Software APIs
key_transport.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/lib/crypto/include/key_transport.h"
6 
7 #include "sw/device/lib/base/hardened_memory.h"
8 #include "sw/device/lib/base/memory.h"
9 #include "sw/device/lib/crypto/impl/aes_kwp/aes_kwp.h"
10 #include "sw/device/lib/crypto/impl/integrity.h"
11 #include "sw/device/lib/crypto/impl/keyblob.h"
12 #include "sw/device/lib/crypto/impl/status.h"
13 #include "sw/device/lib/crypto/include/datatypes.h"
14 #include "sw/device/lib/crypto/include/drbg.h"
15 
16 // Module ID for status codes.
17 #define MODULE_ID MAKE_MODULE_ID('k', 't', 'r')
18 
19 otcrypto_status_t otcrypto_symmetric_keygen(
20  otcrypto_const_byte_buf_t perso_string, otcrypto_blinded_key_t *key) {
21  if (key == NULL || key->keyblob == NULL) {
22  return OTCRYPTO_BAD_ARGS;
23  }
24 
25  // Ensure that the key material is masked with XOR; this will fail on
26  // hardware-backed or non-symmetric keys.
27  HARDENED_TRY(keyblob_ensure_xor_masked(key->config));
28 
29  // Get pointers to the shares within the keyblob. Fails if the key length
30  // doesn't match the mode.
31  uint32_t *share0;
32  uint32_t *share1;
33  HARDENED_TRY(keyblob_to_shares(key, &share0, &share1));
34 
35  // Construct buffers to direct the DRBG output into the keyblob.
36  otcrypto_word32_buf_t share0_buf = {
37  .data = share0,
38  .len = keyblob_share_num_words(key->config),
39  };
40  otcrypto_word32_buf_t share1_buf = {
41  .data = share1,
42  .len = keyblob_share_num_words(key->config),
43  };
44 
45  // Construct an empty buffer for the "additional input" to the DRBG generate
46  // function.
47  otcrypto_const_byte_buf_t empty = {.data = NULL, .len = 0};
48 
49  // Generate each share of the key independently.
50  HARDENED_TRY(otcrypto_drbg_instantiate(perso_string));
51  HARDENED_TRY(otcrypto_drbg_generate(empty, share0_buf));
52  HARDENED_TRY(otcrypto_drbg_generate(empty, share1_buf));
53 
54  // Populate the checksum and return.
55  key->checksum = integrity_blinded_checksum(key);
56  return OTCRYPTO_OK;
57 }
58 
59 otcrypto_status_t otcrypto_hw_backed_key(uint32_t version,
60  const uint32_t salt[7],
61  otcrypto_blinded_key_t *key) {
62  if (key == NULL || key->keyblob == NULL) {
63  return OTCRYPTO_BAD_ARGS;
64  }
65  if (key->keyblob_length != 8 * sizeof(uint32_t) ||
66  key->config.hw_backed != kHardenedBoolTrue) {
67  return OTCRYPTO_BAD_ARGS;
68  }
69 
70  // Get the key type from the top 16 bits of the full mode and ensure that it
71  // is not RSA. All other key types are acceptable for hardware-backed keys.
72  otcrypto_key_type_t key_type =
73  (otcrypto_key_type_t)(key->config.key_mode >> 16);
74  if (key_type == kOtcryptoKeyTypeRsa) {
75  return OTCRYPTO_BAD_ARGS;
76  }
77 
78  // Copy the version and salt into the keyblob.
79  key->keyblob[0] = version;
80  memcpy(&key->keyblob[1], salt, 7 * sizeof(uint32_t));
81 
82  // Set the checksum.
83  key->checksum = integrity_blinded_checksum(key);
84 
85  return OTCRYPTO_OK;
86 }
87 
88 otcrypto_status_t otcrypto_wrapped_key_len(const otcrypto_key_config_t config,
89  size_t *wrapped_num_words) {
90  // Check that the total wrapped key length will fit in 32 bits.
91  size_t config_num_words = sizeof(otcrypto_key_config_t) / sizeof(uint32_t);
92  if (keyblob_num_words(config) > UINT32_MAX - config_num_words - 2) {
93  return OTCRYPTO_BAD_ARGS;
94  }
95 
96  // A wrapped key includes:
97  // - The full key configuration
98  // - The key checksum (32 bits)
99  // - The keyblob length (in words) as a 32-bit word
100  // - The keyblob
101  *wrapped_num_words = config_num_words + 2 + keyblob_num_words(config);
102 
103  // We need to add 64 bits for the AES-KWP prefix.
104  *wrapped_num_words += 2;
105 
106  // The number of words needs to be rounded up to the next multiple of 64 bits.
107  if (*wrapped_num_words % 2 == 1) {
108  *wrapped_num_words += 1;
109  }
110 
111  return OTCRYPTO_OK;
112 }
113 
114 /**
115  * Extract an AES-KWP key encryption key from the blinded key struct.
116  *
117  * Also checks the key's integrity and mode.
118  *
119  * @param key_kek Blinded key encryption key.
120  * @param[out] aes_key Destination AES key struct.
121  * @return Result of the operation.
122  */
123 static status_t aes_kwp_key_construct(const otcrypto_blinded_key_t *key_kek,
124  aes_key_t *aes_key) {
125  // Key integrity check.
126  if (launder32(integrity_blinded_key_check(key_kek)) != kHardenedBoolTrue) {
127  return OTCRYPTO_BAD_ARGS;
128  }
129  HARDENED_CHECK_EQ(integrity_blinded_key_check(key_kek), kHardenedBoolTrue);
130 
131  // Check the key mode.
132  if (launder32((uint32_t)key_kek->config.key_mode) != kOtcryptoKeyModeAesKwp) {
133  return OTCRYPTO_BAD_ARGS;
134  }
135  HARDENED_CHECK_EQ(key_kek->config.key_mode, kOtcryptoKeyModeAesKwp);
136 
137  // Set the mode of the underlying AES key to ECB (since this is the
138  // underlying block cipher mode for KWP).
139  aes_key->mode = kAesCipherModeEcb;
140 
141  if (key_kek->config.hw_backed == kHardenedBoolTrue) {
142  // Call keymgr to sideload the key into AES.
143  keymgr_diversification_t diversification;
144  HARDENED_TRY(keyblob_to_keymgr_diversification(key_kek, &diversification));
145  HARDENED_TRY(keymgr_generate_key_aes(diversification));
146  } else if (key_kek->config.hw_backed != kHardenedBoolFalse) {
147  return OTCRYPTO_BAD_ARGS;
148  }
149  aes_key->sideload = key_kek->config.hw_backed;
150 
151  // Set the AES key length (in words).
152  aes_key->key_len = keyblob_share_num_words(key_kek->config);
153 
154  // Get pointers to the individual shares.
155  uint32_t *share0;
156  uint32_t *share1;
157  HARDENED_TRY(keyblob_to_shares(key_kek, &share0, &share1));
158  aes_key->key_shares[0] = share0;
159  aes_key->key_shares[1] = share1;
160 
161  return OTCRYPTO_OK;
162 }
163 
164 otcrypto_status_t otcrypto_key_wrap(const otcrypto_blinded_key_t *key_to_wrap,
165  const otcrypto_blinded_key_t *key_kek,
166  otcrypto_word32_buf_t wrapped_key) {
167  if (key_to_wrap == NULL || key_to_wrap->keyblob == NULL || key_kek == NULL ||
168  key_kek->keyblob == NULL || wrapped_key.data == NULL) {
169  return OTCRYPTO_BAD_ARGS;
170  }
171 
172  // Check the integrity of the key material we are wrapping.
173  if (launder32(integrity_blinded_key_check(key_to_wrap)) !=
174  kHardenedBoolTrue) {
175  return OTCRYPTO_BAD_ARGS;
176  }
177  HARDENED_CHECK_EQ(integrity_blinded_key_check(key_to_wrap),
178  kHardenedBoolTrue);
179 
180  // Check the length of the output buffer.
181  size_t exp_len;
182  HARDENED_TRY(otcrypto_wrapped_key_len(key_to_wrap->config, &exp_len));
183  if (wrapped_key.len != exp_len) {
184  return OTCRYPTO_BAD_ARGS;
185  }
186 
187  // Check the integrity/lengths/mode of the key encryption key, and construct
188  // an internal AES key.
189  aes_key_t kek;
190  HARDENED_TRY(aes_kwp_key_construct(key_kek, &kek));
191 
192  // Check the keyblob length.
193  uint32_t keyblob_words = keyblob_num_words(key_to_wrap->config);
194  if (key_to_wrap->keyblob_length != keyblob_words * sizeof(uint32_t)) {
195  return OTCRYPTO_BAD_ARGS;
196  }
197 
198  // Check that the configuration is aligned.
199  if (misalignment32_of((uintptr_t)&key_to_wrap->config) != 0) {
200  return OTCRYPTO_BAD_ARGS;
201  }
202 
203  // Create the plaintext by copying the key configuration, checksum, keyblob
204  // length, and keyblob into a buffer.
205  uint32_t config_words = sizeof(otcrypto_key_config_t) / sizeof(uint32_t);
206  size_t plaintext_num_words = config_words + 2 + keyblob_words;
207  uint32_t plaintext[plaintext_num_words];
208  hardened_memcpy(plaintext, (uint32_t *)&key_to_wrap->config, config_words);
209  plaintext[config_words] = key_to_wrap->checksum;
210  plaintext[config_words + 1] = keyblob_words;
211  hardened_memcpy(plaintext + config_words + 2, key_to_wrap->keyblob,
212  keyblob_words);
213 
214  // Wrap the key.
215  return aes_kwp_wrap(kek, plaintext, sizeof(plaintext), wrapped_key.data);
216 }
217 
218 otcrypto_status_t otcrypto_key_unwrap(otcrypto_const_word32_buf_t wrapped_key,
219  const otcrypto_blinded_key_t *key_kek,
220  hardened_bool_t *success,
221  otcrypto_blinded_key_t *unwrapped_key) {
222  *success = kHardenedBoolFalse;
223 
224  if (wrapped_key.data == NULL || key_kek == NULL || key_kek->keyblob == NULL ||
225  success == NULL || unwrapped_key == NULL ||
226  unwrapped_key->keyblob == NULL) {
227  return OTCRYPTO_BAD_ARGS;
228  }
229 
230  // Check the integrity/lengths/mode of the key encryption key, and construct
231  // an internal AES key.
232  aes_key_t kek;
233  HARDENED_TRY(aes_kwp_key_construct(key_kek, &kek));
234 
235  // Check that the configuration is aligned.
236  if (misalignment32_of((uintptr_t)&unwrapped_key->config) != 0) {
237  return OTCRYPTO_BAD_ARGS;
238  }
239 
240  // Unwrap the key.
241  uint32_t plaintext[wrapped_key.len];
242  HARDENED_TRY(aes_kwp_unwrap(kek, wrapped_key.data,
243  wrapped_key.len * sizeof(uint32_t), success,
244  plaintext));
245 
246  if (launder32(*success) != kHardenedBoolTrue) {
247  *success = kHardenedBoolFalse;
248  return OTCRYPTO_OK;
249  }
250  HARDENED_CHECK_EQ(*success, kHardenedBoolTrue);
251 
252  // Set back to false while we check other conditions.
253  *success = kHardenedBoolFalse;
254 
255  // Extract the key configuration.
256  uint32_t config_words = sizeof(otcrypto_key_config_t) / sizeof(uint32_t);
257  hardened_memcpy((uint32_t *)&unwrapped_key->config, plaintext, config_words);
258 
259  // Extract the checksum and keyblob length.
260  unwrapped_key->checksum = plaintext[config_words];
261  uint32_t keyblob_words = plaintext[config_words + 1];
262  if (keyblob_words != keyblob_num_words(unwrapped_key->config)) {
263  *success = kHardenedBoolFalse;
264  return OTCRYPTO_OK;
265  }
266 
267  // Extract the keyblob.
268  if (unwrapped_key->keyblob_length != keyblob_words * sizeof(uint32_t)) {
269  return OTCRYPTO_BAD_ARGS;
270  }
271  hardened_memcpy(unwrapped_key->keyblob, plaintext + config_words + 2,
272  keyblob_words);
273 
274  // Finally, check the integrity of the key material we unwrapped.
275  *success = integrity_blinded_key_check(unwrapped_key);
276  return OTCRYPTO_OK;
277 }
278 
279 otcrypto_status_t otcrypto_import_blinded_key(
280  const otcrypto_const_word32_buf_t key_share0,
281  const otcrypto_const_word32_buf_t key_share1,
282  otcrypto_blinded_key_t *blinded_key) {
283  if (blinded_key == NULL || blinded_key->keyblob == NULL ||
284  key_share0.data == NULL || key_share1.data == NULL) {
285  return OTCRYPTO_BAD_ARGS;
286  }
287 
288  // Ensure the key is symmetric and not hardware-backed.
289  HARDENED_TRY(keyblob_ensure_xor_masked(blinded_key->config));
290 
291  // Check the lengths of the shares.
292  size_t share_words = launder32(keyblob_share_num_words(blinded_key->config));
293  if (launder32(key_share0.len) != share_words ||
294  launder32(key_share1.len) != share_words) {
295  return OTCRYPTO_BAD_ARGS;
296  }
297  HARDENED_CHECK_EQ(key_share0.len,
298  keyblob_share_num_words(blinded_key->config));
299  HARDENED_CHECK_EQ(key_share1.len,
300  keyblob_share_num_words(blinded_key->config));
301 
302  // Check the length of the keyblob.
303  size_t keyblob_words = launder32(keyblob_num_words(blinded_key->config));
304  if ((blinded_key->keyblob_length % sizeof(uint32_t) != 0) ||
305  (blinded_key->keyblob_length / sizeof(uint32_t) != keyblob_words)) {
306  return OTCRYPTO_BAD_ARGS;
307  }
308  HARDENED_CHECK_EQ(blinded_key->keyblob_length,
309  keyblob_words * sizeof(uint32_t));
310 
311  // Construct the blinded key.
312  keyblob_from_shares(key_share0.data, key_share1.data, blinded_key->config,
313  blinded_key->keyblob);
314  blinded_key->checksum = integrity_blinded_checksum(blinded_key);
315  return OTCRYPTO_OK;
316 }
317 
318 otcrypto_status_t otcrypto_export_blinded_key(
319  const otcrypto_blinded_key_t blinded_key, otcrypto_word32_buf_t key_share0,
320  otcrypto_word32_buf_t key_share1) {
321  if (blinded_key.keyblob == NULL || key_share0.data == NULL ||
322  key_share1.data == NULL) {
323  return OTCRYPTO_BAD_ARGS;
324  }
325 
326  // Check key integrity.
327  if (launder32(integrity_blinded_key_check(&blinded_key)) !=
328  kHardenedBoolTrue) {
329  return OTCRYPTO_BAD_ARGS;
330  }
331  HARDENED_CHECK_EQ(integrity_blinded_key_check(&blinded_key),
332  kHardenedBoolTrue);
333 
334  // Ensure the key is symmetric and not hardware-backed.
335  HARDENED_TRY(keyblob_ensure_xor_masked(blinded_key.config));
336 
337  // Check that key is exportable.
338  if (launder32(blinded_key.config.exportable) != kHardenedBoolTrue) {
339  return OTCRYPTO_BAD_ARGS;
340  }
341  HARDENED_CHECK_EQ(blinded_key.config.exportable, kHardenedBoolTrue);
342 
343  // Check the lengths of the shares.
344  size_t share_words = launder32(keyblob_share_num_words(blinded_key.config));
345  if (launder32(key_share0.len) != share_words ||
346  launder32(key_share1.len) != share_words) {
347  return OTCRYPTO_BAD_ARGS;
348  }
349  HARDENED_CHECK_EQ(key_share0.len,
350  keyblob_share_num_words(blinded_key.config));
351  HARDENED_CHECK_EQ(key_share1.len,
352  keyblob_share_num_words(blinded_key.config));
353 
354  // Check the length of the keyblob.
355  size_t keyblob_words = launder32(keyblob_num_words(blinded_key.config));
356  if ((blinded_key.keyblob_length % sizeof(uint32_t) != 0) ||
357  (blinded_key.keyblob_length / sizeof(uint32_t) != keyblob_words)) {
358  return OTCRYPTO_BAD_ARGS;
359  }
360  HARDENED_CHECK_EQ(blinded_key.keyblob_length,
361  keyblob_words * sizeof(uint32_t));
362 
363  // Get pointers to the internal shares and copy them into output buffers.
364  uint32_t *keyblob_share0;
365  uint32_t *keyblob_share1;
366  HARDENED_TRY(
367  keyblob_to_shares(&blinded_key, &keyblob_share0, &keyblob_share1));
368  hardened_memcpy(key_share0.data, keyblob_share0, key_share0.len);
369  hardened_memcpy(key_share1.data, keyblob_share1, key_share1.len);
370  return OTCRYPTO_OK;
371 }
Return to OpenTitan Documentation