jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
103 Commits
1 Branch
4.6 MiB
 
 
 
 
Tree: 5881817d0d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5881817d0d'
${ noResults }
blog/content/2022/02/nearly-complete-rng-guide.html

301 lines
15 KiB
Raw Blame History 

  1. ---

  2. title: Nearly Complete Guide to RNG on a microcontroller

  3. description: >

  4.   How to initialize and run an RNG on an STM32L151CC microcontroller.

  5. posted: !!timestamp '2022-02-12'

  6. created: !!timestamp '2022-02-12'

  7. time: 11:50 AM

  8. tags:

  9.   - security

  10.   - rng

  11.   - microcontroller

  12. ---

  13. 

  14. Security depends upon cryptography and which in turn depends upon a

  15. Random Number Generator (RNG).  An RNG is used for key generation (both

  16. symmetric and asymmetric) and key negotiation (session establishment).

  17. The later is an absolute requirement to ensure that communications can

  18. be secured.  The former (key generation) can be used at first boot for

  19. personalization, but isn't necessary as it could be done when personalizing

  20. the device at programming or first deployment.

  21. 

  22. There are two types of RNGs, the first is a True Random Number Generator

  23. (TRNG).  This is one that takes some non-deterministic process, often

  24. physical, and measures it.  Often, these are slow and are not uniform,

  25. requiring a post processing step before the are useful.

  26. 

  27. The second type is a Pseudo Random Number Generator (PRNG)<label

  28. for="sn-drbg" class="margin-toggle sidenote-number"></label><input

  29. type="checkbox" id="sn-drbg" class="margin-toggle"/><span

  30. class="sidenote">[NIST](https://www.nist.gov/) also refers to a

  31. PRNG as a Deterministic Random Bit Generator (DRBG).</span>.  PRNGs

  32. take a seed, and can generate large, effectively unlimited amounts of

  33. random data, when seeded properly.  The issue is than if someone is able

  34. to obtain the seed, they will be able to predict the subsequent values,

  35. allowing breaking security.

  36. 

  37. The standard practice is to gather data from a TRNG, and use it to seed

  38. a PRNG.  It used to be common that the PRNG should more additional random

  39. data mixed in, but I agree w/ djb (D. J. Bernstein) that once seeded, no

  40. additional seeding is needed<label for="sn-entropy" class="margin-toggle

  41. sidenote-number"></label><input type="checkbox" id="sn-entropy"

  42. class="margin-toggle"/><span class="sidenote">See his blog post

  43. [Entropy Attacks!](https://blog.cr.yp.to/20140205-entropy.html)</span>

  44. as modern PRNGs are secure and can generate random data such that their

  45. state will not leak.<label for="sn-prng-secure" class="margin-toggle

  46. sidenote-number"></label><input type="checkbox" id="sn-prng-secure"

  47. class="margin-toggle"/><span class="sidenote">That is, taking it's output,

  48. that neither past nor future output can be predicted.</span>

  49. 

  50. There are lots of libraries and papers that talk about how to solve the

  51. problem for RNGs on a microcontroller that may not have an integrated

  52. [T]RNG block, but I have not been able to find a complete guide for

  53. integrating their work into a project where even a relative beginner

  54. could get it functional.

  55. 

  56. This article was written as I developed the

  57. [lora-irrigation](https://www.funkthat.com/gitea/jmg/lora-irrigation)

  58. project.  This project will be used as an example, and the code reference

  59. is mostly licensed under the 2-clause BSD license, and so is freely

  60. usable for your own projects.

  61. 

  62. 

  63. Sources of Randomness

  64. ---------------------

  65. 

  66. As mentioned, most microcontrollers do not have a dedicated hardware

  67. block like modern AMD64 (aka x86-64) processors do w/ the RDRAND

  68. instruction.  Though they do not, there are other sources that are

  69. available.

  70. 

  71. The first, and easiest one is the Analog Digital Converter (ADC).  Even

  72. if the ADC pin is tied to ground, the process of digital conversion is

  73. not 100% deterministic as there are errors in the converter or noise

  74. introduced on the pin.<label for="sn-adcnoise"

  75. class="margin-toggle sidenote-number"></label><input type="checkbox"

  76. id="sn-adcnoise" class="margin-toggle"/><span class="sidenote">The article

  77. [ADC Input Noise: The Good, The Bad, and The Ugly. Is No Noise Good

  78. Noise?](https://www.analog.com/en/analog-dialogue/articles/adc-input-noise.html)

  79. talks about this.</span>

  80. 

  81. The data sheet for the microcontroller will help determine the expected

  82. randomness from the part.  In the case of the

  83. [STM32L151CC](https://www.st.com/content/st_com/en/products/microcontrollers-microprocessors/stm32-32-bit-arm-cortex-mcus/stm32-ultra-low-power-mcus/stm32l1-series/stm32l151-152/stm32l151cc.html)

  84. that I'm using, Table 57 of the data sheet lists the Effective number

  85. of bits (ENOB) as typically 10 bits, which is a couple bits short of

  86. the 12 bit resolution of the ADC.  This means that the 2 least

  87. significant bits are likely to have some noise in them.  I did a run,

  88. and collected 114200 samples from the ADC.  The [Shannon

  89. entropy](https://en.wikipedia.org/wiki/R%C3%A9nyi_entropy#Shannon_entropy)

  90. calculated using the empirical probabilities was 2.48.<label

  91. for="sn-shannonenropy" class="margin-toggle sidenote-number"></label>

  92. <input type="checkbox" id="sn-shannonenropy" class="margin-toggle"/>

  93. <span class="sidenote">Now this is not strictly Shannon entropy, as the

  94. values were calculated from the experiment, and Shannon entropy should

  95. be calculated from the a priori probabilities.</span>  Discarding the

  96. 0's (which makes up over half the results) improves the entropy

  97. calculation to 3.29.  The

  98. [min-entropy](https://en.wikipedia.org/wiki/R%C3%A9nyi_entropy#Min-entropy)<label for="sn-min-entropy-fwdref" class="margin-toggle sidenote-number"></label>,

  99. <input type="checkbox" id="sn-min-entropy-fwdref" class="margin-toggle"/>

  100. <span class="sidenote">Forward reference:

  101. <a href="#min-entropy-awk">min-entropy awk script</a></span>

  102. a better indicator of entropy, calculation is 1.2 bits, and if all the

  103. 0's are dropped, it improves to 2.943.  This does help, but in the end,

  104. subtracting the data sheet's ENOB from the ADC resolution does result

  105. in an approximate estimate of entropy.

  106. 

  107. It is possibly that a correlation analysis between samples could

  108. further reduce the entropy gathers via the ADC, but with sufficient

  109. collection, this should be able to be avoided.

  110. 

  111. The second is using uninitialized SRAM.  It turns out that this has

  112. been studied in [Software Only, Extremely Compact, Keccak-based Secure

  113. PRNG on ARM Cortex-M](https://dl.acm.org/doi/10.1145/2593069.2593218)

  114. and [Secure PRNG Seeding on Commercial Off-the-Shelf

  115. Microcontrollers](https://www.intrinsic-id.com/wp-content/uploads/2017/05/prng_seeding.pdf).

  116. Depending upon how the SRAM is designed in the chip, it can create a

  117. situation where each bit of SRAM will be indeterminate at boot up.

  118. Both of these papers studied a similar microcontroller, an

  119. STM32F100R8 to the one I am using, a STM32L151CC.

  120. 

  121. I ran my own experiments where I powered on an STM3L151CC and dumped

  122. the SRAM 8 times and analyzed the results.  I limited my analysis to

  123. 26863 bytes the 32 KiBytes of ram (remaining was data/bss or stack, so

  124. would not change, or was zeros). I then calculated the min-entropy for

  125. each bit across power cycles and the resulting sum was 11188, or

  126. approximately .416 bits per byte.  This is 5.2% and in line with what

  127. the later paper observed for a similar device.

  128. 

  129. Part of using a source of randomness is making sure that it is usable.

  130. In the case of the ADC, each reading can be evaluated against previous

  131. reads to ensure that the data being obtained is possibly random.  In

  132. the case of SRAM, this is more tricky, as the state of SRAM is static,

  133. and short of a reset, will not change.  This means that to use SRAM,

  134. proper analysis of the device, or family of devices, need to be evaluated

  135. for suitability.  There are cases where a device's SRAM does not provide

  136. adequate entropy, as discussed in the papers, and so this method should

  137. not be used in those cases, or not solely relied upon.

  138. 

  139. The following is an `awk` script for calculating the min-entropy of the

  140. provided data.  Each sample must be the first item on a line, and each

  141. sample must be a hexadecimal value w/o any leading `0x` or other leading

  142. identifier:

  143. <pre id="min-entropy-awk" class="language-awk fullwidth"><code># Copyright 2021 John-Mark Gurney

  144. # This script is licensed under the 2-clause BSD license

  145. 

  146. function max(a, b)

  147. {

  148.         if (a > b)

  149.                 return a;

  150.         else

  151.                 return b;

  152. }

  153. 

  154. {

  155.         v = ("0x" $1) + 0; a[NR] = v;

  156.         maxv = max(maxv, v);

  157. }

  158. 

  159. END {

  160.         tcnt = length(a);

  161.         me = 0;

  162.         for (bit = 0; 2^bit <= maxv; bit += 1) {

  163.                 cnt0 = 0;

  164.                 cnt1 = 0;

  165.                 for (i in a) {

  166.                         tbit = int((a[i] / 2 ^ bit) % 2);

  167.                         if (tbit)

  168.                                 cnt1 += 1;

  169.                         else

  170.                                 cnt0 += 1;

  171.                 }

  172.                 v = -log(max(cnt0, cnt1) / tcnt) / log(2);

  173.                 print "bit " bit ":\t" v;

  174.                 me += v;

  175.         }

  176.         printf "total:\t%0.3f\n", me;

  177. }

  178. </code></pre>

  179. 

  180. It is also possible that there are other parts of the board/design

  181. that could be a source of randomness.  The project that started this

  182. journey is using [LoRa](https://en.wikipedia.org/wiki/LoRa) for

  183. communication.  It turns out that the sample code for the radio chip

  184. ([LoRaMac&#x2011;node](https://github.com/Lora-net/LoRaMac-node)) implements

  185. a [random interface](https://github.com/Lora-net/LoRaMac-node/blob/7f12997754ad8e38a84daa85f62e7e6c0e5dbe59/src/radio/radio.h#L154-L163).

  186. The function just waits one milisecond, reads the RSSI value, takes

  187. the low bit and repeats this 32 times to return a 32-bit word.  There

  188. are issues with this as I cannot find any description of the expected

  189. randomness in the data sheet, nor in the code.  It also does not do

  190. any conditioning, so just because it returns 32-bits, does not guarantee

  191. 32-bits of usable entropy.  I have briefly looked at the output, and

  192. there does appear to be higher lengths of runs than expected.  Another

  193. issue is that it's collection takes a while, as the fastest is 1 bit

  194. per ms.  So, assuming the need to collect 8 bits for 1 bit of entropy

  195. (pure speculation), that means at minimum 2 seconds to collect the

  196. 2048 bits necessary for 256 bits of entropy.

  197. 

  198. 

  199. Uniquifying

  200. -----------

  201. 

  202. One of the other ways to help ensure that a microcontroller is to

  203. integrate per device values into the PRNG.  This does not guarantee

  204. uniqueness between boots, but it does make it harder to attack if an

  205. attacker is able to control the other sources of randomness.

  206. 

  207. In the case of the STM32L151 chip I am using, there is a unique

  208. device id register.  The device register is programmed at the

  209. factory.  Because it is unknown if this unique id is recorded by the

  210. manufacturer, and possibly traced through the supply chain, and no

  211. guarantees are made to both the uniqueness or privacy, it has limited

  212. use to provide any serious additional randomization.

  213. 

  214. Another method, is to write entropy at provisioning time.  This can be

  215. done in either flash memory or EEPROM, which may have a more granular

  216. write access.

  217. 

  218. 

  219. Using SRAM

  220. ----------

  221. 

  222. The tricky part of using SRAM is figuring out how to access the

  223. uninitialized memory.  Despite having full access to the environment,

  224. modifying the startup code, which is often written in assembly, to do

  225. the harvesting makes an implementation less portable.  Using standard

  226. C, or another high level language, makes this easier, *but* we need to

  227. know where the end of the data and bss segments are.  This is where

  228. looking at the linker script will come in.

  229. 

  230. A linker script is used to allocate and map the program's data to the

  231. correct locations.  This includes allocating memory so that all the

  232. code and data fits in flash, but also allocating ram for variables, and

  233. stack.  Often there will be a symbol provided that marks where the data

  234. and bss sections in ram end, and the heap should begin.  For example,

  235. in [`STM32L151CCUX_FLASH.ld` at lines 185 &

  236. 186](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/commit/91a6fb590b68af1bcd34f776d4a58c89ac581c7d/stm32/l151ccux/STM32L151CCUX_FLASH.ld#L185-L186)

  237. it defines the symbols `end` and `_end`, the later of which is often

  238. used by `sbrk` (or `_sbrk` in my project's case in

  239. libnosys<label for="sn-sbrk-sample" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-sbrk-sample" class="margin-toggle"/>

  240. <span class="sidenote">A sample `_sbrk` is in [utils_syscalls.c](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/commit/91a6fb590b68af1bcd34f776d4a58c89ac581c7d/loramac/src/boards/mcu/saml21/hal/utils/src/utils_syscalls.c#L67-L83),

  241. though this particular implementation is not used by my project.</span>)

  242. to allocate memory for the heap.  Using sbrk is the easiest method to

  243. access uninitalized SRAM, but modifying or adding a symbol can be used

  244. if your microcontroller's framework does not support sbrk.

  245. 

  246. 

  247. Putting it together

  248. -------------------

  249. 

  250. It is accepted that integrating as many difference sournces of entropy

  251. (TRNGs) is best.  This ensures that as long as any single soruce is

  252. good, or each one is not great, but combined they provide enough

  253. entropy (preferably at least 128 bits), that the seeded PRNG will be

  254. secure and unpredictable.

  255. 

  256. As some sources are only available at first boot, e.g. SRAM, it is

  257. best to save a fork of the PRNG to stable storage.  In my

  258. implementation, I decided to use EEPROM for this.  I added an

  259. additional EEPROM section in the linker script, and then added a symbol

  260. [rng_save](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/branch/main/strobe_rng_init.c#L39)

  261. that is put in this section.  This should be 256-bits (32-bytes) as

  262. the savings of smaller does not make sense, and any proper PRNG when

  263. seeded with 256-bits will provide enough randomness.  Writing to EEPROM

  264. does require a little more work to have the code save to this region,

  265. rather than RAM, but the STM32 HAL layer has functions that make this

  266. easy.

  267. 

  268. It would be great if the PRNG seed could be stored in read-once,

  269. write-once memory to ensure that it can be read, mixed in with any

  270. additional entropy, and then written out, but I do not know of any

  271. microcontroller that supports this feature.

  272. 

  273. Part of this is is to ensure that the the state between the saved

  274. seed, and the PRNG state used for this boot is disjoint, and that if

  275. either seed is compromised, neither can be backtracked to obtain the

  276. other.  In the case of [strobe](https://strobe.sourceforge.io/papers/strobe-latest.pdf),

  277. the function [strobe_randomize](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/branch/main/strobe/strobe.c#L319-L331)

  278. does a RATCHET operation at the end, which ensure the state cannot be rolled

  279. back to figure out what was generated, and as the generated bytes does

  280. not contain the entire state of the PRNG, it cannot be used to

  281. reconstruct the future seed.

  282. 

  283. Another advantage of using EEPROM is the ability to provide an initial

  284. set of entropy bytes at firmware flashing time.  I did attempt to add

  285. this, but OpenOCD, which I use for programming the Node151 device,

  286. does not support programming EEPROM, so in my case, this was not

  287. possible<label for="sn-eeprom-flash" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-eeprom-flash" class="margin-toggle"/><span class="sidenote">Despite not using it, the infrastructure to generate perso entropy is still present in the [Makefile](https://www.funkthat.com/gitea/jmg/lora-irrigation/src/branch/main/Makefile#L152-L157).</span>.

  288. I could have added an additional source data file to the flash, but

  289. figured that the other sources of entropy were adequate enough for my

  290. project.

  291. 

  292. 

  293. {#

  294. Conclusion

  295. ----------

  296. 

  297. Modern microcontrollers do have a number of sources of entropy that can

  298. be used.  With a little bit of work, a PRNG seed can be saved between

  299. resets, allowing for more secure operation, and even preloading of

  300. entropy. #}