z_impl_sys_csrand_get is implement if the system is build with either
CONFIG_CTR_DRBG_CSPRNG_GENERATOR or CONFIG_HARDWARE_DEVICE_CS_GENERATOR.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
PR #36996 disabled running mem_protect/stack_random test on qemu_riscv32
platform because of this test consistently failing on said platform.
This test starts new threads in equal time intervals, and because of
that we get repeating values after performing the modulus operation when
calculating the stack pointer address.
This can be solved by changing the value of the _RAND32_INC constant
that is used to increase the value returned by the timer-based PRNG.
This commit decreases the value of the mentioned constant from
1000000013U to 1000000003U.
Fixes#37006.
Signed-off-by: Filip Kokosinski <fkokosinski@antmicro.com>
Deprecate the xoroshiro128+ PRNG algorithm in favour of xoshiro128++.
xoshiro128++ is a drop-in replacement which is invisible from the user
perspective.
xoroshiro128+ is unsuitable because it is explicitly a floating-point
PRNG, not a general-purpose PRNG. This means that the lower 4 bits of
the output are actually linear, not random (from the designers,
https://prng.di.unimi.it/). This means 1/8th of the generated data is
not random.
Additionally, xoroshiro128+ is not a 32bit algorithm, it operates on
64bit numbers. For the vast majority of Zephyr devices, this makes the
PRNG slower than it needs to be. The replacement (xoshiro128++) is
32bit, with no loss in state space (still 128 bit).
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
Adds an implementation of xoshiro128++ as a pseudo random number
generator from https://prng.di.unimi.it/ that operates on 32bit words.
The algorithm postfix signifies the main operation in the generation
function. Therefore xoshiro++ is chosen over xoshiro** as we would
prefer to do 2 additions isntead of 2 multiplications on embedded
hardware. The quality of the generators appears to be the same in all
other respects.
xoshiro+ is not chosen despite being faster as it generates random
floating-point values, not general purpose random values (The lower 4
bits are linear).
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
The previous implementation assumed that the dst pointer was always
aligned to a 4-byte boundary in platforms that require alignment for
storage of 32-bit integers. Since this is required for certain platforms
(eg. Arm Cortex-M0), use memcpy() instead, which always takes
alignment into account.
Fixes#33969.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
When ctr_drbg_initialize fails the function returns without unlock irq
that was previously locked.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
entropy_get_entropy return is not being checked what may result in a
vulnerability because tc_ctr_prng_reseed will not get proper entropy
data.
Fixes#29869
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
If rand32_xoroshiro128::z_impl_sys_rand_get is called with outlen
not divisible by 4, it will overflow the dst buffer. This happens
because blocksize is not changed from 4 to the difference between
outlen and len. If outlen is < 4, z_impl_sys_rand_get will be stuck
in an infinite loop that keeps writing random bytes outside the buffer.
If outlen is > 4, z_impl_sys_rand_get returns after the correct number
of loops, but it writes every byte to the buffer, not just outlen number
of bytes. This causes the buffer to be overflowed with up to and
including 3 bytes.
Signed-off-by: Didrik Rokhaug <didrik.rokhaug@gmail.com>
Generates a warning message when building with
CONFIG_TEST_RANDOM_GENERATOR. The purpose is inform that this is not
secure and should not used in production.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Both operands of an operator in the arithmetic conversions
performed shall have the same essential type category.
Changes are related to converting the integer constants to the
unsigned integer constants
Signed-off-by: Aastha Grover <aastha.grover@intel.com>
Now that device_api attribute is unmodified at runtime, as well as all
the other attributes, it is possible to switch all device driver
instance to be constant.
A coccinelle rule is used for this:
@r_const_dev_1
disable optional_qualifier
@
@@
-struct device *
+const struct device *
@r_const_dev_2
disable optional_qualifier
@
@@
-struct device * const
+const struct device *
Fixes#27399
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Create syscalls to make possible using random APIs from user mode
threads. These APIs can have different implementations, like using
entropy driver or Xoroshiro128. Some of these implementations also have
some globals to preserve state between calls.
Make it run entire in user space would require user adding these globals
to their memeory domains and/or grant access to entropy device. Syscalls
simplify its usage.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
In sys_rand_get() if the entropy hardware unlikely return error, the
fallgback is using the system timer to and fill the given buffer with
that data.
The problem what that k_cycle_get_32() returns a four bytes integer and
depending the sizeof of the buffer we need copy the right amount of
data. That was not being done properly leading to invalid read/write
memory access.
Fixes#26435
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Replace CONFIG_ENTROPY_NAME with DT_CHOSEN_ZEPHYR_ENTROPY_LABEL. We now
set zephyr,entropy in the chosen node of the device tree to the entropy
device.
This allows us to remove CONFIG_ENTROPY_NAME from dts_fixup.h. Also
remove any other stale ENTROPY related defines in dts_fixup.h files.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This is a copy of rand32_timer.c that uses
z_do_read_cpu_timestamp32() instead of k_cycle_get_32(),
with some logic to ensure different values when called in
rapid succession missing.
Like the other driver, its reported values are not random,
it's a testing generator only.
This appears to have no advantages over rand32_timer.c,
just remove it. In QEMU emulation, the reported TSC values
tend to have the lowest five bits zeroed.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Initialize function has to fail when a call to get entropy fails.
TinyCrypt prng_init relies on a proper entropy data, so we need to
check if the driver return it properly.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Propagate driver error when getting entropy data when calling a
cryptographically secure random generator.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
The build infrastructure should not be adding the drivers subdirectory
to the include path. Fix the legacy uses that depended on that
addition.
Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
When using LLVM/Clang, it complains about memcpy() being
casted to (void *):
warning: expression result unused; should this cast be to 'void'? [-Wunused-value]
So change those to (void) instead as the return of memcpy()
is not used anyway.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
1) Add cryptographically secure random functions to provide
FIPS 140-2 compliant random functions.
2) Add name to random function choice selectors to ease
selection in SOC .defconfig files
3) Add bulk fill random functions.
Signed-off-by: David Leach <david.leach@nxp.com>
Use this short header style in all Kconfig files:
# <description>
# <copyright>
# <license>
...
Also change all <description>s from
# Kconfig[.extension] - Foo-related options
to just
# Foo-related options
It's clear enough that it's about Kconfig.
The <description> cleanup was done with this command, along with some
manual cleanup (big letter at the start, etc.)
git ls-files '*Kconfig*' | \
xargs sed -i -E '1 s/#\s*Kconfig[\w.-]*\s*-\s*/# /'
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
move entropy.h to drivers/entropy.h and
create a shim for backward-compatibility.
No functional changes to the headers.
A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES.
Related to #16539
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
