Age | Commit message | Author
2018-05-20 | Clean up parallel signature test script. | Rob Austein
Aside from not really needing to use every crayon in the box, using a simpler control structure makes exceptions behave more as one expects.
2018-05-20 | Add small cache for RSA blinding factors. | Rob Austein
Generating new RSA blinding factors turns out to be relatively expensive, but we can amortize that cost by maintaining a small cache and simply mutating old values after each use with a cheaper operation. Squaring works, pretty much by definition. Blinding factors are only sort-of-sensitive: we don't want them to leak out of the HSM, but they're only based on the public modulus, not the private key components, and we're only using them to foil side channel attacks, so the risk involved in caching them seems small. For the moment, the cache is very small, since we only care about this for bulk signature operations. Tune this later if it becomes an issue.
2018-05-20 | Silence compiler warning in revised hal_ks_fetch(). | Rob Austein
2018-05-19 | Release keystore lock before unwrapping key. | Rob Austein
hal_ks_fetch() was written as lock-at-the-top, unlock-at-the-bottom to keep it as simple as possible, but this turns out to have bad performance implications when unwrapping the key is slow. So now we grab the wrapped key, release the lock, then unwrap, which should be safe enough given that hal_ks_fetch() is read-only. This lets us make better use of multiple AES cores to unwrap in parallel when we have multiple active clients.
2018-05-01 | Add some yields to try to improve responsiveness during hashsig key generation and deletion. | Paul Selkirk
2018-04-19 | Merge branch 'profiling' into hashsig | Paul Selkirk
2018-04-19 | Rebase hashsig from master | Paul Selkirk
2018-04-19 | Reconstruct the hashsig hash tree(s) on device restart. | Paul Selkirk
2018-04-19 | Update to draft-10: clarifications and Test Case 2; | Paul Selkirk
add ability to export public key to xdr for interop testing
2018-04-19 | For 2^w and 2^h, replace hard-coded w2 and h2 values with 1<<w and 1<<h. | Paul Selkirk
2018-04-19 | Add Test Case 2 from draft-mcgrew-09 | Paul Selkirk
2018-04-19 | Fold the coef* functions into a single function, because that really was premature optimization. | Paul Selkirk
2018-04-19 | Fix coef4, which was swapping digits | Paul Selkirk
2018-04-19 | Implement hash-based signatures, per draft-mcgrew-hash-sigs-08.txt | Paul Selkirk
2018-04-19 | Add hal_ks_available | Paul Selkirk
2018-04-19 | Encode/decode uint32_t and octet strings | Paul Selkirk
2018-04-19 | Clean up RPC code, track changes to XDR API. | Paul Selkirk
2018-04-19 | Refactor XDR code, add support for fixed-length opaque data. | Paul Selkirk
2018-04-19 | Reconstruct the hashsig hash tree(s) on device restart. | Paul Selkirk
2018-04-14 | Clean up definition of HAL_KS_WRAPPED_KEYSIZE. | Rob Austein
2018-03-30 | More accurate timing. | Rob Austein
2018-03-30 | Tweak report output. | Rob Austein
Copy ContextManagedUnpacker from latest version of libhal.py so that this script won't depend on the current development code.
2018-03-30 | First cut at parallel signature timing test. | Rob Austein
At the moment this only handles RSA keys, and can only handle one size of key at a time. More bells and whistles will follow eventually, now that the basic asynchronous API to our RPC protocol works.
2018-03-25 | Clear search state variables in rsa.c's find_prime(). | Rob Austein
Failing to clear the temporary buffer used to transfer bits from the TRNG into a bignum was a real leak of something very close to keying material, albeit only onto the local stack where it was almost certain to have been overwritten by subsequent operations (generation of other key components, wrap and PKCS #8 encoding) before pkey_generate_rsa() ever returned to its caller. Still, bad coder, no biscuit. Failing to clear the remainders array was probably harmless, but doctrine says clear it anyway.
2018-03-21 | Supply our own context manager instead of using contextlib. | Rob Austein
contextlib is cute, but incompatible with other coroutine schemes like Tornado, so just write our own context manager for xdrlib.Unpacker.
2018-03-15 | Update to draft-10: clarifications and Test Case 2; | Paul Selkirk
add ability to export public key to xdr for interop testing
2018-03-10 | For 2^w and 2^h, replace hard-coded w2 and h2 values with 1<<w and 1<<h. | Paul Selkirk
2018-03-10 | Add Test Case 2 from draft-mcgrew-09 | Paul Selkirk
2018-03-10 | Fold the coef* functions into a single function, because that really was premature optimization. | Paul Selkirk
2018-03-10 | Fix coef4, which was swapping digits | Paul Selkirk
2018-02-27 | Implement hash-based signatures, per draft-mcgrew-hash-sigs-08.txt | Paul Selkirk
2018-02-27 | Add hal_ks_available | Paul Selkirk
2018-02-27 | Encode/decode uint32_t and octet strings | Paul Selkirk
2018-02-27 | Clean up RPC code, track changes to XDR API. | Paul Selkirk
2018-02-27 | Refactor XDR code, add support for fixed-length opaque data. | Paul Selkirk
2018-01-04 | Add hal_core_alloc2() to fix a dining philosophers problem in hal_modexp2(). | Paul Selkirk
Uncoordinated attempts to allocate two modexpa7 cores lead to deadlock if multiple clients try to do concurrent RSA signing operations. The simplest solution (back off and retry) could theoretically lead to resource starvation, but we haven't seen it in actual testing.
2017-12-13 | Merge branch systolic_crt into master. | Rob Austein
This branch was sitting for long enough that master had been through a cleanup pass, so beware of accidental reversions.
2017-10-27 | ~0 is actually more correct, or more portable | Paul Selkirk
2017-10-23 | Cleanup signed/unsigned mismatches, mostly in loop counters | Paul Selkirk
2017-10-15 | Correctly mark "unsecure" KEK as erased. | Paul Selkirk
2017-10-15 | Cleanup: keystore driver functions return HAL_StatusTypeDef instead of magic values. | Paul Selkirk
2017-10-11 | Cleanup: Remove "const" qualifiers from function return types. | Paul Selkirk
2017-09-15 | 4096-bit RSA keys working again, with 8k keystore "blocks". | Rob Austein
2017-09-13 | Oops, forgot hal_io.c. | Rob Austein
2017-09-13 | Preliminary support for parallel core RSA CRT. | Rob Austein
2017-09-13 | Sort-of-working, large (4096-bit) RSA keys broken. | Rob Austein
Snapshot of mostly but not entirely working code to include the extra ModExpA7 key components in the keystore. Need to investigate whether a more compact representation is practical for these components, as the current one bloats the key object so much that a bare 4096-bit key won't fit in a single hash block, and there may not be enough room for PKCS #11 attributes even for smaller keys. If more compact representation not possible or insufficient, the other option is to double the size of a keystore object, making it two flash subsectors for a total of 8192 octets. Which would of course halve the number of keys we can store and require a bunch of little tweaks all through the ks code (particularly flash erase), so definitely worth trying for a more compact representation first.
2017-09-12 | Silly macro bugs. | Rob Austein
2017-09-12 | Untested ASN.1 support for ModExpA7 private speedup factors. | Rob Austein
2017-09-11 | Reverse the polarity of the neutron flow | Rob Austein
2017-09-09 | Far too much fun with modexpa7 operand lengths and locations. | Rob Austein