diff --git a/hw/ip/entropy_src/data/entropy_src.hjson b/hw/ip/entropy_src/data/entropy_src.hjson index 7025fca19ff5af..030de5685b1d26 100644 --- a/hw/ip/entropy_src/data/entropy_src.hjson +++ b/hw/ip/entropy_src/data/entropy_src.hjson @@ -414,8 +414,6 @@ mubi: true, desc: ''' Setting this field to `kMultiBitBool4True` enables the single RNG bit mode, where only one bit is sampled. - Note that the ENTROPY_SRC block can only generate FIPS qualified entropy if this field is set to `kMultiBitBool4False`. - Additional requirements to generate FIPS qualified entropy are i) that !!CONF.FIPS_ENABLE is set to `kMultiBitBool4True`, and ii) that at most one of the !!ENTROPY_CONTROL.ES_ROUTE and !!ENTROPY_CONTROL.ES_TYPE fields but not both are set to `kMultiBitBool4True`. ''' resval: false }, @@ -458,10 +456,8 @@ When this field is `kMultiBitBool4False`, the hardware conditioning inside the ENTROPY_SRC block is enabled. Setting this field to `kMultiBitBool4True` will bypass the hardware conditioning. For this to work, also !!ENTROPY_CONTROL.ES_ROUTE needs to be set to `kMultiBitBool4True` to route the unconditioned, raw entropy to the !!ENTROPY_DATA register. - Alternatively, the hardware conditioning can be bypassed by setting !!CONF.FIPS_ENABLE to `kMultiBitBool4False` to disable FIPS mode and enable bypass / boot-time mode. - In both cases, the ENTROPY_SRC block will not generate FIPS qualified entropy. - - To generate FIPS qualified entropy, i) !!CONF.FIPS_ENABLE needs to be set to `kMultiBitBool4True`, ii) !!CONF.RNG_BIT_ENABLE needs to be set to `kMultiBitBool4False`, and iii) at most one of the !!ENTROPY_CONTROL.ES_ROUTE and !!ENTROPY_CONTROL.ES_TYPE fields needs to be set to `kMultiBitBool4True` but not both. + Alternatively, the hardware conditioning can be bypassed by setting !!CONF.FIPS_ENABLE to `kMultiBitBool4False`. + This enables the bypass / boot-time mode. ''' resval: false }, 
diff --git a/hw/ip/entropy_src/doc/registers.md b/hw/ip/entropy_src/doc/registers.md index 940d71e0b3e588..7de22440abcd30 100644 --- a/hw/ip/entropy_src/doc/registers.md +++ b/hw/ip/entropy_src/doc/registers.md @@ -269,8 +269,6 @@ This two bit field selects the RNG bit stream: ### CONF . RNG_BIT_ENABLE Setting this field to `kMultiBitBool4True` enables the single RNG bit mode, where only one bit is sampled. -Note that the ENTROPY_SRC block can only generate FIPS qualified entropy if this field is set to `kMultiBitBool4False`. -Additional requirements to generate FIPS qualified entropy are i) that [`CONF.FIPS_ENABLE`](#conf) is set to `kMultiBitBool4True`, and ii) that at most one of the [`ENTROPY_CONTROL.ES_ROUTE`](#entropy_control) and [`ENTROPY_CONTROL.ES_TYPE`](#entropy_control) fields but not both are set to `kMultiBitBool4True`. ### CONF . THRESHOLD_SCOPE This field controls the scope (either by-line or by-sum) of the health checks. 
@@ -314,10 +312,8 @@ Entropy control register When this field is `kMultiBitBool4False`, the hardware conditioning inside the ENTROPY_SRC block is enabled. Setting this field to `kMultiBitBool4True` will bypass the hardware conditioning. For this to work, also [`ENTROPY_CONTROL.ES_ROUTE`](#entropy_control) needs to be set to `kMultiBitBool4True` to route the unconditioned, raw entropy to the [`ENTROPY_DATA`](#entropy_data) register. -Alternatively, the hardware conditioning can be bypassed by setting [`CONF.FIPS_ENABLE`](#conf) to `kMultiBitBool4False` to disable FIPS mode and enable bypass / boot-time mode. -In both cases, the ENTROPY_SRC block will not generate FIPS qualified entropy. - -To generate FIPS qualified entropy, i) [`CONF.FIPS_ENABLE`](#conf) needs to be set to `kMultiBitBool4True`, ii) [`CONF.RNG_BIT_ENABLE`](#conf) needs to be set to `kMultiBitBool4False`, and iii) at most one of the [`ENTROPY_CONTROL.ES_ROUTE`](#entropy_control) and [`ENTROPY_CONTROL.ES_TYPE`](#entropy_control) fields needs to be set to `kMultiBitBool4True` but not both. +Alternatively, the hardware conditioning can be bypassed by setting [`CONF.FIPS_ENABLE`](#conf) to `kMultiBitBool4False`. +This enables the bypass / boot-time mode. ### ENTROPY_CONTROL . ES_ROUTE When this field is `kMultiBitBool4False`, the generated entropy will be forwarded out of this module to the hardware interface. diff --git a/hw/ip/entropy_src/doc/theory_of_operation.md b/hw/ip/entropy_src/doc/theory_of_operation.md index 7272a00734ad7c..ff7d944cbc6a11 100644 --- a/hw/ip/entropy_src/doc/theory_of_operation.md +++ b/hw/ip/entropy_src/doc/theory_of_operation.md 
@@ -12,6 +12,8 @@ After a reset, the ENTROPY_SRC block will start up in boot-time / bypass mode by This feature is designed to provide an initial seed's worth of entropy with lower latency than the normal FIPS/CC compliant health check process. Health testing will still be performed on boot-time mode entropy, but the window of checking is, by default, 384 bits instead of 2048 bits. When entropy is delivered to the downstream hardware block, a signal will indicate what type of entropy it is - FIPS/CC compliant or not. +This signal is determined by the `FIPS_FLAG` field in the [`CONF`](registers.md#conf). +When `FIPS_FLAG` is set to `kMultiBitBool4True`, the entropy_src will request high quality entropy from the noise source and set the entropy type signal at the output to high. Once the initial boot-time mode phase has completed, the ENTROPY_SRC block can be switched to FIPS/CC compliant mode (for simplicity referred to as FIPS mode) by setting the `FIPS_ENABLE` field in the [`CONF`](registers.md#conf) register to `kMultiBitBool4True`. In this mode, once the raw entropy has been health checked, it will be passed into a conditioner block.
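Review bot: in the `RNG_BIT_ENABLE` description (entropy_src.hjson @@ -414, mirrored in registers.md @@ -269), deleting both sentences leaves the field with no statement of how single RNG bit mode relates to the FIPS/CC indication on the output. If that indication now comes from `FIPS_FLAG`, as the theory_of_operation.md hunk of this patch says, replace the removed note with a one-line pointer to that field instead of dropping it without a successor, so that someone enabling single-bit mode can still find what decides whether the delivered entropy is marked as FIPS qualified.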
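Review bot: in the `ES_TYPE` description (entropy_src.hjson @@ -458, mirrored in registers.md @@ -314), the removed sentence "In both cases, the ENTROPY_SRC block will not generate FIPS qualified entropy." was the only text tying a bypassed conditioner to the entropy type, and the replacement is silent on it. Since theory_of_operation.md now says the type signal is determined by `FIPS_FLAG`, this description should state explicitly whether unconditioned entropy can be delivered with that signal asserted, and that software has to keep `FIPS_FLAG` consistent with `ES_TYPE` and `FIPS_ENABLE` if the hardware does not enforce it. The new "This enables the bypass / boot-time mode." also has an ambiguous "This"; naming the setting (`FIPS_ENABLE` set to `kMultiBitBool4False`) as the subject would remove the doubt.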
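Review bot: the first added sentence in theory_of_operation.md @@ -12 is missing its noun: "the `FIPS_FLAG` field in the [`CONF`](registers.md#conf)" should end with "register", as the unchanged `FIPS_ENABLE` sentence right after it does. No entropy_src.hjson or registers.md hunk in this patch adds a `FIPS_FLAG` field description, so please confirm the `registers.md#conf` link target actually documents the field. The second added sentence is vague in two places: "request high quality entropy from the noise source" does not say which interface signal carries the request, and "set the entropy type signal at the output to high" does not say what happens when `FIPS_FLAG` is `kMultiBitBool4False`. For consistency with the surrounding text, write "ENTROPY_SRC block" rather than "entropy_src".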