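/*
 * QTest testcase for the Nuvoton NPCM7xx Random Number Generator
 *
 * Copyright 2020 Google LLC
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */

#include "qemu/osdep.h"

#include <math.h>

#include "libqtest-single.h"
#include "qemu/bitops.h"
#include "qemu-common.h"

#define RNG_BASE_ADDR   0xf000b000

/* Control and Status Register */
#define RNGCS   0x00
# define DVALID     BIT(1)  /* Data Valid */
# define RNGE       BIT(0)  /* RNG Enable */
/* Data Register */
#define RNGD    0x04
/* Mode Register */
#define RNGMODE 0x08
# define ROSEL_NORMAL   (2) /* RNG only works in this mode */

/*
 * Number of bits to collect for randomness tests.
 *
 * NIST SP 800-22 recommends at least 100 bits for the frequency and runs
 * tests, so 128 is close to the smallest usable sample. Must stay a multiple
 * of BITS_PER_LONG; calc_runs_p() asserts this.
 */
#define TEST_INPUT_BITS (128)

/*
 * Hex-dump the collected sample to stderr when the current test case has
 * already been marked as failed, so the offending bytes end up in the log.
 */
static void dump_buf_if_failed(const uint8_t *buf, size_t size)
{
    if (g_test_failed()) {
        qemu_hexdump(stderr, "", buf, size);
    }
}

/* Write one byte to the RNG register at the given offset from RNG_BASE_ADDR. */
static void rng_writeb(unsigned int offset, uint8_t value)
{
    writeb(RNG_BASE_ADDR + offset, value);
}

/* Read one byte from the RNG register at the given offset from RNG_BASE_ADDR. */
static uint8_t rng_readb(unsigned int offset)
{
    return readb(RNG_BASE_ADDR + offset);
}

/* Disable RNG and set normal ring oscillator mode. */
static void rng_reset(void)
{
    rng_writeb(RNGCS, 0);
    rng_writeb(RNGMODE, ROSEL_NORMAL);
}

/* Reset RNG and then enable it. */
static void rng_reset_enable(void)
{
    rng_reset();
    rng_writeb(RNGCS, RNGE);
}

/*
 * Wait until Data Valid bit is set.
 *
 * Polls RNGCS up to 10 times. Returns true as soon as DVALID is seen and
 * false if it never shows up within the retry budget.
 */
static bool rng_wait_ready(void)
{
    /* qemu_guest_getrandom may fail. Assume it won't fail 10 times in a row. */
    int retries = 10;

    while (retries-- > 0) {
        if (rng_readb(RNGCS) & DVALID) {
            return true;
        }
    }

    return false;
}

/*
 * Perform a frequency (monobit) test, as defined by NIST SP 800-22, on the
 * sequence in buf and return the P-value. This represents the probability of a
 * truly random sequence having the same proportion of zeros and ones as the
 * sequence in buf.
 *
 * An RNG which always returns 0x00 or 0xff, or has some bits stuck at 0 or 1,
 * will fail this test. However, an RNG which always returns 0x55, 0xf0 or some
 * other value with an equal number of zeroes and ones will pass.
 *
 * len is the number of bytes in buf and must be non-zero.
 */
static double calc_monobit_p(const uint8_t *buf, unsigned int len)
{
    unsigned int i;
    double s_obs;
    int sn = 0;

    /* An empty sample would make s_obs 0/0; reject it up front. */
    g_assert(len > 0);

    for (i = 0; i < len; i++) {
        /*
         * Each 1 counts as 1, each 0 counts as -1.
         * s = cp - (8 - cp) = 2 * cp - 8
         */
        sn += 2 * ctpop8(buf[i]) - 8;
    }

    s_obs = abs(sn) / sqrt(len * BITS_PER_BYTE);

    return erfc(s_obs / sqrt(2));
}

/*
 * Perform a runs test, as defined by NIST SP 800-22, and return the P-value.
 * This represents the probability of a truly random sequence having the same
 * number of runs (i.e. uninterrupted sequences of identical bits) as the
 * sequence in buf.
 *
 * nr_bits is the number of bits in buf; it must be non-zero and a multiple of
 * BITS_PER_LONG. A sample consisting entirely of zeros or entirely of ones
 * yields a P-value of 0.0.
 */
static double calc_runs_p(const unsigned long *buf, unsigned int nr_bits)
{
    unsigned int j;
    unsigned int k;
    int nr_ones = 0;
    int vn_obs = 0;
    double pi;

    /*
     * nr_bits is unsigned, so with nr_bits == 0 the "nr_bits - 1" loop bound
     * below would wrap around and walk far past the end of buf.
     */
    g_assert(nr_bits > 0);
    g_assert(nr_bits % BITS_PER_LONG == 0);

    for (j = 0; j < nr_bits / BITS_PER_LONG; j++) {
        nr_ones += __builtin_popcountl(buf[j]);
    }

    /*
     * With no ones or no zeros, pi * (1 - pi) is zero and the formula below
     * divides by zero. Return the resulting P-value explicitly instead of
     * relying on the floating-point infinity to propagate through erfc().
     */
    if (nr_ones == 0 || (unsigned int)nr_ones == nr_bits) {
        return 0.0;
    }
    pi = (double)nr_ones / nr_bits;

    /* Every position where adjacent bits differ starts a new run. */
    for (k = 0; k < nr_bits - 1; k++) {
        vn_obs += (test_bit(k, buf) ^ test_bit(k + 1, buf));
    }
    vn_obs += 1;

    return erfc(fabs(vn_obs - 2 * nr_bits * pi * (1.0 - pi))
                / (2 * sqrt(2 * nr_bits) * pi * (1.0 - pi)));
}

/*
 * Verifies that DVALID is clear, and RNGD reads zero, when RNGE is cleared,
 * and DVALID eventually becomes set when RNGE is set.
 */
static void test_enable_disable(void)
{
    /* Disable: DVALID should not be set, and RNGD should read zero */
    rng_reset();
    g_assert_cmphex(rng_readb(RNGCS), ==, 0);
    g_assert_cmphex(rng_readb(RNGD), ==, 0);

    /* Enable: DVALID should be set, but we can't make assumptions about RNGD */
    rng_writeb(RNGCS, RNGE);
    g_assert_true(rng_wait_ready());
    g_assert_cmphex(rng_readb(RNGCS), ==, DVALID | RNGE);

    /* Disable: DVALID should not be set, and RNGD should read zero */
    rng_writeb(RNGCS, 0);
    g_assert_cmphex(rng_readb(RNGCS), ==, 0);
    g_assert_cmphex(rng_readb(RNGD), ==, 0);
}

/*
 * Verifies that the RNG only produces data when RNGMODE is set to 'normal'
 * ring oscillator mode.
 */
static void test_rosel(void)
{
    rng_reset_enable();
    g_assert_true(rng_wait_ready());
    rng_writeb(RNGMODE, 0);
    g_assert_false(rng_wait_ready());
    rng_writeb(RNGMODE, ROSEL_NORMAL);
    g_assert_true(rng_wait_ready());
    rng_writeb(RNGMODE, 0);
    g_assert_false(rng_wait_ready());
}

/*
 * Verifies that a continuous sequence of bits collected after enabling the RNG
 * satisfies a monobit test.
 *
 * main() makes g_assert_*() checks non-fatal, so a failed readiness check
 * does not stop the loop: RNGD is still read and the sample is still
 * evaluated and, on failure, dumped.
 */
static void test_continuous_monobit(void)
{
    uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE];
    unsigned int i;

    rng_reset_enable();
    for (i = 0; i < sizeof(buf); i++) {
        g_assert_true(rng_wait_ready());
        buf[i] = rng_readb(RNGD);
    }

    g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01);
    dump_buf_if_failed(buf, sizeof(buf));
}

/*
 * Verifies that a continuous sequence of bits collected after enabling the RNG
 * satisfies a runs test.
 */
static void test_continuous_runs(void)
{
    /* Filled byte by byte through .c, then bit-tested as longs through .l. */
    union {
        unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG];
        uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE];
    } buf;
    unsigned int i;

    rng_reset_enable();
    for (i = 0; i < sizeof(buf); i++) {
        g_assert_true(rng_wait_ready());
        buf.c[i] = rng_readb(RNGD);
    }

    g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01);
    dump_buf_if_failed(buf.c, sizeof(buf));
}

/*
 * Verifies that the first data byte collected after enabling the RNG satisfies
 * a monobit test.
 */
static void test_first_byte_monobit(void)
{
    /*
     * Enable, collect one byte, disable. Repeat until we have
     * TEST_INPUT_BITS bits.
     */
    uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE];
    unsigned int i;

    rng_reset();
    for (i = 0; i < sizeof(buf); i++) {
        rng_writeb(RNGCS, RNGE);
        g_assert_true(rng_wait_ready());
        buf[i] = rng_readb(RNGD);
        rng_writeb(RNGCS, 0);
    }

    g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01);
    dump_buf_if_failed(buf, sizeof(buf));
}

/*
 * Verifies that the first data byte collected after enabling the RNG satisfies
 * a runs test.
 */
static void test_first_byte_runs(void)
{
    /*
     * Enable, collect one byte, disable. Repeat until we have
     * TEST_INPUT_BITS bits.
     */
    union {
        unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG];
        uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE];
    } buf;
    unsigned int i;

    rng_reset();
    for (i = 0; i < sizeof(buf); i++) {
        rng_writeb(RNGCS, RNGE);
        g_assert_true(rng_wait_ready());
        buf.c[i] = rng_readb(RNGD);
        rng_writeb(RNGCS, 0);
    }

    g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01);
    dump_buf_if_failed(buf.c, sizeof(buf));
}

/*
 * Register the RNG test cases, boot the npcm750-evb machine and run them.
 * The statistical tests are only registered when QEMU_TEST_FLAKY_RNG_TESTS
 * is set in the environment.
 */
int main(int argc, char **argv)
{
    int ret;

    g_test_init(&argc, &argv, NULL);
    /*
     * A failed g_assert_*() check marks the test as failed and returns, which
     * is what lets dump_buf_if_failed() run after the P-value checks. Plain
     * g_assert() is not affected and still aborts.
     */
    g_test_set_nonfatal_assertions();

    qtest_add_func("npcm7xx_rng/enable_disable", test_enable_disable);
    qtest_add_func("npcm7xx_rng/rosel", test_rosel);
    /*
     * These tests fail intermittently; only run them on explicit
     * request until we figure out why.
     *
     * NOTE(review): each of these rejects the sample when its P-value is
     * not above 0.01, so even an ideal random source is expected to fail
     * any one of them on roughly 1% of runs. That alone would make four
     * such tests intermittent; confirm whether it accounts for the
     * observed failure rate before suspecting the device model.
     */
    if (getenv("QEMU_TEST_FLAKY_RNG_TESTS")) {
        qtest_add_func("npcm7xx_rng/continuous/monobit", test_continuous_monobit);
        qtest_add_func("npcm7xx_rng/continuous/runs", test_continuous_runs);
        qtest_add_func("npcm7xx_rng/first_byte/monobit", test_first_byte_monobit);
        qtest_add_func("npcm7xx_rng/first_byte/runs", test_first_byte_runs);
    }

    qtest_start("-machine npcm750-evb");
    ret = g_test_run();
    qtest_end();

    return ret;
}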