Closed by msfschaffner 7 months ago
$ git log Earlgrey-M2.5.2-RC0..HEAD --oneline hw/ip/lc_ctrl
fa5dc8a876 [pre_sca] Convert PROLEAD configuration files to Unix format
66472e257a [pre_syn] Include csrng_pkg.sv to re-enable Yosys synthesis
0891b2f045 [aes,pre_sca] Modify evaluation parameters for PROLEAD
b9afd40c3e [aes,rtl] Switch to Bivium-based masking PRNG implementation
0726a6dd01 [alma, aes] Add README for the verification flow
7e76564213 [aes, alma] Add verification script for AES S-box
82dc6dce1f [alma] Add yosys template for AES S-box flattening
8354636d91 [alma] Add patching tool for techlib
25f488deab [aes,dv] Fix aes_ctrl_cg sample function declaration
61a237e197 [util/reggen] reverse order of substruct generation
de31bdf1c2 [reggen] Remove the devmode input
895c541640 [aes, doc] Clarify availability of sideload, change cryptolib link
ac5a127a9c [aes, pre_sca] Enable masking evaluation of AES with PROLEAD
5be278bb25 [aes, kmac, otbn] Perform final clean -purge step in Yosys synthesis
2d0887b7a9 [aes,SiVal] Add features of AES module
78abd88092 [aes, doc] Fix broken links
1b16ca2122 [reggen] Add mubi support SWAccess that sets/clears a reg
59f8142826 [doc] Moved badges over to using hosted images
7688e714e8 [reggen] Add initial support for version and cip_id hjson fields
fbd888eea8 Revert "[reggen] Add CIP_IDs and bump all major versions"
ba2ca76ae7 [aes, doc] Mention option of implementing GCM with Ibex and bitmanip
9bc003ca25 [aes, kmac] Replace term aggravate in SCA/FI context
4dc21fb4ec [aes, pre_dv] Add very basic scratch Verilator testbench for cipher core
0ba10b3cd3 [reggen] Add CIP_IDs and bump all major versions
5b12b346dc [aes, dv] Enable aes_stress_all(_with_rand_reset) tests
69fa03aaac [aes, dv] Move end detection of last message from scoreboard to env
3dbbf0b3cb [aes, dv] Rework tracking of good, corrupted, split and skipped messages
af95b78408 [aes, dv] Encapsulate vseqs in fork/join_any and disable fork blocks
30aee10d6f [aes, dv] Add randomization constraints for aes_alert_reset_vseq
f1dcf7ad4d [aes, dv] Reorder test list, add comments to explain grouping
2526b01657 [aes, dv] Fix aes_manual_config_err_vseq
cb90c98960 [aes, dv] Fix cfg_error_type constraint resolution for aes_message_item
e47df29f3e [misc] Use lc_tx_t testing functions at endpoints
6744fe2f94 [aes, dv] Switch from csr_update() to csr_wr() for set_regwen()
f2b781b359 [aes, dv] Move regwen testing into base sequence
9cb2a1c077 [aes, dv] Add alert_test testing to aes_alert_reset_test
9d0f701812 [aes, dv] Increase manual operation percentage for config error test
89f58b3bc7 [aes, dv] Simplify handling of different modes in process_tl_access()
b39259025b [aes, dv] Enable configuration error testing with sideload keys
52551971f4 [aes, dv] Comment and fix usage of status_fsm() task inside send_msg()
bd450974ee [aes, dv] Make sure aes_status_cg.cp_alert_recov is hit
be7bae1ec7 [aes, dv] Always set PRNG reseed rate during setup_dut()
This issue led us to replace the previous LFSR-based PRNG architecture with a PRNG based on a stream cipher primitive to avoid brute-forcing attacks on the PRNG state. The change is fully transparent to software, and a full security evaluation has been performed before merging the change.
Closed as not planned as this is potential defense in depth.
Closed as we're not going to change the behavior of our hardware blocks at this point. An issue to track the creation of guidelines has been created here: https://github.com/lowRISC/opentitan/issues/20680
When changing the corresponding configuration flag to a one-hot encoding, we forgot to align the coverage definition. This revealed a little coverage hole now tracked separately in https://github.com/lowRISC/opentitan/issues/20941
Various functional coverage holes got fixed.
Enable previously disabled (and failing) stress_all test
Erroneously created SiVal issue. The feature of interest can only be tested with an SCA setup.
Non-AES-specific test failure discovered when requiring lots of entropy. The entropy complex wasn't configured properly.
Some follow-up work related to the PRNG. No area or timing impact, but it improves SCA hardening and requires a security evaluation again.
Needs to be done by tapeout partner in secure environment close to tapeout.
No changes for Earlgrey A1. We want to keep this feature to ease our own security analysis. The feature can be locked down in ROM_ext.
Fixing a small, uncritical coverage hole.
DV cleanup work, uncritical and very low priority.
Erroneously created SiVal issue. Duplicate of the closed https://github.com/lowRISC/opentitan/issues/19985
The only relevant RTL change in this block was #19091, where we replaced the LFSR-based PRNG with an implementation based on the Bivium stream cipher primitive to prevent brute-forcing attacks on the PRNG state. The change is isolated to the PRNG itself, and all SCA experiments (including a newly set up simulation-based tool flow) have been repeated to ensure the change doesn't negatively impact the SCA hardening and that the masking-off feature still works as expected. The change is very well understood.
The block should still fulfill the D2S criteria.
@msfschaffner and @andreaskurth , would you mind reviewing this please?
Since there was just the isolated PRNG change in the RTL, I didn't downgrade AES to D1/V1. Hence, there is no associated PR for the sign-off. Similarly, the changes are fully transparent to software, meaning no version increment is needed.
FYI @johngt
Thanks for the analysis @vogelpi. The analysis that we would have had to perform to go from D2 -> D2S has already been performed in this case, so leaving this at D2S sounds good from my side.
Description
Ensure D2S signoff criteria are fulfilled after focus area changes have landed.