Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory zeroize #58

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
+756 −605
Open

memory zeroize #58

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f94ccdc
fixe issue 48 for leaking privkey
Dec 16, 2024
3fcdbb7
fixed issue 55 for zeroiize sequencers
Dec 16, 2024
0f2120b
added zeroize to mldsa_top regs
Dec 16, 2024
48c6820
added zeroize and rst to sib_mem
Dec 16, 2024
5fb9a3c
added memory zeroize
Dec 18, 2024
72d36f7
Merge branch 'main' into mojtaba-zeroize
Dec 18, 2024
012c379
fixed zeroize and synced valid/ready flags
Dec 19, 2024
ebdb54a
merged with main
Jan 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/mldsa_sampler_top/rtl/mldsa_sampler_top.sv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -510,6 +510,7 @@ end
sib_mem_inst
(
.clk_i(clk),
.rst_b(rst_b),
upadhyayulakiran marked this conversation as resolved.
Show resolved Hide resolved
.zeroize(zeroize_sib_mem),
.cs_i(sib_mem_cs_mux),
.we_i(sib_mem_we),
Expand Down
165 changes: 129 additions & 36 deletions src/mldsa_top/rtl/mldsa_ctrl.sv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,8 @@ module mldsa_ctrl
output logic lfsr_enable_o,
output logic [1:0][LFSR_W-1:0] lfsr_seed_o,

output mem_if_t zeroize_mem_o,

`ifdef CALIPTRA
// KV interface
output kv_read_t kv_read,
Expand Down Expand Up @@ -215,15 +217,24 @@ module mldsa_ctrl
);

always_ff @(posedge clk or negedge rst_b) begin : mldsa_kv_reg
if (!rst_b) begin
if (!rst_b)
kv_seed_data_present <= '0;
end else begin
else if (zeroize)
kv_seed_data_present <= '0;
else begin
kv_seed_data_present <= kv_seed_data_present_set ? '1 :
kv_seed_data_present_reset ? '0 : kv_seed_data_present;
end
end

always_comb mldsa_privkey_lock = kv_seed_data_present;
always_ff @(posedge clk or negedge rst_b) begin : mldsa_privkey_lock_reg
if (!rst_b)
mldsa_privkey_lock <= '0;
else if (zeroize)
mldsa_privkey_lock <= '0;
else if (kv_seed_data_present_set)
mldsa_privkey_lock <= '1;
end

`else
always_comb begin: mldsa_kv_ctrl_reg
Expand Down Expand Up @@ -251,6 +262,7 @@ always_comb mldsa_privkey_lock = '0;
logic keygen_done;
logic signature_done;
logic verify_done;
logic signature_validity_chk_done;

//assign appropriate data to msg interface
logic [MLDSA_OPR_WIDTH-1:0] sampler_src;
Expand Down Expand Up @@ -316,12 +328,18 @@ always_comb mldsa_privkey_lock = '0;
logic set_entropy;
logic [7:0][63:0] lfsr_entropy_reg;
logic [MsgWidth-1:0] counter_reg;

logic zeroize_mem_we;
logic [MLDSA_MEM_ADDR_WIDTH-1:0] zeroize_mem_addr;
logic [MLDSA_MEM_DATA_WIDTH-1:0] zeroize_mem_wr_data;
logic zeroize_mem_done;

assign mldsa_reg_hwif_in_o = mldsa_reg_hwif_in;
assign mldsa_reg_hwif_out = mldsa_reg_hwif_out_i;

always_comb mldsa_ready = (prim_prog_cntr == MLDSA_RESET);

//without zeroize to make it more complex
always_ff @(posedge clk or negedge rst_b) begin
if (!rst_b)
counter_reg <= '0;
Expand Down Expand Up @@ -454,15 +472,17 @@ always_comb mldsa_privkey_lock = '0;
pwr2rnd_keymem_we_bank[i] = (pwr2rnd_keymem_if_i[i].rd_wr_en == RW_WRITE);
api_keymem_we_bank[i] = mldsa_reg_hwif_in.MLDSA_PRIVKEY_IN.wr_ack & mldsa_ready & api_keymem_wr_dec & (api_sk_mem_waddr[0] == i);

sk_ram_we_bank[i] = skencode_keymem_we_bank[i] | pwr2rnd_keymem_we_bank[i] | api_keymem_we_bank[i];
sk_ram_we_bank[i] = skencode_keymem_we_bank[i] | pwr2rnd_keymem_we_bank[i] | api_keymem_we_bank[i] | zeroize_mem_we;

sk_ram_waddr_bank[i] = ({SK_MEM_ADDR_W{skencode_keymem_we_bank[i]}} & skencode_keymem_if_i.addr[SK_MEM_ADDR_W:1]) |
({SK_MEM_ADDR_W{pwr2rnd_keymem_we_bank[i]}} & pwr2rnd_keymem_if_i[i].addr[SK_MEM_ADDR_W:1] ) |
({SK_MEM_ADDR_W{api_keymem_we_bank[i]}} & api_sk_mem_waddr[SK_MEM_ADDR_W:1]);
({SK_MEM_ADDR_W{api_keymem_we_bank[i]}} & api_sk_mem_waddr[SK_MEM_ADDR_W:1]) |
({SK_MEM_ADDR_W{zeroize_mem_we}} & zeroize_mem_addr[SK_MEM_ADDR_W-1:0]);

sk_ram_wdata[i] = ({DATA_WIDTH{skencode_keymem_we_bank[i]}} & skencode_wr_data_i) |
({DATA_WIDTH{pwr2rnd_keymem_we_bank[i]}} & pwr2rnd_wr_data_i[i]) |
({DATA_WIDTH{api_keymem_we_bank[i]}} & mldsa_reg_hwif_out.MLDSA_PRIVKEY_IN.wr_data);
({DATA_WIDTH{api_keymem_we_bank[i]}} & mldsa_reg_hwif_out.MLDSA_PRIVKEY_IN.wr_data) |
({DATA_WIDTH{zeroize_mem_we}} & zeroize_mem_wr_data[DATA_WIDTH-1:0]);
end
end

Expand Down Expand Up @@ -579,6 +599,11 @@ always_comb mldsa_privkey_lock = '0;
signature_rd_ack <= 0;
pubkey_rd_ack <= 0;
end
else if (zeroize) begin
privkey_out_rd_ack <= 0;
signature_rd_ack <= 0;
pubkey_rd_ack <= 0;
end
else begin
privkey_out_rd_ack <= mldsa_reg_hwif_out.MLDSA_PRIVKEY_OUT.req & ~mldsa_reg_hwif_out.MLDSA_PRIVKEY_OUT.req_is_wr;
signature_rd_ack <= mldsa_reg_hwif_out.MLDSA_SIGNATURE.req & ~mldsa_reg_hwif_out.MLDSA_SIGNATURE.req_is_wr;
Expand Down Expand Up @@ -606,9 +631,11 @@ always_comb mldsa_privkey_lock = '0;


always_ff @(posedge clk or negedge rst_b) begin
if (!rst_b) begin
if (!rst_b)
api_sig_z_re_f <= '0;
end else begin
else if (zeroize)
api_sig_z_re_f <= '0;
else begin
api_sig_z_re_f <= api_sig_z_re;
end
end
Expand Down Expand Up @@ -651,16 +678,19 @@ always_comb mldsa_privkey_lock = '0;
always_comb mldsa_reg_hwif_in.MLDSA_SIGNATURE.rd_data = api_sig_z_re_f ? sig_z_ram_rdata[api_sig_z_addr.offset] : signature_reg_rdata;

//write requests
always_comb sig_z_ram_we = (sigencode_wr_req_i.rd_wr_en == RW_WRITE) | api_sig_z_we;
always_comb sig_z_ram_we = (sigencode_wr_req_i.rd_wr_en == RW_WRITE) | api_sig_z_we | zeroize_mem_we;
always_comb sig_z_ram_waddr = ({SIG_Z_MEM_ADDR_W{(sigencode_wr_req_i.rd_wr_en == RW_WRITE)}} & sigencode_wr_req_i.addr[SIG_Z_MEM_ADDR_W:1]) |
({SIG_Z_MEM_ADDR_W{api_sig_z_we}} & api_sig_z_addr.addr);
({SIG_Z_MEM_ADDR_W{api_sig_z_we}} & api_sig_z_addr.addr) |
({SIG_Z_MEM_ADDR_W{zeroize_mem_we}} & zeroize_mem_addr[SIG_Z_MEM_ADDR_W-1:0]);

always_comb sig_z_ram_wstrobe = ({SIG_Z_MEM_WSTROBE_W{(sigencode_wr_req_i.rd_wr_en == RW_WRITE)}}) |
({SIG_Z_MEM_WSTROBE_W{api_sig_z_we}} & ('hF << api_sig_z_addr.offset*4));
({SIG_Z_MEM_WSTROBE_W{api_sig_z_we}} & ('hF << api_sig_z_addr.offset*4)) |
({SIG_Z_MEM_WSTROBE_W{zeroize_mem_we}});


always_comb sig_z_ram_wdata = ({SIG_Z_MEM_DATA_W{(sigencode_wr_req_i.rd_wr_en == RW_WRITE)}} & sigencode_wr_data_i) |
({SIG_Z_MEM_DATA_W{(api_sig_z_we)}} & SIG_Z_MEM_DATA_W'(mldsa_reg_hwif_out.MLDSA_SIGNATURE.wr_data << api_sig_z_addr.offset*32));
({SIG_Z_MEM_DATA_W{(api_sig_z_we)}} & SIG_Z_MEM_DATA_W'(mldsa_reg_hwif_out.MLDSA_SIGNATURE.wr_data << api_sig_z_addr.offset*32)) |
({SIG_Z_MEM_DATA_W{zeroize_mem_we}} & SIG_Z_MEM_DATA_W'(zeroize_mem_wr_data)) ;

//signature reg read flop
always_ff @(posedge clk or negedge rst_b) begin
Expand Down Expand Up @@ -733,6 +763,11 @@ always_comb mldsa_privkey_lock = '0;
sampler_pk_rd_en_f <= '0;
sampler_src_offset_f <= '0;
pkdecode_rd_offset_f <= '0;
end else if (zeroize) begin
api_pubkey_re_f <= '0;
sampler_pk_rd_en_f <= '0;
sampler_src_offset_f <= '0;
pkdecode_rd_offset_f <= '0;
end else begin
api_pubkey_re_f <= api_pubkey_re;
sampler_pk_rd_en_f <= msg_hold ? sampler_pk_rd_en_f : sampler_pk_rd_en;
Expand Down Expand Up @@ -795,16 +830,19 @@ always_comb mldsa_privkey_lock = '0;
always_comb mldsa_reg_hwif_in.MLDSA_PUBKEY.rd_data = api_pubkey_re_f ? pubkey_ram_rdata[api_pubkey_mem_addr.offset] : pk_reg_rdata;

//write requests
always_comb pubkey_ram_we = (pk_t1_wren_i) | api_pubkey_we;
always_comb pubkey_ram_we = (pk_t1_wren_i) | api_pubkey_we | zeroize_mem_we;
always_comb pubkey_ram_waddr = ({PK_MEM_ADDR_W{pk_t1_wren_i}} & pk_t1_wr_addr_i[PK_MEM_ADDR_W+1:2]) |
({PK_MEM_ADDR_W{api_pubkey_we}} & api_pubkey_mem_addr.addr);
({PK_MEM_ADDR_W{api_pubkey_we}} & api_pubkey_mem_addr.addr) |
({PK_MEM_ADDR_W{zeroize_mem_we}} & zeroize_mem_addr[PK_MEM_ADDR_W-1:0]);

always_comb pubkey_ram_wstrobe = ({PK_MEM_WSTROBE_W{pk_t1_wren_i}} & 'h3FF << pk_t1_wr_addr_i[1:0]*10) |
({PK_MEM_WSTROBE_W{api_pubkey_we}} & ('hF << api_pubkey_mem_addr.offset*4));
({PK_MEM_WSTROBE_W{api_pubkey_we}} & ('hF << api_pubkey_mem_addr.offset*4)) |
({PK_MEM_WSTROBE_W{zeroize_mem_we}});


always_comb pubkey_ram_wdata = ({PK_MEM_DATA_W{pk_t1_wren_i}} & PK_MEM_DATA_W'(pk_t1_wrdata_i << pk_t1_wr_addr_i[1:0]*80)) |
({PK_MEM_DATA_W{(api_pubkey_we)}} & PK_MEM_DATA_W'(mldsa_reg_hwif_out.MLDSA_SIGNATURE.wr_data << api_pubkey_mem_addr.offset*32));
({PK_MEM_DATA_W{(api_pubkey_we)}} & PK_MEM_DATA_W'(mldsa_reg_hwif_out.MLDSA_SIGNATURE.wr_data << api_pubkey_mem_addr.offset*32)) |
({PK_MEM_DATA_W{zeroize_mem_we}} & PK_MEM_DATA_W'(zeroize_mem_wr_data));


//pk reg read flop
Expand Down Expand Up @@ -844,6 +882,8 @@ always_comb mldsa_privkey_lock = '0;
always_ff @(posedge clk or negedge rst_b) begin
if (!rst_b) begin
msg_data <= '0;
end else if (zeroize) begin
msg_data <= '0;
end else begin
if (msg_hold) begin
msg_data <= msg_data;
Expand Down Expand Up @@ -1008,7 +1048,7 @@ always_comb mldsa_privkey_lock = '0;
prim_prog_cntr <= MLDSA_RESET;
end
else if(zeroize) begin
prim_prog_cntr <= MLDSA_RESET;
prim_prog_cntr <= MLDSA_ZEROIZE;
end
else begin
if (error_flag_edge) begin
Expand All @@ -1026,6 +1066,7 @@ always_comb mldsa_privkey_lock = '0;
verifying_process_nxt = 0;
keygen_signing_process_nxt = 0;
keygen_done = 0;
signature_done = 0;
verify_done = 0;
set_y_valid = 0;
set_w0_valid = 0;
Expand All @@ -1034,7 +1075,7 @@ always_comb mldsa_privkey_lock = '0;
set_verify_valid = 0;
set_entropy = 0;
prim_prog_cntr_nxt = MLDSA_RESET;
prim_seq_en = 1;
prim_seq_en = !zeroize;

unique case (prim_prog_cntr) inside
MLDSA_RESET : begin
Expand Down Expand Up @@ -1065,7 +1106,14 @@ always_comb mldsa_privkey_lock = '0;
prim_seq_en = 0;
end
endcase
end
end
MLDSA_ZEROIZE : begin
if (zeroize_mem_done)
prim_prog_cntr_nxt = MLDSA_RESET;
else
prim_prog_cntr_nxt = MLDSA_ZEROIZE;
prim_seq_en = 0;
end
MLDSA_KG_JUMP_SIGN : begin
//Jump to signing process
if (keygen_signing_process) begin
Expand All @@ -1082,7 +1130,9 @@ always_comb mldsa_privkey_lock = '0;
end
//START of Y access - check if Y is still valid
MLDSA_SIGN_CHECK_Y_CLR : begin
if (y_valid | w0_valid) begin //Stalled until Y and w0 can be overwritten
if (signature_validity_chk_done)
prim_prog_cntr_nxt = MLDSA_SIGN_E;
else if (y_valid | w0_valid) begin //Stalled until Y and w0 can be overwritten
prim_prog_cntr_nxt = prim_prog_cntr;
end
else begin
Expand All @@ -1096,7 +1146,9 @@ always_comb mldsa_privkey_lock = '0;
end
//START of W0 access - check if W0 is still valid
MLDSA_SIGN_CHECK_W0_CLR : begin
if (w0_valid) begin //Stalled until W0 can be overwritten
if (signature_validity_chk_done)
prim_prog_cntr_nxt = MLDSA_SIGN_E;
else if (w0_valid) begin //Stalled until W0 can be overwritten
prim_prog_cntr_nxt = prim_prog_cntr;
end
else begin
Expand All @@ -1122,17 +1174,26 @@ always_comb mldsa_privkey_lock = '0;
set_c_valid = 1;
prim_prog_cntr_nxt = prim_prog_cntr + 1;
end
MLDSA_SIGN_E : begin // end of challenge generation
//increment kappa value
update_kappa = 1;
//restart challenge generation
prim_prog_cntr_nxt = MLDSA_SIGN_CHECK_Y_CLR;
MLDSA_SIGN_CHL_E : begin // end of challenge generation
if (signature_validity_chk_done)
prim_prog_cntr_nxt = MLDSA_SIGN_E;
else begin
//increment kappa value
update_kappa = 1;
//restart challenge generation
prim_prog_cntr_nxt = MLDSA_SIGN_CHECK_Y_CLR;
end
end
MLDSA_SIGN_E : begin // end of signature
signature_done = 1;
end
MLDSA_VERIFY_E : begin // end of verify flow
verify_done = 1;
end
default : begin
if (subcomponent_busy) begin //Stalled until sub-component is done
if (signature_validity_chk_done)
prim_prog_cntr_nxt = MLDSA_SIGN_E;
else if (subcomponent_busy) begin //Stalled until sub-component is done
prim_prog_cntr_nxt = prim_prog_cntr;
end
else begin
Expand Down Expand Up @@ -1329,8 +1390,6 @@ end
mldsa_seq_prim mldsa_seq_prim_inst
(
.clk(clk),
.rst_b(rst_b),
.zeroize(zeroize),

.en_i(prim_seq_en),
.addr_i(prim_prog_cntr_nxt),
Expand All @@ -1346,7 +1405,7 @@ mldsa_seq_prim mldsa_seq_prim_inst
sec_prog_cntr <= MLDSA_RESET;
end
else if(zeroize) begin
sec_prog_cntr <= MLDSA_RESET;
sec_prog_cntr <= MLDSA_ZEROIZE;
end
else begin
if (error_flag_edge) begin
Expand All @@ -1365,8 +1424,8 @@ mldsa_seq_prim mldsa_seq_prim_inst
clear_y_valid = 0;
clear_w0_valid = 0;
set_signature_valid = 0;
signature_done = 0;
sec_seq_en = 1;
signature_validity_chk_done = 0;
sec_seq_en = !zeroize;

unique case (sec_prog_cntr) inside
MLDSA_RESET : begin
Expand All @@ -1393,9 +1452,15 @@ mldsa_seq_prim mldsa_seq_prim_inst
endcase
if (keygen_signing_process & (prim_prog_cntr == MLDSA_KG_JUMP_SIGN)) begin
sec_prog_cntr_nxt = MLDSA_SIGN_INIT_S;
sec_seq_en = 1;
end
end
MLDSA_ZEROIZE : begin
if (zeroize_mem_done)
sec_prog_cntr_nxt = MLDSA_RESET;
else
sec_prog_cntr_nxt = MLDSA_ZEROIZE;
sec_seq_en = 0;
end
//START of C access - check if C is valid
MLDSA_SIGN_CHECK_C_VLD : begin
if (c_valid) begin
Expand Down Expand Up @@ -1450,7 +1515,11 @@ mldsa_seq_prim mldsa_seq_prim_inst
end
end
MLDSA_SIGN_GEN_E : begin // Successful signature generation
signature_done = 1;
signature_validity_chk_done = 1;
if (signature_done)
sec_prog_cntr_nxt = MLDSA_RESET;
else
sec_prog_cntr_nxt = sec_prog_cntr;
end
default : begin
if (sign_subcomponent_busy) begin //Stalled until sub-component is done
Expand Down Expand Up @@ -1553,15 +1622,39 @@ end
mldsa_seq_sec mldsa_seq_sec_inst
(
.clk(clk),
.rst_b(rst_b),
.zeroize(zeroize),

.en_i(sec_seq_en),
.addr_i(sec_prog_cntr_nxt),
.data_o(sec_instr)
);

always_ff @(posedge clk or negedge rst_b) begin
if (!rst_b) begin
zeroize_mem_addr <= 0;
zeroize_mem_done <= 0;
end
else if (zeroize) begin
zeroize_mem_addr <= 0;
zeroize_mem_done <= 0;
end
else if (prim_prog_cntr == MLDSA_ZEROIZE) begin
if (zeroize_mem_addr == MLDSA_MEM_MAX_DEPTH) begin
zeroize_mem_addr <= 0;
zeroize_mem_done <= 1;
end else begin
zeroize_mem_addr <= zeroize_mem_addr + 1;
end
end else begin
zeroize_mem_addr <= 0;
zeroize_mem_done <= 0;
end
end

always_comb zeroize_mem_we = (prim_prog_cntr == MLDSA_ZEROIZE);
always_comb zeroize_mem_wr_data = '0;

always_comb zeroize_mem_o.rd_wr_en = zeroize_mem_we? RW_WRITE : RW_IDLE;
always_comb zeroize_mem_o.addr = zeroize_mem_addr;

`ifdef RV_FPGA_SCA
//===========================================================================
Expand Down
Loading
Loading