[ot] hw/opentitan: ot_hmac: Make HMAC outer hash independent of key/digest size

AlexJones0 · AlexJones0 · commit b2ab5f38cbb5 · 2024-12-12T16:53:57.000Z
This commit updates the size of the key and digest registers to their
new maximum sizes in support of HMAC Multi-Mode (SHA-2 256/384/512
Engine), which is 64 bytes for the digest and 128 bytes for the key.

The current HMAC logic which processes the input padding and performs
the outer hash (using the outer padding) by default assumes that the
key length is 64 bytes (512 bits), and that you are hence using the
entire set of registers. They also assume that the digest is 32 bytes
(256 bits), and that you are again hence using the entire register set.

The new logic now uses the key_length and digest_size config register
fields to determine the exact padding and digest sizes that should be
used in the HMAC calculations.
diff --git a/hw/opentitan/ot_hmac.c b/hw/opentitan/ot_hmac.c
@@ -44,11 +44,11 @@
 /* Input FIFO length is 64 bytes (16 x 32 bits) */
 #define OT_HMAC_FIFO_LENGTH 64u
 
-/* Digest length is 32 bytes (256 bits) */
-#define OT_HMAC_DIGEST_LENGTH 32u
+/* (Maximum) digest length is 64 bytes (512 bits) */
+#define OT_HMAC_MAX_DIGEST_LENGTH 64u
 
-/* HMAC key length is 32 bytes (256 bits) */
-#define OT_HMAC_KEY_LENGTH 32u
+/* HMAC (maximum) key length is 128 bytes (1024 bits) */
+#define OT_HMAC_MAX_KEY_LENGTH 128u
 
 #define PARAM_NUM_IRQS 3u
 
@@ -231,8 +231,8 @@ struct OtHMACRegisters {
     uint32_t cmd;
     uint32_t err_code;
     uint32_t wipe_secret;
-    uint32_t key[OT_HMAC_KEY_LENGTH / sizeof(uint32_t)];
-    uint32_t digest[OT_HMAC_DIGEST_LENGTH / sizeof(uint32_t)];
+    uint32_t key[OT_HMAC_MAX_KEY_LENGTH / sizeof(uint32_t)];
+    uint32_t digest[OT_HMAC_MAX_DIGEST_LENGTH / sizeof(uint32_t)];
     uint64_t msg_length;
 };
 typedef struct OtHMACRegisters OtHMACRegisters;
@@ -291,6 +291,41 @@ static inline enum OtHMACDigestSize ot_hmac_get_digest_size(uint32_t cfg_reg)
     }
 }
 
+static inline size_t ot_hmac_get_digest_bytes(OtHMACState *s)
+{
+    switch (ot_hmac_get_digest_size(s->regs->cfg)) {
+    case HMAC_SHA2_256:
+        return 32u;
+    case HMAC_SHA2_384:
+        return 48u;
+    case HMAC_SHA2_512:
+        return 64u;
+    case HMAC_SHA2_NONE:
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Cannot get digest size if it is not set. \n",
+                      __func__);
+        return 0u;
+    }
+}
+
+static inline size_t ot_hmac_get_block_size_bytes(OtHMACState *s)
+{
+    switch (ot_hmac_get_digest_size(s->regs->cfg)) {
+    case HMAC_SHA2_256:
+        return 64u;
+    case HMAC_SHA2_384:
+    case HMAC_SHA2_512:
+        return 128u;
+    case HMAC_SHA2_NONE:
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Cannot get block size if digest size is not set. \n",
+                      __func__);
+        return 0u;
+    }
+}
+
 static inline enum OtHMACKeyLength ot_hmac_get_key_length(uint32_t cfg_reg)
 {
     switch ((cfg_reg & R_CFG_KEY_LENGTH_MASK) >> R_CFG_KEY_LENGTH_SHIFT) {
@@ -310,6 +345,27 @@ static inline enum OtHMACKeyLength ot_hmac_get_key_length(uint32_t cfg_reg)
     }
 }
 
+static inline size_t ot_hmac_get_key_bytes(OtHMACState *s)
+{
+    switch (ot_hmac_get_key_length(s->regs->cfg)) {
+    case HMAC_KEY_128:
+        return 16u;
+    case HMAC_KEY_256:
+        return 32u;
+    case HMAC_KEY_384:
+        return 48u;
+    case HMAC_KEY_512:
+        return 64u;
+    case HMAC_KEY_1024:
+        return 128u;
+    case HMAC_KEY_NONE:
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Cannot get key size if it is not set. \n", __func__);
+        return 0u;
+    }
+}
+
 static inline bool ot_hmac_key_length_supported(
     enum OtHMACDigestSize digest_size, enum OtHMACKeyLength key_length)
 {
@@ -344,8 +400,7 @@ static void ot_hmac_writeback_digest_state(OtHMACState *s)
     /* copy intermediary digest to mock HMAC operation for stop/continue
     behaviour. */
     /* TODO: add support for SHA2-384 and SHA2-512 */
-    unsigned digest_length = OT_HMAC_DIGEST_LENGTH / sizeof(uint32_t);
-    for (unsigned i = 0; i < digest_length; i++) {
+    for (unsigned i = 0; i < 8u; i++) {
         STORE32H(s->ctx->state.sha256.state[i], s->regs->digest + i);
     }
 }
@@ -383,16 +438,22 @@ static void ot_hmac_compute_digest(OtHMACState *s)
     if (s->regs->cfg & R_CFG_HMAC_EN_MASK) {
         ot_hmac_sha_done(s);
 
-        uint64_t opad[8u];
+        size_t key_length_b = ot_hmac_get_key_bytes(s);
+        size_t block_size_b = ot_hmac_get_block_size_bytes(s);
+        /* If the key is smaller than the block size, we must pad it to the
+        right with 0s. */
+        size_t pad_length_b = MAX(key_length_b, block_size_b);
+        size_t pad_length_w = pad_length_b / sizeof(uint32_t);
+        uint32_t opad[OT_HMAC_MAX_KEY_LENGTH / sizeof(uint32_t)];
         memset(opad, 0, sizeof(opad));
-        memcpy(opad, s->regs->key, sizeof(s->regs->key));
-        for (unsigned i = 0; i < ARRAY_SIZE(opad); i++) {
-            opad[i] ^= 0x5c5c5c5c5c5c5c5cull;
+        memcpy(opad, s->regs->key, key_length_b);
+        for (unsigned i = 0; i < pad_length_w; i++) {
+            opad[i] ^= 0x5c5c5c5cul;
         }
         ot_hmac_sha_init(s, false);
-        ot_hmac_sha_process(s, (const uint8_t *)opad, sizeof(opad), false);
+        ot_hmac_sha_process(s, (const uint8_t *)opad, pad_length_b, false);
         ot_hmac_sha_process(s, (const uint8_t *)s->regs->digest,
-                            sizeof(s->regs->digest), true);
+                            ot_hmac_get_digest_bytes(s), true);
     }
     ot_hmac_sha_done(s);
 }
@@ -736,13 +797,19 @@ static void ot_hmac_regs_write(void *opaque, hwaddr addr, uint64_t value,
 
             /* HMAC mode, process input padding */
             if (s->regs->cfg & R_CFG_HMAC_EN_MASK) {
-                uint64_t ipad[8u];
+                size_t key_length_b = ot_hmac_get_key_bytes(s);
+                size_t block_size_b = ot_hmac_get_block_size_bytes(s);
+                /* If the key is smaller than the block size, we must pad it to
+                the right with 0s. */
+                size_t pad_length_b = MAX(key_length_b, block_size_b);
+                size_t pad_length_w = pad_length_b / sizeof(uint32_t);
+                uint32_t ipad[OT_HMAC_MAX_KEY_LENGTH / sizeof(uint32_t)];
                 memset(ipad, 0, sizeof(ipad));
-                memcpy(ipad, s->regs->key, sizeof(s->regs->key));
-                for (unsigned i = 0; i < ARRAY_SIZE(ipad); i++) {
-                    ipad[i] ^= 0x3636363636363636u;
+                memcpy(ipad, s->regs->key, key_length_b);
+                for (unsigned i = 0; i < pad_length_w; i++) {
+                    ipad[i] ^= 0x36363636ul;
                 }
-                ot_hmac_sha_process(s, (const uint8_t *)ipad, sizeof(ipad),
+                ot_hmac_sha_process(s, (const uint8_t *)ipad, pad_length_b,
                                     true);
             }
         }
@@ -794,8 +861,7 @@ static void ot_hmac_regs_write(void *opaque, hwaddr addr, uint64_t value,
             /* Restore SHA256 context */
             s->ctx->state.sha256.curlen = 0;
             s->ctx->state.sha256.length = s->regs->msg_length;
-            unsigned digest_length = OT_HMAC_DIGEST_LENGTH / sizeof(uint32_t);
-            for (unsigned i = 0; i < digest_length; i++) {
+            for (unsigned i = 0; i < 8u; i++) {
                 s->ctx->state.sha256.state[i] = s->regs->digest[i];
             }
 
