/* * QTest testcase for the Nuvoton NPCM7xx Random Number Generator * * Copyright 2020 Google LLC * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ #include "qemu/osdep.h" #include #include "libqtest-single.h" #include "qemu/bitops.h" #include "qemu/cutils.h" #define RNG_BASE_ADDR 0xf000b000 /* Control and Status Register */ #define RNGCS 0x00 # define DVALID BIT(1) /* Data Valid */ # define RNGE BIT(0) /* RNG Enable */ /* Data Register */ #define RNGD 0x04 /* Mode Register */ #define RNGMODE 0x08 # define ROSEL_NORMAL (2) /* RNG only works in this mode */ /* Number of bits to collect for randomness tests. */ #define TEST_INPUT_BITS (128) static void dump_buf_if_failed(const uint8_t *buf, size_t size) { if (g_test_failed()) { qemu_hexdump(stderr, "", buf, size); } } static void rng_writeb(unsigned int offset, uint8_t value) { writeb(RNG_BASE_ADDR + offset, value); } static uint8_t rng_readb(unsigned int offset) { return readb(RNG_BASE_ADDR + offset); } /* Disable RNG and set normal ring oscillator mode. */ static void rng_reset(void) { rng_writeb(RNGCS, 0); rng_writeb(RNGMODE, ROSEL_NORMAL); } /* Reset RNG and then enable it. */ static void rng_reset_enable(void) { rng_reset(); rng_writeb(RNGCS, RNGE); } /* Wait until Data Valid bit is set. */ static bool rng_wait_ready(void) { /* qemu_guest_getrandom may fail. Assume it won't fail 10 times in a row. */ int retries = 10; while (retries-- > 0) { if (rng_readb(RNGCS) & DVALID) { return true; } } return false; } /* * Perform a frequency (monobit) test, as defined by NIST SP 800-22, on the * sequence in buf and return the P-value. This represents the probability of a * truly random sequence having the same proportion of zeros and ones as the * sequence in buf. * * An RNG which always returns 0x00 or 0xff, or has some bits stuck at 0 or 1, * will fail this test. However, an RNG which always returns 0x55, 0xf0 or some * other value with an equal number of zeroes and ones will pass. */ static double calc_monobit_p(const uint8_t *buf, unsigned int len) { unsigned int i; double s_obs; int sn = 0; for (i = 0; i < len; i++) { /* * Each 1 counts as 1, each 0 counts as -1. * s = cp - (8 - cp) = 2 * cp - 8 */ sn += 2 * ctpop8(buf[i]) - 8; } s_obs = abs(sn) / sqrt(len * BITS_PER_BYTE); return erfc(s_obs / sqrt(2)); } /* * Perform a runs test, as defined by NIST SP 800-22, and return the P-value. * This represents the probability of a truly random sequence having the same * number of runs (i.e. uninterrupted sequences of identical bits) as the * sequence in buf. */ static double calc_runs_p(const unsigned long *buf, unsigned int nr_bits) { unsigned int j; unsigned int k; int nr_ones = 0; int vn_obs = 0; double pi; g_assert(nr_bits % BITS_PER_LONG == 0); for (j = 0; j < nr_bits / BITS_PER_LONG; j++) { nr_ones += __builtin_popcountl(buf[j]); } pi = (double)nr_ones / nr_bits; for (k = 0; k < nr_bits - 1; k++) { vn_obs += (test_bit(k, buf) ^ test_bit(k + 1, buf)); } vn_obs += 1; return erfc(fabs(vn_obs - 2 * nr_bits * pi * (1.0 - pi)) / (2 * sqrt(2 * nr_bits) * pi * (1.0 - pi))); } /* * Verifies that DVALID is clear, and RNGD reads zero, when RNGE is cleared, * and DVALID eventually becomes set when RNGE is set. */ static void test_enable_disable(void) { /* Disable: DVALID should not be set, and RNGD should read zero */ rng_reset(); g_assert_cmphex(rng_readb(RNGCS), ==, 0); g_assert_cmphex(rng_readb(RNGD), ==, 0); /* Enable: DVALID should be set, but we can't make assumptions about RNGD */ rng_writeb(RNGCS, RNGE); g_assert_true(rng_wait_ready()); g_assert_cmphex(rng_readb(RNGCS), ==, DVALID | RNGE); /* Disable: DVALID should not be set, and RNGD should read zero */ rng_writeb(RNGCS, 0); g_assert_cmphex(rng_readb(RNGCS), ==, 0); g_assert_cmphex(rng_readb(RNGD), ==, 0); } /* * Verifies that the RNG only produces data when RNGMODE is set to 'normal' * ring oscillator mode. */ static void test_rosel(void) { rng_reset_enable(); g_assert_true(rng_wait_ready()); rng_writeb(RNGMODE, 0); g_assert_false(rng_wait_ready()); rng_writeb(RNGMODE, ROSEL_NORMAL); g_assert_true(rng_wait_ready()); rng_writeb(RNGMODE, 0); g_assert_false(rng_wait_ready()); } /* * Verifies that a continuous sequence of bits collected after enabling the RNG * satisfies a monobit test. */ static void test_continuous_monobit(void) { uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE]; unsigned int i; rng_reset_enable(); for (i = 0; i < sizeof(buf); i++) { g_assert_true(rng_wait_ready()); buf[i] = rng_readb(RNGD); } g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01); dump_buf_if_failed(buf, sizeof(buf)); } /* * Verifies that a continuous sequence of bits collected after enabling the RNG * satisfies a runs test. */ static void test_continuous_runs(void) { union { unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG]; uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE]; } buf; unsigned int i; rng_reset_enable(); for (i = 0; i < sizeof(buf); i++) { g_assert_true(rng_wait_ready()); buf.c[i] = rng_readb(RNGD); } g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01); dump_buf_if_failed(buf.c, sizeof(buf)); } /* * Verifies that the first data byte collected after enabling the RNG satisfies * a monobit test. */ static void test_first_byte_monobit(void) { /* Enable, collect one byte, disable. Repeat until we have 100 bits. */ uint8_t buf[TEST_INPUT_BITS / BITS_PER_BYTE]; unsigned int i; rng_reset(); for (i = 0; i < sizeof(buf); i++) { rng_writeb(RNGCS, RNGE); g_assert_true(rng_wait_ready()); buf[i] = rng_readb(RNGD); rng_writeb(RNGCS, 0); } g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01); dump_buf_if_failed(buf, sizeof(buf)); } /* * Verifies that the first data byte collected after enabling the RNG satisfies * a runs test. */ static void test_first_byte_runs(void) { /* Enable, collect one byte, disable. Repeat until we have 100 bits. */ union { unsigned long l[TEST_INPUT_BITS / BITS_PER_LONG]; uint8_t c[TEST_INPUT_BITS / BITS_PER_BYTE]; } buf; unsigned int i; rng_reset(); for (i = 0; i < sizeof(buf); i++) { rng_writeb(RNGCS, RNGE); g_assert_true(rng_wait_ready()); buf.c[i] = rng_readb(RNGD); rng_writeb(RNGCS, 0); } g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01); dump_buf_if_failed(buf.c, sizeof(buf)); } int main(int argc, char **argv) { int ret; g_test_init(&argc, &argv, NULL); g_test_set_nonfatal_assertions(); qtest_add_func("npcm7xx_rng/enable_disable", test_enable_disable); qtest_add_func("npcm7xx_rng/rosel", test_rosel); /* * These tests fail intermittently; only run them on explicit * request until we figure out why. */ if (getenv("QEMU_TEST_FLAKY_RNG_TESTS")) { qtest_add_func("npcm7xx_rng/continuous/monobit", test_continuous_monobit); qtest_add_func("npcm7xx_rng/continuous/runs", test_continuous_runs); qtest_add_func("npcm7xx_rng/first_byte/monobit", test_first_byte_monobit); qtest_add_func("npcm7xx_rng/first_byte/runs", test_first_byte_runs); } qtest_start("-machine npcm750-evb"); ret = g_test_run(); qtest_end(); return ret; }