BL1: Update bl_secure_mem(cpy|eql) functions
Remove bl_secure_memcpy. As bl_secure_memeql is never used on secret
data, remove the unnecessary DPA and timing countermeasures and rename
to make clear it is hardened against fault injection only.
Change-Id: I8a1d9209350fad8b282e3aa89f923a4f80e12b24
Signed-off-by: Raef Coles <raef.coles@arm.com>
diff --git a/bl1/bl1_1/shared_lib/interface/util.h b/bl1/bl1_1/shared_lib/interface/util.h
index 1e3a406..7330a7c 100644
--- a/bl1/bl1_1/shared_lib/interface/util.h
+++ b/bl1/bl1_1/shared_lib/interface/util.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -23,18 +23,7 @@
* \param[in] ptr2 Pointer to the second memory region.
* \param[in] size Size of the two memory regions.
*
- * \note This function is hardened against both fault
- * injection and differential power analysis, and is
- * constant time (except for time taken for TRNG
- * invocations).
- *
- * \note The ordering of comparisons in this function is
- * randomised. This is done by comparing in the forward
- * direction for a uniform random number of elements
- * between 1 and 8 inclusive, and then comparing in the
- * reverse direction for a uniform random number of
- * elements between 1 and 8 inclusive. This is repeated
- * until the comparison is done.
+ * \note This function is hardened against fault injection.
*
* \note This function only checks equality, and does not
* return any information about the elements which
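Review bot: The replacement `\note This function is hardened against fault injection.` no longer tells callers that the timing and power-analysis protections are gone, while the new implementation in util.c returns at the first differing byte. The commit message relies on the function never being used on secret data, so the header should state that as a contract, e.g. `\note This function is not constant time and must not be used to compare secret data.` The `\param[in] size` line above also names a parameter the prototype calls `num`, which is worth correcting while this comment is being edited. The doc comment starts before this hunk.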
@@ -44,32 +33,7 @@
* \retval FIH_FAILURE The two given memory regions are not identical, or a
* failure has occurred and they cannot be compared.
*/
-fih_int bl_secure_memeql(const void *ptr1, const void *ptr2, size_t num);
-
-/**
- * \brief Copies the values in memory at source to the memory
- * at destination, for a given size.
- *
- * \param[in] source Source memory to copy from.
- * \param[in] num Number of bytes to be copied.
- * \param[out] destination Destination memory to copy into.
- *
- * \note This function is hardened against both fault
- * injection and differential power analysis.
- *
- * \note The ordering of copying in this function is
- * randomised. This is done by comparing in the forward
- * direction for a uniform random number of elements
- * between 1 and 8 inclusive, and then copying in the
- * reverse direction for a uniform random number of
- * elements between 1 and 8 inclusive. This is repeated
- * until the copying is done.
- *
- * \retval FIH_SUCCESS The copy completed successfully.
- * \retval FIH_FAILURE A failure has occurred and the copy has not been
- * completed.
- */
-fih_int bl_secure_memcpy(void *destination, const void *source, size_t num);
+fih_int bl_fih_memeql(const void *ptr1, const void *ptr2, size_t num);
#ifdef __cplusplus
}
diff --git a/bl1/bl1_1/shared_lib/util.c b/bl1/bl1_1/shared_lib/util.c
index a4eefc3..a28d943 100644
--- a/bl1/bl1_1/shared_lib/util.c
+++ b/bl1/bl1_1/shared_lib/util.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -7,133 +7,36 @@
#include "util.h"
-#include "trng.h"
#include "fih.h"
+#include <string.h>
-/* The average roll should be 4 by the CLT, and our secrets are usually 32
- * bytes. Do 8 + 3 so there's a bit of extra. Should always be odd so the reseed
- * oscillates between before and after the forward step.
- */
-#define RNG_CHUNK_BYTES (11)
-/* Reverse every between 0 and 7 bytes */
-#define SHUFFLE_MASK (0x7)
-
-fih_int bl_secure_memeql(const void *ptr1, const void *ptr2, size_t num)
+#ifdef TFM_FIH_PROFILE_ON
+fih_int bl_fih_memeql(const void *ptr1, const void *ptr2, size_t num)
{
- fih_int is_equal = FIH_SUCCESS;
- size_t block_start;
- size_t block_end;
- size_t curr = 0;
- uint8_t rnd[RNG_CHUNK_BYTES];
- size_t rnd_curr_idx = sizeof(rnd);
+ size_t idx;
- /* Do comparison. Every n bytes (where n is random between 1 and 9),
- * reverse the direction.
- */
- while (curr < num) {
- /* Only generate more entropy if we've run out */
- if (rnd_curr_idx == sizeof(rnd)) {
- bl1_trng_generate_random(rnd, sizeof(rnd));
- rnd_curr_idx = 0;
+ for (idx = 0; idx < num; idx++) {
+ if (((uint8_t *)ptr1)[idx] != ((uint8_t *)ptr2)[idx]) {
+ FIH_RET(FIH_FAILURE);
}
- /* Forward case. Always at least one byte */
- block_start = curr;
- block_end = curr + (rnd[rnd_curr_idx++] & SHUFFLE_MASK) + 1;
+ fih_delay();
- if (block_end > num) {
- block_end = num;
+ if (((uint8_t *)ptr1)[idx] != ((uint8_t *)ptr2)[idx]) {
+ FIH_RET(FIH_FAILURE);
}
-
- for (; curr < block_end; curr++) {
- if (((uint8_t *)ptr1)[curr] != ((uint8_t *)ptr2)[curr]) {
- is_equal = FIH_FAILURE;
- }
- }
-
-
- /* Only generate more entropy if we've run out */
- if (rnd_curr_idx == sizeof(rnd)) {
- bl1_trng_generate_random(rnd, sizeof(rnd));
- rnd_curr_idx = 0;
- }
-
- /* Reverse case. Always at least one byte */
- block_start = curr;
- block_end = curr + (rnd[rnd_curr_idx++] & SHUFFLE_MASK) + 1;
-
- if (block_end > num) {
- block_end = num;
- }
-
- for (curr = block_end - 1; curr >= block_start; curr--) {
- if (((uint8_t *)ptr1)[curr] != ((uint8_t *)ptr2)[curr]) {
- is_equal = FIH_FAILURE;
- }
- }
- curr = block_end;
- }
- if (curr != num) {
- FIH_PANIC;
}
- FIH_RET(is_equal);
-}
-
-fih_int bl_secure_memcpy(void *destination, const void *source, size_t num)
-{
- size_t block_start;
- size_t block_end;
- int64_t curr = 0;
- uint8_t rnd[RNG_CHUNK_BYTES];
- size_t rnd_curr_idx = sizeof(rnd);
-
- /* Do copy. Every n bytes (where n is random between 1 and 17), reverse the
- * direction.
- */
- while (curr < num) {
- /* Only generate more entropy if we've run out */
- if (rnd_curr_idx == sizeof(rnd)) {
- bl1_trng_generate_random(rnd, sizeof(rnd));
- rnd_curr_idx = 0;
- }
-
- /* Forward case */
- bl1_trng_generate_random(rnd, sizeof(rnd));
- block_start = curr;
- block_end = curr + (rnd[rnd_curr_idx++] & SHUFFLE_MASK) + 1;
-
- if (block_end > num) {
- block_end = num;
- }
-
- for (; curr < block_end; curr++) {
- ((uint8_t *)destination)[curr] = ((uint8_t *)source)[curr];
- }
-
-
- /* Only generate more entropy if we've run out */
- if (rnd_curr_idx == sizeof(rnd)) {
- bl1_trng_generate_random(rnd, sizeof(rnd));
- rnd_curr_idx = 0;
- }
-
- /* Reverse case */
- block_start = curr;
- block_end = curr + (rnd[rnd_curr_idx++] & SHUFFLE_MASK) + 1;
-
- if (block_end > num) {
- block_end = num;
- }
-
- for (curr = block_end - 1; block_start <= curr; curr--) {
- ((uint8_t *)destination)[curr] = ((uint8_t *)source)[curr];
- }
- curr = block_end;
- }
- if (curr != num) {
- FIH_PANIC;
+ if (idx != num) {
+ FIH_RET(FIH_FAILURE);
}
FIH_RET(FIH_SUCCESS);
}
+#else
+fih_int bl_fih_memeql(const void *ptr1, const void *ptr2, size_t num)
+{
+ /* Only return 1 or 0 */
+ return memcmp(ptr1, ptr2, num) != 0;
+}
+#endif /* TFM_FIH_PROFILE_ON */
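Review bot: Both redundancy checks in the `TFM_FIH_PROFILE_ON` variant of `bl_fih_memeql` are written so that an optimising compiler may remove them: the second `ptr1[idx] != ptr2[idx]` comparison repeats a non-volatile read, and `if (idx != num)` is always false after a normal loop exit. Whether the duplicate comparison survives depends on `fih_delay()` being opaque to the compiler in every FIH profile, which cannot be told from this hunk (fih.h is not shown). Reading through `const volatile uint8_t *p1 = ptr1, *p2 = ptr2;` and declaring `volatile size_t idx;` would keep both checks in the generated code and also avoid casting away `const`. In the `#else` variant the return value is 0 or 1 rather than the documented `FIH_SUCCESS`/`FIH_FAILURE`; `return memcmp(ptr1, ptr2, num) == 0 ? FIH_SUCCESS : FIH_FAILURE;` would keep the contract if those constants differ from 0 and 1 in that build.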