[Cryptech-Commits] [user/js/keywrap] branch auto_zeroise updated: Adding support for SW to keep loaded key alive by reading status. Adding support for SW to trigger zeroisation of a loaded key.

git at cryptech.is git at cryptech.is
Sun Dec 9 10:30:29 UTC 2018


This is an automated email from the git hooks/post-receive script.

joachim at secworks.se pushed a commit to branch auto_zeroise
in repository user/js/keywrap.

The following commit(s) were added to refs/heads/auto_zeroise by this push:
     new 31ccc06  Adding support for SW to keep loaded key alive by reading status. Adding support for SW to trigger zeroisation of a loaded key.
31ccc06 is described below

commit 31ccc060dbd0ba6daa2eedb8911b40603b96a26f
Author: Joachim Strömbergson <joachim at secworks.se>
AuthorDate: Sun Dec 9 11:30:09 2018 +0100

    Adding support for SW to keep loaded key alive by reading status. Adding support for SW to trigger zeroisation of a loaded key.
---
 src/rtl/keywrap.v        | 25 ++++++++++++++++++++++---
 src/rtl/keywrap_core.v   | 16 +++++++++-------
 src/tb/tb_keywrap_core.v | 17 ++++++++++++-----
 3 files changed, 43 insertions(+), 15 deletions(-)

diff --git a/src/rtl/keywrap.v b/src/rtl/keywrap.v
index c03e903..02c20fc 100644
--- a/src/rtl/keywrap.v
+++ b/src/rtl/keywrap.v
@@ -72,6 +72,7 @@ module keywrap #(parameter ADDR_BITS = 13)
   localparam ADDR_CTRL        = 8'h08;
   localparam CTRL_INIT_BIT    = 0;
   localparam CTRL_NEXT_BIT    = 1;
+  localparam CTRL_ZEROISE_BIT = 2;
 
   localparam ADDR_STATUS       = 8'h09;
   localparam STATUS_READY_BIT  = 0;
@@ -136,6 +137,12 @@ module keywrap #(parameter ADDR_BITS = 13)
   reg [31 : 0] timeout_reg;
   reg          timeout_we;
 
+  reg          ping_reg;
+  reg          ping_new;
+
+  reg          zeroise_reg;
+  reg          zeroise_new;
+
   reg [31 : 0] api_rd_delay_reg;
   reg [31 : 0] api_rd_delay_new;
 
@@ -192,6 +199,8 @@ module keywrap #(parameter ADDR_BITS = 13)
                     .loaded(core_loaded),
 
                     .timeout(timeout_reg),
+                    .ping(ping_reg),
+                    .zeroise(zeroise_reg),
 
                     .rlen(rlen_reg),
 
@@ -232,6 +241,8 @@ module keywrap #(parameter ADDR_BITS = 13)
           a1_reg           <= 32'h0;
           api_rd_delay_reg <= 32'h0;
           timeout_reg      <= DEFAULT_TIMEOUT;
+          ping_reg         <= 1'h0;
+          zeroise_reg      <= 1'h0;
         end
       else
         begin
@@ -240,6 +251,8 @@ module keywrap #(parameter ADDR_BITS = 13)
           loaded_reg       <= core_loaded;
           init_reg         <= init_new;
           next_reg         <= next_new;
+          ping_reg         <= ping_new;
+          zeroise_reg      <= zeroise_new;
           api_rd_delay_reg <= api_rd_delay_new;
 
           if (config_we)
@@ -283,6 +296,8 @@ module keywrap #(parameter ADDR_BITS = 13)
       a1_we            = 1'h0;
       tmp_read_data    = 32'h0;
       tmp_error        = 1'h0;
+      ping_new         = 1'h0;
+      zeroise_new      = 1'h0;
       api_rd_delay_new = 32'h0;
 
       // api_mux
@@ -297,8 +312,9 @@ module keywrap #(parameter ADDR_BITS = 13)
             begin
               if (address == {{PAD{1'h0}}, ADDR_CTRL})
                 begin
-                  init_new = write_data[CTRL_INIT_BIT];
-                  next_new = write_data[CTRL_NEXT_BIT];
+                  init_new    = write_data[CTRL_INIT_BIT];
+                  next_new    = write_data[CTRL_NEXT_BIT];
+                  zeroise_new = write_data[CTRL_ZEROISE_BIT];
                 end
 
               if (address == {{PAD{1'h0}}, ADDR_CONFIG})
@@ -339,7 +355,10 @@ module keywrap #(parameter ADDR_BITS = 13)
                 api_rd_delay_new = {28'h0, keylen_reg, encdec_reg, next_reg, init_reg};
 
               if (address == {{PAD{1'h0}}, ADDR_STATUS})
-                api_rd_delay_new = {29'h0, loaded_reg, valid_reg, ready_reg};
+                begin
+                  api_rd_delay_new = {29'h0, loaded_reg, valid_reg, ready_reg};
+                  ping_new = 1'h1;
+                end
 
               if (address == {{PAD{1'h0}}, ADDR_TIMEOUT})
                 api_rd_delay_new = timeout_reg;
diff --git a/src/rtl/keywrap_core.v b/src/rtl/keywrap_core.v
index 5e4173e..41ad531 100644
--- a/src/rtl/keywrap_core.v
+++ b/src/rtl/keywrap_core.v
@@ -54,6 +54,8 @@ module keywrap_core #(parameter MEM_BITS = 11)
                      output wire                      loaded,
 
                      input wire [31 : 0]              timeout,
+                     input wire                       ping,
+                     input wire                       zeroise,
 
                      input wire [(MEM_BITS - 2) : 0]  rlen,
 
@@ -150,7 +152,7 @@ module keywrap_core #(parameter MEM_BITS = 11)
   wire [127 : 0] aes_result;
 
   reg            update_state;
-  reg            zeroise;
+  reg            zero_key;
 
   reg                      core_we;
   reg [(MEM_BITS - 2) : 0] core_addr;
@@ -256,7 +258,7 @@ module keywrap_core #(parameter MEM_BITS = 11)
   //----------------------------------------------------------------
   always @*
     begin : zeroise_mux
-      if (zeroise)
+      if (zero_key)
         begin
           aes_key    = 256'h0;
           aes_keylen = 1'h1;
@@ -392,7 +394,7 @@ module keywrap_core #(parameter MEM_BITS = 11)
       if (key_timeout_ctr_reg == 36'h0)
         key_timeout = 1'h1;
 
-      if (key_timeout_ctr_set)
+      if (key_timeout_ctr_set || ping)
         begin
           key_timeout_ctr_new = {timeout, 4'h0};
           key_timeout_ctr_we  = 1'h1;
@@ -429,7 +431,7 @@ module keywrap_core #(parameter MEM_BITS = 11)
       iteration_ctr_rst     = 1'h0;
       key_timeout_ctr_set   = 1'h0;
       key_timeout_ctr_dec   = 1'h0;
-      zeroise               = 1'h0;
+      zero_key              = 1'h0;
       key_loaded_new        = 1'h0;
       key_loaded_we         = 1'h0;
       keywrap_core_ctrl_new = CTRL_IDLE;
@@ -441,10 +443,10 @@ module keywrap_core #(parameter MEM_BITS = 11)
           begin
             if (key_loaded_reg)
               begin
-                if (key_timeout)
+                if (key_timeout || zeroise)
                   begin
                     aes_init              = 1'h1;
-                    zeroise               = 1'h1;
+                    zero_key              = 1'h1;
                     ready_new             = 1'h0;
                     ready_we              = 1'h1;
                     valid_new             = 1'h0;
@@ -621,7 +623,7 @@ module keywrap_core #(parameter MEM_BITS = 11)
 
         CTRL_ZERO_WAIT:
           begin
-            zeroise = 1'h1;
+            zero_key = 1'h1;
             if (aes_ready)
               begin
                 ready_new             = 1'h1;
diff --git a/src/tb/tb_keywrap_core.v b/src/tb/tb_keywrap_core.v
index 1212ad7..7f9c42d 100644
--- a/src/tb/tb_keywrap_core.v
+++ b/src/tb/tb_keywrap_core.v
@@ -69,6 +69,8 @@ module tb_keywrap_core();
   wire                          tb_valid;
   wire                          tb_loaded;
   reg [31 : 0]                  tb_timeout;
+  reg                           tb_ping;
+  reg                           tb_zeroise;
   reg [(RLEN_BITS - 1) : 0]     tb_rlen;
   reg [255 : 0]                 tb_key;
   reg                           tb_keylen;
@@ -97,6 +99,8 @@ module tb_keywrap_core();
                    .loaded(tb_loaded),
 
                    .timeout(tb_timeout),
+                   .ping(tb_ping),
+                   .zeroise(tb_zeroise),
 
                    .rlen(tb_rlen),
                    .key(tb_key),
@@ -152,14 +156,17 @@ module tb_keywrap_core();
       tb_clk     = 0;
       tb_reset_n = 0;
 
-      tb_init        = 0;
-      tb_next        = 0;
-      tb_encdec      = 0;
+      tb_init        = 1'h0;
+      tb_next        = 1'h0;
+      tb_encdec      = 1'h0;
       tb_rlen        = 13'h0;
       tb_key         = 256'h0;
-      tb_keylen      = 0;
+      tb_keylen      = 1'h0;
+      tb_timeout     = 32'hdeadbeef;
+      tb_ping        = 1'h0;
+      tb_zeroise     = 1'h0;
       tb_a_init      = 64'h0;
-      tb_api_we      = 0;
+      tb_api_we      = 1'h0;
       tb_api_addr    = 14'h0;
       tb_api_wr_data = 32'h0;
 

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.


More information about the Commits mailing list