authorVadim Sukhomlinov <sukhomlinov@google.com>2021-10-14 10:58:22 -0700
committerCommit Bot <commit-bot@chromium.org>2021-10-16 05:43:09 +0000
commit69753e1de353c26e047b702a7d360dfc2c2c2521 (patch)
tree15567ebcb9bf966030cfbe6e22adfdb35e0015f7
parent69492c43e78abfb8647bab969526cd3e2d300707 (diff)
downloadchrome-ec-69753e1de353c26e047b702a7d360dfc2c2c2521.tar.gz
cr50: update TRNG health tests cut off values for new entropy estimate
Once all H1 Entropy tests completed at different environmental points our entropy estimate changed to value 0.77. Also we decided to use alpha = 2^-39 vs. 2^-40. This requires change of RCT and APT cutoff values. RCT cutoff value changed to compile-time constant computation, added static asserts to make sure it is valid and matches known values. APT cutoff can't be computed at compile time and updated to values matching entropy and alpha. Updated entropy size for instantiation of FIPS DRBG. Reseeding interval is reduced to 1000 from 10000 to make it more non-deterministic. Performance impact is very low - can't even measure it precisely. BUG=b:138577834 TEST=make BOARD=cr50 CRYPTO_TEST=1; tpm_test.py Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I38735492d072b3d4445fca926524ef1c159627a5 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3223967 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r--board/cr50/dcrypto/fips_rand.c16
-rw-r--r--board/cr50/dcrypto/fips_rand.h49
2 files changed, 40 insertions, 25 deletions
diff --git a/board/cr50/dcrypto/fips_rand.c b/board/cr50/dcrypto/fips_rand.c
index f949993450..bc6fa29e7a 100644
--- a/board/cr50/dcrypto/fips_rand.c
+++ b/board/cr50/dcrypto/fips_rand.c
@@ -244,8 +244,8 @@ bool fips_trng_startup(int stage)
return fips_powerup_passed();
}
-/* Assuming H=0.8, we need 550 bits from TRNG to get 440 bits. */
-#define ENTROPY_SIZE_BITS 550
+/* Assuming H=0.77, we need 571 bits from TRNG to get 440 bits. */
+#define ENTROPY_SIZE_BITS 571
#define ENTROPY_SIZE_WORDS (BITS_TO_WORDS(ENTROPY_SIZE_BITS))
bool fips_drbg_init(void)
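Review bot: `ENTROPY_SIZE_BITS 571` rounds down rather than up: 440 / 0.77 is about 571.4, so 571 raw bits carry roughly 439.7 bits of entropy at H=0.77, just under the 440 the comment states. If the buffer is sized by `ENTROPY_SIZE_WORDS` and `BITS_TO_WORDS` rounds up to whole words (neither is visible in this hunk), the seed actually collected is larger and only the stated figure is off. The constant would still be safer derived than hand-computed, e.g. `#define ENTROPY_SIZE_BITS (((440 * H_ENTROPY_DIVISOR) + H_ENTROPY - 1) / H_ENTROPY)`, which evaluates to 572 and tracks `H_ENTROPY` from fips_rand.h, assuming that header is included here. The same 571 figure is repeated in the comment inside `fips_drbg_init()` in the next hunk.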
@@ -260,15 +260,15 @@ bool fips_drbg_init(void)
return true;
/**
- * Get entropy + nonce from TRNG. Assume H>=0.8.
+ * Get entropy + nonce from TRNG. Assume H>=0.77.
*/
if (!fips_trng_bytes(entropy_input, sizeof(entropy_input)))
return false;
/**
- * Pass combined seed containing total 550 bits of entropy and nonce,
- * and assuming H=0.8, we will get total entropy in seed as 440bits as
- * defined for HMAC DBRG in NIST SP 800-90Ar1 B.2.
+ * Pass combined seed containing total 571 bits of entropy and nonce,
+ * and assuming H=0.77, we will get total entropy in seed as 440 bits
+ * as defined for HMAC DBRG in NIST SP 800-90Ar1 B.2.
* Required minimum entropy for the entropy input at instantiation =
* (3/2) security_strength (this includes the entropy required for the
* nonce). For 256-bit security, this means at least 384 bits.
@@ -276,10 +276,10 @@ bool fips_drbg_init(void)
* Maximum length of the personalization string = 160 bits.
* Maximum length of the entropy input = 1000 bits.
*
- * Reseed_interval = 10 000 requests.
+ * Reseed_interval = 1000 requests.
*/
hmac_drbg_init(&fips_drbg, &entropy_input, sizeof(entropy_input), NULL,
- 0, NULL, 0, 10000);
+ 0, NULL, 0, 1000);
always_memset(entropy_input, 0, sizeof(entropy_input));
return true;
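Review bot: The reseed interval is a bare literal in the `hmac_drbg_init()` call and is stated a second time in the comment above it, so the two can drift apart on the next change, as they could have in this one. A named constant next to `ENTROPY_SIZE_BITS`, for example `#define FIPS_DRBG_RESEED_INTERVAL 1000`, passed as the last argument, keeps a single source of truth. The comment could then say why the value was chosen instead of repeating it. The body of `fips_drbg_init()` starts and ends outside this hunk, so how the rest of the function uses the interval is not visible here.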
diff --git a/board/cr50/dcrypto/fips_rand.h b/board/cr50/dcrypto/fips_rand.h
index 1010ad5e4d..e3f37c82e5 100644
--- a/board/cr50/dcrypto/fips_rand.h
+++ b/board/cr50/dcrypto/fips_rand.h
@@ -22,7 +22,11 @@ extern "C" {
* Probability of false positive in single APT/RCT test
* defined as 2^(-TRNG_TEST_ALPHA).
*/
-#define TRNG_TEST_ALPHA 40
+#define TRNG_TEST_ALPHA 39
+
+/* Entropy estimate for H1 = 0.77 = 77/100 */
+#define H_ENTROPY 77
+#define H_ENTROPY_DIVISOR 100
/**
* TRNG Health Tests
@@ -48,13 +52,19 @@ extern "C" {
* (1) Repetition Count Test (RCT) NIST SP 800-90B 4.4.1
* Cut off value is computed as:
* c = ceil(1 + (-log2 alpha)/H);
- * alpha = 2^-50, H = 0.8; RCT_CUTOFF = CEIL(1+(ALPHA/0.8))
+ * RCT_CUTOFF = CEIL(1+(ALPHA/H)) = CEIL(1+(ALPHA*(1/H)))
*/
-#if TRNG_TEST_ALPHA == 40
-#define RCT_CUTOFF_SAMPLES 51
-#else
-/* RCT cut off for TRNG_TEST_ALPHA == 30 */
-#define RCT_CUTOFF_SAMPLES 39
+#define RCT_CUTOFF_SAMPLES \
+ (1 + (((TRNG_TEST_ALPHA * H_ENTROPY_DIVISOR) + H_ENTROPY - 1) / \
+ H_ENTROPY))
+
+/* Our implementation supports only certain range of RCT_CUTOFF values. */
+BUILD_ASSERT((RCT_CUTOFF_SAMPLES >= 1) && (RCT_CUTOFF_SAMPLES <= 63));
+
+#if TRNG_TEST_ALPHA == 39
+BUILD_ASSERT(RCT_CUTOFF_SAMPLES == 52);
+#elif TRNG_TEST_ALPHA == 30
+BUILD_ASSERT(RCT_CUTOFF_SAMPLES == 40);
#endif
/**
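Review bot: The `<= 63` bound in the first `BUILD_ASSERT` is not explained; the comment only says that "only certain range" is supported. Naming the constraint would help the next person who changes alpha or H, for instance `/* RCT counter is N bits wide in <where>, so the cutoff must fit in 1..63 */` with the real reason filled in. The `>= 1` half is always true for this expression, since it is 1 plus a non-negative quotient. The formula comment also lost its worked example; adding `alpha = 2^-39, H = 0.77: 1 + ceil(39 / 0.77) = 52` would tie it to the pinned value asserted below.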
@@ -65,26 +75,31 @@ extern "C" {
/**
* (2) Adaptive Proportion Test (APT), NIST SP 800-90B 4.4.2, Table 2
*/
-#if TRNG_SAMPLE_BITS == 1
+/* We only support 1-bit alphabet for TRNG. */
+BUILD_ASSERT(TRNG_SAMPLE_BITS == 1);
/* APT Windows size W = 1024 for 1 bit samples */
#define APT_WINDOW_SIZE_SAMPLES 1024
-#else
-/* or 512 samples if more than 1 bit per sample */
-#define APT_WINDOW_SIZE_SAMPLES 512
-#endif
#define APT_WINDOW_SIZE_BITS (APT_WINDOW_SIZE_SAMPLES * TRNG_SAMPLE_BITS)
#define APT_WINDOW_SIZE_NWORDS (BITS_TO_WORDS(APT_WINDOW_SIZE_BITS))
+
/**
* Cut off value = CRITBINOM(W, power(2,(-H)),1-α).
- * 698 = CRITBINOM(1024, power(2,(-0.8)), 1 - 2^(-40))
+ * 708 = CRITBINOM(1024, power(2,(-0.77)), 1 - 2^(-39))
*/
-#if TRNG_TEST_ALPHA == 40
-#define APT_CUTOFF_SAMPLES 698
-#else
+#if TRNG_TEST_ALPHA == 39
+#define APT_CUTOFF_SAMPLES 708
+#elif TRNG_TEST_ALPHA == 30
/* APT cut off for TRNG_TEST_ALPHA == 30 */
-#define APT_CUTOFF_SAMPLES 682
+#define APT_CUTOFF_SAMPLES 694
#endif
+/**
+ * APT_CUTOFF should be larger than half of window size, but less
+ * than windows size.
+ */
+BUILD_ASSERT((APT_CUTOFF_SAMPLES >= (APT_WINDOW_SIZE_SAMPLES / 2)) &&
+ (APT_CUTOFF_SAMPLES < APT_WINDOW_SIZE_SAMPLES));
+
#ifdef __cplusplus
}
#endif
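Review bot: `APT_CUTOFF_SAMPLES` is selected only by `TRNG_TEST_ALPHA`, yet 708 and 694 are valid only for H=0.77. Because `RCT_CUTOFF_SAMPLES` is now computed from `H_ENTROPY`, a later change to `H_ENTROPY` would update RCT automatically and leave a stale APT cutoff that still passes the range assert. Pinning the assumption beside the table with `BUILD_ASSERT(H_ENTROPY == 77 && H_ENTROPY_DIVISOR == 100);` would make that change fail the build. The `#if`/`#elif` chain also has no `#else`, so an unsupported alpha surfaces only as an undefined identifier inside the later `BUILD_ASSERT`; an explicit `#else` with `#error "APT_CUTOFF_SAMPLES not defined for this TRNG_TEST_ALPHA"` gives a clearer failure.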