32. True random number generator (RNG)

32.1 RNG introduction

The RNG is a true random number generator that provides full entropy outputs to the application as 32-bit samples. It is composed of a live entropy source (analog) and an internal conditioning component.

The RNG is an NIST SP 800-90B compliant entropy source that can be used to construct a nondeterministic random bit generator (NDRBG).

The RNG true random number generator can be certified NIST SP 800-90B. It can also be tested using the German BSI statistical tests of AIS-31 (T0 to T8).

32.2 RNG main features

• • The RNG delivers 32-bit true random numbers, produced by an analog entropy source conditioned by an NIST SP800-90B approved conditioning stage.
• • It can be used as the entropy source to construct a non-deterministic random bit generator (NDRBG).
• • In the default configuration, it produces four 32-bit random samples every 412 AHB clock cycles if \( f_{\text{AHB}} < f_{\text{threshold}} \) (256 RNG clock cycles otherwise).
• • Embeds startup and NIST SP800-90B approved continuous health tests (repetition count and adaptive proportion tests), associated with specific error management.
• • Can be disabled to reduce power consumption, or enabled with an automatic low power mode (default configuration).
• • Has an AMBA ^® AHB slave peripheral, accessible through 32-bit word single accesses only (else an AHB bus error is generated, and the write accesses are ignored).

32.3 RNG functional description

32.3.1 RNG block diagram

Figure 311 shows the RNG block diagram.

32.3.2 RNG internal signals

Table 295 describes internal signals available at the RNG level, not at the STM32 product level (on pads).

Table 295. RNG internal input/output signals

32.3.3 Random number generation

The true random number generator (RNG) delivers truly random data through its AHB interface at deterministic intervals.

Within its boundary, it integrates all the required NIST components shown in Figure 312 : an analog noise source, a digitization stage, a conditioning algorithm, a health monitoring block, and two interfaces used to interact with the entropy source (GetEntropy and HealthTest).

Figure 312. NIST SP800-90B entropy source model

graph TD
    subgraph Entropy_source [Entropy source]
        NS[Noise source] -- Raw data --> PP[Post-processing optional]
        PP --> C[Conditioning optional]
    end
    C --> GE[Output GetEntropy]
    C --> HT[Health tests]
    HT --> EM[Error message HealthTest]
  

Noise source

This component contains the nondeterministic, entropy-providing activity, ultimately responsible for the uncertainty associated with the bit string output by the entropy source. This noise source provides 1-bit samples. It is composed of:

• • Multiple analog noise sources (x3), each based on three XOR-ed free-running ring oscillator outputs. It is possible to disable those analog oscillators to save power, as described in Section 32.3.8 . Multiple oscillators are also disabled for configuration A (see Table 297 ).
• • The XOR-ing of all the noise sources into a single analog output.
• • A sampling stage of this output is clocked by a dedicated clock input (rng_clk with integrated divider), delivering a 1-bit raw data output.

This noise source sampling is independent from the AHB interface clock frequency (rng_hclk), with the possibility, for the software, to decrease the sampling frequency by using the integrated divider.

Note: The recommended clock frequencies and associated divider value are detailed in Section 32.6 .

Post processing

In the NIST configuration no post-processing is applied to the sampled noise source. In the non-NIST configuration B (as defined in Section 32.6.2 ) a normalization debiasing is applied: half of the bits are taken from the sampled noise source, the other half from the inverted sampled noise source.

Conditioning

The conditioning component in the RNG is a deterministic function that increases the entropy rate of the resulting fixed-length bit string output (128-bit). The NIST SP800-90B target is full entropy on the output (128-bit).

The time intervals required between two random number generations, and between the RNG initialization and availability of the first sample are detailed in Section 32.5 .

Output buffer

A data output buffer can store up to four 32-bit words that have been output from the conditioning component. When four words have been read from the output FIFO through the RNG_DR register, the content of the 128-bit conditioning output register is pushed into the output FIFO, and a new conditioning round is automatically started. Four new words are added to the conditioning output register after a number of clock cycles specified in Section 32.5 .

Whenever a random number is available through the RNG_DR register, the DRDY flag changes from 0 to 1. This flag remains high until the output buffer becomes empty after reading four words from the RNG_DR register.

Note: When the interrupts are enabled, an interrupt is generated when this flag transitions from 0 to 1. The interrupt is then cleared automatically by the RNG, as explained above.

Health checks

This component ensures that the entire entropy source (with its noise source) starts, then operates as expected, obtaining the assurance that failures are caught quickly, with high probability and reliability.

The RNG implements the following health check features in accordance with NIST SP800-90B. The described thresholds correspond to the default RNG_HTCR0 configuration.

1. 1. Startup health tests, performed after reset and before the first use of the RNG as entropy source:
   • – Repetition count test, flagging an error when the noise source has provided more than 28 consecutive bits at a constant value (0 or 1).
   • – Adaptive proportion test running on a window of 1024 consecutive bits: the RNG verifies that the first bit on the outputs of the noise source is not repeated more than 684 times.
   • – Known-answer tests, to verify the conditioning stage.
2. 2. Continuous health tests, running indefinitely on the outputs of the noise source (XORed output and individual oscillator outputs, see Figure 311: RNG block diagram ):
   • – Repetition count test, similar to the one running in startup tests.
   • – Adaptive proportion test, similar to the one running in startup tests.
3. 3. Vendor specific continuous test:

• – Real-time “too slow” sampling clock detector, flagging an error when one RNG clock cycle (before divider) is smaller than the AHB clock cycle divided by 32.
• 4. On-demand test of digitized noise source (raw data)
  • – Supported by restarting the entropy source and rerunning the startup tests (see software reset sequence in Section 32.3.4 ). Other kinds of on-demand testing (software based) are not supported .

The CECS and SECS status bits in the RNG_SR register indicate when an error condition is detected, as detailed in Section 32.3.7 .

Note: An interrupt can be generated when an error is detected.

The health test thresholds are modified by changing the value in the corresponding RNG_HTCRx registers. See Section 32.6 for details.

32.3.4 RNG initialization

The RNG simplified state machine is shown in Figure 313 .

After enabling the RNG (RNGEN = 1 in RNG_CR), the following chain of events occurs:

1. 1. The analog noise source is enabled, and by default the RNG waits 16 RNG clock cycles (before divider) before starting to sample the analog output and filling the 128-bit conditioning shift register.
2. 2. The conditioning hardware initializes, automatically triggering the startup behavior test on the raw data samples and known-answer tests.
3. 3. Start-up health tests are completed, with the conditioning stage ready to use.
4. 4. The conditioning stage internal input data buffer is filled again with 128-bit and a number of conditioning rounds defined by the RNG configuration (NIST or non-NIST) is performed. The output buffer is then filled with the post processing result.
5. 5. The output buffer is refilled automatically according to the RNG usage.

The associated initialization time can be found in Section 32.5 .

Figure 313. RNG initialization overview

graph TD
    Start(( )) --> Step1[1. Wait for noise source]
    Step1 --> Step2[2. Start-up Health tests]
    Step2 --> Step3[3. Conditioning keys initialization]
    Step3 --> Step4[4. Generate samples]
    Step4 --> Step5((5))
    Step5 --> Step4
    Step2 -- "Start-up test(s) not OK" --> Error[Error state]
    Step4 -- "Continuous test(s) not OK" --> Error
    Error -- "Software reset" --> Step1
    Step2 -- "Software reset" --> Step1
  

Figure 313 also highlights a possible software reset sequence, implemented by:

1. 1. Write RNGEN = 0, then wait for BUSY = 0 in the RNG_SR register.
2. 2. Write bits RNGEN = 0 and CONDRST = 1 in the RNG_CR register with the same RNG configuration and a new CLKDIV if needed.
3. 3. Write RNGEN = 1 and CONDRST = 0 in the RNG_CR register.
4. 4. Wait for a random number to be ready, after initialization completes.

Note: When the RNG is reset by RCC (hardware reset), the configuration for optimal randomness is lost in the registers.

32.3.5 RNG operation

Normal operation

To run the RNG using interrupts, the following steps are recommended:

1. 1. Check in Section 32.6 if a specific RNG configuration is required for the application.
   • – If this is the case, when bits RNGEN and BUSY =0, write in the RNG_CR register bit CONDRST = 1, together with the correct RNG configuration. Then perform a second write with bit CONDRST = 0, interrupt enable bit IE = 1, and RNG enable bit RNGEN = 1.

1. • – If this is not the case, perform a write to the RNG_CR register with interrupt enable bit IE = 1 and RNG enable bit RNGEN = 1.
2. 1. 2. An interrupt is now generated when a random number is ready or when an error occurs. Therefore, at each interrupt, check that:
      • – No error occurred. The SEIS and CEIS bits must be set to 0 in the RNG_SR register.
      • – A random number is ready. The DRDY bit must be set to 1 in the RNG_SR register.
      • – If the above two conditions are true the content of the RNG_DR register can be read up to four consecutive times. If valid data are available in the conditioning output buffer, four additional words can be read by the application (in this case the DRDY bit is still high). If one or both of the above conditions are false, the RNG_DR register must not be read. If an error occurred, the error recovery sequence described in Section 32.3.7 must be used.

To run the RNG in polling mode the following steps are recommended:

1. 1. Check in Section 32.6 if a specific RNG configuration is required for the application.
   • – If this is the case, when bits RNGEN and BUSY = 0, write in the RNG_CR register bit CONDRST = 1, together with the correction RNG configuration. Then perform a second write to the RNG_CR register with bit CONDRST = 0 and the RNG enable bit RNGEN = 1.
   • – If this is not the case, only enable the RNG by setting the RNGEN bit to 1 in the RNG_CR register.
2. 2. Read the RNG_SR register and check that:
   • – No error occurred (the SEIS and CEIS bits must be set to 0)
   • – A random number is ready (the DRDY bit must be set to 1)
3. 3. If the above conditions are true, read the content of the RNG_DR register up to four consecutive times. If valid data are available in the conditioning output buffer, four additional words can be read by the application (in this case the DRDY bit is still high). If one or both of the above conditions are false, the RNG_DR register must not be read. If an error occurred, use the recovery sequence described in Section 32.3.7 .

Note: When data are not ready (DRDY = 0) RNG_DR returns 0. It is recommended to verify that RNG_DR is different from 0. When this happens, a seed error occurred between RNG_SR polling and RND_DR output reading (a rare event).

If the random number generation period is a concern to the application and if NIST compliance is not required, it is possible to select a faster configuration by using the configuration B, described in Section 32.6 . The gain in random number generation speed is summarized in Section 32.5 .

Low-power operation

If power consumption is a concern, low-power strategies can be used, as described in Section 32.3.8 .

Software post-processing

No specific software post-processing/conditioning is expected to meet the AIS-31 or NIST SP800-90B approvals.

Built-in health check functions are described in Section 32.3.3 .

32.3.6 RNG clocking

The RNG runs on two different clocks: the AHB bus clock and a dedicated RNG clock.

The AHB clock is used to clock the AHB banked registers and conditioning component. The RNG clock, coupled with a programmable divider (see CLKDIV bitfield in the RNG_CR register) is used for noise source sampling. Recommended clock configurations are detailed in Section 32.6 .

Note: When the CED bit in the RNG_CR register is set to 0, the RNG clock frequency before the internal divider must be higher than the AHB clock frequency divided by 32 , otherwise the clock checker flags a clock error (CECS = 1 in the RNG_SR register).

See Section 32.3.1 for details (AHB and RNG clock domains).

32.3.7 Error management

In parallel to random number generation a health check block verifies the correct noise source behavior and the frequency of the RNG source clock as detailed in this section. Associated error state is also described.

Clock error detection

When the clock error detection is enabled (CED = 0) and if the RNG clock frequency is too low, the RNG sets to 1 both the CEIS and CECS bits to indicate that a clock error occurred. In this case, the application must check that the RNG clock is configured correctly (see Section 32.3.6 ), and then it must clear the CEIS bit interrupt flag. The CECS bit is automatically cleared when the clocking condition is normal.

When CECS is set, values are available in the RNG_DR register, but it must not be used as described in Section 32.3.5 .

Note: CEIS is set only when CECS is set to 1 by RNG.

Noise source error detection

When a noise source (or seed) error occurs, the RNG stops generating random numbers and sets to 1 both SEIS and SECS bits to indicate that a seed error occurred.

When SECS is set, values are available in the RNG_DR register, but it must not be used as described in Section 32.3.5 .

To manage a seed error, follow the recommended sequence below. It requires the CONFIGLOCK bit to be cleared.

• • When ARDIS is cleared (auto-reset enabled):
  • – Clear the SEIS bit in the RNG_SR register
  • – If SECS is cleared RNG can be used as usual. If SECS is still set in RNG_SR it means a new seed error occurred (unlikely). In this case, executes following step 1)
• • When ARDIS is set (auto-reset disabled) the following sequence must be used to recover from a seed error.
  1. 1. Read both RNG_HTSRx registers. Using the previous HTSR values saved in RAM, compute the accumulated number of errors per oscillator (can be RPERR or ADERR errors). In a nsmr variable, mask the oscillators with accumulated number of errors greater than 3. This variable is used in step 3). Save the updated HTSR values in RAM.
     • – During the first iteration, initialize nsmr variable with the RNG_NSCR value.
  2. 2. If fewer than 6 oscillators are active in the nsmr variable, reinitialize it with the RNG_NSCR value.
     • – When RNG configuration is Configuration B, and the third time you reach this loop, go to Step 3 changing the RNG configuration to Configuration C. Both configurations are defined in Section 32.6.2 .
  3. 3. Write CONDRST at 1 in RNG_CR, then update RNG_NSMR with nsmr value. Refer to Section 32.7.8 for details.
  4. 4. Write CONDRST at 0 to finalize the reset of the RNG conditioning logic.
  5. 5. Wait for the CONDRST bit to be cleared by hardware, or poll for BUSY bit= 0. Then clear the SEIS interrupt status bit in the RNG_SR register.
  6. 6. If SECS is still set in RNG_SR it means a new seed error occurred (unlikely). In this case go back to step 1). If SECS is cleared, restart the generation of random numbers by setting RNGEN in RNG_CR.

If application has set the CONFIGLOCK bit (not recommended), do the following:

• • When ARDIS is cleared (auto-reset enabled) clear the SEIS interrupt status bit in the RNG_SR register before drawing random numbers again.
• • When ARDIS is set (auto-reset disabled), the following sequence must be used to fully recover from a seed error:
  1. 1. Write CONDRST at 1 and at 0 in the RNG_CR register to reset the conditioning logic.
  2. 2. Wait for the CONDRST bit to be cleared by hardware, or poll for BUSY = 0. Then clear the SEIS interrupt status bit in the RNG_SR register.
  3. 3. If SECS is still set in RNG_SR it means a new seed error occurred (unlikely). In this case go back to step 1).

Note: After a seed error RNG restarts generating random numbers when SECS is cleared.

RNG tamper errors

When an unexpected error is found by the RNG, an internal tamper event is triggered in the TAMP peripheral, and the RNG stops delivering random data.

When this event occurs, the secure application needs to reset the RNG peripheral, using the central reset management or the global SoC reset. A proper initialization of the RNG is required again.

Note: Seed errors do not trigger tamper errors.

32.3.8 RNG low-power use

If power consumption is a concern, the RNG can be disabled as soon as the DRDY bit is set to 1 by setting the RNGEN bit to 0 in the RNG_CR register. As the post-processing logic and the output buffer remain operational while the RNGEN = 0, the following features are available to the software:

• • If there are valid words in the output buffer, four random numbers can still be read from the RNG_DR register.
• • If there are valid bits in the conditioning output internal register, four additional random numbers can be still be read from the RNG_DR register. If it is not the case, RNG must be re-enabled by the application until the expected new noise source bits threshold is reached (128-bit in NIST mode), and a complete conditioning round is done. Four new random words are then available only if the expected number of conditioning round is reached (two if NISTC = 0). The overall time can be found in Section 32.5 .

When disabling the RNG, the user deactivates all the analog seed generators, whose power consumption is given in the datasheet electrical characteristics section. The user also gates all the logic clocked by the RNG clock. Note that this strategy is adding latency before a random sample is available on the RNG_DR register, because of the RNG initialization time.

If the RNG block is disabled during initialization (that is well before the DRDY bit rises for the first time), the initialization sequence resumes from where it was stopped when the RNGEN bit is set to 1, unless the application resets the conditioning logic using the CONDRST bit in the RNG_CR register.

When the application wants to gate the RNG kernel clock, the software must issue the following sequence: first, disable the RNG by clearing the RNGEN bit in the RNG_CR register, then wait for the BUSY bit to be cleared in the RNG_SR, and finally, disable the RNG kernel clock using the RCC.

Before entering a power mode where RNG is deactivated (like Stop mode), the software must first disable the RNG by clearing the RNGEN bit in the RNG_CR register, then wait for the BUSY bit to be cleared in the RNG_SR.

Note: The power modes where RNG is deactivated (retained or not available) can be found in the PWR section.

32.4 RNG interrupts

In the RNG an interrupt can be produced on the following events:

• • Data ready flag
• • Seed error, see Section 32.3.7
• • Clock error, see Section 32.3.7

Dedicated interrupt enable control bits are available as shown in Table 296 .

Table 296. RNG interrupt requests

The user can enable or disable the above interrupt sources globally by using the general interrupt control bit IE in the RNG_CR register. The status of the individual interrupt sources can be read from the RNG_SR register.

Note: Interrupts are generated only when RNG is enabled.

32.5 RNG processing time

In the recommended configuration described in Table 297 , the time between two sets of four 32-bit data is either:

• • 206 x N AHB cycles if \( f_{\text{AHB}} < f_{\text{threshold}} \) (conditioning stage is limiting), or
• • 128 x N RNG cycles \( f_{\text{AHB}} \geq f_{\text{threshold}} \) (noise source stage is limiting).

If \( f_{\text{RNG}} = 48 \text{ MHz} \) , \( f_{\text{threshold}} = 1.6 \times f_{\text{RNG}} = 77 \text{ MHz} \) . The value of N is defined in Section 32.6 .

Note: When CLKDIV is different from 0, \( f_{\text{RNG}} \) must take into account the internal divider ratio.

32.6 RNG entropy source validation

32.6.1 Introduction

To assess the amount of entropy available from the RNG, the peripheral has been tested using the German BSI AIS-31 statistical tests (T0 to T8), and NIST SP800-90B test suite.

32.6.2 Validation conditions

The RNG true random number generator has been tested in the following conditions:

• • RNG clock \( \text{rng\_clk} = 48 \text{ MHz} \) , with CED bit cleared in RNG_CR.
• • Configurations are described in Table 297 and Table 298 . Only configuration A can be certified NIST SP800-90B. Refer to Table 299 to select the best configuration for the application.
• • Configuration B or C can be used when configuration A is not present in AN4230, or is not flagged as certified.

Table 297. RNG configurations

1. 1. \( \text{RNG\_CONFIG1}[3:0] = i \) defines the loop number N. If \( i = 0 \) , \( N = 1 \) . If NISTC = 0, \( N = 2 \) regardless of \( i \) .
2. 2. This value can be fixed in the RNG driver (it does not depend upon the STM32 product).
3. 3. The noise source sampling must be 48 MHz or less. If the RNG clock is different from 48 MHz, this value of CLKDIV must be adapted. See the CLKDIV bitfield description in Section 32.7.1 for details.

Table 298. Additional health test configurations

Table 299. Configuration selection

1. 1. For configurations B and C entropy is verified using the AIS-31 test suite (T0 to T8).
2. 2. When the speed is not enough for the application, an NIST compliant DRBG can be used to increase throughput.

For details on data collection and the running of statistical test suites refer to AN4230 “ Introduction to random number generation validation using the NIST statistical test suite for STM32 MCUs and MPUs ”, available on www.st.com .

32.7 RNG registers

The RNG is associated with a control register, a data register, and a status register.

32.7.1 RNG control register (RNG_CR)

Address offset: 0x000

Reset value: 0x0080 0D00

Bit 31 CONFIGLOCK: RNG configuration lock

Set this bit to lock the RNG configuration. Since CONFIGLOCK prevents the implementation of robust seed error management described in Section 32.3.7 , it is recommended not to use it.

0: Writes to the RNG_NSMR, RNG_NSCR, RNG_HTCR and the RNG_CR configuration bits [29:4] are allowed.

1: Writes to the RNG_NSMR, RNG_NSCR, RNG_HTCR and the RNG_CR configuration bits [29:4] are ignored until the next RNG reset.

Once set, this bit can only be cleared when RNG is reset (set once bit).

Bit 30 CONDRST: Conditioning soft reset

Write 1 and then write 0 to reset the conditioning logic, clear all the FIFOs and start a new RNG initialization process, with RNG_SR cleared. Registers RNG_NSMR, RNG_NSCR, RNG_CR and RNG_HTCR are not changed by CONDRST.

This bit must be set to 1 in the same access that sets any configuration bits [29:4]. In other words, when CONDRST bit is set to 1 correct configuration in bits [29:4] must also be written.

Before setting this bit to 1 RNGEN must be set to 0, and BUSY flag must be cleared in RNG_SR.

When CONDRST is set to 0, wait for BUSY flag to be cleared in RNG_SR. CONDRST bit then reads as 0.

Bits 29:28 Reserved, must be kept at reset value.

Bits 27:20 RNG_CONFIG1[7:0]: RNG configuration 1

Reserved to the RNG configuration (bitfield 1). Must be initialized using the recommended value documented in Section 32.6 .

Writing to this bitfield is only effective when CONFIGLOCK = 0. The new value is only taken into account if CONDRST bit is set in the same access.

Bits 19:16 CLKDIV[3:0] : Clock divider factor

This value used to configure an internal programmable divider (from 1 to 16) acting on the incoming RNG clock. These bits can be written only when the core is disabled (RNGEN = 0).

0x0: internal RNG clock after divider is similar to incoming RNG clock.

0x1: two RNG clock cycles per internal RNG clock.

0x2: \( 2^2 \) (= 4) RNG clock cycles per internal RNG clock.

...

0xF: \( 2^{15} \) RNG clock cycles per internal clock (for example. an incoming 48 MHz RNG clock becomes a 1.5 kHz internal RNG clock)

Writing to this bitfield is only effective when CONFIGLOCK = 0. The new value is only taken into account if CONDRST bit is set in the same access.

Bits 15:13 RNG_CONFIG2[2:0] : RNG configuration 2

Reserved to the RNG configuration (bitfield 2). Refer to the RNG_CONFIG1 bitfield for details.

Bit 12 NISTC : NIST custom

0: Hardware default values for NIST compliant RNG. In this configuration for 128-bit output, two conditioning loops are performed and 256 bits of noise source are used.

1: Custom values for NIST compliant RNG. See Section 32.6 for recommended configurations.

Writing to this bit is only effective when CONFIGLOCK = 0. The new value is only taken into account if the CONDRST bit is set in the same access.

Bits 11:8 RNG_CONFIG3[3:0] : RNG configuration 3

Reserved to the RNG configuration (bitfield 3). Refer to RNG_CONFIG1 bitfield for details.

If the NISTC bit is cleared in this register RNG_CONFIG3 bitfield values are ignored by RNG.

Bit 7 ARDIS : Auto reset disable

Set this bit to deactivate the auto-reset feature.

0: Auto-reset is enabled

1: Auto-reset is disabled

Keeping the auto-reset enabled (automatic clearance of the SECS bit) simplifies the management of noise source errors, as described in Section 32.3.7 .

Writing to this bit is only effective when CONFIGLOCK = 0. The new value is only taken into account if the CONDRST bit is set in the same access.

Bit 6 Reserved, must be kept at reset value.

Bit 5 CED : Clock error detection

0: Clock error detection is enabled.

1: Clock error detection is disabled

The clock error detection cannot be enabled nor disabled on-the-fly when the RNG is enabled, that is to enable or disable CED, the RNG must be disabled.

Writing to this bit is only effective when CONFIGLOCK = 0. The new value is only taken into account if the CONDRST bit is set in the same access.

Bit 4 Reserved, must be kept at reset value.

Bit 3 IE : Interrupt enable

0: RNG interrupt is disabled

1: RNG interrupt is enabled. An interrupt is pending as soon as the DRDY, SEIS, or CEIS flag is set in the RNG_SR register.

Bit 2 RNGEN : True random number generator enable

This bit enables/disables the true random number generator.

0: True random number generator disabled.

1: True random number generator enabled.

Clearing RNGEN powers off the analog noise sources and gates the logic clocked by the RNG clock.

When clearing this bit verify that BUSY flag is cleared in RNG_SR before updating this register again.

Bits 1:0 Reserved, must be kept at reset value.

32.7.2 RNG status register (RNG_SR)

Address offset: 0x004

Reset value: 0x0000 0000

Bits 31:7 Reserved, must be kept at reset value.

Bit 6 SEIS : Seed error interrupt status

This bit is set at the same time as SECS. It is cleared by writing 0 (unless CONDRST is used). Writing 1 has no effect.

0: No faulty sequence detected

1: At least one faulty sequence is detected. See SECS bit description for details.

An interrupt is pending if IE = 1 in the RNG_CR register.

Bit 5 CEIS : Clock error interrupt status

This bit is set at the same time as CECS. It is cleared by writing 0. Writing 1 has no effect.

0: The RNG clock is correct ( \( f_{\text{RNGCLK}} > f_{\text{HCLK}}/32 \) )

1: The RNG clock before the internal divider is detected too slow ( \( f_{\text{RNGCLK}} < f_{\text{HCLK}}/32 \) )

An interrupt is pending if IE = 1 in the RNG_CR register.

Bit 4 BUSY : Busy

This flag indicates whether RNG is idle or busy.

0: Idle

1: Busy

RNG is flagged as busy when a conditioning soft reset (using CONDRST) is in progress. It is also flagged busy when RNG is activated by application setting RNGEN bit, or when a connected peripheral fetches randoms via the dedicated RNG hardware bus.

More information on BUSY usage can also be found in Section 32.3.8 .

Bit 3 Reserved, must be kept at reset value.

Bit 2 SECS : Seed error current status

0: No faulty sequence has currently been detected. If the SEIS bit is set, this means that a faulty sequence was detected and the situation has been recovered.

1: At least one of the following faulty sequence has been detected:

• – Start-up or continuous repetition count test on noise source failed.
• – Start-up or continuous adaptive proportion test on noise source failed.
• – Start-up post-processing/conditioning sanity check failed.

After enabling the RNG, SECS bit clears once startup health tests completes successfully. If SECS does not clear, run the software reset sequence with CONDRST described in Section 32.3.4 .

Bit 1 CECS : Clock error current status

0: The RNG clock is correct ( \( f_{\text{RNGCLK}} > f_{\text{HCLK}}/32 \) ). If the CEIS bit is set, this means that a slow clock was detected and the situation has been recovered.

1: The RNG clock is too slow ( \( f_{\text{RNGCLK}} < f_{\text{HCLK}}/32 \) ).

CECS bit is valid only if the CED bit in the RNG_CR register is set to 0.

Bit 0 DRDY : Data ready

This flag is raised to indicate valid (non-0) random data available in the RNG_DR register. It is cleared by hardware upon reading the RNG_DR register (which empties the RNG buffer).

The DRDY flag can also be raised upon disabling RNG (upon clearing the RNGEN bit).

0: No valid random data ready.

1: Valid random data ready.

Raising DRDY generates an interrupt if enabled with the IE bit of the RNG_CR register.

32.7.3 RNG data register (RNG_DR)

Address offset: 0x008

Reset value: 0x0000 0000

This register is a read-only register that delivers a 32-bit random value when read. The content of this register is valid when the DRDY = 1 and the value is not 0x0, even if RNGEN = 0.

Bits 31:0 RNDATA[31:0] : Random data

32-bit random data, valid when DRDY = 1. When DRDY = 0, the RNDATA value is 0.

The 0 value means that a seed error occurred between RNG_SR polling and RND_DR output reading (a rare event).

32.7.4 RNG noise source control register (RNG_NSCR)

Address offset: 0x00C

Reset value: 0x0000 01FF

Writing in RNG_NSCR is taken into account only if the CONDRST bit is set, and the CONFIGLOCK bit is cleared in RNG_CR. Writing to this register is ignored if CONFIGLOCK= 1.

Bits 31:9 Reserved, must be kept at reset value.

Bits 8:6 EN_OSC3[2:0]:

When the RNG is enabled (RNGEN bit set), each bit of this bitfield enables one of the three inputs from the oscillator instance number 3. The bitfield has no effect otherwise.

Bits 5:3 EN_OSC2[2:0]:

When the RNG is enabled (RNGEN bit set), each bit of this bitfield enables one of the three inputs from the oscillator instance number 2. The bitfield has no effect otherwise.

Bits 2:0 EN_OSC1[2:0]:

When the RNG is enabled (RNGEN bit set), each bit of this bitfield enables one of the three inputs from the oscillator instance number 1. The bitfield has no effect otherwise.

32.7.5 RNG health test control register x (RNG_HTCRx)

Address offset: 0x010 + 0x4 * x (x=0 to 3)

Reset value: 0x0000 72AC, 0x0003 FFFF, 0x0003 FFFF, 0x0003 FFFF

Writing in RNG_HTCR is taken into account only if the CONDRST bit is set, and the CONFIGLOCK bit is cleared in the RNG_CR. Writing to this register is ignored if CONFIGLOCK = 1.

Bits 31:0 HTCFG[31:0]: health test configuration

This configuration is used by RNG to configure the health tests (repetition count test, adaptive proportion test) at position x. See Section 32.6 for the recommended value. With its default value, health tests have a very small probability of triggering any error at position x.

Note: The RNG behavior, including the read to this register, is not guaranteed if a different value from the recommended value is written.

32.7.6 RNG health test status register 0 (RNG_HTSR0)

Address offset: 0x020

Reset value: 0x0000 0000

Bits 31:10 Reserved, must be kept at reset value.

Bits 9:1 RPERR{i} : Repetitive error for oscillator i ( i =1 to 9)

This bit is set when the health test logic associated to the oscillator i finds a repetitive test error. The bit is cleared when application clears SEIS bit in RNG_SR. If ARDIS is cleared auto-reset prevents RNG to capture more than one test error. Repetition count test is defined in Health checks section.

0: No repetitive test error found in oscillator i .

1: Repetitive test error found in oscillator i .

Bit 0 RPERRX : Repetitive error after the XOR

This bit is set when the health test logic finds a repetitive test error after the XOR clock tree (see Figure 311 ). The bit is cleared when application clears SEIS bit in RNG_SR. If ARDIS is cleared auto-reset prevents RNG to capture more than one test error.

0: No repetitive test error found after the XOR clock tree.

1: Repetitive test error found after the XOR clock tree.

32.7.7 RNG health test status register 1 (RNG_HTSR1)

Address offset: 0x024

Reset value: 0x0000 0000

Bits 31:10 Reserved, must be kept at reset value.

Bits 9:1 ADERR{i} : Adaptive error for oscillator i ( i =1 to 9)

This bit is set when the health test logic associated to the oscillator i finds an adaptive test error. The bit is cleared when application clears SEIS bit in RNG_SR. If ARDIS is cleared auto-reset prevents RNG to capture more than one test error. Adaptive proportion test is defined in Health checks section.

• 0: No adaptive test error found in oscillator i .
• 1: Adaptive test error found in oscillator i .

Bit 0 ADERRX : Adaptive error after the XOR

This bit is set when the health test logic finds an adaptive test error after the XOR clock tree (see Figure 311 ). The bit is cleared when application clears SEIS bit in RNG_SR. If ARDIS is cleared auto-reset prevents RNG to capture more than one test error.

• 0: No adaptive test error found after the XOR clock tree.
• 1: Adaptive test error found after the XOR clock tree.

32.7.8 RNG noise source mask register (RNG_NSMR)

Address offset: 0x030

Reset value: 0x0000 01FF

Writing to this register is ignored if CONFIGLOCK = 1. It is recommended to have at least 6 oscillators running when loop number N = 3 (or higher). See Section 32.6.2 for details.

Bits 31:9 Reserved, must be kept at reset value.

Bits 8:0 MOSC{i} : Mask oscillator i ( i = 1 to 9)

Clear this bit to masks the oscillator i , and deactivate its related health tests. The bit has no effect if the oscillator i is deactivated with the bit RNG_NSCR[i].

Application can mask an oscillator when it is not contributing to the generation of entropy.

• 0: Oscillator i is masked, and related health tests are deactivated.
• 1: Oscillator i is not masked. Related health tests are running.

32.7.9 RNG register map

Table 300. RNG register map and reset map