-rw-r--r--board/cr50/dcrypto/fips_rand.c16
-rw-r--r--board/cr50/dcrypto/fips_rand.h49
2 files changed, 40 insertions, 25 deletions
diff --git a/board/cr50/dcrypto/fips_rand.c b/board/cr50/dcrypto/fips_rand.c
index f949993450..bc6fa29e7a 100644
--- a/board/cr50/dcrypto/fips_rand.c
+++ b/board/cr50/dcrypto/fips_rand.c
@@ -244,8 +244,8 @@ bool fips_trng_startup(int stage)
return fips_powerup_passed();
}
-/* Assuming H=0.8, we need 550 bits from TRNG to get 440 bits. */
-#define ENTROPY_SIZE_BITS 550
+/* Assuming H=0.77, we need 571 bits from TRNG to get 440 bits. */
+#define ENTROPY_SIZE_BITS 571
#define ENTROPY_SIZE_WORDS (BITS_TO_WORDS(ENTROPY_SIZE_BITS))
bool fips_drbg_init(void)
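Review bot: `ENTROPY_SIZE_BITS 571` is rounded down rather than up: 440 / 0.77 is about 571.43, so 571 raw bits carry roughly 439.7 bits at the assumed rate, slightly under the 440 that this comment and the one in the next hunk claim. That is still above the 384-bit minimum quoted further down in `fips_drbg_init`, and `ENTROPY_SIZE_WORDS` may round the buffer up to whole words, but the constant and both comments should use the ceiling. If `fips_rand.h` is included here (not visible in the hunk), derive the value from the header's estimate so the two cannot drift: `#define ENTROPY_SIZE_BITS ((440 * H_ENTROPY_DIVISOR + H_ENTROPY - 1) / H_ENTROPY)`, which evaluates to 572.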
@@ -260,15 +260,15 @@ bool fips_drbg_init(void)
return true;
/**
- * Get entropy + nonce from TRNG. Assume H>=0.8.
+ * Get entropy + nonce from TRNG. Assume H>=0.77.
*/
if (!fips_trng_bytes(entropy_input, sizeof(entropy_input)))
return false;
/**
- * Pass combined seed containing total 550 bits of entropy and nonce,
- * and assuming H=0.8, we will get total entropy in seed as 440bits as
- * defined for HMAC DBRG in NIST SP 800-90Ar1 B.2.
+ * Pass combined seed containing total 571 bits of entropy and nonce,
+ * and assuming H=0.77, we will get total entropy in seed as 440 bits
+ * as defined for HMAC DBRG in NIST SP 800-90Ar1 B.2.
* Required minimum entropy for the entropy input at instantiation =
* (3/2) security_strength (this includes the entropy required for the
* nonce). For 256-bit security, this means at least 384 bits.
@@ -276,10 +276,10 @@ bool fips_drbg_init(void)
* Maximum length of the personalization string = 160 bits.
* Maximum length of the entropy input = 1000 bits.
*
- * Reseed_interval = 10 000 requests.
+ * Reseed_interval = 1000 requests.
*/
hmac_drbg_init(&fips_drbg, &entropy_input, sizeof(entropy_input), NULL,
- 0, NULL, 0, 10000);
+ 0, NULL, 0, 1000);
always_memset(entropy_input, 0, sizeof(entropy_input));
return true;
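Review bot: The reseed interval is a bare literal in the `hmac_drbg_init(...)` call and is repeated by hand in the comment above it, so the two can drift on the next change. A named constant gives one source of truth, for example `#define FIPS_DRBG_RESEED_INTERVAL 1000` (the name is only a suggestion) passed as the last argument, with the comment referring to it. `fips_drbg_init` starts and ends outside this hunk.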
diff --git a/board/cr50/dcrypto/fips_rand.h b/board/cr50/dcrypto/fips_rand.h
index 1010ad5e4d..e3f37c82e5 100644
--- a/board/cr50/dcrypto/fips_rand.h
+++ b/board/cr50/dcrypto/fips_rand.h
@@ -22,7 +22,11 @@ extern "C" {
* Probability of false positive in single APT/RCT test
* defined as 2^(-TRNG_TEST_ALPHA).
*/
-#define TRNG_TEST_ALPHA 40
+#define TRNG_TEST_ALPHA 39
+
+/* Entropy estimate for H1 = 0.77 = 77/100 */
+#define H_ENTROPY 77
+#define H_ENTROPY_DIVISOR 100
/**
* TRNG Health Tests
@@ -48,13 +52,19 @@ extern "C" {
* (1) Repetition Count Test (RCT) NIST SP 800-90B 4.4.1
* Cut off value is computed as:
* c = ceil(1 + (-log2 alpha)/H);
- * alpha = 2^-50, H = 0.8; RCT_CUTOFF = CEIL(1+(ALPHA/0.8))
+ * RCT_CUTOFF = CEIL(1+(ALPHA/H)) = CEIL(1+(ALPHA*(1/H)))
*/
-#if TRNG_TEST_ALPHA == 40
-#define RCT_CUTOFF_SAMPLES 51
-#else
-/* RCT cut off for TRNG_TEST_ALPHA == 30 */
-#define RCT_CUTOFF_SAMPLES 39
+#define RCT_CUTOFF_SAMPLES \
+ (1 + (((TRNG_TEST_ALPHA * H_ENTROPY_DIVISOR) + H_ENTROPY - 1) / \
+ H_ENTROPY))
+
+/* Our implementation supports only certain range of RCT_CUTOFF values. */
+BUILD_ASSERT((RCT_CUTOFF_SAMPLES >= 1) && (RCT_CUTOFF_SAMPLES <= 63));
+
+#if TRNG_TEST_ALPHA == 39
+BUILD_ASSERT(RCT_CUTOFF_SAMPLES == 52);
+#elif TRNG_TEST_ALPHA == 30
+BUILD_ASSERT(RCT_CUTOFF_SAMPLES == 40);
#endif
/**
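Review bot: The range check `RCT_CUTOFF_SAMPLES <= 63` has no stated reason; the comment says only that the implementation supports a "certain range". Please name what imposes 63 (for instance the width of the counter the RCT code compares against, if that is the cause) so that a later change to `TRNG_TEST_ALPHA` or `H_ENTROPY` which trips the assert can be diagnosed. The lower bound `>= 1` can never fail, because the macro is `1 + ...` of a non-negative quotient, so either drop it or assert a meaningful minimum. Note also that the exact-value asserts cover only alpha 39 and 30; any other alpha gets the range check alone.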
@@ -65,26 +75,31 @@ extern "C" {
/**
* (2) Adaptive Proportion Test (APT), NIST SP 800-90B 4.4.2, Table 2
*/
-#if TRNG_SAMPLE_BITS == 1
+/* We only support 1-bit alphabet for TRNG. */
+BUILD_ASSERT(TRNG_SAMPLE_BITS == 1);
/* APT Windows size W = 1024 for 1 bit samples */
#define APT_WINDOW_SIZE_SAMPLES 1024
-#else
-/* or 512 samples if more than 1 bit per sample */
-#define APT_WINDOW_SIZE_SAMPLES 512
-#endif
#define APT_WINDOW_SIZE_BITS (APT_WINDOW_SIZE_SAMPLES * TRNG_SAMPLE_BITS)
#define APT_WINDOW_SIZE_NWORDS (BITS_TO_WORDS(APT_WINDOW_SIZE_BITS))
+
/**
* Cut off value = CRITBINOM(W, power(2,(-H)),1-α).
- * 698 = CRITBINOM(1024, power(2,(-0.8)), 1 - 2^(-40))
+ * 708 = CRITBINOM(1024, power(2,(-0.77)), 1 - 2^(-39))
*/
-#if TRNG_TEST_ALPHA == 40
-#define APT_CUTOFF_SAMPLES 698
-#else
+#if TRNG_TEST_ALPHA == 39
+#define APT_CUTOFF_SAMPLES 708
+#elif TRNG_TEST_ALPHA == 30
/* APT cut off for TRNG_TEST_ALPHA == 30 */
-#define APT_CUTOFF_SAMPLES 682
+#define APT_CUTOFF_SAMPLES 694
#endif
+/**
+ * APT_CUTOFF should be larger than half of window size, but less
+ * than windows size.
+ */
+BUILD_ASSERT((APT_CUTOFF_SAMPLES >= (APT_WINDOW_SIZE_SAMPLES / 2)) &&
+ (APT_CUTOFF_SAMPLES < APT_WINDOW_SIZE_SAMPLES));
+
#ifdef __cplusplus
}
#endif
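Review bot: `APT_CUTOFF_SAMPLES` is still a hand-computed table keyed only on `TRNG_TEST_ALPHA`, although 708 (and presumably 694) hold only for H = 0.77. Changing `H_ENTROPY` would update the RCT cutoff automatically and leave the APT cutoff silently stale, weakening the health test relative to the claimed entropy rate. Pin the dependency next to the table, e.g. `BUILD_ASSERT(H_ENTROPY == 77 && H_ENTROPY_DIVISOR == 100);`. The `#if`/`#elif` chain also lost its fallback: for any other alpha the macro is undefined and the build fails inside the following `BUILD_ASSERT` with an unrelated-looking message, so add an `#else` branch with `#error "No APT cutoff for this TRNG_TEST_ALPHA"`. The alpha == 30 branch should state its CRITBINOM expression in the comment the way the 39 branch does.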