[Cryptech-Commits] [user/js/keywrap] branch auto_zeroise updated: Adding untested code to implement timer controlled automatic zeroisation of key loaded into the aes core.
git at cryptech.is
git at cryptech.is
Fri Dec 7 12:27:51 UTC 2018
This is an automated email from the git hooks/post-receive script.
joachim at secworks.se pushed a commit to branch auto_zeroise
in repository user/js/keywrap.
The following commit(s) were added to refs/heads/auto_zeroise by this push:
new f1e48a9 Adding untested code to implement timer controlled automatic zeroisation of key loaded into the aes core.
f1e48a9 is described below
commit f1e48a9e98fdf99a1bb4acede331b0cc6be45863
Author: Joachim Strömbergson <joachim at secworks.se>
AuthorDate: Fri Dec 7 13:27:36 2018 +0100
Adding untested code to implement timer controlled automatic zeroisation of key loaded into the aes core.
---
src/rtl/keywrap_core.v | 156 +++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 133 insertions(+), 23 deletions(-)
diff --git a/src/rtl/keywrap_core.v b/src/rtl/keywrap_core.v
index b16e05d..5e4173e 100644
--- a/src/rtl/keywrap_core.v
+++ b/src/rtl/keywrap_core.v
@@ -86,6 +86,7 @@ module keywrap_core #(parameter MEM_BITS = 11)
localparam CTRL_NEXT_WCHECK = 4'h8;
localparam CTRL_NEXT_UCHECK = 4'h9;
localparam CTRL_NEXT_FINALIZE = 4'ha;
+ localparam CTRL_ZERO_WAIT = 4'hb;
//----------------------------------------------------------------
@@ -120,6 +121,17 @@ module keywrap_core #(parameter MEM_BITS = 11)
reg iteration_ctr_set;
reg iteration_ctr_rst;
+ reg [35 : 0] key_timeout_ctr_reg;
+ reg [35 : 0] key_timeout_ctr_new;
+ reg key_timeout_ctr_we;
+ reg key_timeout_ctr_set;
+ reg key_timeout_ctr_dec;
+ reg key_timeout;
+
+ reg key_loaded_reg;
+ reg key_loaded_new;
+ reg key_loaded_we;
+
reg [3 : 0] keywrap_core_ctrl_reg;
reg [3 : 0] keywrap_core_ctrl_new;
reg keywrap_core_ctrl_we;
@@ -132,10 +144,13 @@ module keywrap_core #(parameter MEM_BITS = 11)
reg aes_next;
wire aes_ready;
wire aes_valid;
+ reg [255 : 0] aes_key;
+ reg aes_keylen;
reg [127 : 0] aes_block;
wire [127 : 0] aes_result;
reg update_state;
+ reg zeroise;
reg core_we;
reg [(MEM_BITS - 2) : 0] core_addr;
@@ -170,8 +185,8 @@ module keywrap_core #(parameter MEM_BITS = 11)
.init(aes_init),
.next(aes_next),
- .key(key),
- .keylen(keylen),
+ .key(aes_key),
+ .keylen(aes_keylen),
.block(aes_block),
@@ -187,6 +202,7 @@ module keywrap_core #(parameter MEM_BITS = 11)
assign a_result = a_reg;
assign ready = ready_reg;
assign valid = valid_reg;
+ assign loaded = key_loaded_reg;
//----------------------------------------------------------------
@@ -201,6 +217,8 @@ module keywrap_core #(parameter MEM_BITS = 11)
valid_reg <= 1'h1;
block_ctr_reg <= {(MEM_BITS - 1){1'h0}};
iteration_ctr_reg <= 3'h0;
+ key_timeout_ctr_reg <= 36'h0;
+ key_loaded_reg <= 1'h0;
keywrap_core_ctrl_reg <= CTRL_IDLE;
end
@@ -221,12 +239,36 @@ module keywrap_core #(parameter MEM_BITS = 11)
if (iteration_ctr_we)
iteration_ctr_reg <= iteration_ctr_new;
+ if (key_timeout_ctr_we)
+ key_timeout_ctr_reg <= key_timeout_ctr_new;
+
+ if (key_loaded_we)
+ key_loaded_reg <= key_loaded_new;
+
if (keywrap_core_ctrl_we)
keywrap_core_ctrl_reg <= keywrap_core_ctrl_new;
end
end // reg_update
+ //----------------------------------------------------------------
+ // zeroise_mux
+ //----------------------------------------------------------------
+ always @*
+ begin : zeroise_mux
+ if (zeroise)
+ begin
+ aes_key = 256'h0;
+ aes_keylen = 1'h1;
+ end
+ else
+ begin
+ aes_key = key;
+ aes_keylen = keylen;
+ end
+ end
+
+
//----------------------------------------------------------------
// keywrap_logic
//
@@ -338,6 +380,32 @@ module keywrap_core #(parameter MEM_BITS = 11)
end
+ //----------------------------------------------------------------
+ // key_timeout_ctr
+ //----------------------------------------------------------------
+ always @*
+ begin : key_timeout_ctr
+ key_timeout_ctr_new = 36'h0;
+ key_timeout_ctr_we = 1'h0;
+ key_timeout = 1'h0;
+
+ if (key_timeout_ctr_reg == 36'h0)
+ key_timeout = 1'h1;
+
+ if (key_timeout_ctr_set)
+ begin
+ key_timeout_ctr_new = {timeout, 4'h0};
+ key_timeout_ctr_we = 1'h1;
+ end
+
+ if (key_timeout_ctr_dec)
+ begin
+ key_timeout_ctr_new = key_timeout_ctr_reg - 1'h1;
+ key_timeout_ctr_we = 1'h1;
+ end
+ end
+
+
//----------------------------------------------------------------
// keywrap_core_ctrl
//----------------------------------------------------------------
@@ -359,6 +427,11 @@ module keywrap_core #(parameter MEM_BITS = 11)
iteration_ctr_dec = 1'h0;
iteration_ctr_set = 1'h0;
iteration_ctr_rst = 1'h0;
+ key_timeout_ctr_set = 1'h0;
+ key_timeout_ctr_dec = 1'h0;
+ zeroise = 1'h0;
+ key_loaded_new = 1'h0;
+ key_loaded_we = 1'h0;
keywrap_core_ctrl_new = CTRL_IDLE;
keywrap_core_ctrl_we = 1'h0;
@@ -366,30 +439,50 @@ module keywrap_core #(parameter MEM_BITS = 11)
case (keywrap_core_ctrl_reg)
CTRL_IDLE:
begin
- if (init)
+ if (key_loaded_reg)
begin
- aes_init = 1'h1;
- ready_new = 1'h0;
- ready_we = 1'h1;
- valid_new = 1'h0;
- valid_we = 1'h1;
- keywrap_core_ctrl_new = CTRL_INIT_WAIT;
- keywrap_core_ctrl_we = 1'h1;
+ if (key_timeout)
+ begin
+ aes_init = 1'h1;
+ zeroise = 1'h1;
+ ready_new = 1'h0;
+ ready_we = 1'h1;
+ valid_new = 1'h0;
+ valid_we = 1'h1;
+ keywrap_core_ctrl_new = CTRL_ZERO_WAIT;
+ keywrap_core_ctrl_we = 1'h0;
+ end
+ else
+ begin
+ key_timeout_ctr_dec = 1'h1;
+ end
end
-
- if (next)
+ else
begin
- ready_new = 1'h0;
- ready_we = 1'h1;
- valid_new = 1'h0;
- valid_we = 1'h1;
- init_a = 1'h1;
-
- if (encdec)
- keywrap_core_ctrl_new = CTRL_NEXT_WSTART;
- else
- keywrap_core_ctrl_new = CTRL_NEXT_USTART;
- keywrap_core_ctrl_we = 1'h1;
+ if (init)
+ begin
+ aes_init = 1'h1;
+ ready_new = 1'h0;
+ ready_we = 1'h1;
+ valid_new = 1'h0;
+ valid_we = 1'h1;
+ keywrap_core_ctrl_new = CTRL_INIT_WAIT;
+ keywrap_core_ctrl_we = 1'h1;
+ end
+
+ if (next)
+ begin
+ ready_new = 1'h0;
+ ready_we = 1'h1;
+ valid_new = 1'h0;
+ valid_we = 1'h1;
+ init_a = 1'h1;
+ if (encdec)
+ keywrap_core_ctrl_new = CTRL_NEXT_WSTART;
+ else
+ keywrap_core_ctrl_new = CTRL_NEXT_USTART;
+ keywrap_core_ctrl_we = 1'h1;
+ end
end
end
@@ -400,6 +493,9 @@ module keywrap_core #(parameter MEM_BITS = 11)
begin
ready_new = 1'h1;
ready_we = 1'h1;
+ key_loaded_new = 1'h1;
+ key_loaded_we = 1'h1;
+ key_timeout_ctr_set = 1'h1;
keywrap_core_ctrl_new = CTRL_IDLE;
keywrap_core_ctrl_we = 1'h1;
end
@@ -517,10 +613,24 @@ module keywrap_core #(parameter MEM_BITS = 11)
ready_we = 1'h1;
valid_new = 1'h1;
valid_we = 1'h1;
+ key_timeout_ctr_set = 1'h1;
keywrap_core_ctrl_new = CTRL_IDLE;
keywrap_core_ctrl_we = 1'h1;
end
+
+ CTRL_ZERO_WAIT:
+ begin
+ zeroise = 1'h1;
+ if (aes_ready)
+ begin
+ ready_new = 1'h1;
+ ready_we = 1'h1;
+ keywrap_core_ctrl_new = CTRL_IDLE;
+ keywrap_core_ctrl_we = 1'h1;
+ end
+ end
+
default:
begin
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Commits
mailing list