authorVadim Sukhomlinov <sukhomlinov@google.com>2021-10-14 10:58:22 -0700
committerCommit Bot <commit-bot@chromium.org>2021-10-16 05:43:09 +0000
commit69753e1de353c26e047b702a7d360dfc2c2c2521 (patch)
tree15567ebcb9bf966030cfbe6e22adfdb35e0015f7 /board/cr50/dcrypto/fips_rand.c
parent69492c43e78abfb8647bab969526cd3e2d300707 (diff)
cr50: update TRNG health tests cut off values for new entropy estimate
Once all H1 Entropy tests completed at different environmental points our entropy estimate changed to value 0.77. Also we decided to use alpha = 2^-39 vs. 2^-40. This requires change of RCT and APT cutoff values. RCT cutoff value changed to compile-time constant computation, added static asserts to make sure it is valid and matches known values. APT cutoff can't be computed at compile time and updated to values matching entropy and alpha. Updated entropy size for instantiation of FIPS DRBG. Reseeding interval is reduced to 1000 from 10000 to make it more non-deterministic. Performance impact is very low - can't even measure it precisely. BUG=b:138577834 TEST=make BOARD=cr50 CRYPTO_TEST=1; tpm_test.py Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I38735492d072b3d4445fca926524ef1c159627a5 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3223967 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'board/cr50/dcrypto/fips_rand.c')
-rw-r--r--board/cr50/dcrypto/fips_rand.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/board/cr50/dcrypto/fips_rand.c b/board/cr50/dcrypto/fips_rand.c
index f949993450..bc6fa29e7a 100644
--- a/board/cr50/dcrypto/fips_rand.c
+++ b/board/cr50/dcrypto/fips_rand.c
@@ -244,8 +244,8 @@ bool fips_trng_startup(int stage)
return fips_powerup_passed();
}
-/* Assuming H=0.8, we need 550 bits from TRNG to get 440 bits. */
-#define ENTROPY_SIZE_BITS 550
+/* Assuming H=0.77, we need 571 bits from TRNG to get 440 bits. */
+#define ENTROPY_SIZE_BITS 571
#define ENTROPY_SIZE_WORDS (BITS_TO_WORDS(ENTROPY_SIZE_BITS))
bool fips_drbg_init(void)
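Review bot: The new `ENTROPY_SIZE_BITS 571` is rounded down: 440 / 0.77 is about 571.4, so 571 raw bits carry roughly 439.7 bits of estimated entropy, just under the 440 the comment promises. The seed probably still clears the target because `ENTROPY_SIZE_WORDS` goes through `BITS_TO_WORDS`, which presumably rounds up to whole words (its definition is outside this hunk), but the margin then rests on that rounding rather than on the stated figure. I would round up, `#define ENTROPY_SIZE_BITS 572`, and pin the relation at build time, e.g. `BUILD_ASSERT(ENTROPY_SIZE_WORDS * 32 * 77 >= 440 * 100);` (assuming 32-bit words), in the same spirit as the static asserts the commit message describes for the RCT cutoff. The same 571/440 figures are repeated in the comment changed by the second hunk inside `fips_drbg_init`.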
@@ -260,15 +260,15 @@ bool fips_drbg_init(void)
return true;
/**
- * Get entropy + nonce from TRNG. Assume H>=0.8.
+ * Get entropy + nonce from TRNG. Assume H>=0.77.
*/
if (!fips_trng_bytes(entropy_input, sizeof(entropy_input)))
return false;
/**
- * Pass combined seed containing total 550 bits of entropy and nonce,
- * and assuming H=0.8, we will get total entropy in seed as 440bits as
- * defined for HMAC DBRG in NIST SP 800-90Ar1 B.2.
+ * Pass combined seed containing total 571 bits of entropy and nonce,
+ * and assuming H=0.77, we will get total entropy in seed as 440 bits
+ * as defined for HMAC DBRG in NIST SP 800-90Ar1 B.2.
* Required minimum entropy for the entropy input at instantiation =
* (3/2) security_strength (this includes the entropy required for the
* nonce). For 256-bit security, this means at least 384 bits.
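Review bot: The rewritten comment still cites "HMAC DBRG"; the reference is to the HMAC DRBG of NIST SP 800-90Ar1, and the transposed letters make the citation hard to search for. Since these lines are being touched anyway, the line could read `* as defined for HMAC DRBG in NIST SP 800-90Ar1 B.2.`. The comment also says the seed holds 571 bits while the call requests `sizeof(entropy_input)` bytes; if that buffer is sized by `ENTROPY_SIZE_WORDS` (its declaration is not visible here), stating the word-rounded size would match what is actually read from the TRNG. `fips_drbg_init` starts and ends outside this hunk.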
@@ -276,10 +276,10 @@ bool fips_drbg_init(void)
* Maximum length of the personalization string = 160 bits.
* Maximum length of the entropy input = 1000 bits.
*
- * Reseed_interval = 10 000 requests.
+ * Reseed_interval = 1000 requests.
*/
hmac_drbg_init(&fips_drbg, &entropy_input, sizeof(entropy_input), NULL,
- 0, NULL, 0, 10000);
+ 0, NULL, 0, 1000);
always_memset(entropy_input, 0, sizeof(entropy_input));
return true;
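Review bot: The reseed interval is written as a bare `1000` in the `hmac_drbg_init` call and again in the comment above it, directly under "Maximum length of the entropy input = 1000 bits", so two unrelated limits now share the same literal. A named constant would keep the comment and the call from drifting apart the next time this is tuned, e.g. `#define FIPS_DRBG_RESEED_INTERVAL 1000` (the name is only a suggestion) passed as the last argument. The hunk does not show whether `hmac_drbg_init` can report failure; if it returns a status, it should be checked before `return true;`. `fips_drbg_init` begins above and closes below the visible lines.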