lowRISC · luismarques · Jan 16, 2025 · Jan 13, 2025 · Jan 13, 2025 · Jan 13, 2025
diff --git a/hw/opentitan/ot_aes.c b/hw/opentitan/ot_aes.c
@@ -122,7 +122,7 @@ REG32(STATUS, 0x84u)
 
 #define OT_AES_DATA_SIZE (PARAM_NUM_REGS_DATA * sizeof(uint32_t))
 #define OT_AES_KEY_SIZE  (PARAM_NUM_REGS_KEY * sizeof(uint32_t))
-#define OT_AES_IV_SIZE   (PARAM_NUM_REGS_KEY * sizeof(uint32_t))
+#define OT_AES_IV_SIZE   (PARAM_NUM_REGS_IV * sizeof(uint32_t))
 
 /* arbitrary value long enough to give back execution to vCPU */
 #define OT_AES_RETARD_DELAY_NS 10000u /* 10 us */
@@ -754,6 +754,28 @@ static void ot_aes_finalize(OtAESState *s, enum OtAESMode mode)
     c->do_full = false;
 }
 
+static void ot_aes_compute_ctr_iv(OtAESState *s, uint8_t *iv)
+{
+    OtAESContext *c = s->ctx;
+    uint8_t liv[OT_AES_IV_SIZE];
+
+    unsigned long length = OT_AES_IV_SIZE;
+    ctr_getiv(liv, &length, &c->ctr);
+
+    g_assert(c->ctr.mode == CTR_COUNTER_BIG_ENDIAN);
+    g_assert(c->ctr.ctrlen == 0);
+
+    unsigned ix = OT_AES_IV_SIZE - 1u;
+    do {
+        liv[ix] = liv[ix] + 0x1u;
+        if (liv[ix] != 0) {
+            break;
+        }
+    } while (ix--);
+
+    memcpy(iv, liv, sizeof(liv));
+}
+
 static void ot_aes_pop(OtAESState *s)
 {
     OtAESRegisters *r = s->regs;
@@ -854,7 +876,7 @@ static void ot_aes_process(OtAESState *s)
             memcpy(c->iv, c->ofb.IV, sizeof(c->iv));
             break;
         case AES_CTR:
-            memcpy(c->iv, c->ctr.ctr, sizeof(c->iv));
+            ot_aes_compute_ctr_iv(s, (uint8_t *)&c->iv[0]);
             break;
         default:
             break;
@@ -1009,7 +1031,7 @@ static uint64_t ot_aes_read(void *opaque, hwaddr addr, unsigned size)
     case R_IV_1:
     case R_IV_2:
     case R_IV_3:
-        val32 = r->keyshare[reg - R_IV_0];
+        val32 = r->iv[reg - R_IV_0];
         break;
     case R_DATA_OUT_0:
     case R_DATA_OUT_1: