crys_rnd.h 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398
  1. /**************************************************************************************
  2. * Copyright (c) 2016-2017, ARM Limited or its affiliates. All rights reserved *
  3. * *
  4. * This file and the related binary are licensed under the following license: *
  5. * *
  6. * ARM Object Code and Header Files License, v1.0 Redistribution. *
  7. * *
  8. * Redistribution and use of object code, header files, and documentation, without *
  9. * modification, are permitted provided that the following conditions are met: *
  10. * *
  11. * 1) Redistributions must reproduce the above copyright notice and the *
  12. * following disclaimer in the documentation and/or other materials *
  13. * provided with the distribution. *
  14. * *
  15. * 2) Unless to the extent explicitly permitted by law, no reverse *
  16. * engineering, decompilation, or disassembly of is permitted. *
  17. * *
  18. * 3) Redistribution and use is permitted solely for the purpose of *
  19. * developing or executing applications that are targeted for use *
  20. * on an ARM-based product. *
  21. * *
  22. * DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND *
  23. * CONTRIBUTORS "AS IS." ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT *
  24. * NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, *
  25. * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE *
  26. * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, *
  27. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED *
  28. * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR *
  29. * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF *
  30. * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING *
  31. * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS *
  32. * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
  33. **************************************************************************************/
  34. #ifndef CRYS_RND_H
  35. #define CRYS_RND_H
  36. #include "crys_error.h"
  37. #include "ssi_aes.h"
  38. #ifdef __cplusplus
  39. extern "C"
  40. {
  41. #endif
  42. /*!
  43. @file
  44. @brief This file contains the CRYS APIs used for random number generation.
  45. The random-number generation module implements referenced standard [SP800-90].
  46. @defgroup crys_rnd CryptoCell Random Generator APIs
  47. @{
  48. @ingroup cryptocell_api
  49. */
  50. /************************ Defines ******************************/
  51. /*! Maximal reseed counter - indicates maximal number of
  52. requests allowed between reseeds; according to NIST 800-90
  53. it is (2^48 - 1), our restriction is : (0xFFFFFFFF - 0xF).*/
  54. #define CRYS_RND_MAX_RESEED_COUNTER (0xFFFFFFFF - 0xF)
  55. /* Max size for one RNG generation (in bits) =
  56. max_num_of_bits_per_request = 2^19 (FIPS 800-90 Tab.3) */
  57. /*! Maximal size of generated vector in bits. */
  58. #define CRYS_RND_MAX_GEN_VECTOR_SIZE_BITS 0x7FFFF
  59. /*! Maximal size of generated vector in bytes. */
  60. #define CRYS_RND_MAX_GEN_VECTOR_SIZE_BYTES 0xFFFF
  61. /*! AES output block size in words. */
  62. #define CRYS_RND_AES_BLOCK_SIZE_IN_WORDS SASI_AES_BLOCK_SIZE_IN_WORDS
  63. /* RND seed and additional input sizes */
  64. /*! Maximal size of random seed in words. */
  65. #define CRYS_RND_SEED_MAX_SIZE_WORDS 12
  66. #ifndef CRYS_RND_ADDITINAL_INPUT_MAX_SIZE_WORDS
  67. /*! Maximal size of additional input data in words. */
  68. #define CRYS_RND_ADDITINAL_INPUT_MAX_SIZE_WORDS CRYS_RND_SEED_MAX_SIZE_WORDS
  69. #endif
  70. /* allowed sizes of AES Key, in words */
  71. /*! AES key size (128 bits) in words. */
  72. #define CRYS_RND_AES_KEY_128_SIZE_WORDS 4
  73. /*! AES key size (192 bits) in words. */
  74. #define CRYS_RND_AES_KEY_192_SIZE_WORDS 6
  75. /*! AES key size (256 bits) in words. */
  76. #define CRYS_RND_AES_KEY_256_SIZE_WORDS 8
  77. /* Definitions of temp buffer for RND_DMA version of CRYS_RND */
  78. /*******************************************************************/
  79. /* Definitions of temp buffer for DMA version of CRYS_RND */
  80. /*! Temporary buffer size in words. */
  81. #define CRYS_RND_WORK_BUFFER_SIZE_WORDS 1528
  82. /*! A definition for RAM buffer to be internally used in instantiation (or reseeding) operation. */
  83. typedef struct
  84. {
  85. /*! Internal buffer*/
  86. uint32_t crysRndWorkBuff[CRYS_RND_WORK_BUFFER_SIZE_WORDS];
  87. }CRYS_RND_WorkBuff_t;
  88. /*! A definition for entropy estimation data type. */
  89. #define CRYS_RND_EntropyEstimatData_t CRYS_RND_WorkBuff_t
  90. /*! A definition for entropy estimation buffer. */
  91. #define crysRndEntrIntBuff crysRndWorkBuff
  92. /* RND source buffer inner (entrpopy) offset */
  93. /*! An internal offset definition. */
  94. #define CRYS_RND_TRNG_SRC_INNER_OFFSET_WORDS 2
  95. /*! An internal offset definition. */
  96. #define CRYS_RND_TRNG_SRC_INNER_OFFSET_BYTES (CRYS_RND_TRNG_SRC_INNER_OFFSET_WORDS*sizeof(uint32_t))
  97. /* Size of the expected output buffer used by FIPS KAT */
  98. /*! FIPS Known answer test output size. */
  99. #define CRYS_PRNG_FIPS_KAT_OUT_DATA_SIZE 64
  100. /************************ Enumerators ****************************/
  101. /*! Definition of random operation modes. */
  102. typedef enum
  103. {
  104. /*! SW entropy estimation mode. */
  105. CRYS_RND_Fast = 0,
  106. /*! Full entropy mode. */
  107. CRYS_RND_Slow = 1,
  108. /*! Reserved. */
  109. CRYS_RND_ModeLast = 0x7FFFFFFF,
  110. } CRYS_RND_mode_t;
  111. /************************ Structs *****************************/
  112. /* The internal state of DRBG mechanism based on AES CTR and CBC-MAC
  113. algorithms. It is set as global data defined by the following
  114. structure */
  115. /*! RND state structure. Includes internal data that needs to be saved between boots by the user.*/
  116. typedef struct
  117. {
  118. /* Seed buffer, consists from concatenated Key||V: max size 12 words */
  119. /*! Random Seed buffer */
  120. uint32_t Seed[CRYS_RND_SEED_MAX_SIZE_WORDS];
  121. /* Previous value for continuous test */
  122. /*! Previous random data (used for continuous test). */
  123. uint32_t PreviousRandValue[SASI_AES_BLOCK_SIZE_IN_WORDS];
  124. /* AdditionalInput buffer max size = seed max size words + 4w for padding*/
  125. /*! Previous additional input buffer. */
  126. uint32_t PreviousAdditionalInput[CRYS_RND_ADDITINAL_INPUT_MAX_SIZE_WORDS+5];
  127. /*! Additional input buffer. */
  128. uint32_t AdditionalInput[CRYS_RND_ADDITINAL_INPUT_MAX_SIZE_WORDS+4];
  129. /*! Additional input size in words. */
  130. uint32_t AddInputSizeWords; /* size of additional data set by user, words */
  131. /*! Entropy source size in words */
  132. uint32_t EntropySourceSizeWords;
  133. /*! Reseed counter (32 bits active) - indicates number of requests for entropy
  134. since instantiation or reseeding */
  135. uint32_t ReseedCounter;
  136. /*! Key size: 4 or 8 words according to security strength 128 bits or 256 bits*/
  137. uint32_t KeySizeWords;
  138. /* State flag (see definition of StateFlag above), containing bit-fields, defining:
  139. - b'0: instantiation steps: 0 - not done, 1 - done;
  140. - 2b'9,8: working or testing mode: 0 - working, 1 - KAT DRBG test, 2 -
  141. KAT TRNG test;
  142. b'16: flag defining is Previous random valid or not:
  143. 0 - not valid, 1 - valid */
  144. /*! State flag used internally in the code.*/
  145. uint32_t StateFlag;
  146. /* Trng processing flag - indicates which ROSC lengths are:
  147. - allowed (bits 0-3);
  148. - total started (bits 8-11);
  149. - processed (bits 16-19);
  150. - started, but not processed (bits24-27) */
  151. /*! TRNG process state used internally in the code */
  152. uint32_t TrngProcesState;
  153. /* validation tag */
  154. /*! Validation tag used internally in the code */
  155. uint32_t ValidTag;
  156. /*! Rnd source entropy size in bits */
  157. uint32_t EntropySizeBits;
  158. } CRYS_RND_State_t;
  159. /*! The RND Generate vector function pointer type definition.
  160. The prototype intendent for External and CRYS internal RND functions
  161. pointers definitions.
  162. Full description can be found in ::CRYS_RND_GenerateVector function API. */
  163. typedef uint32_t (*SaSiRndGenerateVectWorkFunc_t)( \
  164. void *rndState_ptr, /*context*/ \
  165. uint16_t outSizeBytes, /*in*/ \
  166. uint8_t *out_ptr /*out*/);
  167. /*! Data structure required for internal FIPS verification for PRNG KAT. */
  168. typedef struct
  169. {
  170. /*! Internal working buffer. */
  171. CRYS_RND_WorkBuff_t rndWorkBuff;
  172. /*! Output buffer. */
  173. uint8_t rndOutputBuff[CRYS_PRNG_FIPS_KAT_OUT_DATA_SIZE];
  174. } CRYS_PrngFipsKatCtx_t;
  175. /*****************************************************************************/
  176. /********************** Public Functions *************************/
  177. /*****************************************************************************/
  178. /*!
  179. @brief This function needs to be called once.
  180. It calls CRYS_RND_Instantiation to initialize the TRNG and the primary RND context.
  181. An initialized RND context is required for calling RND APIs and asymmetric cryptography key generation and signatures.
  182. The primary context returned by this function can be used as a single global context for all RND needs.
  183. Alternatively, other contexts may be initialized and used with a more limited scope (for specific applications or specific threads).
  184. \note The Mutexes, if used, are initialized by this API. Therefore, unlike the other APIs in the library,
  185. this API is not thread-safe.
  186. @param[in/out] rnd_ctx - Pointer to the RND state structure.
  187. @param[in/out] rndWorkBuff_ptr - Pointer to the RND scratch buffer.
  188. */
  189. CEXPORT_C CRYSError_t CRYS_RndInit(void* rnd_ctx, /*!< [in/out] Pointer to the RND state buffer,
  190. allocated by the user. This state must be saved and provided
  191. as parameter to any API that uses the RND module.*/
  192. CRYS_RND_WorkBuff_t *rndWorkBuff_ptr /*!< [in] Scratchpad for the RND module's work. */);
  193. /*!
  194. @brief This function initializes the RND context.
  195. It must be called at least once prior to using this context with any API that requires it as a parameter (e.g., other RND APIs, asymmetric
  196. cryptography key generation and signatures).
  197. It is called as part of ARM TrustZone CryptoCell library initialization, which initializes and returns the primary RND context.
  198. This primary context can be used as a single global context for all RND needs.
  199. Alternatively, other contexts may be initialized and used with a more limited scope (for specific applications or specific threads).
  200. The call to this function must be followed by a call to ::CRYS_RND_SetGenerateVectorFunc API to set the generate vector function.
  201. It implements referenced standard [SP800-90] - 10.2.1.3.2 - CTR-DRBG Instantiate algorithm using AES (FIPS-PUB 197) and Derivation Function (DF).
  202. \note Additional data can be mixed with the random seed (personalization data or nonce). If required, this data should be provided by calling ::CRYS_RND_AddAdditionalInput prior to using this API.
  203. @return CRYS_OK on success.
  204. @return A non-zero value from crys_rnd_error.h on failure.
  205. */
  206. CIMPORT_C CRYSError_t CRYS_RND_Instantiation(
  207. void *rndState_ptr, /*!< [in/out] Pointer to the RND state buffer allocated by the user, which is used to
  208. maintain the RND state. This context state must be saved and provided as a
  209. parameter to any API that uses the RND module.
  210. \note the context must be cleared before sent to the function. */
  211. CRYS_RND_WorkBuff_t *rndWorkBuff_ptr /*!< [in/out] Scratchpad for the RND module's work. */
  212. );
  213. /*!
  214. @brief Clears existing RNG instantiation state.
  215. @return CRYS_OK on success.
  216. @return A non-zero value from crys_rnd_error.h on failure.
  217. */
  218. CIMPORT_C CRYSError_t CRYS_RND_UnInstantiation(
  219. void *rndState_ptr /*!< [in/out] Pointer to the RND context state buffer. */
  220. );
  221. /*!
  222. @brief This function is used for reseeding the RNG with additional entropy and additional user-provided input.
  223. (additional data should be provided by calling ::CRYS_RND_AddAdditionalInput prior to using this API).
  224. It implements referenced standard [SP800-90] - 10.2.1.4.2 - CTR-DRBG Reseeding algorithm, using AES (FIPS-PUB 197) and Derivation Function (DF).
  225. @return CRYS_OK on success.
  226. @return A non-zero value from crys_rnd_error.h on failure.
  227. */
  228. CIMPORT_C CRYSError_t CRYS_RND_Reseeding(
  229. void *rndState_ptr, /*!< [in/out] Pointer to the RND context buffer. */
  230. CRYS_RND_WorkBuff_t *rndWorkBuff_ptr /*!< [in/out] Scratchpad for the RND module's work. */
  231. );
  232. /****************************************************************************************/
  233. /*!
  234. @brief Generates a random vector according to the algorithm defined in referenced standard [SP800-90] - 10.2.1.5.2 - CTR-DRBG.
  235. The generation algorithm uses AES (FIPS-PUB 197) and Derivation Function (DF).
  236. \note
  237. <ul id="noteb"><li> The RND module must be instantiated prior to invocation of this API.</li>
  238. <li> In the following cases, Reseeding operation must be performed prior to vector generation:</li>
  239. <ul><li> Prediction resistance is required.</li>
  240. <li> The function returns CRYS_RND_RESEED_COUNTER_OVERFLOW_ERROR, stating that the Reseed Counter has passed its upper-limit (2^32-2).</li></ul></ul>
  241. @return CRYS_OK on success.
  242. @return A non-zero value from crys_rnd_error.h on failure.
  243. */
  244. CIMPORT_C CRYSError_t CRYS_RND_GenerateVector(
  245. void *rndState_ptr, /*!< [in/out] Pointer to the RND state structure, which is part of the RND context structure.
  246. Use rndContext->rndState field of the context for this parameter. */
  247. uint16_t outSizeBytes, /*!< [in] The size in bytes of the random vector required. The maximal size is 2^16 -1 bytes. */
  248. uint8_t *out_ptr /*!< [out] The pointer to output buffer. */
  249. );
  250. /**********************************************************************************************************/
  251. /*!
  252. @brief Generates a random vector with specific limitations by testing candidates (described and used in FIPS 186-4: B.1.2, B.4.2 etc.).
  253. This function draws a random vector, compare it to the range limits, and if within range - return it in rndVect_ptr.
  254. If outside the range, the function continues retrying until a conforming vector is found, or the maximal retries limit is exceeded.
  255. If maxVect_ptr is provided, rndSizeInBits specifies its size, and the output vector must conform to the range [1 < rndVect < maxVect].
  256. If maxVect_ptr is NULL, rndSizeInBits specifies the exact required vector size, and the output vector must be the exact same
  257. bit size (with its most significant bit = 1).
  258. \note
  259. The RND module must be instantiated prior to invocation of this API.
  260. @return CRYS_OK on success.
  261. @return A non-zero value from crys_rnd_error.h on failure.
  262. */
  263. CIMPORT_C CRYSError_t CRYS_RND_GenerateVectorInRange(
  264. void *rndState_ptr, /*!< [in/out] Pointer to the RND state structure. */
  265. SaSiRndGenerateVectWorkFunc_t rndGenerateVectFunc, /*!< [in] Pointer to the random vector generation function. */
  266. uint32_t rndSizeInBits, /*!< [in] The size in bits of the random vector required. The allowed size in range 2 <= rndSizeInBits < 2^19-1, bits. */
  267. uint8_t *maxVect_ptr, /*!< [in] Pointer to the vector defining the upper limit for the random vector output, Given as little-endian byte array.
  268. If not NULL, its actual size is treated as [(rndSizeInBits+7)/8] bytes and its value must be in range (3, 2^19) */
  269. uint8_t *rndVect_ptr /*!< [in/out] Pointer to the output buffer for the random vector. Must be at least [(rndSizeInBits+7)/8] bytes.
  270. Treated as little-endian byte array. */
  271. );
  272. /*************************************************************************************/
  273. /*!
  274. @brief Used for adding additional input/personalization data provided by the user,
  275. to be later used by the ::CRYS_RND_Instantiation/::CRYS_RND_Reseeding/::CRYS_RND_GenerateVector functions.
  276. @return CRYS_OK on success.
  277. @return A non-zero value from crys_rnd_error.h on failure.
  278. */
  279. CIMPORT_C CRYSError_t CRYS_RND_AddAdditionalInput(
  280. void *rndState_ptr, /*!< [in/out] Pointer to the RND context state buffer. */
  281. uint8_t *additonalInput_ptr, /*!< [in] The Additional Input buffer. */
  282. uint16_t additonalInputSize /*!< [in] The size of the Additional Input buffer. It must
  283. be <= CRYS_RND_ADDITINAL_INPUT_MAX_SIZE_WORDS and a multiple of 4. */
  284. );
  285. /*!
  286. @brief The CRYS_RND_EnterKatMode function sets KAT mode bit into StateFlag of global CRYS_RND_WorkingState structure.
  287. The user must call this function before calling functions performing KAT tests.
  288. \note Total size of entropy and nonce must be not great than 126 words (maximal size of entropy and nonce).
  289. @return CRYS_OK on success.
  290. @return A non-zero value from crys_rnd_error.h on failure.
  291. */
  292. CIMPORT_C CRYSError_t CRYS_RND_EnterKatMode(
  293. void *rndState_ptr, /*!< [in/out] Pointer to the RND context state buffer. */
  294. uint8_t *entrData_ptr, /*!< [in] Entropy data. */
  295. uint32_t entrSize, /*!< [in] Entropy size in bytes. */
  296. uint8_t *nonce_ptr, /*!< [in] Nonce. */
  297. uint32_t nonceSize, /*!< [in] Entropy size in bytes. */
  298. CRYS_RND_WorkBuff_t *workBuff_ptr /*!< [out] RND working buffer, must be the same buffer, which should be passed into
  299. Instantiation/Reseeding functions. */
  300. );
  301. /**********************************************************************************************************/
  302. /*!
  303. @brief The CRYS_RND_DisableKatMode function disables KAT mode bit into StateFlag of global CRYS_RND_State_t structure.
  304. The user must call this function after KAT tests before actual using RND module (Instantiation etc.).
  305. @return CRYS_OK on success.
  306. @return A non-zero value from crys_rnd_error.h on failure.
  307. */
  308. CIMPORT_C void CRYS_RND_DisableKatMode(
  309. void *rndState_ptr /*!< [in/out] Pointer to the RND state buffer. */
  310. );
  311. #ifdef __cplusplus
  312. }
  313. #endif
  314. /**
  315. @}
  316. */
  317. #endif /* #ifndef CRYS_RND_H */