Intel® 82802 Firmware Hub

"What is the 82802?" The easiest way for me to answer that is to quote directly from the Datasheet:

The Intel® 82802 Firmware Hub (FWH) discrete component is compatible with several Intel chipset platforms and a variety of applications. The device operates under the LPC/FWH interface/protocol. The hardware features of this device include a Random Number Generator (RNG), five General-Purpose Inputs (GPIs), register-based block locking, and hardware-based locking. This combination of logic features and non-volatile memory enables better protection for the storage and update of platform code and data, adds platform flexibility through additional GPIs, and allows for quicker introduction of new security/manageability features into current and future platforms. The platform RNG, accessed through the Intel® Security Driver and third-party software, enables security features for the PC platform. See the product features listed previously for a list of more key features that the Intel FWH provides.

For my purposes, it is the Random Number Generator that I am interested it. For details on how to use the RNG, see this document.

The Driver

WARNING!!! Use at your own risk! For all I know, use of this driver may cause global warming :-). That said, it works fine for me on my Asus CUSL2 motherboard, running FreeBSD-STABLE, I don't know how it would behave on CURRENT.

The driver currently supports reading directly via /dev/rng, or indirectly via kern_random (/dev/random). See the TODO list to see what I feature I would like to add to this.

To install, follow the steps listed below.

Download the source

Date Release Checksum Notes

2002/09/19 0.0.0 MD5 (rng0-0-0.tgz) = 2f117ecbf11f53fbd15e0c4b0c1d6544 First alpha release

Date	Release	Checksum	Notes
2002/09/19	0.0.0	MD5 (rng0-0-0.tgz) = 2f117ecbf11f53fbd15e0c4b0c1d6544	First alpha release

Unpack the source

# tar xzf rng.tgz
#

Build the KLD

WARNING!!! Only use the KLD, don't compile this driver into the kernel, and don't try to load the KLD from the boot loader. Wait until your kernel is up and running before you load the KLD.

After the source is unpacked, cd to the rng/modules/rng directory and type "make". That should be all there is to it.

# cd rng/modules/rng
# make
Warning: Object directory not changed from original /home/stacy/work/rng/modules
/rng
@ -> /usr/src/sys
machine -> /usr/src/sys/i386/include
perl @/kern/makeops.pl -h @/kern/bus_if.m
perl @/kern/makeops.pl -h @/pci/pci_if.m
perl @/kern/makeops.pl -h @/kern/device_if.m
cc -O -pipe  -g  -D_KERNEL -Wall -Wredundant-decls -Wnested-externs -Wstrict-pro
totypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-ext
ensions -ansi -DKLD_MODULE -nostdinc -I-  -I. -I@ -I@/../include -I/usr/include 
-mpreferred-stack-boundary=2 -Wall -Wredundant-decls -Wnested-externs -Wstrict-p
rototypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-e
xtensions -ansi -c /home/stacy/work/rng/modules/rng/../../dev/rng/rng.c
/home/stacy/work/rng/modules/rng/../../dev/rng/rng.c:156: warning: initializatio
n makes pointer from integer without a cast
/home/stacy/work/rng/modules/rng/../../dev/rng/rng.c: In function `fips_tests':
/home/stacy/work/rng/modules/rng/../../dev/rng/rng.c:261: warning: unused variab
le `d'
/home/stacy/work/rng/modules/rng/../../dev/rng/rng.c: In function `rng_timeout':
/home/stacy/work/rng/modules/rng/../../dev/rng/rng.c:392: warning: unused variab
le `i'
cc -O -pipe  -g  -D_KERNEL -Wall -Wredundant-decls -Wnested-externs -Wstrict-pro
totypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-ext
ensions -ansi -DKLD_MODULE -nostdinc -I-  -I. -I@ -I@/../include -I/usr/include 
-mpreferred-stack-boundary=2 -Wall -Wredundant-decls -Wnested-externs -Wstrict-p
rototypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-e
xtensions -ansi -c /home/stacy/work/rng/modules/rng/../../dev/rng/monobit.c
/home/stacy/work/rng/modules/rng/../../dev/rng/monobit.c:40: warning: no previou
s prototype for `fips_monobit_test'
cc -O -pipe  -g  -D_KERNEL -Wall -Wredundant-decls -Wnested-externs -Wstrict-pro
totypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-ext
ensions -ansi -DKLD_MODULE -nostdinc -I-  -I. -I@ -I@/../include -I/usr/include 
-mpreferred-stack-boundary=2 -Wall -Wredundant-decls -Wnested-externs -Wstrict-p
rototypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-e
xtensions -ansi -c /home/stacy/work/rng/modules/rng/../../dev/rng/poker.c
/home/stacy/work/rng/modules/rng/../../dev/rng/poker.c:40: warning: no previous 
prototype for `fips_poker_test'
cc -O -pipe  -g  -D_KERNEL -Wall -Wredundant-decls -Wnested-externs -Wstrict-pro
totypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-ext
ensions -ansi -DKLD_MODULE -nostdinc -I-  -I. -I@ -I@/../include -I/usr/include 
-mpreferred-stack-boundary=2 -Wall -Wredundant-decls -Wnested-externs -Wstrict-p
rototypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-e
xtensions -ansi -c /home/stacy/work/rng/modules/rng/../../dev/rng/runs.c
/home/stacy/work/rng/modules/rng/../../dev/rng/runs.c:42: warning: no previous p
rototype for `fips_runs_test'
/home/stacy/work/rng/modules/rng/../../dev/rng/runs.c:88: warning: no previous p
rototype for `fips_long_run_test'
ld  -r -o rng.kld rng.o monobit.o poker.o runs.o
gensetdefs rng.kld
cc -O -pipe  -g  -D_KERNEL -Wall -Wredundant-decls -Wnested-externs -Wstrict-pro
totypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-ext
ensions -ansi -DKLD_MODULE -nostdinc -I-  -I. -I@ -I@/../include -I/usr/include 
-mpreferred-stack-boundary=2 -Wall -Wredundant-decls -Wnested-externs -Wstrict-p
rototypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-e
xtensions -ansi -c setdef0.c
cc -O -pipe  -g  -D_KERNEL -Wall -Wredundant-decls -Wnested-externs -Wstrict-pro
totypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-ext
ensions -ansi -DKLD_MODULE -nostdinc -I-  -I. -I@ -I@/../include -I/usr/include 
-mpreferred-stack-boundary=2 -Wall -Wredundant-decls -Wnested-externs -Wstrict-p
rototypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -fformat-e
xtensions -ansi -c setdef1.c
ld -Bshareable  -o rng.ko setdef0.o rng.kld setdef1.o 
#

Create the device node

The driver uses 229 for the device major number.

# mknod /dev/rng c 229 0
# ls -l /dev/rng
crw-r--r--  1 root  wheel  229,   0 Sep  9 16:44 /dev/rng
#

Load the KLD

# kldload ./rng.ko
# dmesg | grep rng
rng0 on motherboard
: rng 20,000 bits in 270087 usec = 74 Kb/sec
rng0: passed fips tests
#

Of course, if you like it and want to keep using it, you will need to copy rng.ko to /modules and modify your rc scripts to load the module on boot up.

Test

There is a command line utility to preform the FIPS 140-1 tests (if you want the gorey details, see here). cd to the rng/dev/rng directory and type make. You should end up with a program called fips.

Without arguments, fips will test /dev/urandom.

# ./fips
/dev/urandom passed
#

You can specify the name of the file you want to test, like /dev/rng

# ./fips /dev/rng
/dev/rng passed
#

Or /dev/zero

# fips /dev/zero
failed monobit test
failed poker test
failed runs test
failed long run test
#

OK, maybe /dev/zero is a bad source of random data :-).

TODO List

These are in the order they popped into my head, not order of importance.

Imporove the identification of the chip.
Implement tuning options
- Size of buffer for random data.
- Whether or not to feed entropy to kern_random (/dev/random)
- Whether or not to abort driver initialization if FIPS 140-1 start up tests fail.
Port to Current.
It is possible to have up to four 82802s on a system, but currently the driver only looks for the first one.
Create a port for this.
other things I can't remember right now :-)

Feed Back

Please send feed back (good, bad or otherwise) to stacy@millions.ca.

Intel is a registered trademark of Intel Corporation in the United States and other countries.