8.9.5.6 Security and Functional Analysis and Reports
Several types of checks are performed while the TRNG is enabled.
The peripheral clock of the TRNG is monitored by dedicated circuitry that detects abnormal waveforms on the internal clock net which may affect the behavior of the TRNG. Corruption of the triggering edge of the clock, or a pulse with a minimum duration, may be identified. If the TRNG_WPSR.CGD flag is set, an abnormal condition occurred on the peripheral clock. This flag is not set under normal operating conditions.
The internal sequencer of the TRNG is also monitored and if an abnormal state is detected, the flag TRNG_WPSR.SEQE is set. This flag is not set under normal operating conditions.
The Control register (TRNG_CR) is of high importance for functional safety, hence the physical implementation of its configuration bit is based on a reinforced safety memory cell with single-error correction capability. A single-event error is therefore filtered and does not prevent the TRNG from providing random data. Any majority error is monitored and reported in TRNG_ISR.SECE and TRNG_WPSR.SEQE.
The same reinforced safety memory cell is implemented for each bit of TRNG_IMR and for each write protection control bit of TRNG_WPMR, hence a single-event error on any of these bits is filtered and does not prevent the TRNG from asserting the interrupt line for each new random value. Any majority error is monitored and reported in TRNG_ISR.SECE and TRNG_WPSR.SEQE.
The Mode register (TRNG_MR) is less sensitive than TRNG_CR and TRNG_IMR, but it is monitored with a parity check: a single bit error, or any odd number of bit errors, is reported in TRNG_ISR.SECE and TRNG_WPSR.SEQE. Unlike the reinforced cells, a parity check only detects the error and does not correct it, so software must rewrite TRNG_MR after such a report.
The TRNG features two health tests intended to monitor the noise source. These health tests are always active and do not interfere with the inherent behavior of the TRNG. The first test detects gross failures of the noise source and corresponds to the repetition count test of NIST SP 800-90B; the second corresponds to the SP 800-90B adaptive proportion test. When a failure is detected, an interrupt is triggered and the source of the trigger is reported in TRNG_ISR. The tests remain active while the TRNG is disabled, so TRNG_ISR.APHT=1 and TRNG_ISR.RCHT=1 in that state; software should therefore evaluate these flags only once the TRNG has been enabled.
It is possible to inject a single fault into the registers whose safety is reinforced. When one or more faults are injected, the TRNG behaves as if there were no fault (it keeps producing random values, protecting register accesses, and so on). A fault is introduced by writing the TRNG Fault Injection register (TRNG_FIR). When a fault is injected, TRNG_ISR.SECE=1 and TRNG_WPSR.SDEE=1. Software-injected faults must be cleared before normal operation resumes so that faults do not accumulate: the reinforced cells correct a single error only, and dual faults are not corrected.
Software accesses to the TRNG are monitored, and if an incorrect access is performed the TRNG_WPSR.SWE flag is set. The type of incorrect or abnormal software access is reported in the TRNG_WPSR.SWETYP field (see the TRNG Write Protection Status Register for details). For example, reading TRNG_ODATA while the TRNG is disabled is an error, as is reading TRNG_ODATA while the TRNG_ISR.DATRDY flag is cleared. TRNG_WPSR.ECLASS indicates the criticality of the SWETYP report.
The CGD, SEQE, SWE and WPVS flags are automatically cleared when TRNG_WPSR is read.
If any of these flags is set, TRNG_ISR.SECE is also set and triggers an interrupt if the TRNG_IMR.SECE bit is ‘1’. SECE is cleared by reading TRNG_ISR. Because both registers clear on read, an interrupt handler should read TRNG_ISR and TRNG_WPSR once each and decode the captured values rather than re-reading the flags.
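As an added example (not from the datasheet and not the vendor's driver code), the following C snippet shows how a driver would consume the reports described in this section: it reads TRNG_ODATA only when the TRNG is enabled and DATRDY is set, so it never provokes the SWE software-access error; it ignores RCHT and APHT while the TRNG is disabled, since both flags read 1 in that state; and it captures TRNG_ISR and TRNG_WPSR exactly once each because both clear on read. The register block, its offsets, the bit positions and the TRNG_CR enable bit are assumptions made for illustration and must be replaced with the values from the device's register description; the register snapshot in main() is constructed, not captured from silicon.

```c
/* Added example, not from the datasheet: a driver-side handler for the TRNG
 * security reports described above. The register layout, bit positions and
 * the TRNG_CR enable bit are ASSUMPTIONS for illustration only; take the
 * real offsets and bit numbers from the device's register description. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed register block; only the registers used here are modelled. */
struct trng_regs {
    volatile uint32_t CR;     /* TRNG_CR  (enable bit assumed at bit 0) */
    volatile uint32_t ISR;    /* TRNG_ISR (SECE cleared by reading it) */
    volatile uint32_t ODATA;  /* TRNG_ODATA */
    volatile uint32_t WPSR;   /* TRNG_WPSR (CGD/SEQE/SWE/WPVS cleared by reading it) */
};

/* Assumed bit positions; the field names are the ones used in the text. */
#define TRNG_CR_ENABLE       (1u << 0)
#define TRNG_ISR_DATRDY      (1u << 0)
#define TRNG_ISR_SECE        (1u << 1)
#define TRNG_ISR_RCHT        (1u << 2)
#define TRNG_ISR_APHT        (1u << 3)
#define TRNG_WPSR_WPVS       (1u << 0)
#define TRNG_WPSR_CGD        (1u << 1)
#define TRNG_WPSR_SEQE       (1u << 2)
#define TRNG_WPSR_SWE        (1u << 3)
#define TRNG_WPSR_SWETYP(w)  (((w) >> 24) & 0xFu)
#define TRNG_WPSR_ECLASS(w)  (((w) >> 31) & 0x1u)

enum trng_status { TRNG_OK = 0, TRNG_ERR_DISABLED = -1, TRNG_ERR_NOT_READY = -2 };

/* Verdict bits returned by trng_decode_event(). */
#define TRNG_V_TAMPER        0x1u  /* CGD, SEQE, WPVS, or a SECE that nothing in WPSR explains */
#define TRNG_V_ENTROPY_FAIL  0x2u  /* an SP 800-90B health test failed while enabled */
#define TRNG_V_SW_MISUSE     0x4u  /* the driver accessed the TRNG incorrectly (SWE) */

struct trng_event {
    bool secure_event, clock_glitch, sequencer_error, sw_error, wp_violation;
    bool rcht_fail, apht_fail;
    unsigned swetyp, eclass;
};

/* Read one random word only when the text above says it is legal: the TRNG is
 * enabled and TRNG_ISR.DATRDY is set. Any other read of TRNG_ODATA would be
 * recorded by the hardware as a software error (TRNG_WPSR.SWE). */
int trng_read_word(struct trng_regs *t, uint32_t *out)
{
    if (!(t->CR & TRNG_CR_ENABLE))
        return TRNG_ERR_DISABLED;
    if (!(t->ISR & TRNG_ISR_DATRDY))
        return TRNG_ERR_NOT_READY;
    uint32_t w = t->ODATA;
    if (out)
        *out = w;
    return TRNG_OK;
}

/* Decode one report from single snapshots of TRNG_CR, TRNG_ISR and TRNG_WPSR.
 * Both status registers clear their flags on read, so the caller captures each
 * exactly once and passes the values here instead of re-reading the hardware. */
uint32_t trng_decode_event(uint32_t cr, uint32_t isr, uint32_t wpsr, struct trng_event *ev)
{
    struct trng_event e = {0};
    uint32_t verdict = 0;
    bool enabled = (cr & TRNG_CR_ENABLE) != 0;

    /* The health tests stay active while the TRNG is disabled and both flags
     * then read 1, so they only count as failures when the TRNG is enabled. */
    e.rcht_fail = enabled && (isr & TRNG_ISR_RCHT);
    e.apht_fail = enabled && (isr & TRNG_ISR_APHT);
    if (e.rcht_fail || e.apht_fail)
        verdict |= TRNG_V_ENTROPY_FAIL;

    e.secure_event    = (isr & TRNG_ISR_SECE) != 0;
    e.clock_glitch    = (wpsr & TRNG_WPSR_CGD) != 0;
    e.sequencer_error = (wpsr & TRNG_WPSR_SEQE) != 0; /* also cell majority/parity errors */
    e.wp_violation    = (wpsr & TRNG_WPSR_WPVS) != 0;
    e.sw_error        = (wpsr & TRNG_WPSR_SWE) != 0;
    if (e.sw_error) {
        e.swetyp = TRNG_WPSR_SWETYP(wpsr);
        e.eclass = TRNG_WPSR_ECLASS(wpsr);
        verdict |= TRNG_V_SW_MISUSE;
    }
    if (e.clock_glitch || e.sequencer_error || e.wp_violation)
        verdict |= TRNG_V_TAMPER;
    /* SECE with nothing decoded from WPSR: a reinforced-cell error or an
     * injected fault (the text reports those through SECE), so still a security event. */
    if (e.secure_event && !(verdict & (TRNG_V_TAMPER | TRNG_V_SW_MISUSE)))
        verdict |= TRNG_V_TAMPER;

    if (ev)
        *ev = e;
    return verdict;
}

/* Interrupt entry point: capture each status register once, then decode. */
uint32_t trng_handle_irq(struct trng_regs *t, struct trng_event *ev)
{
    uint32_t cr = t->CR, isr = t->ISR, wpsr = t->WPSR; /* these reads clear the flags */
    return trng_decode_event(cr, isr, wpsr, ev);
}

int main(void)
{
    /* Constructed snapshot, not captured from silicon: enabled, a word ready,
     * and a pending software-error report with SWETYP=3 and ECLASS=1. */
    struct trng_regs sim = { .CR = TRNG_CR_ENABLE, .ISR = TRNG_ISR_DATRDY | TRNG_ISR_SECE,
                             .ODATA = 0x5A5A1234u, .WPSR = TRNG_WPSR_SWE | (0x3u << 24) | (1u << 31) };
    struct trng_event ev;
    uint32_t word = 0, verdict = trng_handle_irq(&sim, &ev);
    printf("verdict=0x%x swe=%d swetyp=%u eclass=%u\n", verdict, ev.sw_error, ev.swetyp, ev.eclass);
    printf("read: status=%d word=0x%08x\n", trng_read_word(&sim, &word), word);
    return 0;
}
```

A start-up self-test can reuse this handler: write TRNG_FIR, confirm that trng_handle_irq() reports TRNG_V_TAMPER (the injected fault raises SECE), and clear the fault before normal operation as the text requires. The value to write to TRNG_FIR and the way an injected fault is cleared are not given in this section; take them from the TRNG_FIR register description.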