
[kmac] D2S Signoff #20978

Closed
msfschaffner opened this issue Jan 25, 2024 · 5 comments · Fixed by #21982

Comments


msfschaffner commented Jan 25, 2024

Description

Ensure D2S signoff criteria are fulfilled after focus area changes have landed.

@msfschaffner msfschaffner added this to the Earlgrey-PROD.M2 milestone Jan 25, 2024
@vogelpi vogelpi changed the title [kmac] D2 Signoff [kmac] D2S Signoff Mar 11, 2024

vogelpi commented Mar 11, 2024

Commits since Earlgrey-ES tapeout

git rev-parse --short HEAD

3d21fe7

git log Earlgrey-M2.5.2-RC0..HEAD --oneline hw/ip/kmac

15f75fa [kmac, sha3] Add REQ/ACK interface to delay Keccak operations
5cb6b89 [kmac] Rework fifo_empty interrupt, change type to status
adf455d [kmac] Add separate FuseSoc core file for kmac_reduced.sv
ddc64ed [kmac] Fix driving conflict in kmac_reduced.sv used for SCA evaluation
642d7a9 [kmac] Switch to Trivium-based PRNG implementation
4414aaa [kmac] Add param to keccak_round/2share to only use external randomness
0237c23 [kmac] Add buffer stage to PRNG output
365dfd2 [kmac] Make DOM multiplier I/O muxing glitch free
dd4b689 [kmac] Move DOM multiplier control from keccak_2share to keccak_round
043b0e0 [kmac] Simplify randomness update requests and PRNG control logic
fa5dc8a [pre_sca] Convert PROLEAD configuration files to Unix format
deb7ee1 [kmac,pre_dv] Check digests produced by kmac_reduced_tb using DPI model
72c05a2 [kmac] Add missing CM annotation
178e088 [kmac, pre_sca] Add PROLEAD setup
b56df44 [kmac,pre_dv] Add scratch Verilator testbench for kmac_reduced module
bf71a0f [kmac,rtl] Add kmac_reduced module suitable for SCA e.g. using PROLEAD
66472e2 [pre_syn] Include csrng_pkg.sv to re-enable Yosys synthesis
5639924 Revert "[edn] Move prim_edn_req out of prim"
c721c51 [rtl, prim] Add 'commit' functionality to prim_count
61a237e [util/reggen] reverse order of substruct generation
fc84846 [reggen,hw] Create index parameter for registers windows
3b4e36e [edn] Move prim_edn_req out of prim
de31bdf [reggen] Remove the devmode input
963a500 [doc] Minor tweak to md sanitisation code
5be278b [aes, kmac, otbn] Perform final clean -purge step in Yosys synthesis
2257a72 [kmac/pre_syn] Re-enable Yosys synthesis flow
975a6eb [adc_ctrl,dv] Tidy up access to intr_state in env_cfg files
1b16ca2 [reggen] Add mubi support SWAccess that sets/clears a reg
b968a16 [kmac,doc] Correct performance numbers
f96f3dc [kmac, doc] Update doc with cmdgen.py
3c02ff2 [kmac, doc] Update MSG_FIFO description
59f8142 [doc] Moved badges over to using hosted images
9efb9cc [doc] kmac registers and interfaces now use CMDGEN
8ef4c55 [chip-test] SiVal test plan updates for KMAC
7688e71 [reggen] Add initial support for version and cip_id hjson fields
fbd888e Revert "[reggen] Add CIP_IDs and bump all major versions"
2db7ac4 [kmac, rtl] Advance LFSR upon randomness consumption during reseeding
e53fe26 [kmac, rtl] Tweak SVA checking that the Keccak core only uses valdi PRD
37314cd [kmac, doc] Fix broken references
9bc003c [aes, kmac] Replace term aggravate in SCA/FI context
b0044a4 [kmac, rtl] Hold entropy_req until it's acknowledged
b156e6d [kmac, rtl] Keep advancing LFSR in StRandErr as during normal operation
0ba10b3 [reggen] Add CIP_IDs and bump all major versions
e47df29 [misc] Use lc_tx_t testing functions at endpoints

Issues closed since the Earlgrey-ES tapeout

DD & DV

Doc

SW

SiVal / Chip-level tests

Misc

Currently open issues

DD / DV

DV

Doc

SiVal / Chip-level tests

Misc

Summary

Since Earlgrey-M2.5.2-RC0, there have been two notable RTL changes to KMAC (besides some minor bug fixes):

  • The change of the PRNG (together with optimizing the masking SCA countermeasure)
  • The change of the interrupt type for the fifo_empty interrupt

Both changes are reflected in the documentation and DV has been aligned where possible. A full security evaluation has been performed for the masking / PRNG change. The fifo_empty interrupt isn't verified (but it wasn't before the change) and software currently does not use it. Based on this, I feel confident to declare D2S.

For M3, there are three minor security improvements outstanding (see open issues). But none of this is going to be a major change. Thus, I am still in favor of declaring D2S (the block was D2S before) but I'd also be okay to go to D2 first. PLMK @msfschaffner , @andreaskurth .

@andreaskurth

I agree that D2S is still fulfilled. I reviewed the following commits, which change kmac's RTL code (commit list obtained with git log --oneline Earlgrey-M2.5.2-RC0..HEAD -- hw/ip/kmac/rtl):

  • 15f75fa [kmac, sha3] Add REQ/ACK interface to delay Keccak operations
  • 5cb6b89 [kmac] Rework fifo_empty interrupt, change type to status
  • ddc64ed [kmac] Fix driving conflict in kmac_reduced.sv used for SCA evaluation
  • 642d7a9 [kmac] Switch to Trivium-based PRNG implementation
  • 4414aaa [kmac] Add param to keccak_round/2share to only use external randomness
  • 0237c23 [kmac] Add buffer stage to PRNG output
  • 365dfd2 [kmac] Make DOM multiplier I/O muxing glitch free
  • dd4b689 [kmac] Move DOM multiplier control from keccak_2share to keccak_round
  • 043b0e0 [kmac] Simplify randomness update requests and PRNG control logic
  • 72c05a2 [kmac] Add missing CM annotation
  • bf71a0f [kmac,rtl] Add kmac_reduced module suitable for SCA e.g. using PROLEAD
  • c721c51 [rtl, prim] Add 'commit' functionality to prim_count
  • 61a237e [util/reggen] reverse order of substruct generation
  • fc84846 [reggen,hw] Create index parameter for registers windows
  • de31bdf [reggen] Remove the devmode input
  • 1b16ca2 [reggen] Add mubi support SWAccess that sets/clears a reg
  • fbd888e Revert "[reggen] Add CIP_IDs and bump all major versions"
  • 2db7ac4 [kmac, rtl] Advance LFSR upon randomness consumption during reseeding
  • e53fe26 [kmac, rtl] Tweak SVA checking that the Keccak core only uses valdi PRD
  • 9bc003c [aes, kmac] Replace term aggravate in SCA/FI context
  • b0044a4 [kmac, rtl] Hold entropy_req until it's acknowledged
  • b156e6d [kmac, rtl] Keep advancing LFSR in StRandErr as during normal operation
  • 0ba10b3 [reggen] Add CIP_IDs and bump all major versions
  • e47df29 [misc] Use lc_tx_t testing functions at endpoints

The main RTL changes are in the following PRs:

The first three PRs have been thoroughly reviewed, resulting in approval by multiple committers. I scanned the changes again and did not notice problems that would prevent D2S sign-off in my view. The bottom two PRs have not been scrutinized to the same degree, so I reviewed them again in detail and didn't find problems there either. With the security evaluation done as part of #21624, we should be able to maintain the maturity level of the countermeasures.

Thus I think we should proceed with signing KMAC off at D2S.

@andreaskurth

I just noticed that KMAC is still at D2S and didn't have its version number increased:

version: "1.0.0",
life_stage: "L1",
design_stage: "D2S",
verification_stage: "V2S",
dif_stage: "S2",
commit_id: "c2a8c64ccbca39707be7883dfd2f8c1100813730",

Given the PRNG reworking, the type change of the fifo_empty interrupt, and the fixing of the CS AES Halt interface, I think we should bump at least the minor version (i.e., 1.1.0) (and remove the outdated commit_id). WDYT @vogelpi @msfschaffner ?


andreaskurth commented Mar 12, 2024

As just discussed in the WG meeting, @msfschaffner recommends a major version bump due to the SW-visible interface change (interrupt type), and I agree. I created PR #21982 to do this.


vogelpi commented Mar 12, 2024

Speaking of SW-visible interface, I've now realized that the PRNG change (#21624) was already software visible because KMAC features a way for SW to reseed the PRNG initially. Since the state size of the PRNG changed, the number of words to be written needed to be changed and, to streamline things, I've switched from 5 registers written once each to 1 register written 9 times. So, the major version bump definitely makes sense to me.
