1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
|
/* Copyright 2015 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#ifndef __EC_CHIP_G_DCRYPTO_INTERNAL_H
#define __EC_CHIP_G_DCRYPTO_INTERNAL_H
#include <stddef.h>
#include <string.h>
#include "common.h"
#include "crypto_common.h"
#include "util.h"
#include "hmacsha2.h"
#ifdef __cplusplus
extern "C" {
#endif
/*
* SHA.
*/
#define CTRL_CTR_BIG_ENDIAN (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)
#define CTRL_ENABLE 1
#define CTRL_ENCRYPT 1
#define CTRL_NO_SOFT_RESET 0
#define SHA_DIGEST_WORDS (SHA_DIGEST_SIZE / sizeof(uint32_t))
#define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / sizeof(uint32_t))
#ifdef CONFIG_UPTO_SHA512
#define SHA_DIGEST_MAX_BYTES SHA512_DIGEST_SIZE
#else
#define SHA_DIGEST_MAX_BYTES SHA256_DIGEST_SIZE
#endif
#ifndef CHAR_BIT
#define CHAR_BIT 8
#endif
enum sha_mode {
SHA1_MODE = 0,
SHA256_MODE = 1
};
/*
* Use this structure to avoid alignment problems with input and output
* pointers.
*/
struct access_helper {
uint32_t udata;
} __packed;
#ifndef SECTION_IS_RO
int dcrypto_grab_sha_hw(void);
void dcrypto_release_sha_hw(void);
#endif
/*
* BIGNUM.
*/
#define LITE_BN_BITS2 32
#define LITE_BN_BYTES 4
struct LITE_BIGNUM {
uint32_t dmax; /* Size of d, in 32-bit words. */
struct access_helper *d; /* Word array, little endian format ... */
};
#define BN_DIGIT(b, i) ((b)->d[(i)].udata)
void bn_init(struct LITE_BIGNUM *bn, void *buf, size_t len);
#define bn_size(b) ((b)->dmax * LITE_BN_BYTES)
#define bn_words(b) ((b)->dmax)
#define bn_bits(b) ((b)->dmax * LITE_BN_BITS2)
int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b);
int bn_check_topbit(const struct LITE_BIGNUM *N);
int bn_modexp(struct LITE_BIGNUM *output,
const struct LITE_BIGNUM *input,
const struct LITE_BIGNUM *exp,
const struct LITE_BIGNUM *N);
int bn_modexp_word(struct LITE_BIGNUM *output,
const struct LITE_BIGNUM *input,
uint32_t pubexp,
const struct LITE_BIGNUM *N);
int bn_modexp_blinded(struct LITE_BIGNUM *output,
const struct LITE_BIGNUM *input,
const struct LITE_BIGNUM *exp,
const struct LITE_BIGNUM *N,
uint32_t pubexp);
uint32_t bn_add(struct LITE_BIGNUM *c,
const struct LITE_BIGNUM *a);
uint32_t bn_sub(struct LITE_BIGNUM *c,
const struct LITE_BIGNUM *a);
int bn_modinv_vartime(struct LITE_BIGNUM *r,
const struct LITE_BIGNUM *e,
const struct LITE_BIGNUM *MOD);
int bn_is_bit_set(const struct LITE_BIGNUM *a, int n);
/*
* Accelerated bn.
*/
int dcrypto_modexp(struct LITE_BIGNUM *output,
const struct LITE_BIGNUM *input,
const struct LITE_BIGNUM *exp,
const struct LITE_BIGNUM *N);
int dcrypto_modexp_word(struct LITE_BIGNUM *output,
const struct LITE_BIGNUM *input,
uint32_t pubexp,
const struct LITE_BIGNUM *N);
int dcrypto_modexp_blinded(struct LITE_BIGNUM *output,
const struct LITE_BIGNUM *input,
const struct LITE_BIGNUM *exp,
const struct LITE_BIGNUM *N,
uint32_t pubexp);
struct drbg_ctx {
uint32_t k[SHA256_DIGEST_WORDS];
uint32_t v[SHA256_DIGEST_WORDS];
uint32_t reseed_counter;
};
/*
* NIST SP 800-90A HMAC DRBG.
*/
enum hmac_result {
HMAC_DRBG_SUCCESS = 0,
HMAC_DRBG_INVALID_PARAM = 1,
HMAC_DRBG_RESEED_REQUIRED = 2
};
/* Standard initialization. */
void hmac_drbg_init(struct drbg_ctx *ctx,
const void *p0, size_t p0_len,
const void *p1, size_t p1_len,
const void *p2, size_t p2_len);
/* Initialize with at least nbits of random entropy. */
void hmac_drbg_init_rand(struct drbg_ctx *ctx, size_t nbits);
void hmac_drbg_reseed(struct drbg_ctx *ctx,
const void *p0, size_t p0_len,
const void *p1, size_t p1_len,
const void *p2, size_t p2_len);
enum hmac_result hmac_drbg_generate(struct drbg_ctx *ctx, void *out,
size_t out_len, const void *input,
size_t input_len);
void drbg_exit(struct drbg_ctx *ctx);
/* Set seed for fast random number generator using LFSR. */
void set_fast_random_seed(uint32_t seed);
/* Generate week pseudorandom using LFSR for blinding purposes. */
uint32_t fast_random(void);
/*
* Accelerated p256. FIPS PUB 186-4
*/
#define P256_BITSPERDIGIT 32
#define P256_NDIGITS 8
#define P256_NBYTES 32
typedef uint32_t p256_digit;
typedef int32_t p256_sdigit;
typedef uint64_t p256_ddigit;
typedef int64_t p256_sddigit;
#define P256_DIGITS(x) ((x)->a)
#define P256_DIGIT(x, y) ((x)->a[y])
/**
* P-256 integers internally represented as little-endian 32-bit integer
* digits in platform-specific format. On little-endian platform this would
* be regular 256-bit little-endian unsigned integer. On big-endian platform
* it would big-endian 32-bit digits in little-endian order.
*
* Defining p256_int as struct to leverage struct assignment.
*/
typedef struct p256_int {
union {
p256_digit a[P256_NDIGITS];
uint8_t b8[P256_NBYTES];
};
} p256_int;
extern const p256_int SECP256r1_nMin2;
/* Clear a p256_int to zero. */
void p256_clear(p256_int *a);
/* Check p256 is a zero. */
int p256_is_zero(const p256_int *a);
/* Check p256 is odd. */
int p256_is_odd(const p256_int *a);
/* c := a + (single digit)b, returns carry 1 on carry. */
int p256_add_d(const p256_int *a, p256_digit b, p256_int *c);
/* Returns -1, 0 or 1. */
int p256_cmp(const p256_int *a, const p256_int *b);
/* Return -1 if a < b. */
int p256_lt_blinded(const p256_int *a, const p256_int *b);
/* Outputs big-endian binary form. No leading zero skips. */
void p256_to_bin(const p256_int *src, uint8_t dst[P256_NBYTES]);
/**
* Reads from big-endian binary form, thus pre-pad with leading
* zeros if short. Input length is assumed P256_NBYTES bytes.
*/
void p256_from_bin(const uint8_t src[P256_NBYTES], p256_int *dst);
/**
* Reads from big-endian binary form of given size, add padding with
* zeros if short. Check that leading digits beyond P256_NBYTES are zeroes.
*
* @return true if provided big-endian fits into p256.
*/
bool p256_from_be_bin_size(const uint8_t *src, size_t len, p256_int *dst);
/**
* Raw sign with provided nonce (k). Used internally and for testing.
*
* @param k - valid nonce for ECDSA sign
* @param key - valid private key for ECDSA sign
* @param message - message to sign encoded as p-256 int
* @param r - generated signature
* @param s - generated signature
* @return !0 if success
*/
int dcrypto_p256_ecdsa_sign_raw(const p256_int *k, const p256_int *key,
const p256_int *message, p256_int *r,
p256_int *s);
int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key,
const p256_int *message, p256_int *r, p256_int *s)
__attribute__((warn_unused_result));
int dcrypto_p256_base_point_mul(const p256_int *k, p256_int *x, p256_int *y)
__attribute__((warn_unused_result));
int dcrypto_p256_point_mul(const p256_int *k,
const p256_int *in_x, const p256_int *in_y,
p256_int *x, p256_int *y)
__attribute__((warn_unused_result));
int dcrypto_p256_ecdsa_verify(const p256_int *key_x, const p256_int *key_y,
const p256_int *message, const p256_int *r,
const p256_int *s)
__attribute__((warn_unused_result));
enum dcrypto_result dcrypto_p256_is_valid_point(const p256_int *x,
const p256_int *y)
__attribute__((warn_unused_result));
/* Wipe content of rnd with pseudo-random values. */
void p256_fast_random(p256_int *rnd);
/* Generate a p256 number between 1 < k < |p256| using provided DRBG. */
enum hmac_result p256_hmac_drbg_generate(struct drbg_ctx *ctx, p256_int *k_out);
/**
* Sign using provided DRBG. Reseed DRBG with entropy from verified TRNG if
* needed.
*
* @param drbg DRBG to use
* @param key P-256 private key
* @param message - Message to sign as P-256 (in little-endian)
* @param r - Generated signature
* @param s - Generated signature
* @return int
*/
int dcrypto_p256_fips_sign_internal(struct drbg_ctx *drbg, const p256_int *key,
const p256_int *message, p256_int *r,
p256_int *s);
/* Initialize for use as RFC6979 DRBG. */
void hmac_drbg_init_rfc6979(struct drbg_ctx *ctx,
const p256_int *key,
const p256_int *message);
/*
* Accelerator runtime.
*
* Note dcrypto_init_and_lock grabs a mutex and dcrypto_unlock releases it.
* Do not use dcrypto_call, dcrypto_imem_load or dcrypto_dmem_load w/o holding
* the mutex.
*/
void dcrypto_init_and_lock(void);
void dcrypto_unlock(void);
uint32_t dcrypto_call(uint32_t adr) __attribute__((warn_unused_result));
void dcrypto_imem_load(size_t offset, const uint32_t *opcodes,
size_t n_opcodes);
/*
* Returns 0 iff no difference was observed between existing and new content.
*/
uint32_t dcrypto_dmem_load(size_t offset, const void *words, size_t n_words);
/**
* An implementation of memset that ought not to be optimized away;
* useful for scrubbing security sensitive buffers.
*/
void *always_memset(void *s, int c, size_t n);
#ifndef __alias
#define __alias(func) __attribute__((alias(#func)))
#endif
/**
* Macro to control optimization at function level. Typically used in
* very tight and critical loops to override -Os and get a better code.
* Only supported by gcc, so ignore it for clang.
*/
#ifndef __optimize
#ifndef __clang__
#define __optimize(a) __attribute__((optimize(a)))
#else
#define __optimize(a)
#endif
#endif
/* rotate 32-bit value right */
static inline uint32_t ror(uint32_t value, int bits)
{
/* return __builtin_rotateright32(value, bits); */
return (value >> bits) | (value << (32 - bits));
}
/* rotate 64-bit value right */
static inline uint64_t ror64(uint64_t value, int bits)
{
/* return __builtin_rotateright64(value, bits); */
return (value >> bits) | (value << (64 - bits));
}
/* rotate 32-bit value left */
static inline uint32_t rol(uint32_t value, int bits)
{
/* return __builtin_rotateleft32(value, bits); */
return (value << bits) | (value >> (32 - bits));
}
/* rotate 64-bit value left */
static inline uint64_t rol64(uint64_t value, int bits)
{
/* return __builtin_rotateleft64(value, bits); */
return (value << bits) | (value >> (64 - bits));
}
/* stack based allocation */
#ifndef alloca
#define alloca __builtin_alloca
#endif
/* Define machine word alignment mask. */
#define WORD_MASK (sizeof(uintptr_t) - 1)
/**
* @brief Launders the machine register sized value `val`.
*
* It returns a value identical to the input, while introducing an optimization
* barrier that prevents the compiler from learning new information about the
* original value, based on operations on the laundered value. For example
* with code:
* temp = b - a;
* c = (cond)? temp + a : a;
* compiler will reduce code to:
* c = (cond)? b : a;
* Which may not be desirable.
* making temp = value_barrier(b-a) prevents compiler from such optimization.
*
* Another case is for double checks against fault injection:
* if (cond == 0) { if (value_barrier(cond) != 0 ) panic(); }
* Without value_barrier the nested check will be removed.
*
* @param val A machine register size integer to launder.
* @return An integer which will happen to have the same value as `val` at
* runtime.
*/
static inline uintptr_t value_barrier(uintptr_t val)
{
/**
* The +r constraint tells the compiler that this is an "inout"
* parameter: it means that not only does the black box depend on `val`,
* but it also mutates it in an unspecified way. This ensures that the
* laundering operation occurs in the right place in the dependency
* ordering.
*/
asm("" : "+r"(val));
return val;
}
static inline void *value_barrier_ptr(void *val)
{
/**
* The +r constraint tells the compiler that this is an "inout"
* parameter: it means that not only does the black box depend on `val`,
* but it also mutates it in an unspecified way. This ensures that the
* laundering operation occurs in the right place in the dependency
* ordering.
*/
asm("" : "+r"(val));
return val;
}
/**
* Hardened select of word without branches.
*
* @param test the value to test
* @param a the value returned if 'test' is not 0
* @param b the value returned if 'test' is zero
*
* @return b if test==0 and a otherwise;
*
* This function is mostly useful when test == 0 is a good result and
* hardening is required to prevent easy generation of 'b'.
*
* Example:
* hardened_select_if_zero(test, CRYPTO_FAIL, CRYPTO_OK)
*/
static inline __attribute__((always_inline))
uintptr_t hardened_select_if_zero(uintptr_t test, uintptr_t a, uintptr_t b)
{
uintptr_t bma = value_barrier(b - a);
/* For test == 0, does nothing, otherwise damage bma. */
bma &= value_barrier(~test);
return (test == 0) ? bma + a : a;
}
/* Convenience wrapper to return DCRYPTO_OK iff val == 0. */
static inline enum dcrypto_result dcrypto_ok_if_zero(uintptr_t val)
{
return (enum dcrypto_result)hardened_select_if_zero(val, DCRYPTO_FAIL,
DCRYPTO_OK);
}
/*
* Key ladder.
*/
#ifndef __cplusplus
enum dcrypto_appid; /* Forward declaration. */
int dcrypto_ladder_compute_usr(enum dcrypto_appid id,
const uint32_t usr_salt[8]);
int dcrypto_ladder_derive(enum dcrypto_appid appid, const uint32_t salt[8],
const uint32_t input[8], uint32_t output[8]);
#endif
#ifdef __cplusplus
}
#endif
#endif /* ! __EC_CHIP_G_DCRYPTO_INTERNAL_H */
|
