-
Notifications
You must be signed in to change notification settings - Fork 746
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[crypto] Add a counter to the main loop of ECDSA-P256 verify. #23921
[crypto] Add a counter to the main loop of ECDSA-P256 verify. #23921
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jadephilipoom this is great. I have reviewed the code - it looks effective and correct!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jadephilipoom and @johannheyszl ! The change looks good to me.
IMO, we don't need to further harden the newly added counter: if an adversary managed to glitch the counter, they would still need to glitch other stuff to actually exploit this. But if there is a very easy way to further improve things I also wouldn't say no :-)
724bb55
to
e989230
Compare
Challenge accepted 🙂 After a little thought and taking a look at the code again, I added a new commit that expands on the idea just a little bit. Instead of using |
Thank @jadephilipoom you this is very nice. I support keeping it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jadephilipoom , this is great! Let's get this in once CI passes, and hopefully tonight's or tomorrow's nightly regression can run with the change.
One thing: you will probably have to update the rom self hash test since it will fail on the fpga if the rom changes at all now that it is running in CI. See the instructions here: https://cs.opensource.google/opentitan/opentitan/+/master:sw/device/silicon_creator/rom/e2e/release/rom_e2e_self_hash_test.c;drc=9d2140b0ad00c7337454f85edb7772d611a5615b;l=31 |
Thanks for the tip, should be updated now! |
This is a lightweight hardening measure against fault-injection attacks on the loop control flow in OTBN. Signed-off-by: Jade Philipoom <jadep@zerorisc.com>
Make the counter increments dependent on some should-be-noop instructions throughout the control flowof the main loop. Signed-off-by: Jade Philipoom <jadep@zerorisc.com>
Updates the golden hashes to incorporate the new counter in P256 verify. Signed-off-by: Jade Philipoom <jadep@zerorisc.com>
67acf16
to
812fd66
Compare
This is a simple, lightweight hardening measure against fault-injection attacks on the loop control flow in OTBN, just in case the hardware hardening measures don't hold up as well as we'd like.
The OTBN ECDSA-P256 verification program returns two results: an "OK" value that's either
kHardenedBoolTrue
orkHardenedBoolFalse
, and the recovered "r" value that should be equal to "r" from the signature if the signature was valid. Ibex needs to check both values.The new counter basically just piggybacks on the existing "OK" value; instead of directly writing
kHardenedBoolTrue
into the "OK" buffer, we load the constantkHardenedBoolTrue ^ 256
and then XOR it with a counter that gets incremented on every loop iteration. If the counter says 256 iterations, we get the right value, but if not we'll get something else and Ibex will detect that something is wrong in the code here:opentitan/sw/device/silicon_creator/lib/otbn_boot_services.c
Lines 269 to 278 in 5655312
If we wanted to be even more strict, we could cause a more catastrophic error if
ok != kHardenedBoolFalse
. We could also consider starting the counter at2^32-1
instead of 0, so that the expected value is 255, which would just give us more bits that the counter flips. Open to opinions on more advanced strategies, but for now I just went with the simplest version.