RZ_A1LU: Fix TRNG function #5970
Conversation
| if (idx == 0) { | ||
| memset(output, 0, length); | ||
| } | ||
| memset(recv_data, 0, sizeof(recv_data)); |
There was a problem hiding this comment.
This might be optimized away by the compiler, please consider using something similar to mbedtls_zeroize.
| @@ -65,13 +65,18 @@ extern "C" int trng_get_bytes_esp32(uint8_t *output, size_t length, size_t *outp | |||
| send_data[0] = 0; | |||
| ret = mI2c.write(ESP32_I2C_ADDR, send_data, 1); | |||
| if (ret == 0) { | |||
| mI2c.read(ESP32_I2C_ADDR, recv_data, sizeof(recv_data)); | |||
| ret = mI2c.read(ESP32_I2C_ADDR, recv_data, sizeof(recv_data)); | |||
There was a problem hiding this comment.
Why are we maintaining an error counter for the write calls, but none for read?
|
@TomoYamanaka @hanno-arm Thank you for being so prompt with this PR! @TomoYamanaka I'm holding off on merging in #5967 for now, and won't merge unless this PR takes too long to get into 5.7.5 (two-ish weeks from now). |
|
@cmonr |
|
@hanno-arm
I changed the way of zeroization of buffer from
|
|
@0xc0170 Could you also request a review from @mazimkhan please? Thanks! |
| ret = mI2c.read(ESP32_I2C_ADDR, recv_data, sizeof(recv_data)); | ||
| if (ret != 0) { | ||
| idx = 0; | ||
| break; |
There was a problem hiding this comment.
No retry in case of read error. How is it different than a write error?
There was a problem hiding this comment.
@mazimkhan There has already been some discussion on this. See above.
| @@ -59,19 +64,24 @@ extern "C" int trng_get_bytes_esp32(uint8_t *output, size_t length, size_t *outp | |||
| char recv_data[4]; | |||
| size_t idx = 0; | |||
| int i; | |||
| int err_cnt = 0; | |||
| int retry_cnt = 0; | |||
|
|
|||
| while (idx < length) { | |||
| send_data[0] = 0; | |||
| ret = mI2c.write(ESP32_I2C_ADDR, send_data, 1); | |||
| output[idx++] = recv_data[i]; | ||
| } | ||
| } else { | ||
| err_cnt++; | ||
| if (err_cnt >= 20) { | ||
| retry_cnt++; |
There was a problem hiding this comment.
Mixing retry logic within this loop is not clean and it does not cover read error (if that is also required to be covered). I suggest having a supervising retry loop with condition for ( retry = 0; retry < 20 && idx < length; retry++ ).
| @@ -80,6 +90,10 @@ extern "C" int trng_get_bytes_esp32(uint8_t *output, size_t length, size_t *outp | |||
| if (output_length != NULL) { | |||
There was a problem hiding this comment.
If output_length is a required out parameter then output_length == NULL is an invalid input. In that case it should be tested in the beginning of the function.
Related to the review of ARMmbed#5857, I fixed the TRNG function for GR-LYCHEE. - I modified to zeroize "recv_data" before the function return. - I added the processing that check the return value of I2C.read function. If return value is error, "output" is zeroized before function return. - In trng_get_bytes_esp32 function, there is a time lag in the period from ESP32 reset to start working, error may occur when "Write" is called. Thus, I added a retry counter due to address this concern. There is not this counter for "Read" since it is called after "Write".
|
@mazimkhan
I modified from
This retry loop is not required to cover read error, I think that read error does not occur usually in this situation. However, just in case, I accepted your suggestion and modified this retry logic.
I added the NULL check process at the beginning of the function. |
|
/morph build |
Build : SUCCESSBuild number : 1071 Triggering tests/morph test |
Exporter Build : SUCCESSBuild number : 749 |
Test : SUCCESSBuild number : 879 |
|
/morph uvisor-test |
3 similar comments
|
/morph uvisor-test |
|
/morph uvisor-test |
|
/morph uvisor-test |
|
Waiting on #6026 to be merged to retest. |
|
/morph uvisor-test |
|
/morph uvisor-test |
Related to the review of #5857, I fixed the TRNG function for GR-LYCHEE.
Related PRs
#5857
Request
@cmonr
Could you revert #5967 when this PR passed?