[ot] hw/opentitan: ot_aes: fix IV updates in CFB mode #107
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rivos-eblot
requested changes
Jan 20, 2025
There was a problem hiding this comment.
Could you also update something I missed from the previous AES MR circa line 441:
trace_ot_aes_init("iv");
if (randomize) {
ot_aes_randomize(s, r->iv, ARRAY_SIZE(r->iv));
}with something like
if (randomize) {
trace_ot_aes_init("iv randomize");
ot_aes_randomize(s, r->iv, ARRAY_SIZE(r->iv));
} else {
trace_ot_aes_init("iv");
}to differentiate both kinds. Thanks
|
Might be worth updating the file header as well? from * Copyright (c) 2022-2024 Rivos, Inc.to * Copyright (c) 2022-2024 Rivos, Inc.
* Copyright (c) 2025 lowRISC contributors.or the like |
luismarques
changed the title
luismarques
force-pushed
the
cfb-iv
branch
2 times, most recently
from
b5c2edb to
e8b3509
Compare
|
I've checked that OpenSSL returns the expected output IV value, so this seems to be a libtomcrypt oddity. |
rivos-eblot
reviewed
Feb 7, 2025
rivos-eblot
reviewed
Feb 7, 2025
No changes in libtomcrypt AES implementation for about 1.5 years. |
In AES CFB mode after a block operation the IV registers are updated with the ciphertext from the previous block operation. See: - https://opentitan.org/book/hw/ip/aes/doc/theory_of_operation.html#datapath-architecture-and-operation - https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_feedback_(CFB) LibTomCrypt does not provide this, so we just read it directly from our own data. Previously, we were using the updated IV value that LibTomCrypt provides, which is instead updated to be the output of the block operation (without the XOR with the plaintext). This fix allows the aes_functest to pass. Signed-off-by: Luís Marques <[email protected]>
luismarques
changed the base branch from
ot-earlgrey-9.1.0
to
ot-earlgrey-9.2.0
|
The QEMU CI is broken. Let's merge this after fixing it and letting it run. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In AES CFB mode after a block operation the IV registers are updated with the ciphertext from the previous block operation. See:
LibTomCrypt does not provide this, so we just read it directly from our own data. Previously, we were using the updated IV value that LibTomCrypt provides, which is instead updated to be the output of the block operation (without the XOR with the plaintext).
This fix allows the aes_functest to pass.