Sun Jul 30 11:41:48 2023 UTC ()
Pull up following revision(s) (requested by gutteridge in ticket #256):

	sys/arch/mips/cavium/dev/octeon_rnm.c: revision 1.16 (patch)

octrnm(4): Raise delay on startup.

According to CN50XX-HRM-V0.99E and CN78XX-HM-0.99E:
    The entropy is provided by the jitter of 125 of 128 free-running
    oscillators XORed into a 128-bit LFSR.  The LFSR accumulates entropy
    over 81 cycles, after which it is fed into a SHA-1 engine.
    [...]
    The SHA-1 engine runs once every 81 cycles.
    [...]
    The hardware produces new 64-bit random number every 81 cycles.

The last sentence means that we only need to wait 81 cycles _between_
consecutive SHA-1 outputs (which isn't relevant anyway because we
reconfigure it into raw mode later), but the first two quotes might
mean that we need to wait 81+81 cycles for the _first_ output to be
produced on boot when running the self-test.

Now, in this case, the self-test is run with the LFSR unhooked, by
clearing the RNM_CTL_STATUS[ENT_EN] bit, so that SHA-1 is computed
from a known input -- this is really just paranoia to make sure that
_some_ functions of the device (which is conjured out of thin air at
a fixed virtual address, with no firmware bindings to guide us)
behave as we expect.

And it's not clear if it really does take 81+81 cycles for the first
SHA-1 output to appear when the LFSR isn't feeding into it anyway.

But experimentally, a delay of 81+81 cycles seems to work whereas a
delay of only 81 cycles crashes.
PR kern/57280


(martin)
diff -r1.2.4.2 -r1.2.4.3 src/sys/arch/mips/cavium/dev/octeon_rnm.c


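--- a/src/sys/arch/mips/cavium/dev/octeon_rnm.c
+++ b/src/sys/arch/mips/cavium/dev/octeon_rnm.c
@@ -1,14 +1,14 @@
-/* $NetBSD: octeon_rnm.c,v 1.2.4.2 2020/05/19 17:39:04 martin Exp $ */
+/* $NetBSD: octeon_rnm.c,v 1.2.4.3 2023/07/30 11:41:48 martin Exp $ */
 
 /*
  * Copyright (c) 2007 Internet Initiative Japan, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  * notice, this list of conditions and the following disclaimer in the
  * documentation and/or other materials provided with the distribution.
@@ -89,46 +89,47 @@
  * more than one sample from each RO could be squeezed in there.
  *
  * The hardware exposes only 64 bits of each SHA-1 hash, and the
  * Linux driver uses 32 bits of that -- which, if treated as full
  * entropy, would mean an assessment of 3.9 bits of RO samples to
  * get 1 bit of entropy, whereas we take 256 bits of RO samples to
  * get one bit of entropy, so this seems reasonably conservative.
  *
  * Reference: Cavium Networks OCTEON Plus CN50XX Hardware Reference
  * Manual, CN50XX-HM-0.99E PRELIMINARY, July 2008.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: octeon_rnm.c,v 1.2.4.2 2020/05/19 17:39:04 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: octeon_rnm.c,v 1.2.4.3 2023/07/30 11:41:48 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/device.h>
 #include <sys/kernel.h>
 #include <sys/rndsource.h>
 #include <sys/systm.h>
 
 #include <mips/locore.h>
 #include <mips/cavium/include/iobusvar.h>
 #include <mips/cavium/dev/octeon_rnmreg.h>
 #include <mips/cavium/dev/octeon_corereg.h>
 #include <mips/cavium/octeonvar.h>
 
 #include <sys/bus.h>
 
 //#define OCTEON_RNM_DEBUG
 
 #define ENT_DELAY_CLOCK 8 /* cycles for each 64-bit RO sample batch */
-#define RNG_DELAY_CLOCK 81 /* cycles for each SHA-1 output */
+#define LFSR_DELAY_CLOCK 81 /* cycles to fill LFSR buffer */
+#define SHA1_DELAY_CLOCK 81 /* cycles to compute SHA-1 output */
 #define NROGROUPS 16
 #define RNG_FIFO_WORDS (512/sizeof(uint64_t))
 
 struct octeon_rnm_softc {
  bus_space_tag_t sc_bust;
  bus_space_handle_t sc_regh;
  kmutex_t sc_lock;
  krndsource_t sc_rndsrc; /* /dev/random source */
  unsigned sc_rogroup;
 };
 
 static int octeon_rnm_match(device_t, struct cfdata *, void *);
 static void octeon_rnm_attach(device_t, device_t, void *);
@@ -185,27 +186,27 @@ octeon_rnm_attach(device_t parent, devic
  /* Create a mutex to serialize access to the FIFO. */
  mutex_init(&sc->sc_lock, MUTEX_DEFAULT, IPL_VM);
 
  /*
  * Reset the core, enable the RNG engine without entropy, wait
  * 81 cycles for it to produce a single sample, and draw the
  * deterministic sample to test.
  *
  * XXX Verify that the output matches the SHA-1 computation
  * described by the data sheet, not just a known answer.
  */
  octeon_rnm_reset(sc);
  octeon_rnm_conditioned_deterministic(sc);
- octeon_rnm_delay(RNG_DELAY_CLOCK*1);
+ octeon_rnm_delay(LFSR_DELAY_CLOCK + SHA1_DELAY_CLOCK);
  sample = octeon_rnm_load(sc);
  if (sample != expected)
  aprint_error_dev(self, "self-test: read %016"PRIx64","
  " expected %016"PRIx64, sample, expected);
 
  /*
  * Reset the core again to clear the FIFO, and enable the RNG
  * engine with entropy exposed directly. Start from the first
  * group of ring oscillators; as we gather samples we will
  * rotate through the rest of them.
  */
  octeon_rnm_reset(sc);
  sc->sc_rogroup = 0;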
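Review bot: The block comment above the self-test in octeon_rnm_attach still says to "wait 81 cycles for it to produce a single sample", but the new call waits `LFSR_DELAY_CLOCK + SHA1_DELAY_CLOCK`, i.e. 162 cycles, so the comment now contradicts the code. I would reword that sentence to `wait 81 cycles for the LFSR plus 81 cycles for SHA-1 to produce a single sample (81 alone was observed to crash, PR kern/57280)`, so the empirically chosen margin is recorded next to the delay instead of only in the commit log. Separately, a mismatch in the known-answer test is only reported through `aprint_error_dev`, and the visible code then goes on to reset and reconfigure the device. The rest of the attach function lies outside this hunk, so it is worth confirming whether a failed self-test should stop the source from being credited with entropy.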