jmg
/
blog
1
0
Forkuj 0
Kod Zgłoszenia 0 Oczekujące zmiany 0 Wydania 0 Wiki Aktywność
The blog.
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
90 Commity
1 Gałąź
4.6 MiB
 
 
 
 
Drzewo: 9850ebbe5a
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '9850ebbe5a'
${ noResults }
blog/content/2022/02/nearly-complete-rng-guide.html

300 wiersze
15 KiB
Czysty Wina Historia 

  1. ---

  2. title: Nearly Complete Guide to RNG on a microcontroller

  3. description: >

  4.   How to initialize and run an RNG on an STM32L151CC microcontroller.

  5. created: !!timestamp '2022-02-12'

  6. time: 11:50 AM

  7. tags:

  8.   - security

  9.   - rng

  10.   - microcontroller

  11. ---

  12. 

  13. Security depends upon cryptography and which in turn depends upon a

  14. Random Number Generator (RNG).  An RNG is used for key generation (both

  15. symmetric and asymmetric) and key negotiation (session establishment).

  16. The later is an absolute requirement to ensure that communications can

  17. be secured.  The former (key generation) can be used at first boot for

  18. personalization, but isn't necessary as it could be done when personalizing

  19. the device at programming or first deployment.

  20. 

  21. There are two types of RNGs, the first is a True Random Number Generator

  22. (TRNG).  This is one that takes some non-deterministic process, often

  23. physical, and measures it.  Often, these are slow and are not uniform,

  24. requiring a post processing step before the are useful.

  25. 

  26. The second type is a Pseudo Random Number Generator (PRNG)<label

  27. for="sn-drbg" class="margin-toggle sidenote-number"></label><input

  28. type="checkbox" id="sn-drbg" class="margin-toggle"/><span

  29. class="sidenote">[NIST](https://www.nist.gov/) also refers to a

  30. PRNG as a Deterministic Random Bit Generator (DRBG).</span>.  PRNGs

  31. take a seed, and can generate large, effectively unlimited amounts of

  32. random data, when seeded properly.  The issue is than if someone is able

  33. to obtain the seed, they will be able to predict the subsequent values,

  34. allowing breaking security.

  35. 

  36. The standard practice is to gather data from a TRNG, and use it to seed

  37. a PRNG.  It used to be common that the PRNG should more additional random

  38. data mixed in, but I agree w/ djb (D. J. Bernstein) that once seeded, no

  39. additional seeding is needed<label for="sn-entropy" class="margin-toggle

  40. sidenote-number"></label><input type="checkbox" id="sn-entropy"

  41. class="margin-toggle"/><span class="sidenote">See his blog post

  42. [Entropy Attacks!](https://blog.cr.yp.to/20140205-entropy.html)</span>

  43. as modern PRNGs are secure and can generate random data such that their

  44. state will not leak.<label for="sn-prng-secure" class="margin-toggle

  45. sidenote-number"></label><input type="checkbox" id="sn-prng-secure"

  46. class="margin-toggle"/><span class="sidenote">That is, taking it's output,

  47. that neither past nor future output can be predicted.</span>

  48. 

  49. There are lots of libraries and papers that talk about how to solve the

  50. problem for RNGs on a microcontroller that may not have an integrated

  51. [T]RNG block, but I have not been able to find a complete guide for

  52. integrating their work into a project where even a relative beginner

  53. could get it functional.

  54. 

  55. This article was written as I developed the

  56. [lora-irrigation](https://www.funkthat.com/gitea/jmg/lora-irrigation)

  57. project.  This project will be used as an example, and the code reference

  58. is mostly licensed under the 2-clause BSD license, and so is freely

  59. usable for your own projects.

  60. 

  61. 

  62. Sources of Randomness

  63. ---------------------

  64. 

  65. As mentioned, most microcontrollers do not have a dedicated hardware

  66. block like modern AMD64 (aka x86-64) processors do w/ the RDRAND

  67. instruction.  Though they do not, there are other sources that are

  68. available.

  69. 

  70. The first, and easiest one is the Analog Digital Converter (ADC).  Even

  71. if the ADC pin is tied to ground, the process of digital conversion is

  72. not 100% deterministic as there are errors in the converter or noise

  73. introduced on the pin.<label for="sn-adcnoise"

  74. class="margin-toggle sidenote-number"></label><input type="checkbox"

  75. id="sn-adcnoise" class="margin-toggle"/><span class="sidenote">The article

  76. [ADC Input Noise: The Good, The Bad, and The Ugly. Is No Noise Good

  77. Noise?](https://www.analog.com/en/analog-dialogue/articles/adc-input-noise.html)

  78. talks about this.</span>

  79. 

  80. The data sheet for the microcontroller will help determine the expected

  81. randomness from the part.  In the case of the

  82. [STM32L151CC](https://www.st.com/content/st_com/en/products/microcontrollers-microprocessors/stm32-32-bit-arm-cortex-mcus/stm32-ultra-low-power-mcus/stm32l1-series/stm32l151-152/stm32l151cc.html)

  83. that I'm using, Table 57 of the data sheet lists the Effective number

  84. of bits (ENOB) as typically 10 bits, which is a couple bits short of

  85. the 12 bit resolution of the ADC.  This means that the 2 least

  86. significant bits are likely to have some noise in them.  I did a run,

  87. and collected 114200 samples from the ADC.  The [Shannon

  88. entropy](https://en.wikipedia.org/wiki/R%C3%A9nyi_entropy#Shannon_entropy)

  89. calculated using the empirical probabilities was 2.48.<label

  90. for="sn-shannonenropy" class="margin-toggle sidenote-number"></label>

  91. <input type="checkbox" id="sn-shannonenropy" class="margin-toggle"/>

  92. <span class="sidenote">Now this is not strictly Shannon entropy, as the

  93. values were calculated from the experiment, and Shannon entropy should

  94. be calculated from the a priori probabilities.</span>  Discarding the

  95. 0's (which makes up over half the results) improves the entropy

  96. calculation to 3.29.  The

  97. [min-entropy](https://en.wikipedia.org/wiki/R%C3%A9nyi_entropy#Min-entropy)<label for="sn-min-entropy-fwdref" class="margin-toggle sidenote-number"></label>,

  98. <input type="checkbox" id="sn-min-entropy-fwdref" class="margin-toggle"/>

  99. <span class="sidenote">Forward reference:

  100. <a href="#min-entropy-awk">min-entropy awk script</a></span>

  101. a better indicator of entropy, calculation is 1.2 bits, and if all the

  102. 0's are dropped, it improves to 2.943.  This does help, but in the end,

  103. subtracting the data sheet's ENOB from the ADC resolution does result

  104. in an approximate estimate of entropy.

  105. 

  106. It is possibly that a correlation analysis between samples could

  107. further reduce the entropy gathers via the ADC, but with sufficient

  108. collection, this should be able to be avoided.

  109. 

  110. The second is using uninitialized SRAM.  It turns out that this has

  111. been studied in [Software Only, Extremely Compact, Keccak-based Secure

  112. PRNG on ARM Cortex-M](https://dl.acm.org/doi/10.1145/2593069.2593218)

  113. and [Secure PRNG Seeding on Commercial Off-the-Shelf

  114. Microcontrollers](https://www.intrinsic-id.com/wp-content/uploads/2017/05/prng_seeding.pdf).

  115. Depending upon how the SRAM is designed in the chip, it can create a

  116. situation where each bit of SRAM will be indeterminate at boot up.

  117. Both of these papers studied a similar microcontroller, an

  118. STM32F100R8 to the one I am using, a STM32L151CC.

  119. 

  120. I ran my own experiments where I powered on an STM3L151CC and dumped

  121. the SRAM 8 times and analyzed the results.  I limited my analysis to

  122. 26863 bytes the 32 KiBytes of ram (remaining was data/bss or stack, so

  123. would not change, or was zeros). I then calculated the min-entropy for

  124. each bit across power cycles and the resulting sum was 11188, or

  125. approximately .416 bits per byte.  This is 5.2% and in line with what

  126. the later paper observed for a similar device.

  127. 

  128. Part of using a source of randomness is making sure that it is usable.

  129. In the case of the ADC, each reading can be evaluated against previous

  130. reads to ensure that the data being obtained is possibly random.  In

  131. the case of SRAM, this is more tricky, as the state of SRAM is static,

  132. and short of a reset, will not change.  This means that to use SRAM,

  133. proper analysis of the device, or family of devices, need to be evaluated

  134. for suitability.  There are cases where a device's SRAM does not provide

  135. adequate entropy, as discussed in the papers, and so this method should

  136. not be used in those cases, or not solely relied upon.

  137. 

  138. The following is an `awk` script for calculating the min-entropy of the

  139. provided data.  Each sample must be the first item on a line, and each

  140. sample must be a hexadecimal value w/o any leading `0x` or other leading

  141. identifier:

  142. <pre id="min-entropy-awk" class="language-awk fullwidth"><code># Copyright 2021 John-Mark Gurney

  143. # This script is licensed under the 2-clause BSD license

  144. 

  145. function max(a, b)

  146. {

  147.         if (a > b)

  148.                 return a;

  149.         else

  150.                 return b;

  151. }

  152. 

  153. {

  154.         v = ("0x" $1) + 0; a[NR] = v;

  155.         maxv = max(maxv, v);

  156. }

  157. 

  158. END {

  159.         tcnt = length(a);

  160.         me = 0;

  161.         for (bit = 0; 2^bit <= maxv; bit += 1) {

  162.                 cnt0 = 0;

  163.                 cnt1 = 0;

  164.                 for (i in a) {

  165.                         tbit = int((a[i] / 2 ^ bit) % 2);

  166.                         if (tbit)

  167.                                 cnt1 += 1;

  168.                         else

  169.                                 cnt0 += 1;

  170.                 }

  171.                 v = -log(max(cnt0, cnt1) / tcnt) / log(2);

  172.                 print "bit " bit ":\t" v;

  173.                 me += v;

  174.         }

  175.         printf "total:\t%0.3f\n", me;

  176. }

  177. </code></pre>

  178. 

  179. It is also possible that there are other parts of the board/design

  180. that could be a source of randomness.  The project that started this

  181. journey is using [LoRa](https://en.wikipedia.org/wiki/LoRa) for

  182. communication.  It turns out that the sample code for the radio chip

  183. ([LoRaMac&#x2011;node](https://github.com/Lora-net/LoRaMac-node)) implements

  184. a [random interface](https://github.com/Lora-net/LoRaMac-node/blob/7f12997754ad8e38a84daa85f62e7e6c0e5dbe59/src/radio/radio.h#L154-L163).

  185. The function just waits one milisecond, reads the RSSI value, takes

  186. the low bit and repeats this 32 times to return a 32-bit word.  There

  187. are issues with this as I cannot find any description of the expected

  188. randomness in the data sheet, nor in the code.  It also does not do

  189. any conditioning, so just because it returns 32-bits, does not guarantee

  190. 32-bits of usable entropy.  I have briefly looked at the output, and

  191. there does appear to be higher lengths of runs than expected.  Another

  192. issue is that it's collection takes a while, as the fastest is 1 bit

  193. per ms.  So, assuming the need to collect 8 bits for 1 bit of entropy

  194. (pure speculation), that means at minimum 2 seconds to collect the

  195. 2048 bits necessary for 256 bits of entropy.

  196. 

  197. 

  198. Uniquifying

  199. -----------

  200. 

  201. One of the other ways to help ensure that a microcontroller is to

  202. integrate per device values into the PRNG.  This does not guarantee

  203. uniqueness between boots, but it does make it harder to attack if an

  204. attacker is able to control the other sources of randomness.

  205. 

  206. In the case of the STM32L151 chip I am using, there is a unique

  207. device id register.  The device register is programmed at the

  208. factory.  Because it is unknown if this unique id is recorded by the

  209. manufacturer, and possibly traced through the supply chain, and no

  210. guarantees are made to both the uniqueness or privacy, it has limited

  211. use to provide any serious additional randomization.

  212. 

  213. Another method, is to write entropy at provisioning time.  This can be

  214. done in either flash memory or EEPROM, which may have a more granular

  215. write access.

  216. 

  217. 

  218. Using SRAM

  219. ----------

  220. 

  221. The tricky part of using SRAM is figuring out how to access the

  222. uninitialized memory.  Despite having full access to the environment,

  223. modifying the startup code, which is often written in assembly, to do

  224. the harvesting makes an implementation less portable.  Using standard

  225. C, or another high level language, makes this easier, *but* we need to

  226. know where the end of the data and bss segments are.  This is where

  227. looking at the linker script will come in.

  228. 

  229. A linker script is used to allocate and map the program's data to the

  230. correct locations.  This includes allocating memory so that all the

  231. code and data fits in flash, but also allocating ram for variables, and

  232. stack.  Often there will be a symbol provided that marks where the data

  233. and bss sections in ram end, and the heap should begin.  For example,

  234. in [`STM32L151CCUX_FLASH.ld` at lines 185 &

  235. 186](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/commit/91a6fb590b68af1bcd34f776d4a58c89ac581c7d/stm32/l151ccux/STM32L151CCUX_FLASH.ld#L185-L186)

  236. it defines the symbols `end` and `_end`, the later of which is often

  237. used by `sbrk` (or `_sbrk` in my project's case in

  238. libnosys<label for="sn-sbrk-sample" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-sbrk-sample" class="margin-toggle"/>

  239. <span class="sidenote">A sample `_sbrk` is in [utils_syscalls.c](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/commit/91a6fb590b68af1bcd34f776d4a58c89ac581c7d/loramac/src/boards/mcu/saml21/hal/utils/src/utils_syscalls.c#L67-L83),

  240. though this particular implementation is not used by my project.</span>)

  241. to allocate memory for the heap.  Using sbrk is the easiest method to

  242. access uninitalized SRAM, but modifying or adding a symbol can be used

  243. if your microcontroller's framework does not support sbrk.

  244. 

  245. 

  246. Putting it together

  247. -------------------

  248. 

  249. It is accepted that integrating as many difference sournces of entropy

  250. (TRNGs) is best.  This ensures that as long as any single soruce is

  251. good, or each one is not great, but combined they provide enough

  252. entropy (preferably at least 128 bits), that the seeded PRNG will be

  253. secure and unpredictable.

  254. 

  255. As some sources are only available at first boot, e.g. SRAM, it is

  256. best to save a fork of the PRNG to stable storage.  In my

  257. implementation, I decided to use EEPROM for this.  I added an

  258. additional EEPROM section in the linker script, and then added a symbol

  259. [rng_save](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/branch/main/strobe_rng_init.c#L39)

  260. that is put in this section.  This should be 256-bits (32-bytes) as

  261. the savings of smaller does not make sense, and any proper PRNG when

  262. seeded with 256-bits will provide enough randomness.  Writing to EEPROM

  263. does require a little more work to have the code save to this region,

  264. rather than RAM, but the STM32 HAL layer has functions that make this

  265. easy.

  266. 

  267. It would be great if the PRNG seed could be stored in read-once,

  268. write-once memory to ensure that it can be read, mixed in with any

  269. additional entropy, and then written out, but I do not know of any

  270. microcontroller that supports this feature.

  271. 

  272. Part of this is is to ensure that the the state between the saved

  273. seed, and the PRNG state used for this boot is disjoint, and that if

  274. either seed is compromised, neither can be backtracked to obtain the

  275. other.  In the case of [strobe](https://strobe.sourceforge.io/papers/strobe-latest.pdf),

  276. the function [strobe_randomize](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/branch/main/strobe/strobe.c#L319-L331)

  277. does a RATCHET operation at the end, which ensure the state cannot be rolled

  278. back to figure out what was generated, and as the generated bytes does

  279. not contain the entire state of the PRNG, it cannot be used to

  280. reconstruct the future seed.

  281. 

  282. Another advantage of using EEPROM is the ability to provide an initial

  283. set of entropy bytes at firmware flashing time.  I did attempt to add

  284. this, but OpenOCD, which I use for programming the Node151 device,

  285. does not support programming EEPROM, so in my case, this was not

  286. possible<label for="sn-eeprom-flash" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-eeprom-flash" class="margin-toggle"/><span class="sidenote">Despite not using it, the infrastructure to generate perso entropy is still present in the [Makefile](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/branch/main/Makefile#L152-L157).</span>.

  287. I could have added an additional source data file to the flash, but

  288. figured that the other sources of entropy were adequate enough for my

  289. project.

  290. 

  291. 

  292. {#

  293. Conclusion

  294. ----------

  295. 

  296. Modern microcontrollers do have a number of sources of entropy that can

  297. be used.  With a little bit of work, a PRNG seed can be saved between

  298. resets, allowing for more secure operation, and even preloading of

  299. entropy. #}