jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
88 Commits
1 Branch
4.6 MiB
 
 
 
 
Tree: 3a86394d54
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3a86394d54'
${ noResults }
blog/content/2021/05/nearly-complete-rng-guide.html

298 lines
15 KiB
Raw Blame History 

  1. ---

  2. title: Nearly Complete Guide to RNG on a microcontroller

  3. description: >

  4.   How to initialize and run an RNG on an STM32L151CC microcontroller.

  5. created: !!timestamp '2021-05-18'

  6. listable: false

  7. time: 12:00 PM

  8. tags:

  9.   - security

  10.   - rng

  11.   - microcontroller

  12. ---

  13. 

  14. Security depends upon cryptography and which in turn depends upon a

  15. Random Number Generator (RNG).  An RNG is used for key generation (both

  16. symmetric and asymmetric) and key negotiation (session establishment).

  17. The later is an absolute requirement to ensure that communications can

  18. be secured.  The former (key generation) can be used at first boot for

  19. personalization, but isn't necessary as it could be done when personalizing

  20. the device at programming or first deployment.

  21. 

  22. There are two types of RNGs, the first is a True Random Number Generator

  23. (TRNG).  This is one that takes some non-deterministic process, often

  24. physical, and measures it.  Often, these are slow and are not uniform,

  25. requiring a post processing step before the are useful.

  26. 

  27. The second type is a Pseudo Random Number Generator (PRNG)<label

  28. for="sn-drbg" class="margin-toggle sidenote-number"></label><input

  29. type="checkbox" id="sn-drbg" class="margin-toggle"/><span

  30. class="sidenote">[NIST](https://www.nist.gov/) also refers to a

  31. PRNG as a Deterministic Random Bit Generator (DRBG).</span>.  PRNGs

  32. take a seed, and can generate large, effectively unlimited when seeded

  33. properly, amounts of random looking data from them.  The issue is than

  34. if someone is able to obtain the seed, they will be able to predict

  35. the subsequent values, allowing breaking security.

  36. 

  37. The standard practice is to gather data from a TRNG, and use it to seed

  38. a PRNG.  It used to be common that the PRNG would be reseeded, but I

  39. agree w/ djb (D. J. Bernstein) that once seeded, no additional seeding

  40. is needed<label for="sn-entropy" class="margin-toggle sidenote-number"></label>

  41. <input type="checkbox" id="sn-entropy" class="margin-toggle"/>

  42. <span class="sidenote">See his blog post

  43. [Entropy Attacks!](https://blog.cr.yp.to/20140205-entropy.html)</span>

  44. as modern PRNGs are secure enough and can generate enough randomness

  45. that their state will not leak.

  46. 

  47. There are lots of libraries and papers that talk about how to solve the

  48. problem for RNGs on a microcontroller that may not have an integrated

  49. [T]RNG block, but I have not been able to find a complete guide for

  50. integrating their work into a project where even a relative beginner

  51. could get it functional.

  52. 

  53. This article was written as I developed the

  54. [lora-irrigation](https://www.funkthat.com/gitea/jmg/lora-irrigation)

  55. project.  This project will be used as an example, and the code reference

  56. is mostly licensed under the 2-clause BSD license, and so is freely

  57. usable for your own projects.

  58. 

  59. 

  60. Sources of Randomness

  61. ---------------------

  62. 

  63. As mentioned, most microcontrollers do not have a dedicated hardware

  64. block like modern AMD64 (aka x86-64) processors do w/ the RDRAND

  65. instruction.  Though they do not, there are other sources that are

  66. available.

  67. 

  68. The first, and easiest one is the Analog Digital Converter (ADC).  Even

  69. if the ADC pin is tied to ground, the process of digital conversion is

  70. not 100% deterministic as there are errors in the converter or noise

  71. introduced on the pin.<label for="sn-adcnoise"

  72. class="margin-toggle sidenote-number"></label><input type="checkbox"

  73. id="sn-adcnoise" class="margin-toggle"/><span class="sidenote">The article

  74. [ADC Input Noise: The Good, The Bad, and The Ugly. Is No Noise Good

  75. Noise?](https://www.analog.com/en/analog-dialogue/articles/adc-input-noise.html)

  76. talks about this.</span>

  77. 

  78. The data sheet for the microcontroller will help determine the expected

  79. randomness from the part.  In the case of the

  80. [STM32L151CC](https://www.st.com/content/st_com/en/products/microcontrollers-microprocessors/stm32-32-bit-arm-cortex-mcus/stm32-ultra-low-power-mcus/stm32l1-series/stm32l151-152/stm32l151cc.html)

  81. that I'm using, Table 57 of the data sheet lists the Effective number

  82. of bits (ENOB) as typically 10 bits, which is a couple bits short of

  83. the 12 bit resolution of the ADC.  This means that the 2 least

  84. significant bits are likely to have some noise in them.  I did a run,

  85. and collected 114200 samples from the ADC.  The [Shannon

  86. entropy](https://en.wikipedia.org/wiki/R%C3%A9nyi_entropy#Shannon_entropy)

  87. calculated using the empirical probabilities was 2.48.<label

  88. for="sn-shannonenropy" class="margin-toggle sidenote-number"></label>

  89. <input type="checkbox" id="sn-shannonenropy" class="margin-toggle"/>

  90. <span class="sidenote">Now this is not strictly Shannon entropy, as the

  91. values were calculated from the experiment, and Shannon entropy should

  92. be calculated from the a priori probabilities.</span>  Discarding the

  93. 0's (which makes up over half the results) improves the entropy

  94. calculation to 3.29.  The

  95. [min-entropy](https://en.wikipedia.org/wiki/R%C3%A9nyi_entropy#Min-entropy)<label for="sn-min-entropy-fwdref" class="margin-toggle sidenote-number"></label>,

  96. <input type="checkbox" id="sn-min-entropy-fwdref" class="margin-toggle"/>

  97. <span class="sidenote">Forward reference:

  98. <a href="#min-entropy-awk">min-entropy awk script</a></span>

  99. a better indicator of entropy, calculation is 1.2 bits, and if all the

  100. 0's are dropped, it improves to 2.943.  This does help, but in the end,

  101. subtracting the data sheet's ENOB from the ADC resolution does result

  102. in an approximate estimate of entropy.

  103. 

  104. It is possibly that a correlation analysis between samples could

  105. further reduce the entropy gathers via the ADC, but with sufficient

  106. collection, this should be able to be avoided.

  107. 

  108. The second is using uninitialized SRAM.  It turns out that this has

  109. been studied in [Software Only, Extremely Compact, Keccak-based Secure

  110. PRNG on ARM Cortex-M](https://dl.acm.org/doi/10.1145/2593069.2593218)

  111. and [Secure PRNG Seeding on Commercial Off-the-Shelf

  112. Microcontrollers](https://www.intrinsic-id.com/wp-content/uploads/2017/05/prng_seeding.pdf).

  113. Depending upon how the SRAM is designed in the chip, it can create a

  114. situation where each bit of SRAM will be indeterminate at boot up.

  115. Both of these papers studied a similar microcontroller, an

  116. STM32F100R8 to the one I am using, a STM32L151CC.

  117. 

  118. I ran my own experiments where I powered on an STM3L151CC and dumped

  119. the SRAM 8 times and analyzed the results.  I limited my analysis to

  120. 26863 bytes the 32 KiBytes of ram (remaining was data/bss or stack, so

  121. would not change, or was zeros). I then calculated the min-entropy for

  122. each bit across power cycles and the resulting sum was 11188, or

  123. approximately .416 bits per byte.  This is 5.2% and in line with what

  124. the later paper observed for a similar device.

  125. 

  126. Part of using a source of randomness is making sure that it is usable.

  127. In the case of the ADC, each reading can be evaluated against previous

  128. reads to ensure that the data being obtained is possibly random.  In

  129. the case of SRAM, this is more tricky, as the state of SRAM is static,

  130. and short of a reset, will not change.  This means that to use SRAM,

  131. proper analysis of the device, or family of devices, need to be evaluated

  132. for suitability.  There are cases where a device's SRAM does not provide

  133. adequate entropy, as discussed in the papers, and so this method should

  134. not be used in those cases, or not solely relied upon.

  135. 

  136. The following is an `awk` script for calculating the min-entropy of the

  137. provided data.  Each sample must the first item on a line, and each sample

  138. must be a hexadecimal value w/o any leading `0x` or other leading

  139. identifier:

  140. <pre id="min-entropy-awk" class="language-awk fullwidth"><code># Copyright 2021 John-Mark Gurney

  141. # This script is licensed under the 2-clause BSD license

  142. 

  143. function max(a, b)

  144. {

  145.         if (a > b)

  146.                 return a;

  147.         else

  148.                 return b;

  149. }

  150. 

  151. {

  152.         v = ("0x" $1) + 0; a[NR] = v;

  153.         maxv = max(maxv, v);

  154. }

  155. 

  156. END {

  157.         tcnt = length(a);

  158.         me = 0;

  159.         for (bit = 0; 2^bit <= maxv; bit += 1) {

  160.                 cnt0 = 0;

  161.                 cnt1 = 0;

  162.                 for (i in a) {

  163.                         tbit = int((a[i] / 2 ^ bit) % 2);

  164.                         if (tbit)

  165.                                 cnt1 += 1;

  166.                         else

  167.                                 cnt0 += 1;

  168.                 }

  169.                 v = -log(max(cnt0, cnt1) / tcnt) / log(2);

  170.                 print "bit " bit ":\t" v;

  171.                 me += v;

  172.         }

  173.         printf "total:\t%0.3f\n", me;

  174. }

  175. </code></pre>

  176. 

  177. It is also possible that there are other parts of the board/design

  178. that could be a source of randomness.  The project that started this

  179. journey is using [LoRa](https://en.wikipedia.org/wiki/LoRa) for

  180. communication.  It turns out that the sample code for the radio chip

  181. ([LoRaMac&#x2011;node](https://github.com/Lora-net/LoRaMac-node)) implements

  182. a [random interface](https://github.com/Lora-net/LoRaMac-node/blob/7f12997754ad8e38a84daa85f62e7e6c0e5dbe59/src/radio/radio.h#L154-L163).

  183. The function just waits one milisecond, reads the RSSI value, takes

  184. the low bit and repeats this 32 times to return a 32-bit word.  There

  185. are issues with this as I cannot find any description of the expected

  186. randomness in the data sheet, nor in the code.  It also does not do

  187. any conditioning, so just because it returns 32-bits, does not guarantee

  188. 32-bits of usable entropy.  I have briefly looked at the output, and

  189. there does appear to be higher lengths of runs than expected.  Another

  190. issue is that it's collection takes a while, as the fastest is 1 bit

  191. per ms.  So, assuming the need to collect 8 bits for 1 bit of entropy

  192. (pure speculation), that means at minimum 2 seconds to collect the

  193. 2048 bits necessary for 256 bits of entropy.

  194. 

  195. 

  196. Uniquifying

  197. -----------

  198. 

  199. One of the other ways to help ensure that a microcontroller is to

  200. integrate per device values into the PRNG.  This does not guarantee

  201. uniqueness between boots, but it does make it harder to attack if an

  202. attacker is able to control the other sources of randomness.

  203. 

  204. In the case of the STM32L151 chip I am using, there is a unique

  205. device id register.  The device register is programmed at the

  206. factory.  Because it is unknown if this unique id is recorded by the

  207. manufacturer, and possibly traced through the supply chain, and no

  208. guarantees are made to both the uniqueness or privacy, it has limited

  209. use to provide any serious additional randomization.

  210. 

  211. Another method, is to write entropy at provisioning time.  This can be

  212. done in either flash memory or EEPROM, which may have a more granular

  213. write access.

  214. 

  215. 

  216. Using SRAM

  217. ----------

  218. 

  219. The tricky part of using SRAM is figuring out how to access the

  220. uninitialized memory.  Despite having full access to the environment,

  221. modifying the startup code, which is often written in assembly, to do

  222. the harvesting makes an implementation less portable.  Using standard

  223. C, or another high level language, makes this easier, *but* we need to

  224. know where the end of the data and bss segments are.  This is where

  225. looking at the linker script will come in.

  226. 

  227. A linker script is used to allocate and map the program's data to the

  228. correct locations.  This includes allocating memory so that all the

  229. code and data fits in flash, but also allocating ram for variables, and

  230. stack.  Often there will be a symbol provided that marks where the data

  231. and bss sections in ram end, and the heap should begin.  For example,

  232. in [`STM32L151CCUX_FLASH.ld` at lines 185 &

  233. 186](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/commit/91a6fb590b68af1bcd34f776d4a58c89ac581c7d/stm32/l151ccux/STM32L151CCUX_FLASH.ld#L185-L186)

  234. it defines the symbols `end` and `_end`, the later of which is often

  235. used by `sbrk` (or `_sbrk` in my project's case in

  236. libnosys<label for="sn-sbrk-sample" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-sbrk-sample" class="margin-toggle"/>

  237. <span class="sidenote">A sample `_sbrk` is in [utils_syscalls.c](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/commit/91a6fb590b68af1bcd34f776d4a58c89ac581c7d/loramac/src/boards/mcu/saml21/hal/utils/src/utils_syscalls.c#L67-L83),

  238. though this particular implementation is not used by my project.</span>)

  239. to allocate memory for the heap.  Using sbrk is the easiest method to

  240. access uninitalized SRAM, but modifying or adding a symbol can be used

  241. if your microcontroller's framework does not support sbrk.

  242. 

  243. 

  244. Putting it together

  245. -------------------

  246. 

  247. It is accepted that integrating as many difference sournces of entropy

  248. (TRNGs) is best.  This ensures that as long as any single soruce is

  249. good, or each one is not great, but combined they provide enough

  250. entropy (preferably at least 128 bits), that the seeded PRNG will be

  251. secure and unpredictable.

  252. 

  253. As some sources are only available at first boot, e.g. SRAM, it is

  254. best to save a fork of the PRNG to stable storage.  In my

  255. implementation, I decided to use EEPROM for this.  I added an

  256. additional EEPROM section in the linker script, and then added a symbol

  257. [rng_save](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/branch/main/strobe_rng_init.c#L39)

  258. that is put in this section.  This should be 256-bits (32-bytes) as

  259. the savings of smaller does not make sense, and any proper PRNG when

  260. seeded with 256-bits will provide enough randomness.  Writing to EEPROM

  261. does require a little more work to have the code save to this region,

  262. rather than RAM, but the STM32 HAL layer has functions that make this

  263. easy.

  264. 

  265. It would be great if where the PRNG seed could be in read-once,

  266. write-once memory to ensure that it can be read, mixed in with any

  267. additional entropy, and the written out, but I do not know of any

  268. microcontroller that supports this feature.

  269. 

  270. Part of this is is to ensure that the the state between the saved

  271. seed, and the PRNG state used for this boot is disjoint, and that if

  272. either seed is compromised, neither can be backtracked to obtain the

  273. other.  In the case of [strobe](https://strobe.sourceforge.io/papers/strobe-latest.pdf),

  274. the function [strobe_randomize](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/branch/main/strobe/strobe.c#L319-L331)

  275. does a RATCHET operation at the end, which ensure the state cannot be rolled

  276. back to figure out what was generated, and as the generated bytes does

  277. not contain the entire state of the PRNG, it cannot be used to

  278. reconstruct the future seed.

  279. 

  280. Another advantage of using EEPROM is the ability to provide an initial

  281. set of entropy bytes at firmware flashing time.  I did attempt to add

  282. this, but OpenOCD, which I use for programming the Node151 device,

  283. does not support programming EEPROM, so in my case, this was not

  284. possible<label for="sn-eeprom-flash" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-eeprom-flash" class="margin-toggle"/><span class="sidenote">Despite not using it, the infrastructure to generate perso entropy is still present in the [Makefile](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/branch/main/Makefile#L152-L157).</span>.

  285. I could have added an additional source data file to the flash, but

  286. figured that the other sources of entropy were adequate enough for my

  287. project.

  288. 

  289. 

  290. {#

  291. Conclusion

  292. ----------

  293. 

  294. Modern microcontrollers do have a number of sources of entropy that can

  295. be used.  With a little bit of work, a PRNG seed can be saved between

  296. resets, allowing for more secure operation, and even preloading of

  297. entropy. #}