[crypto] Add a counter to the main loop of ECDSA-P256 verify. #23921
Conversation
jadephilipoom
requested review from
cfrantz,
timothytrippel,
vogelpi and
johannheyszl
There was a problem hiding this comment.
Thanks @jadephilipoom this is great. I have reviewed the code - it looks effective and correct!
There was a problem hiding this comment.
Thanks @jadephilipoom and @johannheyszl ! The change looks good to me.
IMO, we don't need to further harden the newly added counter: if an adversary managed to glitch the counter, they would still need to glitch other stuff to actually exploit this. But if there is a very easy way to further improve things I also wouldn't say no :-)
jadephilipoom
force-pushed
the
p256-verify-counter
branch
from
724bb55
to
e989230
Compare
Challenge accepted 🙂 After a little thought and taking a look at the code again, I added a new commit that expands on the idea just a little bit. Instead of using |
|
Thank @jadephilipoom you this is very nice. I support keeping it. |
There was a problem hiding this comment.
Thanks @jadephilipoom , this is great! Let's get this in once CI passes, and hopefully tonight's or tomorrow's nightly regression can run with the change.
|
One thing: you will probably have to update the rom self hash test since it will fail on the fpga if the rom changes at all now that it is running in CI. See the instructions here: https://cs.opensource.google/opentitan/opentitan/+/master:sw/device/silicon_creator/rom/e2e/release/rom_e2e_self_hash_test.c;drc=9d2140b0ad00c7337454f85edb7772d611a5615b;l=31 |
Thanks for the tip, should be updated now! |
This is a lightweight hardening measure against fault-injection attacks on the loop control flow in OTBN. Signed-off-by: Jade Philipoom <jadep@zerorisc.com>
Make the counter increments dependent on some should-be-noop instructions throughout the control flowof the main loop. Signed-off-by: Jade Philipoom <jadep@zerorisc.com>
Updates the golden hashes to incorporate the new counter in P256 verify. Signed-off-by: Jade Philipoom <jadep@zerorisc.com>
jadephilipoom
force-pushed
the
p256-verify-counter
branch
from
67acf16
to
812fd66
Compare
This is a simple, lightweight hardening measure against fault-injection attacks on the loop control flow in OTBN, just in case the hardware hardening measures don't hold up as well as we'd like.
The OTBN ECDSA-P256 verification program returns two results: an "OK" value that's either
kHardenedBoolTrueorkHardenedBoolFalse, and the recovered "r" value that should be equal to "r" from the signature if the signature was valid. Ibex needs to check both values.The new counter basically just piggybacks on the existing "OK" value; instead of directly writing
kHardenedBoolTrueinto the "OK" buffer, we load the constantkHardenedBoolTrue ^ 256and then XOR it with a counter that gets incremented on every loop iteration. If the counter says 256 iterations, we get the right value, but if not we'll get something else and Ibex will detect that something is wrong in the code here:opentitan/sw/device/silicon_creator/lib/otbn_boot_services.c
Lines 269 to 278 in 5655312
If we wanted to be even more strict, we could cause a more catastrophic error if
ok != kHardenedBoolFalse. We could also consider starting the counter at2^32-1instead of 0, so that the expected value is 255, which would just give us more bits that the counter flips. Open to opinions on more advanced strategies, but for now I just went with the simplest version.