Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
e87a100
[pentest] Clean the asym calls
siemen11 May 7, 2026
2582a29
[cryptolib] Remove `montmul` dependency from `run_rsa_key_from_cofactor`
nasahlpa May 8, 2026
ac0c3c9
[crypto/itegrity] Cleanup public header
siemen11 May 6, 2026
6e3f1ef
[crypto/25519] Merge ed25519 and x25519
siemen11 May 6, 2026
07b423d
[pentest] Fix build of sca_asym
nasahlpa May 8, 2026
c42cb3b
[crypto] Add negative tests for p384 check public key function
nasahlpa May 8, 2026
003f6a1
[crypto] Combine `p384_check_isoncurve` and `p384_check_public_key`
nasahlpa May 8, 2026
75a1f61
[cryptotest] Add negative p384 is on curve checks
nasahlpa May 8, 2026
0e8335b
[crypto] Update p384 instruction counter values
nasahlpa May 8, 2026
2fa20d8
[crypto] Replace memset in GCM wih volatile loop
nasahlpa May 11, 2026
8878317
[crypto/25519] Add sideload support for x25519
siemen11 May 6, 2026
e36fa09
[crypto/rsa] Refactor RSA for code size
siemen11 May 8, 2026
43a4062
[crypto] Add CMAC
siemen11 May 7, 2026
c0b9189
[pentest] Connect cmac to pentest
siemen11 May 7, 2026
9869c9c
[cryptotest] Add dummy ACVP RSA sign test vectors
nasahlpa May 7, 2026
e5e73fb
[cryptotest] Rename RSA keygen
nasahlpa May 7, 2026
74985ec
[cryptotest] Add RSA keygen
nasahlpa May 7, 2026
494fe97
[cryptotest] Add RSA CAVP sign testing
nasahlpa May 7, 2026
cd5e41a
[crypto/kdf_ctr] Remove VLA and introduce masking
siemen11 May 11, 2026
6287ada
[crypto/hkdf] Remove the VLAs and apply masking
siemen11 May 11, 2026
a0c9ec8
[crypto] Create a compile time option for NULL checks
siemen11 May 8, 2026
3f1930f
[crypto/ecc] Refactor p256 and p384
siemen11 May 8, 2026
f859dab
[cryptotest] Add Ed25519 ACVP SigVer testing
nasahlpa May 12, 2026
8f8231a
[cryptotest] Restructure Ed25519 firmware to follow other implementat…
nasahlpa May 13, 2026
c8c764b
[cryptotest] Add Ed25519 Sign to cryptotest firmware
nasahlpa May 13, 2026
205f5c0
[cryptotest] Add Ed25519 SigGen ACVP testing
nasahlpa May 13, 2026
4c4394a
[cryptotest] Add Ed25519 KeyGen to cryptotest firmware
nasahlpa May 13, 2026
48c5a91
[cryptotest] Add ACVP testing for Ed25519 KeyGen
nasahlpa May 13, 2026
bff4c7c
[quality] Do not check ACVP test vectors
nasahlpa May 13, 2026
c170834
[crypto] Check length of wrapped key
nasahlpa May 15, 2026
72d5aad
[crypto/hmac] Refactor HMAC
siemen11 May 13, 2026
2e49449
[crypto/ecc] Clear private scalar after use
siemen11 May 18, 2026
834dfc0
[crypto/gcm] Shred subkey after use
siemen11 May 18, 2026
0c3e775
[crypto/gcm] Warn user about releasing plaintext before tag validation
siemen11 May 18, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 27 additions & 1 deletion doc/security/cryptolib/cryptolib_api.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,19 @@ Moreover, the function also checks the entropy complex health test and alert con

{{#header-snippet sw/device/lib/crypto/include/config.h otcrypto_eval_exit }}

## Build Configurations

The OpenTitan cryptography library provides several compile-time configuration settings via Bazel. These flags allow you to optimize code size, enable deep debugging, or mark the library for release.

You can activate these settings during the build process by passing `--define=<setting>=true` to Bazel.

| Configuration Setting | Internal Define | Description |
|---|---|---|
| `crypto_status_debug` | `OTCRYPTO_STATUS_DEBUG` | Embeds the module ID and line number directly into `otcrypto_status_t` error codes. This significantly aids debugging but increases the footprint and alters standard error structures. |
| `release_build` | `CRYPTOLIB_IS_RELEASED` | Marks the build as a frozen release version. This directly updates the `released` boolean flag retrieved when calling `otcrypto_build_info()`. |
| `disable_null_checks` | `OTCRYPTO_DISABLE_NULL_CHECKS` | Removes `NULL` pointer checks on API inputs throughout the library (e.g., AES-GCM operations). This saves code size, but strictly requires the caller to guarantee no `NULL` pointers are passed. |
| `disable_buf_integrity_checks` | `OTCRYPTO_DISABLE_BUF_INTEGRITY_CHECKS` | Disables runtime integrity verification for data buffers. This bypasses `verify_buf_integrity`, removing the check that compares `ptr_checksum` against the data's calculated checksum. |

## Cryptolib Usage Examples

Examples of how to use the cryptolib API are provided in the [cryptolib test directory][crypto-tests].
Expand Down Expand Up @@ -173,6 +186,7 @@ However, they are essentially scratchpad space for the underlying implementation

{{#header-snippet sw/device/lib/crypto/include/sha2.h otcrypto_sha2_context }}
{{#header-snippet sw/device/lib/crypto/include/hmac.h otcrypto_hmac_context }}
{{#header-snippet sw/device/lib/crypto/include/cmac.h otcrypto_cmac_context }}

## AES

Expand Down Expand Up @@ -335,25 +349,34 @@ Streaming is supported **only for SHA2** hash modes (SHA256, SHA384, SHA512), be
OpenTitan supports two kinds of message authentication codes (MACs):
- HMAC, a simple construction based on cryptographic hash functions
- KMAC, a Keccak-based MAC
- AES-CMAC, a block cipher-based MAC

OpenTitan's [HMAC block][hmac] supports HMAC-SHA256 with a key length of 256 bits.
The [KMAC block][kmac] supports KMAC128 and KMAC256, with a key length of 128, 192, 256, 384, or 512 bits.
AES-CMAC uses the AES block cipher and supports a key length of 128, 192, or 256 bits, as specified in NIST SP 800-38B. The output tag length must be between 64 and 128 bits (2 to 4 words).

### One-shot mode

{{#header-snippet sw/device/lib/crypto/include/hmac.h otcrypto_hmac }}
{{#header-snippet sw/device/lib/crypto/include/kmac.h otcrypto_kmac }}
{{#header-snippet sw/device/lib/crypto/include/cmac.h otcrypto_cmac }}

### Streaming mode

The streaming mode API is used for incremental hashing use-case, where the data to be hashed is split and passed in multiple blocks.

To avoid locking up the KMAC hardware, the streaming mode is supported **only for HMAC**.
To avoid locking up the KMAC hardware, the streaming mode is supported only for HMAC and CMAC.

#### HMAC
{{#header-snippet sw/device/lib/crypto/include/hmac.h otcrypto_hmac_init }}
{{#header-snippet sw/device/lib/crypto/include/hmac.h otcrypto_hmac_update }}
{{#header-snippet sw/device/lib/crypto/include/hmac.h otcrypto_hmac_final }}

#### CMAC
{{#header-snippet sw/device/lib/crypto/include/cmac.h otcrypto_cmac_init }}
{{#header-snippet sw/device/lib/crypto/include/cmac.h otcrypto_cmac_update }}
{{#header-snippet sw/device/lib/crypto/include/cmac.h otcrypto_cmac_final }}

## RSA

RSA (Rivest-Shamir-Adleman) is a family of asymmetric cryptographic algorithms supporting signatures and encryption.
Expand Down Expand Up @@ -741,6 +764,7 @@ The table below summarizes the security strength for the supported [cryptographi
| MAC | HMAC-SHA256 | 256 | |
| MAC | KMAC128 | 128 | |
| MAC | KMAC256 | 256 | |
| MAC | AES-CMAC | `min(k, tag len)` | `k` = AES key length, `tag len` = output MAC length |
| RSA | RSA-2048 | 112 | |
| RSA | RSA-3072 | 128 | |
| RSA | RSA-4096 | \~144 | |
Expand Down Expand Up @@ -773,6 +797,7 @@ The table below is a recommendation from [NIST SP800-57 Part 1][nist-sp800-57] a
2. [IETF RFC 4231][hmac-testvectors-rfc]: Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
3. [IETF RFC 4868][hmac-usage-rfc]: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
4. [NIST SP800-185][sha3-derived-spec]: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
5. [NIST SP800-38B][nist-sp800-38b] Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication

**RSA**
1. [IETF RFC 8017][rsa-rfc]: PKCS #1: RSA Cryptography Specifications Version 2.2
Expand Down Expand Up @@ -833,6 +858,7 @@ The table below is a recommendation from [NIST SP800-57 Part 1][nist-sp800-57] a
[nist-kdf-key-establishment]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
[nist-rng-spec]: https://csrc.nist.gov/CSRC/media/Publications/sp/800-90c/draft/documents/sp800_90c_second_draft.pdf
[nist-sp800-131a]: https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
[nist-sp800-38b]: https://www.google.com/search?q=https://csrc.nist.gov/publications/detail/sp/800-38b/final
[nist-sp800-57]: https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final
[otbn]: ../../../hw/ip/otbn/README.md
[rsa-rfc]: https://datatracker.ietf.org/doc/html/rfc8017
Expand Down
2 changes: 2 additions & 0 deletions quality/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,8 @@ licence_test(
"hw/ip/otbn/pre_sca/alma/cpp/testbench.h",
"hw/ip/otbn/pre_sca/alma/cpp/verilator_tb_hpc_gadget_impl.h",
"hw/ip/otbn/pre_sca/alma/cpp/verilator_tb_otbn_sec_add_sca_wrapper.cpp",
# ACVP test vectors
"sw/host/cryptotest/testvectors/acvp/*.hjson",
],
licence = """
Copyright lowRISC contributors (OpenTitan project).
Expand Down
1 change: 1 addition & 0 deletions sw/device/lib/crypto/BUILD
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ ot_static_library(
deps = [
"//sw/device/lib/crypto/impl:aes",
"//sw/device/lib/crypto/impl:aes_gcm",
"//sw/device/lib/crypto/impl:cmac",
"//sw/device/lib/crypto/impl:config",
"//sw/device/lib/crypto/impl:cryptolib_build_info",
"//sw/device/lib/crypto/impl:drbg",
Expand Down
Loading
Loading