[aes] Add AES-GCM model and DPI #4
Conversation
nasahlpa
force-pushed
the
aes-gcm-review
branch
from
fb8ce7a
to
d27fb7e
Compare
hw/ip/aes/model/README.md
Outdated
| @@ -20,7 +20,7 @@ In addition, this directory also contains two example applications. | |||
| 2. `aes_modes`: | |||
| - Shows how to interface the OpenSSL/BoringSSL interface functions. | |||
| - Checks the output of BoringSSL/OpenSSL versus expected results. | |||
| - Supports ECB, CBC, CTR modes. | |||
| - Supports ECB, CBC, CTR, GCM modes. | |||
There was a problem hiding this comment.
also CFB and OFB are supported, I forgot to add that back then.
hw/ip/aes/model/crypto.h
Outdated
| @@ -14,7 +14,8 @@ typedef enum crypto_mode { | |||
| kCryptoAesCfb = 1 << 2, | |||
| kCryptoAesOfb = 1 << 3, | |||
| kCryptoAesCtr = 1 << 4, | |||
| kCryptoAesNone = 1 << 5 | |||
| kCryptoAesGcm = 1 << 5, | |||
| kCryptoAesNone = 1 << 6 | |||
There was a problem hiding this comment.
We've changed this to not alter the software interface of AES and maintain binary compatibility. kCryptoAesNone is now 6'b11_1111 instead of 7'b100_0000 (initial approach) or 6'b10_0000 (original design, now used for GCM).
There was a problem hiding this comment.
I've now changed kCryptoAesNone = 0x3f.
| * @param mode_i Cipher mode: 6'b00_0001 = ECB, 6'00_b0010 = CBC, | ||
| * 6'b00_0100 = CFB, 6'b00_1000 = OFB, | ||
| * 6'b01_0000 = CTR, 6'b10_0000 = NONE | ||
| * @param mode_i Cipher mode: 7'b000_0001 = ECB, 7'000_b0010 = CBC, | ||
| * 7'b000_0100 = CFB, 7'b000_1000 = OFB, | ||
| * 7'b001_0000 = CTR, 7'b010_0000 = GCM, | ||
| * 7'b010_0000 = NONE |
There was a problem hiding this comment.
NONE is now 6'b11_1111. I've also left a comment somewhere else about this.
| * @param data_o Output data, 1D byte array (open array in SV) | ||
| * @param tag_o Output auth. tag, 2D state matrix (3D packed array in SV) |
There was a problem hiding this comment.
The output tag should also be a 1D array.
There was a problem hiding this comment.
Sorry, we discussed before to use the same data format for this as for the key and IV. I.e. in SV it's a 4 x 32-bit packed 2D array.
There was a problem hiding this comment.
Done, @andrea-caforio is testing it and reporting back.
There was a problem hiding this comment.
Checked by @andrea-caforio, it is now working. Thanks!
| * @param data_o Output data, 2D state matrix (3D packed array in SV) | ||
| * @param tag_o Output auth. tag, 2D state matrix (3D packed array in SV) | ||
| */ | ||
| void c_dpi_aes_crypt_block(const unsigned char impl_i, const unsigned char op_i, |
There was a problem hiding this comment.
There is also a call to this function in hw/top_earlgrey/dv/env/seq_lib/chip_sw_keymgr_sideload_aes_vseq.sv which would need to be adjusted.
There was a problem hiding this comment.
Actually, I think we should not change this function at all. Because this is block based anyway. For all the other modes, it's sufficient to pass key, IV, input data to fully define what the output of the next block should be.
This doesn't hold for GCM which also has the internal GHASH state. This is not captured by the IV or any of the other variables.
There was a problem hiding this comment.
So when this function is called with GCM mode as argument, it should just throw an error and abort. WDYT?
There was a problem hiding this comment.
Done, I am now aborting.
| */ | ||
| void c_dpi_aes_crypt_message(unsigned char impl_i, unsigned char op_i, | ||
| const svBitVecVal *mode_i, const svBitVecVal *iv_i, | ||
| const svBitVecVal *key_len_i, | ||
| const svBitVecVal *key_i, | ||
| const svOpenArrayHandle data_i, | ||
| svOpenArrayHandle data_o); | ||
| const svOpenArrayHandle aad_i, | ||
| const svBitVecVal *tag_i, svOpenArrayHandle data_o, |
There was a problem hiding this comment.
Nit: line break between tag_i and data_o for readability?
There was a problem hiding this comment.
Damn, this is actually enforced by lint.
This commit adds support for the AES-GCM mode to the AES models. For the comparison, test vectors specified by NIST are used. Signed-off-by: Pascal Nasahl <[email protected]>
nasahlpa
force-pushed
the
aes-gcm-review
branch
4 times, most recently
from
33d442a
to
d277855
Compare
|
Thanks a lot Pascal! |
| input bit [5:0] mode_i, // 6'b00_0001 = ECB, 6'00_b0010 = CBC, 6'b00_0100 = CFB, | ||
| // 6'b00_1000 = OFB, 6'b01_0000 = CTR, 6'b10_0000 = NONE | ||
| input bit [6:0] mode_i, // 7'b000_0001 = ECB, 7'000_b0010 = CBC, 7'b000_0100 = CFB, | ||
| // 7'b000_1000 = OFB, 7'b001_0000 = CTR, 7'b010_0000 = GCM, | ||
| // 7'b100_0000 = NONE |
There was a problem hiding this comment.
Also this one would need to be changed back.
There was a problem hiding this comment.
Ah thanks, I've missed the sv_dpi_aes_crypt_block function. As this is also a block related function, I am removing the tags/aad as well.
nasahlpa
force-pushed
the
aes-gcm-review
branch
5 times, most recently
from
0e1deb8
to
402127b
Compare
This commit enhances the existing AES DPI model with the GCM mode. Currently, only the OpenSSL/BoringSSL reference implementation is supported. Signed-off-by: Pascal Nasahl <[email protected]>
nasahlpa
force-pushed
the
aes-gcm-review
branch
from
402127b
to
a25cd9a
Compare
This PR consists of two commits: