Software APIs
keyblob.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_KEYBLOB_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_KEYBLOB_H_
7 
8 #include "sw/device/lib/crypto/drivers/keymgr.h"
9 #include "sw/device/lib/crypto/impl/status.h"
10 #include "sw/device/lib/crypto/include/datatypes.h"
11 
12 #ifdef __cplusplus
13 extern "C" {
14 #endif // __cplusplus
15 
16 enum {
17  /**
18  * Number of 32-bit words in a hardware-backed key's keyblob.
19  */
20  kKeyblobHwBackedWords = kKeymgrSaltNumWords,
21  /**
22  * Number of bytes in a hardware-backed key's keyblob.
23  */
24  kKeyblobHwBackedBytes = kKeyblobHwBackedWords * sizeof(uint32_t),
25 };
26 
27 /**
28  * Get the word-length of the full blinded keyblob for a given key length.
29  *
30  * @param config Key configuration.
31  * @returns Word-length of the blinded keyblob.
32  */
33 size_t keyblob_num_words(const otcrypto_key_config_t config);
34 
35 /**
36  * Get the word-length of a single key share for a given key length.
37  *
38  * Essentially, this just rounds `config.key_length` up to the next word.
39  * The results assume that the key is not hardware-backed, since
40  * hardware-backed keys do not have shares within the keyblob.
41  *
42  * @param config Key configuration.
43  * @returns Word-length of one key share (or unblinded key).
44  */
45 size_t keyblob_share_num_words(const otcrypto_key_config_t config);
46 
47 /**
48  * Return pointers to the separate shares within the blinded key.
49  *
50  * Returns an error if the keyblob length does not match the expectations from
51  * the key configuration.
52  *
53  * @param key Blinded key from which to extract shares.
54  * @param[out] share0 Pointer to direct to the first share.
55  * @param[out] share1 Pointer to direct to the second share.
56  * @return Result of the operation.
57  */
58 OT_WARN_UNUSED_RESULT
59 status_t keyblob_to_shares(const otcrypto_blinded_key_t *key, uint32_t **share0,
60  uint32_t **share1);
61 
62 /**
63  * Construct a blinded keyblob from the given shares.
64  *
65  * The size of each share should be at least `key_len` rounded up to the next
66  * word (so if `key_len` is 10 bytes, each share should be 3 words or 12
67  * bytes). The size of the destination buffer should be sufficient to fit
68  * both shares; if `key_len` is 10 bytes, it must have 6 words, even though
69  * 20 bytes would technically fit in 5. This is to preserve word-alignment of
70  * the shares.
71  *
72  * @param share0 First share.
73  * @param share1 Second share.
74  * @param config Key configuration.
75  * @param[out] keyblob Destination buffer.
76  */
77 void keyblob_from_shares(const uint32_t *share0, const uint32_t *share1,
78  const otcrypto_key_config_t config, uint32_t *keyblob);
79 
80 /**
81  * Construct key manager diversification data from a raw keyblob.
82  *
83  * The keyblob must be exactly 8 32-bit words long. The first word is the
84  * version and subsequent words are the salt. The key mode is appended to the
85  * salt to prevent key manager keys being used for different modes.
86  *
87  * @param keyblob Pointer to the keyblob.
88  * @param mode Key mode to use in the diversification.
89  * @param[out] Destination key manager diversification struct.
90  */
91 OT_WARN_UNUSED_RESULT
92 status_t keyblob_buffer_to_keymgr_diversification(
93  const uint32_t *keyblob, otcrypto_key_mode_t mode,
94  keymgr_diversification_t *diversification);
95 
96 /**
97  * Construct key manager diversification data from a blinded key.
98  *
99  * The keyblob for a hardware-backed key must be exactly 8 32-bit words long.
100  * The first word is the version and subsequent words are the salt. The key
101  * mode is appended to the salt to prevent key manager keys being used for
102  * different modes.
103  *
104  * If the key configuration states that the key is not hardware-backed, or if
105  * the keyblob is the wrong length, this function will return an error.
106  *
107  * @param key Blinded key to use.
108  * @param[out] Destination key manager diversification struct.
109  */
110 OT_WARN_UNUSED_RESULT
111 status_t keyblob_to_keymgr_diversification(
112  const otcrypto_blinded_key_t *key,
113  keymgr_diversification_t *diversification);
114 
115 /**
116  * Checks that the configuration represents a key masked with XOR.
117  *
118  * Returns false if the key is for an algorithm that uses a different masking
119  * method (e.g. arithmetic masking for asymmetric crypto) or if the key is
120  * hardware-backed.
121  *
122  * @param config Key configuration.
123  * @return OK if `config` represents an XOR-masked key, BAD_ARGS otherwise.
124  */
125 OT_WARN_UNUSED_RESULT
126 status_t keyblob_ensure_xor_masked(const otcrypto_key_config_t config);
127 
128 /**
129  * Construct a blinded keyblob from the given key and mask.
130  *
131  * The size of the key and mask should be `key_len` rounded up to the next
132  * word (so if `key_len` is 10 bytes, each share should be 3 words or 12
133  * bytes). The size of the destination buffer should be sufficient to fit
134  * both shares; if `key_len` is 10 bytes, it must have 6 words, even though
135  * 20 bytes would technically fit in 5. This is to preserve word-alignment of
136  * the shares.
137  *
138  * Returns an error if called for an asymmetric key configuration; asymmetric
139  * keys are likely to be masked with arithmetic rather than boolean (XOR)
140  * schemes, and this function cannot be used for them.
141  *
142  * @param key Plaintext key.
143  * @param mask Blinding value.
144  * @param config Key configuration.
145  * @param[out] keyblob Destination buffer.
146  * @return Result of the operation.
147  */
148 OT_WARN_UNUSED_RESULT
149 status_t keyblob_from_key_and_mask(const uint32_t *key, const uint32_t *mask,
150  const otcrypto_key_config_t config,
151  uint32_t *keyblob);
152 
153 /**
154  * Incorporate a fresh mask into the blinded key.
155  *
156  * Returns an error if called for an asymmetric key configuration; asymmetric
157  * keys are likely to be masked with arithmetic rather than boolean (XOR)
158  * schemes, and this function cannot be used for them.
159  *
160  * @param key Blinded key to re-mask. Modified in-place.
161  * @param mask Blinding parameter (fresh random mask).
162  * @return Result of the operation.
163  */
164 OT_WARN_UNUSED_RESULT
165 status_t keyblob_remask(otcrypto_blinded_key_t *key, const uint32_t *mask);
166 
167 /**
168  * Unmask and return the effective key from blinded key struct.
169  *
170  * This function should be used only for situations where the underlying
171  * implementation does not support shared computations (e.g. HMAC HWIP).
172  *
173  * `key` must not be NULL and must be large enough to accommodate the unmasked
174  * key. This function compares `unmasked_key_len` against the key length implied
175  * by `key->config`. `unmasked_key_len` is the length of the unmasked key in
176  * words.
177  *
178  * @param key The input blinded key.
179  * @param unmasked_key_len The length of `unmasked_key` in words.
180  * @param[out] unmasked_key The computed unmasked key.
181  * @return Result of the operation.
182  */
183 OT_WARN_UNUSED_RESULT
184 status_t keyblob_key_unmask(const otcrypto_blinded_key_t *key,
185  size_t unmasked_key_len, uint32_t *unmasked_key);
186 
187 #ifdef __cplusplus
188 } // extern "C"
189 #endif // __cplusplus
190 
191 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_KEYBLOB_H_
Return to OpenTitan Documentation