forked from lowRISC/opentitan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hmac.hjson
291 lines (277 loc) · 9.51 KB
/
hmac.hjson
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
// Copyright lowRISC contributors.
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0
{
name: "hmac",
human_name: "HMAC Accelerator",
one_line_desc: "Accelerator for SHA-256-based keyed hash message authentication code and the SHA-256 hash function",
one_paragraph_desc: '''
HMAC Accelerator is a keyed hash based message authentication code generator using [SHA-256][nist-fips-180-4] to check the integrity of an incoming message and optionally a signature signed with the same secret key.
This HMAC implementation is not hardened against side-channel analysis (SCA) or fault injection (FI) attacks; it is meant purely for hashing acceleration.
If hardened MAC operations are required, either KMAC Accelerator or a software implementation should be used.
[nist-fips-180-4]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
'''
design_spec: "../doc",
dv_doc: "../doc/dv",
hw_checklist: "../doc/checklist",
sw_checklist: "/sw/device/lib/dif/dif_hmac",
revisions: [
{
version: "0.5",
life_stage: "L2",
design_stage: "D3",
verification_stage: "V3",
commit_id: "635afdb8dedbb50c235bd772b36002925c499884",
notes: ""
}
{
version: "1.0",
life_stage: "L1",
design_stage: "D3",
verification_stage: "V2",
dif_stage: "S2",
notes: "",
}
]
clocking: [{clock: "clk_i", reset: "rst_ni", idle: "idle_o"}],
bus_interfaces: [
{ protocol: "tlul", direction: "device" }
],
interrupt_list: [
{ name: "hmac_done",
desc: "HMAC-256 completes a message with key"
}
{ name: "fifo_empty",
desc: "Message FIFO empty condition"
}
{ name: "hmac_err",
desc: "HMAC error occurred. ERR_CODE register shows which error occurred"
}
],
alert_list: [
{ name: "fatal_fault",
desc: '''
This fatal alert is triggered when a fatal TL-UL bus integrity fault is detected.
'''
}
],
inter_signal_list: [
{ name: "idle",
type: "uni",
act: "req",
package: "prim_mubi_pkg",
struct: "mubi4",
width: "1"
}
],
param_list: [
{ name: "NumWords",
type: "int",
default: "8",
desc: "Number of words for digest/ key",
local: "true"
}
],
countermeasures: [
{ name: "BUS.INTEGRITY",
desc: "End-to-end bus integrity scheme."
}
]
regwidth: "32",
registers: [
{ name: "CFG",
desc: '''HMAC Configuration register.
The register is updated when the engine is in Idle.
If the software updates the register while the engine computes the hash,
the updated value is discarded.
''',
hwext: "true",
hwqe: "true",
swaccess: "rw",
hwaccess: "hrw",
fields: [
{ bits: "0",
name: "hmac_en",
desc: '''HMAC datapath enable.
If this bit is 1, HMAC operates when `hash_start` toggles.
''',
tags: [// don't enable hmac and sha data paths - we will do that in functional tests
"excl:CsrNonInitTests:CsrExclWrite"]
}
{ bits: "1",
name: "sha_en",
desc: '''SHA256 enable. If 0, SHA engine won't initiate compression,
this is used to stop operation of the SHA engine until configuration
has been done. When the SHA engine is disabled the digest is cleared.'''
tags: [// don't enable hmac and sha data paths - we will do that in functional tests
"excl:CsrNonInitTests:CsrExclWrite"]
}
{ bits: "2",
name: "endian_swap",
desc: '''Endian swap.
If 0, each value will be added to the message in little-endian
byte order. The value is written to MSG_FIFO same to the SW writes.
If 1, then each individual multi-byte value, regardless of its
alignment, written to !!MSG_FIFO will be added to the message
in big-endian byte order.
A message written to !!MSG_FIFO one byte at a time will not be
affected by this setting.
From a hardware perspective byte swaps are performed on a TL-UL
word granularity.
''',
resval: "0",
}
{ bits: "3",
name: "digest_swap",
desc: '''Digest register byte swap.
If 1 the value contained in each digest output register is
converted to big-endian byte order.
This setting does not affect the order of the digest output
registers, !!DIGEST_0 still contains the first 4 bytes of
the digest.
''',
resval: "0",
}
]
}
{ name: "CMD",
desc: "HMAC command register",
swaccess: "r0w1c",
hwaccess: "hro",
hwext: "true",
hwqe: "true",
tags: [// design assertion : after hash_start sets, can only wr msg or set hash_process
// design assertion : hash_process can be set only after hash_start is set
"excl:CsrAllTests:CsrExclWrite"]
fields: [
{ bits: "0",
name: "hash_start",
desc: '''If writes 1 into this field, SHA256 or HMAC begins its operation.
CPU should configure relative information first, such as message_length,
secret_key.
''',
}
{ bits: "1",
name: "hash_process",
desc: '''If writes 1 into this field, SHA256 or HMAC calculates the digest or signing
based on currently received message.
'''
}
],
}
{ name: "STATUS",
desc: "HMAC Status register",
swaccess: "ro",
hwaccess: "hwo",
hwext: "true",
fields: [
{ bits: "0",
name: "fifo_empty",
desc: "FIFO empty",
resval: "1"
}
{ bits: "1",
name: "fifo_full",
desc: "FIFO full. Data written to the FIFO whilst it is full will cause back-pressure on the interconnect"
}
{ bits: "8:4",
name: "fifo_depth",
desc: "FIFO entry count."
}
]
}
{ name: "ERR_CODE",
desc: "HMAC Error Code",
swaccess: "ro",
hwaccess: "hwo",
fields: [
{ bits: "31:0",
name: "err_code",
desc: '''If error interrupt occurs, this register has information of error cause.
Please take a look at `hw/ip/hmac/rtl/hmac_pkg.sv:err_code_e enum type.
'''
tags: [// Randomly write mem will cause this reg updated by design
"excl:CsrNonInitTests:CsrExclCheck"]
}
]
}
{ name: "WIPE_SECRET",
desc: '''Randomize internal secret registers.
If CPU writes value into the register, the value is used to randomize internal
variables such as secret key, internal state machine, or hash value.
''',
swaccess: "wo",
hwaccess: "hro",
hwext: "true",
hwqe: "true",
fields: [
{ bits: "31:0", name:"secret", desc: "Secret value" }
]
}
{ multireg: {
name: "KEY",
desc: '''HMAC Secret Key
SHA256 assumes secret key is hashed 256bit key.
Order of the secret key is:
key[255:0] = {KEY0, KEY1, KEY2, ... , KEY7};
The registers are allowed to be updated when the engine is in Idle state.
If the engine computes the hash, it discards any attempts to update the secret keys
and report an error.
''',
count: "NumWords",
cname: "HMAC",
hwext: "true",
hwqe : "true",
swaccess: "wo",
hwaccess: "hrw",
fields: [
{ bits: "31:0", name: "key", desc: "32-bit chunk of 256-bit Secret Key" }
],
}
}
{ multireg: {
name: "DIGEST",
desc: '''Digest output. If HMAC is disabled, the register shows result of SHA256
Order of the digest is:
digest[255:0] = {DIGEST0, DIGEST1, DIGEST2, ... , DIGEST7};
''',
count: "NumWords",
cname: "HMAC",
swaccess: "ro",
hwaccess: "hwo",
hwext: "true",
fields: [
{ bits: "31:0", name: "digest", desc: "32-bit chunk of 256-bit Digest" }
]
}
}
{ name: "MSG_LENGTH_LOWER",
desc: '''Received Message Length calculated by the HMAC in bits [31:0]
Message is byte granularity.
lower 3bits [2:0] are ignored.''',
swaccess: "ro",
hwaccess: "hwo",
fields: [
{ bits: "31:0", name: "v", desc: "Message Length [31:0]" }
]
}
{ name: "MSG_LENGTH_UPPER",
desc: "Received Message Length calculated by the HMAC in bits [63:32]",
swaccess: "ro",
hwaccess: "hwo",
fields: [
{ bits: "31:0", name: "v", desc: "Message Length [63:32]" }
]
}
{ skipto: "0x800" }
{ window: {
name: "MSG_FIFO"
items: "512" // 2kB
swaccess: "wo",
byte-write: "true",
desc: '''Message FIFO. Any write to this window will be appended to the FIFO. Only the lower [1:0] bits of the address matter to writes within the window (for correctly dealing with non 32-bit writes)
'''
}
}
],
}