Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[hmac, rtl] Fix digest reloading bug #23018

Merged
merged 2 commits into from
May 17, 2024
Merged

[hmac, rtl] Fix digest reloading bug #23018

merged 2 commits into from
May 17, 2024

Conversation

ballifatih
Copy link
Contributor

@ballifatih ballifatih commented May 8, 2024
edited
Loading

Fixes #23014 and updates the programmers guide.

The gist is that we need deassert sha_en as a clean-up after HMAC operation/streaming is done. sha_en is only asserted once DIGEST registers are restored.

I tested the streaming with my draft driver implementation, but only with few vectors.

In the doc, I updated the numbering, so this is why the diff looks unnecessarily large.

@ballifatih
[hmac, rtl] Fix indexing bug/typo
2dd00fc 
See lowRISC#23014 for more context.

Signed-off-by: Fatih Balli <[email protected]>
@ballifatih ballifatih mentioned this pull request May 8, 2024
Closed
gdessouky
gdessouky reviewed May 8, 2024
View reviewed changes
hw/ip/hmac/doc/programmers_guide.md Outdated
1. Repeat steps 1-5 for message stream B.
1. Before restoring context, make sure that `sha_en` in `CFG` remains disabled.
1. Restore the context of message stream A by writing the `CFG`, `DIGEST_0`..`15`, and `MSG_LENGTH_`{`LOWER`,`UPPER`} registers.
1. Enable `sha_en` of CFG, which locks down `DIGEST_0`..`15` registers.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about "Enable sha_en of CFG, which enables HMAC again and locks down writing to the DIGEST_0..15 registers from SW."?

gdessouky
gdessouky reviewed May 8, 2024
View reviewed changes
hw/ip/hmac/doc/programmers_guide.md
1. Write an arbitrary number of message blocks to HMAC's `MSG_FIFO`.
1. Stop HMAC by setting the `CMD.hash_stop` bit and wait for the `hmac_done` interrupt (or poll the interrupt status register).
1. Save the context by reading the `DIGEST_0`..`15` and `MSG_LENGTH_`{`LOWER`,`UPPER`} registers. (The values in the `CFG` register must also be preserved, but that is purely SW-controlled so doesn't need to be read from HW.)
1. Disable `sha_en` by updating `CFG` register, in order to clear the digest from stream A.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add here that "This is necessary to also prevent leakage of intermediate context of one SW thread to another."

gdessouky
gdessouky approved these changes May 8, 2024
View reviewed changes
Copy link
Contributor

@gdessouky gdessouky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks Fatih, this LGTM! I only left minor comments for more clarification in the programmer's guide.

@ballifatih
Copy link
Contributor Author

Thanks @gdessouky, I made the editorial changes in the doc as you suggested.

martin-velay
martin-velay reviewed May 9, 2024
View reviewed changes
Copy link
Contributor

@martin-velay martin-velay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should also mention the possibility to change the secret key between contexts. I feel that's an important feature. See my comments.

Otherwise, the rest LGTM

hw/ip/hmac/doc/programmers_guide.md Outdated
9. Continue this with as many message blocks and parallel message streams as needed. The final hash for any message stream can be obtained at any time (no need for complete blocks) by setting `CMD.hash_process` and waiting for the `hmac_done` interrupt / status bit, finally reading the digest from the `DIGEST` registers.
1. Write an arbitrary number of message blocks to HMAC's `MSG_FIFO`.
1. Stop HMAC by setting the `CMD.hash_stop` bit and wait for the `hmac_done` interrupt (or poll the interrupt status register).
1. Save the context by reading the `DIGEST_0`..`15` and `MSG_LENGTH_`{`LOWER`,`UPPER`} registers. (The values in the `CFG` register must also be preserved, but that is purely SW-controlled so doesn't need to be read from HW.)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the key registers should also be preserved as values can be changed

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you're right, because the key not only gets hashed before the message (in the first round) but also after the message (in the second round) before the final digest is computed.

hw/ip/hmac/doc/programmers_guide.md
1. Disable `sha_en` by updating `CFG` register, in order to clear the digest from stream A. This is necessary to also prevent leakage of intermediate context of one SW thread to another.
1. Repeat steps 1-5 for message stream B.
1. Before restoring context, make sure that `sha_en` in `CFG` remains disabled.
1. Restore the context of message stream A by writing the `CFG`, `DIGEST_0`..`15`, and `MSG_LENGTH_`{`LOWER`,`UPPER`} registers.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And the key registers?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indeed, and CFG includes the key_length field.

andreaskurth
andreaskurth approved these changes May 9, 2024
View reviewed changes
Copy link
Contributor

@andreaskurth andreaskurth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM modulo @martin-velay's suggestion. Thx for these improvements / fixes, @ballifatih 👍

@andreaskurth andreaskurth mentioned this pull request May 10, 2024
Closed
@ballifatih
[hmac, doc] Update programmers guide for streaming
e995480 
During streaming, sha_en signal needs to be carefully managed. See lowRISC#23014.

Signed-off-by: Fatih Balli <[email protected]>
@martin-velay martin-velay self-requested a review May 14, 2024 10:05
martin-velay
martin-velay approved these changes May 14, 2024
View reviewed changes
Copy link
Contributor

@martin-velay martin-velay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your modifications!

@ballifatih
Copy link
Contributor Author

Thanks @martin-velay for pointing out that KEY registers also need to be stored/restored during context switches for keyed HMAC (but not SHA, as far as I see). I updated the doc to clarify that.

@ballifatih ballifatih added the Status:Ready to merge PR is ready to be merged by a committer. label May 16, 2024
@andreaskurth andreaskurth merged commit f189ae8 into lowRISC:master May 17, 2024
33 checks passed
@ballifatih ballifatih deleted the hmac-fix-digest-reloading branch May 17, 2024 16:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gdessouky gdessouky gdessouky approved these changes

@martin-velay martin-velay martin-velay approved these changes

@andreaskurth andreaskurth andreaskurth approved these changes

Assignees
No one assigned
Labels
Status:Ready to merge PR is ready to be merged by a committer.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[hmac, rtl] Loading SHA-256 back thru DIGEST registers.
4 participants
@ballifatih @andreaskurth @gdessouky @martin-velay