feedc0de/esp-idf
1
0
Fork 0
forked from espressif/esp-idf
Code Pull Requests Activity

feat(hal/aes): Enable pseudo rounds function during AES operations

Browse Source
This commit is contained in:
harshal.patil
2024-09-18 12:18:51 +05:30
parent bcd80c92f3
commit c6ea979efa
11 changed files with 196 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
components/hal/aes_hal.c
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -39,8 +39,15 @@ void aes_hal_transform_block(const void *input_block, void *output_block)
aes_ll_read_block(output_block);
}
#if SOC_AES_SUPPORT_DMA
#ifdef SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
void aes_hal_enable_pseudo_rounds(bool enable, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
aes_ll_enable_pseudo_rounds(enable, base, increment, key_rng_cnt);
}
#endif // SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
#if SOC_AES_SUPPORT_DMA
void aes_hal_transform_dma_start(size_t num_blocks)
{
@ -61,7 +68,7 @@ void aes_hal_transform_dma_finish(void)
void aes_hal_mode_init(esp_aes_mode_t mode)
{
/* Set the algorith mode CBC, CFB ... */
/* Set the algorithm mode CBC, CFB ... */
aes_ll_set_block_mode(mode);
/* Presently hard-coding the INC function to 32 bit */
if (mode == ESP_AES_BLOCK_MODE_CTR) {
@ -83,8 +90,6 @@ void aes_hal_wait_done()
{
while (aes_ll_get_state() != ESP_AES_STATE_DONE) {}
}
#endif //SOC_AES_SUPPORT_DMA
#if SOC_AES_SUPPORT_GCM

24
components/hal/esp32c5/include/hal/aes_ll.h
View File

@ -8,7 +8,7 @@
#include <stdbool.h>
#include <string.h>
#include "soc/hwcrypto_reg.h"
#include "soc/aes_reg.h"
#include "soc/pcr_struct.h"
#include "hal/aes_types.h"
@ -241,6 +241,28 @@ static inline void aes_ll_interrupt_clear(void)
REG_WRITE(AES_INT_CLEAR_REG, 1);
}
/**
* @brief Enable the pseudo-round function during AES operations
*
* @param enable true to enable, false to disable
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
static inline void aes_ll_enable_pseudo_rounds(bool enable, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_EN, enable);
if (enable) {
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_BASE, base);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_INC, increment);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_RNG_CNT, key_rng_cnt);
} else {
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_BASE, 0);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_INC, 0);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_RNG_CNT, 0);
}
}
#ifdef __cplusplus
}

17
components/hal/include/hal/aes_hal.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -45,6 +45,18 @@ uint8_t aes_hal_setkey(const uint8_t *key, size_t key_bytes, int mode);
*/
void aes_hal_transform_block(const void *input_block, void *output_block);
#ifdef SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
/**
* @brief Enable the pseudo-round function during AES operations
*
* @param enable true to enable, false to disable
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
void aes_hal_enable_pseudo_rounds(bool enable, uint8_t base, uint8_t increment, uint8_t key_rng_cnt);
#endif /* SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION */
#if SOC_AES_SUPPORT_DMA
/**
* @brief Inits the AES mode of operation
@ -102,6 +114,7 @@ void aes_hal_transform_dma_finish(void);
*/
#define aes_hal_interrupt_clear() aes_ll_interrupt_clear()
#if SOC_AES_SUPPORT_GCM
/**
* @brief Calculates the Hash sub-key H0 needed to start AES-GCM
@ -114,7 +127,7 @@ void aes_hal_gcm_calc_hash(uint8_t *gcm_hash);
* @brief Initializes the AES hardware for AES-GCM
*
* @param aad_num_blocks the number of Additional Authenticated Data (AAD) blocks
* @param num_valid_bit the number of effective bits of incomplete blocks in plaintext/cipertext
* @param num_valid_bit the number of effective bits of incomplete blocks in plaintext/ciphertext
*/
void aes_hal_gcm_init(size_t aad_num_blocks, size_t num_valid_bit);

36
components/mbedtls/Kconfig
View File

@ -416,6 +416,42 @@ menu "mbedTLS"
priority level and any level from 1 to 3 can be selected (based on the availability).
Note: Higher value indicates high interrupt priority.
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
bool "Enable AES hardware's pseudo round function"
default n
depends on SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
help
Enables the pseudo round function of the AES peripheral.
Enabling this would impact the performance of the AES operations.
For more info regarding the performance impact, please checkout the pseudo round function section of the
security guide.
choice MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH
prompt "Strength of the pseudo rounds function"
depends on MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
default MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_LOW
help
The strength of the pseudo rounds functions can be configured to low, medium and high.
You can configure the strength of the pseudo rounds functions according to your use cases,
for example, increasing the strength would provide higher security but would slow down the
hardware AES encryption/decryption operations.
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_LOW
bool "Low"
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
bool "Medium"
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
bool "High"
endchoice
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH
int
default 1 if MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_LOW
default 2 if MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
default 3 if MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
config MBEDTLS_HARDWARE_GCM
bool "Enable partially hardware accelerated GCM"
depends on SOC_AES_SUPPORT_GCM && MBEDTLS_HARDWARE_AES

5
components/mbedtls/port/aes/block/esp_aes.c
View File

@ -31,6 +31,7 @@
#include "esp_log.h"
#include "aes/esp_aes.h"
#include "soc/hwcrypto_periph.h"
#include "soc/soc_caps.h"
#include <sys/lock.h>
#include "hal/aes_hal.h"
#include "hal/aes_ll.h"
@ -105,6 +106,10 @@ static int esp_aes_block(esp_aes_context *ctx, const void *input, void *output)
i2 = input_words[2];
i3 = input_words[3];
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
aes_hal_transform_block(input, output);
/* Physical security check: Verify the AES accelerator actually ran, and wasn't

16
components/mbedtls/port/aes/dma/esp_aes_dma_core.c
View File

@ -610,6 +610,10 @@ int esp_aes_process_dma(esp_aes_context *ctx, const unsigned char *input, unsign
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
if (esp_aes_dma_start(input_desc, output_desc) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");
ret = -1;
@ -829,6 +833,10 @@ int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, un
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
/* Start AES operation */
if (esp_aes_dma_start(in_desc_head, output_desc) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");
@ -1084,6 +1092,10 @@ int esp_aes_process_dma(esp_aes_context *ctx, const unsigned char *input, unsign
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
if (esp_aes_dma_start(in_desc_head, out_desc_head) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");
ret = -1;
@ -1262,6 +1274,10 @@ int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, un
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
/* Start AES operation */
if (esp_aes_dma_start(in_desc_head, out_desc_head) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");

29
components/mbedtls/port/aes/esp_aes_common.c
View File

@ -6,7 +6,7 @@
*
* SPDX-License-Identifier: Apache-2.0
*
* SPDX-FileContributor: 2016-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileContributor: 2016-2024 Espressif Systems (Shanghai) CO LTD
*/
/*
* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
@ -76,3 +76,30 @@ int esp_aes_setkey( esp_aes_context *ctx, const unsigned char *key,
ctx->key_in_hardware = 0;
return 0;
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
/* The total number of pseudo-rounds randomly inserted in an AES operation are controlled by
* configuring the AES_PSEUDO_BASE, AES_PSEUDO_INC parameters.
* Users can also set the frequency of random key updates by configuring the AES_PSEUDO_RNG_CNT.
* Here, we would be using some pre-decided values for these parameters corresponding to the security needed.
* For more information regarding these parameters please refer the TRM.
*/
#define AES_PSEUDO_ROUNDS_BASE_LOW 4
#define AES_PSEUDO_ROUNDS_BASE_MEDIUM 7
#define AES_PSEUDO_ROUNDS_BASE_HIGH 15
#define AES_PSEUDO_ROUNDS_INC 3
#define AES_PSEUDO_ROUNDS_RNG_CNT 7
void esp_aes_enable_pseudo_rounds(esp_aes_psuedo_rounds_state_t state)
{
if (state == ESP_AES_PSEUDO_ROUNDS_DISABLE) {
aes_hal_enable_pseudo_rounds(false, 0, 0, 0);
} else if (state == ESP_AES_PSEUDO_ROUNDS_LOW) {
aes_hal_enable_pseudo_rounds(true, AES_PSEUDO_ROUNDS_BASE_LOW, AES_PSEUDO_ROUNDS_INC, AES_PSEUDO_ROUNDS_RNG_CNT);
} else if (state == ESP_AES_PSEUDO_ROUNDS_MEDIUM) {
aes_hal_enable_pseudo_rounds(true, AES_PSEUDO_ROUNDS_BASE_MEDIUM, AES_PSEUDO_ROUNDS_INC, AES_PSEUDO_ROUNDS_RNG_CNT);
} else {
aes_hal_enable_pseudo_rounds(true, AES_PSEUDO_ROUNDS_BASE_HIGH, AES_PSEUDO_ROUNDS_INC, AES_PSEUDO_ROUNDS_RNG_CNT);
}
}
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */

15
components/mbedtls/port/aes/include/esp_aes_internal.h
View File

@ -9,6 +9,7 @@
#include <stdbool.h>
#include "aes/esp_aes.h"
#include "soc/soc_caps.h"
#include "hal/aes_hal.h"
#include "esp_crypto_dma.h"
#ifdef __cplusplus
@ -17,6 +18,20 @@ extern "C" {
bool valid_key_length(const esp_aes_context *ctx);
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
/**
* @brief Default pseudo rounds configs of the AES accelerator
*/
typedef enum {
ESP_AES_PSEUDO_ROUNDS_DISABLE = 0,
ESP_AES_PSEUDO_ROUNDS_LOW,
ESP_AES_PSEUDO_ROUNDS_MEDIUM,
ESP_AES_PSEUDO_ROUNDS_HIGH,
} esp_aes_psuedo_rounds_state_t;
void esp_aes_enable_pseudo_rounds(esp_aes_psuedo_rounds_state_t state);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
#if SOC_AES_SUPPORT_DMA
/**
* @brief Run a AES operation using DMA

4
components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
View File

@ -267,6 +267,10 @@ config SOC_AES_SUPPORT_AES_256
bool
default y
config SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
bool
default y
config SOC_ADC_DIG_CTRL_SUPPORTED
bool
default y

2
components/soc/esp32c5/include/soc/soc_caps.h
View File

@ -97,6 +97,8 @@
#define SOC_AES_SUPPORT_AES_128 (1)
#define SOC_AES_SUPPORT_AES_256 (1)
#define SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION (1)
/*-------------------------- ADC CAPS -------------------------------*/
/*!< SAR ADC Module*/
#define SOC_ADC_DIG_CTRL_SUPPORTED 1

49
docs/en/security/security.rst
View File

@ -114,18 +114,53 @@ Flash Encryption Best Practices
This feature can help to prevent the possibility of remote code injection due to the existing vulnerabilities in the software.
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED or SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
DPA (Differential Power Analysis) Protection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Protection Against Side-Channel Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
{IDF_TARGET_NAME} has support for protection mechanisms against the Differential Power Analysis related security attacks. DPA protection dynamically adjusts the clock frequency of the crypto peripherals, thereby blurring the power consumption trajectory during its operation. Based on the configured DPA security level, the clock variation range changes. Please refer to the TRM for more details on this topic.
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
:ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` can help to select the DPA level. Higher level means better security, but it can also have an associated performance impact. By default, the lowest DPA level is kept enabled but it can be modified based on the security requirement.
DPA (Differential Power Analysis) Protection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note::
{IDF_TARGET_NAME} has support for protection mechanisms against the Differential Power Analysis related security attacks. DPA protection dynamically adjusts the clock frequency of the crypto peripherals, thereby blurring the power consumption trajectory during its operation. Based on the configured DPA security level, the clock variation range changes. Please refer to the TRM for more details on this topic.
:ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` can help to select the DPA level. Higher level means better security, but it can also have an associated performance impact. By default, the lowest DPA level is kept enabled but it can be modified based on the security requirement.
.. note::
Please note that hardware :doc:`RNG <../api-reference/system/random>` must be enabled for DPA protection to work correctly.
.. only:: SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
AES peripheral's Pseudo-Round Function
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
{IDF_TARGET_NAME} incorporates a pseudo-round function in the AES peripheral, thus enabling the peripheral to randomly insert pseudo-rounds before and after the original operation rounds and also generate a pseudo key to perform these dummy operations.
These operations do not alter the original result, but they increase the complexity to perform side channel analysis attacks by randomizing the power profile.
:ref:`CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH` can be used to select the strength of the pseudo-round function. Increasing the strength improves the security provided, but would slow down the encrryption/decryption operations.
.. list-table:: Performance impact on AES operations per strength level
:widths: 10 10
:header-rows: 1
:align: center
* - **Strength**
- **Performance Impact** [#]_
* - Low
- 20.9 %
* - Medium
- 47.6 %
* - High
- 72.4 %
.. [#] The above performance numbers have been calculated using the AES performance test of the mbedtls test application :component_file:`test_aes_perf.c <mbedtls/test_apps/main/test_aes_perf.c>`.
Considering the above performance impact, ESP-IDF by-default does not enable the pseudo-round function to avoid any performance-related degrade. But it is recommended to enable the pseudo-round function for better security.
Please note that hardware :doc:`RNG <../api-reference/system/random>` must be enabled for DPA protection to work correctly.
Debug Interfaces
~~~~~~~~~~~~~~~~