From 2e962c76286c740d94c600e42a3bec33a8f53d7d Mon Sep 17 00:00:00 2001
From: patrick <patrick@openbsd.org>
Date: Fri, 31 Dec 2021 09:24:18 +0000
Subject: [PATCH] Newer Apple firmware on chipsets without a hardware RNG
 require the host to provide a buffer of random bytes to the device on
 initialization.

---
 sys/dev/pci/if_bwfm_pci.c | 26 ++++++++++++++++++++++----
 sys/dev/pci/if_bwfm_pci.h | 10 +++++++++-
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/sys/dev/pci/if_bwfm_pci.c b/sys/dev/pci/if_bwfm_pci.c
index 9b9164b2a5a..e3949448b95 100644
--- a/sys/dev/pci/if_bwfm_pci.c
+++ b/sys/dev/pci/if_bwfm_pci.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_bwfm_pci.c,v 1.64 2021/12/27 17:56:03 patrick Exp $	*/
+/*	$OpenBSD: if_bwfm_pci.c,v 1.65 2021/12/31 09:24:18 patrick Exp $	*/
 /*
  * Copyright (c) 2010-2016 Broadcom Corporation
  * Copyright (c) 2017 Patrick Wildt <patrick@blueri.se>
@@ -782,7 +782,9 @@ bwfm_pci_load_microcode(struct bwfm_pci_softc *sc, const u_char *ucode, size_t s
 {
 	struct bwfm_softc *bwfm = (void *)sc;
 	struct bwfm_core *core;
-	uint32_t shared, written;
+	struct bwfm_pci_random_seed_footer footer;
+	uint32_t addr, shared, written;
+	uint8_t *rndbuf;
 	int i;
 
 	if (bwfm->sc_chip.ch_chip == BRCM_CC_43602_CHIP_ID) {
@@ -806,10 +808,26 @@ bwfm_pci_load_microcode(struct bwfm_pci_softc *sc, const u_char *ucode, size_t s
 	    bwfm->sc_chip.ch_rambase + bwfm->sc_chip.ch_ramsize - 4, 0);
 
 	if (nvram) {
+		addr = bwfm->sc_chip.ch_rambase + bwfm->sc_chip.ch_ramsize -
+		    nvlen;
 		for (i = 0; i < nvlen; i++)
 			bus_space_write_1(sc->sc_tcm_iot, sc->sc_tcm_ioh,
-			    bwfm->sc_chip.ch_rambase + bwfm->sc_chip.ch_ramsize
-			    - nvlen  + i, nvram[i]);
+			    addr + i, nvram[i]);
+
+		footer.length = htole32(BWFM_RANDOM_SEED_MAGIC);
+		footer.magic = htole32(BWFM_RANDOM_SEED_LENGTH);
+		addr -= sizeof(footer);
+		for (i = 0; i < sizeof(footer); i++)
+			bus_space_write_1(sc->sc_tcm_iot, sc->sc_tcm_ioh,
+			    addr + i, ((uint8_t *)&footer)[i]);
+
+		rndbuf = malloc(BWFM_RANDOM_SEED_LENGTH, M_TEMP, M_WAITOK);
+		arc4random_buf(rndbuf, BWFM_RANDOM_SEED_LENGTH);
+		addr -= BWFM_RANDOM_SEED_LENGTH;
+		for (i = 0; i < BWFM_RANDOM_SEED_LENGTH; i++)
+			bus_space_write_1(sc->sc_tcm_iot, sc->sc_tcm_ioh,
+			    addr + i, rndbuf[i]);
+		free(rndbuf, M_TEMP, BWFM_RANDOM_SEED_LENGTH);
 	}
 
 	written = bus_space_read_4(sc->sc_tcm_iot, sc->sc_tcm_ioh,
diff --git a/sys/dev/pci/if_bwfm_pci.h b/sys/dev/pci/if_bwfm_pci.h
index f0502ac1f70..b9edacf2bed 100644
--- a/sys/dev/pci/if_bwfm_pci.h
+++ b/sys/dev/pci/if_bwfm_pci.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_bwfm_pci.h,v 1.7 2021/08/31 23:05:11 patrick Exp $	*/
+/*	$OpenBSD: if_bwfm_pci.h,v 1.8 2021/12/31 09:24:18 patrick Exp $	*/
 /*
  * Copyright (c) 2010-2016 Broadcom Corporation
  * Copyright (c) 2017 Patrick Wildt <patrick@blueri.se>
@@ -147,6 +147,14 @@
 #define BWFM_CONSOLE_BUFSIZE			0x0c
 #define BWFM_CONSOLE_WRITEIDX			0x10
 
+#define BWFM_RANDOM_SEED_MAGIC			0xfeedc0de
+#define BWFM_RANDOM_SEED_LENGTH			0x100
+
+struct bwfm_pci_random_seed_footer {
+	uint32_t		length;
+	uint32_t		magic;
+};
+
 struct bwfm_pci_ringinfo {
 	uint32_t		ringmem;
 	uint32_t		h2d_w_idx_ptr;
-- 
2.20.1