[crypto/entropy] Make the entropy source ready for use#29615
Open
siemen11 wants to merge 4 commits intolowRISC:earlgrey_1.0.0from
Open
[crypto/entropy] Make the entropy source ready for use#29615siemen11 wants to merge 4 commits intolowRISC:earlgrey_1.0.0from
siemen11 wants to merge 4 commits intolowRISC:earlgrey_1.0.0from
Conversation
siemen11
requested review from
andrea-caforio,
cfrantz,
johannheyszl,
moidx,
nasahlpa,
pamaury and
vsukhoml
and removed request for
a team and
pamaury
Contributor
Author
|
A question: the entropy_complex_init now changed to new FIPS thresholds. Does this have an impact in provisioning or silicon_creator? |
siemen11
force-pushed
the
entropy_src_config
branch
5 times, most recently
from
0912e5f to
d33fd99
Compare
vsukhoml
reviewed
Mar 30, 2026
| .adaptp_lo_threshold = 2048 - 1591, // 457 | ||
| .bucket_threshold = 201, | ||
| .markov_hi_threshold = 824, | ||
| .markov_lo_threshold = 1024 - 824, // 200 |
There was a problem hiding this comment.
This configuration is made under assumption that OpenTitan implements analogue part of entropy source with H=0.5. It may not be true for other implementations.
Contributor
Author
There was a problem hiding this comment.
You mean to leave this setting specifically for earlgrey_1.0.0? I will add a comment on this
vsukhoml
approved these changes
Mar 30, 2026
siemen11
force-pushed
the
entropy_src_config
branch
from
d33fd99 to
9cca2bb
Compare
cfrantz
approved these changes
Mar 31, 2026
Originally, the idea was to call entropy_complex_init in the ROM_EXT to instantiate the RNG in a final FIPS state. However, the ROM_EXT is in its frozen final version and the entropy_complex_init still has dummy threshold values. Hence, the entropy_complex_init should be called from firmware instead. However, the entropy_complex_init is only a driver function returning a regular status_t, it is not an impl function with an otcrypto_status_t. Hence, it is not opened up to the user. Instead, make a wrapper to the functions needed by the user and add them in the include folder. Switch all functests to use the wrapper instead (since ideally to ingest impl functions). Collateral: looks like the driver was some glue for missing Bazel dependencies, add rv_core_ibex to the random_order function. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
The TODOs in entropy specified to ensure fault protection. With the entropy source configure, reread the registers to ensure the configuration written is the expected one. Remove the TODOs. The entropy check is presumed to be called multiple times, hence it does not need additional protection. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
Add timeouts to all polling of registers. This is just to add reliability in situations where the chips experiences a malfunction. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
Set the entropy source driver to align with certified
NIST SP 800-90B requirements.
Specific changes include:
- NIST 800-90B Health Test Thresholds: Increased the `fips_test_window_size` to 2048 bits to comply with
FIPS standards for binary noise sources.
- Bypass Register Configuration: Updated the `SET_FIPS_THRESH` and `VERIFY_FIPS_THRESH` macros to
write and verify both the `FIPS_THRESH` and `BYPASS_THRESH` fields
simultaneously.
Note: CSRNG `FIPS_FORCE_ENABLE` and EDN continuous polling rates remain at
their defaults to ensure the FIFO does not run empty with, for exmaple, the OTBN during the initial TRNG FIPS warm-up phase.
Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
siemen11
force-pushed
the
entropy_src_config
branch
from
9cca2bb to
fce0466
Compare
siemen11
removed
CherryPick:master
johannheyszl
reviewed
Apr 1, 2026
| }, | ||
| // All cut off values are calculated with the assumption that: | ||
| // H=0.5 per bit => H=2 for 4-bit symbols | ||
| // α = 2⁻⁴⁰ (alpha = 2^-40), false positive probability |
Contributor
There was a problem hiding this comment.
Suggested change
| // α = 2⁻⁴⁰ (alpha = 2^-40), false positive probability | |
| // α = 2⁻⁴⁰ (alpha = 2^-40), false positive probability | |
| // Please note that entropy H per bit will depend on silicon and will likely need to be adapted. |
johannheyszl
reviewed
Apr 1, 2026
| }, | ||
| }, | ||
| // All cut off values are calculated with the assumption that: | ||
| // H=0.5 per bit => H=2 for 4-bit symbols |
Contributor
There was a problem hiding this comment.
Suggested change
| // H=0.5 per bit => H=2 for 4-bit symbols | |
| // H = 0.5 per bit => H = 2 for 4-bit symbols |
johannheyszl
approved these changes
Apr 1, 2026
Contributor
johannheyszl
left a comment
johannheyszl
left a comment
There was a problem hiding this comment.
Thanks @siemen11 this lgtm - important we can call this from user
| otcrypto_status_t otcrypto_entropy_init(void); | ||
|
|
||
| /** | ||
| * Ensures that the entropy complex is ready for use and verify the health |
Contributor
There was a problem hiding this comment.
Suggested change
| * Ensures that the entropy complex is ready for use and verify the health | |
| * Ensures that the entropy complex is ready for use and runs the health |
|
|
||
| /** | ||
| * Ensures that the entropy complex is ready for use and verify the health | ||
| * checks of the generated randomness. |
Contributor
There was a problem hiding this comment.
Suggested change
| * checks of the generated randomness. | |
| * checks for the generated randomness. |
| * Ensures that the entropy complex is running and that `entropy_src` is in | ||
| * FIPS mode, and verifies the thresholds for health tests in `entropy_src`. | ||
| * This function should be called periodically while the entropy complex is in | ||
| * use, because the threshold registers are not shadowed. |
Contributor
There was a problem hiding this comment.
Suggested change
| * use, because the threshold registers are not shadowed. | |
| * use, to prevent FI because the threshold registers are not shadowed. |
| * use, because the threshold registers are not shadowed. | ||
| * | ||
| * The test also verifies the health checks of the generated randomness | ||
| * providing a status error if a health test jumped. |
Contributor
There was a problem hiding this comment.
Suggested change
| * providing a status error if a health test jumped. | |
| * providing a status error if a health test failed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR does the following: