Software APIs
aes_sca.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_TESTS_PENETRATIONTESTS_FIRMWARE_SCA_AES_SCA_H_
6 #define OPENTITAN_SW_DEVICE_TESTS_PENETRATIONTESTS_FIRMWARE_SCA_AES_SCA_H_
7 
8 #include "sw/device/lib/base/status.h"
9 #include "sw/device/lib/ujson/ujson.h"
10 
11 /**
12  * Simple serial 'a' (alternative batch encrypt) command handler.
13  *
14  * This command is designed to maximize the capture rate for side-channel
15  * attacks. It uses the first supplied plaintext and repeats AES encryptions
16  * by using every ciphertext as next plaintext with a constant key. This
17  * minimizes the overhead of UART communication and significantly improves the
18  * capture rate.
19 
20  * Packet payload must be a `uint32_t` representation of the number of
21  * encryptions to perform. Since generated plaintexts are not cached, there is
22  * no limit on the number of encryptions.
23  *
24  * The key should also be set using 'k' (key set) command.
25  *
26  * The host can verify the operation by checking the last 'r' (ciphertext)
27  * packet that is sent at the end.
28  *
29  * The uJSON data contains:
30  * - data: The number of encryptions.
31  *
32  * @param uj An initialized uJSON context.
33  * @return OK or error.
34  */
35 status_t handle_aes_sca_batch_alternative_encrypt(ujson_t *uj);
36 
37 /**
38  * Batch encrypt command handler.
39  *
40  * This command is designed to maximize the capture rate for side-channel
41  * attacks. Instead of expecting a plaintext and sending the resulting
42  * ciphertext from and to the host for each encryption, this command repeatedly
43  * encrypts random plaintexts that are generated on the device. This minimizes
44  * the overhead of UART communication and significantly improves the capture
45  * rate. The host must use the same PRNG to be able to compute the plaintext and
46  * the ciphertext of each trace.
47  *
48  * Packet payload must be a `uint32_t` representation of the number of
49  * encryptions to perform. Since generated plaintexts are not cached, there is
50  * no limit on the number of encryptions.
51  *
52  * The PRNG should be initialized using the seed PRNG command before
53  * starting batch encryption. In addition, the key should also be set
54  * using key set command before starting batch captures.
55  *
56  * Note that the host can partially verify this operation by checking the
57  * contents of UART reponse that is sent at the end.
58  *
59  * The uJSON data contains:
60  * - data: The number of encryptions.
61  *
62  * @param uj An initialized uJSON context.
63  * @return OK or error.
64  */
65 status_t handle_aes_sca_batch_encrypt(ujson_t *uj);
66 
67 /**
68  * Batch encrypt random command handler.
69  *
70  * This command is designed to maximize the capture rate for side-channel
71  * attacks. Instead of expecting a plaintext and sending the resulting
72  * ciphertext from and to the host for each encryption, this command repeatedly
73  * encrypts random plaintexts that are generated on the device. This minimizes
74  * the overhead of UART communication and significantly improves the capture
75  * rate. The host must use the same PRNG to be able to compute the plaintext and
76  * the ciphertext of each trace.
77  *
78  * Packet payload must be a `uint32_t` representation of the number of
79  * encryptions to perform. Since generated plaintexts are not cached, there is
80  * no limit on the number of encryptions.
81  *
82  * The PRNG should be initialized using the seed PRNG command before
83  * starting batch encryption. In addition, the key should also be set
84  * using key set command before starting batch captures.
85  *
86  * Note that the host can partially verify this operation by checking the
87  * contents of UART reponse that is sent at the end.
88  *
89  * The uJSON data contains:
90  * - data: The number of encryptions.
91  *
92  * @param uj An initialized uJSON context.
93  * @return OK or error.
94  */
95 status_t handle_aes_sca_batch_encrypt_random(ujson_t *uj);
96 
97 /**
98  * Batch plaintext command handler.
99  *
100  * This command is designed to set the initial plaintext for
101  * aes_serial_batch_alternative_encrypt.
102  *
103  * The plaintext must be `kAesTextLength` bytes long.
104  *
105  * * The uJSON data contains:
106  * - text: The plaintext.
107  * - text_length: Plaintext length.
108  *
109  * @param uj An initialized uJSON context.
110  * @return OK or error.
111  */
112 status_t handle_aes_sca_batch_plaintext_set(ujson_t *uj);
113 
114 /**
115  * Fixed vs random data batch encrypt and generate command handler.
116  *
117  * This command is designed to maximize the capture rate for side-channel
118  * attacks. Instead of expecting a plaintext and sending the resulting
119  * ciphertext from and to the host for each encryption, this command repeatedly
120  * encrypts plaintexts that are generated on the device. The data
121  * collection method is based on the derived test requirements (DTR) for TVLA:
122  * https://www.rambus.com/wp-content/uploads/2015/08/TVLA-DTR-with-AES.pdf
123  * The measurements are taken by using either fixed or randomly selected
124  * plaintexts. In order to simplify the analysis, the first encryption has to
125  * use fixed plaintext. This minimizes the overhead of UART communication and
126  * significantly improves the capture rate. The host must use the same PRNG to
127  * be able to compute the random plaintext and the ciphertext of each trace.
128  *
129  * Packet payload must be a `uint32_t` representation of the number of
130  * encryptions to perform. Number of operations of a batch should not be greater
131  * than the 'kNumBatchOpsMax' value.
132  *
133  * Note that the host can partially verify this operation by checking the
134  * contents of the 'r' (last ciphertext) packet that is sent at the end of every
135  * batch.
136  *
137  * The uJSON data contains:
138  * - data: The number of encryptions.
139  *
140  * @param uj An initialized uJSON context.
141  * @return OK or error.
142  */
143 status_t handle_aes_sca_fvsr_data_batch_encrypt(ujson_t *uj);
144 
145 /**
146  * Fixed vs random key batch encrypt and generate command handler.
147  *
148  * This command is designed to maximize the capture rate for side-channel
149  * attacks. Instead of expecting a plaintext and sending the resulting
150  * ciphertext from and to the host for each encryption, this command repeatedly
151  * encrypts random plaintexts that are generated on the device. The data
152  * collection method is based on the derived test requirements (DTR) for TVLA:
153  * https://www.rambus.com/wp-content/uploads/2015/08/TVLA-DTR-with-AES.pdf
154  * The measurements are taken by using either fixed or randomly selected keys.
155  * In order to simplify the analysis, the first encryption has to use fixed key.
156  * In addition, a PRNG is used for random key and plaintext generation instead
157  * of AES algorithm as specified in the TVLA DTR.
158  * This minimizes the overhead of UART communication and significantly improves
159  * the capture rate. The host must use the same PRNG to be able to compute the
160  * random plaintext, random key and the ciphertext of each trace.
161  *
162  * Packet payload must be a `uint32_t` representation of the number of
163  * encryptions to perform. Number of operations of a batch should not be greater
164  * than the 'kNumBatchOpsMax' value.
165  *
166  * The PRNG should be initialized using the 's' (seed PRNG) command before
167  * starting batch encryption. In addition, the fixed key should also be set
168  * using 't' (fvsr key set) command before starting batch encryption.
169  *
170  * Note that the host can partially verify this operation by checking the
171  * contents of the 'r' (last ciphertext) packet that is sent at the end of every
172  * batch.
173  *
174  * The uJSON data contains:
175  * - data: The number of encryptions.
176  *
177  * @param uj An initialized uJSON context.
178  * @return OK or error.
179  */
180 status_t handle_aes_sca_fvsr_key_batch_encrypt(ujson_t *uj);
181 
182 /**
183  * Fixed vs random key batch generate command handler.
184  *
185  * The uJSON data contains:
186  * - data: The number of encryptions.
187  *
188  * @param uj An initialized uJSON context.
189  * @return OK or error.
190  */
191 status_t handle_aes_sca_fvsr_key_batch_generate(ujson_t *uj);
192 
193 /**
194  * Fvsr key set command handler.
195  *
196  * This command is designed to set the fixed key which is used for fvsr key TVLA
197  * captures.
198  *
199  * The key must be `kAesKeyLength` bytes long.
200  *
201  * The uJSON data contains:
202  * - key: The key to use.
203  * - key_length: The length of the key.
204  *
205  * @param uj An initialized uJSON context.
206  * @return OK or error.
207  */
208 status_t handle_aes_sca_fvsr_key_set(ujson_t *uj);
209 
210 /**
211  * Set starting values command handler.
212  *
213  * This function sets starting values for FvsR data generation
214  * if the received value is 1.
215  * These values are specified in DTR for AES TVLA.
216  *
217  * The uJSON data contains:
218  * - seed: A buffer holding the seed.
219  *
220  * @param uj An initialized uJSON context.
221  * @return OK or error.
222  */
223 status_t handle_aes_sca_fvsr_key_start_batch_generate(ujson_t *uj);
224 
225 /**
226  * Initialize AES command handler.
227  *
228  * This command is designed to setup the AES.
229  *
230  * @param uj An initialized uJSON context.
231  * @return OK or error.
232  */
233 status_t handle_aes_pentest_init(ujson_t *uj);
234 
235 /**
236  * Key set command handler.
237  *
238  * This command is designed to set the fixed_key variable and in addition also
239  * configures the key into the AES peripheral.
240  *
241  * The key must be `kAesKeyLength` bytes long.
242  *
243  * The uJSON data contains:
244  * - key: The key to use.
245  * - key_length: The length of the key.
246  *
247  * @param uj An initialized uJSON context.
248  * @return OK or error.
249  */
250 status_t handle_aes_sca_key_set(ujson_t *uj);
251 
252 /**
253  * Seed lfsr command handler.
254  *
255  * This function only supports 4-byte seeds.
256  * Enables/disables masking depending on seed value, i.e. 0 for disable.
257  *
258  * The uJSON data contains:
259  * - seed: A buffer holding the seed.
260  *
261  * @param uj An initialized uJSON context.
262  * @return OK or error.
263  */
264 status_t handle_aes_pentest_seed_lfsr(ujson_t *uj);
265 
266 /**
267  * Seed lfsr command handler.
268  *
269  * This function only supports 4-byte seeds.
270  * Sets the seed for the LFSR used to determine the order of measurements
271  * in fixed-vs-random-data dataset.
272  *
273  * The uJSON data contains:
274  * - seed: A buffer holding the seed.
275  *
276  * @param uj An initialized uJSON context.
277  * @return OK or error.
278  */
279 status_t handle_aes_pentest_seed_lfsr_order(ujson_t *uj);
280 
281 /**
282  * Single encrypt command handler.
283  *
284  * Encrypts a `kAesTextLength` bytes long plaintext using the AES peripheral and
285  * sends the ciphertext over UART. This function also handles the trigger
286  * signal.
287  *
288  * The uJSON data contains:
289  * - text: The plaintext.
290  * - text_length: The length of the plaintext.
291  *
292  * @param uj An initialized uJSON context.
293  * @return OK or error.
294  */
295 status_t handle_aes_sca_single_encrypt(ujson_t *uj);
296 
297 /**
298  * HMAC SCA command handler.
299  *
300  * Command handler for the HMAC SCA command.
301  *
302  * @param uj An initialized uJSON context.
303  * @return OK or error.
304  */
305 status_t handle_aes_sca(ujson_t *uj);
306 
307 #endif // OPENTITAN_SW_DEVICE_TESTS_PENETRATIONTESTS_FIRMWARE_SCA_AES_SCA_H_
Return to OpenTitan Documentation