[aes/doc] Document Galois/Counter Mode (GCM) implementation + hardening #31
+5,136
−390
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@nasahlpa would you mind taking a look at this please? I need this to link the SCA hardening evaluation against. You can generate the full documentation using |
nasahlpa
approved these changes
Mar 6, 2025
hw/ip/aes/doc/programmers_guide.md
Outdated
| Internally, this configures the AES block in ECB mode. | ||
| After configuring the encryption key, software writes the 96-bit IV to the IV registers [`IV_0`](registers.md#iv) - [`IV_2`](registers.md#iv) and `0` to IV register [`IV_3`](registers.md#iv). | ||
| The hardware will then perform two operations: | ||
| 1. It encrypts the all-zero vector and stores the result in the hash subkey `H` registers internal to the GHASH module and increment the counter value (content of the IV Registers) using the inc32 function. |
There was a problem hiding this comment.
Suggested change
| 1. It encrypts the all-zero vector and stores the result in the hash subkey `H` registers internal to the GHASH module and increment the counter value (content of the IV Registers) using the inc32 function. | |
| 1. It encrypts the all-zero vector and stores the result in the hash subkey `H` registers internal to the GHASH module and increments the counter value (content of the IV Registers) using the inc32 function. |
hw/ip/aes/doc/programmers_guide.md
Outdated
| To see if the AES unit is ready to accept the next block, software can query the [`STATUS.INPUT_READY`](registers.md#status) bit. | ||
|
|
||
| For the last block and in case the block is not full, software first waits for the AES unit to become idle by querying the [`STATUS.IDLE`](registers.md#status) bit, and then sets the [`CTRL_GCM_SHADOWED.NUM_VALID_BYTES`](registers.md#ctrl_gcm_shadowed) field to the number of valid bytes. | ||
| For all other blocks, software sets this field to the value `16`. |
There was a problem hiding this comment.
The last sentence is a bit confusing to me. For all other blocks between the first and last software does not do anything? Do you mean: All blocks just must be 16 bytes? Then we can maybe say. The block size of blocks between the first and last block must be 16 bytes.
There was a problem hiding this comment.
Thanks, that's resolved now.
hw/ip/aes/doc/programmers_guide.md
Outdated
|
|
||
| 1. Software needs to wait for the AES unit to become idle (see [`STATUS.IDLE`](registers.md#status)). | ||
|
|
||
| 1. Software configures the [`CTRL_GCM_SHADOWED.PHASE`](registers.md#ctrl_gcm_shadowed) to `GCM_TAG` and the `NUM_VALID_BYTES` field to `16`. |
There was a problem hiding this comment.
Sure that this should be GCM_TAG and not GCM_SAVE?
hw/ip/aes/doc/theory_of_operation.md
Outdated
|
|
||
| There are two parallel paths, each featuring their own Galois Field GF(2^128) multiplier to separate the processing of the two shares H<sub>0</sub> and H<sub>1</sub> of the hash subkey H to prevent SPA on the multiplication. | ||
| Using two separate multipliers allows to prevent unmasking H at any point during the execution, incl. e.g., due to accidental leakage occurring due to multiplexing H<sub>0</sub> and H<sub>1</sub>. | ||
| The multipliers are implemented in a serial-parallel fashion to trade of area vs. performance. |
There was a problem hiding this comment.
Suggested change
| The multipliers are implemented in a serial-parallel fashion to trade of area vs. performance. | |
| The multipliers are implemented in a serial-parallel fashion to trade off area vs. performance. |
vogelpi
force-pushed
the
aes-gcm-spec
branch
2 times, most recently
from
3dbf79a to
601fbd1
Compare
Signed-off-by: Pirmin Vogel <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.