[Cryptech Core] auto-zeroise vs integrated mkmif

Joachim Strömbergson joachim at assured.se
Thu Jan 17 12:43:37 UTC 2019


Aloha!

I've now completed the auto-zeroise functionality for the keywrap core.
The functionality works and does not interfere with long wrap/unwrap
operations. Basically the functionality allows SW to:

  1. Set a key expiration time for a loaded key.
  2. Keep a key alive by either performing wrap/unwrap operations, or
  3. Checking status of the core (which resets the timeout counter).
  4. If needed pull zeroise to directly force key zeroisation.

The functionality has low impact on the keywrap core, and crucially does
not change the AES core in any way. (Zeroisation is performed by
initializing AES with an all-zero key.) The changes are ready to be
merged. But I won't merge into keywrap master before Cryptech core has
decided to do so.


Another thing I have been working on in another keywrap branch is the
integration of the master key memory interface (mkmif) into keywrap.
This integration would allow the keywrap to be able to autonomously load
a stored master key from the MKM and use it for wrap/unwrap operations.

The changes to keywrap needed to integrate mkmif turned out to be more
substantial and complex than I anticipated. The changes are basically
done, but need substantial verification on real HW before I would start
to trust that it works. This change would move the responsibility for
the master key from SW to HW. A single mistake in the HW functionality
could potentially brick an HSM.


So, considering that the auto-zeroise functionality allows SW control of
the master key in the FPGA (control of how long it exists, trust that it
will be wiped when not used and ability to zeroise it when needed), do
we see a pressing need for the integration of mkmif into keywrap?

The big improvement that an integrated mkmif provides is that the master
key is never sent between the FPGA and MCU (after the master key has
been generated by the MCU and sent to the FPGA to be written to the MKM).

This could be achieved in other ways such as the changes to the FPGA
architecture with some core-core transfer support using FPGA internal
data buffers and DMA (which I have previously suggested). In such a
solution the mkmif would continue to be a separate core, but the key
material would be transferred to the keywrap core without leaving the
FPGA. This would basically achieve the same functionality as the
integrated mkmif would provide, but with less severe core changes.


Thoughts? Comments? Suggestions?

-- 
Med vänlig hälsning, Yours

Joachim Strömbergson
========================================================================
                               Assured AB
========================================================================
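
A behavioural sketch of the four software-visible behaviours listed in the mail, added here as an example; it is not Cryptech code and not part of the original message. The class and method names, the tick-based timing, and the choice to hold the counter while an operation runs are assumptions (the mail only states that long wrap/unwrap operations are not interfered with).

```python
from dataclasses import dataclass

ZERO_KEY = bytes(32)  # all-zero 256-bit key; the mail says zeroisation loads this into AES


@dataclass
class KeywrapModel:
    """Tick-based model of the timeout behaviour (hypothetical names throughout)."""
    key: bytes = ZERO_KEY
    key_valid: bool = False
    timeout: int = 0      # expiration time set by SW, in ticks
    counter: int = 0      # ticks left before auto-zeroise
    busy_left: int = 0    # ticks left in a running wrap/unwrap

    def load_key(self, key: bytes, timeout: int) -> None:
        # 1. SW loads a key and sets its expiration time.
        self.key, self.key_valid = key, True
        self.timeout = self.counter = timeout

    def start_op(self, duration: int) -> None:
        # 2. A wrap/unwrap operation keeps the key alive.
        if not self.key_valid:
            raise RuntimeError("no valid key loaded")
        self.busy_left, self.counter = duration, self.timeout

    def read_status(self) -> dict:
        # 3. A status read resets the timeout counter (only if a key is still loaded).
        if self.key_valid:
            self.counter = self.timeout
        return {"key_valid": self.key_valid, "busy": self.busy_left > 0}

    def zeroise(self) -> None:
        # 4. Forced (or automatic) zeroisation: replace the key with all zeros.
        self.key, self.key_valid = ZERO_KEY, False
        self.counter = self.busy_left = 0

    def tick(self, n: int = 1) -> None:
        for _ in range(n):
            if self.busy_left:
                # Assumption: the counter is held while an operation runs
                # and restarts when it completes.
                self.busy_left -= 1
                if self.busy_left == 0:
                    self.counter = self.timeout
            elif self.key_valid:
                self.counter -= 1
                if self.counter <= 0:
                    self.zeroise()
```
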
