[cryptolib] HMAC driver TODO list #23191

Open
4 of 13 tasks
ballifatih opened this issue May 19, 2024 · 1 comment
Labels: SW:cryptolib (Crypto library)

ballifatih commented May 19, 2024

Description

(this issue is WIP)

  • Consider whether we want to have a timeout value for polling for interrupt signal. HMAC does not use EDN, so we should be able to determine a reasonable timeout value. -> [hmac, sw] Revert hash stop hang workaround #25594
  • Use a random 32-bit value from EDN to wipe HMAC, instead of fixed 32'b1. We can read a value from RV_CORE_IBEX_RND_STATUS_REG_OFFSET.
  • Write message bits in 32-bit blocks instead of 8-bit blocks, as much as possible.
  • Determine if we need to handle back-pressure when SW is writing too many message bytes in a row without a break. (We probably do not need this because there is no asynchronous EDN interaction in HMAC, unlike KMAC.)
  • Implement oneshot driver calls and connect them to cryptolib functions.
  • Revisit docs of driver functions and improve their quality (i.e. there might be missing parameters in the comment blocks, or the current descriptions might not be explaining what the caller needs to do).
  • Remove old sha256/sha512 files related to OTBN.
  • For programmer's guide: add a line stating that during streaming, SW can only feed message blocks that are multiples of internal block size. What is missing is that 0-block feeding is not allowed; there needs to be at least one block.

And potential improvement suggestions for SCA/FI hardening:

  • Use randomized copying (similar to hardened_memcpy) for KEY and DIGEST registers. This can also be extended to message inputs if message bits are also sensitive, depending on the use case (e.g. HMAC-DRBG).
  • Use multi-bit encoding for hw_started flag.
  • Determine if cleaning the values of ctx after the final call makes sense. If so, the values could be populated with random values. The suggestion is to zeroise or randomly populate ctx struct during init.
  • Improve copying function between otcrypto and driver ctx structs, by copying at word granularity.
  • Add hardened flags to context struct, such as hmac_en and use it to skip key writing etc. [cryptolib, hmac] Update HMAC driver #23196 (comment)
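
The multi-bit encoding suggested for the hw_started flag in the list above, shown as an added example that is not part of the issue or of the OpenTitan code base: it counts how many 1-bit and 2-bit faults turn a stored "not started" into "started" for a plain flag versus a multi-bit flag. The code words HW_STARTED_TRUE and HW_STARTED_FALSE and all function names are hypothetical, constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical code words, constructed for this example (not OpenTitan's):
 * bitwise complements, so all 32 bits must flip to turn one into the other. */
#define HW_STARTED_TRUE  UINT32_C(0x3CA5965A)
#define HW_STARTED_FALSE UINT32_C(0xC35A69A5)

typedef enum { FLAG_FALSE, FLAG_TRUE, FLAG_CORRUPT } flag_state_t;
typedef flag_state_t (*decode_fn)(uint32_t);

/* Plain flag: any non-zero word reads as "started". */
static flag_state_t decode_plain(uint32_t v) {
  return v ? FLAG_TRUE : FLAG_FALSE;
}

/* Multi-bit flag: only the two exact code words are accepted. */
static flag_state_t decode_multibit(uint32_t v) {
  if (v == HW_STARTED_TRUE) return FLAG_TRUE;
  if (v == HW_STARTED_FALSE) return FLAG_FALSE;
  return FLAG_CORRUPT; /* caller should treat this as a fault and abort */
}

/* Apply every 1-bit and 2-bit flip (528 masks) to `stored` and count how
 * many faulted words decode to `want`. */
static unsigned count_faults(decode_fn decode, uint32_t stored,
                             flag_state_t want) {
  unsigned n = 0;
  for (int i = 0; i < 32; i++) {
    for (int j = i; j < 32; j++) { /* j == i gives the single-bit flips */
      uint32_t mask = (UINT32_C(1) << i) | (UINT32_C(1) << j);
      if (decode(stored ^ mask) == want) n++;
    }
  }
  return n;
}

int main(void) {
  printf("plain:     %u of 528 faults read as started\n",
         count_faults(decode_plain, 0, FLAG_TRUE));
  printf("multi-bit: %u read as started, %u detected as corrupt\n",
         count_faults(decode_multibit, HW_STARTED_FALSE, FLAG_TRUE),
         count_faults(decode_multibit, HW_STARTED_FALSE, FLAG_CORRUPT));
  return 0;
}
```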

martin-velay commented Oct 24, 2024

The following is addressed by both of these PRs (once merged): #24839 and #24944

"Consider whether we want to have a timeout value for polling for interrupt signal. HMAC does not use EDN, so we should be able to determine a reasonable timeout value."

andrea-caforio added a commit to andrea-caforio/opentitan that referenced this issue Dec 13, 2024
The previously reverted commit f591bea (later refined in e869152)
contained a desirable timeout implementation for the HMAC idle
polling (see lowRISC#23191). This commit reinstantiates it.

Signed-off-by: Andrea Caforio <[email protected]>
Co-authored-by: Martin Velay <[email protected]>

vogelpi pushed a commit that referenced this issue Dec 16, 2024
The previously reverted commit f591bea (later refined in e869152)
contained a desirable timeout implementation for the HMAC idle
polling (see #23191). This commit reinstantiates it.

Signed-off-by: Andrea Caforio <[email protected]>
Co-authored-by: Martin Velay <[email protected]>