core: Use PRNG when generating random delays.

core/SConscript.bootloader

@@ -26,7 +26,9 @@ SOURCE_MOD += [
     'vendor/trezor-crypto/ed25519-donna/ed25519-donna-32bit-tables.c',
     'vendor/trezor-crypto/ed25519-donna/ed25519-donna-impl-base.c',
     'vendor/trezor-crypto/ed25519-donna/modm-donna-32bit.c',
+    'vendor/trezor-crypto/hmac_drbg.c',
     'vendor/trezor-crypto/memzero.c',
+    'vendor/trezor-crypto/rand.c',
     'vendor/trezor-crypto/sha2.c',
 ]
 

core/SConscript.prodtest

@@ -12,7 +12,10 @@ CPPPATH_MOD += [
     'vendor/trezor-crypto',
 ]
 SOURCE_MOD += [
+    'vendor/trezor-crypto/hmac_drbg.c',
     'vendor/trezor-crypto/memzero.c',
+    'vendor/trezor-crypto/rand.c',
+    'vendor/trezor-crypto/sha2.c',
 ]
 
 # modtrezorui

core/embed/bootloader/main.c

@@ -234,6 +234,7 @@ static void check_bootloader_version(void) {
 #endif
 
 int main(void) {
+  drbg_init();
   touch_init();
   touch_power_on();
 

core/embed/firmware/main.c

@@ -43,6 +43,9 @@
 #include "touch.h"
 
 int main(void) {
+  // initialize pseudo-random number generator
+  drbg_init();
+
   // reinitialize HAL for Trezor One
 #if TREZOR_MODEL == 1
   HAL_Init();

core/embed/prodtest/main.c

@@ -371,6 +371,7 @@ static secbool startswith(const char *s, const char *prefix) {
 
 int main(void) {
   display_orientation(0);
+  drbg_init();
   sdcard_init();
   touch_init();
   sbu_init();

core/embed/trezorhal/common.c

@@ -25,13 +25,15 @@
 #include "display.h"
 #include "flash.h"
 #include "rand.h"
-#include "rng.h"
+#include "hmac_drbg.h"
 
 #include "stm32f4xx_ll_utils.h"
 
 // from util.s
 extern void shutdown(void);
 
+static HMAC_DRBG_CTX drbg_ctx;
+
 #define COLOR_FATAL_ERROR RGB16(0x7F, 0x00, 0x00)
 
 void __attribute__((noreturn))
@@ -121,7 +123,7 @@ void __assert_func(const char *file, int line, const char *func,
 void hal_delay(uint32_t ms) { HAL_Delay(ms); }
 
 void delay_random(void) {
-  int wait = rng_get() & 0xff;
+  int wait = drbg_random32() & 0xff;
   volatile int i = 0;
   volatile int j = wait;
   while (i < wait) {
@@ -185,3 +187,23 @@ void collect_hw_entropy(void) {
                         FLASH_OTP_BLOCK_SIZE),
          NULL);
 }
+
+void drbg_init() {
+  uint8_t entropy[48];
+  random_buffer(entropy, sizeof(entropy));
+  hmac_drbg_init(&drbg_ctx, entropy, sizeof(entropy), NULL, 0);
+}
+
+void drbg_reseed(const uint8_t *entropy, size_t len) {
+  hmac_drbg_reseed(&drbg_ctx, entropy, len, NULL, 0);
+}
+
+void drbg_generate(uint8_t *buf, size_t len) {
+  hmac_drbg_generate(&drbg_ctx, buf, len);
+}
+
+uint32_t drbg_random32(void) {
+  uint32_t value;
+  drbg_generate((uint8_t *)&value, sizeof(value));
+  return value;
+}

core/embed/trezorhal/common.h

@@ -20,6 +20,7 @@
 #ifndef __TREZORHAL_COMMON_H__
 #define __TREZORHAL_COMMON_H__
 
+#include <stddef.h>
 #include <stdint.h>
 #include "secbool.h"
 
@@ -75,6 +76,11 @@ void collect_hw_entropy(void);
 #define HW_ENTROPY_LEN (12 + 32)
 extern uint8_t HW_ENTROPY_DATA[HW_ENTROPY_LEN];
 
+void drbg_init();
+void drbg_reseed(const uint8_t *entropy, size_t len);
+void drbg_generate(uint8_t *buf, size_t len);
+uint32_t drbg_random32(void);
+
 // the following functions are defined in util.s
 
 void memset_reg(volatile void *start, volatile void *stop, uint32_t val);