[ot] Add STOP/CONTINUE commands to HMAC

AlexJones0 · AlexJones0 · commit fef055722b97 · 2024-12-10T14:41:30.000Z
Adds the STOP/CONTINUE commands to the OpenTitan HMAC model. These
commands allow you to stop a SHA/HMAC hash after the next full round of
hashing/compression, and retrieve the partial digest so that this
context can be restored later and computation can continue. This lets
users stop/start the HMAC as needed, and better cache hash computations.

To correctly implement these commands, in addition to writing back the
partial intermediary digests of the `sha_process` operations, additional
conditional logic is introduced on stop commands for only processing the
FIFO until the next hash block boundary, and an additional check is
added to the `process` call for the hash being completed.

Note that this commit still hard-codes for SHA256, and does not update
the corresponding DIGEST / MESSAGE LENGTH registers to be writable.

Signed-off-by: Alex Jones &lt;alex.jones@lowrisc.org&gt;
diff --git a/hw/opentitan/ot_hmac.c b/hw/opentitan/ot_hmac.c
@@ -342,17 +342,34 @@ static void ot_hmac_process_fifo(OtHMACState *s)
 {
     trace_ot_hmac_debug(s->ot_id, __func__);
 
-    if (!fifo8_is_empty(&s->input_fifo)) {
-        while (!fifo8_is_empty(&s->input_fifo)) {
+    const bool stop = s->regs->cmd & R_CMD_HASH_STOP_MASK;
+    const bool process = s->regs->cmd & R_CMD_HASH_PROCESS_MASK;
+
+    if (!fifo8_is_empty(&s->input_fifo) &&
+        (!stop || s->ctx->state.sha256.curlen != 0)) {
+        while (!fifo8_is_empty(&s->input_fifo) &&
+               (!stop || s->ctx->state.sha256.curlen != 0)) {
             uint8_t value = fifo8_pop(&s->input_fifo);
             ot_hmac_sha_process(s, &value, 1, false);
         }
 
+        /* write back updated digest state */
+        if (fifo8_is_empty(&s->input_fifo) || stop) {
+            ot_hmac_writeback_digest_state(s);
+        }
+
         /* assert FIFO Empty IRQ */
-        s->regs->intr_state |= INTR_FIFO_EMPTY_MASK;
+        if (fifo8_is_empty(&s->input_fifo)) {
+            s->regs->intr_state |= INTR_FIFO_EMPTY_MASK;
+        }
+    }
+
+    if (stop && s->ctx->state.sha256.curlen == 0) {
+        s->regs->intr_state |= INTR_HMAC_DONE_MASK;
+        s->regs->cmd = 0;
     }
 
-    if (s->regs->cmd & R_CMD_HASH_PROCESS_MASK) {
+    if (process && s->ctx->state.sha256.length >= 512) {
         ot_hmac_compute_digest(s);
         s->regs->intr_state |= INTR_HMAC_DONE_MASK;
         s->regs->cmd = 0;
@@ -631,7 +648,8 @@ static void ot_hmac_regs_write(void *opaque, hwaddr addr, uint64_t value,
         }
 
         if (val32 & R_CMD_HASH_PROCESS_MASK) {
-            if (!(s->regs->cmd & R_CMD_HASH_START_MASK)) {
+            if (!(s->regs->cmd &
+                  (R_CMD_HASH_START_MASK | R_CMD_HASH_CONTINUE_MASK))) {
                 qemu_log_mask(
                     LOG_GUEST_ERROR,
                     "%s: CMD.PROCESS requested but hash not started yet\n",
@@ -651,6 +669,40 @@ static void ot_hmac_regs_write(void *opaque, hwaddr addr, uint64_t value,
             ibex_irq_set(&s->clkmgr, true);
             ot_hmac_process_fifo(s);
         }
+
+        if (val32 & R_CMD_HASH_STOP_MASK) {
+            s->regs->cmd = R_CMD_HASH_STOP_MASK;
+
+            /* trigger delayed processing of FIFO until the next block is processed. */
+            ibex_irq_set(&s->clkmgr, true);
+            ot_hmac_process_fifo(s);
+        }
+
+        if (val32 & R_CMD_HASH_CONTINUE_MASK) {
+            if (!(s->regs->cfg & R_CFG_SHA_EN_MASK)) {
+                ot_hmac_report_error(s,
+                                     R_ERR_CODE_HASH_START_WHEN_SHA_DISABLED);
+                break;
+            }
+            if (s->regs->cmd) {
+                ot_hmac_report_error(s, R_ERR_CODE_HASH_START_WHEN_ACTIVE);
+                break;
+            }
+
+            s->regs->cmd = R_CMD_HASH_CONTINUE_MASK;
+
+            // Restore SHA256 context
+            s->ctx->state.sha256.curlen = 0;
+            s->ctx->state.sha256.length = s->regs->msg_length;
+            for (uint8_t i = 0; i < 8; i++) {
+                s->ctx->state.sha256.state[i] = s->regs->digest[i];
+            }
+
+            /* trigger delayed processing of FIFO */
+            ibex_irq_set(&s->clkmgr, true);
+            ot_hmac_process_fifo(s);
+        }
+
         break;
     case R_WIPE_SECRET:
         /* TODO ignore write if engine is not idle? */
