capsules: Add support for AES GCM #3092
Conversation
github-actions
bot
added
the
WG-OpenTitan
| static mut AES: Option< | ||
| &virtual_aes_gcm::VirtualAES128GCM< | ||
| 'static, | ||
| virtual_aes_ccm::VirtualAES128CCM<'static, earlgrey::aes::Aes<'static>>, |
There was a problem hiding this comment.
Why is GCM building on top of CCM? They are different algorithms.
There was a problem hiding this comment.
@alistair23 Can you explain your intended relationship between CCM and GCM?
This has been discussed in the core call. The general consensus is that Tock should not have any cipher implementations used for confidentiality. E.g., there should not be Tock-specific implementations of AES or RSA. However, having simple software implementations of integrity primitives (e.g., hashes and CRCs) is OK. The expectation is that these are included to allow software testing without introducing dependencies. The point you bring up, though, that some Tock boards are going to need software implementations of encryption/decryption and we should pull in crates to do so, is a good one. I will put it on the core call agenda. |
This PR only adds a software hash implementation. Does that mean you agree this should be added? Or do you mean Tock is ok with writing it's own implementations?
I was thinking a bit more about this. Once we have verified AppIDs I could see a future where the default research loading mechanism is to try loading signed apps, with an allow fallback. This way we wouldn't break any users (if it's not signed we still load the app) but also provides a lot more test coverage on signed app loading. We can then update the tools to handle this as transparently as possible. As well as that, there are lots of good Tock use cases that need crypto. LoRaWAN and other wireless communication stacks all use crypto by default. These would only work if we had a default software crypto implementation though. So I think it's something worth considering |
It does not mean that I agree it should be added. It means that it's something we need to discuss to explore all of the issues in play. Tock (so far) is OK writing its own software implementations of integrity primitives, such as hashes, checksums, and CRCs. However, that doesn't mean that it's the preferred thing to do.
This is already supported in the API. But the policies are more complex than this; there's a question of what signing keys are allowed. The current API requires the checker know something about the key, due to the exponent being implicit. We might make the exponent explicit, depending on requirements.
True. Most chips (LoRa being an exception) have cryptographic support, though. The issue here is introducing external dependencies into the kernel for narrow use cases. We've resisted external dependencies for a long time, for simplicity. That doesn't mean the kernel won't ever use them, but for now it doesn't. |
|
Notes from the OT call: A The fact that the current AES-CCM virtualizer isn't decomposed this way and combines translation and virtualization shouldn't be taken as a reference design. The current code started with an early, 5-year-old AES-CCM implementation and extended the capsule to add virtualization. |
|
@alistair23 Any progress on this? |
|
I'm still waiting for an Ack or Nack about adding external crypto crates |
|
@alistair23 I will bring it up on Friday just to be sure, but I am very confident that Tock will allow external (high quality, vetted) implementations of cryptographic primitives. |
alistair23
force-pushed
the
alistair/aes-gcm
branch
from
6ffd9f9
to
5b986d4
Compare
|
Ok, updated to remove the virtuliser part from this. Once this is merged we can then look at adding a single AES virtuliser (while also removing the virtulisation from |
|
Any more comments? I can rebase this if it will be accepted |
3312: doc: Add ExternalDependencies.md r=hudson-ayers a=alistair23 ### Pull Request Overview This adds a document that describes some of the requirements of adding external crates. Once this is accepted the idea is then to add an external crate with #3092 ### Testing Strategy ### TODO or Help Wanted ### Documentation Updated - [X] Updated the relevant files in `/docs`, or no updates are required. ### Formatting - [X] Ran `make prepush`. Co-authored-by: Alistair Francis <alistair.francis@wdc.com> Co-authored-by: Brad Campbell <bradjc5@gmail.com> Co-authored-by: Leon Schuermann <leon@is.currently.online>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
alistair23
force-pushed
the
alistair/aes-gcm
branch
2 times, most recently
from
5f3b018
to
0264fbc
Compare
|
I have rebased this now that the |
Initial commit of a GCM capsule. This implements AES GCM support using an underlying AES CTR engine and the external GHash crate. Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
Done! |
alistair23
force-pushed
the
alistair/aes-gcm
branch
from
0264fbc
to
c155d68
Compare
|
bors r+ |
|
Build succeeded! The publicly hosted instance of bors-ng is deprecated and will go away soon. If you want to self-host your own instance, instructions are here. If you want to switch to GitHub's built-in merge queue, visit their help page.
|
Pull Request Overview
This PR adds a new aes_gcm capsule. This capsule exposes AES-GCM support if the hardware doesn't actually have it.
We implement AES GCM using other supported AES operations and with a software implementation of ghash.
This is similar to the existing virtual_aes_ccm capsule, except without virtulisation.
AES-GCM is commonly used in TLS. It isn't commonly used in embedded systems, but it's still a good example I think.
Testing Strategy
Running the OpenTitan tests
TODO or Help Wanted
This PR adds an external dependency!
This PR adds a dependency on the ghash crate as part of Rust-crypto.
We are seeing more and more requirements for cryptographic operations in Tock, which means we are also seeing more and more software implementations of them.
Tock already has a SHA256 and CRC32 software implementation. It's not unreasonable that RSA becomes more common with the cryptographic app IDs as well.
I wanted to start the discussion about allowing Rust-crypto crates as capsules. Re-implementing a crypto library ourselves seem very risky, so if we do want software implementations Rust-crypto would be the way to go. I'm not convinced one way or the other, I just wanted to get some feedback on how people feel.
The Rust-crypto crates are well respected, have been audited and match the Tock software license
Documentation Updated
/docs, or no updates are required.Formatting
make prepush.