Software APIs
dif_csrng.h
Go to the documentation of this file.
1// Copyright lowRISC contributors (OpenTitan project).
2// Licensed under the Apache License, Version 2.0, see LICENSE for details.
3// SPDX-License-Identifier: Apache-2.0
4
5#ifndef OPENTITAN_SW_DEVICE_LIB_DIF_DIF_CSRNG_H_
6#define OPENTITAN_SW_DEVICE_LIB_DIF_DIF_CSRNG_H_
7
8/**
9 * @file
10 * @brief <a href="/book/hw/ip/csrng/">CSRNG</a> Device Interface Functions
11 */
12
13#include <stdint.h>
14
15#include "sw/device/lib/base/macros.h"
16#include "sw/device/lib/base/mmio.h"
17#include "sw/device/lib/dif/dif_base.h"
18
19#include "hw/top/csrng_regs.h" // Generated
20#include "sw/device/lib/dif/autogen/dif_csrng_autogen.h"
21
22#ifdef __cplusplus
23extern "C" {
24#endif // __cplusplus
25
26/**
27 * This API implements an interface for the CSRNG hardware.
28 *
29 * The API follows the naming conventions used in NIST SP 800-90Ar1:
30 *
31 * - Instantiate.
32 * - Update
33 * - Reseed
34 * - Generate
35 * - Uninstantiate
36 *
37 * The seed used for instantiation can either be provided directly in
38 * hardware by an entropy source module; or directly by software. See
39 * `dif_csrng_instantiate()` and `dif_csrng_entropy_src` for
40 * more details.
41 *
42 * The following sequence of operations are required to initialize
43 * and generate cryptographic entropy from the CSRNG module:
44 *
45 * - `dif_csrng_init()`
46 * - `dif_csrng_configure()`
47 * - `dif_csrng_instantiate()`
48 * - `dif_csrng_generate_start()`
49 * - `dif_csrng_uninstantiate()`
50 *
51 * The following functions can be used for reseed and update operations:
52 *
53 * - `dif_csrng_reseed()`
54 * - `dif_csrng_update()`
55 *
56 * The following utility functions are available to poll the state of
57 * the hardware:
58 *
59 * - `dif_csrng_get_cmd_interface_status()`
60 * - `dif_csrng_get_output_status()`
61 *
62 * Please see the following documentation for more information:
63 * https://opentitan.org/book/hw/ip/csrng/
64 *
65 * Remaining work:
66 *
67 * - Add error status interface.
68 * - Add internal state control and debug interface.
69 */
70
71/**
72 * Enumeration of CSRNG command interface states.
73 */
74typedef enum dif_csrng_cmd_status_kind {
75 /**
76 * The command interface is ready to accept commands.
77 */
78 kDifCsrngCmdStatusReady,
79 /**
80 * The command interface is processing a command.
81 */
82 kDifCsrngCmdStatusBusy,
83 /**
84 * The command interface completed with an error.
85 */
86 kDifCsrngCmdStatusError,
87} dif_csrng_cmd_status_kind_t;
88
89/**
90 * Enumeration of CSRNG FIFOs, which indicates which part of the hardware
91 * produced an error.
92 */
93typedef enum dif_csrng_fifo {
94 kDifCsrngFifoCmd,
95 kDifCsrngFifoGenBits,
96} dif_csrng_fifo_t;
97
98/**
99 * Enumeration of CSRNG FIFO errors.
100 */
101typedef enum dif_csrng_error {
102 /**
103 * Indicates an error in the command stage state machine.
104 */
105 kDifCsrngErrorCmdStageSm,
106 /**
107 * Indicates an error in the main state machine.
108 */
109 kDifCsrngErrorMainSm,
110 /**
111 * Indicates an error in the CTR_DRBG data path state machine.
112 */
113 kDifCsrngErrorCtrDrbgSm,
114 /**
115 * Indicates an error in the AES state machine.
116 */
117 kDifCsrngErrorAesSm,
118 /**
119 * Indicates an error in one of the counters.
120 */
121 kDifCsrngErrorCounters,
122 /**
123 * Indicates a write to a full FIFO occurred.
124 */
125 kDifCsrngErrorFifoWrite,
126 /**
127 * Indicates a read from an empty FIFO occurred.
128 */
129 kDifCsrngErrorFifoRead,
130 /**
131 * Indicates a FIFO was somehow both full and empty.
132 */
133 kDifCsrngErrorFifoFullAndEmpty,
134} dif_csrng_error_t;
135
136/**
137 * Enumeration of CSRNG command status errors.
138 */
139typedef enum dif_csrng_cmd_sts_error {
140 /**
141 * Indicates that the command completed successfully.
142 */
143 kDifCsrngCmdStsSuccess = 0,
144 /**
145 * Indicates that an invalid apllication command has been issued.
146 */
147 kDifCsrngCmdStsInvalidAcmd = 1,
148 /**
149 * Indicates that the state wasn't zeroized properly after an uninstantiate
150 * command due to invalid state parameters in the cmd drbg.
151 */
152 kDifCsrngCmdStsInvalidStateParams = 2,
153 /**
154 * Indicates that CSRNG entropy was generated for a command that is not a
155 * generate command.
156 */
157 kDifCsrngCmdStsInvalidCtrDrbgCmd = 3,
158 /**
159 * Indicates that last command was not issued in sequence.
160 * E.g. an instantiate on an instantiated state or any command other than an
161 * instantiate on an uninstantiated state.
162 */
163 kDifCsrngCmdStsInvalidCmdSeq = 4,
164} dif_csrng_cmd_sts_t;
165
166/**
167 * The status of the CSRNG block at a particular moment in time.
168 */
169typedef struct dif_csrng_cmd_status {
170 /**
171 * The kind of status the CSRNG is in.
172 */
173 dif_csrng_cmd_status_kind_t kind;
174 /**
175 * The status value CSRNG returns.
176 */
177 dif_csrng_cmd_sts_t cmd_sts;
178} dif_csrng_cmd_status_t;
179
180/**
181 * CSRNG consume seed from entropy source enable.
182 */
183typedef enum dif_csrng_entropy_src_toggle {
184 /**
185 * Seed material used as the only seed material.
186 *
187 * This configuration option will toggle the hardware state of the
188 * CSRNG to non-FIPS compliant until it is re-instantiated.
189 *
190 * Note: Software may opt to XOR the seed material with a seed to implement
191 * a software assisted FIPS mode of operation.
192 */
193 kDifCsrngEntropySrcToggleDisable = 1,
194 /**
195 * Entropy source XOR'ed with the provided seed material.
196 */
197 kDifCsrngEntropySrcToggleEnable = 0,
198} dif_csrng_entropy_src_toggle_t;
199
200enum {
201 /**
202 * Maximum seed material number of uint32_t words supported in CSRNG
203 * instantiate and seed commands.
204 */
205 kDifCsrngSeedMaterialMaxWordLen = 12,
206};
207
208/**
209 * CSRNG common transaction parameters.
210 */
211typedef struct dif_csrng_seed_material {
212 /**
213 * Number of uint32_t words in `seed_material`. Up to 12 words can be
214 * set to initialize the CSRNG. CSRNG will extend the `seed_material`
215 * to zeros if the provided value is less that 12.
216 */
217 size_t seed_material_len;
218 /**
219 * Seed material used in CSRNG
220 */
221 uint32_t seed_material[kDifCsrngSeedMaterialMaxWordLen];
222} dif_csrng_seed_material_t;
223
224/**
225 * Generated output state.
226 */
227typedef struct dif_csrng_output_status {
228 /**
229 * Set to true when there is cryptographic entropy data available to
230 * read using `dif_csrng_generate_read()`.
231 */
232 bool valid_data;
233 /**
234 * Set to true when the cryptographic entropy data available to read
235 * is FIPS/CC compliant at the hardware level.
236 */
237 bool fips_mode;
238} dif_csrng_output_status_t;
239
240/**
241 * CSRNG internal state selector ID.
242 */
243typedef enum dif_csrng_internal_state_id {
244 /**
245 * CSRNG instance assigned to Entropy Distribution Network (EDN) 0.
246 */
247 kCsrngInternalStateIdEdn0 = 0,
248 /**
249 * CSRNG instance assigned to Entropy Distribution Network (EDN) 1.
250 */
251 kCsrngInternalStateIdEdn1 = 1,
252 /**
253 * CSRNG instance assigned to software interface.
254 */
255 kCsrngInternalStateIdSw = 2,
256} dif_csrng_internal_state_id_t;
257
258/**
259 * CSRNG internal state.
260 */
261typedef struct dif_csrng_internal_state {
262 /**
263 * Indicates the number of requests for pseudorandom bits since instantiation
264 * or reseeding.
265 */
266 uint32_t reseed_counter;
267 /**
268 * Internal V working state with a 128bit block size.
269 */
270 uint32_t v[4];
271 /**
272 * Internal key used to configure the internal CSRNG cipher.
273 */
274 uint32_t key[8];
275 /**
276 * Set to true when the CSRNG instance has been instantiated.
277 */
278 bool instantiated;
279 /**
280 * Set to true when FIPS compliant entropy was provided directly by the
281 * entropy source to instantiate or reseed the CSRNG instance.
282 */
283 bool fips_compliance;
284} dif_csrng_internal_state_t;
285
286/**
287 * Recoverable alerts emitted by the CSRNG.
288 */
289typedef enum dif_csrng_recoverable_alert {
290 /**
291 * Indicates a bad value was written to the ENABLE field of the control
292 * register.
293 */
294 kDifCsrngRecoverableAlertBadEnable =
295 1U << CSRNG_RECOV_ALERT_STS_ENABLE_FIELD_ALERT_BIT,
296 /**
297 * Indicates a bad value was written to the SW_APP_ENABLE field of the control
298 * register.
299 */
300 kDifCsrngRecoverableAlertBadSwAppEnable =
301 1U << CSRNG_RECOV_ALERT_STS_SW_APP_ENABLE_FIELD_ALERT_BIT,
302 /**
303 * Indicates a bad value was written to the READ_INT_STATE field of the
304 * control register.
305 */
306 kDifCsrngRecoverableAlertBadIntState =
307 1U << CSRNG_RECOV_ALERT_STS_READ_INT_STATE_FIELD_ALERT_BIT,
308 /**
309 * Indicates the FLAG0 field in the Application Command is set to a value
310 * other than kMultiBitBool4True or kMultiBitBool4False.
311 */
312 kDifCsrngRecoverableAlertBadFlag0 =
313 1U << CSRNG_RECOV_ALERT_STS_ACMD_FLAG0_FIELD_ALERT_BIT,
314 /**
315 * Indicates the genbits bus saw two identical values, indicating a possible
316 * attack.
317 */
318 kDifCsrngRecoverableAlertRepeatedGenBits =
319 1U << CSRNG_RECOV_ALERT_STS_CS_BUS_CMP_ALERT_BIT,
320 /**
321 * Indicates an unsupported CSRNG command was issued.
322 */
323 kDifCsrngRecoverableAlertBadCsrngCmd =
324 1U << CSRNG_RECOV_ALERT_STS_CMD_STAGE_INVALID_ACMD_ALERT_BIT,
325 /**
326 * Indicates a supported CSRNG command was issued out of sequence.
327 */
328 kDifCsrngRecoverableAlertBadCsrngCmdSeq =
329 1U << CSRNG_RECOV_ALERT_STS_CMD_STAGE_INVALID_CMD_SEQ_ALERT_BIT,
330 /**
331 * Indicates that too many generate commands were issued in a row.
332 */
333 kDifCsrngRecoverableAlertMaxReseedsExceeded =
334 1U << CSRNG_RECOV_ALERT_STS_CMD_STAGE_RESEED_CNT_ALERT_BIT,
335} dif_csrng_recoverable_alert_t;
336
337/**
338 * Configures CSRNG.
339 *
340 * This function should need to be called once for the lifetime of `csrng`.
341 *
342 * @param csrng A CSRNG handle.
343 * @return The result of the operation.
344 */
345OT_WARN_UNUSED_RESULT
346dif_result_t dif_csrng_configure(const dif_csrng_t *csrng);
347
348/**
349 * Initializes CSRNG instance with a new seed value.
350 *
351 * `seed_material` is used as specified in NIST SP 800-90Ar1 section
352 * 10.2.1.3.1. See `dif_csrng_entropy_src` for details on how this value
353 * is mixed with the CSRNG seed.
354 *
355 * `seed_material` can be NULL, in which case CSRNG will use a zero
356 * vector instead.
357 *
358 * @param csrng A CSRNG handle.
359 * @param entropy_src_enable Entropy source input enable.
360 * @param seed_material Seed initialization parameters.
361 * @return The result of the operation.
362 */
363OT_WARN_UNUSED_RESULT
364dif_result_t dif_csrng_instantiate(
365 const dif_csrng_t *csrng, dif_csrng_entropy_src_toggle_t entropy_src_enable,
366 const dif_csrng_seed_material_t *seed_material);
367
368/**
369 * Reseeds CSRNG instance.
370 *
371 * When `seed_material.seed_material_len` is set to 0, only the entropy source
372 * seed is used to reseed the instance, otherwise it will be XOR'ed with the
373 * entropy source.
374 *
375 * @param csrng A CSRNG handle.
376 * @param seed_material Reseed parameters.
377 * @return The result of the operation.
378 */
379OT_WARN_UNUSED_RESULT
380dif_result_t dif_csrng_reseed(const dif_csrng_t *csrng,
381 const dif_csrng_seed_material_t *seed_material);
382
383/**
384 * Updates CSRNG state.
385 *
386 * This function is similar to `dif_csrng_reseed()`, except:
387 *
388 * - Only `seed_material.seed_material` is used in the update operation.
389 * - The update operation does not reset the internal CSRNG reseed
390 * counter.
391 *
392 * @param csrng A CSRNG handle.
393 * @param seed_material Update parameters.
394 * @return The result of the operation.
395 */
396OT_WARN_UNUSED_RESULT
397dif_result_t dif_csrng_update(const dif_csrng_t *csrng,
398 const dif_csrng_seed_material_t *seed_material);
399
400/**
401 * Requests cryptographic entropy bits from the CSRNG.
402 *
403 * The prediction resistance flag as specified in SP 800-90Ar1 section
404 * 10.2.1.1 is not directily supported by the hardware. It is the
405 * responsibility of the caller to reseed as needed before calling
406 * this function.
407 *
408 * The CSRNG accepts generation requests with 128-bit granularity, with
409 * a minimum 128-bit request size. This function will increase the size
410 * of the request to align it to the nearest 128-bit boundary.
411 *
412 * @param csrng A CSRNG handle.
413 * @param additional_data Additional data for the generate command. Set to NULL
414 * if unused.
415 * @param len Number of uint32_t words to generate.
416 * @return The result of the operation. KDifOutOfRange if the `len` parameter
417 * results in a 128bit block level size greater than 0x800.
418 */
419OT_WARN_UNUSED_RESULT
420dif_result_t dif_csrng_generate_start(
421 const dif_csrng_t *csrng, const dif_csrng_seed_material_t *additional_data,
422 size_t len);
423
424/**
425 * Reads the output of the last CSRNG generate call.
426 *
427 * This function reads `len` words out of the CSRNG. This function should be
428 * called repeatedly until the number of words requested in
429 * `dif_csrng_generate_start()` is exhausted. This function will block until
430 * `len` words are read.
431 *
432 * `dif_csrng_get_output_status()` can be called before this function to ensure
433 * there is data available in the CSRNG output buffer.
434 *
435 * @param csrng A CSRNG handle.
436 * @param[out] buf A buffer to fill with words from the pipeline.
437 * @param len The number of words to read into `buf`.
438 * @return The result of the operation.
439 */
440OT_WARN_UNUSED_RESULT
441dif_result_t dif_csrng_generate_read(const dif_csrng_t *csrng, uint32_t *buf,
442 size_t len);
443
444/**
445 * Uninstantiates CSRNG
446 *
447 * Resets the CSRNG instance. Values in the CSRNG are zeroed out. This
448 * command effectively resets the CSRNG, clearing any errors that it
449 * may have encountered due to processing or entropy source errors.
450 *
451 * @param csrng An CSRNG handle.
452 * @return The result of the operation.
453 */
454OT_WARN_UNUSED_RESULT
455dif_result_t dif_csrng_uninstantiate(const dif_csrng_t *csrng);
456
457/**
458 * Gets the current command interface status.
459 *
460 * This function can be called before or after any of the following functions:
461 *
462 * - `dif_csrng_instantiate()`
463 * - `dif_csrng_reseed()`
464 * - `dif_csrng_update()`
465 * - `dif_csrng_generate_start()`
466 * - `dif_csrng_uninstantiate()`
467 *
468 * @param csrng An CSRNG handle
469 * @param[out] status Command interface status.
470 * @return The result of the operation.
471 */
472OT_WARN_UNUSED_RESULT
473dif_result_t dif_csrng_get_cmd_interface_status(const dif_csrng_t *csrng,
474 dif_csrng_cmd_status_t *status);
475
476/**
477 * Forces the status registers to indicate `fifo` as being in an unhealthy
478 * state.
479 *
480 * @param csrng An CSRNG handle
481 * @param fifo The FIFO to mark as unhealthy.
482 * @return The result of the operation.
483 */
484OT_WARN_UNUSED_RESULT
485dif_result_t dif_csrng_get_cmd_force_unhealthy_fifo(const dif_csrng_t *csrng,
486 dif_csrng_fifo_t fifo);
487
488/**
489 * Forces the status registers to indicate a particular error cause.
490 *
491 * @param csrng An CSRNG handle
492 * @param error The error to force.
493 * @return The result of the operation.
494 */
495OT_WARN_UNUSED_RESULT
496dif_result_t dif_csrng_get_cmd_force_error(const dif_csrng_t *csrng,
497 dif_csrng_error_t error);
498
499/**
500 * Returns an opaque blob indicating the main state machine's current state.
501 *
502 * @param csrng An CSRNG handle
503 * @param state[out] The state machine state as an opaque blob.
504 * @return The result of the operation.
505 */
506OT_WARN_UNUSED_RESULT
507dif_result_t dif_csrng_get_main_state_machine(const dif_csrng_t *csrng,
508 uint32_t *state);
509
510/**
511 * Returns a bitset indicating which hardware CSRNGs have encountered
512 * exceptions.
513 *
514 * @param csrng An CSRNG handle
515 * @param exceptions[out] The bitset of exception states.
516 * @return The result of the operation.
517 */
518OT_WARN_UNUSED_RESULT
519dif_result_t dif_csrng_get_hw_csrng_exceptions(const dif_csrng_t *csrng,
520 uint32_t *exceptions);
521
522/**
523 * Clears recorded hardware CSRNG exceptions.
524 *
525 * @param csrng An CSRNG handle
526 * @return The result of the operation.
527 */
528OT_WARN_UNUSED_RESULT
529dif_result_t dif_csrng_clear_hw_csrng_exceptions(const dif_csrng_t *csrng);
530
531/**
532 * Gets the current cryptographic entropy output data status.
533 *
534 * This function can be used before calling `dif_csrng_generate_read()` to
535 * check if there is data available to read.
536 *
537 * @param csrng A CSRNG handle.
538 * @param[out] status CSRNG output status.
539 * @return The result of the operation.
540 */
541OT_WARN_UNUSED_RESULT
542dif_result_t dif_csrng_get_output_status(const dif_csrng_t *csrng,
543 dif_csrng_output_status_t *status);
544
545/**
546 * Gets the working state of a CSRNG instance.
547 *
548 * @param csrng A CSRNG handle
549 * @param instance_id CSRNG instance ID.
550 * @param[out] state The working state of a CSRNG instance.
551 * @return The result of the operation.
552 */
553OT_WARN_UNUSED_RESULT
554dif_result_t dif_csrng_get_internal_state(
555 const dif_csrng_t *csrng, dif_csrng_internal_state_id_t instance_id,
556 dif_csrng_internal_state_t *state);
557
558/**
559 * Gets the reseed counter of a CSRNG instance.
560 *
561 * @param csrng A CSRNG handle
562 * @param instance_id CSRNG instance ID.
563 * @param[out] reseed counter The current reseed counter value of a CSRNG
564 * instance.
565 * @return The result of the operation.
566 */
567OT_WARN_UNUSED_RESULT
568dif_result_t dif_csrng_get_reseed_counter(
569 const dif_csrng_t *csrng, dif_csrng_internal_state_id_t instance_id,
570 uint32_t *reseed_counter);
571
572/**
573 * Locks out CSRNG functionality.
574 *
575 * This function is reentrant: calling it while functionality is locked will
576 * have no effect and return `kDifCsrngOk`.
577 *
578 * @param csrng A CSRNG handle.
579 * @return The result of the operation.
580 */
581OT_WARN_UNUSED_RESULT
582dif_result_t dif_csrng_lock(const dif_csrng_t *csrng);
583
584/**
585 * Checks whether this CSRNG is locked.
586 *
587 * @param csrng A CSRNG handle.
588 * @param[out] is_locked Out-param for the locked state.
589 * @return The result of the operation.
590 */
591OT_WARN_UNUSED_RESULT
592dif_result_t dif_csrng_is_locked(const dif_csrng_t *csrng, bool *is_locked);
593
594/**
595 * Disables the CSRNG module.
596 *
597 * @param csrng A CSRNG handle.
598 * @return The result of the operation.
599 */
600OT_WARN_UNUSED_RESULT
601dif_result_t dif_csrng_stop(const dif_csrng_t *csrng);
602
603/**
604 * Gets the recoverable alerts currently recorded in the CSRNG block.
605 *
606 * This function returns the alerts in a bitset whose indices are given by
607 * `dif_csrng_recoverable_alert_t`.
608 *
609 * @param csrng A CSRNG handle.
610 * @param[out] alerts Bitset of alerts currently recorded.
611 * @return The result of the operation.
612 */
613OT_WARN_UNUSED_RESULT
614dif_result_t dif_csrng_get_recoverable_alerts(const dif_csrng_t *csrng,
615 uint32_t *alerts);
616
617/**
618 * Clears all recoverable alerts currently recorded in the CSRNG block.
619 *
620 * @param csrng A CSRNG handle.
621 * @return The result of the operation.
622 */
623OT_WARN_UNUSED_RESULT
624dif_result_t dif_csrng_clear_recoverable_alerts(const dif_csrng_t *csrng);
625
626#ifdef __cplusplus
627} // extern "C"
628#endif // __cplusplus
629
630#endif // OPENTITAN_SW_DEVICE_LIB_DIF_DIF_CSRNG_H_