Software APIs
aes_gcm.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/lib/crypto/include/aes_gcm.h"
6 
7 #include "sw/device/lib/base/hardened.h"
8 #include "sw/device/lib/base/hardened_memory.h"
9 #include "sw/device/lib/base/math.h"
10 #include "sw/device/lib/base/memory.h"
11 #include "sw/device/lib/crypto/drivers/aes.h"
12 #include "sw/device/lib/crypto/drivers/keymgr.h"
13 #include "sw/device/lib/crypto/impl/aes_gcm/aes_gcm.h"
14 #include "sw/device/lib/crypto/impl/aes_gcm/ghash.h"
15 #include "sw/device/lib/crypto/impl/integrity.h"
16 #include "sw/device/lib/crypto/impl/keyblob.h"
17 #include "sw/device/lib/crypto/impl/status.h"
18 #include "sw/device/lib/crypto/include/datatypes.h"
19 
20 // Module ID for status codes.
21 #define MODULE_ID MAKE_MODULE_ID('a', 'g', 'c')
22 
23 // Check GHASH context size against the underlying implementation.
24 static_assert(sizeof(otcrypto_aes_gcm_context_t) >= sizeof(aes_gcm_context_t),
25  "Size of AES-GCM context object for top-level API must be at "
26  "least as large as the context for the "
27  "underlying implementation.");
28 static_assert(alignof(aes_gcm_context_t) >= alignof(uint32_t),
29  "Internal AES-GCM context object must be word-aligned for use "
30  "with `hardened_memcpy`.");
31 static_assert(sizeof(otcrypto_key_config_t) % sizeof(uint32_t) == 0,
32  "Key configuration size should be a multiple of 32 bits");
33 
34 // Ensure the internal AES-GCM context size is a multiple of the word size and
35 // calculate the number of words.
36 static_assert(sizeof(aes_gcm_context_t) % sizeof(uint32_t) == 0,
37  "Internal AES-GCM context object must be a multiple of the word "
38  "size for use with `hardened_memcpy`.");
39 enum {
40  kAesGcmContextNumWords = sizeof(aes_gcm_context_t) / sizeof(uint32_t),
41 };
42 
43 /**
44  * Save an AES-GCM context.
45  *
46  * @param internal_ctx Internal context object to save.
47  * @param[out] api_ctx Resulting API-facing context object.
48  */
49 static inline void gcm_context_save(aes_gcm_context_t *internal_ctx,
50  otcrypto_aes_gcm_context_t *api_ctx) {
51  hardened_memcpy(api_ctx->data, (uint32_t *)internal_ctx,
52  kAesGcmContextNumWords);
53 }
54 
55 /**
56  * Restore an AES-GCM context.
57  *
58  * @param api_ctx API-facing context object to restore from.
59  * @param[out] internal_ctx Resulting internal context object.
60  */
61 static inline void gcm_context_restore(otcrypto_aes_gcm_context_t *api_ctx,
62  aes_gcm_context_t *internal_ctx) {
63  hardened_memcpy((uint32_t *)internal_ctx, api_ctx->data,
64  kAesGcmContextNumWords);
65 }
66 
67 /**
68  * Construct the underlying AES key for AES-GCM.
69  *
70  * Also performs integrity, mode, and null-pointer checks on the key.
71  *
72  * @param blinded_key Blinded key struct.
73  * @param[out] aes_key Destination AES key struct.
74  * @return Result of the operation.
75  */
76 static status_t aes_gcm_key_construct(const otcrypto_blinded_key_t *blinded_key,
77  aes_key_t *aes_key) {
78  // Key integrity check.
79  if (launder32(integrity_blinded_key_check(blinded_key)) !=
80  kHardenedBoolTrue) {
81  return OTCRYPTO_BAD_ARGS;
82  }
83  HARDENED_CHECK_EQ(integrity_blinded_key_check(blinded_key),
84  kHardenedBoolTrue);
85 
86  // Check the key mode.
87  if (launder32((uint32_t)blinded_key->config.key_mode) !=
88  kOtcryptoKeyModeAesGcm) {
89  return OTCRYPTO_BAD_ARGS;
90  }
91  HARDENED_CHECK_EQ(blinded_key->config.key_mode, kOtcryptoKeyModeAesGcm);
92 
93  // Set the mode of the underlying AES key to CTR (since this is the
94  // underlying block cipher mode for GCM).
95  aes_key->mode = kAesCipherModeCtr;
96 
97  // Set the AES key length (in words).
98  aes_key->key_len = keyblob_share_num_words(blinded_key->config);
99 
100  // Check for null pointer.
101  if (blinded_key->keyblob == NULL) {
102  return OTCRYPTO_BAD_ARGS;
103  }
104 
105  if (launder32(blinded_key->config.hw_backed) == kHardenedBoolTrue) {
106  // In this case, we use an implementation-specific representation; the
107  // first "share" is the keyblob and the second share is ignored.
108  if (launder32(blinded_key->keyblob_length) != kKeyblobHwBackedBytes) {
109  return OTCRYPTO_BAD_ARGS;
110  }
111  HARDENED_CHECK_EQ(blinded_key->keyblob_length, kKeyblobHwBackedBytes);
112  aes_key->key_shares[0] = blinded_key->keyblob;
113  aes_key->key_shares[1] = NULL;
114  aes_key->sideload = launder32(kHardenedBoolTrue);
115  } else if (launder32(blinded_key->config.hw_backed) == kHardenedBoolFalse) {
116  HARDENED_CHECK_EQ(blinded_key->config.hw_backed, kHardenedBoolFalse);
117  // Get pointers to the individual shares.
118  uint32_t *share0;
119  uint32_t *share1;
120  HARDENED_TRY(keyblob_to_shares(blinded_key, &share0, &share1));
121  aes_key->key_shares[0] = share0;
122  aes_key->key_shares[1] = share1;
123  aes_key->sideload = launder32(kHardenedBoolFalse);
124  } else {
125  return OTCRYPTO_BAD_ARGS;
126  }
127  HARDENED_CHECK_EQ(aes_key->sideload, blinded_key->config.hw_backed);
128 
129  return OTCRYPTO_OK;
130 }
131 
132 /**
133  * Checks if the given byte-length matches the tag length enum value.
134  *
135  * @param word_len Allocated tag length in 32-bit words.
136  * @param tag_len Tag length enum value.
137  * @return OK if the tag length is acceptable, BAD_ARGS otherwise.
138  */
139 status_t aes_gcm_check_tag_length(size_t word_len,
140  otcrypto_aes_gcm_tag_len_t tag_len) {
141  size_t bit_len = 0;
142  switch (launder32(tag_len)) {
143  case kOtcryptoAesGcmTagLen128:
144  HARDENED_CHECK_EQ(tag_len, kOtcryptoAesGcmTagLen128);
145  bit_len = 128;
146  break;
147  case kOtcryptoAesGcmTagLen96:
148  HARDENED_CHECK_EQ(tag_len, kOtcryptoAesGcmTagLen96);
149  bit_len = 96;
150  break;
151  case kOtcryptoAesGcmTagLen64:
152  HARDENED_CHECK_EQ(tag_len, kOtcryptoAesGcmTagLen64);
153  bit_len = 64;
154  break;
155  case kOtcryptoAesGcmTagLen32:
156  HARDENED_CHECK_EQ(tag_len, kOtcryptoAesGcmTagLen32);
157  bit_len = 32;
158  break;
159  default:
160  // Invalid tag length.
161  return OTCRYPTO_BAD_ARGS;
162  }
163  HARDENED_CHECK_GT(bit_len, 0);
164  HARDENED_CHECK_EQ(bit_len % 32, 0);
165 
166  if (launder32(word_len) != bit_len / 32) {
167  return OTCRYPTO_BAD_ARGS;
168  }
169  HARDENED_CHECK_EQ(word_len, bit_len / 32);
170 
171  // Extra hardening checks; the word length must be nonzero and at most the
172  // size of an AES block.
173  HARDENED_CHECK_LT(0, word_len);
174  HARDENED_CHECK_LE(word_len, kAesBlockNumWords);
175 
176  return OTCRYPTO_OK;
177 }
178 
179 /**
180  * Actuate the key manager to generate a sideloaded AES-GCM key.
181  *
182  * The AES driver will not load or clear sideloaded keys by itself, so we need
183  * to do it separately at each stage of the AES-GCM operation.
184  *
185  * Sideloaded keys are stored in the `aes_key_t` struct in a format specific to
186  * this AES-GCM implementation: the first "key share" is the diversification
187  * data as it would be stored in a blinded keyblob, and the second "share" is
188  * completely ignored.
189  *
190  * If the key is not a sideloaded key, this function does nothing.
191  *
192  * @param key Key to load.
193  * @return OK or errror.
194  */
195 static status_t load_key_if_sideloaded(const aes_key_t key) {
196  if (launder32(key.sideload) == kHardenedBoolFalse) {
197  return OTCRYPTO_OK;
198  } else if (key.sideload != kHardenedBoolTrue) {
199  return OTCRYPTO_BAD_ARGS;
200  }
201  HARDENED_CHECK_EQ(key.sideload, kHardenedBoolTrue);
202  keymgr_diversification_t diversification;
203  HARDENED_TRY(keyblob_buffer_to_keymgr_diversification(
204  key.key_shares[0], kOtcryptoKeyModeAesGcm, &diversification));
205  return keymgr_generate_key_aes(diversification);
206 }
207 
208 /**
209  * Clear the sideload slot if the AES key was sideloaded.
210  *
211  * It is important to clear the sideload slot before returning to the caller so
212  * that other applications can't access the key in between operations.
213  *
214  * If the key is not a sideloaded key, this function does nothing.
215  *
216  * @param key Key that was possibly loaded.
217  * @return OK or errror.
218  */
219 static status_t clear_key_if_sideloaded(const aes_key_t key) {
220  if (launder32(key.sideload) == kHardenedBoolFalse) {
221  HARDENED_CHECK_EQ(key.sideload, kHardenedBoolFalse);
222  return OTCRYPTO_OK;
223  } else if (launder32(key.sideload) != kHardenedBoolTrue) {
224  return OTCRYPTO_BAD_ARGS;
225  }
226  HARDENED_CHECK_EQ(key.sideload, kHardenedBoolTrue);
227  return keymgr_sideload_clear_aes();
228 }
229 
230 otcrypto_status_t otcrypto_aes_gcm_encrypt(const otcrypto_blinded_key_t *key,
231  otcrypto_const_byte_buf_t plaintext,
232  otcrypto_const_word32_buf_t iv,
233  otcrypto_const_byte_buf_t aad,
234  otcrypto_aes_gcm_tag_len_t tag_len,
235  otcrypto_byte_buf_t ciphertext,
236  otcrypto_word32_buf_t auth_tag) {
237  // Check for NULL pointers in input pointers and required-nonzero-length data
238  // buffers.
239  if (key == NULL || iv.data == NULL || auth_tag.data == NULL) {
240  return OTCRYPTO_BAD_ARGS;
241  }
242 
243  // Conditionally check for null pointers in data buffers that may be
244  // 0-length.
245  if ((aad.len != 0 && aad.data == NULL) ||
246  (ciphertext.len != 0 && ciphertext.data == NULL) ||
247  (plaintext.len != 0 && plaintext.data == NULL)) {
248  return OTCRYPTO_BAD_ARGS;
249  }
250 
251  // Ensure the plaintext and ciphertext lengths match.
252  if (launder32(ciphertext.len) != plaintext.len) {
253  return OTCRYPTO_BAD_ARGS;
254  }
255  HARDENED_CHECK_EQ(ciphertext.len, plaintext.len);
256 
257  // Check the tag length.
258  HARDENED_TRY(aes_gcm_check_tag_length(auth_tag.len, tag_len));
259 
260  // Construct the AES key.
261  aes_key_t aes_key;
262  HARDENED_TRY(aes_gcm_key_construct(key, &aes_key));
263  HARDENED_TRY(load_key_if_sideloaded(aes_key));
264 
265  // Call the core encryption operation.
266  HARDENED_TRY(aes_gcm_encrypt(aes_key, iv.len, iv.data, plaintext.len,
267  plaintext.data, aad.len, aad.data, auth_tag.len,
268  auth_tag.data, ciphertext.data));
269 
270  HARDENED_TRY(clear_key_if_sideloaded(aes_key));
271  return OTCRYPTO_OK;
272 }
273 
274 otcrypto_status_t otcrypto_aes_gcm_decrypt(
275  const otcrypto_blinded_key_t *key, otcrypto_const_byte_buf_t ciphertext,
276  otcrypto_const_word32_buf_t iv, otcrypto_const_byte_buf_t aad,
277  otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_const_word32_buf_t auth_tag,
278  otcrypto_byte_buf_t plaintext, hardened_bool_t *success) {
279  // Check for NULL pointers in input pointers and required-nonzero-length data
280  // buffers.
281  if (key == NULL || iv.data == NULL || auth_tag.data == NULL) {
282  return OTCRYPTO_BAD_ARGS;
283  }
284 
285  // Conditionally check for null pointers in data buffers that may be
286  // 0-length.
287  if ((aad.len != 0 && aad.data == NULL) ||
288  (ciphertext.len != 0 && ciphertext.data == NULL) ||
289  (plaintext.len != 0 && plaintext.data == NULL)) {
290  return OTCRYPTO_BAD_ARGS;
291  }
292 
293  // Construct the AES key.
294  aes_key_t aes_key;
295  HARDENED_TRY(aes_gcm_key_construct(key, &aes_key));
296  HARDENED_TRY(load_key_if_sideloaded(aes_key));
297 
298  // Ensure the plaintext and ciphertext lengths match.
299  if (launder32(ciphertext.len) != plaintext.len) {
300  return OTCRYPTO_BAD_ARGS;
301  }
302  HARDENED_CHECK_EQ(ciphertext.len, plaintext.len);
303 
304  // Check the tag length.
305  HARDENED_TRY(aes_gcm_check_tag_length(auth_tag.len, tag_len));
306 
307  // Call the core decryption operation.
308  HARDENED_TRY(aes_gcm_decrypt(aes_key, iv.len, iv.data, ciphertext.len,
309  ciphertext.data, aad.len, aad.data, auth_tag.len,
310  auth_tag.data, plaintext.data, success));
311 
312  HARDENED_TRY(clear_key_if_sideloaded(aes_key));
313  return OTCRYPTO_OK;
314 }
315 
316 otcrypto_status_t otcrypto_aes_gcm_encrypt_init(
317  const otcrypto_blinded_key_t *key, otcrypto_const_word32_buf_t iv,
318  otcrypto_aes_gcm_context_t *ctx) {
319  if (key == NULL || key->keyblob == NULL || iv.data == NULL || ctx == NULL) {
320  return OTCRYPTO_BAD_ARGS;
321  }
322 
323  // Construct the AES key.
324  aes_key_t aes_key;
325  HARDENED_TRY(aes_gcm_key_construct(key, &aes_key));
326  HARDENED_TRY(load_key_if_sideloaded(aes_key));
327 
328  // Call the internal init operation.
329  aes_gcm_context_t internal_ctx;
330  HARDENED_TRY(aes_gcm_encrypt_init(aes_key, iv.len, iv.data, &internal_ctx));
331 
332  // Save the context and clear the key if needed.
333  gcm_context_save(&internal_ctx, ctx);
334  HARDENED_TRY(clear_key_if_sideloaded(internal_ctx.key));
335  return OTCRYPTO_OK;
336 }
337 
338 otcrypto_status_t otcrypto_aes_gcm_decrypt_init(
339  const otcrypto_blinded_key_t *key, otcrypto_const_word32_buf_t iv,
340  otcrypto_aes_gcm_context_t *ctx) {
341  if (key == NULL || key->keyblob == NULL || iv.data == NULL || ctx == NULL) {
342  return OTCRYPTO_BAD_ARGS;
343  }
344 
345  // Construct the AES key.
346  aes_key_t aes_key;
347  HARDENED_TRY(aes_gcm_key_construct(key, &aes_key));
348  HARDENED_TRY(load_key_if_sideloaded(aes_key));
349 
350  // Call the internal init operation.
351  aes_gcm_context_t internal_ctx;
352  HARDENED_TRY(aes_gcm_decrypt_init(aes_key, iv.len, iv.data, &internal_ctx));
353 
354  // Save the context and clear the key if needed.
355  gcm_context_save(&internal_ctx, ctx);
356  HARDENED_TRY(clear_key_if_sideloaded(internal_ctx.key));
357  return OTCRYPTO_OK;
358 }
359 
360 otcrypto_status_t otcrypto_aes_gcm_update_aad(otcrypto_aes_gcm_context_t *ctx,
361  otcrypto_const_byte_buf_t aad) {
362  if (ctx == NULL || aad.data == NULL) {
363  return OTCRYPTO_BAD_ARGS;
364  }
365 
366  if (aad.len == 0) {
367  // Nothing to do.
368  return OTCRYPTO_OK;
369  }
370 
371  // Restore the AES-GCM context object and load the key if needed.
372  aes_gcm_context_t internal_ctx;
373  gcm_context_restore(ctx, &internal_ctx);
374  HARDENED_TRY(load_key_if_sideloaded(internal_ctx.key));
375 
376  // Call the internal update operation.
377  HARDENED_TRY(aes_gcm_update_aad(&internal_ctx, aad.len, aad.data));
378 
379  // Save the context and clear the key if needed.
380  gcm_context_save(&internal_ctx, ctx);
381  HARDENED_TRY(clear_key_if_sideloaded(internal_ctx.key));
382  return OTCRYPTO_OK;
383 }
384 
385 otcrypto_status_t otcrypto_aes_gcm_update_encrypted_data(
386  otcrypto_aes_gcm_context_t *ctx, otcrypto_const_byte_buf_t input,
387  otcrypto_byte_buf_t output, size_t *output_bytes_written) {
388  if (ctx == NULL || input.data == NULL || output.data == NULL ||
389  output_bytes_written == NULL) {
390  return OTCRYPTO_BAD_ARGS;
391  }
392  *output_bytes_written = 0;
393 
394  if (input.len == 0) {
395  // Nothing to do.
396  return OTCRYPTO_OK;
397  }
398 
399  // Restore the AES-GCM context object and load the key if needed.
400  aes_gcm_context_t internal_ctx;
401  gcm_context_restore(ctx, &internal_ctx);
402  HARDENED_TRY(load_key_if_sideloaded(internal_ctx.key));
403 
404  // The output buffer must be long enough to hold all full blocks that will
405  // exist after `input` is added.
406  size_t partial_block_len = internal_ctx.input_len % kAesBlockNumBytes;
407  if (input.len > UINT32_MAX - partial_block_len) {
408  return OTCRYPTO_BAD_ARGS;
409  }
410  size_t min_output_blocks =
411  (partial_block_len + input.len) / kAesBlockNumBytes;
412  size_t min_output_len = min_output_blocks * kAesBlockNumBytes;
413  if (output.len < min_output_len) {
414  return OTCRYPTO_BAD_ARGS;
415  }
416 
417  // Call the internal update operation.
418  HARDENED_TRY(aes_gcm_update_encrypted_data(
419  &internal_ctx, input.len, input.data, output_bytes_written, output.data));
420 
421  // Save the context and clear the key if needed.
422  gcm_context_save(&internal_ctx, ctx);
423  HARDENED_TRY(clear_key_if_sideloaded(internal_ctx.key));
424  return OTCRYPTO_OK;
425 }
426 
427 otcrypto_status_t otcrypto_aes_gcm_encrypt_final(
428  otcrypto_aes_gcm_context_t *ctx, otcrypto_aes_gcm_tag_len_t tag_len,
429  otcrypto_byte_buf_t ciphertext, size_t *ciphertext_bytes_written,
430  otcrypto_word32_buf_t auth_tag) {
431  if (ctx == NULL || ciphertext_bytes_written == NULL ||
432  auth_tag.data == NULL) {
433  return OTCRYPTO_BAD_ARGS;
434  }
435  if (ciphertext.len != 0 && ciphertext.data == NULL) {
436  return OTCRYPTO_BAD_ARGS;
437  }
438  *ciphertext_bytes_written = 0;
439 
440  // Check the tag length.
441  HARDENED_TRY(aes_gcm_check_tag_length(auth_tag.len, tag_len));
442 
443  // Restore the AES-GCM context object and load the key if needed.
444  aes_gcm_context_t internal_ctx;
445  gcm_context_restore(ctx, &internal_ctx);
446  HARDENED_TRY(load_key_if_sideloaded(internal_ctx.key));
447 
448  // If the partial block is nonempty, the output must be at least as long as
449  // the partial block.
450  size_t partial_block_len = internal_ctx.input_len % kAesBlockNumBytes;
451  if (ciphertext.len < partial_block_len) {
452  return OTCRYPTO_BAD_ARGS;
453  }
454 
455  // Call the internal final operation.
456  HARDENED_TRY(aes_gcm_encrypt_final(&internal_ctx, auth_tag.len, auth_tag.data,
457  ciphertext_bytes_written,
458  ciphertext.data));
459 
460  // Clear the context and the key if needed.
461  hardened_memshred(ctx->data, ARRAYSIZE(ctx->data));
462  HARDENED_TRY(clear_key_if_sideloaded(internal_ctx.key));
463  return OTCRYPTO_OK;
464 }
465 
466 otcrypto_status_t otcrypto_aes_gcm_decrypt_final(
467  otcrypto_aes_gcm_context_t *ctx, otcrypto_const_word32_buf_t auth_tag,
468  otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_byte_buf_t plaintext,
469  size_t *plaintext_bytes_written, hardened_bool_t *success) {
470  if (ctx == NULL || plaintext_bytes_written == NULL || auth_tag.data == NULL ||
471  success == NULL) {
472  return OTCRYPTO_BAD_ARGS;
473  }
474  if (plaintext.len != 0 && plaintext.data == NULL) {
475  return OTCRYPTO_BAD_ARGS;
476  }
477  *plaintext_bytes_written = 0;
478  *success = kHardenedBoolFalse;
479 
480  // Check the tag length.
481  HARDENED_TRY(aes_gcm_check_tag_length(auth_tag.len, tag_len));
482 
483  // Restore the AES-GCM context object and load the key if needed.
484  aes_gcm_context_t internal_ctx;
485  gcm_context_restore(ctx, &internal_ctx);
486  HARDENED_TRY(load_key_if_sideloaded(internal_ctx.key));
487 
488  // If the partial block is nonempty, the output must be at least as long as
489  // the partial block.
490  size_t partial_block_len = internal_ctx.input_len % kAesBlockNumBytes;
491  if (plaintext.len < partial_block_len) {
492  return OTCRYPTO_BAD_ARGS;
493  }
494 
495  // Call the internal final operation.
496  HARDENED_TRY(aes_gcm_decrypt_final(&internal_ctx, auth_tag.len, auth_tag.data,
497  plaintext_bytes_written, plaintext.data,
498  success));
499 
500  // Clear the context and the key if needed.
501  hardened_memshred(ctx->data, ARRAYSIZE(ctx->data));
502  HARDENED_TRY(clear_key_if_sideloaded(internal_ctx.key));
503  return OTCRYPTO_OK;
504 }
Return to OpenTitan Documentation