[NRF52840]: TRNG support

[nvlsianpu]

Description

TRNG hal support for nRF52840 using nordic's TRNG peripheral.

[0xc0170]

codestyle nit ,

if (condition) {

}

[0xc0170]

How was this tested ? share test results pls if possible

[bridadan]

/morph test

[mbed-bot]

Result: SUCCESS

Your command has finished executing! Here's what you wrote!

/morph test

Output

mbed Build Number: 1791

All builds and test passed!

[nvlsianpu]

@0xc0170 Output from mbed TLS Authenticated Encryption example:
plaintext message: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400
ciphertext: 35f5665e10490f8d2c0f876a19dd521a7e40002ed8082cb05c755990e04354fd705ad86246f37b8dfcb5b64a99cba6576dcd724717279a98ac518d
decrypted: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400

DONE

plaintext message: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400
ciphertext: 2b6a4fff10260a627969b2c5de906c296f6e61661f15eb1690b89b77df3d1c1147805894f16686ed4370f5c12ecf93d34b75d5602e8176bdff2650
decrypted: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400

DONE

[yanesca]

It is not necessary to return length bytes, it is perfectly fine to return with less. The length input variable only indicate the length of the output buffer.

[nvlsianpu]

I disagree. There is the indirect limit for the time of providing all of requested bytes for entropy module in mbedtls -> entropy.c, entropy.h. Nordic TRNG module is too slow and therefore it return 0 bytes to many times (this will get worse if nordic BLE stack is runing) for this condition.

[yanesca]

Sorry, I am not sure if I understand. I am just saying that if this function returns with some nonzero but less than length bytes, then it might be enough, mbed TLS won't poll until it gets length bytes of random data. The amount of bytes it needs is usually less.

[nvlsianpu]

It was my more generic remark for mbed-os/mbedtls entropy implementation. The code in this PR didn't present this case.

[0xc0170]

@yanesca Pleas review again

[0xc0170]

/morph test

[kl-cruz]

NULL value passed in config pointer causes that rng peripheral will be configured without bias correction. Maybe we should consider to enable it to be sure about statistically uniform distribution of the random values? Of course enabling this function causes slow down generation of random numbers.

[nvlsianpu]

Nice hint. Discussed out-of -band with @kl-cruz . We will keep this as is for this PR.

[mbed-bot]

Result: SUCCESS

Your command has finished executing! Here's what you wrote!

/morph test

Output

mbed Build Number: 1835

All builds and test passed!

[0xc0170]

@yanesca Pleas review again

Happy with the changes?

[0xc0170]

@yanesca @RonEld bump

[sg-]

@nvlsianpu Can you resolve the conflict?

[nvlsianpu]

I rebased it onto mbed-os-workshop-17q2.

[RonEld]

I added one small comment to verify with experts.
Assuming nrf_drv_rng_rand results in enough entropy, I approve this, but I would like @yanesca to review as well

[RonEld]

If I understand correct, this means gathering total one byte. This is not enough entropy.
the mbedtls_entropy_func will try to gather more later, so I am less worried about the threshold ( on expense of performance), I am more concerned about whether collecting one byte every time will result in enough entropy, considering that there is a trng_init and trng_free between every collection. Please verify with your experts

[nvlsianpu]

@RonEld
I consulted this doubt. There ain't obstacles to using Nordic TRNG According to mentioned algorithm:

The RNG module produces 1 byte of random data per event. It is not correlated with previous data, so the entropy is not affected by the number of bytes gathered. However, it will obviously take more time to gather more bytes.

[RonEld]

ok, thanks

[theotherjimmy]

bump @RonEld Are you happy with this now?

[RonEld]

@theotherjimmy I have already approved this from my side. I only wanted my question answered, for verification, and I am happy with the answer. Keep in mind that I am not the mbed TLS gate keeper though

[andresag01]

The TRNG implementation seems to be OK. I have the following questions:

• What are the requirements of this implementation regarding thread safety?
• What is the amount of entropy returned?
• If we want to actually initialise the device in the trng_init() function, I think we need to add a return code to that function as it is currently not easy to check whether the initialisation call was successful or not.

[andresag01]

It would be nice to check the return code for this function. The function does not have a return code though....

[0xc0170]

What are the requirements of this implementation regarding thread safety?

HAL is not thread safe, thus a consumer needs to provide it

[andresag01]

@0xc0170: Thanks for the information, I think that slightly conflicts with the mbed TLS policy.

[0xc0170]

@0xc0170: Thanks for the information, I think that slightly conflicts with the mbed TLS policy.

please verify that. we got mbed wrapper in mbedtls that should take care of it ! If not, we shall fix it

[andresag01]

Well, as it says here:

most functions use an explicit context. Most of the time, as long as this context is not shared between threads, you're safe. However, be aware that sometimes a context can be share indirectly, for example an SSL context can point to an RSA context (our private key).

Also, the mbed TLS wrapper around the TRNG API is here and its usage here is not guarded. However, this is for mbed TLS, I am not sure what the policy is when integrating with mbed OS.

[gilles-peskine-arm]

Looks fine to me

[yanesca]

Looks good to me