1 /* 2 * QTest testcase for the Nuvoton NPCM7xx Random Number Generator 3 * 4 * Copyright 2020 Google LLC 5 * 6 * This program is free software; you can redistribute it and/or modify it 7 * under the terms of the GNU General Public License as published by the 8 * Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * for more details. 15 */ 16 17 #include "qemu/osdep.h" 18 19 #include <math.h> 20 21 #include "libqtest-single.h" 22 #include "qemu/bitops.h" 23 24 #define RNG_BASE_ADDR 0xf000b000 25 26 /* Control and Status Register */ 27 #define RNGCS 0x00 28 # define DVALID BIT(1) /* Data Valid */ 29 # define RNGE BIT(0) /* RNG Enable */ 30 /* Data Register */ 31 #define RNGD 0x04 32 /* Mode Register */ 33 #define RNGMODE 0x08 34 # define ROSEL_NORMAL (2) /* RNG only works in this mode */ 35 36 /* Number of bits to collect for randomness tests. */ 37 #define TEST_INPUT_BITS (128) 38 39 static void rng_writeb(unsigned int offset, uint8_t value) 40 { 41 writeb(RNG_BASE_ADDR + offset, value); 42 } 43 44 static uint8_t rng_readb(unsigned int offset) 45 { 46 return readb(RNG_BASE_ADDR + offset); 47 } 48 49 /* Disable RNG and set normal ring oscillator mode. */ 50 static void rng_reset(void) 51 { 52 rng_writeb(RNGCS, 0); 53 rng_writeb(RNGMODE, ROSEL_NORMAL); 54 } 55 56 /* Reset RNG and then enable it. */ 57 static void rng_reset_enable(void) 58 { 59 rng_reset(); 60 rng_writeb(RNGCS, RNGE); 61 } 62 63 /* Wait until Data Valid bit is set. */ 64 static bool rng_wait_ready(void) 65 { 66 /* qemu_guest_getrandom may fail. Assume it won't fail 10 times in a row. */ 67 int retries = 10; 68 69 while (retries-- > 0) { 70 if (rng_readb(RNGCS) & DVALID) { 71 return true; 72 } 73 } 74 75 return false; 76 } 77 78 /* 79 * Perform a frequency (monobit) test, as defined by NIST SP 800-22, on the 80 * sequence in buf and return the P-value. This represents the probability of a 81 * truly random sequence having the same proportion of zeros and ones as the 82 * sequence in buf. 83 * 84 * An RNG which always returns 0x00 or 0xff, or has some bits stuck at 0 or 1, 85 * will fail this test. However, an RNG which always returns 0x55, 0xf0 or some 86 * other value with an equal number of zeroes and ones will pass. 87 */ 88 static double calc_monobit_p(const uint8_t *buf, unsigned int len) 89 { 90 unsigned int i; 91 double s_obs; 92 int sn = 0; 93 94 for (i = 0; i < len; i++) { 95 /* 96 * Each 1 counts as 1, each 0 counts as -1. 97 * s = cp - (8 - cp) = 2 * cp - 8 98 */ 99 sn += 2 * ctpop8(buf[i]) - 8; 100 } 101 102 s_obs = abs(sn) / sqrt(len * BITS_PER_BYTE); 103 104 return erfc(s_obs / sqrt(2)); 105 } 106 107 /* 108 * Perform a runs test, as defined by NIST SP 800-22, and return the P-value. 109 * This represents the probability of a truly random sequence having the same 110 * number of runs (i.e. uninterrupted sequences of identical bits) as the 111 * sequence in buf. 112 */ 113 static double calc_runs_p(const unsigned long *buf, unsigned int nr_bits) 114 { 115 unsigned int j; 116 unsigned int k; 117 int nr_ones = 0; 118 int vn_obs = 0; 119 double pi; 120 121 g_assert(nr_bits % BITS_PER_LONG == 0); 122 123 for (j = 0; j < nr_bits / BITS_PER_LONG; j++) { 124 nr_ones += __builtin_popcountl(buf[j]); 125 } 126 pi = (double)nr_ones / nr_bits; 127 128 for (k = 0; k < nr_bits - 1; k++) { 129 vn_obs += (test_bit(k, buf) ^ test_bit(k + 1, buf)); 130 } 131 vn_obs += 1; 132 133 return erfc(fabs(vn_obs - 2 * nr_bits * pi * (1.0 - pi)) 134 / (2 * sqrt(2 * nr_bits) * pi * (1.0 - pi))); 135 } 136 137 /* 138 * Verifies that DVALID is clear, and RNGD reads zero, when RNGE is cleared, 139 * and DVALID eventually becomes set when RNGE is set. 140 */ 141 static void test_enable_disable(void) 142 { 143 /* Disable: DVALID should not be set, and RNGD should read zero */ 144 rng_reset(); 145 g_assert_cmphex(rng_readb(RNGCS), ==, 0); 146 g_assert_cmphex(rng_readb(RNGD), ==, 0); 147 148 /* Enable: DVALID should be set, but we can't make assumptions about RNGD */ 149 rng_writeb(RNGCS, RNGE); 150 g_assert_true(rng_wait_ready()); 151 g_assert_cmphex(rng_readb(RNGCS), ==, DVALID | RNGE); 152 153 /* Disable: DVALID should not be set, and RNGD should read zero */ 154 rng_writeb(RNGCS, 0); 155 g_assert_cmphex(rng_readb(RNGCS), ==, 0); 156 g_assert_cmphex(rng_readb(RNGD), ==, 0); 157 } 158 159 /* 160 * Verifies that the RNG only produces data when RNGMODE is set to 'normal' 161 * ring oscillator mode. 162 */ 163 static void test_rosel(void) 164 { 165 rng_reset_enable(); 166 g_assert_true(rng_wait_ready()); 167 rng_writeb(RNGMODE, 0); 168 g_assert_false(rng_wait_ready()); 169 rng_writeb(RNGMODE, ROSEL_NORMAL); 170 g_assert_true(rng_wait_ready()); 171 rng_writeb(RNGMODE, 0); 172 g_assert_false(rng_wait_ready()); 173 } 174 175 /* 176 * Verifies that a continuous sequence of bits collected after enabling the RNG 177 * satisfies a monobit test. 178 */ 179 static void test_continuous_monobit(void) 180 { 181 uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE]; 182 unsigned int i; 183 184 rng_reset_enable(); 185 for (i = 0; i < sizeof(buf); i++) { 186 g_assert_true(rng_wait_ready()); 187 buf[i] = rng_readb(RNGD); 188 } 189 190 g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01); 191 } 192 193 /* 194 * Verifies that a continuous sequence of bits collected after enabling the RNG 195 * satisfies a runs test. 196 */ 197 static void test_continuous_runs(void) 198 { 199 union { 200 unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG]; 201 uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE]; 202 } buf; 203 unsigned int i; 204 205 rng_reset_enable(); 206 for (i = 0; i < sizeof(buf); i++) { 207 g_assert_true(rng_wait_ready()); 208 buf.c[i] = rng_readb(RNGD); 209 } 210 211 g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01); 212 } 213 214 /* 215 * Verifies that the first data byte collected after enabling the RNG satisfies 216 * a monobit test. 217 */ 218 static void test_first_byte_monobit(void) 219 { 220 /* Enable, collect one byte, disable. Repeat until we have 100 bits. */ 221 uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE]; 222 unsigned int i; 223 224 rng_reset(); 225 for (i = 0; i < sizeof(buf); i++) { 226 rng_writeb(RNGCS, RNGE); 227 g_assert_true(rng_wait_ready()); 228 buf[i] = rng_readb(RNGD); 229 rng_writeb(RNGCS, 0); 230 } 231 232 g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01); 233 } 234 235 /* 236 * Verifies that the first data byte collected after enabling the RNG satisfies 237 * a runs test. 238 */ 239 static void test_first_byte_runs(void) 240 { 241 /* Enable, collect one byte, disable. Repeat until we have 100 bits. */ 242 union { 243 unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG]; 244 uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE]; 245 } buf; 246 unsigned int i; 247 248 rng_reset(); 249 for (i = 0; i < sizeof(buf); i++) { 250 rng_writeb(RNGCS, RNGE); 251 g_assert_true(rng_wait_ready()); 252 buf.c[i] = rng_readb(RNGD); 253 rng_writeb(RNGCS, 0); 254 } 255 256 g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01); 257 } 258 259 int main(int argc, char **argv) 260 { 261 int ret; 262 263 g_test_init(&argc, &argv, NULL); 264 g_test_set_nonfatal_assertions(); 265 266 qtest_add_func("npcm7xx_rng/enable_disable", test_enable_disable); 267 qtest_add_func("npcm7xx_rng/rosel", test_rosel); 268 /* 269 * These tests fail intermittently; only run them on explicit 270 * request until we figure out why. 271 */ 272 if (getenv("QEMU_TEST_FLAKY_RNG_TESTS")) { 273 qtest_add_func("npcm7xx_rng/continuous/monobit", test_continuous_monobit); 274 qtest_add_func("npcm7xx_rng/continuous/runs", test_continuous_runs); 275 qtest_add_func("npcm7xx_rng/first_byte/monobit", test_first_byte_monobit); 276 qtest_add_func("npcm7xx_rng/first_byte/runs", test_first_byte_runs); 277 } 278 279 qtest_start("-machine npcm750-evb"); 280 ret = g_test_run(); 281 qtest_end(); 282 283 return ret; 284 } 285