 |
Software APIs
|
|
Software APIs
|
KMAC Device Interface Functions More...
#include <stdint.h>#include "sw/device/lib/base/macros.h"#include "sw/device/lib/base/mmio.h"#include "sw/device/lib/dif/dif_base.h"#include "sw/device/lib/dif/autogen/dif_kmac_autogen.h"Go to the source code of this file.
Data Structures | |
| struct | dif_kmac_config |
| Runtime configuration for KMAC. More... | |
| struct | dif_kmac_operation_state |
| A KMAC operation state context. More... | |
| struct | dif_kmac_key |
| A key for KMAC operations. More... | |
| struct | dif_kmac_customization_string |
| An encoded bit string used for customization string (S). More... | |
| struct | dif_kmac_function_name |
| An encoded bit string used for function name (N). More... | |
| struct | dif_kmac_status |
Typedefs | |
| typedef enum dif_kmac_entropy_mode | dif_kmac_entropy_mode_t |
| This API implements an interface for the KMAC hardware. More... | |
| typedef struct dif_kmac_config | dif_kmac_config_t |
| Runtime configuration for KMAC. More... | |
| typedef struct dif_kmac_operation_state | dif_kmac_operation_state_t |
| A KMAC operation state context. | |
| typedef enum dif_kmac_mode_sha3 | dif_kmac_mode_sha3_t |
| Supported SHA-3 modes of operation. | |
| typedef enum dif_kmac_mode_shake | dif_kmac_mode_shake_t |
| Supported SHAKE modes of operation. | |
| typedef enum dif_kmac_mode_cshake | dif_kmac_mode_cshake_t |
| Supported cSHAKE modes of operation. | |
| typedef enum dif_kmac_mode_kmac | dif_kmac_mode_kmac_t |
| Supported KMAC modes of operation. | |
| typedef enum dif_kmac_key_length | dif_kmac_key_length_t |
| Key length. More... | |
| typedef struct dif_kmac_key | dif_kmac_key_t |
| A key for KMAC operations. More... | |
| typedef struct dif_kmac_customization_string | dif_kmac_customization_string_t |
| An encoded bit string used for customization string (S). More... | |
| typedef struct dif_kmac_function_name | dif_kmac_function_name_t |
| An encoded bit string used for function name (N). More... | |
| typedef enum dif_kmac_error | dif_kmac_error_t |
| Error reported by KMAC unit. More... | |
| typedef enum dif_kmac_fifo_state | dif_kmac_fifo_state_t |
| The state of the message FIFO used to buffer absorbed data. More... | |
| typedef enum dif_kmac_sha3_state | dif_kmac_sha3_state_t |
| typedef enum dif_kmac_alert_faults | dif_kmac_alert_faults_t |
| The kmac error faults. More... | |
| typedef struct dif_kmac_status | dif_kmac_status_t |
KMAC Device Interface Functions
Definition in file dif_kmac.h.
| struct dif_kmac_config |
Runtime configuration for KMAC.
This struct describes runtime information for configuration of the hardware.
Definition at line 149 of file dif_kmac.h.
| Data Fields | ||
|---|---|---|
| bool | entropy_fast_process |
Entropy fast process mode when enabled prevents the KMAC unit consuming entropy unless it is processing a secret key. This process should not be used when resistance against side-channel attacks is required, because it may lead to leakage of the secret key in the power trace. |
| uint16_t | entropy_hash_threshold | The number of KMAC invocations that triggers an automatic seed request from EDN. |
| dif_kmac_entropy_mode_t | entropy_mode | Entropy mode specifying the source of entropy (EDN or software). |
| uint16_t | entropy_prescaler | Prescaler value that determines how many clock pulse triggers an increment in the timer counter. |
| uint32_t | entropy_seed[kDifKmacEntropySeedWords] |
Entropy seed. Only used when the source of entropy is software. |
| uint16_t | entropy_wait_timer |
Number of clock cycles to wait for the EDN to reseed the entropy generator before an error is raised (see dif_kmac_get_error). If 0 the unit will wait forever. |
| bool | message_big_endian |
Convert the message to big-endian byte order. Note: this option currently had no effect since the message is sent a byte at a time but will in the future. |
| bool | msg_mask |
Message Masking with PRNG. If true, KMAC applies PRNG to the input messages to the Keccak module when KMAC mode is on. |
| bool | output_big_endian | Convert the output state (digest) to big-endian byte order on a word granularity. |
| bool | sideload | Place kmac inside key sideload mode. |
| struct dif_kmac_operation_state |
A KMAC operation state context.
Definition at line 217 of file dif_kmac.h.
| struct dif_kmac_key |
A key for KMAC operations.
The key is provided in two parts, share0 and share1. These are combined using a bitwise XOR operation in the KMAC unit to produce the real key.
The key shares are encoded in little endian byte order. This is fixed and cannot be changed (unlike the byte order used for the message and state).
Unused words in the key shares must be set to 0.
Definition at line 325 of file dif_kmac.h.
| Data Fields | ||
|---|---|---|
| dif_kmac_key_length_t | length | |
| uint32_t | share0[kDifKmacMaxKeyLenWords] | |
| uint32_t | share1[kDifKmacMaxKeyLenWords] | |
| struct dif_kmac_customization_string |
An encoded bit string used for customization string (S).
Use dif_kmac_customization_string_init to initialize.
Definition at line 336 of file dif_kmac.h.
| Data Fields | ||
|---|---|---|
| char | buffer[kDifKmacMaxCustomizationStringLen+kDifKmacMaxCustomizationStringOverhead] | Encoded S: left_encode(len(S)) || S. |
| uint32_t | length | Length of data in buffer in bytes. |
| struct dif_kmac_function_name |
An encoded bit string used for function name (N).
Use dif_kmac_function_name_init to initialize.
Definition at line 349 of file dif_kmac.h.
| Data Fields | ||
|---|---|---|
| char | buffer[kDifKmacMaxFunctionNameLen+kDifKmacMaxFunctionNameOverhead] | Encoded N: left_encode(len(N)) || N. |
| uint32_t | length | Length of data in buffer in bytes. |
| struct dif_kmac_status |
Definition at line 462 of file dif_kmac.h.
| Data Fields | ||
|---|---|---|
| dif_kmac_alert_faults_t | faults | Kmac faults and errors state. |
| uint32_t | fifo_depth | Message FIFO entry count. |
| dif_kmac_fifo_state_t | fifo_state | Kmac fifo state. |
| dif_kmac_sha3_state_t | sha3_state | Sha3 state. |
| typedef enum dif_kmac_alert_faults dif_kmac_alert_faults_t |
The kmac error faults.
The hardware defined these status in different bit fields, however they work better in the same field. Then the values chosen for this enum allow the conversion from the register bits to this enum without branches.
| typedef struct dif_kmac_config dif_kmac_config_t |
Runtime configuration for KMAC.
This struct describes runtime information for configuration of the hardware.
| typedef struct dif_kmac_customization_string dif_kmac_customization_string_t |
An encoded bit string used for customization string (S).
Use dif_kmac_customization_string_init to initialize.
| typedef enum dif_kmac_entropy_mode dif_kmac_entropy_mode_t |
This API implements an interface for the KMAC hardware.
The KMAC hardware implements the following cryptographic hash and message authentication code (MAC) functions:
The following sequence of operations is required to initialize the KMAC hardware:
If configuration changes are required then dif_kmac_configure can be called again so long as there are no operations in progress.
The following sequence of operations is required to execute an operation:
dif_kmac_{sha3,shake,cshake,kmac}_start()dif_kmac_absorb()dif_kmac_squeeze()dif_kmac_end()This is a streaming API and the dif_kmac_absorb and dif_kmac_squeeze functions may be called multiple times during a single operation. Once dif_kmac_squeeze has been called however no further dif_kmac_absorb calls may be made. See NIST FIPS 202 [1] for more information about the sponge construction and the 'absorbing' and 'squeezing' states.
Please see the following documentation for more information about the KMAC hardware: https://docs.opentitan.org/hw/ip/kmac/doc/
References: [1] - NIST FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions http://dx.doi.org/10.6028/NIST.FIPS.202 [2] - NIST Special Publication 800-185 SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash https://doi.org/10.6028/NIST.SP.800-185 Supported entropy modes.
Entropy may be provided by the entropy distribution network (EDN) or using a seed provided by software.
| typedef enum dif_kmac_error dif_kmac_error_t |
Error reported by KMAC unit.
Codes taken from hw/ip/kmac/rtl/kmac_pkg.sv:err_code_e
| typedef enum dif_kmac_fifo_state dif_kmac_fifo_state_t |
The state of the message FIFO used to buffer absorbed data.
The hardware defined these status in different bit fields, however they work better in the same field. i.e the fifo can't be empty and full at the same time. That said, the values chosen for this enum allow the conversion from the register bits to this enum without branches.
| typedef struct dif_kmac_function_name dif_kmac_function_name_t |
An encoded bit string used for function name (N).
Use dif_kmac_function_name_init to initialize.
| typedef enum dif_kmac_key_length dif_kmac_key_length_t |
Key length.
The key length is specified in bits.
| typedef struct dif_kmac_key dif_kmac_key_t |
A key for KMAC operations.
The key is provided in two parts, share0 and share1. These are combined using a bitwise XOR operation in the KMAC unit to produce the real key.
The key shares are encoded in little endian byte order. This is fixed and cannot be changed (unlike the byte order used for the message and state).
Unused words in the key shares must be set to 0.
| anonymous enum |
Maximum lengths supported by the KMAC unit.
Definition at line 86 of file dif_kmac.h.
The kmac error faults.
The hardware defined these status in different bit fields, however they work better in the same field. Then the values chosen for this enum allow the conversion from the register bits to this enum without branches.
Definition at line 442 of file dif_kmac.h.
This API implements an interface for the KMAC hardware.
The KMAC hardware implements the following cryptographic hash and message authentication code (MAC) functions:
The following sequence of operations is required to initialize the KMAC hardware:
If configuration changes are required then dif_kmac_configure can be called again so long as there are no operations in progress.
The following sequence of operations is required to execute an operation:
dif_kmac_{sha3,shake,cshake,kmac}_start()dif_kmac_absorb()dif_kmac_squeeze()dif_kmac_end()This is a streaming API and the dif_kmac_absorb and dif_kmac_squeeze functions may be called multiple times during a single operation. Once dif_kmac_squeeze has been called however no further dif_kmac_absorb calls may be made. See NIST FIPS 202 [1] for more information about the sponge construction and the 'absorbing' and 'squeezing' states.
Please see the following documentation for more information about the KMAC hardware: https://docs.opentitan.org/hw/ip/kmac/doc/
References: [1] - NIST FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions http://dx.doi.org/10.6028/NIST.FIPS.202 [2] - NIST Special Publication 800-185 SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash https://doi.org/10.6028/NIST.SP.800-185 Supported entropy modes.
Entropy may be provided by the entropy distribution network (EDN) or using a seed provided by software.
Definition at line 77 of file dif_kmac.h.
| enum dif_kmac_error |
Error reported by KMAC unit.
Codes taken from hw/ip/kmac/rtl/kmac_pkg.sv:err_code_e
Definition at line 361 of file dif_kmac.h.
| enum dif_kmac_fifo_state |
The state of the message FIFO used to buffer absorbed data.
The hardware defined these status in different bit fields, however they work better in the same field. i.e the fifo can't be empty and full at the same time. That said, the values chosen for this enum allow the conversion from the register bits to this enum without branches.
| Enumerator | |
|---|---|
| kDifKmacFifoStatePartial | The message FIFO is not empty or full. |
| kDifKmacFifoStateEmpty | The message FIFO is empty. |
| kDifKmacFifoStateFull | The message FIFO is full. Further writes will block. |
Definition at line 408 of file dif_kmac.h.
| enum dif_kmac_key_length |
Key length.
The key length is specified in bits.
Definition at line 300 of file dif_kmac.h.
| enum dif_kmac_mode_cshake |
Supported cSHAKE modes of operation.
| Enumerator | |
|---|---|
| kDifKmacModeCshakeLen128 | cSHAKE with 128 bit strength. |
| kDifKmacModeCshakeLen256 | cSHAKE with 256 bit strength. |
Definition at line 278 of file dif_kmac.h.
| enum dif_kmac_mode_kmac |
Supported KMAC modes of operation.
| Enumerator | |
|---|---|
| kDifKmacModeKmacLen128 | KMAC with 128 bit strength. |
| kDifKmacModeKmacLen256 | KMAC with 256 bit strength. |
Definition at line 288 of file dif_kmac.h.
| enum dif_kmac_mode_sha3 |
Supported SHA-3 modes of operation.
Definition at line 254 of file dif_kmac.h.
| enum dif_kmac_mode_shake |
Supported SHAKE modes of operation.
| Enumerator | |
|---|---|
| kDifKmacModeShakeLen128 | SHAKE with 128 bit strength. |
| kDifKmacModeShakeLen256 | SHAKE with 256 bit strength. |
Definition at line 268 of file dif_kmac.h.
| enum dif_kmac_sha3_state |
Definition at line 417 of file dif_kmac.h.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_absorb | ( | const dif_kmac_t * | kmac, |
| dif_kmac_operation_state_t * | operation_state, | ||
| const void * | msg, | ||
| size_t | len, | ||
| size_t * | processed | ||
| ) |
Absorb bytes from the message provided.
If processed is non-NULL, then this function will write the remaining space in the FIFO and update processed with the number of bytes written. The caller should adjust the msg pointer and len parameters and call again as needed until all input has been written.
If processed is NULL, then this function will block until the entire message has been processed or an error occurs.
If big-endian mode is enabled for messages (message_big_endian) only the part of the message aligned to 32-bit word boundaries will be byte swapped. Unaligned leading and trailing bytes will be written into the message as-is.
| kmac | A KMAC handle. | |
| operation_state | A KMAC operation state context. | |
| msg | Pointer to data to absorb. | |
| len | Number of bytes of data to absorb. | |
| [out] | processed | Number of bytes processed (optional). @preturn The result of the operation. |
Definition at line 612 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_config_is_locked | ( | const dif_kmac_t * | kmac, |
| bool * | is_locked | ||
| ) |
Reports whether or not the KMAC configuration register is locked.
If writes to the KMAC configuration register are disabled (locked) then it is not possible to change any configuration parameters or start a new operation. The configuration register is locked when an operation has been started and is unlocked again when it completes.
| kmac | A KMAC handle. | |
| [out] | is_locked | Out-param reporting the lock state. |
Definition at line 799 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_configure | ( | dif_kmac_t * | kmac, |
| dif_kmac_config_t | config | ||
| ) |
Configures KMAC with runtime information.
| kmac | A KMAC handle. |
| config | Runtime configuration parameters. |
Definition at line 162 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_customization_string_init | ( | const char * | data, |
| size_t | len, | ||
| dif_kmac_customization_string_t * | out | ||
| ) |
Encode a customization string (S).
The length of the string must not exceed kDifKmacMaxCustomizationStringLen.
Note that this function will encode len bytes from data regardless of whether data is null-terminated or not.
See NIST Special Publication 800-185 [2] for more information about the customization string (S) parameter.
| data | String to encode. | |
| len | Length of string to encode. | |
| [out] | out | Encoded customization string. |
Definition at line 36 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_end | ( | const dif_kmac_t * | kmac, |
| dif_kmac_operation_state_t * | operation_state | ||
| ) |
Ends a squeeze operation and resets the hardware so it is ready for a new operation.
| kmac | A KMAC handle. |
| operation_state | A KMAC operation state context. |
Definition at line 766 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_function_name_init | ( | const char * | data, |
| size_t | len, | ||
| dif_kmac_function_name_t * | out | ||
| ) |
Encode a function name (N).
The length of the string must not exceed kDifKmacMaxFunctionNameLen.
Note that this function will encode len bytes from data regardless of whether data is null-terminated or not.
See NIST Special Publication 800-185 [2] for more information about the function name (N) parameter.
| data | String to encode. | |
| len | Length of string to encode. | |
| [out] | out | Encoded function name. |
Definition at line 71 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_get_error | ( | const dif_kmac_t * | kmac, |
| dif_kmac_error_t * | error | ||
| ) |
Read the kmac error register to get the error code indicated the interrupt state.
This function should be called in case of any of the start functions returns kDifError.
| kmac | A KMAC handle. | |
| [out] | error | The current error code. |
Definition at line 852 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_get_hash_counter | ( | const dif_kmac_t * | kmac, |
| uint32_t * | hash_ctr | ||
| ) |
Returns the current value of the refresh hash counter.
| kmac | A KMAC handle. |
| hash_ctr | The hash counter value that is returned. |
Definition at line 837 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_get_status | ( | const dif_kmac_t * | kmac, |
| dif_kmac_status_t * | kmac_status | ||
| ) |
Fetch the current status of the message FIFO used to buffer absorbed data.
| kmac | A KMAC handle. | |
| [out] | kmac_status | The kmac status struct. |
Definition at line 811 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_mode_cshake_start | ( | const dif_kmac_t * | kmac, |
| dif_kmac_operation_state_t * | operation_state, | ||
| dif_kmac_mode_cshake_t | mode, | ||
| const dif_kmac_function_name_t * | n, | ||
| const dif_kmac_customization_string_t * | s | ||
| ) |
Start a cSHAKE operation.
cSHAKE operations have a variable (XOF) output length.
See NIST Special Publication 800-185 [2] for more information about cSHAKE.
| kmac | A KMAC handle. |
| operation_state | A KMAC operation state context. |
| mode | The mode of operation. |
| n | Function name (optional). |
| s | Customization string (optional). |
Definition at line 377 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_mode_kmac_start | ( | const dif_kmac_t * | kmac, |
| dif_kmac_operation_state_t * | operation_state, | ||
| dif_kmac_mode_kmac_t | mode, | ||
| size_t | l, | ||
| const dif_kmac_key_t * | k, | ||
| const dif_kmac_customization_string_t * | s | ||
| ) |
Start a KMAC operation.
To use KMAC in eXtendable-Output Function (XOF) mode set the output length (l) to 0. The output length must not be greater than kDifKmacMaxOutputLenWords.
The key provided must have at least as many bits as the security strength of the mode.
See NIST Special Publication 800-185 [2] for more information about KMAC.
| kmac | A KMAC handle. |
| operation_state | A KMAC operation state context. |
| mode | The mode of operation. |
| l | Output length (number of 32-bit words that will be 'squeezed'). |
| k | Pointer to secret key. |
| s | Customization string (optional). |
Definition at line 477 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_mode_sha3_start | ( | const dif_kmac_t * | kmac, |
| dif_kmac_operation_state_t * | operation_state, | ||
| dif_kmac_mode_sha3_t | mode | ||
| ) |
Start a SHA-3 operation.
SHA-3 operations have a fixed output length.
See NIST FIPS 202 [1] for more information about SHA-3.
| kmac | A KMAC handle. |
| operation_state | A KMAC operation state context. |
| mode | The SHA-3 mode of operation. |
Definition at line 262 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_mode_shake_start | ( | const dif_kmac_t * | kmac, |
| dif_kmac_operation_state_t * | operation_state, | ||
| dif_kmac_mode_shake_t | mode | ||
| ) |
Start a SHAKE operation.
SHAKE operations have a variable (XOF) output length.
See NIST FIPS 202 [1] for more information about SHAKE.
| kmac | A KMAC handle. |
| operation_state | A KMAC operation state context. |
| mode | The mode of operation. |
Definition at line 328 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_poll_status | ( | const dif_kmac_t * | kmac, |
| uint32_t | flag | ||
| ) |
Poll until a given flag in the status register is set.
| kmac | A KMAC handle. |
| flag | the |
Definition at line 149 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_reset | ( | const dif_kmac_t * | kmac, |
| dif_kmac_operation_state_t * | operation_state | ||
| ) |
Clear the current error code and reset the state machine to the idle state ready to accept new operations.
The state of any in-progress operation will be lost and the operation will need to be restarted.
| kmac | A KMAC handle. |
| operation_state | A KMAC operation state context. |
Definition at line 862 of file dif_kmac.c.
| OT_WARN_UNUSED_RESULT dif_result_t dif_kmac_squeeze | ( | const dif_kmac_t * | kmac, |
| dif_kmac_operation_state_t * | operation_state, | ||
| uint32_t * | out, | ||
| size_t | len, | ||
| size_t * | processed | ||
| ) |
Squeeze bytes into the output buffer provided.
Requesting a squeeze operation will prevent any further absorption operations from taking place.
If kDifKmacIncomplete is returned then the hardware is currently recomputing the state and the output was only partially written. The output pointer and length should be updated according to the number of bytes processed and the squeeze operation continued at a later time.
If processed is not provided then this function will block until len bytes have been written to out or an error occurs.
| kmac | A KMAC handle. | |
| operation_state | A KMAC operation state context. | |
| [out] | out | Pointer to output buffer. |
| [out] | len | Number of 32-bit words to write to output buffer. |
| [out] | processed | Number of 32-bit words written to output buffer (optional). @preturn The result of the operation. |
Definition at line 663 of file dif_kmac.c.