forked from lowRISC/opentitan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dif_kmac.h
815 lines (732 loc) · 24.1 KB
/
dif_kmac.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
// Copyright lowRISC contributors (OpenTitan project).
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0
#ifndef OPENTITAN_SW_DEVICE_LIB_DIF_DIF_KMAC_H_
#define OPENTITAN_SW_DEVICE_LIB_DIF_DIF_KMAC_H_
/**
* @file
* @brief <a href="/hw/ip/kmac/doc/">KMAC</a> Device Interface Functions
*/
#include <stdint.h>
#include "sw/device/lib/base/macros.h"
#include "sw/device/lib/base/mmio.h"
#include "sw/device/lib/dif/dif_base.h"
#include "sw/device/lib/dif/autogen/dif_kmac_autogen.h"
#ifdef __cplusplus
extern "C" {
#endif // __cplusplus
/**
* This API implements an interface for the KMAC hardware.
*
* The KMAC hardware implements the following cryptographic hash and message
* authentication code (MAC) functions:
*
* - SHA-3 [1]
* - SHAKE [1]
* - cSHAKE [2]
* - KMAC [2]
*
* The following sequence of operations is required to initialize the KMAC
* hardware:
*
* - `dif_kmac_init()`
* - `dif_kmac_configure()`
*
* If configuration changes are required then `dif_kmac_configure` can be called
* again so long as there are no operations in progress.
*
* The following sequence of operations is required to execute an operation:
*
* - `dif_kmac_{sha3,shake,cshake,kmac}_start()`
* - `dif_kmac_absorb()`
* - `dif_kmac_squeeze()`
* - `dif_kmac_end()`
*
* This is a streaming API and the `dif_kmac_absorb` and `dif_kmac_squeeze`
* functions may be called multiple times during a single operation. Once
* `dif_kmac_squeeze` has been called however no further `dif_kmac_absorb` calls
* may be made. See NIST FIPS 202 [1] for more information about the sponge
* construction and the 'absorbing' and 'squeezing' states.
*
* Please see the following documentation for more information about the KMAC
* hardware:
* https://docs.opentitan.org/hw/ip/kmac/doc/
*
* References:
* [1] - NIST FIPS 202
* SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
* http://dx.doi.org/10.6028/NIST.FIPS.202
* [2] - NIST Special Publication 800-185
* SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash
* https://doi.org/10.6028/NIST.SP.800-185
*/
/**
* Supported entropy modes.
*
* Entropy may be provided by the entropy distribution network (EDN) or using a
* seed provided by software.
*/
typedef enum dif_kmac_entropy_mode {
kDifKmacEntropyModeIdle = 0,
kDifKmacEntropyModeEdn,
kDifKmacEntropyModeSoftware,
} dif_kmac_entropy_mode_t;
/**
* Maximum lengths supported by the KMAC unit.
*/
enum {
/**
* The maximum length in bytes of a customization string (S) before it has
* been encoded.
*/
kDifKmacMaxCustomizationStringLen = 32,
/**
* The maximum number of bytes required to encode the length of the
* customization string.
*
* Assumes maximum customization string length of 32 bytes (256 bits).
*/
kDifKmacMaxCustomizationStringOverhead = 3,
/**
* The maximum length in bytes of a function name (N) before it has been
* encoded.
*/
kDifKmacMaxFunctionNameLen = 4,
/**
* The maximum number of bytes required to encode the length of the function
* name.
*
* Assumes maximum function name length of 4 bytes (32 bits).
*/
kDifKmacMaxFunctionNameOverhead = 2,
/**
* The maximum output length (L) that can be set when starting a KMAC
* operation.
*
* The length is in 32-bit words and is designed to be low enough that the
* length in bits can still be represented by an unsigned 32-bit integer.
*/
kDifKmacMaxOutputLenWords = (UINT32_MAX - 32) / 32,
/**
* The maximum key length supported by the KMAC operation.
*
* The length is in 32-bit words.
*/
kDifKmacMaxKeyLenWords = 512 / 32,
/**
* The length of the software entropy seed.
*
* The length is in 32-bit words.
*/
kDifKmacEntropySeedWords = 6,
/**
* The offset of the second share within the output state register.
*/
kDifKmacStateShareOffset = 0x100,
/**
* The size of the Keccak state in words (i.e. 1600 bits).
*/
kDifKmacStateWords = 1600 / 8 / sizeof(uint32_t),
};
/**
* Runtime configuration for KMAC.
*
* This struct describes runtime information for configuration of the hardware.
*/
typedef struct dif_kmac_config {
/**
* Entropy mode specifying the source of entropy (EDN or software).
*/
dif_kmac_entropy_mode_t entropy_mode;
/**
* Entropy fast process mode when enabled prevents the KMAC unit consuming
* entropy unless it is processing a secret key. This process should not be
* used when resistance against side-channel attacks is required, because
* it may lead to leakage of the secret key in the power trace.
*/
bool entropy_fast_process;
/**
* Entropy seed. Only used when the source of entropy is software.
*/
uint32_t entropy_seed[kDifKmacEntropySeedWords];
/**
* The number of KMAC invocations that triggers an automatic seed request from
* EDN.
*/
uint16_t entropy_hash_threshold;
/**
* Number of clock cycles to wait for the EDN to reseed the entropy generator
* before an error is raised (see `dif_kmac_get_error`). If 0 the unit will
* wait forever.
*/
uint16_t entropy_wait_timer;
/**
* Prescaler value that determines how many clock pulse triggers an increment
* in the timer counter.
*/
uint16_t entropy_prescaler;
/**
* Convert the message to big-endian byte order.
* Note: this option currently had no effect since the message is sent a byte
* at a time but will in the future.
*/
bool message_big_endian;
/**
* Convert the output state (digest) to big-endian byte order on a word
* granularity.
*/
bool output_big_endian;
/**
* Place kmac inside key sideload mode
*/
bool sideload;
/**
* Message Masking with PRNG.
* If true, KMAC applies PRNG to the input messages to the Keccak module when
* KMAC mode is on.
*/
bool msg_mask;
} dif_kmac_config_t;
/**
* A KMAC operation state context.
*/
typedef struct dif_kmac_operation_state {
/**
* Whether the 'squeezing' phase has been started.
*/
bool squeezing;
/**
* Flag indicating whether the output length (d) should be right encoded in
* software and appended to the end of the message. The output length is
* required to be appended to the message as part of a KMAC operation.
*/
bool append_d;
/**
* Offset into the output state.
*/
size_t offset;
/**
* The rate (r) in 32-bit words.
*/
size_t r;
/**
* The output length (d) in 32-bit words.
*
* If the output length is not fixed then this field will be set to 0.
*
* Note: if the output length is fixed length will be modified to ensure that
* `d - offset` always accurately reflects the number of words remaining.
*/
size_t d;
} dif_kmac_operation_state_t;
/**
* Supported SHA-3 modes of operation.
*/
typedef enum dif_kmac_mode_sha3 {
/** SHA-3 with 224 bit strength. */
kDifKmacModeSha3Len224,
/** SHA-3 with 256 bit strength. */
kDifKmacModeSha3Len256,
/** SHA-3 with 384 bit strength. */
kDifKmacModeSha3Len384,
/** SHA-3 with 512 bit strength. */
kDifKmacModeSha3Len512,
} dif_kmac_mode_sha3_t;
/**
* Supported SHAKE modes of operation.
*/
typedef enum dif_kmac_mode_shake {
/** SHAKE with 128 bit strength. */
kDifKmacModeShakeLen128,
/** SHAKE with 256 bit strength. */
kDifKmacModeShakeLen256,
} dif_kmac_mode_shake_t;
/**
* Supported cSHAKE modes of operation.
*/
typedef enum dif_kmac_mode_cshake {
/** cSHAKE with 128 bit strength. */
kDifKmacModeCshakeLen128,
/** cSHAKE with 256 bit strength. */
kDifKmacModeCshakeLen256,
} dif_kmac_mode_cshake_t;
/**
* Supported KMAC modes of operation.
*/
typedef enum dif_kmac_mode_kmac {
/** KMAC with 128 bit strength. */
kDifKmacModeKmacLen128,
/** KMAC with 256 bit strength. */
kDifKmacModeKmacLen256,
} dif_kmac_mode_kmac_t;
/**
* Key length.
*
* The key length is specified in bits.
*/
typedef enum dif_kmac_key_length {
/** Software provided 128 bit key. */
kDifKmacKeyLen128 = 0,
/** Software provided 192 bit key. */
kDifKmacKeyLen192 = 1,
/** Software provided 256 bit key. */
kDifKmacKeyLen256 = 2,
/** Software provided 384 bit key. */
kDifKmacKeyLen384 = 3,
/** Software provided 512 bit key. */
kDifKmacKeyLen512 = 4,
} dif_kmac_key_length_t;
/**
* A key for KMAC operations.
*
* The key is provided in two parts, `share0` and `share1`. These are
* combined using a bitwise XOR operation in the KMAC unit to produce the real
* key.
*
* The key shares are encoded in little endian byte order. This is fixed and
* cannot be changed (unlike the byte order used for the message and state).
*
* Unused words in the key shares must be set to 0.
*/
typedef struct dif_kmac_key {
uint32_t share0[kDifKmacMaxKeyLenWords];
uint32_t share1[kDifKmacMaxKeyLenWords];
dif_kmac_key_length_t length;
} dif_kmac_key_t;
/**
* An encoded bit string used for customization string (S).
*
* Use `dif_kmac_customization_string_init` to initialize.
*/
typedef struct dif_kmac_customization_string {
/** Encoded S: left_encode(len(S)) || S */
char buffer[kDifKmacMaxCustomizationStringLen +
kDifKmacMaxCustomizationStringOverhead];
/** Length of data in buffer in bytes. */
uint32_t length;
} dif_kmac_customization_string_t;
/**
* An encoded bit string used for function name (N).
*
* Use `dif_kmac_function_name_init` to initialize.
*/
typedef struct dif_kmac_function_name {
/** Encoded N: left_encode(len(N)) || N */
char buffer[kDifKmacMaxFunctionNameLen + kDifKmacMaxFunctionNameOverhead];
/** Length of data in buffer in bytes. */
uint32_t length;
} dif_kmac_function_name_t;
/**
* Error reported by KMAC unit.
*
* Codes taken from hw/ip/kmac/rtl/kmac_pkg.sv:err_code_e
*/
typedef enum dif_kmac_error {
/**
* No error has occured.
*/
kDifErrorNone = 0,
/**
* The Key Manager has raised an error because the secret key is not valid.
*/
kDifErrorKeyNotValid = 1,
/**
* An attempt was made to write data into the message FIFO but the KMAC unit
* was not in the correct state to receive the data.
*/
kDifErrorSoftwarePushedMessageFifo = 2,
/**
* SW issued a command while a HW application interface was using KMAC.
*/
kDifErrorSoftwareIssuedCommandWhileAppInterfaceActive = 3,
/**
* The entropy wait timer has expired.
*/
kDifErrorEntropyWaitTimerExpired = 4,
/**
* Incorrect entropy mode when entropy is ready.
*/
kDifErrorEntropyModeIncorrect = 5,
kDifErrorUnexpectedModeStrength = 6,
kDifErrorIncorrectFunctionName = 7,
kDifErrorSoftwareCommandSequence = 8,
kDifErrorSoftwareHashingWithoutEntropyReady = 9,
kDifErrorFatalError = 0xC1,
kDifErrorPackerIntegrity = 0xC2,
kDifErrorMsgFifoIntegrity = 0xC3,
} dif_kmac_error_t;
/**
* The state of the message FIFO used to buffer absorbed data.
*
* The hardware defined these status in different bit fields, however they work
* better in the same field. i.e the fifo can't be empty and full at the same
* time. That said, the values chosen for this enum allow the conversion from
* the register bits to this enum without branches.
*/
typedef enum dif_kmac_fifo_state {
/** The message FIFO is not empty or full. */
kDifKmacFifoStatePartial = 0,
/** The message FIFO is empty. */
kDifKmacFifoStateEmpty = 1 << 0,
/** The message FIFO is full. Further writes will block. */
kDifKmacFifoStateFull = 1 << 1,
} dif_kmac_fifo_state_t;
typedef enum dif_kmac_sha3_state {
/**
* SHA3 hashing engine is in idle state.
*/
kDifKmacSha3StateIdle = 1 << 0,
/**
* SHA3 is receiving message stream and processing it.
*/
kDifKmacSha3StateAbsorbing = 1 << 1,
/**
* SHA3 completes sponge absorbing stage. In this stage, SW can manually run
* the hashing engine.
*/
kDifKmacSha3StateSqueezing = 1 << 2,
} dif_kmac_sha3_state_t;
/**
* The kmac error faults.
*
* The hardware defined these status in different bit fields, however they work
* better in the same field. Then the values chosen for this enum allow the
* conversion from the register bits to this enum without branches.
*/
typedef enum dif_kmac_alert_faults {
/**
* Neither errors nor fault has occurred.
*/
kDifKmacAlertNone = 0,
/**
* A fatal fault has occurred and the KMAC unit needs to be reset (1),
* Examples for such faults include i) TL-UL bus integrity fault ii)
* storage errors in the shadow registers iii) errors in the message,
* round, or key counter iv) any internal FSM entering an invalid state v)
* an error in the redundant lfsr.
*/
kDifKmacAlertFatalFault = 1 << 0,
/**
* An update error has occurred in the shadowed Control Register. KMAC
* operation needs to be restarted by re-writing the Control Register.
*/
kDifKmacAlertRecovCtrlUpdate = 1 << 1,
} dif_kmac_alert_faults_t;
typedef struct dif_kmac_status {
/**
* Sha3 state.
*/
dif_kmac_sha3_state_t sha3_state;
/**
* Message FIFO entry count.
*/
uint32_t fifo_depth;
/**
* Kmac fifo state.
*/
dif_kmac_fifo_state_t fifo_state;
/**
* Kmac faults and errors state.
*/
dif_kmac_alert_faults_t faults;
} dif_kmac_status_t;
/**
* Configures KMAC with runtime information.
*
* @param kmac A KMAC handle.
* @param config Runtime configuration parameters.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_configure(dif_kmac_t *kmac, dif_kmac_config_t config);
/**
* Encode a customization string (S).
*
* The length of the string must not exceed `kDifKmacMaxCustomizationStringLen`.
*
* Note that this function will encode `len` bytes from `data` regardless of
* whether `data` is null-terminated or not.
*
* See NIST Special Publication 800-185 [2] for more information about the
* customization string (S) parameter.
*
* @param data String to encode.
* @param len Length of string to encode.
* @param[out] out Encoded customization string.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_customization_string_init(
const char *data, size_t len, dif_kmac_customization_string_t *out);
/**
* Encode a function name (N).
*
* The length of the string must not exceed `kDifKmacMaxFunctionNameLen`.
*
* Note that this function will encode `len` bytes from `data` regardless of
* whether `data` is null-terminated or not.
*
* See NIST Special Publication 800-185 [2] for more information about the
* function name (N) parameter.
*
* @param data String to encode.
* @param len Length of string to encode.
* @param[out] out Encoded function name.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_function_name_init(const char *data, size_t len,
dif_kmac_function_name_t *out);
/**
* Start a SHA-3 operation.
*
* SHA-3 operations have a fixed output length.
*
* See NIST FIPS 202 [1] for more information about SHA-3.
*
* @param kmac A KMAC handle.
* @param operation_state A KMAC operation state context.
* @param mode The SHA-3 mode of operation.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_mode_sha3_start(
const dif_kmac_t *kmac, dif_kmac_operation_state_t *operation_state,
dif_kmac_mode_sha3_t mode);
/**
* Start a SHAKE operation.
*
* SHAKE operations have a variable (XOF) output length.
*
* See NIST FIPS 202 [1] for more information about SHAKE.
*
* @param kmac A KMAC handle.
* @param operation_state A KMAC operation state context.
* @param mode The mode of operation.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_mode_shake_start(
const dif_kmac_t *kmac, dif_kmac_operation_state_t *operation_state,
dif_kmac_mode_shake_t mode);
/**
* Start a cSHAKE operation.
*
* cSHAKE operations have a variable (XOF) output length.
*
* See NIST Special Publication 800-185 [2] for more information about cSHAKE.
*
* @param kmac A KMAC handle.
* @param operation_state A KMAC operation state context.
* @param mode The mode of operation.
* @param n Function name (optional).
* @param s Customization string (optional).
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_mode_cshake_start(
const dif_kmac_t *kmac, dif_kmac_operation_state_t *operation_state,
dif_kmac_mode_cshake_t mode, const dif_kmac_function_name_t *n,
const dif_kmac_customization_string_t *s);
/**
* Start a KMAC operation.
*
* To use KMAC in eXtendable-Output Function (XOF) mode set the output length
* (`l`) to 0. The output length must not be greater than
* `kDifKmacMaxOutputLenWords`.
*
* The key provided must have at least as many bits as the security strength
* of the `mode`.
*
* See NIST Special Publication 800-185 [2] for more information about KMAC.
*
* @param kmac A KMAC handle.
* @param operation_state A KMAC operation state context.
* @param mode The mode of operation.
* @param l Output length (number of 32-bit words that will be 'squeezed').
* @param k Pointer to secret key.
* @param s Customization string (optional).
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_mode_kmac_start(
const dif_kmac_t *kmac, dif_kmac_operation_state_t *operation_state,
dif_kmac_mode_kmac_t mode, size_t l, const dif_kmac_key_t *k,
const dif_kmac_customization_string_t *s);
/**
* Absorb bytes from the message provided.
*
* If `processed` is non-NULL, then this function will write the remaining
* space in the FIFO and update `processed` with the number of bytes written.
* The caller should adjust the `msg` pointer and `len` parameters and call
* again as needed until all input has been written.
*
* If `processed` is NULL, then this function will block until the entire
* message has been processed or an error occurs.
*
* If big-endian mode is enabled for messages (`message_big_endian`) only the
* part of the message aligned to 32-bit word boundaries will be byte swapped.
* Unaligned leading and trailing bytes will be written into the message as-is.
*
* @param kmac A KMAC handle.
* @param operation_state A KMAC operation state context.
* @param msg Pointer to data to absorb.
* @param len Number of bytes of data to absorb.
* @param[out] processed Number of bytes processed (optional).
* @preturn The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_absorb(const dif_kmac_t *kmac,
dif_kmac_operation_state_t *operation_state,
const void *msg, size_t len, size_t *processed);
/**
* Squeeze bytes into the output buffer provided.
*
* Requesting a squeeze operation will prevent any further absorption operations
* from taking place.
*
* If `kDifKmacIncomplete` is returned then the hardware is currently
* recomputing the state and the output was only partially written. The output
* pointer and length should be updated according to the number of bytes
* processed and the squeeze operation continued at a later time.
*
* If `processed` is not provided then this function will block until `len`
* bytes have been written to `out` or an error occurs.
*
* Normally, the capacity part of Keccak state is and should not be read
* as part of a regular cryptographic operation. However, this function
* can also read the capacity for testing purposes.
* When `capacity` is a non-NULL pointer, at the end of the operation, the
* capacity part of the Keccak state is also read and written into this buffer.
* The capacity is read for each output round, meaning that if the requested
* digest is larger than a single Keccak round can provide (i.e. the rate), then
* the additional rounds also update this buffer. Hence it should be large
* enough to accommodate `ceil(digest_len/rate_len) * capacity_len`.
* `capacity` can be set to NULL to skip reading the capacity.
*
* @param kmac A KMAC handle.
* @param operation_state A KMAC operation state context.
* @param[out] out Pointer to output buffer.
* @param[out] len Number of 32-bit words to write to output buffer.
* @param[out] processed Number of 32-bit words written to output buffer
* (optional).
* @param[out] capacity Optional buffer to read capacity along with the digest.
* @preturn The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_squeeze(const dif_kmac_t *kmac,
dif_kmac_operation_state_t *operation_state,
uint32_t *out, size_t len, size_t *processed,
uint32_t *capacity);
/**
* Ends a squeeze operation and resets the hardware so it is ready for a new
* operation.
*
* @param kmac A KMAC handle.
* @param operation_state A KMAC operation state context.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_end(const dif_kmac_t *kmac,
dif_kmac_operation_state_t *operation_state);
/**
* Read the kmac error register to get the error code indicated the interrupt
* state.
*
* This function should be called in case of any of the `start` functions
* returns `kDifError`.
*
* @param kmac A KMAC handle.
* @param[out] error The current error code.
* @param[out] info Optional additional error information.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_get_error(const dif_kmac_t *kmac, dif_kmac_error_t *error,
uint32_t *info);
/**
* Clear the current error code and reset the state machine to the idle state
* ready to accept new operations.
*
* The state of any in-progress operation will be lost and the operation will
* need to be restarted.
*
* @param kmac A KMAC handle.
* @param operation_state A KMAC operation state context.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_reset(const dif_kmac_t *kmac,
dif_kmac_operation_state_t *operation_state);
/**
* Let the KMAC HW know that SW has processed the errors the HW has flagged.
*
* @param kmac A KMAC handle
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_err_processed(const dif_kmac_t *kmac);
/**
* Report whether the hardware currently indicates an error.
*
* @param kmac A KMAC handle.
* @param[out] error Whether hardware currently indicates an error.
* @returns The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_has_error_occurred(const dif_kmac_t *kmac, bool *error);
/**
* Clear the `kmac_err` IRQ.
*
* @param kmac A KMAC handle.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_clear_err_irq(const dif_kmac_t *kmac);
/**
* Fetch the current status of the message FIFO used to buffer absorbed data.
*
* @param kmac A KMAC handle.
* @param[out] kmac_status The kmac status struct.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_get_status(const dif_kmac_t *kmac,
dif_kmac_status_t *kmac_status);
/**
* Returns the current value of the refresh hash counter.
*
* @param kmac A KMAC handle.
* @param hash_ctr The hash counter value that is returned.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_get_hash_counter(const dif_kmac_t *kmac,
uint32_t *hash_ctr);
/**
* Reports whether or not the KMAC configuration register is locked.
*
* If writes to the KMAC configuration register are disabled (locked) then it is
* not possible to change any configuration parameters or start a new operation.
* The configuration register is locked when an operation has been started and
* is unlocked again when it completes.
*
* @param kmac A KMAC handle.
* @param[out] is_locked Out-param reporting the lock state.
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_config_is_locked(const dif_kmac_t *kmac, bool *is_locked);
/**
* Poll until a given flag in the status register is set.
*
* @param kmac A KMAC handle.
* @param flag the
* @return The result of the operation.
*/
OT_WARN_UNUSED_RESULT
dif_result_t dif_kmac_poll_status(const dif_kmac_t *kmac, uint32_t flag);
#ifdef __cplusplus
} // extern "C"
#endif // __cplusplus
#endif // OPENTITAN_SW_DEVICE_LIB_DIF_DIF_KMAC_H_