[aes,dv] Recalculate aad/ptx length when splitting message #28

Merged
merged 1 commit into from
Feb 24, 2025


nasahlpa
Collaborator

When performing alert or FI tests, the try_recover() function in the base sequence splits up messages.
E.g.:
|AAD|AAD|PTX|PTX|TAG|
could be split up into
|AAD|PTX|PTX|TAG
when there is an error injected at the first AAD block.

This is problematic as now len(aad) || len(data), which is the data_in of the TAG block, does not match anymore. Hence, the tag comparison fails.

@nasahlpa nasahlpa requested a review from vogelpi February 21, 2025 18:06
len_aad_data = {<<8{len_aad_data_conc}};
// Check if the calculated len(aad) || len(data) matches the length we wrote
// into the DUT.
if (len_aad_data != item.data_in) begin
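
Review bot: the byte reversal in the first line, `{<<8{len_aad_data_conc}}`, is undocumented; the comment above the `if` explains the comparison but not why the concatenated length has to be byte-swapped before it is compared with `item.data_in`. Add a short comment stating the byte order in which the length block is written to the DUT. If either operand can be 4-state, `!==` would also be the safer operator here, since an X in `item.data_in` makes `!=` evaluate to X and the mismatch branch is then skipped.
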
Owner

I think this is reasonable but I have a question: in case we split messages due to FI testing, which one is the length accounting for the splitting? Is it item.data_in (the value passed to the DUT) or is it aad_length | message_length (I see this value is randomized in this file and then extended upon adding more stuff).

Depending on that, we may want to perform the tag comparison but update the DPI call. Because what the try_recover() verifies, is that after a fault, the DUT can be reset and successfully do an encryption/decryption.

Collaborator Author

Thanks for your review, @vogelpi.

I've actually found a more elegant solution that does not ignore the tag check for those messages. Instead, the new len(aad) || len(data) now gets re-computed in the base sequence where we split up the message and we're now updating the AES_GCM_TAG aes_seq_item. Now, the tag comparison can be conducted even though we are splitting up messages in the try_recover() function.

Owner

Thanks, this is great!

When performing alert or FI tests, the try_recover() function in
the base sequence splits up messages.
E.g.:
|AAD|AAD|PTX|PTX|TAG|
could be split up into
|AAD|PTX|PTX|TAG
when there is an error injected at the first AAD block.

This is problematic as now len(aad) || len(data), which is the
data_in of the TAG block, does not match anymore. Hence, the
tag comparison fails.

This commit now recomputes len(aad) || len(data) and puts it into
the correct AES_GCM_TAG item.

Signed-off-by: Pascal Nasahl <[email protected]>
@nasahlpa nasahlpa changed the title [aes,dv] Ignore tag comparison in alert/FI tests. [aes,dv] Recalculate aad/ptx length when splitting message Feb 24, 2025
@nasahlpa nasahlpa merged commit af99a08 into vogelpi:aes-gcm-review Feb 24, 2025
7 of 9 checks passed
@nasahlpa nasahlpa deleted the aes_gcm_dv_fix_fi branch February 24, 2025 12:47
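
The length mismatch discussed in this pull request, as an added Python example that is not part of the PR or the project's testbench: it runs GHASH over the split message once with the stale len(aad) || len(data) block and once with the recomputed one, and the two results differ, which is why the tag comparison fails. The hash subkey, the sample blocks and all function names are constructed for illustration.

```python
import struct

R = 0xE1 << 120  # GCM reduction constant (NIST SP 800-38D)

def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128), GCM bit order."""
    z, v = 0, x
    for i in range(127, -1, -1):          # leftmost bit of y first
        if (y >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def len_block(aad: bytes, data: bytes) -> bytes:
    """len(aad) || len(data): two 64-bit big-endian bit counts."""
    return struct.pack(">QQ", 8 * len(aad), 8 * len(data))

def ghash(h: int, aad: bytes, data: bytes, length_block: bytes) -> int:
    """GHASH over zero-padded AAD and data, closed by the given length block."""
    y = 0
    for part in (aad, data):
        padded = part + b"\x00" * (-len(part) % 16)
        for off in range(0, len(padded), 16):
            y = gf_mul(y ^ int.from_bytes(padded[off:off + 16], "big"), h)
    return gf_mul(y ^ int.from_bytes(length_block, "big"), h)

# Constructed sample values, not taken from the testbench.
H = 0x0123456789ABCDEF0F1E2D3C4B5A6978   # hash subkey (arbitrary, non-zero)
AAD = bytes(range(32))                   # two AAD blocks
DATA = bytes(range(100, 132))            # two data blocks

def split_after_fault() -> dict:
    """|AAD|AAD|PTX|PTX|TAG| loses its first AAD block: |AAD|PTX|PTX|TAG|."""
    aad_split = AAD[16:]
    stale = len_block(AAD, DATA)          # length block of the unsplit message
    fresh = len_block(aad_split, DATA)    # recomputed for what is actually sent
    return {
        "stale": stale.hex(),
        "fresh": fresh.hex(),
        "ghash_stale": ghash(H, aad_split, DATA, stale),
        "ghash_fresh": ghash(H, aad_split, DATA, fresh),
    }

if __name__ == "__main__":
    for name, value in split_after_fault().items():
        print(name, value if isinstance(value, str) else f"{value:032x}")
```

The length block is the last input absorbed by GHASH, so a stale value changes the hash even when every AAD and data block that was actually sent is identical.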