[crypto] Manual backport from eg100 to master#30320
Merged
Merged
Conversation
Add the randomization of inputs in the pentest framework. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 2f1c710)
Add documentation on the FIPS build and the PIC test. Collateral: we no longer call the cryptolib under development. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit a77e30e)
The the transitive_features option with opentitan_binary_blob to allow compiler flags to be applied to the dependencies from the target. Then move no-jump-tables to this feature. With thanks to Yi-Hsuan Deng <yhdeng@google.com> Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit be4e6be)
Add a sign and verify test vector for 25519 in kats. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit c3e93e2)
Get the arithmetic_to_boolean and boolean_to_arithmetic to be in their own files and resrtucture p256. This should have no impact on p256 itself. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit df8a84a)
Propagate the masking of the keys in x25519 to the OTBN and use the masked scalar multiplication from ed25519. Change the sc_blind subroutine to blind with a clamped blinding factor (adding 3 bits to the size). Use the s2b and b2a from p256. Note that due to the sharing change (additive versus substraction) we switch the masking by adding a new mask B. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit b64522c)
Use the cleanup attribute in order to attach a guard to cleanup the hardware. These functions are called when the variables go out of scope. Hence, we clear the hardware on both the succesful execution (as it was before) and on bad status output (which is new). Apply this new setting to the AES, CMAC, and GCM where we split the driver to no longer clean the HW when calling aes_end. Instead, we always call it from impl (and users using the drivers still can manually call the clean in drivers). Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit ac0fd14)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
Clean the HMAC and KMAC also on errors by using a cleanup attribute. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit d8d4fb3)
The previous cherry-picked commit used the old approach without the DT. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
As ACVP sends unhashed messages to the device, add a new handler to ECDSA that enables us to hash the message before calling the ECDSA functions. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 9ead434)
This commit enables signature verification testing using ACVP test vectors for ECDSA. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 747f4f0)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 984c9b6)
Generates and returns the keys. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 4c5a42a)
For each test group, create a key pair. Use this key pair to sign the message given in the test vector file. Store the signature as well as the public key in the output json file. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 0211b2d)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 2213183)
Create a key on the device and store the public and private key in the user specified JSON file. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit f908adf)
Add the FIPS self-integrity check of the cryptolib to the otcrypto_init when the library is compiled with HASH_SELF_CHECK_ENABLE (such as with --config=crypto_fips_all). Remove the self-integrity test in the hash test since it is called in the init now. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit e8ce85e)
For now, only add ECB test vectors to build up the test framework. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit c98b080)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 0c00bff)
Send the test vectors to the cryptotest firmware and compare the output to the expected ones. Also enable the user to write the output to a JSON file that can be transmitted to the ACVP server. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit e2855fe)
Previously, main.rs determined which algorithm we want to test by simply looking into the JSON file format. However, if two JSON files for different algorithms would be identical, this parsing causes issues. Hence, read the algorithm field in the JSON file to determine which algo we want to test. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit e573fe0)
Update the comments for x25519 in the OTBN code. Rename the run_curve25519 symbols to make it clear which the symbols are for the wrapper and for the internal calls (previously we had x25519 and X25519). Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 3b13bc5)
Replace regular uint8, or uint32 arrays by otcrypto_byte_buf_t and otcrypto_word32_buf_t to propagate the integrity on them. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 6fd328e)
For the test vectors itself, use Wycheproof test vectors. The reason for this is that the existing ACVP test vectors are not compatible with the OT cryptolib implementation. However, when having access to the ACVP server, one can request fitting test vectors using the registration configuration possibility. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit fa5c803)
Read the test vector file, send the test vector to the device, check if the response matches the expected test vector. If needed, the test output can be stored in a JSON file. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 209eeee)
Add the minsize feature (-Oz flag) for minimum code size. This saves 2k bytes. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 7ee88cc)
Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 518ddd8)
Only use test vectors where the message len is 2048 bits or below. This limit was choosen as transmitting data from the host to the device is quite slow. If needed, this limit can be increased. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 2e12751)
Integrate SHA into the cryptotest device firmware. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 42251f1)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit f31f107)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit b0b56e5)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit c4bb6b7)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 17c18d1)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit e793594)
The changed code line triggered a clippy RUST error: `error: manually reimplementing `div_ceil`` Fix it. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
The master branch automatically computes a module ID if none is provided. Currently, sha does not have one, creating a conflicting module ID. Hence, manually assign one to resolve the conflict. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
siemen11
approved these changes
Jun 8, 2026
siemen11
left a comment
Contributor
There was a problem hiding this comment.
Looks good thank you Pascal!
Contributor
Author
|
Merging as the failing jobs are DV jobs that are unrelated. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport the following PRs from earlgrey_1.0.0 to master: