Software APIs
kmac.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_DRIVERS_KMAC_H_
5 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_DRIVERS_KMAC_H_
6 
7 #include <stdbool.h>
8 #include <stddef.h>
9 #include <stdint.h>
10 
11 #include "sw/device/lib/base/macros.h"
12 #include "sw/device/lib/crypto/impl/status.h"
13 
14 #ifdef __cplusplus
15 extern "C" {
16 #endif
17 
18 /**
19  * The exposed costants to caller functions.
20  */
21 enum {
22  // The total size of prefix registers (in bytes), after removing len encodings
23  kKmacPrefixMaxSize = 36,
24  // The max size of customization string for KMAC.
25  kKmacCustStrMaxSize = 32,
26  // The size of the sideload key. This parameter is not exposed by KMAC or
27  // Keymgr hjson files from HW, so we need to hardcode it for the moment.
28  kKmacSideloadKeyLength = 256,
29  // Length of a SHA3-224 digest in bytes.
30  kSha3_224DigestBytes = 224 / 8,
31  // Length of a SHA3-224 digest in 32-bit words.
32  kSha3_224DigestWords = kSha3_224DigestBytes / sizeof(uint32_t),
33  // Length of a SHA3_256 digest in bytes.
34  kSha3_256DigestBytes = 256 / 8,
35  // Length of a SHA3_256 digest in 32-bit words.
36  kSha3_256DigestWords = kSha3_256DigestBytes / sizeof(uint32_t),
37  // Length of a SHA3_384 digest in bytes.
38  kSha3_384DigestBytes = 384 / 8,
39  // Length of a SHA3_384 digest in 32-bit words.
40  kSha3_384DigestWords = kSha3_384DigestBytes / sizeof(uint32_t),
41  // Length of a SHA3_512 digest in bytes.
42  kSha3_512DigestBytes = 512 / 8,
43  // Length of a SHA3_512 digest in 32-bit words.
44  kSha3_512DigestWords = kSha3_512DigestBytes / sizeof(uint32_t),
45 };
46 
47 /**
48  * Simplified key struct to pass blinded key internally.
49  */
50 typedef struct kmac_blinded_key {
51  uint32_t *share0;
52  uint32_t *share1;
53  // The length of single share (in bytes)
54  size_t len;
55  // Whether the key should be provided by keymgr through sideload port.
56  // If `hw_backed` is true, `share0/1` pointers and `len` are ignored.
57  hardened_bool_t hw_backed;
58 } kmac_blinded_key_t;
59 
60 /**
61  * Check whether given key length is valid for KMAC.
62 
63  * @param key_len Key length as input.
64  * @return Return OTCRYPTO_OK if valid and otherwise an error.
65  */
66 OT_WARN_UNUSED_RESULT
67 status_t kmac_key_length_check(size_t key_len);
68 
69 /**
70  * Set the "global" config of HWIP
71  *
72  * For the moment, we have a number of configuation options needs to be
73  * configured at session level. This functions serves as a temporary
74  * solution by setting default values to this configuration.
75  * TODO: Define config struct and pass it as argument.
76  * TODO: see #14832
77  *
78  * Warning: This function sets `entropy_ready`, which triggers kmac_entropy's
79  * FSM to jump to next step. Therefore, the caller of this function should make
80  * sure that entropy is configured properly beforehand.
81  *
82  * It enforces the following as the default configuration:
83  * It touches the following fields of CSRs:
84  * CFG register:
85  * endianness, entropy_mode, fast_process, msg_mask, ent_ready,
86  * en_unsup_mode EDN refresh settings: hash threshold refresh
87  * counter entropy seed -> ignore? INTR_ENABLE: all disabled
88  *
89  * @return Error code.
90  */
91 OT_WARN_UNUSED_RESULT
92 status_t kmac_hwip_default_configure(void);
93 
94 /**
95  * Compute SHA-3-224 in one-shot.
96  *
97  * The caller must ensure that there is at least 224 bits = 28 bytes of space
98  * available at the location pointed to by `digest`.
99  *
100  * @param message The input message.
101  * @param message_len The input message length in bytes.
102  * @param[out] digest Output buffer for the result.
103  * @return Error status.
104  */
105 OT_WARN_UNUSED_RESULT
106 status_t kmac_sha3_224(const uint8_t *message, size_t message_len,
107  uint32_t *digest);
108 
109 /**
110  * Compute SHA-3-256 in one-shot.
111  *
112  * The caller must ensure that there is at least 256 bits = 32 bytes of space
113  * available at the location pointed to by `digest`.
114  *
115  * @param message The input message.
116  * @param message_len The input message length in bytes.
117  * @param[out] digest Output buffer for the result.
118  * @return Error status.
119  */
120 OT_WARN_UNUSED_RESULT
121 status_t kmac_sha3_256(const uint8_t *message, size_t message_len,
122  uint32_t *digest);
123 
124 /**
125  * Compute SHA-3-384 in one-shot.
126  *
127  * The caller must ensure that there is at least 384 bits = 48 bytes of space
128  * available at the location pointed to by `digest`.
129  *
130  * @param message The input message.
131  * @param message_len The input message length in bytes.
132  * @param[out] digest Output buffer for the result.
133  * @return Error status.
134  */
135 OT_WARN_UNUSED_RESULT
136 status_t kmac_sha3_384(const uint8_t *message, size_t message_len,
137  uint32_t *digest);
138 
139 /**
140  * Compute SHA-3-512 in one-shot.
141  *
142  * The caller must ensure that there is at least 512 bits = 64 bytes of space
143  * available at the location pointed to by `digest`.
144  *
145  * @param message The input message.
146  * @param message_len The input message length in bytes.
147  * @param[out] digest Output buffer for the result.
148  * @return Error status.
149  */
150 OT_WARN_UNUSED_RESULT
151 status_t kmac_sha3_512(const uint8_t *message, size_t message_len,
152  uint32_t *digest);
153 
154 /**
155  * Compute SHAKE-128 in one-shot.
156  *
157  * The caller must ensure that `digest_len` words are allocated at the location
158  * pointed to by `digest`.
159  *
160  * @param message The input message.
161  * @param message_len The input message length in bytes.
162  * @param[out] digest Output buffer for the result.
163  * @param digest_len Requested digest length in 32-bit words.
164  * @return Error status.
165  */
166 OT_WARN_UNUSED_RESULT
167 status_t kmac_shake_128(const uint8_t *message, size_t message_len,
168  uint32_t *digest, size_t digest_len);
169 
170 /**
171  * Compute SHAKE-256 in one-shot.
172  *
173  * The caller must ensure that `digest_len` words are allocated at the location
174  * pointed to by `digest`.
175  *
176  * @param message The input message.
177  * @param message_len The input message length in bytes.
178  * @param[out] digest Output buffer for the result.
179  * @param digest_len Requested digest length in 32-bit words.
180  * @return Error status.
181  */
182 OT_WARN_UNUSED_RESULT
183 status_t kmac_shake_256(const uint8_t *message, size_t message_len,
184  uint32_t *digest, size_t digest_len);
185 
186 /**
187  * Compute CSHAKE-128 in one-shot.
188  *
189  * The caller must ensure that `digest_len` words are allocated at the location
190  * pointed to by `digest`.
191  *
192  * @param message The input message.
193  * @param message_len The input message length in bytes.
194  * @param func_name The function name.
195  * @param func_name_len The function name length in bytes.
196  * @param cust_str The customization string.
197  * @param cust_str_len The customization string length in bytes.
198  * @param[out] digest Output buffer for the result.
199  * @param digest_len Requested digest length in 32-bit words.
200  * @return Error status.
201  */
202 OT_WARN_UNUSED_RESULT
203 status_t kmac_cshake_128(const uint8_t *message, size_t message_len,
204  const unsigned char *func_name, size_t func_name_len,
205  const unsigned char *cust_str, size_t cust_str_len,
206  uint32_t *digest, size_t digest_len);
207 
208 /**
209  * Compute CSHAKE-256 in one-shot.
210  *
211  * The caller must ensure that `digest_len` words are allocated at the location
212  * pointed to by `digest`.
213  *
214  * @param message The input message.
215  * @param message_len The input message length in bytes.
216  * @param func_name The function name.
217  * @param func_name_len The function name length in bytes.
218  * @param cust_str The customization string.
219  * @param cust_str_len The customization string length in bytes.
220  * @param[out] digest Output buffer for the result.
221  * @param digest_len Requested digest length in 32-bit words.
222  * @return Error status.
223  */
224 OT_WARN_UNUSED_RESULT
225 status_t kmac_cshake_256(const uint8_t *message, size_t message_len,
226  const unsigned char *func_name, size_t func_name_len,
227  const unsigned char *cust_str, size_t cust_str_len,
228  uint32_t *digest, size_t digest_len);
229 
230 /**
231  * Compute KMAC-128 in one-shot.
232  *
233  * This function also supports sideloading the key from the Keymgr through a
234  * peripheral port inaccessible to SW. In order to sideload the key, the caller
235  * needs to set `key->hw_backed` to `kHardenedBoolTrue`. When sideloading,
236  * `key->length` must correspond to the sideload key size
237  * `kKmacSideloadKeyLength / 8` and `share` pointers must be set to NULL.
238  *
239  * With SW-provided keys, `key->hw_backed` must be `kHardenedBoolFalse`, `share`
240  * pointers must be correctly configured and `len` must match the key length.
241  *
242  * The caller must ensure that `digest_len` words are allocated at the location
243  * pointed to by `digest`. `cust_str_len` must not exceed `kKmacCustStrMaxSize`.
244  *
245  * @param message The input message.
246  * @param message_len The input message length in bytes.
247  * @param cust_str The customization string.
248  * @param cust_str_len The customization string length in bytes.
249  * @param[out] digest Output buffer for the result.
250  * @param digest_len Requested digest length in 32-bit words.
251  * @return Error status.
252  */
253 OT_WARN_UNUSED_RESULT
254 status_t kmac_kmac_128(kmac_blinded_key_t *key, const uint8_t *message,
255  size_t message_len, const unsigned char *cust_str,
256  size_t cust_str_len, uint32_t *digest,
257  size_t digest_len);
258 
259 /**
260  * Compute KMAC-256 in one-shot.
261  *
262  * This function also supports sideloading the key from the Keymgr through a
263  * peripheral port inaccessible to SW. In order to sideload the key, the caller
264  * needs to set `key->hw_backed` to `kHardenedBoolTrue`. When sideloading,
265  * `key->length` must correspond to the sideload key size
266  * `kKmacSideloadKeyLength / 8` and `share` pointers must be set to NULL.
267  *
268  * With SW-provided keys, `key->hw_backed` must be `kHardenedBoolFalse`, `share`
269  * pointers must be correctly configured and `len` must match the key length.
270  *
271  * The caller must ensure that `digest_len` words are allocated at the location
272  * pointed to by `digest`. `cust_str_len` must not exceed `kKmacCustStrMaxSize`.
273  *
274  * @param message The input message.
275  * @param message_len The input message length in bytes.
276  * @param cust_str The customization string.
277  * @param cust_str_len The customization string length in bytes.
278  * @param[out] digest Output buffer for the result.
279  * @param digest_len Requested digest length in 32-bit words.
280  * @return Error status.
281  */
282 OT_WARN_UNUSED_RESULT
283 status_t kmac_kmac_256(kmac_blinded_key_t *key, const uint8_t *message,
284  size_t message_len, const unsigned char *cust_str,
285  size_t cust_str_len, uint32_t *digest,
286  size_t digest_len);
287 
288 #ifdef __cplusplus
289 }
290 #endif
291 
292 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_DRIVERS_KMAC_H_
Return to OpenTitan Documentation