alerts currently recorded in the CSRNG block.
616 *
617 * This function returns the alerts in a bitset whose indices are given by
618 * `dif_csrng_recoverable_alert_t`.
619 *
620 * @param csrng A CSRNG handle.
621 * @param[out] alerts Bitset of alerts currently recorded.
622 * @return The result of the operation.
623 */
624OT_WARN_UNUSED_RESULT
625dif_result_t dif_csrng_get_recoverable_alerts(const dif_csrng_t *csrng,
626 uint32_t *alerts);
627
628/**
629 * Clears all recoverable alerts currently recorded in the CSRNG block.
630 *
631 * @param csrng A CSRNG handle.
632 * @return The result of the operation.
633 */
634OT_WARN_UNUSED_RESULT
635dif_result_t dif_csrng_clear_recoverable_alerts(const dif_csrng_t *csrng);
636
637#ifdef __cplusplus
638} // extern "C"
639#endif // __cplusplus
640
641#endif // OPENTITAN_SW_DEVICE_LIB_DIF_DIF_CSRNG_H_