STM32L486RG/mbedtls: add aes hw acceleration #4163
Conversation
|
@adustm We have an AES accelerator as well that doesn't support 192 bits. Did you get a signoff on just returning INVALID_KEY_LENGTH for -192 operations when AES_ALT is in use? |
|
@adustm There are conflicts |
| #define __HAL_RCC_CRYP_CLK_ENABLE __HAL_RCC_AES_CLK_ENABLE | ||
| #define __HAL_RCC_CRYP_FORCE_RESET __HAL_RCC_AES_FORCE_RESET | ||
| #define __HAL_RCC_CRYP_RELEASE_RESET __HAL_RCC_AES_RELEASE_RESET | ||
| #define CRYP AES |
There was a problem hiding this comment.
Aren't these implementation specific definitions?
Shouldn't these be in some STM common header file, or in the aes_alt.c file?
mbedtls_device.h should be included only from mbedtls files(specifically platform_mbed.h), so I think these definitions will not be used anywhere
There was a problem hiding this comment.
ok, I move them to aes_alt.h
There was a problem hiding this comment.
Please check if you can define these in aes_alt.c instead. As there are many modified files, I can't check this.
There was a problem hiding this comment.
OK to move to aes_alt.c.
The many modified files were due to a rebase on the master branch. I've fixed it now. Only 3 remaining modified files :)
| break; | ||
| #if defined (TARGET_STM32L486xG) | ||
| return(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH); | ||
| #else |
There was a problem hiding this comment.
The alternative implementation should support the full API. If HW doesn't support, then the SW implementation should be used
There was a problem hiding this comment.
This was true at the time of the comment, but since then it has been decided that AES192 is and exception from this rule and hardware drivers not supporting AES192 can return an error.
| if ((ctx->hcryp_aes.Init.OperatingMode != CRYP_ALGOMODE_KEYDERIVATION_DECRYPT) || \ | ||
| (ctx->hcryp_aes.Init.ChainingMode != CRYP_CHAINMODE_AES_CBC) || \ | ||
| (ctx->hcryp_aes.Init.KeyWriteFlag != CRYP_KEY_WRITE_ENABLE)) { | ||
| /* Re-initialize AES IP with proper parameters */ |
There was a problem hiding this comment.
what if this if statement is false? HAL_CRYP_DeInit will not be called, but HAL_CRYP_Init will still be called. Is there a resource leak risk here?
There was a problem hiding this comment.
Hello,
This if statement tests if we call the function but the HW module has been used for another purpose since its initialization. It launches both HAL_CRYP_Deinit and HAL_CRYP_init.
There is not else because otherwise, the HW module is already well initialized.
There was a problem hiding this comment.
Thanks for the explanation, Why then this check is not done for ECB as well?
There was a problem hiding this comment.
Hi,
In ECB mode, it is done internally in the HAL_CRYP_AESECB_Encrypt and HAL_CRYP_AESECB_Decrypt functions.
| (ctx->hcryp_aes.Init.ChainingMode != CRYP_CHAINMODE_AES_CBC) || \ | ||
| (ctx->hcryp_aes.Init.KeyWriteFlag != CRYP_KEY_WRITE_ENABLE)) { | ||
| /* Re-initialize AES IP with proper parameters */ | ||
| if (HAL_CRYP_DeInit(&ctx->hcryp_aes) != HAL_OK) |
There was a problem hiding this comment.
what if this if statement is false? HAL_CRYP_DeInit will not be called, but HAL_CRYP_Init will still be called. Is there a resource leak risk here?
There was a problem hiding this comment.
The only case where HAL_CRYP_DeInit can return HAL_ERROR is when the ctx->hcryp_aes is NULL.
In this case, HAL_CRYP_Init would also return HAL_ERROR.
It means that either the ctx object has been corrupted or the mbedtls_aes_crypt_xxx function was called without a call to aes_set_key_xxx function.
|
@stevew817 At the moment we still instruct to support the full functionality |
|
@stevew817 : no. One of my next task will be to add the SW implementation in case of 192 key size... |
|
Gotcha. Guess that'll get added to my to-do list as well, then, though it would really make more sense to solve this at the mbedTLS level. |
|
bump @adustm. Could you fix the merge conflicts? |
|
bump @adustm |
| @@ -148,14 +156,46 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, | |||
| if( mode == MBEDTLS_AES_DECRYPT ) | |||
There was a problem hiding this comment.
The common code between the if branch and the else branch is growing, consider factoring them.
| @@ -148,14 +156,46 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, | |||
| if( mode == MBEDTLS_AES_DECRYPT ) | |||
| { | |||
| ctx->hcryp_aes.Init.pInitVect = &iv[0]; // used in process, not in the init | |||
|
|
|||
| #if defined (TARGET_STM32L486xG) | |||
There was a problem hiding this comment.
Is this actually specific to the STM32L486? I'm not familiar with this platform, but looking for documentation online, it seems that those HAL APIs exist for a much broader family. Also, it's odd that the ECB code uses some wrappers (HAL_CRYP_AESECB_Encrypt and HAL_CRYP_AESECB_Decrypt) marked as legacy but the CBC code doesn't. It's hard to figure out when looking at the code whether it's using the hardware correctly, even when a key is used successively with distinct mode. It's also hard to ascertain that the accelerator is properly reset as soon as a key is no longer in use (which is good hygiene so that a security breach does not expose previously-used keys, and is mandated by most security standards).
There was a problem hiding this comment.
@gilles-peskine-arm
I have checked internally what is called 'legacy code'.
I cannot use the legacy code for CBC mode with the STM32L4 family, as it contains a bug (it calls the init function every time, wich is not compatible with the use of the iv buffer). As it is legacy code, it will not be updated soon. That's why I use the suggested non-legacy code.
The provided legacy code for ECB does not show any problem with the tests I did, this is the reason why I use it to simplify the user's readability. If you think we could encounter an issue, do not hesitate to provide me with a use case to test.
Kind regards
Armelle
There was a problem hiding this comment.
@adustm Thanks for investigating! I raised this point because the code looked weird. Since you've found that there's a reason for the weirdness, I have no reason to think that the code is wrong.
There was a problem hiding this comment.
I have reviewed the PR, but didn't find any new issues.
Our rule regarding AES192 has been changed since the last reviews, I left a comment about it, but I am writing it here too. AES192 is an exception to the rule that requires hardware accelerator drivers to support the full mbed TLS API and they can return an error if they encounter AES192.
|
Hello @yanesca
This is great news. I'll rebase and update this PR as soon as I'll have finished with MD5/SHA1/SHA256 of F7 and F4. Thanks ! |
|
Hello @yanesca Kind regards |
|
I did an error in the rebase work, I'll fix that soon |
|
Hello, I think we are ready for this PR, unless anyone has anyelse to add (@RonEld @gilles-peskine-arm @yanesca , could you check if an approval is possible ?) Kind regards |
|
/morph test |
Result: FAILUREYour command has finished executing! Here's what you wrote!
OutputTest failed! |
|
/morph test |
Result: FAILUREYour command has finished executing! Here's what you wrote!
OutputTest failed! |
|
Hi, Kind regards |
|
@adustm I'll rerun the tests, as you are correct, your PR should not be blocked by an unrelated timing failure. /morph test |
|
@Patater Could you restart this one too? |
Result: SUCCESSYour command has finished executing! Here's what you wrote!
OutputAll builds and test passed! |
|
Solving conflict |
|
/morph test |
Result: SUCCESSYour command has finished executing! Here's what you wrote!
OutputAll builds and test passed! |
|
This has an empty commit which probably should have been picked up during the review stage before it was merged! |
Description
Add hw acceleration for mbedTLS/aes on NUCLEO_L486RG
Please be aware that this device does not support 192bit key size.
The aes selftest and gcm selftest shall be modified not to run this key size. As it is located in the official mbedtls stack, I did not touch it.
is #3962
Status
DO NOT MERGESteps to test or reproduce
Run aes seltest from TESTS/mbedtls/selftest/main.cpp