Skip to content

[crypto] Manual backport from eg100 to master#30320

Merged
nasahlpa merged 38 commits into
lowRISC:masterfrom
nasahlpa:backport_cl_prs_8
Jun 9, 2026
Merged

[crypto] Manual backport from eg100 to master#30320
nasahlpa merged 38 commits into
lowRISC:masterfrom
nasahlpa:backport_cl_prs_8

Conversation

siemen11 and others added 30 commits June 8, 2026 17:45
Add the randomization of inputs in the pentest framework.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 2f1c710)
Add documentation on the FIPS build and the PIC test.

Collateral: we no longer call the cryptolib under development.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit a77e30e)
The the transitive_features option with opentitan_binary_blob to allow
compiler flags to be applied to the dependencies from the target.
Then move no-jump-tables to this feature.

With thanks to Yi-Hsuan Deng <yhdeng@google.com>

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit be4e6be)
Add a sign and verify test vector for 25519 in kats.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit c3e93e2)
Get the arithmetic_to_boolean and boolean_to_arithmetic to be in their
own files and resrtucture p256. This should have no impact on p256
itself.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit df8a84a)
Propagate the masking of the keys in x25519 to the OTBN and use the
masked scalar multiplication from ed25519.
Change the sc_blind subroutine to blind with a clamped blinding factor
(adding 3 bits to the size).

Use the s2b and b2a from p256.
Note that due to the sharing change (additive versus substraction) we
switch the masking by adding a new mask B.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit b64522c)
Use the cleanup attribute in order to attach a guard to cleanup the hardware.
These functions are called when the variables go out of scope.
Hence, we clear the hardware on both the succesful execution (as it was before) and on bad status
output (which is new).

Apply this new setting to the AES, CMAC, and GCM where we split the driver to no longer
clean the HW when calling aes_end. Instead, we always call it from impl
(and users using the drivers still can manually call the clean in
drivers).

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit ac0fd14)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
Clean the HMAC and KMAC also on errors by using a cleanup attribute.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit d8d4fb3)
The previous cherry-picked commit used the old approach without
the DT.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
As ACVP sends unhashed messages to the device, add a new handler to ECDSA
that enables us to hash the message before calling the ECDSA functions.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 9ead434)
This commit enables signature verification testing using ACVP
test vectors for ECDSA.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 747f4f0)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 984c9b6)
Generates and returns the keys.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 4c5a42a)
For each test group, create a key pair. Use this key pair
to sign the message given in the test vector file. Store the
signature as well as the public key in the output json file.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 0211b2d)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 2213183)
Create a key on the device and store the public and private key in
the user specified JSON file.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit f908adf)
Add the FIPS self-integrity check of the cryptolib to the otcrypto_init
when the library is compiled with HASH_SELF_CHECK_ENABLE (such as with
--config=crypto_fips_all).
Remove the self-integrity test in the hash test since it is called in
the init now.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit e8ce85e)
For now, only add ECB test vectors to build up the test framework.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit c98b080)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 0c00bff)
Send the test vectors to the cryptotest firmware and compare the
output to the expected ones. Also enable the user to write the
output to a JSON file that can be transmitted to the ACVP server.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit e2855fe)
Previously, main.rs determined which algorithm we want to test by
simply looking into the JSON file format. However, if two JSON files
for different algorithms would be identical, this parsing causes
issues.

Hence, read the algorithm field in the JSON file to determine which algo
we want to test.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit e573fe0)
Update the comments for x25519 in the OTBN code.
Rename the run_curve25519 symbols to make it clear which the symbols are
for the wrapper and for the internal calls (previously we had x25519 and
X25519).

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 3b13bc5)
Replace regular uint8, or uint32 arrays by otcrypto_byte_buf_t and
otcrypto_word32_buf_t to propagate the integrity on them.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 6fd328e)
For the test vectors itself, use Wycheproof test vectors. The reason
for this is that the existing ACVP test vectors are not compatible
with the OT cryptolib implementation. However, when having access to
the ACVP server, one can request fitting test vectors using the
registration configuration possibility.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit fa5c803)
Read the test vector file, send the test vector to the device,
check if the response matches the expected test vector. If needed,
the test output can be stored in a JSON file.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 209eeee)
Add the minsize feature (-Oz flag) for minimum code size.
This saves 2k bytes.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 7ee88cc)
Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
(cherry picked from commit 518ddd8)
Only use test vectors where the message len is 2048 bits or below.
This limit was choosen as transmitting data from the host to the
device is quite slow. If needed, this limit can be increased.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 2e12751)
nasahlpa added 8 commits June 8, 2026 17:55
Integrate SHA into the cryptotest device firmware.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 42251f1)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit f31f107)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit b0b56e5)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit c4bb6b7)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit 17c18d1)
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
(cherry picked from commit e793594)
The changed code line triggered a clippy RUST error:
`error: manually reimplementing `div_ceil``
Fix it.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
The master branch automatically computes a module ID if none is
provided. Currently, sha does not have one, creating a conflicting
module ID. Hence, manually assign one to resolve the conflict.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
@nasahlpa nasahlpa marked this pull request as ready for review June 8, 2026 18:21
@nasahlpa nasahlpa requested review from a team, cfrantz and vogelpi as code owners June 8, 2026 18:22
@nasahlpa nasahlpa requested review from moidx and removed request for a team June 8, 2026 18:22

@siemen11 siemen11 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good thank you Pascal!

@vogelpi vogelpi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @nasahlpa !

@nasahlpa

nasahlpa commented Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

Merging as the failing jobs are DV jobs that are unrelated.

@nasahlpa nasahlpa added this pull request to the merge queue Jun 9, 2026
Merged via the queue into lowRISC:master with commit aad8304 Jun 9, 2026
69 of 80 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants