From 09b10710e9f90ba2d482524da113fd860b2ab0c9 Mon Sep 17 00:00:00 2001
From: Alex Jones
Date: Tue, 17 Dec 2024 15:48:08 +0000
Subject: [PATCH 1/2] [ot] hw/opentitan: ot_rom_ctrl: Increase PRINCE rounds

For Earlgrey, the number of PRINCE cipher half rounds was increased from 2 to 3 (5 effective rounds to 7 effective rounds, including the substitution perm rounds). This was added for improved security, and requires a simple constant change.
---
 hw/opentitan/ot_rom_ctrl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/opentitan/ot_rom_ctrl.c b/hw/opentitan/ot_rom_ctrl.c
index a8dc233c99dd0..8064bef4b99f5 100644
--- a/hw/opentitan/ot_rom_ctrl.c
+++ b/hw/opentitan/ot_rom_ctrl.c
@@ -107,7 +107,7 @@ static const char *REG_NAMES[REGS_COUNT] = {
 #define OT_ROM_CTRL_NUM_ADDR_SUBST_PERM_ROUNDS 2u
 #define OT_ROM_CTRL_NUM_DATA_SUBST_PERM_ROUNDS 2u
-#define OT_ROM_CTRL_NUM_PRINCE_HALF_ROUNDS 2u
+#define OT_ROM_CTRL_NUM_PRINCE_HALF_ROUNDS 3u
 #define OT_ROM_CTRL_DATA_BITS (sizeof(uint32_t) * 8u)
 #define OT_ROM_CTRL_ECC_BITS 7u
From 851b94172c0d9d64964765918934a1d3637f6663 Mon Sep 17 00:00:00 2001
From: Alex Jones
Date: Tue, 17 Dec 2024 15:49:10 +0000
Subject: [PATCH 2/2] [ot] hw/opentitan: ot_rom_ctrl: Remove S&P from data scrambling

In Earlgrey, the S&P layer has been removed from the data scrambling logic, which affects the scrambling of the generated ROM. The functionality is removed entirely from the ROM Control to improve error detection guarantees, interactions with ECC, and timing. This commit removes the now-redundant logic related to the S&P layer, instead directly unscrambling words by XORing the keystream and the `scr`/`in` data.
---
 hw/opentitan/ot_rom_ctrl.c | 31 +------------------------------
 1 file changed, 1 insertion(+), 30 deletions(-)
diff --git a/hw/opentitan/ot_rom_ctrl.c b/hw/opentitan/ot_rom_ctrl.c
index 8064bef4b99f5..ca1a1540acab7 100644
--- a/hw/opentitan/ot_rom_ctrl.c
+++ b/hw/opentitan/ot_rom_ctrl.c
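Review bot: The new value of `OT_ROM_CTRL_NUM_PRINCE_HALF_ROUNDS` in the `@@ -107,7 +107,7 @@` hunk of PATCH 1/2 is a bare compile-time constant with no comment tying it to the hardware it mirrors. The commit message scopes the change to Earlgrey, but the macro applies to every instance of this ROM controller model; if other machine types instantiate it (not visible here), their ROM images would stop unscrambling unless they were built with the same round count. I would document the coupling in place, e.g. `/* PRINCE half rounds; must match the ROM controller hardware and the tool that scrambled the ROM image */`, and confirm whether the value needs to become a per-instance property instead.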
@@ -121,10 +121,6 @@ static const char *REG_NAMES[REGS_COUNT] = {
 static const uint8_t SBOX4[16u] = {
 12u, 5u, 6u, 11u, 9u, 0u, 10u, 13u, 3u, 14u, 15u, 8u, 4u, 7u, 1u, 2u
 };
-
-static const uint8_t SBOX4_INV[16u] = {
- 5u, 14u, 15u, 8u, 12u, 1u, 2u, 13u, 11u, 4u, 6u, 3u, 0u, 7u, 9u, 10u
-};
 /* clang-format on */
 static const OtKMACAppCfg KMAC_APP_CFG =
@@ -281,36 +277,12 @@ static uint64_t ot_rom_ctrl_subst_perm_enc(uint64_t in, uint64_t key,
 return state;
 }
-static uint64_t ot_rom_ctrl_subst_perm_dec(uint64_t in, uint64_t key,
- unsigned width, unsigned num_rounds)
-{
- uint64_t state = in;
-
- for (unsigned ix = 0; ix < num_rounds; ix++) {
- state ^= key;
- state = ot_rom_ctrl_perm(state, width, true);
- state = ot_rom_ctrl_flip(state, width);
- state = ot_rom_ctrl_sbox(state, width, SBOX4_INV);
- }
-
- state ^= key;
-
- return state;
-}
-
 static unsigned ot_rom_ctrl_addr_sp_enc(const OtRomCtrlState *s, unsigned addr)
 {
 return ot_rom_ctrl_subst_perm_enc(addr, s->addr_nonce, s->addr_width,
 OT_ROM_CTRL_NUM_ADDR_SUBST_PERM_ROUNDS);
 }
-static uint64_t ot_rom_ctrl_data_sp_dec(const OtRomCtrlState *s, uint64_t in)
-{
- (void)s;
- return ot_rom_ctrl_subst_perm_dec(in, 0, OT_ROM_CTRL_WORD_BITS,
- OT_ROM_CTRL_NUM_DATA_SUBST_PERM_ROUNDS);
-}
-
 static uint64_t ot_rom_ctrl_get_keystream(const OtRomCtrlState *s,
 unsigned addr)
 {
@@ -438,8 +410,7 @@ static uint64_t ot_rom_ctrl_unscramble_word(const OtRomCtrlState *s,
 unsigned addr, uint64_t in)
 {
 uint64_t keystream = ot_rom_ctrl_get_keystream(s, addr);
- uint64_t sp = ot_rom_ctrl_data_sp_dec(s, in);
- return keystream ^ sp;
+ return keystream ^ in;
 }
 static uint32_t ot_rom_ctrl_verify_ecc_39_32_u32(
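Review bot: `OT_ROM_CTRL_NUM_DATA_SUBST_PERM_ROUNDS` stays defined although this commit deletes `ot_rom_ctrl_data_sp_dec`, its only user visible in these hunks, and the 30 deletions are fully accounted for by the three hunks shown. If nothing else references it, the `#define` should go too, so the file no longer implies a data S&P layer exists. The inverse mode of `ot_rom_ctrl_perm` (third argument `true`) was presumably only used by the removed `ot_rom_ctrl_subst_perm_dec`; it is worth confirming whether that branch is now dead. In `ot_rom_ctrl_unscramble_word` (`@@ -438,8 +410,7 @@`, first signature line only in the hunk header) I would add a comment such as `/* data path is keystream XOR only; images scrambled with the former S&P layer will not unscramble correctly */`, so a later ECC or digest failure can be traced back to a stale ROM image.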