Software APIs
hardened_memory.h
Go to the documentation of this file.
1
// Copyright lowRISC contributors (OpenTitan project).
2
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
3
// SPDX-License-Identifier: Apache-2.0
4
5
#ifndef OPENTITAN_SW_DEVICE_LIB_BASE_HARDENED_MEMORY_H_
6
#define OPENTITAN_SW_DEVICE_LIB_BASE_HARDENED_MEMORY_H_
7
8
/**
9
* @file
10
* @brief Hardened memory operations for constant power buffer manipulation.
11
*/
12
13
#include <stddef.h>
14
#include <stdint.h>
15
16
#include "
sw/device/lib/base/hardened.h
"
17
#include "
sw/device/lib/base/macros.h
"
18
#include "sw/device/lib/crypto/impl/status.h"
19
20
#ifdef __cplusplus
21
extern
"C"
{
22
#endif
// __cplusplus
23
24
/**
25
* Expects some external implementation of randomness to be linked.
26
*
27
* @return A fresh random word.
28
*/
29
extern
uint32_t
hardened_memshred_random_word
(
void
);
30
31
/**
32
* Copies 32-bit words between non-overlapping regions.
33
*
34
* Unlike `memcpy()`, this function has important differences:
35
* - It is significantly slower, since it mitigates power-analysis attacks.
36
* - It performs operations on 32-bit words, rather than bytes.
37
* - It returns a status.
38
*
39
* Input pointers *MUST* be 32-bit aligned, although they do not need to
40
* actually point to memory declared as `uint32_t` per the C aliasing rules.
41
* Internally, this function is careful to not dereference its operands
42
* directly, and instead uses dedicated load/store intrinsics.
43
*
44
* @param dest The destination of the copy.
45
* @param src The source of the copy.
46
* @param word_len The number of words to copy.
47
* @return OK or error.
48
*/
49
status_t
hardened_memcpy
(uint32_t *
OT_RESTRICT
dest,
50
const
uint32_t *
OT_RESTRICT
src,
size_t
word_len);
51
52
/**
53
* Fills a 32-bit aligned region of memory with random data.
54
*
55
* Unlike `memset()`, this function has important differences:
56
* - It is significantly slower, since it mitigates power-analysis attacks.
57
* - It performs operations on 32-bit words, rather than bytes.
58
* - A fill value cannot be specified.
59
* - It returns a status.
60
*
61
* Input pointers *MUST* be 32-bit aligned, although they do not need to
62
* actually point to memory declared as `uint32_t` per the C aliasing rules.
63
* Internally, this function is careful to not dereference its operands
64
* directly, and instead uses dedicated load/store intrinsics.
65
*
66
* @param dest The destination of the set.
67
* @param word_len The number of words to write.
68
* @return OK or error.
69
*/
70
status_t
hardened_memshred
(uint32_t *dest,
size_t
word_len);
71
72
/**
73
* Compare two potentially-overlapping 32-bit aligned regions of memory for
74
* equality.
75
*
76
* Unlike `memcmp()`, this function has important differences:
77
* - It is significantly slower, since it mitigates power-analysis attacks.
78
* - It performs operations on 32-bit words, rather than bytes.
79
* - It only computes equality, not lexicographic ordering, which would be even
80
* slower.
81
* - It returns a `hardened_bool_t`.
82
* - It is constant-time.
83
*
84
* Input pointers *MUST* be 32-bit aligned, although they do not need to
85
* actually point to memory declared as `uint32_t` per the C aliasing rules.
86
* Internally, this function is careful to not dereference its operands
87
* directly, and instead uses dedicated load/store intrinsics.
88
*
89
* @param lhs The first buffer to compare.
90
* @param rhs The second buffer to compare.
91
* @param word_len The number of words to compare.
92
*/
93
hardened_bool_t
hardened_memeq
(
const
uint32_t *lhs,
const
uint32_t *rhs,
94
size_t
word_len);
95
96
/**
97
* Constant time memeq implementation that can also handle non 32-bit aligned
98
* buffers.
99
*
100
* SCA protection is provided by choosing a random start index for the
101
* comparison.
102
*
103
* CAUTION! This function is not considered as secure as `hardened_memeq` due to
104
* the byte-sized memory accesses vs. 32b word accesses.
105
*
106
* @param lhs The first buffer to compare.
107
* @param rhs The second buffer to compare.
108
* @param word_len The number of bytes to compare.
109
*/
110
hardened_bool_t
consttime_memeq_byte
(
const
void
*lhs,
const
void
*rhs,
111
size_t
len);
112
113
/**
114
* Combines two word buffers with XOR and store the result in the dest. buffer.
115
*
116
* Performs dest = ((rand ^ x) ^ y) ^ rand
117
*
118
* Callers should ensure the entropy complex is up before calling this
119
* function. The implementation uses random-order hardening primitives for
120
* side-channel defense. Moreover, calles should ensure that the dest. buffer
121
* is different from the source buffers.
122
*
123
* @param x Pointer to the first operand.
124
* @param y Pointer to the second operand.
125
* @param word_len Length in words of each operand.
126
* @param dest[out] Pointer to the output buffer.
127
* @return OK or error.
128
*/
129
status_t
hardened_xor
(
const
uint32_t *
OT_RESTRICT
x,
130
const
uint32_t *
OT_RESTRICT
y,
size_t
word_len,
131
uint32_t *
OT_RESTRICT
dest);
132
133
/**
134
* Combines two word buffers with XOR in-place.
135
*
136
* Callers should ensure the entropy complex is up before calling this
137
* function. The implementation uses random-order hardening primitives for
138
* side-channel defense.
139
*
140
* @param[in,out] x Pointer to the first operand (modified in-place).
141
* @param y Pointer to the second operand.
142
* @param word_len Length in words of each operand.
143
* @return OK or error.
144
*/
145
status_t
hardened_xor_in_place
(uint32_t *
OT_RESTRICT
x,
146
const
uint32_t *
OT_RESTRICT
y,
size_t
word_len);
147
148
/**
149
* Copy memory between non-overlapping regions with a randomized byte traversal.
150
*
151
* CAUTION! This function is not considered as secure as `hardened_memcpy` due
152
* to the byte-sized memory accesses vs. 32b word accesses. After this function,
153
* a `consttime_memeq_byte(src, dest, byte_len)` should follow to check if the
154
* bytecopy was successful (see lowRISC/opentitan#8815). Switch the function
155
* arguments as shown in the example to also cover faults directly on the
156
* pointers.
157
*
158
* @param dest the region to copy to.
159
* @param src the region to copy from.
160
* @param byte_len, the number of bytes to copy.
161
* @return Result of the operation (OK or error).
162
*/
163
status_t
randomized_bytecopy
(
void
*
OT_RESTRICT
dest,
164
const
void
*
OT_RESTRICT
src,
size_t
byte_len);
165
166
/**
167
* In-place XOR of two non-overlapping memory regions with a randomized byte
168
* traversal.
169
*
170
* CAUTION! This function is not considered as secure as `hardened_xor_in_place`
171
* due to the byte-sized memory accesses vs. 32b word accesses.
172
*
173
* @param x Pointer to the first operand (modified in-place).
174
* @param y Pointer to the second operand.
175
* @param byte_len, the number of bytes to XOR.
176
* @return Result of the operation (OK or error).
177
*/
178
status_t
randomized_bytexor_in_place
(
void
*
OT_RESTRICT
x,
179
const
void
*
OT_RESTRICT
y,
180
size_t
byte_len);
181
182
#ifdef __cplusplus
183
}
// extern "C"
184
#endif
// __cplusplus
185
186
#endif
// OPENTITAN_SW_DEVICE_LIB_BASE_HARDENED_MEMORY_H_
sw
device
lib
base
hardened_memory.h
Return to
OpenTitan Documentation
