summaryrefslogblamecommitdiff
path: root/pelican/content/UpgradeToKSNG.md
blob: d33c8348fe0e6fc7beed619962cf75a7988e8111 (plain) (tree) 
b58c60b
































































































































































































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
































































































































































































                                                                                       


/*
 * modexp.c
 * ----------
 * Wrapper around Cryptech ModExp core.
 *
 * This doesn't do full RSA, that's another module.  This module's job
 * is just the I/O to get bits in and out of the ModExp core, including
 * compensating for a few known bugs that haven't been resolved yet.
 *
 * If at some point the interface to the ModExp core becomes simple
 * enough that this module is no longer needed, it will go away.
 *
 * Authors: Rob Austein
 * Copyright (c) 2015-2017, NORDUnet A/S
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in the
 *   documentation and/or other materials provided with the distribution.
 *
 * - Neither the name of the NORDUnet nor the names of its contributors may
 *   be used to endorse or promote products derived from this software
 *   without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <stdio.h>
#include <stdint.h>

#include "hal.h"
#include "hal_internal.h"

[[PageOutline]]


Upgrading Cryptech Alpha HSM to "ksng" development package


This page attempts to explain the upgrade procedure for testing out
the new "ksng" development branch of the Cryptech Alpha firmware.


Cavats


This particular upgrade is more complicated than we would have
preferred, due to the interaction of two unrelated factors:


    

  1. As the name (obscurely) implies, the main feature in the ksng
   branch is a completely new HSM keystore implementation, which makes
   better use of the Alpha's keystore flash, allows a much larger
   number of keys, removes the need for an SQL database on the host,
   gets your laundry 25% brighter, and leaves your breath alone.
    2. 



We did not attempt to provide any sort of backwards compatability
   to the old minimalistic keystore implementation, so this upgrade
   process will wipe your keystore.  Sorry.  More importantly (from
   the limited viewpoint of the upgrade process), it will change how
   the HSM stores its PINs, which complicates the upgrade process.


    

  1. The "Device Field Upgrade" (DFU) capability in the Alpha's firmware
   was a last-minute addition before the Berlin workshop in July 2016,
   and, as last minute additions often do, it turned out to be buggy.
   There are three distinct pieces of software involved in the upgrade
   process, and they were all slightly buggy, in different ways.
   Because of this, one must perform the upgrade steps in a particular
   order to avoid bricking the HSM.  The upgrade includes fixes for
   all the (known) bugs in the DFU process, so we hope that this will
   be a one-time annoyance (famous last words).
    2. 



If something goes horribly wrong and you do somehow manage to brick
your Alpha, don't give up, recovery is still possible, it just
requires an ST-LINK debugger and cable (more on this below).


Overview


Because of the tricky nature of this particular upgrade, you must
perform these steps, in the specified order:


    

  • Install the new host software package using APT or Homebrew.
    • 

  • Wipe the HSM keystore to reset PINs back to the "factory" state.
    • 

  • Upgrade the main HSM firmware.
    • 

  • Upgrade the HSM bootloader.
    • 

  • Log in to upgraded HSM to set PINs, etc.
    • 



Upgrading the bootloader before the main firmware will brick your
Alpha.  So don't do that.


All of the operations here use the Alpha's "management" (MGMT) port,
so that cable must be connected to your Linux or OSX host machine.


This upgrade procedure was tested on Debian Jessie, with an Alpha
whose firmware had been rolled back to the version from the Berlin
workshop (APT/Homebrew package version 2.0.1468584175, commit
cd445b69b2caa7205f4e1c368aa2c6bf8c2d7692 in repository
https://git.cryptech.is/releng/alpha.git).


Install cryptech-alpha-ksng package using apt-get or Homebrew


Binaries for the "ksng" branch are available as a separate set of
"cryptech-alpha-ksng" packages, which replace the "cryptech-alpha"
packages for the master branch.  This seemed the simplest way of
letting people experiment with the new code while falling back to the
old if necessary.  The "cryptech-alpha-ksng" packages are declared to
conflict with the "cryptech-alpha" packages, because they install
programs by the same name in the same places and you need the version
of the host software which goes with the HSM firmware your running.


APT handles package conflicts differently from the way that Homebrew
does.  If you have "cryptech-alpha" installed and try to install
"cryptech-alpha-ksng", APT assumes you meant what you said and will
just replace the old package with the new one.  Homebrew, on the other
hand, reports the conflict and refuses to proceed until you sort it out.


The following assumes that you already had the Cryptech APT repository
or Homebrew tap configured; if not, see  [[wiki:BinaryPackages]].


Installing cryptech-alpha-ksng package using apt-get on Debian or Ubuntu Linux


$ sudo apt-get update
$ sudo apt-get install cryptech-alpha-ksng




Installing cryptech-alpha-ksng package using Homebrew on OSX


$ brew update
$ brew uninstall cryptech-alpha
$ brew install cryptech-alpha-ksng




Set usual CRYPTECH_* environment variables


The upgrade process uses the CRYPTECH_CTY_CLIENT_SERIAL_DEVICE
environment variable.  The easiest way to set it is by using the
cryptech_probe script, just as you would for other usage of the
Alpha.


$ eval `cryptech_probe -v`




Clear the keystore flash


Sorry about this.  Yes, we know we need backup and restore, we'll get
there.  But for this upgrade, it's safest to wipe the keystore.


$ cryptech_miniterm

Username: wheel
Password: <your-wheel-pin-goes-here>

cryptech> keystore erase YesIAmSure

^]




Upgrade the main HSM firmware


$ cryptech_upload --firmware --user wheel
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding




Upgrade the bootloader


$ cryptech_upload --bootloader --user wheel --simon-says-whack-my-bootloader
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding




Log in and set PINs, masterkey, etcetera


$ cryptech_miniterm

Username: wheel
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding

cryptech> keystore set pin wheel fnord
cryptech> keystore set pin so    fnord
cryptech> keystore set pin user  fnord
cryptech> masterkey set

^]




What to do if you manage to brick your Alpha


If the above procedure somehow goes horribly wrong and bricks your
alpha, you can still recover, but you'll need an ST-LINK programmer.
There's some discussion of this at [[wiki:GitRepositories/sw/stm32]].


Possible sources for the ST-LINK programmer and a suitable cable:


    

  • http://www.mouser.com/search/ProductDetail.aspx?R=0virtualkey0virtualkeyNUCLEO-F411RE
    • 

  • https://www.sparkfun.com/products/10376
    • 



These are relatively cheap, you'll probably pay as much for the
postage as for the parts themselves.  If you have a better source, go
for it.


The programmer is the important part, you can use any sort of cabling
you like so long as it connects the right pins of the programmer to
the corresponding pins on the Alpha; the SparkFun cable just happens
to be a tidy package which matches the relevant SWD headers.


We'll include a more detailed description of the recovery process here
if anybody needs it, but the short version is:


    

  • Install OpenOCD on your host machine.
    • 

  • Open up the Alpha's case, take the board out.
    • 

  • Connect the programmer and power the board back up.
    • 

  • Use the flash-target script from the sw/stm32 repository to
    • 



stuff the hsm.elf and bootloader.elf files from the binary
  firmware tarball into the HSM.


    

  • Power down, disconnect the programmer, put the Alpha back in its
    • 



case, done.
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-02 09:33:33 +0000
class="n">data_addr + i/4, &value[length - 4 - i], 4)) != HAL_OK) return err; return HAL_OK; } /* * Set value of a data buffer. We reverse the order of 32-bit words * in the buffer during the transfer to match what the modexpa7 core * expects. * * Do we need to zero the portion of the buffer we're not using * explictly (that is, the portion between `length` and the value of * the core's MODEXPA7_ADDR_BUFFER_BITS register)? We've gotten away * without doing this so far, but the core doesn't take an explicit * length parameter for the message itself, instead it assumes that * the message is either as long as or twice as long as the exponent, * depending on the setting of the CRT mode bit. Maybe initializing * the core clears the excess bits so there's no issue? Dunno. Have * never seen a problem with this yet, just dont' know why not. */ static inline hal_error_t set_buffer(const hal_core_t *core, const hal_addr_t data_addr, const uint8_t * const value, const size_t length) { hal_error_t err; size_t i; if (value == NULL || length % 4 != 0) return HAL_ERROR_IMPOSSIBLE; for (i = 0; i < length; i += 4) if ((err = hal_io_write(core, data_addr + i/4, &value[length - 4 - i], 4)) != HAL_OK) return err; return HAL_OK; } /* * Stuff moved out of modexp so we can run two cores in parallel more * easily. We have to return to the jacket routine every time we kick * a core into doing something, since only the jacket routines know * how many cores we're running for any particular calculation. * * In theory we could do something clever where we don't wait for both * cores to finish precalc before starting either of them on the main * computation, but that way probably lies madness. */ static inline hal_error_t check_args(hal_modexp_arg_t *a) { /* * All data pointers must be set, exponent may not be longer than * modulus, message may not be longer than twice the modulus (CRT * mode), result buffer must not be shorter than modulus, and all * input lengths must be a multiple of four bytes (the core is all * about 32-bit words). */ if (a == NULL || a->msg == NULL || a->msg_len > MODEXPA7_OPERAND_BYTES || a->msg_len > a->mod_len * 2 || a->exp == NULL || a->exp_len > MODEXPA7_OPERAND_BYTES || a->exp_len > a->mod_len || a->mod == NULL || a->mod_len > MODEXPA7_OPERAND_BYTES || a->result == NULL || a->result_len > MODEXPA7_OPERAND_BYTES || a->result_len < a->mod_len || a->coeff == NULL || a->coeff_len > MODEXPA7_OPERAND_BYTES || a->mont == NULL || a->mont_len > MODEXPA7_OPERAND_BYTES || ((a->msg_len | a->exp_len | a->mod_len) & 3) != 0) return HAL_ERROR_BAD_ARGUMENTS; return HAL_OK; } static inline hal_error_t setup_precalc(const int precalc, hal_modexp_arg_t *a) { hal_error_t err; /* * Check that operand size is compatabible with the core. */ uint32_t operand_max = 0; if ((err = get_register(a->core, MODEXPA7_ADDR_BUFFER_BITS, &operand_max)) != HAL_OK) return err; operand_max /= 8; if (a->msg_len > operand_max || a->exp_len > operand_max || a->mod_len > operand_max || a->coeff_len > operand_max || a->mont_len > operand_max) return HAL_ERROR_BAD_ARGUMENTS; /* * Set the modulus, then initiate calculation of modulus-dependent * speedup factors if necessary, by edge-triggering the "init" bit, * then return to caller so it can wait for precalc. */ if ((err = set_register(a->core, MODEXPA7_ADDR_MODULUS_BITS, a->mod_len * 8)) != HAL_OK || (err = set_buffer(a->core, MODEXPA7_ADDR_MODULUS, a->mod, a->mod_len)) != HAL_OK || (precalc && (err = hal_io_zero(a->core)) != HAL_OK) || (precalc && (err = hal_io_init(a->core)) != HAL_OK)) return err; return HAL_OK; } static inline hal_error_t setup_calc(const int precalc, hal_modexp_arg_t *a) { hal_error_t err; /* * Select CRT mode if and only if message is longer than exponent. */ const uint32_t mode = a->msg_len > a->mod_len ? MODEXPA7_MODE_CRT : MODEXPA7_MODE_PLAIN; /* * Copy out precalc results if necessary, then load everything and * start the calculation by edge-triggering the "next" bit. If * everything works, return to caller so it can wait for the * calculation to complete. */ if ((precalc && (err = get_buffer(a->core, MODEXPA7_ADDR_MODULUS_COEFF_OUT, a->coeff, a->coeff_len)) != HAL_OK) || (precalc && (err = get_buffer(a->core, MODEXPA7_ADDR_MONTGOMERY_FACTOR_OUT, a->mont, a->mont_len)) != HAL_OK) || (err = set_buffer(a->core, MODEXPA7_ADDR_MODULUS_COEFF_IN, a->coeff, a->coeff_len)) != HAL_OK || (err = set_buffer(a->core, MODEXPA7_ADDR_MONTGOMERY_FACTOR_IN, a->mont, a->mont_len)) != HAL_OK || (err = set_register(a->core, MODEXPA7_ADDR_MODE, mode)) != HAL_OK || (err = set_buffer(a->core, MODEXPA7_ADDR_MESSAGE, a->msg, a->msg_len)) != HAL_OK || (err = set_buffer(a->core, MODEXPA7_ADDR_EXPONENT, a->exp, a->exp_len)) != HAL_OK || (err = set_register(a->core, MODEXPA7_ADDR_EXPONENT_BITS, a->exp_len * 8)) != HAL_OK || (err = hal_io_zero(a->core)) != HAL_OK || (err = hal_io_next(a->core)) != HAL_OK) return err; return HAL_OK; } static inline hal_error_t extract_result(hal_modexp_arg_t *a) { /* * Extract results from the main calculation and we're done. */ return get_buffer(a->core, MODEXPA7_ADDR_RESULT, a->result, a->mod_len); } /* * Run one modexp operation. */ hal_error_t hal_modexp(const int precalc, hal_modexp_arg_t *a) { hal_error_t err; if ((err = check_args(a)) != HAL_OK) return err; const int free_core = a->core == NULL; if ((!free_core || (err = hal_core_alloc(MODEXPA7_NAME, &a->core, NULL)) == HAL_OK) && (err = setup_precalc(precalc, a)) == HAL_OK && (!precalc || (err = hal_io_wait_ready(a->core)) == HAL_OK) && (err = setup_calc(precalc, a)) == HAL_OK && (err = hal_io_wait_valid(a->core)) == HAL_OK && (err = extract_result(a)) == HAL_OK) err = HAL_OK; if (free_core) { hal_core_free(a->core); a->core = NULL; } return err; } /* * Run two modexp operations in parallel. */ hal_error_t hal_modexp2(const int precalc, hal_modexp_arg_t *a1, hal_modexp_arg_t *a2) { int free_core = 0; hal_error_t err; if ((err = check_args(a1)) != HAL_OK || (err = check_args(a2)) != HAL_OK) return err; if (a1->core == NULL && a2->core == NULL) free_core = 1; else if (a1->core == NULL || a2->core == NULL) return HAL_ERROR_BAD_ARGUMENTS; if ((!free_core || (err = hal_core_alloc2(MODEXPA7_NAME, &a1->core, NULL, MODEXPA7_NAME, &a2->core, NULL)) == HAL_OK) && (err = setup_precalc(precalc, a1)) == HAL_OK && (err = setup_precalc(precalc, a2)) == HAL_OK && (!precalc || (err = hal_io_wait_ready2(a1->core, a2->core)) == HAL_OK) && (err = setup_calc(precalc, a1)) == HAL_OK && (err = setup_calc(precalc, a2)) == HAL_OK && (err = hal_io_wait_valid2(a1->core, a2->core)) == HAL_OK && (err = extract_result(a1)) == HAL_OK && (err = extract_result(a2)) == HAL_OK) err = HAL_OK; if (free_core) { hal_core_free(a1->core); hal_core_free(a2->core); a1->core = a2->core = NULL; } return err; } /* * Local variables: * indent-tabs-mode: nil * End: */
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-02 09:33:33 +0000