OP-TEE RNG Oddity

Macdog
Associate III

Hello,

Sorry for the long post; this needs some context.

I've been configuring and testing OP-TEE from the following guide:

https://wiki.st.com/stm32mpu/wiki/How_to_configure_OP-TEE

I'm using the STMicro fork of optee_os (tag 3.16.0-stm32mp-r2), and the OP-TEE client, test, and examples from v3.16 from the OPTEE and linaro github repos. The full xtest passes.

Eventually I'll need more than 16 random bytes, so I changed the optee_example_random to generate more random bytes. Now for the oddity. When generating longer runs of random bytes, there is almost always a string of all zeros towards the beginning. Here is the output of the linaro version (generates 16 bytes):

# seq 8 | xargs -I -- /usr/bin/optee_example_random
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 16 bytes.
TA generated UUID value = 0xbbe9fda061c8fd5b43632e5126fd12
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 16 bytes.
TA generated UUID value = 0x2f448cb95069476141daed86052c461
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 16 bytes.
TA generated UUID value = 0xa3ac3a8719da5ce58e6dad29a8e9fbe9
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 16 bytes.
TA generated UUID value = 0x7f437f3de098e599ffc6b60d4661f8d
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 16 bytes.
TA generated UUID value = 0x478d186c583d6c7ca3f9fd5ae7c9e77
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 16 bytes.
TA generated UUID value = 0xb218164e80c0925df79fe849e56fe31
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 16 bytes.
TA generated UUID value = 0x4f66ec9bafcf5c5f24e8ec7434b6a46
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 16 bytes.
TA generated UUID value = 0x526f14533ae4fc5d2d449d2f981f2d1

Now do the same for 32 bytes:

# seq 8 | xargs -I -- /usr/bin/optee_example_random_32
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x159387711116e9d9733c64b8feac1130bd4e9e0be486a12ae618a4624e2a38
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x90883986afa9b4f76551dc63ab16abc3bc64773e56b3a4d34adb4dd5244522
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0xf276ac2ae00cb98418d22a8fc42163fc434b55d182767f90fc6961a218b3f
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x719c81a638568e76bd3165dc8fd2137dbc1241b91d1eeabff9a94faa3a35edf
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x88a1b2a8d72cbfeaf7f2f38000019352dac516db4b7c2cf8f2bcd56b1ea
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x6319897f76cfa5c8aa5583c0000137ff3dda91278759ecd4cf5ee98a4ec
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0xbc8e87b43bd238b6d50e552000064acfeb2f517f8d860bdfbdafe5fe917
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x52a95fa8396174f6a733c4630000e2f8dc616b80f5fdd3848d42ad5facc1
# seq 16 | xargs -I -- /usr/bin/optee_example_random_32
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x53978d94ccb126b4666d296387ba9252edde887ad68dc2d457403c8dd5803794
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x3ad2282c48e27329c8cc976e8615e40dd2dfcf1a95f74df488d3fa1afe317
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0xe1844678e88289ec46fbdbaf3f9d461963ac2415ba9d9c6e99967dfd5399cf5e
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x7c26ed542a0e87734ac4001c9f61732a54927a1bc42a374777f22739ec2e
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0xcfaaf5ebf8339c765ee7810000c265925b9067eac97efc1c183cdf94dc
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x82cae935ab11f2f353682b510000eebf7f9f246cd684f37f779618b328ad
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x75bb54797bd5d497dad9f7e3000036bff4fb8f13e282677417d9aeea8afb
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x57b858eef04572f43ca8ab490000ea1f24575c3ccdfae9c36cb7ed8718a
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0xc4eb12bdee3985b9351227e20000d1c73576b2469f86884198e99f8b544b
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0xe6f1e4c398d6249979f75ab00000c672f08f50cb285e3a254e4159e5119
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x4d9ade2927b8d77fadbff140000c94398b358def624c6452a405d50e486
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x7c3fe2ee212689fdb21916000037133c9b734ab78c57dcc15d68328118
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x70123222fd6758112c6131a00000e0a78ac96b22db984d9614ba6a482f1
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0x43aec366a35733b4db7fe5a0000c374253e74a358999a5d3b8d9e7a9dc
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0xd9f02f457cfc3b5147974ab0000cb37cb408a3025aec9499e9d692a38a
Invoking TA to generate random UUID...
D/TA:  random_number_generate:74 has been called
I/TA: Generating random data over 32 bytes.
TA generated UUID value = 0xd8ae825765bf61531efe74400000cea8baa8ac9f4cf491f926318f3793
#

See the zeros in most of the outputs? They look suspicious to me. Has anyone tested the ST OP-TEE RNG implementation against the NIST SP800-90b test suite?

Any questions, answers, or comments most welcome!

-Mark Carlin
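
Added example, not part of the original post and not code from ST or the OP-TEE project: one way to flag runs like the ones above automatically is a repetition count test in the style of NIST SP 800-90B section 4.4.1, combined with zero-padded hex output so every byte stays two digits wide. The `sample` bytes are constructed, and the function names and the 8-bits-per-byte entropy claim are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not device output): four zero bytes at offset 12. */
static const uint8_t sample[32] = {
    0x0b, 0xe9, 0xfd, 0xa0, 0x61, 0xc8, 0xfd, 0x5b,
    0x43, 0x63, 0x2e, 0x51, 0x00, 0x00, 0x00, 0x00,
    0x19, 0x35, 0x2d, 0xac, 0x51, 0x6d, 0xb4, 0xb7,
    0xc2, 0xcf, 0x8f, 0x2b, 0xcd, 0x56, 0xb1, 0xea };

/* SP 800-90B 4.4.1 cutoff C = 1 + ceil(-log2(alpha) / H), alpha = 2^-20.
 * h_bits is the assumed min-entropy per byte; 0 is invalid and returns 0. */
static unsigned rct_cutoff(unsigned h_bits)
{
    return h_bits ? 1 + (20 + h_bits - 1) / h_bits : 0;
}

/* Length of the longest run of identical bytes; *start gets its offset. */
static size_t longest_run(const uint8_t *buf, size_t len, size_t *start)
{
    size_t best = 0, run = 0, i;

    for (i = 0; i < len; i++) {
        run = (i > 0 && buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run > best) { best = run; *start = i + 1 - run; }
    }
    return best;
}

/* 1 if no run reaches the cutoff, 0 if the repetition count test fails. */
static int rct_pass(const uint8_t *buf, size_t len, unsigned h_bits)
{
    size_t start = 0;
    return longest_run(buf, len, &start) < rct_cutoff(h_bits);
}

/* Two hex digits per byte so zero bytes stay visible; out holds 2*len+1. */
static void to_hex(const uint8_t *buf, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++)
        sprintf(out + 2 * i, "%02x", buf[i]);
}

int main(void)
{
    char hex[65];
    to_hex(sample, sizeof(sample), hex);
    printf("%s rct=%d\n", hex, rct_pass(sample, sizeof(sample), 8));
    return 0;
}
```

With a claim of 8 bits per byte the cutoff is 4, so a single run of four identical bytes in a 32-byte buffer is already a failure.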

14 REPLIES

@Erwan SZYMANSKI​ ,

Thanks for your quick response on this issue. I applied the patch and the suspicious runs of zeros are gone. I also tested generating 4k random bytes per TA call and it all looks good to me. Before closing this out, I do have a few more questions, or we can move it to a new topic if you prefer. These questions are concerning AN4230 ("STM32 microcontroller random number generation validation using the NIST statistical test suite")

  1. AN4230 documents the required RNG hardware configuration for running the NIST SP800-90b test suite. But there is no RNG configuration listed for the STM32MP1 series. Has ST tested STM32MP1 series?
  2. The AN4230 listed RNG hardware configurations for NIST testing correspond to an RNG clock of 48 MHz. The STM32MP157C-DK2 RNG clock is configured to 4 MHz (according to CubeMX). Should we change that to 48 MHz to ensure NIST SP800-90b compliance?
  3. Does ST have any plans to verify the STM32MP1 series OP-TEE secure random service with the NIST SP800-90b test suite?

Thanks, and best regards,

Mark

Hello @Community member​ ,

Please see below the answers provided by RNG experts:

1) STM32MP15x family of product embeds an older generation of RNG peripheral that is not certifiable NIST SP800-90B → I will check if AN4230 should be fixed (see below)

Alternative is to use the AIS-31 test suite to evaluate the entropy of the peripheral.

2) Reference manual mentions: RNG clock rng_clk = 48 MHz (CED bit = ‘0’ in RNG_CR register) and rng_clk = 400 kHz (CED bit = ‘1’ in RNG_CR register).

STM32MP157 reference manual does not talk about NIST SP800-90B compliance.

Rule of thumb for the IP is: the lower the RNG clock, the better the entropy. So 4 MHz is better than 48 MHz from an entropy point of view.

3) I will check with my experts if using SP800-90b test suite makes sense for a non-certifiable random source (I have no idea)

I hope that it can answer your questions.

Kind regards,

Erwan.

Macdog
Associate III

Hi @PatrickF​  and @Erwan SZYMANSKI​ ,

Thank you both for all the assistance. I have conflicting information from you concerning the STM32MP15x hardware RNG compliance and NIST testing.

@PatrickF​  - quote from above

"The RNG HW is fully compliant and tested with NIST requirements.

We will check if we have a regression inside OP-TEE SW implementation."

@Erwan SZYMANSKI​ - quote from above

"STM32MP15x family of product embeds an older generation of RNG peripheral that is not certifiable NIST SP800-90B → I will check if AN4230 should be fixed (see below)

Alternative is to use the AIS-31 test suite to evaluate the entropy of the peripheral."

Do you have any test data beyond AN4230 for the STM32MP15x RNG with NIST requirements? Any regression testing using the OP-TEE random service?

Are there plans to update AN4230 to indicate which NIST test suite (if any) the STM32MP15x hardware RNG device meets compliance requirements? We are preparing to enter into FIPS 140-3 certification and would like to use the correct information in our docs package.

Thanks and best regards,

Mark

Hello @Community member​ ,

MP15 and MP13 series have different RNGs, and MP13 is suitable for the NIST test suite; that is why there was misinformation between our 2 answers. MP15 is not certifiable NIST SP800-90B.

Concerning the Application Note, our internal team is about to update it with the MPX series.

Kind regards,

Erwan.

Macdog
Associate III

Thank you both @Erwan SZYMANSKI​ and @PatrickF​ for your help regarding this matter. Let's close this out.