[cryptolib] HMAC driver TODO list

[ballifatih]

Description

(this issue is WIP)

• [ ] Consider whether we want to have a timeout value for polling for interrupt signal. HMAC does not use EDN, so we should be able to determine a reasonable timeout value.
• [ ] Use a random 32-bit values from EDN to wipe HMAC, instead of fixed 32'b1. We can read a value from RV_CORE_IBEX_RND_STATUS_REG_OFFSET.
• [x] Write message bits in 32-bit blocks instead of 8-bit blocks, as much as possible.
• [ ] Determine if we need to handle back-pressure when SW is writing too many message bytes in a row without a break. (We probably do not need this because there is no asynchronous EDN interaction in HMAC, unlike KMAC.)
• [x] Implement oneshot driver calls and connect them to cryptolib functions.
• [ ] Revisit docs of driver functions and improve its quality (i.e. there might be missing parameters in the comment blocks, or the current descriptions might not be explaining what the caller needs to do).
• [ ] Remove old sha256/sha512 files related to OTBN.
• [ ] For programmer's guide: add a line stating that during streaming, SW can only feed message blocks that are multiples of internal block size. What is missing is 0 block feeding is not allowed, there needs to be at least one block.

And potential improvement suggestions for SCA/FI hardening:

• [ ] Use randomized copying (similar to hardened_memcpy) for KEY and DIGEST registers. This can also be extended to message inputs if message bits are also sensitive, depending on the use case (e.g. HMAC-DRBG).
• [ ] Use multi-bit encoding for hw_started flag.
• [ ] Determine if cleaning the values of ctx after the final call makes sense. If so, the values could be populated with random values. The suggestion is to zeroise or randomly populate ctx struct during init.
• [x] Improve copying function between otcrypto and driver ctx structs, by copying at word granularity.
• [ ] Add hardened flags to context struct, such as hmac_en and use it to skip key writing etc. https://github.com/lowRISC/opentitan/pull/23196#discussion_r1609013103

[martin-velay]

The following is addressed by both of these PRs (once merged): https://github.com/lowRISC/opentitan/pull/24839 and https://github.com/lowRISC/opentitan/pull/24944

"Consider whether we want to have a timeout value for polling for interrupt signal. HMAC does not use EDN, so we should be able to determine a reasonable timeout value."