[crypto] Move entropy_init and check

Move the entropy_complex_init function to the init from the cryptolib to ensure
that the library has a correct state to start.

Create a new entropy_complex_health_test_config_check function which
verifies the health test thresholds and alerts and move that function the otcrypto_eval_exit function such
that now every API call finishes by checking the state of the entropy
source. This allows us to remove the entropy_complex_check calls inside
the impl and drivers functions themselves.
However, this changes one critical aspect:
- The crypto functions now assume that the otcrypto_init is called
  before. Especially the drivers might be called outside of that
assumption in which case it is left to the user to call the setup and
checking of the entropy source themselves.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>

Author: siemen11

sw/device/lib/crypto/drivers/BUILD

@@ -87,7 +87,6 @@ cc_library(
     srcs = ["aes.c"],
     hdrs = ["aes.h"],
     deps = [
-        ":entropy",
         ":rv_core_ibex",
         "//hw/ip/aes/data:aes_c_regs",
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
@@ -115,6 +114,7 @@ opentitan_test(
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
         "//sw/device/lib/base:macros",
         "//sw/device/lib/base:memory",
+        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/impl:status",
         "//sw/device/lib/testing/test_framework:check",
         "//sw/device/lib/testing/test_framework:ottf_alerts",
@@ -129,7 +129,6 @@ cc_library(
         "keymgr.h",
     ],
     deps = [
-        ":entropy",
         ":rv_core_ibex",
         "//hw/ip/keymgr/data:keymgr_c_regs",
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
@@ -154,6 +153,7 @@ opentitan_test(
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
         "//sw/device/lib/base:macros",
         "//sw/device/lib/base:memory",
+        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/impl:status",
         "//sw/device/lib/testing:keymgr_testutils",
         "//sw/device/lib/testing/test_framework:check",
@@ -170,7 +170,6 @@ cc_library(
         "//sw/device/lib/crypto/include:datatypes.h",
     ],
     deps = [
-        ":entropy",
         ":rv_core_ibex",
         "//hw/ip/kmac/data:kmac_c_regs",
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
@@ -198,6 +197,7 @@ opentitan_test(
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
         "//sw/device/lib/base:macros",
         "//sw/device/lib/base:memory",
+        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/impl:integrity",
         "//sw/device/lib/crypto/impl:status",
         "//sw/device/lib/testing/test_framework:check",
@@ -278,7 +278,6 @@ cc_library(
     srcs = ["hmac.c"],
     hdrs = ["hmac.h"],
     deps = [
-        ":entropy",
         "//hw/ip/hmac/data:hmac_c_regs",
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
         "//sw/device/lib/base:abs_mmio",
@@ -308,6 +307,7 @@ opentitan_test(
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
         "//sw/device/lib/base:macros",
         "//sw/device/lib/base:memory",
+        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/impl:integrity",
         "//sw/device/lib/crypto/impl:status",
         "//sw/device/lib/testing/test_framework:check",
@@ -364,7 +364,6 @@ cc_library(
     srcs = ["otbn.c"],
     hdrs = ["otbn.h"],
     deps = [
-        ":entropy",
         "//hw/ip/otbn/data:otbn_c_regs",
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
         "//sw/device/lib/base:abs_mmio",
@@ -390,6 +389,7 @@ opentitan_test(
         "//hw/top_earlgrey/sw/autogen:top_earlgrey",
         "//sw/device/lib/base:macros",
         "//sw/device/lib/base:memory",
+        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/impl:status",
         "//sw/device/lib/testing/test_framework:check",
         "//sw/device/lib/testing/test_framework:ottf_alerts",

sw/device/lib/crypto/drivers/aes.c

@@ -11,7 +11,6 @@
 #include "sw/device/lib/base/hardened_memory.h"
 #include "sw/device/lib/base/macros.h"
 #include "sw/device/lib/base/memory.h"
-#include "sw/device/lib/crypto/drivers/entropy.h"
 #include "sw/device/lib/crypto/drivers/rv_core_ibex.h"
 #include "sw/device/lib/crypto/impl/status.h"
 
@@ -248,10 +247,6 @@ status_t aes_verify_ctrl_aux_reg(void) {
  */
 static status_t aes_begin(aes_key_t key, const aes_block_t *iv,
                           hardened_bool_t encrypt) {
-  // Ensure the entropy complex is in an appropriate state. The AES block seeds
-  // its PRNG from EDN for masking every time a new key is provided.
-  HARDENED_TRY(entropy_complex_check());
-
   // Wait for the AES block to be idle.
   HARDENED_TRY(spin_until(AES_STATUS_IDLE_BIT));
 

sw/device/lib/crypto/drivers/entropy.c

@@ -938,6 +938,37 @@ status_t entropy_complex_check(void) {
   return edn_check(&config->edn1);
 }
 
+OT_WARN_UNUSED_RESULT
+status_t entropy_complex_health_test_config_check(void) {
+  const entropy_src_config_t *entropy_src_config =
+      &kEntropyComplexConfigs[kEntropyComplexConfigIdContinuous].entropy_src;
+
+  uint32_t reg;
+  // Check health test window
+  reg = abs_mmio_read32(kBaseEntropySrc +
+                        ENTROPY_SRC_HEALTH_TEST_WINDOWS_REG_OFFSET);
+  HARDENED_CHECK_EQ(bitfield_field32_read(
+                        reg, ENTROPY_SRC_HEALTH_TEST_WINDOWS_FIPS_WINDOW_FIELD),
+                    entropy_src_config->fips_test_window_size);
+
+  // Check recoverable alerts
+  if (abs_mmio_read32(kBaseEntropySrc +
+                      ENTROPY_SRC_RECOV_ALERT_STS_REG_OFFSET) != 0) {
+    return OTCRYPTO_RECOV_ERR;
+  }
+
+  // Check health test thresholds
+  VERIFY_FIPS_THRESH(REPCNT, entropy_src_config->repcnt_threshold);
+  VERIFY_FIPS_THRESH(REPCNTS, entropy_src_config->repcnts_threshold);
+  VERIFY_FIPS_THRESH(ADAPTP_HI, entropy_src_config->adaptp_hi_threshold);
+  VERIFY_FIPS_THRESH(ADAPTP_LO, entropy_src_config->adaptp_lo_threshold);
+  VERIFY_FIPS_THRESH(BUCKET, entropy_src_config->bucket_threshold);
+  VERIFY_FIPS_THRESH(MARKOV_HI, entropy_src_config->markov_hi_threshold);
+  VERIFY_FIPS_THRESH(MARKOV_LO, entropy_src_config->markov_lo_threshold);
+
+  return OTCRYPTO_OK;
+}
+
 status_t entropy_csrng_instantiate(
     hardened_bool_t disable_trng_input,
     const entropy_seed_material_t *seed_material) {

sw/device/lib/crypto/drivers/entropy.h

@@ -112,6 +112,20 @@ status_t entropy_complex_init(void);
 OT_WARN_UNUSED_RESULT
 status_t entropy_complex_check(void);
 
+/**
+ * Check the entropy complex health test and alert configurations.
+ *
+ * This function checks the entropy src registers to detect tampering.
+ * The multi-bit encoded registers are checked by the HW.
+ *
+ * This function does not return a status error, and will simply assert the chip
+ * is in the correct configuration.
+ *
+ * @return error on failure.
+ */
+OT_WARN_UNUSED_RESULT
+status_t entropy_complex_health_test_config_check(void);
+
 /**
  * Instantiate the SW CSRNG with a new seed value.
  *

sw/device/lib/crypto/drivers/entropy_kat.c

@@ -110,9 +110,6 @@ static status_t check_internal_state(
 }
 
 status_t entropy_csrng_kat(void) {
-  // Check that the complex is initialized.
-  TRY(entropy_complex_check());
-
   TRY(entropy_csrng_uninstantiate());
 
   const entropy_seed_material_t kEntropyInput = {

sw/device/lib/crypto/drivers/hmac.c

@@ -10,7 +10,6 @@
 #include "sw/device/lib/base/hardened.h"
 #include "sw/device/lib/base/hardened_memory.h"
 #include "sw/device/lib/base/memory.h"
-#include "sw/device/lib/crypto/drivers/entropy.h"
 #include "sw/device/lib/crypto/drivers/rv_core_ibex.h"
 #include "sw/device/lib/crypto/impl/status.h"
 #include "sw/device/lib/crypto/include/integrity.h"
@@ -292,9 +291,6 @@ static void context_save(hmac_ctx_t *ctx) {
  * @return Result of the operation.
  */
 static status_t hmac_context_wipe(hmac_ctx_t *ctx) {
-  // Ensure entropy complex is initialized.
-  HARDENED_TRY(entropy_complex_check());
-
   // Randomize sensitive data.
   HARDENED_TRY(hardened_memshred(ctx->key.key_block, kHmacMaxBlockWords));
   HARDENED_TRY(hardened_memshred(ctx->H, kHmacMaxDigestWords));
@@ -439,9 +435,6 @@ static status_t oneshot(const uint32_t cfg, const hmac_key_t *key,
   // Check that the block is idle.
   HARDENED_TRY(ensure_idle());
 
-  // Make sure that the entropy complex is configured correctly.
-  HARDENED_TRY(entropy_complex_check());
-
   // Configure the HMAC block.
   abs_mmio_write32(kHmacBaseAddr + HMAC_CFG_REG_OFFSET, cfg);
 
@@ -774,9 +767,6 @@ hardened_bool_t hmac_key_integrity_checksum_check(const hmac_key_t *key) {
 }
 
 status_t hmac_update(hmac_ctx_t *ctx, const otcrypto_const_byte_buf_t *data) {
-  // Make sure that the entropy complex is configured correctly.
-  HARDENED_TRY(entropy_complex_check());
-
   // If we don't have enough new bytes to fill a block, just update the partial
   // block and return.
   size_t block_bytelen = ctx->msg_block_wordlen * sizeof(uint32_t);
@@ -836,9 +826,6 @@ status_t hmac_update(hmac_ctx_t *ctx, const otcrypto_const_byte_buf_t *data) {
 }
 
 status_t hmac_final(hmac_ctx_t *ctx, otcrypto_word32_buf_t *digest) {
-  // Make sure that the entropy complex is configured correctly.
-  HARDENED_TRY(entropy_complex_check());
-
   // Retore context will restore the context and also hit start or continue
   // button as necessary.
   HARDENED_TRY(context_restore(ctx));

sw/device/lib/crypto/drivers/keymgr.c

@@ -8,7 +8,6 @@
 #include "sw/device/lib/base/bitfield.h"
 #include "sw/device/lib/base/hardened_memory.h"
 #include "sw/device/lib/base/memory.h"
-#include "sw/device/lib/crypto/drivers/entropy.h"
 #include "sw/device/lib/crypto/impl/status.h"
 
 #include "hw/top_earlgrey/sw/autogen/top_earlgrey.h"
@@ -167,8 +166,6 @@ static status_t keymgr_wait_until_done(void) {
 
 status_t keymgr_generate_key_sw(keymgr_diversification_t diversification,
                                 keymgr_output_t *key) {
-  // Ensure that the entropy complex has been initialized and keymgr is idle.
-  HARDENED_TRY(entropy_complex_check());
   HARDENED_TRY(keymgr_is_idle());
 
   // Set the control register to generate a software-visible key.
@@ -197,8 +194,6 @@ status_t keymgr_generate_key_sw(keymgr_diversification_t diversification,
 }
 
 status_t keymgr_generate_key_aes(keymgr_diversification_t diversification) {
-  // Ensure that the entropy complex has been initialized and keymgr is idle.
-  HARDENED_TRY(entropy_complex_check());
   HARDENED_TRY(keymgr_is_idle());
 
   // Set the control register to generate an AES key.
@@ -214,8 +209,6 @@ status_t keymgr_generate_key_aes(keymgr_diversification_t diversification) {
 }
 
 status_t keymgr_generate_key_kmac(keymgr_diversification_t diversification) {
-  // Ensure that the entropy complex has been initialized and keymgr is idle.
-  HARDENED_TRY(entropy_complex_check());
   HARDENED_TRY(keymgr_is_idle());
 
   // Set the control register to generate a KMAC key.
@@ -231,8 +224,6 @@ status_t keymgr_generate_key_kmac(keymgr_diversification_t diversification) {
 
 status_t keymgr_generate_key_otbn(keymgr_diversification_t diversification,
                                   hardened_bool_t attestation) {
-  // Ensure that the entropy complex has been initialized and keymgr is idle.
-  HARDENED_TRY(entropy_complex_check());
   HARDENED_TRY(keymgr_is_idle());
 
   // Set the control register to generate an OTBN key.
@@ -277,8 +268,6 @@ status_t keymgr_generate_key_otbn(keymgr_diversification_t diversification,
  * @param slot Value to write to the SIDELOAD_CLEAR register.
  */
 static status_t keymgr_sideload_clear(uint32_t slot) {
-  // Ensure that the entropy complex has been initialized and keymgr is idle.
-  HARDENED_TRY(entropy_complex_check());
   HARDENED_TRY(keymgr_is_idle());
 
   // Set SIDELOAD_CLEAR to begin continuously clearing the requested slot.

sw/device/lib/crypto/drivers/kmac.c

@@ -8,7 +8,6 @@
 #include "sw/device/lib/base/bitfield.h"
 #include "sw/device/lib/base/hardened_memory.h"
 #include "sw/device/lib/base/memory.h"
-#include "sw/device/lib/crypto/drivers/entropy.h"
 #include "sw/device/lib/crypto/drivers/rv_core_ibex.h"
 #include "sw/device/lib/crypto/impl/status.h"
 #include "sw/device/lib/crypto/include/integrity.h"
@@ -253,9 +252,6 @@ status_t kmac_key_length_check(size_t key_len) {
 }
 
 status_t kmac_hwip_default_configure(void) {
-  // Ensure that the entropy complex is initialized.
-  HARDENED_TRY(entropy_complex_check());
-
   uint32_t status_reg = abs_mmio_read32(kKmacBaseAddr + KMAC_STATUS_REG_OFFSET);
 
   // Check that core is not in fault state
@@ -499,12 +495,6 @@ static status_t kmac_init(kmac_operation_t operation,
                           hardened_bool_t hw_backed) {
   HARDENED_TRY(wait_status_bit(KMAC_STATUS_SHA3_IDLE_BIT, 1));
 
-  // If the operation is KMAC, ensure that the entropy complex has been
-  // initialized for masking.
-  if (operation == kKmacOperationKmac) {
-    HARDENED_TRY(entropy_complex_check());
-  }
-
   // We need to preserve some bits of CFG register, such as:
   // entropy_mode, entropy_ready etc. On the other hand, some bits
   // need to be reset for each invocation.

sw/device/lib/crypto/drivers/mock_entropy.cc

@@ -23,6 +23,8 @@ status_t entropy_complex_init(void) { return OTCRYPTO_OK; }
 
 status_t entropy_complex_check(void) { return OTCRYPTO_OK; }
 
+status_t entropy_complex_health_test_config_check(void) { return OTCRYPTO_OK; }
+
 status_t entropy_csrng_instantiate(
     hardened_bool_t disable_trng_input,
     const entropy_seed_material_t *seed_material) {

sw/device/lib/crypto/impl/BUILD

@@ -39,7 +39,6 @@ cc_library(
         "//sw/device/lib/base:hardened_memory",
         "//sw/device/lib/base:memory",
         "//sw/device/lib/crypto/drivers:aes",
-        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/drivers:rv_core_ibex",
         "//sw/device/lib/crypto/include:datatypes",
     ],
@@ -56,7 +55,6 @@ cc_library(
         "//sw/device/lib/base:hardened_memory",
         "//sw/device/lib/base:memory",
         "//sw/device/lib/crypto/drivers:aes",
-        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/drivers:rv_core_ibex",
         "//sw/device/lib/crypto/impl/aes_gcm",
         "//sw/device/lib/crypto/include:datatypes",
@@ -107,7 +105,6 @@ cc_library(
         ":sha2",
         ":status",
         "//sw/device/lib/base:hardened_memory",
-        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/impl/ecc:curve25519",
         "//sw/device/lib/crypto/include:datatypes",
     ],
@@ -121,7 +118,6 @@ cc_library(
     deps = [
         ":config",
         ":keyblob",
-        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/drivers:hmac",
         "//sw/device/lib/crypto/impl/ecc:p256",
         "//sw/device/lib/crypto/include:datatypes",
@@ -136,7 +132,6 @@ cc_library(
     deps = [
         ":config",
         ":keyblob",
-        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/drivers:hmac",
         "//sw/device/lib/crypto/impl/ecc:p384",
         "//sw/device/lib/crypto/include:datatypes",
@@ -193,7 +188,6 @@ cc_library(
         ":status",
         "//sw/device/lib/base:hardened_memory",
         "//sw/device/lib/base:math",
-        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/drivers:keymgr",
         "//sw/device/lib/crypto/drivers:rv_core_ibex",
         "//sw/device/lib/crypto/include:datatypes",
@@ -274,6 +268,7 @@ cc_library(
     srcs = ["config.c"],
     hdrs = ["//sw/device/lib/crypto/include:config.h"],
     deps = [
+        ":entropy_src",
         ":integrity",
         ":status",
         "//hw/top_earlgrey/ip_autogen/clkmgr:clkmgr_c_regs",
@@ -371,7 +366,6 @@ cc_library(
         ":sha2",
         "//sw/device/lib/base:hardened",
         "//sw/device/lib/base:hardened_memory",
-        "//sw/device/lib/crypto/drivers:entropy",
         "//sw/device/lib/crypto/drivers:hmac",
         "//sw/device/lib/crypto/drivers:rv_core_ibex",
     ],