[hmac] Initial implementation of save & restore #21307
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andreaskurth
added
Component:DV
andreaskurth
requested review from
hcallahan-lowrisc,
rswarbrick,
gdessouky,
vogelpi and
msfschaffner
and removed request for
a team
|
@gdessouky As discussed, here's a first implementation of save & restore. I would be super happy to get your feedback on this. Unless you think this is fundamentally broken, I think it would be good to get this merged soon, so that SW folks can write a small test that exercises this to check that it meets their needs. |
andreaskurth
force-pushed
the
hmac-save-and-restore
branch
2 times, most recently
from
a130858 to
dd8b50f
Compare
|
kokoro reported lint errors that I've fixed by now; the remaining flow errors seem to be spurious. |
andreaskurth
force-pushed
the
hmac-save-and-restore
branch
from
996a787 to
9b15e15
Compare
rswarbrick
reviewed
Feb 14, 2024
rswarbrick
reviewed
Feb 14, 2024
| @@ -195,6 +201,24 @@ | |||
| based on currently received message. | |||
| ''' | |||
| } | |||
| { bits: "2", | |||
| name: "hash_stop", | |||
There was a problem hiding this comment.
@moidx @jadephilipoom @ballifatih can you take a look at the API changes to double check this is fulfills the requirements of the cryptolib?
msfschaffner
requested review from
moidx,
jadephilipoom,
ballifatih and
msfschaffner
| 6. Restore the context of message stream A by writing the `CFG`, `DIGEST_0`..`7`, and `MSG_LENGTH_`{`LOWER`,`UPPER`} registers. | ||
| 7. Continue processing message stream A by setting the `CMD.hash_restart` bit. | ||
| 8. Write an arbitrary number of message blocks to HMAC's `MSG_FIFO`. | ||
| 9. Continue this with as many message blocks and parallel message streams as needed. The final hash for any message stream can be obtained at any time (no need for complete blocks) by setting `CMD.hash_process` and waiting for the `hmac_done` interrupt / status bit, finally reading the digest from the `DIGEST` registers. |
There was a problem hiding this comment.
|
Thanks for doing this (and splitting up the work into multiple easy-to-review commits)! |
jadephilipoom
approved these changes
Feb 16, 2024
|
Thanks @andreaskurth, this looks good to me too, but I still hope to go through this in detail later today. Sorry to not have gotten to it yet, but been struggling with DV issues for the extended digest feature at my end :( |
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
The components of the `event_intr` signal can directly be fed into the `prim_intr_hw` modules, so there's no need for this intermediary signal. Signed-off-by: Andreas Kurth <adk@lowrisc.org>
This signals whether the hash computation is actively running -- as opposed to `idle_o`, which also is also false (thus 'busy') when waiting for a FIFO input. Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Prior to this commit, *done* would only be signaled when done with processing a full message. Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
The chances for doing this save & restore are controlled by the knob introduced in the previous commit. Signed-off-by: Andreas Kurth <adk@lowrisc.org>
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
andreaskurth
force-pushed
the
hmac-save-and-restore
branch
from
ad6c1ba to
f7bc865
Compare
andreaskurth
added a commit
to andreaskurth/opentitan
that referenced
this pull request
Feb 27, 2024
With the addition of *save & restore* (PR lowRISC#21307) and *wider digest and configurable key length* (PR lowRISC#21604), HMAC will see major changes. For this reason, this commit gives HMAC a major version bump to 2.0.0 and resets its development stages to L1 (Development), D1 (Functional), V0 (*Initial Work* because the DV environment may not be completely functional for some time), and S0 (*Initial Work* because the DIF may not be completely functional for some time). The previous version 1.0.0 got assigned a commit ID for future reference even though it had not reached L2, V3, and S3. Signed-off-by: Andreas Kurth <adk@lowrisc.org>
andreaskurth
added a commit
that referenced
this pull request
Feb 27, 2024
With the addition of *save & restore* (PR #21307) and *wider digest and configurable key length* (PR #21604), HMAC will see major changes. For this reason, this commit gives HMAC a major version bump to 2.0.0 and resets its development stages to L1 (Development), D1 (Functional), V0 (*Initial Work* because the DV environment may not be completely functional for some time), and S0 (*Initial Work* because the DIF may not be completely functional for some time). The previous version 1.0.0 got assigned a commit ID for future reference even though it had not reached L2, V3, and S3. Signed-off-by: Andreas Kurth <adk@lowrisc.org>
This was referenced Feb 27, 2024
|
Awesome, thanks for getting this merged! |
cdgori
reviewed
May 2, 2024
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an initial implementation of save & restore for HMAC (issue #49), which should allow SW to switch between different parallel message streams. In short, SW usage follows a pattern like this:
CMD.hash_startbit.MSG_FIFO.CMD.hash_stopbit and wait for thehmac_doneinterrupt (or poll the interrupt status register).DIGEST_0..7andMSG_LENGTH_{LOWER,UPPER} registers. (The values in theCFGregister must also be preserved, but that is purely SW-controlled so doesn't need to be read from HW.)CFG,DIGEST_0..7, andMSG_LENGTH_{LOWER,UPPER} registers.CMD.hash_continuebit.MSG_FIFO.CMD.hash_processand waiting for thehmac_doneinterrupt / status bit, finally reading the digest from theDIGESTregisters.A noteworthy limitation of this implementation is that context can only be switched on complete message blocks (512 bit for SHA-256). This is so that no additional internal state (i.e., working variables and round counter) needs to be exposed to and controlled from SW. As noted in issue #49, this shouldn't be a major limitation for SW, though.
Although this PR adds preliminary DV support for the changes, save & restore does not yet get checked by the tests (the
save_and_restore_pctrandomization knob is currently 0 for all tests). I have manually verified that save & restore works under the basic operating conditions for HMAC and SHA but this needs to be tested much more thoroughly, especially the corner cases. When one enables save & restores in the tests, one will get errors from DV. My first assessment is that these are DV limitations, not RTL bugs, though.I ran a full regression on HMAC to check that this doesn't break existing functionality or DV, and I got the same pass rates as reported in nightlies -- so no breakage of existing RTL & DV expected.
Opens before this PR can be merged:
Opens that can be resolved in a follow-up PR:
burst_wr_msgso this gets correctly checked and fully covered.--> tracked in #21708