| History log of /src/sys/arch/arm/sunxi/sun8i_crypto.c |
| Revision | | Date | Author | Comments |
| 1.32 |
| 22-May-2022 |
riastradh | opencrypto: Make freesession callback return void.
No functional change intended: all drivers already return zero
unconditionally.
|
| 1.31 |
| 15-May-2022 |
riastradh | sun8icrypto(4): Switch off polling when ready for interrupts.
When I introduced logic to do polling and then interrupts, I
accidentally made it switch polling from on to...still on, which had
the effect of breaking the logic after sun8i_crypto_attach because
only sun8i_crypto_attach actually did polling.
|
| 1.30 |
| 19-Mar-2022 |
riastradh | rnd(9): Adjust IPL of locks used by rndsource callbacks.
These no longer ever run from hard interrupt context or with a spin
lock held, so there is no longer any need to have them at IPL_VM to
block hard interrupts. Instead, lower them to IPL_SOFTSERIAL.
|
| 1.29 |
| 18-Mar-2022 |
riastradh | sun8icrypto(4): Do self-test and first RNG draw synchronously.
If the self-test fails, disable everything else at boot -- don't just
leave it to the operator to notice and do something.
This way we get entropy earlier at boot, before threads start and
before the first things in the kernel that draw from it (cprng fast
init, ssp init).
|
| 1.28 |
| 18-Mar-2022 |
riastradh | sun8icrypto(4): Attach rndsource as RND_TYPE_RNG.
Previously this was attached as RND_TYPE_UNKNOWN, at a time when the
kernel assumed _any_ RNG-type rndsource produced independent uniform
random bits and subjected it to automatic tests that would fail with
high probability for many other distributions. But sun8icrypto(4) is
very nonuniform (probably yields consecutive samples of a ring
oscillator, which are very much not independent).
Now the kernel no longer makes this assumption, so it is valid to
label this as what it is -- a hardware RNG. We should ideally still
have better information from the vendor about what's going on under
the hood before enabling nonzero entropy for it. But at least we can
label its type accurately.
|
| 1.27 |
| 18-Mar-2022 |
riastradh | sun8icrypto(4): Split out interrupt and thread locks.
No need to block interrupts while we're going through all the data
structures -- only need to block interrupts for the handoff from
interrupt handler to lower-priority logic.
|
| 1.26 |
| 07-Aug-2021 |
riastradh | sun8icrypto(4): Call crypto_unblock when a task completes.
Otherwise under load this would presumably just hang after returning
ERESTART to opencrypto.
|
| 1.25 |
| 28-Apr-2021 |
bad | enable sun8icrypto on Allwinner H3 too.
Allwinner H3 needs a slower mod clock according to the Linux driver.
tested on NanoPi R1.
thanks jmcneill@ and riastradh@ for advice.
XXX pullup-9
|
| 1.24 |
| 24-Apr-2021 |
riastradh | branches: 1.24.2;
arm/sunxi: Wire up sun8icrypto(4) on Allwinner H5.
Tested on NanoPi Neo PLUS2.
|
| 1.23 |
| 27-Jan-2021 |
thorpej | Rename of_match_compat_data() to of_compatible_match(). Similarly,
rename of_search_compatible() to of_compatible_lookup().
Standardize on of_compatible_match() for driver matching, and adapt
all call sites.
|
| 1.22 |
| 27-Jan-2021 |
thorpej | Use DEVICE_COMPAT_EOL.
|
| 1.21 |
| 25-Jan-2021 |
thorpej | Since we're using designated initialisers for compat data, we should
use a completely empty initializer for the sentinel.
|
| 1.20 |
| 18-Jan-2021 |
thorpej | Remove "struct of_compat_data" and replace its usage with
"struct device_compatible_entry"; they are ABI-compatible.
Fix several "loses const qualifier" bugs encountered during
this conversion.
|
| 1.19 |
| 15-Jan-2021 |
jmcneill | use fdtbus_intr_establish_xname
|
| 1.18 |
| 14-Jun-2020 |
ad | branches: 1.18.2;
Fix !DIAGNOSTIC compile.
|
| 1.17 |
| 13-Jun-2020 |
riastradh | Draft opencrypto support for Allwinner Crypto Engine.
XXX Can't handle nonzero crd_skip yet.
|
| 1.16 |
| 13-Jun-2020 |
riastradh | Rework sun8i crypto.
- Preallocate tasks and DMA maps together for now, for 4k transfers.
- Confine setup of the task descriptor to a single function, without
bus_dmamap_t as an input; just use the preallocated DMA maps.
- Take the DMA map part out of sun8i_crypto_buf.
=> Not much left here, just a dmamem segment and kva mapping.
This should make it easier to use with opencrypto.
|
| 1.15 |
| 13-Jun-2020 |
riastradh | Truncate hw.sun8icryptoN.rng queries to 4096 bytes.
...rather than fail entirely.
|
| 1.14 |
| 15-May-2020 |
maxv | branches: 1.14.2;
hardclock_ticks -> getticks()
|
| 1.13 |
| 30-Apr-2020 |
riastradh | rnd_attach_source calls the callback itself now.
No need for every driver to explicitly call it to prime the pool.
Eliminate now-unused <sys/rndpool.h>.
|
| 1.12 |
| 06-Feb-2020 |
riastradh | branches: 1.12.4;
Fix previous brainfart.
Don't use the uninitialized trng node as the root node -- derp.
Instead, use the root node as the root node, and initialize the trng
node here.
|
| 1.11 |
| 20-Jan-2020 |
riastradh | Fix (presently harmless) psato.
Don't overwrite cy_root_node; use cy_trng_node as intended.
|
| 1.10 |
| 12-Jan-2020 |
riastradh | Enable sun8icrypto in GENERIC64.
But set its entropy estimate to zero until we have a better idea of
how it works. Can't really hurt this way unless sun8icrypto is
maliciously dependent on all other inputs to the entropy pool, which
seems unlikely.
|
| 1.9 |
| 18-Dec-2019 |
riastradh | branches: 1.9.2;
Reduce entropy estimate for sun8icrypto TRNG.
NIST's SP800-90B entropy estimation tools put it at no more than .08
bits of entropy per byte of data(!), so estimate 100 bits of data per
bit of entropy. This is probably not conservative enough -- the NIST
tools were written without knowledge of how this alleged TRNG works!
Knowledge of the physics of how the TRNG is supposed to work could
probably enable a better job at predicting the outputs.
While here, bump the size of data we can sample directly with sysctl
to 4096 bytes.
|
| 1.8 |
| 15-Dec-2019 |
riastradh | Fix typo -- acknowledge interrupts _and_ errors.
|
| 1.7 |
| 10-Dec-2019 |
riastradh | Oops -- forgot to kmem_free.
|
| 1.6 |
| 09-Dec-2019 |
riastradh | Tidy up comments.
|
| 1.5 |
| 09-Dec-2019 |
riastradh | Avoid a race between interruption and reacquisition of lock.
Otherwise, we would have leaked the memory in this case.
|
| 1.4 |
| 09-Dec-2019 |
riastradh | Make sure ERESTART doesn't come flying out to userland.
I picked ERESTART to mean `all channels are occupied' because that's
what opencrypto(9) uses to decide whether to queue a request, but
it's not appropriate for sysctl(2) to return that.
|
| 1.3 |
| 09-Dec-2019 |
riastradh | Factor out some of the self-test logic used for debugging.
Add missing bus_dmamap_sync(POSTWRITE) while here.
|
| 1.2 |
| 09-Dec-2019 |
riastradh | Reduce some duplicated bus_dma clutter.
|
| 1.1 |
| 09-Dec-2019 |
riastradh | Draft driver for Allwinner Crypto Engine.
Found on, e.g., the Pinebook.
Only used for TRNG at the moment, but hooking it up to opencrypto(9)
shouldn't be too hard if anyone still cares about that these days.
The distribution of the alleged TRNG is very nonuniform distributed
seems to alternate between toward runs with exceptionally high
fractions of 0 bits and runs with exceptionally high fractions of 1
bits -- initially all my samples were mostly 0's, and then all my
samples were mostly 1's, and now I'm seeing more oscillation between
these runs.
So I've wired it up as RND_TYPE_UNKNOWN, not RND_TYPE_RNG (it will
immediately flunk our rngtest and be disabled), and I estimated it to
provide at most one bit of entropy per byte of data -- which may
still be optimistic. I also added a sysctl node hw.sun8icryptoN.rng
to read out 1024-byte samples for analysis, and I left the driver
commented out in GENERIC64 for now.
(If anyone has contacts at Allwinner who can tell us about how the
alleged TRNG is supposed to work, please let me know!)
|
| 1.9.2.3 |
| 29-Feb-2020 |
ad | Sync with head.
|
| 1.9.2.2 |
| 25-Jan-2020 |
ad | Sync with head.
|
| 1.9.2.1 |
| 17-Jan-2020 |
ad | Sync with head.
|
| 1.12.4.2 |
| 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.12.4.1 |
| 06-Feb-2020 |
martin | file sun8i_crypto.c was added on branch phil-wifi on 2020-04-08 14:07:31 +0000
|
| 1.14.2.3 |
| 25-Apr-2021 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1252):
sys/arch/arm/sunxi/sun8i_h3_ccu.c: revision 1.18 (patch)
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.24 (patch)
sys/arch/arm/dts/sun50i-h5.dtsi: revision 1.2 (patch)
arm/sunxi: Wire up sun8icrypto(4) on Allwinner H5.
Tested on NanoPi Neo PLUS2.
|
| 1.14.2.2 |
| 18-May-2020 |
martin | Pull up following revision(s) (requested by riastradh in ticket #912):
sys/arch/arm/dts/sun50i-a64.dtsi: revision 1.14
sys/arch/evbarm/conf/GENERIC64: revision 1.116
sys/arch/evbarm/conf/GENERIC64: revision 1.131
sys/arch/arm/sunxi/sun50i_a64_ccu.c: revision 1.21
sys/arch/arm/sunxi/sun50i_a64_ccu.c: revision 1.22
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.10
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.11
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.12
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.1
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.2
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.3
sys/arch/arm/sunxi/sun8i_crypto.h: revision 1.1
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.4
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.5
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.6
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.7
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.8
sys/arch/arm/sunxi/sun8i_crypto.c: revision 1.9
sys/arch/arm/sunxi/files.sunxi: revision 1.67
Add crypto engine clock
Add SUNXI_CCU_NM_ROUND_DOWN to CE clock, fix pll parents to use 2X outputs
Add crypto engine block.
Draft driver for Allwinner Crypto Engine.
Found on, e.g., the Pinebook.
Only used for TRNG at the moment, but hooking it up to opencrypto(9)
shouldn't be too hard if anyone still cares about that these days.
The distribution of the alleged TRNG is very nonuniform distributed
seems to alternate between toward runs with exceptionally high
fractions of 0 bits and runs with exceptionally high fractions of 1
bits -- initially all my samples were mostly 0's, and then all my
samples were mostly 1's, and now I'm seeing more oscillation between
these runs.
So I've wired it up as RND_TYPE_UNKNOWN, not RND_TYPE_RNG (it will
immediately flunk our rngtest and be disabled), and I estimated it to
provide at most one bit of entropy per byte of data -- which may
still be optimistic. I also added a sysctl node hw.sun8icryptoN.rng
to read out 1024-byte samples for analysis, and I left the driver
commented out in GENERIC64 for now.
(If anyone has contacts at Allwinner who can tell us about how the
alleged TRNG is supposed to work, please let me know!)
Reduce some duplicated bus_dma clutter.
Factor out some of the self-test logic used for debugging.
Add missing bus_dmamap_sync(POSTWRITE) while here.
Make sure ERESTART doesn't come flying out to userland.
I picked ERESTART to mean `all channels are occupied' because that's
what opencrypto(9) uses to decide whether to queue a request, but
it's not appropriate for sysctl(2) to return that.
Avoid a race between interruption and reacquisition of lock.
Otherwise, we would have leaked the memory in this case.
Tidy up comments.
Oops -- forgot to kmem_free.
Fix typo -- acknowledge interrupts _and_ errors.
Reduce entropy estimate for sun8icrypto TRNG.
NIST's SP800-90B entropy estimation tools put it at no more than .08
bits of entropy per byte of data(!), so estimate 100 bits of data per
bit of entropy. This is probably not conservative enough -- the NIST
tools were written without knowledge of how this alleged TRNG works!
Knowledge of the physics of how the TRNG is supposed to work could
probably enable a better job at predicting the outputs.
While here, bump the size of data we can sample directly with sysctl
to 4096 bytes.
Enable sun8icrypto in GENERIC64.
But set its entropy estimate to zero until we have a better idea of
how it works. Can't really hurt this way unless sun8icrypto is
maliciously dependent on all other inputs to the entropy pool, which
seems unlikely.
Fix (presently harmless) psato.
Don't overwrite cy_root_node; use cy_trng_node as intended.
Fix previous brainfart.
Don't use the uninitialized trng node as the root node -- derp.
Instead, use the root node as the root node, and initialize the trng
node here.
|
| 1.14.2.1 |
| 15-May-2020 |
martin | file sun8i_crypto.c was added on branch netbsd-9 on 2020-05-18 18:45:40 +0000
|
| 1.18.2.1 |
| 03-Apr-2021 |
thorpej | Sync with HEAD.
|
| 1.24.2.1 |
| 13-May-2021 |
thorpej | Sync with HEAD.
|
