Software APIs
hardened_memory.c
// Copyright lowRISC contributors (OpenTitan project).
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0

// NOTE: The three hardened_mem* functions have similar contents, but the parts
// that are shared between them are commented only in `hardened_memcpy()`.
status_t hardened_memcpy(uint32_t *restrict dest, const uint32_t *restrict src,
                         size_t word_len) {
  random_order_t order;
  random_order_init(&order, word_len);

  size_t count = 0;

  // Immediately convert `src` and `dest` to addresses, which erases their
  // provenance and causes their addresses to be exposed (in the provenance
  // sense).
  uintptr_t src_addr = (uintptr_t)src;
  uintptr_t dest_addr = (uintptr_t)dest;

  // We need to launder `count`, so that the SW.LOOP-COMPLETION check is not
  // deleted by the compiler.
  for (; launderw(count) < word_len; count = launderw(count) + 1) {
    // The order values themselves are in units of words, but we need
    // `byte_idx` to be in units of bytes.
    //
    // The value obtained from `advance()` is laundered, to prevent
    // implementation details from leaking across procedures.
    size_t byte_idx = launderw(random_order_advance(&order)) * sizeof(uint32_t);

    // Prevent the compiler from reordering the loop; this ensures a
    // happens-before among indices consistent with `order`.
    barrierw(byte_idx);

    // Calculate pointers.
    void *src = (void *)launderw(src_addr + byte_idx);
    void *dest = (void *)launderw(dest_addr + byte_idx);

    // Perform the copy, without performing a typed dereference operation.
    write_32(read_32(src), dest);
  }

  HARDENED_CHECK_EQ(count, word_len);

  return OTCRYPTO_OK;
}
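
// Usage sketch: duplicating a word-aligned secret, for example a 256-bit key
// held as eight 32-bit words. The helper name and the fixed length are
// illustrative, not part of this API; lengths are always given in 32-bit
// words, and the buffers must be aligned and non-overlapping.
static status_t copy_key_example(uint32_t dst[8], const uint32_t src[8]) {
  // The copy walks the words in a random order and returns only after the
  // hardened loop-completion check has passed.
  return hardened_memcpy(dst, src, 8);
}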

status_t hardened_memshred(uint32_t *dest, size_t word_len) {
  random_order_t order;
  random_order_init(&order, word_len);

  size_t count = 0;

  uintptr_t data_addr = (uintptr_t)dest;

  for (; count < word_len; count = launderw(count) + 1) {
    size_t byte_idx = launderw(random_order_advance(&order)) * sizeof(uint32_t);
    barrierw(byte_idx);

    // Calculate pointer.
    void *data = (void *)launderw(data_addr + byte_idx);

    // Write a freshly-generated random word to `*data`.
    write_32(hardened_memshred_random_word(), data);
  }

  HARDENED_CHECK_EQ(count, word_len);

  return OTCRYPTO_OK;
}
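
// Usage sketch: scrubbing a stack buffer that held key material once it is no
// longer needed. The helper name is illustrative; the buffer must be 32-bit
// aligned and its length is given in words.
static status_t wipe_key_example(uint32_t *key, size_t key_words) {
  // Every word is overwritten with a freshly generated random word, and the
  // words are visited in a random order.
  return hardened_memshred(key, key_words);
}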

hardened_bool_t hardened_memeq(const uint32_t *lhs, const uint32_t *rhs,
                               size_t word_len) {
  random_order_t order;
  random_order_init(&order, word_len);

  size_t count = 0;

  uintptr_t lhs_addr = (uintptr_t)lhs;
  uintptr_t rhs_addr = (uintptr_t)rhs;

  uint32_t zeros = 0;
  uint32_t ones = UINT32_MAX;

  // The loop is almost token-for-token the same as the one above, but the
  // copy is replaced with an accumulating comparison.
  for (; count < word_len; count = launderw(count) + 1) {
    size_t byte_idx = launderw(random_order_advance(&order)) * sizeof(uint32_t);
    barrierw(byte_idx);

    // Calculate pointers.
    void *av = (void *)launderw(lhs_addr + byte_idx);
    void *bv = (void *)launderw(rhs_addr + byte_idx);

    uint32_t a = read_32(av);
    uint32_t b = read_32(bv);

    // Launder one of the operands, so that the compiler cannot cache the
    // result of the XOR for use in the next operation.
    //
    // We launder `zeros` so that the compiler cannot learn that `zeros` only
    // ever accumulates set bits over the loop.
    zeros = launder32(zeros) | (launder32(a) ^ b);

    // Same as above. The compiler can cache the value of `a`, but it has no
    // chance to strength-reduce this operation.
    ones = launder32(ones) & (launder32(a) ^ ~b);
  }

  HARDENED_CHECK_EQ(count, word_len);
  if (launder32(zeros) == 0) {
    HARDENED_CHECK_EQ(ones, UINT32_MAX);
    return kHardenedBoolTrue;
  }

  HARDENED_CHECK_NE(ones, UINT32_MAX);
  return kHardenedBoolFalse;
}
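
// Usage sketch: verifying an authentication tag against its expected value.
// The helper name is illustrative, and `OTCRYPTO_RECOV_ERR` is assumed to come
// from the same status header that provides `OTCRYPTO_OK`.
static status_t check_tag_example(const uint32_t *got, const uint32_t *want,
                                  size_t tag_words) {
  // Every word of both buffers is read, in a random order, before the verdict
  // is formed, so the comparison time does not depend on where a mismatch is.
  if (hardened_memeq(got, want, tag_words) != kHardenedBoolTrue) {
    return OTCRYPTO_RECOV_ERR;
  }
  return OTCRYPTO_OK;
}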

hardened_bool_t consttime_memeq_byte(const void *lhs, const void *rhs,
                                     size_t len) {
  uint32_t zeros = 0;
  uint32_t ones = UINT32_MAX;

  size_t it = 0;
  const unsigned char *lh = (const unsigned char *)lhs;
  const unsigned char *rh = (const unsigned char *)rhs;
  for (; it < len; ++it, ++lh, ++rh) {
    const unsigned char a = *lh;
    const unsigned char b = *rh;

    // Launder one of the operands, so that the compiler cannot cache the
    // result of the XOR for use in the next operation.
    //
    // We launder `zeros` so that the compiler cannot learn that `zeros` only
    // ever accumulates set bits over the loop.
    zeros = launder32(zeros) | (launder32((uint32_t)a) ^ b);

    // Same as above. The compiler can cache the value of `a`, but it has no
    // chance to strength-reduce this operation.
    ones = launder32(ones) & (launder32((uint32_t)a) ^ ~b);
  }

  HARDENED_CHECK_EQ(it, len);

  if (launder32(zeros) == 0) {
    HARDENED_CHECK_EQ(ones, UINT32_MAX);
    return kHardenedBoolTrue;
  }

  HARDENED_CHECK_NE(ones, UINT32_MAX);
  return kHardenedBoolFalse;
}
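
// Usage sketch: comparing two byte strings of arbitrary length, e.g. encoded
// values that are not word-aligned. The helper name is illustrative.
static hardened_bool_t bytes_match_example(const void *got, const void *want,
                                           size_t len) {
  // Unlike `hardened_memeq`, this variant has no alignment or word-length
  // requirement, but it walks the bytes in order rather than randomly.
  return consttime_memeq_byte(got, want, len);
}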

status_t hardened_xor(const uint32_t *restrict x, const uint32_t *restrict y,
                      size_t word_len, uint32_t *restrict dest) {
  // Randomize the content of the output buffer before writing to it.
  hardened_memshred(dest, word_len);

  // Create a buffer of random masking words, `rand`.
  uint32_t rand[word_len];
  hardened_memshred(rand, word_len);

  // Cast pointers to `uintptr_t` to erase their provenance.
  uintptr_t x_addr = (uintptr_t)x;
  uintptr_t y_addr = (uintptr_t)y;
  uintptr_t dest_addr = (uintptr_t)dest;
  uintptr_t rand_addr = (uintptr_t)&rand;

  // Generate a random ordering.
  random_order_t order;
  random_order_init(&order, word_len);
  size_t count = 0;

  // XOR the two operands word by word (in masking terms, XOR the mask with
  // the first share). This loop is modelled on the one in `hardened_memcpy`;
  // see the comments there for more details.
  for (; launderw(count) < word_len; count = launderw(count) + 1) {
    size_t byte_idx = launderw(random_order_advance(&order)) * sizeof(uint32_t);

    // Prevent the compiler from re-ordering the loop.
    barrierw(byte_idx);

    // Calculate pointers.
    uintptr_t xp = x_addr + byte_idx;
    uintptr_t yp = y_addr + byte_idx;
    uintptr_t destp = dest_addr + byte_idx;
    uintptr_t randp = rand_addr + byte_idx;

    // Launder the addresses into pointers before dereferencing.
    void *xv = (void *)launderw(xp);
    void *yv = (void *)launderw(yp);
    void *destv = (void *)launderw(destp);
    void *randv = (void *)launderw(randp);

    // Perform the XORs: dest = ((x ^ rand) ^ y) ^ rand
    write_32(read_32(xv) ^ read_32(randv), destv);
    write_32(read_32(destv) ^ read_32(yv), destv);
    write_32(read_32(destv) ^ read_32(randv), destv);
  }

  HARDENED_CHECK_EQ(count, word_len);

  return OTCRYPTO_OK;
}
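
// Usage sketch: combining two shares of a masked secret into a third buffer.
// The helper and parameter names are illustrative; all three buffers must be
// distinct (the prototype uses `restrict`), word-aligned, and `word_len`
// words long.
static status_t unmask_example(const uint32_t *share0, const uint32_t *share1,
                               size_t word_len, uint32_t *out) {
  // `out` is pre-shredded and the intermediate values written to it are
  // masked with `rand`, rather than being the plain XOR of the inputs.
  return hardened_xor(share0, share1, word_len, out);
}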

status_t hardened_xor_in_place(uint32_t *restrict x, const uint32_t *restrict y,
                               size_t word_len) {
  // Generate a random ordering.
  random_order_t order;
  random_order_init(&order, word_len);
  size_t count = 0;

  // Cast pointers to `uintptr_t` to erase their provenance.
  uintptr_t x_addr = (uintptr_t)x;
  uintptr_t y_addr = (uintptr_t)y;

  // XOR `y` into `x` word by word (in masking terms, XOR the mask into the
  // first share). This loop is modelled on the one in `hardened_memcpy`; see
  // the comments there for more details.
  for (; launderw(count) < word_len; count = launderw(count) + 1) {
    size_t byte_idx = launderw(random_order_advance(&order)) * sizeof(uint32_t);

    // Prevent the compiler from re-ordering the loop.
    barrierw(byte_idx);

    // Calculate pointers.
    void *xv = (void *)launderw(x_addr + byte_idx);
    void *yv = (void *)launderw(y_addr + byte_idx);

    // Perform an XOR in the array.
    write_32(read_32(xv) ^ read_32(yv), xv);
  }

  HARDENED_CHECK_EQ(count, word_len);

  return OTCRYPTO_OK;
}
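
// Usage sketch: XOR-ing one word buffer into another in place, e.g. applying
// a fresh mask to an existing share. The helper and parameter names are
// illustrative; the two buffers must not overlap and their length is given in
// words.
static status_t remask_example(uint32_t *share, const uint32_t *fresh_mask,
                               size_t word_len) {
  // `share` is updated word by word, in a random order, to `share ^ mask`.
  return hardened_xor_in_place(share, fresh_mask, word_len);
}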