1326ccfe2SHavard Skinnemoen /* 2326ccfe2SHavard Skinnemoen * QTest testcase for the Nuvoton NPCM7xx Random Number Generator 3326ccfe2SHavard Skinnemoen * 4326ccfe2SHavard Skinnemoen * Copyright 2020 Google LLC 5326ccfe2SHavard Skinnemoen * 6326ccfe2SHavard Skinnemoen * This program is free software; you can redistribute it and/or modify it 7326ccfe2SHavard Skinnemoen * under the terms of the GNU General Public License as published by the 8326ccfe2SHavard Skinnemoen * Free Software Foundation; either version 2 of the License, or 9326ccfe2SHavard Skinnemoen * (at your option) any later version. 10326ccfe2SHavard Skinnemoen * 11326ccfe2SHavard Skinnemoen * This program is distributed in the hope that it will be useful, but WITHOUT 12326ccfe2SHavard Skinnemoen * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13326ccfe2SHavard Skinnemoen * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14326ccfe2SHavard Skinnemoen * for more details. 15326ccfe2SHavard Skinnemoen */ 16326ccfe2SHavard Skinnemoen 17326ccfe2SHavard Skinnemoen #include "qemu/osdep.h" 18326ccfe2SHavard Skinnemoen 19326ccfe2SHavard Skinnemoen #include <math.h> 20326ccfe2SHavard Skinnemoen 21326ccfe2SHavard Skinnemoen #include "libqtest-single.h" 22326ccfe2SHavard Skinnemoen #include "qemu/bitops.h" 23326ccfe2SHavard Skinnemoen 24326ccfe2SHavard Skinnemoen #define RNG_BASE_ADDR 0xf000b000 25326ccfe2SHavard Skinnemoen 26326ccfe2SHavard Skinnemoen /* Control and Status Register */ 27326ccfe2SHavard Skinnemoen #define RNGCS 0x00 28326ccfe2SHavard Skinnemoen # define DVALID BIT(1) /* Data Valid */ 29326ccfe2SHavard Skinnemoen # define RNGE BIT(0) /* RNG Enable */ 30326ccfe2SHavard Skinnemoen /* Data Register */ 31326ccfe2SHavard Skinnemoen #define RNGD 0x04 32326ccfe2SHavard Skinnemoen /* Mode Register */ 33326ccfe2SHavard Skinnemoen #define RNGMODE 0x08 34326ccfe2SHavard Skinnemoen # define ROSEL_NORMAL (2) /* RNG only works in this mode */ 35326ccfe2SHavard Skinnemoen 36326ccfe2SHavard Skinnemoen /* Number of bits to collect for randomness tests. */ 37326ccfe2SHavard Skinnemoen #define TEST_INPUT_BITS (128) 38326ccfe2SHavard Skinnemoen 39326ccfe2SHavard Skinnemoen static void rng_writeb(unsigned int offset, uint8_t value) 40326ccfe2SHavard Skinnemoen { 41326ccfe2SHavard Skinnemoen writeb(RNG_BASE_ADDR + offset, value); 42326ccfe2SHavard Skinnemoen } 43326ccfe2SHavard Skinnemoen 44326ccfe2SHavard Skinnemoen static uint8_t rng_readb(unsigned int offset) 45326ccfe2SHavard Skinnemoen { 46326ccfe2SHavard Skinnemoen return readb(RNG_BASE_ADDR + offset); 47326ccfe2SHavard Skinnemoen } 48326ccfe2SHavard Skinnemoen 49326ccfe2SHavard Skinnemoen /* Disable RNG and set normal ring oscillator mode. */ 50326ccfe2SHavard Skinnemoen static void rng_reset(void) 51326ccfe2SHavard Skinnemoen { 52326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, 0); 53326ccfe2SHavard Skinnemoen rng_writeb(RNGMODE, ROSEL_NORMAL); 54326ccfe2SHavard Skinnemoen } 55326ccfe2SHavard Skinnemoen 56326ccfe2SHavard Skinnemoen /* Reset RNG and then enable it. */ 57326ccfe2SHavard Skinnemoen static void rng_reset_enable(void) 58326ccfe2SHavard Skinnemoen { 59326ccfe2SHavard Skinnemoen rng_reset(); 60326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, RNGE); 61326ccfe2SHavard Skinnemoen } 62326ccfe2SHavard Skinnemoen 63326ccfe2SHavard Skinnemoen /* Wait until Data Valid bit is set. */ 64326ccfe2SHavard Skinnemoen static bool rng_wait_ready(void) 65326ccfe2SHavard Skinnemoen { 66326ccfe2SHavard Skinnemoen /* qemu_guest_getrandom may fail. Assume it won't fail 10 times in a row. */ 67326ccfe2SHavard Skinnemoen int retries = 10; 68326ccfe2SHavard Skinnemoen 69326ccfe2SHavard Skinnemoen while (retries-- > 0) { 70326ccfe2SHavard Skinnemoen if (rng_readb(RNGCS) & DVALID) { 71326ccfe2SHavard Skinnemoen return true; 72326ccfe2SHavard Skinnemoen } 73326ccfe2SHavard Skinnemoen } 74326ccfe2SHavard Skinnemoen 75326ccfe2SHavard Skinnemoen return false; 76326ccfe2SHavard Skinnemoen } 77326ccfe2SHavard Skinnemoen 78326ccfe2SHavard Skinnemoen /* 79326ccfe2SHavard Skinnemoen * Perform a frequency (monobit) test, as defined by NIST SP 800-22, on the 80326ccfe2SHavard Skinnemoen * sequence in buf and return the P-value. This represents the probability of a 81326ccfe2SHavard Skinnemoen * truly random sequence having the same proportion of zeros and ones as the 82326ccfe2SHavard Skinnemoen * sequence in buf. 83326ccfe2SHavard Skinnemoen * 84326ccfe2SHavard Skinnemoen * An RNG which always returns 0x00 or 0xff, or has some bits stuck at 0 or 1, 85326ccfe2SHavard Skinnemoen * will fail this test. However, an RNG which always returns 0x55, 0xf0 or some 86326ccfe2SHavard Skinnemoen * other value with an equal number of zeroes and ones will pass. 87326ccfe2SHavard Skinnemoen */ 88326ccfe2SHavard Skinnemoen static double calc_monobit_p(const uint8_t *buf, unsigned int len) 89326ccfe2SHavard Skinnemoen { 90326ccfe2SHavard Skinnemoen unsigned int i; 91326ccfe2SHavard Skinnemoen double s_obs; 92326ccfe2SHavard Skinnemoen int sn = 0; 93326ccfe2SHavard Skinnemoen 94326ccfe2SHavard Skinnemoen for (i = 0; i < len; i++) { 95326ccfe2SHavard Skinnemoen /* 96326ccfe2SHavard Skinnemoen * Each 1 counts as 1, each 0 counts as -1. 97326ccfe2SHavard Skinnemoen * s = cp - (8 - cp) = 2 * cp - 8 98326ccfe2SHavard Skinnemoen */ 99326ccfe2SHavard Skinnemoen sn += 2 * ctpop8(buf[i]) - 8; 100326ccfe2SHavard Skinnemoen } 101326ccfe2SHavard Skinnemoen 102326ccfe2SHavard Skinnemoen s_obs = abs(sn) / sqrt(len * BITS_PER_BYTE); 103326ccfe2SHavard Skinnemoen 104326ccfe2SHavard Skinnemoen return erfc(s_obs / sqrt(2)); 105326ccfe2SHavard Skinnemoen } 106326ccfe2SHavard Skinnemoen 107326ccfe2SHavard Skinnemoen /* 108326ccfe2SHavard Skinnemoen * Perform a runs test, as defined by NIST SP 800-22, and return the P-value. 109326ccfe2SHavard Skinnemoen * This represents the probability of a truly random sequence having the same 110326ccfe2SHavard Skinnemoen * number of runs (i.e. uninterrupted sequences of identical bits) as the 111326ccfe2SHavard Skinnemoen * sequence in buf. 112326ccfe2SHavard Skinnemoen */ 113326ccfe2SHavard Skinnemoen static double calc_runs_p(const unsigned long *buf, unsigned int nr_bits) 114326ccfe2SHavard Skinnemoen { 115326ccfe2SHavard Skinnemoen unsigned int j; 116326ccfe2SHavard Skinnemoen unsigned int k; 117326ccfe2SHavard Skinnemoen int nr_ones = 0; 118326ccfe2SHavard Skinnemoen int vn_obs = 0; 119326ccfe2SHavard Skinnemoen double pi; 120326ccfe2SHavard Skinnemoen 121326ccfe2SHavard Skinnemoen g_assert(nr_bits % BITS_PER_LONG == 0); 122326ccfe2SHavard Skinnemoen 123326ccfe2SHavard Skinnemoen for (j = 0; j < nr_bits / BITS_PER_LONG; j++) { 124326ccfe2SHavard Skinnemoen nr_ones += __builtin_popcountl(buf[j]); 125326ccfe2SHavard Skinnemoen } 126326ccfe2SHavard Skinnemoen pi = (double)nr_ones / nr_bits; 127326ccfe2SHavard Skinnemoen 128326ccfe2SHavard Skinnemoen for (k = 0; k < nr_bits - 1; k++) { 129*8006c984SHavard Skinnemoen vn_obs += (test_bit(k, buf) ^ test_bit(k + 1, buf)); 130326ccfe2SHavard Skinnemoen } 131326ccfe2SHavard Skinnemoen vn_obs += 1; 132326ccfe2SHavard Skinnemoen 133326ccfe2SHavard Skinnemoen return erfc(fabs(vn_obs - 2 * nr_bits * pi * (1.0 - pi)) 134326ccfe2SHavard Skinnemoen / (2 * sqrt(2 * nr_bits) * pi * (1.0 - pi))); 135326ccfe2SHavard Skinnemoen } 136326ccfe2SHavard Skinnemoen 137326ccfe2SHavard Skinnemoen /* 138326ccfe2SHavard Skinnemoen * Verifies that DVALID is clear, and RNGD reads zero, when RNGE is cleared, 139326ccfe2SHavard Skinnemoen * and DVALID eventually becomes set when RNGE is set. 140326ccfe2SHavard Skinnemoen */ 141326ccfe2SHavard Skinnemoen static void test_enable_disable(void) 142326ccfe2SHavard Skinnemoen { 143326ccfe2SHavard Skinnemoen /* Disable: DVALID should not be set, and RNGD should read zero */ 144326ccfe2SHavard Skinnemoen rng_reset(); 145326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGCS), ==, 0); 146326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGD), ==, 0); 147326ccfe2SHavard Skinnemoen 148326ccfe2SHavard Skinnemoen /* Enable: DVALID should be set, but we can't make assumptions about RNGD */ 149326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, RNGE); 150326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 151326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGCS), ==, DVALID | RNGE); 152326ccfe2SHavard Skinnemoen 153326ccfe2SHavard Skinnemoen /* Disable: DVALID should not be set, and RNGD should read zero */ 154326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, 0); 155326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGCS), ==, 0); 156326ccfe2SHavard Skinnemoen g_assert_cmphex(rng_readb(RNGD), ==, 0); 157326ccfe2SHavard Skinnemoen } 158326ccfe2SHavard Skinnemoen 159326ccfe2SHavard Skinnemoen /* 160326ccfe2SHavard Skinnemoen * Verifies that the RNG only produces data when RNGMODE is set to 'normal' 161326ccfe2SHavard Skinnemoen * ring oscillator mode. 162326ccfe2SHavard Skinnemoen */ 163326ccfe2SHavard Skinnemoen static void test_rosel(void) 164326ccfe2SHavard Skinnemoen { 165326ccfe2SHavard Skinnemoen rng_reset_enable(); 166326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 167326ccfe2SHavard Skinnemoen rng_writeb(RNGMODE, 0); 168326ccfe2SHavard Skinnemoen g_assert_false(rng_wait_ready()); 169326ccfe2SHavard Skinnemoen rng_writeb(RNGMODE, ROSEL_NORMAL); 170326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 171326ccfe2SHavard Skinnemoen rng_writeb(RNGMODE, 0); 172326ccfe2SHavard Skinnemoen g_assert_false(rng_wait_ready()); 173326ccfe2SHavard Skinnemoen } 174326ccfe2SHavard Skinnemoen 175326ccfe2SHavard Skinnemoen /* 176326ccfe2SHavard Skinnemoen * Verifies that a continuous sequence of bits collected after enabling the RNG 177326ccfe2SHavard Skinnemoen * satisfies a monobit test. 178326ccfe2SHavard Skinnemoen */ 179326ccfe2SHavard Skinnemoen static void test_continuous_monobit(void) 180326ccfe2SHavard Skinnemoen { 181326ccfe2SHavard Skinnemoen uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE]; 182326ccfe2SHavard Skinnemoen unsigned int i; 183326ccfe2SHavard Skinnemoen 184326ccfe2SHavard Skinnemoen rng_reset_enable(); 185326ccfe2SHavard Skinnemoen for (i = 0; i < sizeof(buf); i++) { 186326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 187326ccfe2SHavard Skinnemoen buf[i] = rng_readb(RNGD); 188326ccfe2SHavard Skinnemoen } 189326ccfe2SHavard Skinnemoen 190326ccfe2SHavard Skinnemoen g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01); 191326ccfe2SHavard Skinnemoen } 192326ccfe2SHavard Skinnemoen 193326ccfe2SHavard Skinnemoen /* 194326ccfe2SHavard Skinnemoen * Verifies that a continuous sequence of bits collected after enabling the RNG 195326ccfe2SHavard Skinnemoen * satisfies a runs test. 196326ccfe2SHavard Skinnemoen */ 197326ccfe2SHavard Skinnemoen static void test_continuous_runs(void) 198326ccfe2SHavard Skinnemoen { 199326ccfe2SHavard Skinnemoen union { 200326ccfe2SHavard Skinnemoen unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG]; 201326ccfe2SHavard Skinnemoen uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE]; 202326ccfe2SHavard Skinnemoen } buf; 203326ccfe2SHavard Skinnemoen unsigned int i; 204326ccfe2SHavard Skinnemoen 205326ccfe2SHavard Skinnemoen rng_reset_enable(); 206326ccfe2SHavard Skinnemoen for (i = 0; i < sizeof(buf); i++) { 207326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 208326ccfe2SHavard Skinnemoen buf.c[i] = rng_readb(RNGD); 209326ccfe2SHavard Skinnemoen } 210326ccfe2SHavard Skinnemoen 211326ccfe2SHavard Skinnemoen g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01); 212326ccfe2SHavard Skinnemoen } 213326ccfe2SHavard Skinnemoen 214326ccfe2SHavard Skinnemoen /* 215326ccfe2SHavard Skinnemoen * Verifies that the first data byte collected after enabling the RNG satisfies 216326ccfe2SHavard Skinnemoen * a monobit test. 217326ccfe2SHavard Skinnemoen */ 218326ccfe2SHavard Skinnemoen static void test_first_byte_monobit(void) 219326ccfe2SHavard Skinnemoen { 220326ccfe2SHavard Skinnemoen /* Enable, collect one byte, disable. Repeat until we have 100 bits. */ 221326ccfe2SHavard Skinnemoen uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE]; 222326ccfe2SHavard Skinnemoen unsigned int i; 223326ccfe2SHavard Skinnemoen 224326ccfe2SHavard Skinnemoen rng_reset(); 225326ccfe2SHavard Skinnemoen for (i = 0; i < sizeof(buf); i++) { 226326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, RNGE); 227326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 228326ccfe2SHavard Skinnemoen buf[i] = rng_readb(RNGD); 229326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, 0); 230326ccfe2SHavard Skinnemoen } 231326ccfe2SHavard Skinnemoen 232326ccfe2SHavard Skinnemoen g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01); 233326ccfe2SHavard Skinnemoen } 234326ccfe2SHavard Skinnemoen 235326ccfe2SHavard Skinnemoen /* 236326ccfe2SHavard Skinnemoen * Verifies that the first data byte collected after enabling the RNG satisfies 237326ccfe2SHavard Skinnemoen * a runs test. 238326ccfe2SHavard Skinnemoen */ 239326ccfe2SHavard Skinnemoen static void test_first_byte_runs(void) 240326ccfe2SHavard Skinnemoen { 241326ccfe2SHavard Skinnemoen /* Enable, collect one byte, disable. Repeat until we have 100 bits. */ 242326ccfe2SHavard Skinnemoen union { 243326ccfe2SHavard Skinnemoen unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG]; 244326ccfe2SHavard Skinnemoen uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE]; 245326ccfe2SHavard Skinnemoen } buf; 246326ccfe2SHavard Skinnemoen unsigned int i; 247326ccfe2SHavard Skinnemoen 248326ccfe2SHavard Skinnemoen rng_reset(); 249326ccfe2SHavard Skinnemoen for (i = 0; i < sizeof(buf); i++) { 250326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, RNGE); 251326ccfe2SHavard Skinnemoen g_assert_true(rng_wait_ready()); 252326ccfe2SHavard Skinnemoen buf.c[i] = rng_readb(RNGD); 253326ccfe2SHavard Skinnemoen rng_writeb(RNGCS, 0); 254326ccfe2SHavard Skinnemoen } 255326ccfe2SHavard Skinnemoen 256326ccfe2SHavard Skinnemoen g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01); 257326ccfe2SHavard Skinnemoen } 258326ccfe2SHavard Skinnemoen 259326ccfe2SHavard Skinnemoen int main(int argc, char **argv) 260326ccfe2SHavard Skinnemoen { 261326ccfe2SHavard Skinnemoen int ret; 262326ccfe2SHavard Skinnemoen 263326ccfe2SHavard Skinnemoen g_test_init(&argc, &argv, NULL); 264326ccfe2SHavard Skinnemoen g_test_set_nonfatal_assertions(); 265326ccfe2SHavard Skinnemoen 266326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/enable_disable", test_enable_disable); 267326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/rosel", test_rosel); 268ffb4fbf9SPeter Maydell /* 269ffb4fbf9SPeter Maydell * These tests fail intermittently; only run them on explicit 270ffb4fbf9SPeter Maydell * request until we figure out why. 271ffb4fbf9SPeter Maydell */ 272ffb4fbf9SPeter Maydell if (getenv("QEMU_TEST_FLAKY_RNG_TESTS")) { 273326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/continuous/monobit", test_continuous_monobit); 274326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/continuous/runs", test_continuous_runs); 275326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/first_byte/monobit", test_first_byte_monobit); 276326ccfe2SHavard Skinnemoen qtest_add_func("npcm7xx_rng/first_byte/runs", test_first_byte_runs); 277ffb4fbf9SPeter Maydell } 278326ccfe2SHavard Skinnemoen 279326ccfe2SHavard Skinnemoen qtest_start("-machine npcm750-evb"); 280326ccfe2SHavard Skinnemoen ret = g_test_run(); 281326ccfe2SHavard Skinnemoen qtest_end(); 282326ccfe2SHavard Skinnemoen 283326ccfe2SHavard Skinnemoen return ret; 284326ccfe2SHavard Skinnemoen } 285