1 /*
2  * Copyright (c) 2021-2022, ARM Limited. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  */
6 
7 #include <assert.h>
8 #include <stdbool.h>
9 #include <stdint.h>
10 #include <lib/spinlock.h>
11 #include <plat/common/plat_trng.h>
12 
13 /*
14  * # Entropy pool
15  * Note that the TRNG Firmware interface can request up to 192 bits of entropy
16  * in a single call or three 64bit words per call. We have 4 words in the pool
17  * so that when we have 1-63 bits in the pool, and we have a request for
18  * 192 bits of entropy, we don't have to throw out the leftover 1-63 bits of
19  * entropy.
20  */
21 #define WORDS_IN_POOL	(4)
22 static uint64_t entropy[WORDS_IN_POOL];
23 /* index in bits of the first bit of usable entropy */
24 static uint32_t entropy_bit_index;
25 /* then number of valid bits in the entropy pool */
26 static uint32_t entropy_bit_size;
27 
28 static spinlock_t trng_pool_lock;
29 
30 #define BITS_PER_WORD		(sizeof(entropy[0]) * 8)
31 #define BITS_IN_POOL		(WORDS_IN_POOL * BITS_PER_WORD)
32 #define ENTROPY_MIN_WORD	(entropy_bit_index / BITS_PER_WORD)
33 #define ENTROPY_FREE_BIT	(entropy_bit_size + entropy_bit_index)
34 #define _ENTROPY_FREE_WORD	(ENTROPY_FREE_BIT / BITS_PER_WORD)
35 #define ENTROPY_FREE_INDEX	(_ENTROPY_FREE_WORD % WORDS_IN_POOL)
36 /* ENTROPY_WORD_INDEX(0) includes leftover bits in the lower bits */
37 #define ENTROPY_WORD_INDEX(i)	((ENTROPY_MIN_WORD + i) % WORDS_IN_POOL)
38 
39 /*
40  * Fill the entropy pool until we have at least as many bits as requested.
41  * Returns true after filling the pool, and false if the entropy source is out
42  * of entropy and the pool could not be filled.
43  * Assumes locks are taken.
44  */
trng_fill_entropy(uint32_t nbits)45 static bool trng_fill_entropy(uint32_t nbits)
46 {
47 	while (nbits > entropy_bit_size) {
48 		bool valid = plat_get_entropy(&entropy[ENTROPY_FREE_INDEX]);
49 
50 		if (valid) {
51 			entropy_bit_size += BITS_PER_WORD;
52 			assert(entropy_bit_size <= BITS_IN_POOL);
53 		} else {
54 			return false;
55 		}
56 	}
57 	return true;
58 }
59 
60 /*
61  * Pack entropy into the out buffer, filling and taking locks as needed.
62  * Returns true on success, false on failure.
63  *
64  * Note: out must have enough space for nbits of entropy
65  */
trng_pack_entropy(uint32_t nbits,uint64_t * out)66 bool trng_pack_entropy(uint32_t nbits, uint64_t *out)
67 {
68 	bool ret = true;
69 
70 	spin_lock(&trng_pool_lock);
71 
72 	if (!trng_fill_entropy(nbits)) {
73 		ret = false;
74 		goto out;
75 	}
76 
77 	const unsigned int rshift = entropy_bit_index % BITS_PER_WORD;
78 	const unsigned int lshift = BITS_PER_WORD - rshift;
79 	const int to_fill = ((nbits + BITS_PER_WORD - 1) / BITS_PER_WORD);
80 	int word_i;
81 
82 	for (word_i = 0; word_i < to_fill; word_i++) {
83 		/*
84 		 * Repack the entropy from the pool into the passed in out
85 		 * buffer. This takes lesser bits from the valid upper bits
86 		 * of word_i and more bits from the lower bits of (word_i + 1).
87 		 *
88 		 * I found the following diagram useful. note: `e` represents
89 		 * valid entropy, ` ` represents invalid bits (not entropy) and
90 		 * `x` represents valid entropy that must not end up in the
91 		 * packed word.
92 		 *
93 		 *          |---------entropy pool----------|
94 		 * C var    |--(word_i + 1)-|----word_i-----|
95 		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
96 		 *          [x,x,e,e,e,e,e,e|e,e, , , , , , ]
97 		 *          |   [e,e,e,e,e,e,e,e]           |
98 		 *          |   |--out[word_i]--|           |
99 		 *    lshift|---|               |--rshift---|
100 		 *
101 		 *          ==== Which is implemented as ====
102 		 *
103 		 *          |---------entropy pool----------|
104 		 * C var    |--(word_i + 1)-|----word_i-----|
105 		 * bit idx  |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
106 		 *          [x,x,e,e,e,e,e,e|e,e, , , , , , ]
107 		 * C expr       << lshift       >> rshift
108 		 * bit idx   5 4 3 2 1 0                 7 6
109 		 *          [e,e,e,e,e,e,0,0|0,0,0,0,0,0,e,e]
110 		 *                ==== bit-wise or ====
111 		 *                   5 4 3 2 1 0 7 6
112 		 *                  [e,e,e,e,e,e,e,e]
113 		 */
114 		out[word_i] = 0;
115 		out[word_i] |= entropy[ENTROPY_WORD_INDEX(word_i)] >> rshift;
116 
117 		/*
118 		 * Note that a shift of 64 bits is treated as a shift of 0 bits.
119 		 * When the shift amount is the same as the BITS_PER_WORD, we
120 		 * don't want to include the next word of entropy, so we skip
121 		 * the `|=` operation.
122 		 */
123 		if (lshift != BITS_PER_WORD) {
124 			out[word_i] |= entropy[ENTROPY_WORD_INDEX(word_i + 1)]
125 				<< lshift;
126 		}
127 	}
128 	const uint64_t mask = ~0ULL >> (BITS_PER_WORD - (nbits % BITS_PER_WORD));
129 
130 	out[to_fill - 1] &= mask;
131 
132 	entropy_bit_index = (entropy_bit_index + nbits) % BITS_IN_POOL;
133 	entropy_bit_size -= nbits;
134 
135 out:
136 	spin_unlock(&trng_pool_lock);
137 
138 	return ret;
139 }
140 
trng_entropy_pool_setup(void)141 void trng_entropy_pool_setup(void)
142 {
143 	int i;
144 
145 	for (i = 0; i < WORDS_IN_POOL; i++) {
146 		entropy[i] = 0;
147 	}
148 	entropy_bit_index = 0;
149 	entropy_bit_size = 0;
150 }
151