1*326ccfe2SHavard Skinnemoen /* 2*326ccfe2SHavard Skinnemoen * QTest testcase for the Nuvoton NPCM7xx Random Number Generator 3*326ccfe2SHavard Skinnemoen * 4*326ccfe2SHavard Skinnemoen * Copyright 2020 Google LLC 5*326ccfe2SHavard Skinnemoen * 6*326ccfe2SHavard Skinnemoen * This program is free software; you can redistribute it and/or modify it 7*326ccfe2SHavard Skinnemoen * under the terms of the GNU General Public License as published by the 8*326ccfe2SHavard Skinnemoen * Free Software Foundation; either version 2 of the License, or 9*326ccfe2SHavard Skinnemoen * (at your option) any later version. 10*326ccfe2SHavard Skinnemoen * 11*326ccfe2SHavard Skinnemoen * This program is distributed in the hope that it will be useful, but WITHOUT 12*326ccfe2SHavard Skinnemoen * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13*326ccfe2SHavard Skinnemoen * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14*326ccfe2SHavard Skinnemoen * for more details. 15*326ccfe2SHavard Skinnemoen */ 16*326ccfe2SHavard Skinnemoen 17*326ccfe2SHavard Skinnemoen #include "qemu/osdep.h" 18*326ccfe2SHavard Skinnemoen 19*326ccfe2SHavard Skinnemoen #include <math.h> 20*326ccfe2SHavard Skinnemoen 21*326ccfe2SHavard Skinnemoen #include "libqtest-single.h" 22*326ccfe2SHavard Skinnemoen #include "qemu/bitops.h" 23*326ccfe2SHavard Skinnemoen 24*326ccfe2SHavard Skinnemoen #define RNG_BASE_ADDR 0xf000b000 25*326ccfe2SHavard Skinnemoen 26*326ccfe2SHavard Skinnemoen /* Control and Status Register */ 27*326ccfe2SHavard Skinnemoen #define RNGCS 0x00 28*326ccfe2SHavard Skinnemoen # define DVALID BIT(1) /* Data Valid */ 29*326ccfe2SHavard Skinnemoen # define RNGE BIT(0) /* RNG Enable */ 30*326ccfe2SHavard Skinnemoen /* Data Register */ 31*326ccfe2SHavard Skinnemoen #define RNGD 0x04 32*326ccfe2SHavard Skinnemoen /* Mode Register */ 33*326ccfe2SHavard Skinnemoen #define RNGMODE 0x08 34*326ccfe2SHavard Skinnemoen # define ROSEL_NORMAL (2) /* RNG only works in this mode */ 35*326ccfe2SHavard Skinnemoen 36*326ccfe2SHavard Skinnemoen /* Number of bits to collect for randomness tests. */ 37*326ccfe2SHavard Skinnemoen #define TEST_INPUT_BITS (128) 38*326ccfe2SHavard Skinnemoen 39*326ccfe2SHavard Skinnemoen static void rng_writeb(unsigned int offset, uint8_t value) 40*326ccfe2SHavard Skinnemoen { 41*326ccfe2SHavard Skinnemoen writeb(RNG_BASE_ADDR + offset, value); 42*326ccfe2SHavard Skinnemoen } 43*326ccfe2SHavard Skinnemoen 44*326ccfe2SHavard Skinnemoen static uint8_t rng_readb(unsigned int offset) 45*326ccfe2SHavard Skinnemoen { 46*326ccfe2SHavard Skinnemoen return readb(RNG_BASE_ADDR + offset); 47*326ccfe2SHavard Skinnemoen } 48*326ccfe2SHavard Skinnemoen 49*326ccfe2SHavard Skinnemoen /* Disable RNG and set normal ring oscillator mode. */ 50*326ccfe2SHavard Skinnemoen static void rng_reset(void) 51*326ccfe2SHavard Skinnemoen { 52*326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, 0); 53*326ccfe2SHavard Skinnemoen rng_writeb(RNGMODE, ROSEL_NORMAL); 54*326ccfe2SHavard Skinnemoen } 55*326ccfe2SHavard Skinnemoen 56*326ccfe2SHavard Skinnemoen /* Reset RNG and then enable it. */ 57*326ccfe2SHavard Skinnemoen static void rng_reset_enable(void) 58*326ccfe2SHavard Skinnemoen { 59*326ccfe2SHavard Skinnemoen rng_reset(); 60*326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, RNGE); 61*326ccfe2SHavard Skinnemoen } 62*326ccfe2SHavard Skinnemoen 63*326ccfe2SHavard Skinnemoen /* Wait until Data Valid bit is set. */ 64*326ccfe2SHavard Skinnemoen static bool rng_wait_ready(void) 65*326ccfe2SHavard Skinnemoen { 66*326ccfe2SHavard Skinnemoen /* qemu_guest_getrandom may fail. Assume it won't fail 10 times in a row. */ 67*326ccfe2SHavard Skinnemoen int retries = 10; 68*326ccfe2SHavard Skinnemoen 69*326ccfe2SHavard Skinnemoen while (retries-- > 0) { 70*326ccfe2SHavard Skinnemoen if (rng_readb(RNGCS) & DVALID) { 71*326ccfe2SHavard Skinnemoen return true; 72*326ccfe2SHavard Skinnemoen } 73*326ccfe2SHavard Skinnemoen } 74*326ccfe2SHavard Skinnemoen 75*326ccfe2SHavard Skinnemoen return false; 76*326ccfe2SHavard Skinnemoen } 77*326ccfe2SHavard Skinnemoen 78*326ccfe2SHavard Skinnemoen /* 79*326ccfe2SHavard Skinnemoen * Perform a frequency (monobit) test, as defined by NIST SP 800-22, on the 80*326ccfe2SHavard Skinnemoen * sequence in buf and return the P-value. This represents the probability of a 81*326ccfe2SHavard Skinnemoen * truly random sequence having the same proportion of zeros and ones as the 82*326ccfe2SHavard Skinnemoen * sequence in buf. 83*326ccfe2SHavard Skinnemoen * 84*326ccfe2SHavard Skinnemoen * An RNG which always returns 0x00 or 0xff, or has some bits stuck at 0 or 1, 85*326ccfe2SHavard Skinnemoen * will fail this test. However, an RNG which always returns 0x55, 0xf0 or some 86*326ccfe2SHavard Skinnemoen * other value with an equal number of zeroes and ones will pass. 87*326ccfe2SHavard Skinnemoen */ 88*326ccfe2SHavard Skinnemoen static double calc_monobit_p(const uint8_t *buf, unsigned int len) 89*326ccfe2SHavard Skinnemoen { 90*326ccfe2SHavard Skinnemoen unsigned int i; 91*326ccfe2SHavard Skinnemoen double s_obs; 92*326ccfe2SHavard Skinnemoen int sn = 0; 93*326ccfe2SHavard Skinnemoen 94*326ccfe2SHavard Skinnemoen for (i = 0; i < len; i++) { 95*326ccfe2SHavard Skinnemoen /* 96*326ccfe2SHavard Skinnemoen * Each 1 counts as 1, each 0 counts as -1. 97*326ccfe2SHavard Skinnemoen * s = cp - (8 - cp) = 2 * cp - 8 98*326ccfe2SHavard Skinnemoen */ 99*326ccfe2SHavard Skinnemoen sn += 2 * ctpop8(buf[i]) - 8; 100*326ccfe2SHavard Skinnemoen } 101*326ccfe2SHavard Skinnemoen 102*326ccfe2SHavard Skinnemoen s_obs = abs(sn) / sqrt(len * BITS_PER_BYTE); 103*326ccfe2SHavard Skinnemoen 104*326ccfe2SHavard Skinnemoen return erfc(s_obs / sqrt(2)); 105*326ccfe2SHavard Skinnemoen } 106*326ccfe2SHavard Skinnemoen 107*326ccfe2SHavard Skinnemoen /* 108*326ccfe2SHavard Skinnemoen * Perform a runs test, as defined by NIST SP 800-22, and return the P-value. 109*326ccfe2SHavard Skinnemoen * This represents the probability of a truly random sequence having the same 110*326ccfe2SHavard Skinnemoen * number of runs (i.e. uninterrupted sequences of identical bits) as the 111*326ccfe2SHavard Skinnemoen * sequence in buf. 112*326ccfe2SHavard Skinnemoen */ 113*326ccfe2SHavard Skinnemoen static double calc_runs_p(const unsigned long *buf, unsigned int nr_bits) 114*326ccfe2SHavard Skinnemoen { 115*326ccfe2SHavard Skinnemoen unsigned int j; 116*326ccfe2SHavard Skinnemoen unsigned int k; 117*326ccfe2SHavard Skinnemoen int nr_ones = 0; 118*326ccfe2SHavard Skinnemoen int vn_obs = 0; 119*326ccfe2SHavard Skinnemoen double pi; 120*326ccfe2SHavard Skinnemoen 121*326ccfe2SHavard Skinnemoen g_assert(nr_bits % BITS_PER_LONG == 0); 122*326ccfe2SHavard Skinnemoen 123*326ccfe2SHavard Skinnemoen for (j = 0; j < nr_bits / BITS_PER_LONG; j++) { 124*326ccfe2SHavard Skinnemoen nr_ones += __builtin_popcountl(buf[j]); 125*326ccfe2SHavard Skinnemoen } 126*326ccfe2SHavard Skinnemoen pi = (double)nr_ones / nr_bits; 127*326ccfe2SHavard Skinnemoen 128*326ccfe2SHavard Skinnemoen for (k = 0; k < nr_bits - 1; k++) { 129*326ccfe2SHavard Skinnemoen vn_obs += !(test_bit(k, buf) ^ test_bit(k + 1, buf)); 130*326ccfe2SHavard Skinnemoen } 131*326ccfe2SHavard Skinnemoen vn_obs += 1; 132*326ccfe2SHavard Skinnemoen 133*326ccfe2SHavard Skinnemoen return erfc(fabs(vn_obs - 2 * nr_bits * pi * (1.0 - pi)) 134*326ccfe2SHavard Skinnemoen / (2 * sqrt(2 * nr_bits) * pi * (1.0 - pi))); 135*326ccfe2SHavard Skinnemoen } 136*326ccfe2SHavard Skinnemoen 137*326ccfe2SHavard Skinnemoen /* 138*326ccfe2SHavard Skinnemoen * Verifies that DVALID is clear, and RNGD reads zero, when RNGE is cleared, 139*326ccfe2SHavard Skinnemoen * and DVALID eventually becomes set when RNGE is set. 140*326ccfe2SHavard Skinnemoen */ 141*326ccfe2SHavard Skinnemoen static void test_enable_disable(void) 142*326ccfe2SHavard Skinnemoen { 143*326ccfe2SHavard Skinnemoen /* Disable: DVALID should not be set, and RNGD should read zero */ 144*326ccfe2SHavard Skinnemoen rng_reset(); 145*326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGCS), ==, 0); 146*326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGD), ==, 0); 147*326ccfe2SHavard Skinnemoen 148*326ccfe2SHavard Skinnemoen /* Enable: DVALID should be set, but we can't make assumptions about RNGD */ 149*326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, RNGE); 150*326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 151*326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGCS), ==, DVALID | RNGE); 152*326ccfe2SHavard Skinnemoen 153*326ccfe2SHavard Skinnemoen /* Disable: DVALID should not be set, and RNGD should read zero */ 154*326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, 0); 155*326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGCS), ==, 0); 156*326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGD), ==, 0); 157*326ccfe2SHavard Skinnemoen } 158*326ccfe2SHavard Skinnemoen 159*326ccfe2SHavard Skinnemoen /* 160*326ccfe2SHavard Skinnemoen * Verifies that the RNG only produces data when RNGMODE is set to 'normal' 161*326ccfe2SHavard Skinnemoen * ring oscillator mode. 162*326ccfe2SHavard Skinnemoen */ 163*326ccfe2SHavard Skinnemoen static void test_rosel(void) 164*326ccfe2SHavard Skinnemoen { 165*326ccfe2SHavard Skinnemoen rng_reset_enable(); 166*326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 167*326ccfe2SHavard Skinnemoen rng_writeb(RNGMODE, 0); 168*326ccfe2SHavard Skinnemoen g_assert_false(rng_wait_ready()); 169*326ccfe2SHavard Skinnemoen rng_writeb(RNGMODE, ROSEL_NORMAL); 170*326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 171*326ccfe2SHavard Skinnemoen rng_writeb(RNGMODE, 0); 172*326ccfe2SHavard Skinnemoen g_assert_false(rng_wait_ready()); 173*326ccfe2SHavard Skinnemoen } 174*326ccfe2SHavard Skinnemoen 175*326ccfe2SHavard Skinnemoen /* 176*326ccfe2SHavard Skinnemoen * Verifies that a continuous sequence of bits collected after enabling the RNG 177*326ccfe2SHavard Skinnemoen * satisfies a monobit test. 178*326ccfe2SHavard Skinnemoen */ 179*326ccfe2SHavard Skinnemoen static void test_continuous_monobit(void) 180*326ccfe2SHavard Skinnemoen { 181*326ccfe2SHavard Skinnemoen uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE]; 182*326ccfe2SHavard Skinnemoen unsigned int i; 183*326ccfe2SHavard Skinnemoen 184*326ccfe2SHavard Skinnemoen rng_reset_enable(); 185*326ccfe2SHavard Skinnemoen for (i = 0; i < sizeof(buf); i++) { 186*326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 187*326ccfe2SHavard Skinnemoen buf[i] = rng_readb(RNGD); 188*326ccfe2SHavard Skinnemoen } 189*326ccfe2SHavard Skinnemoen 190*326ccfe2SHavard Skinnemoen g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01); 191*326ccfe2SHavard Skinnemoen } 192*326ccfe2SHavard Skinnemoen 193*326ccfe2SHavard Skinnemoen /* 194*326ccfe2SHavard Skinnemoen * Verifies that a continuous sequence of bits collected after enabling the RNG 195*326ccfe2SHavard Skinnemoen * satisfies a runs test. 196*326ccfe2SHavard Skinnemoen */ 197*326ccfe2SHavard Skinnemoen static void test_continuous_runs(void) 198*326ccfe2SHavard Skinnemoen { 199*326ccfe2SHavard Skinnemoen union { 200*326ccfe2SHavard Skinnemoen unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG]; 201*326ccfe2SHavard Skinnemoen uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE]; 202*326ccfe2SHavard Skinnemoen } buf; 203*326ccfe2SHavard Skinnemoen unsigned int i; 204*326ccfe2SHavard Skinnemoen 205*326ccfe2SHavard Skinnemoen rng_reset_enable(); 206*326ccfe2SHavard Skinnemoen for (i = 0; i < sizeof(buf); i++) { 207*326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 208*326ccfe2SHavard Skinnemoen buf.c[i] = rng_readb(RNGD); 209*326ccfe2SHavard Skinnemoen } 210*326ccfe2SHavard Skinnemoen 211*326ccfe2SHavard Skinnemoen g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01); 212*326ccfe2SHavard Skinnemoen } 213*326ccfe2SHavard Skinnemoen 214*326ccfe2SHavard Skinnemoen /* 215*326ccfe2SHavard Skinnemoen * Verifies that the first data byte collected after enabling the RNG satisfies 216*326ccfe2SHavard Skinnemoen * a monobit test. 217*326ccfe2SHavard Skinnemoen */ 218*326ccfe2SHavard Skinnemoen static void test_first_byte_monobit(void) 219*326ccfe2SHavard Skinnemoen { 220*326ccfe2SHavard Skinnemoen /* Enable, collect one byte, disable. Repeat until we have 100 bits. */ 221*326ccfe2SHavard Skinnemoen uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE]; 222*326ccfe2SHavard Skinnemoen unsigned int i; 223*326ccfe2SHavard Skinnemoen 224*326ccfe2SHavard Skinnemoen rng_reset(); 225*326ccfe2SHavard Skinnemoen for (i = 0; i < sizeof(buf); i++) { 226*326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, RNGE); 227*326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 228*326ccfe2SHavard Skinnemoen buf[i] = rng_readb(RNGD); 229*326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, 0); 230*326ccfe2SHavard Skinnemoen } 231*326ccfe2SHavard Skinnemoen 232*326ccfe2SHavard Skinnemoen g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01); 233*326ccfe2SHavard Skinnemoen } 234*326ccfe2SHavard Skinnemoen 235*326ccfe2SHavard Skinnemoen /* 236*326ccfe2SHavard Skinnemoen * Verifies that the first data byte collected after enabling the RNG satisfies 237*326ccfe2SHavard Skinnemoen * a runs test. 238*326ccfe2SHavard Skinnemoen */ 239*326ccfe2SHavard Skinnemoen static void test_first_byte_runs(void) 240*326ccfe2SHavard Skinnemoen { 241*326ccfe2SHavard Skinnemoen /* Enable, collect one byte, disable. Repeat until we have 100 bits. */ 242*326ccfe2SHavard Skinnemoen union { 243*326ccfe2SHavard Skinnemoen unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG]; 244*326ccfe2SHavard Skinnemoen uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE]; 245*326ccfe2SHavard Skinnemoen } buf; 246*326ccfe2SHavard Skinnemoen unsigned int i; 247*326ccfe2SHavard Skinnemoen 248*326ccfe2SHavard Skinnemoen rng_reset(); 249*326ccfe2SHavard Skinnemoen for (i = 0; i < sizeof(buf); i++) { 250*326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, RNGE); 251*326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 252*326ccfe2SHavard Skinnemoen buf.c[i] = rng_readb(RNGD); 253*326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, 0); 254*326ccfe2SHavard Skinnemoen } 255*326ccfe2SHavard Skinnemoen 256*326ccfe2SHavard Skinnemoen g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01); 257*326ccfe2SHavard Skinnemoen } 258*326ccfe2SHavard Skinnemoen 259*326ccfe2SHavard Skinnemoen int main(int argc, char **argv) 260*326ccfe2SHavard Skinnemoen { 261*326ccfe2SHavard Skinnemoen int ret; 262*326ccfe2SHavard Skinnemoen 263*326ccfe2SHavard Skinnemoen g_test_init(&argc, &argv, NULL); 264*326ccfe2SHavard Skinnemoen g_test_set_nonfatal_assertions(); 265*326ccfe2SHavard Skinnemoen 266*326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/enable_disable", test_enable_disable); 267*326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/rosel", test_rosel); 268*326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/continuous/monobit", test_continuous_monobit); 269*326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/continuous/runs", test_continuous_runs); 270*326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/first_byte/monobit", test_first_byte_monobit); 271*326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/first_byte/runs", test_first_byte_runs); 272*326ccfe2SHavard Skinnemoen 273*326ccfe2SHavard Skinnemoen qtest_start("-machine npcm750-evb"); 274*326ccfe2SHavard Skinnemoen ret = g_test_run(); 275*326ccfe2SHavard Skinnemoen qtest_end(); 276*326ccfe2SHavard Skinnemoen 277*326ccfe2SHavard Skinnemoen return ret; 278*326ccfe2SHavard Skinnemoen } 279