[crypto] Wipe DMEM also in error cases

When an error occurs, HARDENED_TRY() immediately returns. As we also
want to wipe the OTBN DMEM when an error happens, this commit adds
HARDENED_TRY_WIPE_DMEM() which wipes DMEM on an error before returning.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>

Author: nasahlpa

sw/device/lib/crypto/drivers/otbn.h

@@ -15,6 +15,27 @@
 extern "C" {
 #endif
 
+/**
+ * Hardened version of the `TRY` macro that wipes DMEM() on an error.
+ *
+ * Returns an error if either expr_ represents an error, or if the OK code does
+ * not match the expected hardened value.
+ *
+ * @param expr_ An expression that evaluates to a `status_t`.
+ * @return The enclosed OK value.
+ */
+#define HARDENED_TRY_WIPE_DMEM(expr_)                                   \
+  do {                                                                  \
+    status_t status_ = expr_;                                           \
+    if (launder32(OT_UNSIGNED(status_.value)) != kHardenedBoolTrue) {   \
+      otbn_dmem_sec_wipe();                                             \
+      return (status_t){                                                \
+          .value = (int32_t)(OT_UNSIGNED(status_.value) | 0x80000000)}; \
+    }                                                                   \
+    HARDENED_CHECK_EQ(status_.value, kHardenedBoolTrue);                \
+    status_.value;                                                      \
+  } while (false)
+
 /**
  * Constants related to OTBN wide words
  */

sw/device/lib/crypto/impl/ecc/p256.c

@@ -126,14 +126,16 @@ status_t p256_keygen_finalize(p256_masked_scalar_t *private_key,
   HARDENED_TRY(otbn_busy_wait_for_done());
 
   // Read the masked private key from OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP256MaskedScalarShareWords, kOtbnVarD0,
-                              private_key->share0));
-  HARDENED_TRY(otbn_dmem_read(kP256MaskedScalarShareWords, kOtbnVarD1,
-                              private_key->share1));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(kP256MaskedScalarShareWords, kOtbnVarD0,
+                                        private_key->share0));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(kP256MaskedScalarShareWords, kOtbnVarD1,
+                                        private_key->share1));
 
   // Read the public key from OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP256CoordWords, kOtbnVarX, public_key->x));
-  HARDENED_TRY(otbn_dmem_read(kP256CoordWords, kOtbnVarY, public_key->y));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP256CoordWords, kOtbnVarX, public_key->x));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP256CoordWords, kOtbnVarY, public_key->y));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();
@@ -144,8 +146,10 @@ status_t p256_sideload_keygen_finalize(p256_point_t *public_key) {
   HARDENED_TRY(otbn_busy_wait_for_done());
 
   // Read the public key from OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP256CoordWords, kOtbnVarX, public_key->x));
-  HARDENED_TRY(otbn_dmem_read(kP256CoordWords, kOtbnVarY, public_key->y));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP256CoordWords, kOtbnVarX, public_key->x));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP256CoordWords, kOtbnVarY, public_key->y));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();
@@ -215,10 +219,12 @@ status_t p256_ecdsa_sign_finalize(p256_ecdsa_signature_t *result) {
   HARDENED_TRY(otbn_busy_wait_for_done());
 
   // Read signature R out of OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP256ScalarWords, kOtbnVarR, result->r));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP256ScalarWords, kOtbnVarR, result->r));
 
   // Read signature S out of OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP256ScalarWords, kOtbnVarS, result->s));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP256ScalarWords, kOtbnVarS, result->s));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();
@@ -261,15 +267,16 @@ status_t p256_ecdsa_verify_finalize(const p256_ecdsa_signature_t *signature,
   // Read the status code out of DMEM (false if basic checks on the validity of
   // the signature and public key failed).
   uint32_t ok;
-  HARDENED_TRY(otbn_dmem_read(1, kOtbnVarOk, &ok));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(1, kOtbnVarOk, &ok));
   if (launder32(ok) != kHardenedBoolTrue) {
+    HARDENED_TRY(otbn_dmem_sec_wipe());
     return OTCRYPTO_BAD_ARGS;
   }
   HARDENED_CHECK_EQ(ok, kHardenedBoolTrue);
 
   // Read x_r (recovered R) out of OTBN dmem.
   uint32_t x_r[kP256ScalarWords];
-  HARDENED_TRY(otbn_dmem_read(kP256ScalarWords, kOtbnVarXr, x_r));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(kP256ScalarWords, kOtbnVarXr, x_r));
 
   *result = hardened_memeq(x_r, signature->r, kP256ScalarWords);
 
@@ -305,15 +312,18 @@ status_t p256_ecdh_finalize(p256_ecdh_shared_key_t *shared_key) {
 
   // Read the code indicating if the public key is valid.
   uint32_t ok;
-  HARDENED_TRY(otbn_dmem_read(1, kOtbnVarOk, &ok));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(1, kOtbnVarOk, &ok));
   if (launder32(ok) != kHardenedBoolTrue) {
+    HARDENED_TRY(otbn_dmem_sec_wipe());
     return OTCRYPTO_BAD_ARGS;
   }
   HARDENED_CHECK_EQ(ok, kHardenedBoolTrue);
 
   // Read the shares of the key from OTBN dmem (at vars x and y).
-  HARDENED_TRY(otbn_dmem_read(kP256CoordWords, kOtbnVarX, shared_key->share0));
-  HARDENED_TRY(otbn_dmem_read(kP256CoordWords, kOtbnVarY, shared_key->share1));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP256CoordWords, kOtbnVarX, shared_key->share0));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP256CoordWords, kOtbnVarY, shared_key->share1));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();

sw/device/lib/crypto/impl/ecc/p384.c

@@ -167,14 +167,16 @@ status_t p384_keygen_finalize(p384_masked_scalar_t *private_key,
   HARDENED_TRY(otbn_busy_wait_for_done());
 
   // Read the masked private key from OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP384MaskedScalarShareWords, kOtbnVarD0,
-                              private_key->share0));
-  HARDENED_TRY(otbn_dmem_read(kP384MaskedScalarShareWords, kOtbnVarD1,
-                              private_key->share1));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(kP384MaskedScalarShareWords, kOtbnVarD0,
+                                        private_key->share0));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(kP384MaskedScalarShareWords, kOtbnVarD1,
+                                        private_key->share1));
 
   // Read the public key from OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP384CoordWords, kOtbnVarX, public_key->x));
-  HARDENED_TRY(otbn_dmem_read(kP384CoordWords, kOtbnVarY, public_key->y));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP384CoordWords, kOtbnVarX, public_key->x));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP384CoordWords, kOtbnVarY, public_key->y));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();
@@ -197,8 +199,10 @@ status_t p384_sideload_keygen_finalize(p384_point_t *public_key) {
   HARDENED_TRY(otbn_busy_wait_for_done());
 
   // Read the public key from OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP384CoordWords, kOtbnVarX, public_key->x));
-  HARDENED_TRY(otbn_dmem_read(kP384CoordWords, kOtbnVarY, public_key->y));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP384CoordWords, kOtbnVarX, public_key->x));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP384CoordWords, kOtbnVarY, public_key->y));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();
@@ -244,10 +248,12 @@ status_t p384_ecdsa_sign_finalize(p384_ecdsa_signature_t *result) {
   HARDENED_TRY(otbn_busy_wait_for_done());
 
   // Read signature R out of OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP384ScalarWords, kOtbnVarR, result->r));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP384ScalarWords, kOtbnVarR, result->r));
 
   // Read signature S out of OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(kP384ScalarWords, kOtbnVarS, result->s));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP384ScalarWords, kOtbnVarS, result->s));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();
@@ -287,15 +293,16 @@ status_t p384_ecdsa_verify_finalize(const p384_ecdsa_signature_t *signature,
   // Read the status code out of DMEM (false if basic checks on the validity of
   // the signature and public key failed).
   uint32_t ok;
-  HARDENED_TRY(otbn_dmem_read(1, kOtbnVarOk, &ok));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(1, kOtbnVarOk, &ok));
   if (launder32(ok) != kHardenedBoolTrue) {
+    HARDENED_TRY(otbn_dmem_sec_wipe());
     return OTCRYPTO_BAD_ARGS;
   }
   HARDENED_CHECK_EQ(ok, kHardenedBoolTrue);
 
   // Read x_r (recovered R) out of OTBN dmem.
   uint32_t x_r[kP384ScalarWords];
-  HARDENED_TRY(otbn_dmem_read(kP384ScalarWords, kOtbnVarXr, x_r));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(kP384ScalarWords, kOtbnVarXr, x_r));
 
   *result = hardened_memeq(x_r, signature->r, kP384ScalarWords);
 
@@ -329,15 +336,18 @@ status_t p384_ecdh_finalize(p384_ecdh_shared_key_t *shared_key) {
   // Read the status code out of DMEM (false if basic checks on the validity of
   // the signature and public key failed).
   uint32_t ok;
-  HARDENED_TRY(otbn_dmem_read(1, kOtbnVarOk, &ok));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(1, kOtbnVarOk, &ok));
   if (launder32(ok) != kHardenedBoolTrue) {
+    HARDENED_TRY(otbn_dmem_sec_wipe());
     return OTCRYPTO_BAD_ARGS;
   }
   HARDENED_CHECK_EQ(ok, kHardenedBoolTrue);
 
   // Read the shares of the key from OTBN dmem (at vars x and y).
-  HARDENED_TRY(otbn_dmem_read(kP384CoordWords, kOtbnVarX, shared_key->share0));
-  HARDENED_TRY(otbn_dmem_read(kP384CoordWords, kOtbnVarY, shared_key->share1));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP384CoordWords, kOtbnVarX, shared_key->share0));
+  HARDENED_TRY_WIPE_DMEM(
+      otbn_dmem_read(kP384CoordWords, kOtbnVarY, shared_key->share1));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();

sw/device/lib/crypto/impl/rsa/rsa_3072_verify.c

@@ -140,10 +140,11 @@ status_t rsa_3072_compute_constants(const rsa_3072_public_key_t *public_key,
   HARDENED_TRY(otbn_busy_wait_for_done());
 
   // Read constant rr out of DMEM.
-  HARDENED_TRY(read_rsa_3072_int_from_otbn(kOtbnVarRsaRR, &result->rr));
+  HARDENED_TRY_WIPE_DMEM(
+      read_rsa_3072_int_from_otbn(kOtbnVarRsaRR, &result->rr));
 
   // Read constant m0_inv out of DMEM.
-  HARDENED_TRY(
+  HARDENED_TRY_WIPE_DMEM(
       otbn_dmem_read(kOtbnWideWordNumWords, kOtbnVarRsaM0Inv, result->m0_inv));
 
   // Wipe DMEM.
@@ -201,7 +202,7 @@ status_t rsa_3072_verify_finalize(const rsa_3072_int_t *message,
 
   // Read recovered message out of OTBN dmem.
   rsa_3072_int_t recoveredMessage;
-  HARDENED_TRY(
+  HARDENED_TRY_WIPE_DMEM(
       read_rsa_3072_int_from_otbn(kOtbnVarRsaOutBuf, &recoveredMessage));
 
   // TODO: harden this memory comparison

sw/device/lib/crypto/impl/rsa/rsa_keygen.c

@@ -87,16 +87,17 @@ static status_t keygen_finalize(uint32_t exp_mode, size_t num_words,
 
   // Read the mode from OTBN dmem and panic if it's not as expected.
   uint32_t act_mode = 0;
-  HARDENED_TRY(otbn_dmem_read(1, kOtbnVarRsaMode, &act_mode));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(1, kOtbnVarRsaMode, &act_mode));
   if (act_mode != exp_mode) {
+    HARDENED_TRY(otbn_dmem_sec_wipe());
     return OTCRYPTO_FATAL_ERR;
   }
 
   // Read the public modulus (n) from OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(num_words, kOtbnVarRsaN, n));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(num_words, kOtbnVarRsaN, n));
 
   // Read the private exponent (d) from OTBN dmem.
-  HARDENED_TRY(otbn_dmem_read(num_words, kOtbnVarRsaD, d));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(num_words, kOtbnVarRsaD, d));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();

sw/device/lib/crypto/impl/rsa/rsa_modexp.c

@@ -62,7 +62,7 @@ status_t rsa_modexp_wait(size_t *num_words) {
 
   // Read the application mode.
   uint32_t mode;
-  HARDENED_TRY(otbn_dmem_read(1, kOtbnVarRsaMode, &mode));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(1, kOtbnVarRsaMode, &mode));
 
   *num_words = 0;
   if (mode == kMode2048Modexp || mode == kMode2048ModexpF4) {
@@ -94,7 +94,7 @@ status_t rsa_modexp_wait(size_t *num_words) {
 static status_t rsa_modexp_finalize(const size_t num_words, uint32_t *result) {
   // Wait for OTBN to complete and get the result size.
   size_t num_words_inferred;
-  HARDENED_TRY(rsa_modexp_wait(&num_words_inferred));
+  HARDENED_TRY_WIPE_DMEM(rsa_modexp_wait(&num_words_inferred));
 
   // Check that the inferred result size matches expectations.
   if (num_words != num_words_inferred) {
@@ -104,7 +104,7 @@ static status_t rsa_modexp_finalize(const size_t num_words, uint32_t *result) {
   }
 
   // Read the result.
-  HARDENED_TRY(otbn_dmem_read(num_words, kOtbnVarRsaInOut, result));
+  HARDENED_TRY_WIPE_DMEM(otbn_dmem_read(num_words, kOtbnVarRsaInOut, result));
 
   // Wipe DMEM.
   return otbn_dmem_sec_wipe();

sw/device/lib/crypto/impl/sha2/sha256.c

@@ -245,7 +245,7 @@ static status_t process_message(sha256_state_t *state, const uint8_t *msg,
   }
 
   // Read the final state from OTBN dmem.
-  HARDENED_TRY(
+  HARDENED_TRY_WIPE_DMEM(
       otbn_dmem_read(kSha256StateWords, kOtbnVarSha256State, new_state.H));
 
   // Clear OTBN's memory.

sw/device/lib/crypto/impl/sha2/sha512.c

@@ -307,8 +307,9 @@ static status_t process_message(sha512_state_t *state, const uint8_t *msg,
   // boundaries.
   otbn_addr_t state_read_addr = kOtbnVarSha512State;
   for (size_t i = 0; i + 1 < kSha512StateWords; i += 2) {
-    HARDENED_TRY(otbn_dmem_read(1, state_read_addr, &new_state.H[i + 1]));
-    HARDENED_TRY(
+    HARDENED_TRY_WIPE_DMEM(
+        otbn_dmem_read(1, state_read_addr, &new_state.H[i + 1]));
+    HARDENED_TRY_WIPE_DMEM(
         otbn_dmem_read(1, state_read_addr + sizeof(uint32_t), &new_state.H[i]));
     state_read_addr += kOtbnWideWordNumBytes;
   }