CSRNG HWIP Technical Specification

Overview

This document specifies the Cryptographically Secure Random Number Generator (CSRNG) hardware IP functionality. Due to the importance of secure random number generation (RNG), it is a topic which is extensively covered in security standards. This IP targets compliance with both BSI’s AIS31 recommendations for Common Criteria, as well as NIST’s SP 800-90A and NIST’s SP 800-90C (Second Draft), both of which are referenced in FIPS 140-3. Since these two standards use significantly different terminology, it is recommended that the reader refer to our RNG compliance strategy document for an overview of the various RNG classes and equivalencies between the two standards. The CSRNG IP supports both of these standards for both deterministic (DRNG) and true random number generation (TRNG). In NIST terms, it works with the Entropy Source IP to satisfy the requirements as a DRBG (deterministic random-bit-generator) or NRBG (non-deterministic random bit generator). In AIS31 language, this same implementation can be used to satisfy either the DRG.3 requirements for deterministic generation, or the PTG.3 requirements for cryptographically processed physical generation.

In this document the terms “DRNG” and “TRNG” are used most generally to refer to deterministic or true random number generation functionalities implemented to this specification. However, the terms “DRBG” or “NRBG” are specifically used when respectively referring to SP 800-90A or SP 800-90C requirements. Meanwhile, when addressing requirements which originate from AIS31 we refer to the specific DRG.3 or PTG.3 classes of RNGs.

This IP block is attached to the chip interconnect bus as a peripheral module conforming to the Comportable guideline for peripheral functionality, but also has direct hardware links to other IPs for secure and software-inaccessible transmission of random numbers. The bus connections to peripheral modules is done using the CSRNG application interface. This interface allows peripherals to manage CSRNG instances, and request for obfuscated entropy to be returned from the CSRNG module.

Features

  • Provides support for both deterministic (DRNG) and true random number generation (TRNG), when combined with a secure entropy source (i.e. one constructed and implemented in compliance with SP 800-90A,B,C and AIS31).
  • Compliant with NIST and BSI recommendations for random number generation.
  • Hardware peripherals and software applications issue commands to dedicated RNG instances through a common application interface.
  • In deterministic mode, meets the requirements given in AIS31 for a DRG.3 class deterministic random number generator (DRNG) meaning it provides Forward Secrecy and Enhanced Backward Secrecy.
  • Utilizes the CTR_DRBG construction specified in NIST SP 800-90A, qualifying it as a NIST-approved DRBG (deterministic random bit generator).
    • Operates at 256 bit security strength.
  • Support for multiple separate CSRNG instances per IP block.
    • Each instance has its own internal state, control, reseed counters and IO pins.
    • The number of CSRNG instances is set via a module parameter.
  • Software access to a dedicated CSRNG instance.
    • One instance, Instance N-1, is always accessible from the bus through device registers,
    • All other instances route to other hardware peripherals (e.g. the key manager, obfuscation engines etc.) and in normal operation these other instances are inaccessible from software.
    • The IP may be configured to support “debug mode” wherein all instances can be accessed by software. For security reasons this mode may be permanently disabled using one-time programmable (OTP) memory.
  • The IP interfaces with external entropy sources to obtain any required non-determinstic seed material (entropy) and nonces.
    • Requires an external entropy source which is compliant with NIST SP 800-90B, and which also satisfies the requirements for a PTG.2 class physical non-deterministic random number generator as defined in AIS31.
    • Dedicated hardware interface with external entropy source satisfies requirements for get_entropy_input() interface as defined in SP 800-90A.
    • When needed, utilizes the Block_Cipher_df derivation function (as defined in SP 800-90A) for assembling seed material. This allows the use of entropy sources which are not full-entropy (less than one bit of entropy per bit generated).
  • Also supports the optional use of personalization strings or other application inputs (e.g. OTP memory values) during instantiation.
  • Assuming a continuously-live entropy source, each instance can also optionally be used as a non-determinstic TRNG (true random number generator, also called a non-deterministic random bit generator or NRBG in SP 800-90C).
    • In this mode, an instance also meets the requirements laid out for a PTG.3 class RNG, the strongest class laid out in AIS31.
    • Implementation follows the NRBG “Oversampling Construction” approved by SP 800-90C, to meet both CC and FIPS TRNG constructions.
  • In addition to the approved DRNG mode, any instance can also operate in “Fully Deterministic mode”, meaning the seed depends entirely on application inputs or personalization strings.

Description

Though the recommendations in AIS31 are based around broad functional requirements, the recommendations in SP 800-90 are very prescriptive in nature, outlining the exact constructs needed for approval. Thus the interface and implementation are largely driven by these explicit constructs, particularly the CTR_DBRG construct.

The CSRNG IP consists of four main components:

  1. An AES primitive

  2. The CTR_DRBG state-machine (ctr_drbg_fsm) which drives the AES primitive, performing the various encryption sequences prescribed for approved DRBGs in SP 800-90A. These include:

    1. The Derivation Function: Part of the instantiation and reseed routines, this routine assembles the previous seed material (on reseed only), application inputs, and entropy.
    2. The Instantiation Routine: Combines application inputs, external entropy and nonce (more entropy) via the derivation function.
    3. The Reseed Routine: Combines the previous seed material with external entropy to generate a new seed.
    4. The Generate Routine: Generates up to CSRNG_MAX_GENERATE random bits. If called with prediction_resistance_flag, forces a reseed.
    5. The Update Routine: Updates the internal state of the DRNG instance after each generate call.
  3. State vectors for each DRNG instance.

  4. Interface logic and access control for each instance.

Note on the term “Entropy”

Every DRNG requires some initial seed material, and the requirements for the generation of that seed material varies greatly between standards, and potentially between CC security targets. In all standards considered, DRNG’s require some “entropy” from an external source to create the initial seed. However, the rules for obtaining said entropy differ. Furthermore the required delivery mechanisms differ. For this reason we must make a clear distinction between “Physical” (or “Live” or “True”) entropy and “Factory Entropy”. This distinction is most important when considering the creation of IP which is both compatible with both the relatively new SP 800-90 recommendations, as well as the well-established FIPS 140-2 guidelines.

  • Physical entropy is the only type of “entropy” described in SP 800-90. The means of generation is described in SP 800-90B. One statistical test requirement is that physical entropy must be unique between reboot cycles, ruling out sources such as one-time programmable (OTP) memories. In SP 800-90A, the delivery mechanism must come through a dedicated interface and “not be provided by the consuming application”.

  • Factory entropy is a type of entropy described in the FIPS 140-2 implementation guidance (IG) section 7.14, resolution point 2(a). It can be stored in a persistent memory, programmed at the factory. In some use cases, the consuming application needs to explicitly load this entropy itself and process it to establish the expected seed.

This document aims to make the distinction between physical entropy and factory entropy wherever possible. However, if used unqualified, the term “entropy” should be understood to refer to physical entropy strings which are obtained in accordance with SP 800-90C. That is either physical entropy, or the output of a DRNG which itself has been seeded (and possibly reseeded) with physical entropy. In CC terms, “entropy strings” (when used in this document without a qualifier) should be understood to come from either a PTG.2 or PTG.3 class RNG.

Compatibility

None.

Theory of Operations

The CSRNG block has been constructed to follow the NIST recommendation for a DRBG mechanism based on block ciphers. Specifically, it is a CTR_DRBG that uses an approved block cipher algorithm in counter mode. As such, the block diagram below makes reference to hardware blocks that either directly or closely follow NIST descriptions for the equivalent functions.

There are two major hardware interfaces: the application interface and the entropy request interface. The application interface, which is described in more detail later, is provided for an application to manage an instance in CSRNG. Once setup, the application interface user can request for entropy bits to be generated, as well as other functions. The application interface supports up to 15 hardware interfaces, and one software interface.

A walk through of how CSRNG generates entropy bits begins with the application interface. An instantiate command is issued from one of the application interfaces. This request moves into the cmd_stage block. Here the request is arbitrated between all of the cmd_stage blocks. The winner will get its command moved into the command dispatch logic. A common state machine will process all application interface commands in order of arbitration. At this point, some seed entropy may be required depending on the command and any flags. If needed, a request to the entropy source hardware interface will be made. This step can take milliseconds if seed entropy is not immediately available. Once all of the prerequisites have been collected, a CTR_DRBG command can be launched. This command will go into the ctr_drbg_cmd block. This ctr_drbg_cmd block uses two NIST-defined functions, the update and the block_encrypt functions. If the command is a generate, the ctr_drbg_cmd block will process the first half of the algorithm, and then pass it on to the ctr_drbg_gen block. Additionally, the ctr_drbg_gen block also uses the update block and the block_encrypt block. To keep resources to a minimum, both of these blocks have arbiters to allow sharing between the ctr_drbg_cmd and ctr_drbg_gen blocks. The command field called ccmd (for current command) is sent along the pipeline to not only identify the command, but is also reused as a routing tag for the arbiters to use when returning the block response.

Once the command has traversed through all of the CTR_DRBG blocks, the result will eventually land into the state_db block. This block will hold the instance state for each application interface. The specific state information held in the instance is documented below. If the command was a generate command, the genbits data word will be returned to the requesting cmd_stage block. Finally, an ack response and status will be returned to the application interface once the command has been completely processed.

Block Diagram

CSRNG Block Diagram

Hardware Interfaces

Referring to the Comportable guideline for peripheral device functionality, the module csrng has the following hardware interfaces defined.

Primary Clock: clk_i

Other Clocks: none

Bus Device Interfaces (TL-UL): tl

Bus Host Interfaces (TL-UL): none

Peripheral Pins for Chip IO: none

Interrupts:

Interrupt NameDescription
cs_cmd_req_done

Asserted when a command request is completed.

cs_entropy_req

Asserted when a request for entropy has been made.

cs_hw_inst_exc

Asserted when a hardware-attached CSRNG instance encounters a command exception

cs_fatal_err

Asserted when a FIFO error or a fatal alert occurs. Check the ERR_CODE register to get more information.

Security Alerts:

Alert NameDescription
recov_alert

This alert is triggered when a recoverable alert occurs. Check the RECOV_ALERT_STS register to get more information.

fatal_alert

This alert triggers (i) if an illegal state machine state is reached, or (ii) if an AES fatal alert condition occurs, or (iii) if a fatal integrity failure is detected on the TL-UL bus.

The table below lists other CSRNG signals.

Signal Direction Type Description
otp_en_csrng_sw_app_read_i input otp_en_t An efuse that will enable firmware to access the NIST ctr_drbg internal state and genbits through registers.
lc_hw_debug_en_i input lc_tx_t A life-cycle that will select which diversification value is used for xoring with the seed from ENTROPY_SRC.
entropy_src_hw_if_o output entropy_src_hw_if_req_t Seed request made to the ENTROPY_SRC module.
entropy_src_hw_if_i input entropy_src_hw_if_rsp_t Seed response from the ENTROPY_SRC module.
cs_aes_halt_i input cs_aes_halt_req_t Request to CSRNG from ENTROPY_SRC to halt requests to the AES block for power leveling purposes.
cs_aes_halt_o output cs_aes_halt_rsp_t Response from CSRNG to ENTROPY_SRC that all requests to AES block are halted.
csrng_cmd_i input csrng_req_t Application interface request to CSRNG from an EDN block.
csrng_cmd_o output csrng_rsp_t Application interface response from CSRNG to an EDN block.

Design Details

Non-blocking Commands

Regarding command processing, all commands process immediately except for the generate command. The command generate length count (glen) is kept in the cmd_stage block. When the state_db block issues an ack to the cmd_stage block, the cmd_stage block increments an internal counter. This process repeats until the glen field value has been matched. Because each request is pipelined, requests from other cmd_stage blocks can be processed before the original generate command is completely done. This provides some interleaving of commands since a generate command can be programmed to take a very long time.

Working State Values

The state_db has the follow attributes shown in the following table:

State Instance Description
Bits Name Description
31:0 Reseed Counter Value required by NIST to be held in the state instance.
159:32 V Value required by NIST to be held in the state instance, and is of size BlockLen.
415:160 Key Value required by NIST to be held in the state instance, and is of size SeedLen.
416 Status Set when instantiated.
417 Compliance Set when FIPS/CC compliant entropy was used to seed this instance.

AES Cipher

The block_encrypt block is where the aes_cipher_core block is located. This is the same block used in the AES design. Parameters are selected such that this is the unmasked version.

Software Support

The software application interface uses a set of TL-UL registers to send commands and receive generated bits. Since the registers are 32-bit words wide, some sequencing will need to be done by firmware to make this interface work properly.

Application Interface

This section describes the application interface, which is required for performing any operations using a CSRNG instance (i.e. instantiation, reseeding, RNG generation, or uninstantiation). Each CSRNG instance corresponds to a unique application interface port, which implements the application interface described here. Any hardware peripherals which require complete control of an instance may connect directly to a dedicated interface port. Meanwhile peripherals without any special requirements (i.e. personalization strings or non-FIPS-approved, fully-deterministic number sequences) may share access to an instance via the entropy distribution network (EDN) IP. The EDN’s manage the instantiation and reseeding of CSRNG instances for general use-cases, providing either on-demand or timed-delivery entropy streams to hardware peripherals. Firmware applications can obtain access to random bit sequences directly through application interface port 0, which is directly mapped to a set of TL-UL registers.

The total number of application interface ports (for TL-UL, directly attached peripherals or EDN instances) is determined by the NHwApp parameter.

The command bus operates like a FIFO, in which a command is pushed into the interface. An optional stream of additional data may follow, such as seed material for an instantiate application command. For the generate application command, the obfuscated entropy will be returned on the genbits bus. This bus also operates like a FIFO, and the receiving module can provide back pressure to the genbits bus. There is one instance of a firmware application interface, and uses the TL-UL registers. For more details on how the application interface works, see the Theory of Operations section above.

In general, users of the application interface are either firmware or some hardware module entity. For hardware, a module can either directly control the application interface, or it can connect to an entropy distribution networkmodule (EDN). Attaching to an EDN block allows for a simpler interface connection to a more layout-friendly distributed-chip network.

General Command Format

The general format for the application interface is a 32-bit command header, optionally followed by additional data, such as a personalization string, typically twelve 32-bit words in length. Depending on the command, these strings are typically required to be 384-bits in length, to match the size of the seed-length when operating with 256-bit security-strength. The exact function of the additional data field depends in the command. However, in general, the additional data can be any length as specified by the command length field. The command header is defined below.

Command Header

The application interface requires that a 32-bit command header be provided to instruct the CSRNG how to manage the internal working states. Below is a description of the fields of this header:

Application Interface Command Header
Bits Name Description
3:0 acmd Application Command: Selects one of five operations to perform. The commands supported are instantiate, reseed, generate, update, and uninstantiate. Each application interface port used by peripheral hardware commands a unique instance number in CSRNG.
7:4 clen Command Length: Number of 32-bit words that can optionally be appended to the command. A value of zero will only transfer the command header. A value of 4'hc will transfer the header plus an additional twelve 32-bit words of data.
11:8 flags Command Flags: Specific flags associated with a command. Used to allow additional features per command. Flags are defined as flag0, flag1, flag2, and flag3, where flag0 is bit 8, and flag1 is bit 9, etc. Note that flag0 is used for the instantiate command. All others are reserved.
30:12 glen Generate Length: Only defined for the generate command, this field is the total number of crytographic entropy bits requested. The NIST reference name is max_number_of_bit_per_request, and this field size supports the maximum size allowed. Each unit represents 128 bits of entropy returned. For example, a value of 8 would return a total of 1024 bits. The maximum value for this field is 219.
31 resv Unused and reserved.

Command Description

The command field of the application command header is described in detail in the table below. The actions performed by each command, as well as which flags are supported, are described in this table.

Application Interface Command Description
Command Name Encoded Value Description
Instantiate 0x1 Initializes an instance in CSRNG. When seeding, the following table describes how the seed is determined based on flag0 and the clen field. Note that the last table entry (flag0 is set and clen is set to non-zero) is intended for known answer testing (KAT). WARNING: Though flag0 may be useful for generating fully-determininistic bit sequences, the use of this flag will render the instance non-FIPS compliant until it is re-instantiated. When the Instantiate command is completed, the active bit in the CSRNG working state will be set.
flag0clenDescription
00Only entropy source seed is used.
01-12Entropy source seed is xor'ed with provided additional data.
10Seed of zero is used (no entropy source seed used).
11-12Only provided additional data will be used as seed.
Reseed 0x2 Reseeds an existing instance in CSRNG. The flag0 and clen table in the Instance command description above also applies to the Reseed command. Note that the last table entry (flag0 is set and clen is set to non-zero) is intended for known answer testing (KAT). The reseed command only takes in one group (a maximum of twelve 32 bit words) of generic additional data. In that case that both a seed and additional data must be provided to the reseed call, the seed and additional data must be xor'ed first. This scenario will then pass the NIST vector test requiring both a provided seed and additional data.
Generate 0x3 Starts a request to CSRNG to generate crytographic entropy bits. The glen field represents how many 128-bit words are to be returned to the application interface. The glen field needs to be a minimum value of one. The NIST reference to the prediction_resistance_flag is not directly supported as a flag. It is the resposibility of the calling application to reseed as needed before the generate command to properly support prediction resistance. Note that additional data is also supported when the clen field is set to non-zero.
Update 0x4 Updates an existing instance in CSRNG. This command does the same function as the reseed command, except that:
  1. only the additional data provided will be used in the update function (i.e. no physical entropy is gathered), and
  2. the update command does not reset the reseed counter.
When the update command is completed, the results will be reflected in the CSRNG working state.
Uninstantiate 0x5 Resets an instance in CSRNG. Values in the instance are zeroed out. When the uninstantiate comand is completed, the active bit in the CSRNG working state will be cleared. Uninstantiating an instance effectively resets it, clearing any errors that it may have encountered due to bad command syntax or entropy source failures.
Reserved 0x0,0x6-0xf Unused and reserved.

Command Response

Once a command has been completed, successfully or unsuccessfully, the CSRNG responds with a single cycle pulse on the csrng_rsp_ack signal associated with the same application interface port. If the command is successful the csrng_rsp_sts signal will indicate the value 0 (CSRNG_OK) in the same cycle. Otherwise the application will receive the value 1 (CSRNG_ERROR) on the csrng_rsp_sts signal. A number of exception cases to be considered are enumerated in NIST SP 800-90A, and may include events such as:

  • Failure of the entropy source
  • Attempts to use an instance which has not been properly instantiated, or
  • Attempts to generate data when an instance has exceeded its maximum seed.life. In such cases, a 32-bit exception message will be propagated to firmware via the hw_exc_sts register, and a cs_hw_inst_exc interrupt will be raised.

Generated Bits (genbits) Interface

In addition to the command response signals there is all the bus for returning the generated bits. This 129-bit bus consists of 128-bits, genbits_bus, for the random bit sequence itself, along with a single bit flag, genbits_fips, indicating whether the bits were considered fully in accordance with FIPS standards.

There are two cases when the sequence will not be FIPS compliant:

  • Early in the boot sequence, the ENTROPY_SRC generates a seed from the first 384 bits pulled from the noise source. This initial seed is tested to ensure some minimum quality for obfuscation use- cases, but this boot seed is not expected to be full-entropy nor do these health checks meet the 1024-bit requirement for start-up health checks required by NIST 800-90B.
  • If flag0 is asserted during instantiation, the resulting DRBG instance will have a fully-deterministic seed, determined only by user input data. Such a seed will be created only using factory-entropy and will lack the physical-entropy required by NIST SP 800-90A, and thus this DRBG instance will not be FIPS compliant.

Handshaking signals

The application command signal csrng_req_bus is accompanied by a csrng_valid_signal, which is asserted by the requester when the command is valid. CSRNG may stall incoming commands by desserting the csrng_req_ready signal. A command is considered received whenever both csrng_req_valid and csrng_req_ready are asserted in the same clock cycle.

Likewise a requester must only consider data on the genbits bus to be valid when the genbits_valid signal is asserted, and should assert genbits_ready whenever it is ready to accept the genbits data. The genbits data is considered successfully transmitted whenever genbits_valid and genbits_ready are asserted in the same clock cycle.

A requester must always be ready to receive csrng_req_sts signals. (There is no “ready” signal for command response messages sent to hardware.)

Waveforms

Application Interface: Instantiate Request
Application Interface: Reseed Request
Application Interface: Generate Request
Application Interface: Update Request
Application Interface: Uninstantiate Request
Entropy Source Hardware Interface

The following waveform shows an example of how the entropy source hardware interface works.

Interrupts

The cs_cmd_req_done interrupt will assert when a csrng command has been completed.

The cs_entropy_req interrupt will assert when csrng requests for entropy from ENTROPY_SRC.

The cs_hw_inst_exc interrupt will assert when any of the hardware-controlled CSRNG instances encounters an exception while executing a command, either due to errors on the command sequencing, or an exception within the ENTROPY_SRC IP.

The cs_fifo_err interrupt will assert when any of the csrng FIFOs has a malfunction. The conditions that cause this to happen are either when there is a push to a full FIFO or a pull from an empty FIFO.

Programmers Guide

Initialization

The following code snippet demonstrates initializing the CSRNG block.

void csrng_init(unsigned int enable) {

  // set the control register enable bit
  *CTRL_REG = enable; // should be 0x1 by default

  // the CSRNG interrupts can optionally be enabled
}

Register Table

csrng.INTR_STATE @ 0x0

Interrupt State Register

Reset default = 0x0, mask 0xf
31302928272625242322212019181716
 
1514131211109876543210
  cs_fatal_err cs_hw_inst_exc cs_entropy_req cs_cmd_req_done
BitsTypeResetNameDescription
0rw1c0x0cs_cmd_req_done

Asserted when a command request is completed.

1rw1c0x0cs_entropy_req

Asserted when a request for entropy has been made.

2rw1c0x0cs_hw_inst_exc

Asserted when a hardware-attached CSRNG instance encounters a command exception

3rw1c0x0cs_fatal_err

Asserted when a FIFO error or a fatal alert occurs. Check the ERR_CODE register to get more information.


csrng.INTR_ENABLE @ 0x4

Interrupt Enable Register

Reset default = 0x0, mask 0xf
31302928272625242322212019181716
 
1514131211109876543210
  cs_fatal_err cs_hw_inst_exc cs_entropy_req cs_cmd_req_done
BitsTypeResetNameDescription
0rw0x0cs_cmd_req_done

Enable interrupt when INTR_STATE.cs_cmd_req_done is set.

1rw0x0cs_entropy_req

Enable interrupt when INTR_STATE.cs_entropy_req is set.

2rw0x0cs_hw_inst_exc

Enable interrupt when INTR_STATE.cs_hw_inst_exc is set.

3rw0x0cs_fatal_err

Enable interrupt when INTR_STATE.cs_fatal_err is set.


csrng.INTR_TEST @ 0x8

Interrupt Test Register

Reset default = 0x0, mask 0xf
31302928272625242322212019181716
 
1514131211109876543210
  cs_fatal_err cs_hw_inst_exc cs_entropy_req cs_cmd_req_done
BitsTypeResetNameDescription
0wo0x0cs_cmd_req_done

Write 1 to force INTR_STATE.cs_cmd_req_done to 1.

1wo0x0cs_entropy_req

Write 1 to force INTR_STATE.cs_entropy_req to 1.

2wo0x0cs_hw_inst_exc

Write 1 to force INTR_STATE.cs_hw_inst_exc to 1.

3wo0x0cs_fatal_err

Write 1 to force INTR_STATE.cs_fatal_err to 1.


csrng.ALERT_TEST @ 0xc

Alert Test Register

Reset default = 0x0, mask 0x3
31302928272625242322212019181716
 
1514131211109876543210
  fatal_alert recov_alert
BitsTypeResetNameDescription
0wo0x0recov_alert

Write 1 to trigger one alert event of this kind.

1wo0x0fatal_alert

Write 1 to trigger one alert event of this kind.


csrng.REGWEN @ 0x10

Register write enable for all control registers

Reset default = 0x1, mask 0x1
31302928272625242322212019181716
 
1514131211109876543210
  REGWEN
BitsTypeResetNameDescription
0rw0c0x1REGWEN

When true, all writeable registers can be modified. When false, they become read-only.


csrng.CTRL @ 0x14

Control register

Reset default = 0x555, mask 0xfff
Register enable = REGWEN
31302928272625242322212019181716
 
1514131211109876543210
  READ_INT_STATE SW_APP_ENABLE ENABLE
BitsTypeResetNameDescription
3:0rw0x5ENABLE

Setting this field to kMuBi4True will enable the CSRNG module.

7:4rw0x5SW_APP_ENABLE

Setting this field to kMuBi4True will enable reading from the GENBITS register. This application interface for software (register based) will be enabled only if the efuse_sw_app_enable input is set.

11:8rw0x5READ_INT_STATE

Setting this field to kMuBi4True will enable reading from the INT_STATE_VAL register. Reading the internal state of the enable instances will be enabled only if the efuse_sw_app_enable input is set.


csrng.CMD_REQ @ 0x18

Command request register

Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
CMD_REQ...
1514131211109876543210
...CMD_REQ
BitsTypeResetNameDescription
31:0woxCMD_REQ

Writing this request with defined CSRNG commands will initiate all possible CSRNG actions. The application interface must wait for the "ack" to return before issuing new commands.


csrng.SW_CMD_STS @ 0x1c

Application interface command status register

Reset default = 0x1, mask 0x3
31302928272625242322212019181716
 
1514131211109876543210
  CMD_STS CMD_RDY
BitsTypeResetNameDescription
0ro0x1CMD_RDY

This bit indicates when the command interface is ready to accept commands.

1ro0x0CMD_STS

This one bit field is the status code returned with the application command ack. It is updated each time a command ack is asserted on the internal application interface for software use. 0b0: Request completed successfully 0b1: Request completed with an error


csrng.GENBITS_VLD @ 0x20

Generate bits returned valid register

Reset default = 0x0, mask 0x3
31302928272625242322212019181716
 
1514131211109876543210
  GENBITS_FIPS GENBITS_VLD
BitsTypeResetNameDescription
0roxGENBITS_VLD

This bit is set when genbits are available on this application interface.

1roxGENBITS_FIPS

This bit is set when genbits are FIPS/CC compliant.


csrng.GENBITS @ 0x24

Generate bits returned register

Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
GENBITS...
1514131211109876543210
...GENBITS
BitsTypeResetNameDescription
31:0roxGENBITS

Reading this register will get the generated bits that were requested with the generate request. This register must be four times for each request number made. For example, a application command generate request with a creq value of 4 requires this register to be read 16 times to get all of the data out of the FIFO path.


csrng.INT_STATE_NUM @ 0x28

Internal state number register

Reset default = 0x0, mask 0xf
31302928272625242322212019181716
 
1514131211109876543210
  INT_STATE_NUM
BitsTypeResetNameDescription
3:0rwxINT_STATE_NUM

Setting this field will set the number for which internal state can be selected for a read access. Up to 16 internal state values can be chosen from this register. The actual number of valid internal state fields is set by parameter NHwApps plus 1 software app. For those selections that point to reserved locations (greater than NHwApps plus 1), the returned value will be zero. Writing this register will also reset the internal read pointer for the INT_STATE_VAL register. Note: This register should be read back after being written to ensure that the INT_STATE_VAL read back is accurate.


csrng.INT_STATE_VAL @ 0x2c

Internal state read access register

Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
INT_STATE_VAL...
1514131211109876543210
...INT_STATE_VAL
BitsTypeResetNameDescription
31:0roxINT_STATE_VAL

Reading this register will dump out the contents of the selected internal state field. Since the internal state field is 448 bits wide, it will require 14 reads from this register to gather the entire field. Once 14 reads have been done, the internal read pointer (selects 32 bits of the 448 bit field) will reset to zero. The INT_STATE_NUM can be re-written at this time (internal read pointer is also reset), and then another internal state field can be read. Also, the life cycle state must be one where the signal "lc_hw_debug_en" is asserted in order to read any internal state field.


csrng.HW_EXC_STS @ 0x30

Hardware instance exception status register

Reset default = 0x0, mask 0x7fff
31302928272625242322212019181716
 
1514131211109876543210
  HW_EXC_STS
BitsTypeResetNameDescription
14:0rw0cxHW_EXC_STS

Reading this register indicates whether one of the CSRNG HW instances has encountered an exception. Each bit corresponds to a particular hardware instance, with bit 0 corresponding to instance HW0, bit 1 corresponding to instance HW1, and so forth. (To monitor the status of requests made to the SW instance, check the CMD_STS register). Writing a zero to this register resets the status bits.


csrng.RECOV_ALERT_STS @ 0x34

Recoverable alert status register

Reset default = 0x0, mask 0x7
31302928272625242322212019181716
 
1514131211109876543210
  READ_INT_STATE_FIELD_ALERT SW_APP_ENABLE_FIELD_ALERT ENABLE_FIELD_ALERT
BitsTypeResetNameDescription
0rw0cxENABLE_FIELD_ALERT

This bit is set when the ENABLE field in the CTRL register is set to a value other than 0x5 or 0xA. Writing a zero resets this status bit.

1rw0cxSW_APP_ENABLE_FIELD_ALERT

This bit is set when the SW_APP_ENABLE field in the CTRL register is set to a value other than 0x5 or 0xA. Writing a zero resets this status bit.

2rw0cxREAD_INT_STATE_FIELD_ALERT

This bit is set when the READ_INT_STATE field in the CTRL register is set to a value other than 0x5 or 0xA. Writing a zero resets this status bit.


csrng.ERR_CODE @ 0x38

Hardware detection of error conditions status register

Reset default = 0x0, mask 0x73f0ffff
31302928272625242322212019181716
  FIFO_STATE_ERR FIFO_READ_ERR FIFO_WRITE_ERR   AES_CIPHER_SM_ERR DRBG_UPDOB_SM_ERR DRBG_UPDBE_SM_ERR DRBG_GEN_SM_ERR MAIN_SM_ERR CMD_STAGE_SM_ERR  
1514131211109876543210
SFIFO_BLKENC_ERR SFIFO_GGENBITS_ERR SFIFO_GADSTAGE_ERR SFIFO_GGENREQ_ERR SFIFO_GRCSTAGE_ERR SFIFO_GBENCACK_ERR SFIFO_FINAL_ERR SFIFO_PDATA_ERR SFIFO_BENCACK_ERR SFIFO_BENCREQ_ERR SFIFO_UPDREQ_ERR SFIFO_KEYVRC_ERR SFIFO_RCSTAGE_ERR SFIFO_CMDREQ_ERR SFIFO_GENBITS_ERR SFIFO_CMD_ERR
BitsTypeResetNameDescription
0roxSFIFO_CMD_ERR

This bit will be set to one when an error has been detected for the command stage command FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

1roxSFIFO_GENBITS_ERR

This bit will be set to one when an error has been detected for the command stage genbits FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

2roxSFIFO_CMDREQ_ERR

This bit will be set to one when an error has been detected for the cmdreq FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

3roxSFIFO_RCSTAGE_ERR

This bit will be set to one when an error has been detected for the rcstage FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

4roxSFIFO_KEYVRC_ERR

This bit will be set to one when an error has been detected for the keyvrc FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

5roxSFIFO_UPDREQ_ERR

This bit will be set to one when an error has been detected for the updreq FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

6roxSFIFO_BENCREQ_ERR

This bit will be set to one when an error has been detected for the bencreq FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

7roxSFIFO_BENCACK_ERR

This bit will be set to one when an error has been detected for the bencack FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

8roxSFIFO_PDATA_ERR

This bit will be set to one when an error has been detected for the pdata FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

9roxSFIFO_FINAL_ERR

This bit will be set to one when an error has been detected for the final FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

10roxSFIFO_GBENCACK_ERR

This bit will be set to one when an error has been detected for the gbencack FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

11roxSFIFO_GRCSTAGE_ERR

This bit will be set to one when an error has been detected for the grcstage FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

12roxSFIFO_GGENREQ_ERR

This bit will be set to one when an error has been detected for the ggenreq FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

13roxSFIFO_GADSTAGE_ERR

This bit will be set to one when an error has been detected for the gadstage FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

14roxSFIFO_GGENBITS_ERR

This bit will be set to one when an error has been detected for the ggenbits FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

15roxSFIFO_BLKENC_ERR

This bit will be set to one when an error has been detected for the blkenc FIFO. The type of error is reflected in the type status bits (bits 28 through 30 of this register). This bit will stay set until firmware clears it.

19:16Reserved
20roxCMD_STAGE_SM_ERR

This bit will be set to one when an illegal state has been detected for the command stage state machine. This error will signal a fatal alert, and also an interrupt if enabled. This bit will stay set until firmware clears it.

21roxMAIN_SM_ERR

This bit will be set to one when an illegal state has been detected for the main state machine. This error will signal a fatal alert, and also an interrupt if enabled. This bit will stay set until firmware clears it.

22roxDRBG_GEN_SM_ERR

This bit will be set to one when an illegal state has been detected for the ctr_dbrg gen state machine. This error will signal a fatal alert, and also an interrupt if enabled. This bit will stay set until firmware clears it.

23roxDRBG_UPDBE_SM_ERR

This bit will be set to one when an illegal state has been detected for the ctr_dbrg update block encode state machine. This error will signal a fatal alert, and also an interrupt if enabled. This bit will stay set until firmware clears it.

24roxDRBG_UPDOB_SM_ERR

This bit will be set to one when an illegal state has been detected for the ctr_dbrg update out block state machine. This error will signal a fatal alert, and also an interrupt if enabled. This bit will stay set until firmware clears it.

25roxAES_CIPHER_SM_ERR

This bit will be set to one when an AES fatal error has been detected. This error will signal a fatal alert, and also an interrupt if enabled. This bit will stay set until firmware clears it.

27:26Reserved
28roxFIFO_WRITE_ERR

This bit will be set to one when any of the source bits (bits 0 through 15 of this this register) are asserted as a result of an error pulse generated from any full FIFO that has been recieved a write pulse. This bit will stay set until firmware clears it.

29roxFIFO_READ_ERR

This bit will be set to one when any of the source bits (bits 0 through 15 of this this register) are asserted as a result of an error pulse generated from any empty FIFO that has recieved a read pulse. This bit will stay set until firmware clears it.

30roxFIFO_STATE_ERR

This bit will be set to one when any of the source bits (bits 0 through 15 of this this register) are asserted as a result of an error pulse generated from any FIFO where both the empty and full status bits are set. This bit will stay set until firmware clears it.


csrng.ERR_CODE_TEST @ 0x3c

Test error conditions register

Reset default = 0x0, mask 0x1f
Register enable = REGWEN
31302928272625242322212019181716
 
1514131211109876543210
  ERR_CODE_TEST
BitsTypeResetNameDescription
4:0rwxERR_CODE_TEST

Setting this field will set the bit number for which an error will be forced in the hardware. This bit number is that same one found in the ERR_CODE register. The action of writing this register will force an error pulse. The sole purpose of this register is to test that any error properly propagates to either an interrupt or an alert.


csrng.SEL_TRACKING_SM @ 0x40

Select debug tracking state machine register

Reset default = 0x0, mask 0x3
31302928272625242322212019181716
 
1514131211109876543210
  SEL_TRACKING_SM
BitsTypeResetNameDescription
1:0woxSEL_TRACKING_SM

These encoded bits will select one of four groups of state machine tracking registers. Each tracking debug field is 8 bits wide, so up to four debug fields can be observed at one time. Each tracking field will follow a per instance csrng application command through the csrng design unit.


csrng.TRACKING_SM_OBS @ 0x44

CSRNG application command tracking state machine observation register

Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
TRACKING_SM_OBS3 TRACKING_SM_OBS2
1514131211109876543210
TRACKING_SM_OBS1 TRACKING_SM_OBS0
BitsTypeResetNameDescription
7:0ro0x0TRACKING_SM_OBS0

This field will hold csrng command tracking state machine status, This field holds tracking information for instance 0 if the SEL_TRACKING_SM register is set to 0. If more than 4 instances are active, then the selection register can be programmed to select up to 3 other groups. The life cycle state must be set to debug state to read this field.

15:8ro0x0TRACKING_SM_OBS1

This field will hold csrng command tracking state machine status, This field holds tracking information for instance 1 if the SEL_TRACKING_SM register is set to 0. If more than 4 instances are active, then the selection register can be programmed to select up to 3 other groups. The life cycle state must be set to debug state to read this field.

23:16ro0x0TRACKING_SM_OBS2

This field will hold csrng command tracking state machine status, This field holds tracking information for instance 2 if the SEL_TRACKING_SM register is set to 0. If more than 4 instances are active, then the selection register can be programmed to select up to 3 other groups. The life cycle state must be set to debug state to read this field.

31:24ro0x0TRACKING_SM_OBS3

This field will hold csrng command tracking state machine status, This field holds tracking information for instance 3 if the SEL_TRACKING_SM register is set to 0. If more than 4 instances are active, then the selection register can be programmed to select up to 3 other groups. The life cycle state must be set to debug state to read this field.