Skip to content

Commit 128401a

Browse files
authored
Add nat20crypto module to linux examples (#100)
The nat20crypto module implements the libnat20 crypto interface in terms of linux kernel crypto primitives. The module implements - deterministic ECDSA with curves P256 and P384. - Bytewise SHA-2 224/256/384/512 - HMAC - HKDF ED25519 is currently not supported.
1 parent 68b24a9 commit 128401a

11 files changed

Lines changed: 1087 additions & 1 deletion

File tree

.github/workflows/linux-kmod-build.yml

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -106,3 +106,18 @@ jobs:
106106
find ${{ runner.temp }}/buildroot.build -name 'nat20device.ko' | grep -q nat20device.ko
107107
echo "nat20device.ko built successfully:"
108108
find ${{ runner.temp }}/buildroot.build -name 'nat20device.ko' -exec ls -la {} \;
109+
110+
- name: Build nat20crypto kernel module
111+
env:
112+
NAT20LIB_OVERRIDE_SRCDIR: ${{ github.workspace }}
113+
NAT20CRYPTO_OVERRIDE_SRCDIR: ${{ github.workspace }}
114+
run: |
115+
cd ${{ runner.temp }}/buildroot.build/buildroot
116+
make nat20crypto-dirclean
117+
make nat20crypto -j $(( $(nproc) + 1 ))
118+
119+
- name: Verify nat20crypto.ko was produced
120+
run: |
121+
find ${{ runner.temp }}/buildroot.build -name 'nat20crypto.ko' | grep -q nat20crypto.ko
122+
echo "nat20crypto.ko built successfully:"
123+
find ${{ runner.temp }}/buildroot.build -name 'nat20crypto.ko' -exec ls -la {} \;

examples/linux/br_external/Config.in

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,5 +33,6 @@
3333
# along with this program; if not, see
3434
# <https://www.gnu.org/licenses/>.
3535

36+
source "$BR2_EXTERNAL_NAT20_PATH/package/nat20crypto/Config.in"
3637
source "$BR2_EXTERNAL_NAT20_PATH/package/nat20device/Config.in"
3738
source "$BR2_EXTERNAL_NAT20_PATH/package/nat20lib/Config.in"

examples/linux/br_external/configs/qemu_br_defconfig

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3976,5 +3976,6 @@ BR2_TARGET_UBOOT_CUSTOM_PATCH_DIR=""
39763976
#
39773977
# Provides NAT20 related packages.
39783978
#
3979+
BR2_PACKAGE_NAT20CRYPTO=y
39793980
BR2_PACKAGE_NAT20DEVICE=y
39803981
BR2_PACKAGE_NAT20LIB=y
Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
# Copyright 2026 Aurora Operations, Inc.
2+
#
3+
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
4+
#
5+
# This work is dual licensed.
6+
# You may use it under Apache-2.0 or GPL-2.0 at your option.
7+
#
8+
# Licensed under the Apache License, Version 2.0 (the "License");
9+
# you may not use this file except in compliance with the License.
10+
# You may obtain a copy of the License at
11+
#
12+
# http://www.apache.org/licenses/LICENSE-2.0
13+
#
14+
# Unless required by applicable law or agreed to in writing, software
15+
# distributed under the License is distributed on an "AS IS" BASIS,
16+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17+
# See the License for the specific language governing permissions and
18+
# limitations under the License.
19+
#
20+
# OR
21+
#
22+
# This program is free software; you can redistribute it and/or
23+
# modify it under the terms of the GNU General Public License
24+
# as published by the Free Software Foundation; either version 2
25+
# of the License, or (at your option) any later version.
26+
#
27+
# This program is distributed in the hope that it will be useful,
28+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
29+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30+
# GNU General Public License for more details.
31+
#
32+
# You should have received a copy of the GNU General Public License
33+
# along with this program; if not, see
34+
# <https://www.gnu.org/licenses/>.
35+
36+
config BR2_PACKAGE_NAT20CRYPTO
37+
bool "nat20crypto"
38+
depends on BR2_PACKAGE_NAT20LIB
39+
help
40+
Add the nat20crypto kernel module. It implements
41+
the libnat20 crypto interface in terms of linux
42+
kernel crypto primitives.
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
# Copyright 2026 Aurora Operations, Inc.
2+
#
3+
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
4+
#
5+
# This work is dual licensed.
6+
# You may use it under Apache-2.0 or GPL-2.0 at your option.
7+
#
8+
# Licensed under the Apache License, Version 2.0 (the "License");
9+
# you may not use this file except in compliance with the License.
10+
# You may obtain a copy of the License at
11+
#
12+
# http://www.apache.org/licenses/LICENSE-2.0
13+
#
14+
# Unless required by applicable law or agreed to in writing, software
15+
# distributed under the License is distributed on an "AS IS" BASIS,
16+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17+
# See the License for the specific language governing permissions and
18+
# limitations under the License.
19+
#
20+
# OR
21+
#
22+
# This program is free software; you can redistribute it and/or
23+
# modify it under the terms of the GNU General Public License
24+
# as published by the Free Software Foundation; either version 2
25+
# of the License, or (at your option) any later version.
26+
#
27+
# This program is distributed in the hope that it will be useful,
28+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
29+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30+
# GNU General Public License for more details.
31+
#
32+
# You should have received a copy of the GNU General Public License
33+
# along with this program; if not, see
34+
# <https://www.gnu.org/licenses/>.
35+
36+
NAT20CRYPTO_VERSION = origin/main
37+
NAT20CRYPTO_SITE = https://github.com/aurora-opensource/libnat20.git
38+
NAT20CRYPTO_SITE_METHOD = git
39+
NAT20CRYPTO_LICENSE = Apache-2.0 OR GPL-2.0
40+
NAT20CRYPTO_LICENSE_FILES = LICENSE-Apache-2.0.txt LICENSE-GPL-2.0.txt
41+
42+
NAT20CRYPTO_DEPENDENCIES += nat20lib
43+
NAT20CRYPTO_MODULE_MAKE_OPTS += NAT20CRYPTO_NAT20LIB_DIR=$(NAT20LIB_DIR)/examples/linux/nat20lib
44+
45+
NAT20CRYPTO_MODULE_SUBDIRS = examples/linux/nat20crypto
46+
47+
$(eval $(kernel-module))
48+
$(eval $(generic-package))

examples/linux/br_external/utils/envsetup.sh

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,7 @@ fi
4646

4747
source .env
4848

49+
export NAT20CRYPTO_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
4950
export NAT20DEVICE_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
5051
export NAT20LIB_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
5152

@@ -69,6 +70,7 @@ function brrebuild() {
6970
echo "Available targets:"
7071
echo " all - Rebuild all components"
7172
echo " linux - Rebuild the linux kernel"
73+
echo " nat20crypto - Rebuild the nat20crypto module"
7274
echo " nat20device - Rebuild the nat20device module"
7375
echo " nat20lib - Rebuild the nat20lib library"
7476
popd
@@ -77,7 +79,7 @@ function brrebuild() {
7779

7880
case "$1" in
7981
all)
80-
ensure_popd make linux-rebuild nat20device-rebuild nat20lib-rebuild all
82+
ensure_popd make linux-rebuild nat20crypto-rebuild nat20device-rebuild nat20lib-rebuild all
8183
;;
8284
*)
8385
ensure_popd make $1-rebuild all

examples/linux/nat20crypto/Kbuild

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
# Copyright 2026 Aurora Operations, Inc.
2+
#
3+
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
4+
#
5+
# This work is dual licensed.
6+
# You may use it under Apache-2.0 or GPL-2.0 at your option.
7+
#
8+
# Licensed under the Apache License, Version 2.0 (the "License");
9+
# you may not use this file except in compliance with the License.
10+
# You may obtain a copy of the License at
11+
#
12+
# http://www.apache.org/licenses/LICENSE-2.0
13+
#
14+
# Unless required by applicable law or agreed to in writing, software
15+
# distributed under the License is distributed on an "AS IS" BASIS,
16+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17+
# See the License for the specific language governing permissions and
18+
# limitations under the License.
19+
#
20+
# OR
21+
#
22+
# This program is free software; you can redistribute it and/or
23+
# modify it under the terms of the GNU General Public License
24+
# as published by the Free Software Foundation; either version 2
25+
# of the License, or (at your option) any later version.
26+
#
27+
# This program is distributed in the hope that it will be useful,
28+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
29+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30+
# GNU General Public License for more details.
31+
#
32+
# You should have received a copy of the GNU General Public License
33+
# along with this program; if not, see
34+
# <https://www.gnu.org/licenses/>.
35+
36+
KBUILD_EXTRA_SYMBOLS := $(NAT20CRYPTO_NAT20LIB_DIR)/Module.symvers
37+
38+
obj-m := nat20crypto.o
39+
40+
# The following path is added to allow the module to include
41+
# crypto/ecc.h (or crypto/internal/ecc.h for 6.0+).
42+
ccflags-y := -I $(src)/include
43+
ccflags-y += -I $(srctree)
44+
ccflags-y += -I $(NAT20CRYPTO_NAT20LIB_DIR)/include
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
# Copyright 2026 Aurora Operations, Inc.
2+
#
3+
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
4+
#
5+
# This work is dual licensed.
6+
# You may use it under Apache-2.0 or GPL-2.0 at your option.
7+
#
8+
# Licensed under the Apache License, Version 2.0 (the "License");
9+
# you may not use this file except in compliance with the License.
10+
# You may obtain a copy of the License at
11+
#
12+
# http://www.apache.org/licenses/LICENSE-2.0
13+
#
14+
# Unless required by applicable law or agreed to in writing, software
15+
# distributed under the License is distributed on an "AS IS" BASIS,
16+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17+
# See the License for the specific language governing permissions and
18+
# limitations under the License.
19+
#
20+
# OR
21+
#
22+
# This program is free software; you can redistribute it and/or
23+
# modify it under the terms of the GNU General Public License
24+
# as published by the Free Software Foundation; either version 2
25+
# of the License, or (at your option) any later version.
26+
#
27+
# This program is distributed in the hope that it will be useful,
28+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
29+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30+
# GNU General Public License for more details.
31+
#
32+
# You should have received a copy of the GNU General Public License
33+
# along with this program; if not, see
34+
# <https://www.gnu.org/licenses/>.
35+
36+
KDIR ?= /lib/modules/`uname -r`/build
37+
INSTALL_MOD_PATH ?= /lib/modules/`uname -r`/extra
38+
39+
NAT20CRYPTO_NAT20LIB_DIR ?= $(PWD)/../nat20lib
40+
41+
all: modules
42+
43+
modules:
44+
$(MAKE) -C $(KDIR) M=$$PWD NAT20CRYPTO_NAT20LIB_DIR="$(NAT20CRYPTO_NAT20LIB_DIR)" modules
45+
46+
modules_install:
47+
$(MAKE) -C $(KDIR) M=$$PWD INSTALL_MOD_PATH="$(INSTALL_MOD_PATH)" modules_install
48+
49+
clean:
50+
$(MAKE) -C $(KDIR) M=$$PWD clean
51+
52+
.PHONY: all modules modules_install clean
Lines changed: 98 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,98 @@
1+
# Security Assessment - nat20crypto
2+
3+
This module implements the libnat20 crypto interface in terms of
4+
kernel-provided primitives. It attempts to provide a functionally correct
5+
implementation and makes an effort to clean sensitive key material from
6+
memory. But it is **not suitable for production**, specifically the ECC
7+
signing operation is not constant-time and susceptible to leaking private
8+
key information through timing side channels.
9+
10+
## Key Material Leak Analysis
11+
12+
### Addressed
13+
14+
- **`nat20crypto_sign`** — stack buffers `z`, `k`, `k_inv`, `rs` are wiped via
15+
`memzero_explicit` on all exit paths. This covers the nonce, the inverted
16+
nonce, the byte-swapped private key (in `k_inv` via the `key_bytes` alias),
17+
and intermediate signature values.
18+
- **`nat20crypto_key_destroy`** — uses `memzero_explicit` before `kfree`.
19+
- **`nat20crypto_make_secret`** — the input `secret_in` buffer is caller-owned;
20+
the output key is heap-allocated and properly zeroed on free.
21+
22+
### Outstanding issues
23+
24+
#### `n20_rfc6979_k_generation` internal state
25+
26+
This function (from nat20lib) uses HMAC internally with the private key as
27+
input. Whether its internal buffers are zeroed depends on its implementation.
28+
Out of scope for this module but noted as a dependency.
29+
30+
## Timing Side Channel Analysis
31+
32+
### Threat model
33+
34+
In a DICE boot-time context where signing happens once during module init with
35+
no concurrent attacker (single-threaded init, no network, no user interaction),
36+
timing side channels are not practically exploitable. For a general-purpose
37+
signing oracle accessible from userspace, the issues below would be exploitable.
38+
39+
### High risk
40+
41+
#### `vli_mod_inv` — variable-time modular inverse
42+
43+
The kernel's `vli_mod_inv` computes the modular inverse of `k` using a binary
44+
extended GCD with data-dependent branches and loop counts. The number of
45+
iterations depends on the value of `k`, leaking nonce information through
46+
timing. Partial nonce knowledge enables private key recovery via lattice
47+
attacks.
48+
49+
#### `ecc_make_pub_key` — variable-time point multiplication
50+
51+
The kernel's ECC point multiplication uses a double-and-add algorithm. Older
52+
kernels (pre-6.10) use a naive implementation with data-dependent
53+
doublings/additions, leaking the scalar `k` through timing.
54+
55+
### Medium risk
56+
57+
#### `vli_mod_mult_slow` — conditional subtraction
58+
59+
The kernel's `vli_mod_mult_slow` is a shift-and-add modular multiplication.
60+
The loop count is constant, but the conditional subtraction after each shift
61+
(`if (result >= mod) result -= mod`) is data-dependent. This leaks
62+
intermediate state of `d_A * r` and `k_inv * s`, exposing bits of the private
63+
key and nonce inverse.
64+
65+
#### Conditional mod-n reduction branches
66+
67+
```c
68+
if (vli_cmp(k, s, ndigits) <= 0) {
69+
vli_sub(s, s, k, ndigits);
70+
} else {
71+
/* addition path */
72+
}
73+
```
74+
75+
The branch taken depends on `s` which embeds `d_A * r`, leaking information
76+
about the private key.
77+
78+
### Low risk
79+
80+
#### RFC 6979 / HMAC-SHA
81+
82+
The kernel's SHA implementations are generally constant-time for the
83+
compression function. HMAC processes fixed-size blocks. Low timing risk.
84+
85+
#### `ecc_swap_digits` / `memcpy` / simple copies
86+
87+
These process a fixed number of bytes regardless of value. Constant-time.
88+
89+
### Summary table
90+
91+
| Operation | Timing risk | Impact |
92+
|---|---|---|
93+
| `vli_mod_inv(k_inv, k, ...)` | Variable-time | Nonce leak, key recovery |
94+
| `ecc_make_pub_key(k * G)` | Variable-time (pre-6.10) | Nonce leak, key recovery |
95+
| `vli_mod_mult_slow(s, d_A, r)` | Conditional subtract | Private key leak |
96+
| Conditional mod-n reduction | Branch on secret | Minor info leak |
97+
| RFC 6979 / HMAC-SHA | Constant-time | Safe |
98+
| `ecc_swap_digits` / copies | Constant-time | Safe |

0 commit comments

Comments
 (0)