Skip to content

[crypto] Wipe OTBN's DMEM in failure cases #27650

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

[crypto] Wipe OTBN's DMEM in failure cases #27650

wants to merge 2 commits into from

Conversation

nasahlpa
Copy link
Member

This commit:

  • Adds a couple of calls to otbn_dmem_sec_wipe()
  • Adds a new HARDENED_TRY_WIPE_DMEM() macro that wipes the DMEM before returning

Closes #20050.

@nasahlpa
[crypto] Add OTBN DMEM wipes to RSA code
aa54b60 
Always wipe the DMEM once the OTBN execution has been finished.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
@nasahlpa nasahlpa requested a review from johannheyszl July 17, 2025 14:02
@nasahlpa nasahlpa marked this pull request as ready for review July 17, 2025 17:11
@nasahlpa nasahlpa requested a review from a team as a code owner July 17, 2025 17:11
@nasahlpa nasahlpa requested review from alees24, felixmiller, vogelpi, h-filali, andrea-caforio, moidx and cfrantz and removed request for a team and alees24 July 17, 2025 17:11
@nasahlpa nasahlpa added the CherryPick:earlgrey_1.0.0 This PR should be cherry-picked to earlgrey_1.0.0 label Jul 17, 2025
moidx
moidx reviewed Jul 23, 2025
View reviewed changes
sw/device/lib/crypto/impl/ecc/p256.c Outdated
@@ -215,10 +219,12 @@ status_t p256_ecdsa_sign_finalize(p256_ecdsa_signature_t *result) {
HARDENED_TRY(otbn_busy_wait_for_done());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should calls to otbn_busy_wait_for_done also result in WIPE DMEM?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your feedback!

Yes, this would make sense. I was initially against doing it as OTBN needs to be IDLE when calling otbn_dmem_sec_wipe() and otbn_busy_wait_for_done() can fail with leaving OTBN not IDLE. However otbn_busy_wait_for_done() can also fail with leaving OTBN IDLE (e.g., some error bits are set), then we should wipe it.

I've modified the code that now DMEM gets wiped when otbn_busy_wait_for_done() fails. When otbn_busy_wait_for_done() fails with leaving OTBN not IDLE, the DMEM will not be wiped though.

@moidx moidx self-requested a review July 23, 2025 06:02
@nasahlpa
[crypto] Wipe DMEM also in error cases
b3ee06b 
When an error occurs, HARDENED_TRY() immediately returns. As we also
want to wipe the OTBN DMEM when an error happens, this commit adds
HARDENED_TRY_WIPE_DMEM() which wipes DMEM on an error before returning.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johannheyszl johannheyszl johannheyszl approved these changes

@felixmiller felixmiller Awaiting requested review from felixmiller

@vogelpi vogelpi Awaiting requested review from vogelpi

@h-filali h-filali Awaiting requested review from h-filali

@andrea-caforio andrea-caforio Awaiting requested review from andrea-caforio

@cfrantz cfrantz Awaiting requested review from cfrantz

@moidx moidx Awaiting requested review from moidx

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
CherryPick:earlgrey_1.0.0 This PR should be cherry-picked to earlgrey_1.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[crypto] Wipe OTBN's DMEM in failure cases.
3 participants
@nasahlpa @moidx @johannheyszl