Skip to content

[crypto] Manual backport from eg100 to master #30280

Merged
andrea-caforio merged 34 commits into
lowRISC:masterfrom
nasahlpa:backport_cl_prs_6
Jun 3, 2026
Merged

[crypto] Manual backport from eg100 to master #30280
andrea-caforio merged 34 commits into
lowRISC:masterfrom
nasahlpa:backport_cl_prs_6

Conversation

siemen11 and others added 30 commits June 3, 2026 16:08
The following changes are made
- Remove the prime and secp calls
- Connect the base point multiplications for ecc
- Update the test vectors
- Include python tests for the new calls

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 99eb63b)
As this code is not used, lets remove it to save some bytes.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit eda54a8)
Change the public functions for the user to have the otcrypto_ prefix in
the name. Change the OTCRYPTO_MAKE_BUF macro to ingest the inline
function. Include the new public functions to otcrypto_interface.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 1529671)
Merge the OTBN code of x25519 into the one from ed25519 and re-use the
scalar multiplication from ed25519.
Adapt the tests of x25519 such that they are in the test suite, cehck
for failures, and are adapted to work again.

Warning: The new x25519 code now works for non-twist points, it rejects
twist points. This means we follows
https://datatracker.ietf.org/doc/html/rfc7748#section-4 but not
https://datatracker.ietf.org/doc/html/rfc7748#section-5.

The x25519.s OTBN app is left in the repo which does implement section
5, but it is left unconnected to the cryptolib.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit d69995c)
Recently, `integrity_blinded_checksum` was renamed to
`otcrypto_integrity_blinded_checksum` - we've missed one spot.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 5fba06c)
Cover more error cases for the p384 check public key function.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 32fdeb3)
As there should be no reason to not combine those two functions, put them
into one function.

That fixes also a bug in the previous `p384_check_public_key`
function.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit bb71ab5)
Also test the other conditions when a point check could fail.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 1b9fe4c)
Adapt the instruction counter values to reflect the current impl.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit aa64e22)
The compiler could get rid of the memset when aggressive compiler
optimizations are enabled. Although this wouldn't be a big problem
(the API documentation states that the result only should be used
when the CL reports back a success), switch to a volatile loop to
guarantee that we always return a zero buffer independent of the
compiler optimiziations we use or don't use.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 682aafd)
Add sideload support for the keygen and ecdh for x25519 and include a
new functest for it.

Switch the keymgr tests to the new 25519 apps.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit e8ccf53)
Bundle the 2k, 3k, and 4k calls in RSA with a size input (though leave
the API unchanged). In order to save code size.

At the time of writing, this saves 1.3k bytes.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit f0bea42)
Add cmac functionality to the cryptolib and add its functest.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit ef1f7ef)
Connect the cmac cryptolib call to the pentest framework and add tests
for the new calls.
Added the new function's explanation to cryptolib_api.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit b43cf89)
Extend the existing file with some dummy values.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit b4bfce2)
As this function checks afterwards whether the key can be used, rename
this function to make this behaviour clear.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 8baa51d)
Add a function that performs the RSA keygen and returns the key to the host.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 5212ce2)
Read the RSA CAVP sign test vector and perform:
- per group, one key generation on the device
- per test case in a group: use the keys and sign the
  message on the device. Verify the signature afterwards
  on the device

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 62b527a)
Change the loop logic in kdf_ctr such that we process the hmac maximum
digest size block at a time.
Introduce randomization into the masking of the key.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 36233b8)
Use streaming for the hmac to stream into the user provided buffer and
apply masking to the keys.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit d84cc08)
When running the cryptolib with `--define=disable_null_checks=true`, one
can disable all the API's NULL checks on the input allowing to save code
size.

At the time of writing this option saves 3.4k bytes.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 70b16b4)
Refactor p256 and p384 to save on code size by making subroutines which
are used accross multiple functions.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 1719213)
This commit adds ACVP testing for the Ed25519 signature verification
to the cryptotest framework.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 117d459)
…ions

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit a3d0516)
Return the signature as well as the public key.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 78fa08f)
Read the ACVP Ed25519 SigGen test vector that contains a message. The device
signs the message and returns the signature as well as the public key. The
ACVP server then can use this information to check if the signature is valid.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 3fe3db0)
Create d, split it up into two shares, compute q, return q and d.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 1967ee4)
Trigger a key generation on the device, store the returned q and d into
a json file that can be validated by the ACVP server.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 8cf9681)
As we include the NIST copyright header, do not check those files.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 403947e)
Previously, an attacker would have been able to provide an arbitrary
length for the wrapped key length. As this is dangerous, limit the
size to the max key length we currently have (RSA 4096).

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 7bf5ac7)
siemen11 added 4 commits June 3, 2026 16:08
Make a hmac_redundant_core function in the hmac driver with a size input
such that the code can be re-used over all SHA sizes.
Create dispatch functions in the hmac API to squash code size for
different SHA sizes.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit a869752)
The private_scalar local variable in p256 and p384 should be shredded
after use.
The arithmetic share private key routines in p256 and p384 create a
private variable that should be shredded after use.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 4e3f4cc)
Shred the subkey after its creation and use in gcm.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 182a811)
 Warn the user that the plaintext nullification does not happen in the streaming API when the tag is invalid.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit acb2179)
@nasahlpa nasahlpa force-pushed the backport_cl_prs_6 branch 3 times, most recently from d6fa7a3 to 0c3e775 Compare June 3, 2026 14:33
@nasahlpa nasahlpa marked this pull request as ready for review June 3, 2026 14:41
@nasahlpa nasahlpa requested review from a team and vogelpi as code owners June 3, 2026 14:41
@nasahlpa nasahlpa requested review from a team, andrea-caforio, cfrantz, pamaury and siemen11 and removed request for a team, cfrantz, pamaury and vogelpi June 3, 2026 14:42

@andrea-caforio andrea-caforio left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @nasahlpa.

@andrea-caforio andrea-caforio added this pull request to the merge queue Jun 3, 2026
Merged via the queue into lowRISC:master with commit 641be10 Jun 3, 2026
81 of 82 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants