Silicon Labs: Add cryptographic acceleration support

[stevew817]

Initial commit of mbed TLS hardware acceleration drivers for Silicon Labs parts

Description

This commit adds HW acceleration drivers for mbed TLS on Silicon Labs parts.

Hardware support:
EFM32ZG/HG/WG/GG/LG:

• support for AES-128 and AES-256

EFR32MG1/EFM32PG1:

• support for AES-128 and AES-256
• support for ECP acceleration on secp192r1, secp224r1 and secp256r1
• support for SHA1 and SHA-256

EFR32MG12/EFM32PG12:

• two accelerator units available when in threaded mode
• support for hardware TRNG
• support for AES-128 and AES-256
• support for ECP acceleration on secp192r1, secp224r1 and secp256r1
• support for SHA1 and SHA-256

Status

READY

• Tested with TESTS/mbedtls/* on mbed-os master

+---------------------------+-------------------+------------------------+---------------------------+--------+--------+--------+--------------------+
| target                    | platform_name     | test suite             | test case                 | passed | failed | result | elapsed_time (sec) |
+---------------------------+-------------------+------------------------+---------------------------+--------+--------+--------+--------------------+
| EFM32PG12_STK3402-GCC_ARM | EFM32PG12_STK3402 | tests-mbedtls-multi    | Crypto: sha256_multi      | 1      | 0      | OK     | 0.08               |
| EFM32PG12_STK3402-GCC_ARM | EFM32PG12_STK3402 | tests-mbedtls-multi    | Crypto: sha256_split      | 1      | 0      | OK     | 0.04               |
| EFM32PG12_STK3402-GCC_ARM | EFM32PG12_STK3402 | tests-mbedtls-selftest | mbedtls_entropy_self_test | 1      | 0      | OK     | 0.04               |
| EFM32PG12_STK3402-GCC_ARM | EFM32PG12_STK3402 | tests-mbedtls-selftest | mbedtls_sha256_self_test  | 1      | 0      | OK     | 0.12               |
| EFM32PG12_STK3402-GCC_ARM | EFM32PG12_STK3402 | tests-mbedtls-selftest | mbedtls_sha512_self_test  | 1      | 0      | OK     | 8.27               |
+---------------------------+-------------------+------------------------+---------------------------+--------+--------+--------+--------------------+
mbedgt: test case results: 5 OK

• Underlying drivers have been tested on the full mbed TLS test suite
• Effect of hardware acceleration with mbed-os-example-tls / benchmark on EFM32PG12, single threaded.

  SHA-256                  :      12871 KB/s
  SHA-512                  :        209 KB/s
  AES-CBC-128              :       4254 KB/s
  AES-CBC-192              :     560329 KB/s
  AES-CBC-256              :       3740 KB/s
  AES-GCM-128              :        210 KB/s
  AES-GCM-192              :     100927 KB/s
  AES-GCM-256              :        208 KB/s
  AES-CCM-128              :        459 KB/s
  AES-CCM-192              :      69031 KB/s
  AES-CCM-256              :        440 KB/s
  CTR_DRBG (NOPR)          :       1497 KB/s
  CTR_DRBG (PR)            :       1008 KB/s
  HMAC_DRBG SHA-256 (NOPR) :        452 KB/s
  HMAC_DRBG SHA-256 (PR)   :        387 KB/s
  RSA-2048                 :      85 ms/ public
  RSA-2048                 :    3253 ms/private
  RSA-4096                 :     287 ms/ public
  RSA-4096                 :   17465 ms/private
  ECDHE-secp384r1          :    2683 ms/handshake
  ECDHE-secp256r1          :      94 ms/handshake
  ECDHE-Curve25519         :    1433 ms/handshake
  ECDH-secp384r1           :    1320 ms/handshake
  ECDH-secp256r1           :      45 ms/handshake
  ECDH-Curve25519          :     741 ms/handshake

DONE

Todos

• Tests
• Documentation

Deploy notes

None

[stevew817]

CC:
@screamerbg @0xc0170 @yanesca

[amq]

Why is AES-192 much faster than AES-128?

upd: I see, it's unsupported (MBEDTLS_ERR_AES_INVALID_KEY_LENGTH)

[stevew817]

@amq Correct. Sadly, the benchmark application doesn't actually check the validity of the operation. That's why one needs to run the mbed OS tests for mbed TLS in addition (though not a bad idea regardless).

[theotherjimmy]

@stevew817 The travis errors were resolved in #4839. Could you rebase so that travis can pass?

[theotherjimmy]

@stevew817 Thanks for the PR. We use the PR titles in release notes, which are formatted with markdown. The [ and ] characters are markdown syntax for a link, which I don't thin is your intent. Could you replace them with a :?

[stevew817]

@theotherjimmy Rebased and renamed.

[theotherjimmy]

Excelent. Let's do some reviewing!

[screamerbg]

PR is ready for review @RonEld @yanesca @sbutcher-arm @andresag01

[RonEld]

This PR is a mixture of several features and topics. It would have been better if this PR was split to several PRs
There are some recurring comments on the critical section, that probably only needs expanation, but there are other comments that need your addressing.
@hanno-arm please review as well

[RonEld]

If this Macro is undefined, you will probably have link error, because you will have undefined functions - the aes functions will not be compiled in mbedtls/src/aes.c because of the MBEDTLS_AES_ALT , and they will not be compiled in this file because of this macro.

[stevew817]

MBEDTLS_AES_ALT is only defined when CRYPTO_PRESENT is defined (see mbedtls_device.h)

[andresag01]

@stevew817: I think you are correct, but given that the dependency is MBEDTLS_AES_ALT on CRYPTO_PRESENT and not the other way around (as in mbedtls_device.h) I think that this preprocessor check should be around #if defined(MBEDTLS_AES_ALT) and not the other way around. At the moment this is not an issue, but if in the future this changes, then it is much easier to make a mistake...

[yanesca]

Looking at mbedtls_device.h I would think that MBEDTLS_AES_ALT is also defined when AES_PRESENT is defined. And if I understand correctly in this caseCRYPTO_PRESENT can't be defined.

Could you please help me understand

• why are the contents of crypto_aes.c protected by #if defined(CRYPTO_PRESENT) guards, but the contents of aes_aes.c are not protected by #if defined(AES_PRESENT) macros?
• why are mbedtls_aes_decrypt() and mbedtls_aes_encrypt() implemented in aes_aes.c but not in crypto_aes.c?

[stevew817]

• aes_aes.c is protected by AES_PRESENT (line 28)
• mbedtls_aes_encrypt and _decrypt not being present in crypto_aes was an oversight, fixed.

[RonEld]

it is better to do sizeof(temp) rather than 16.

[RonEld]

it is better to do sizeof(temp) rather than 16.
Can you assure that val is of length 16?

[stevew817]

Yes. If you look through the usages, all calls to DataWrite/DataRead happen with buffers that are checked to be 16 bytes. They have to, since the Data registers are 128 bits, and don't accept partial reads/writes.

[RonEld]

ok

[RonEld]

Keep in mind that once Mbed-TLS/mbedtls#964 will be approved and merged, this error should probably be changed to MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE for 192 bit size key.
But since the PR is not merged and fully approved, it is not final yet

[stevew817]

Considering the PR hasn't made it in, I can't return the new error code in my port...

[RonEld]

Of course, this comment was only an FYI, so will know that you will probably need to change this in the future

[RonEld]

I assume this is a critical section.
What resource are you protecting? Is it device? if yes, then you should protect also the device->WAC = 0 and device->CTRL = 0 a few lines before

[stevew817]

The resource we are protecting with critical sections is writing to or reading from 128-bit, 256-bit or 512-bit registers in our accelerator. Since that operation is done with actionable reads/writes from/to a single 32-bit register, they have to be protected against preemption.

The other registers (such as WAC and CTRL) are regular registers, which we get control over by acquiring the device. In the case of preemption, these values will be backed up and put back by the preempting code, so their use is safe.

[RonEld]

ok , thanks

[RonEld]

same comment on the critical section

[stevew817]

Same comment as before on the consecutive reads/writes needed to load a full 128-bit value

[RonEld]

shouldn't ctx->total[0] be decreased with what was processed already?

[stevew817]

ctx->total is an upcounter to count the amount of SHA'd bytes, and it is updated with the total amount of data passed to this function (ilen) earlier in this function.

[RonEld]

have you tested a use case of Doing twice update of 65 bytes, and then finish?
I think I understand what you did.
Isn't it better to have only one counter, that will only tell the size of the "residue buffer"? Once this "counter" will reach 64, you will call crypto_sha_update_state , and set this residue buffer size to zero

[RonEld]

shouldn't ctx->total[0] be decreased with what was processed already?

[stevew817]

ctx->total is an upcounter to count the amount of SHA'd bytes, and it is updated with the total amount of data passed to this function (ilen) earlier in this function.

[RonEld]

I think I understand what you did.
Isn't it better to have only one counter, that will only tell the size of the "residue buffer"? Once this "counter" will reach 64, you will call crypto_sha_update_state , and set this residue buffer size to zero

[RonEld]

this is very much similar as mbedtls_sha256_finish.
Consider combining the two, when possible

[stevew817]

Considering the context struct and output length are different, I don't really see the point of adding yet another function call to the stack for maybe a few bytes of code space gain.

[RonEld]

ok

[RonEld]

This should not be defined in this file. It's configuration specific

[stevew817]

Okay.

[stevew817]

@RonEld I think I answered all of your questions and committed your feedback.

[stevew817]

@0xc0170 why did uvisor CI fail?

[0xc0170]

retest uvisor

[0xc0170]

@0xc0170 why did uvisor CI fail?

Jenkins error, needs restart

[stevew817]

@0xc0170 Did the retest work? It looks to be still failing...

[0xc0170]

@mazimkhan Can you please restart uvisor? Seems like my last comment did not

[stevew817]

@RonEld did I satisfy your concerns?

[RonEld]

@stevew817 I am still not sure why you can't set the key buffer in teh context when you set the key, and when doing the specific cryptographic operation, you set the key in the HW register
Other than that, my questions were answered

[stevew817]

@RonEld This only applies when setting a decryption key. For AES on our parts, the 'key' needs to be pre-processed when you are doing a decryption operation. This pre-processing is what you are seeing in setkey_dec.
See paragraph 27.4.4 (about PlainKey and CipherKey) in https://www.silabs.com/documents/public/reference-manuals/EFR32xG1-ReferenceManual.pdf

[RonEld]

@stevew817 Thanks for the reference
According to your reference:" After one decryption, the resulting key will be the PlainKey."
Is the key in the register still Cipherkey?
What I mean is, will the operation:

mbedtls_aes_setkey_dec
mbedtls_aes_crypt_cbc
mbedtls_aes_crypt_cbc

Work, or will you need to load the Cipher key again between every operation?

[stevew817]

@RonEld We don't read back the key register after aes_crypt_cbc, and the next call will put the key from the context in the keybuf register, so the operation you mentioned will work.

[RonEld]

OK, thanks

[stevew817]

@RonEld Do I need a review from anyone else?

[RonEld]

@stevew817 Yes. I am not hte final gate keeper for mbed TLS

[stevew817]

@adbridge done.

[stevew817]

@adbridge @0xc0170 Anything else keeping this from being merged?

[adbridge]

@mazimkhan @hanno-arm please confirm you are happy with the rework

[hanno-becker]

@adbridge: @Patater is stepping in for @mazimkhan during his paternity leave. I'll synchronize with @sbutcher-arm to see if this needs a third review with @RonEld's still present from the time before the reshuffling.

[hanno-becker]

@adbridge: It was decided by @sbutcher-arm that for this PR, two reviews (by @Patater and @RonEld) are sufficient.

[adbridge]

@Patater Could you give this the final once over then please. This has been outstanding for 3 months

[0xc0170]

/morph build

[mbed-ci]

Build : SUCCESS

Build number : 460
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/4825/

Triggering tests

/morph test
/morph uvisor-test

[mbed-ci]

Test : SUCCESS

Build number : 280
Test logs :http://mbed-os-logs.s3-website-us-west-1.amazonaws.com/?prefix=logs/4825/280

[Patater]

This is looking pretty good to me; it's close. I have a number of questions and style/maintainability suggestions.

In general, the coding style is not consistent in this PR. Please consider using a consistent coding style (preferably Mbed OS style).

[Patater]

Would it be better to use MBEDTLS_AES_BLOCK_SIZE or AES_BLOCKSIZE instead of "16" wherever applicable in this PR? (Might require making a new define in this file)

[stevew817]

Considering the 16 byte size is also hardcoded in the function signature, I think it should be fine hardcoding it here as well. The blocksize is never -ever- going to change.

[Patater]

OK.

The main reason for doing this would be readability and not because we'd want to change it in the future.

[Patater]

It's weird that crypto_management_acquire is called inside the else but crypto_management_release is called outside the else. Due to the use of continue in the if body, consider removing the else or moving the crypto_management_release inside the else body.

[stevew817]

I think you read the code wrong? _acquire and _release are both at the same level inside the else.

[Patater]

OK.

I now see crypto_management_release is inside the else body.

[Patater]

Due to the continue in the if body, consider if this else is really needed.

Similar crypto_management_acquire and crypto_management_release imbalance is here as in mbedtls_aes_crypt_cfb128.

[stevew817]

Similar comment here... Are we looking at different versions of the code? I really do see acquire on line 498, which is inside the else and on the same level as the release on line 543.

[Patater]

OK.

I now see crypto_management_release is inside the else body.

[Patater]

I wish we had a way to avoid these busy loops.

See #5206 to track this issue.

However, even if this was addressed in Mbed OS through, for example, a new Mbed-OS-specific feature, could you make use of it? You mention this code must run on other platforms than Mbed OS, but I'd hate to see potential energy efficiency gains thrown away for the sake of portability.

[stevew817]

This might be a future feature best implemented using the mbedTLS threading primitives (if the api would support semaphores in addition to mutexes, since the release would happen from IRQ).

For this specific case, I doubt it would make a whole lot of sense since an AES block operation only takes about 70 clock cycles anyways. Context-switching away and back again would be more expensive. Halting the core might be an alternative.

For efficiency when using accelerators, how about adding an API for multi-block ECB operations? Setting up and tearing down the accelerator for each block is expensive.

[Patater]

Please place parenthesis around all invoked macro parameters.

- #define EC_BIGINT_COPY(X, Y) memcpy(X, Y, sizeof(ecc_bigint_t));
+ #define EC_BIGINT_COPY(X, Y) memcpy((X), (Y), sizeof(ecc_bigint_t));

[stevew817]

okay

[Patater]

Don't use MBEDTLS prefix here, please.

[stevew817]

okay

[Patater]

Consider making a #define for 64.

[stevew817]

Sure. Can I point out that the mbed TLS 'official' software implementation doesn't use a define for SHA blocksize, either? And the blocksize is hardcoded as part of the API?

[Patater]

Consider making a #define for 32.

[stevew817]

Sure.

[Patater]

Can we put this on EFM32 or do not all EFM32 have hardware support now?

[stevew817]

Sure, it can be moved to the EFM32 generic target.

[Patater]

Why is MBEDTLS_CONFIG_HW_SUPPORT added to extra_labels_add on this target instead of to macros like on other targets?

[stevew817]

Oops. Fixed.

[ashok-rao]

@stevew817 FYI, some new comments received. Could you please check?

[stevew817]

@ashok-rao @Patater Will do.

[Patater]

LGTM

[0xc0170]

Apply feedback by @Patater

The commits looks good but the message does not say much what is it fixing. Can you fix it?

/morph build

[mbed-ci]

Build : FAILURE

Build number : 502
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/4825/

[mbed-ci]

Build : SUCCESS

Build number : 507
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/4825/

Triggering tests

/morph test
/morph uvisor-test
/morph export-build

[theotherjimmy]

/morph test
/morph uvisor-test

[mbed-ci]

Exporter Build : SUCCESS

Build number : 121
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/exporter/4825/

[mbed-ci]

Test : SUCCESS

Build number : 317
Test logs :http://mbed-os-logs.s3-website-us-west-1.amazonaws.com/?prefix=logs/4825/317