[aes/rtl] Span permutation inside masking PRNG across all LFSRs
The AES masking PRNG uses multiple parallel LFSR chunks. Previously,
the same permuatation was applied to the output of all LFSRs. This
commit changes the implementation to use a single, but wider permutation
that is applied to the concatenated outputs of all LFSRs.
This is related to lowRISC/OpenTitan#1920.
Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
diff --git a/hw/ip/aes/data/aes.hjson b/hw/ip/aes/data/aes.hjson
index 0671547..f26f450 100644
--- a/hw/ip/aes/data/aes.hjson
+++ b/hw/ip/aes/data/aes.hjson
@@ -107,12 +107,12 @@
randcount: "160",
randtype: "data"
},
- { name: "RndCnstMskgChunkLfsrPerm",
- type: "aes_pkg::mskg_chunk_lfsr_perm_t",
+ { name: "RndCnstMaskingLfsrPerm",
+ type: "aes_pkg::masking_lfsr_perm_t",
desc: '''
- Permutation applied to the LFSR chunks of the PRNG used for masking.
+ Permutation applied to the concatenated LFSRs of the PRNG used for masking.
'''
- randcount: "32",
+ randcount: "160",
randtype: "perm"
},
# Note: All parameters below are local, they are not actually configurable.
diff --git a/hw/ip/aes/rtl/aes.sv b/hw/ip/aes/rtl/aes.sv
index 699c93c..a67828b 100644
--- a/hw/ip/aes/rtl/aes.sv
+++ b/hw/ip/aes/rtl/aes.sv
@@ -30,11 +30,11 @@
// need to skip reseeding requests.
// Useful for SCA only.
parameter logic [NumAlerts-1:0] AlertAsyncOn = {NumAlerts{1'b1}},
- parameter clearing_lfsr_seed_t RndCnstClearingLfsrSeed = RndCnstClearingLfsrSeedDefault,
- parameter clearing_lfsr_perm_t RndCnstClearingLfsrPerm = RndCnstClearingLfsrPermDefault,
- parameter clearing_lfsr_perm_t RndCnstClearingSharePerm = RndCnstClearingSharePermDefault,
- parameter masking_lfsr_seed_t RndCnstMaskingLfsrSeed = RndCnstMaskingLfsrSeedDefault,
- parameter mskg_chunk_lfsr_perm_t RndCnstMskgChunkLfsrPerm = RndCnstMskgChunkLfsrPermDefault
+ parameter clearing_lfsr_seed_t RndCnstClearingLfsrSeed = RndCnstClearingLfsrSeedDefault,
+ parameter clearing_lfsr_perm_t RndCnstClearingLfsrPerm = RndCnstClearingLfsrPermDefault,
+ parameter clearing_lfsr_perm_t RndCnstClearingSharePerm = RndCnstClearingSharePermDefault,
+ parameter masking_lfsr_seed_t RndCnstMaskingLfsrSeed = RndCnstMaskingLfsrSeedDefault,
+ parameter masking_lfsr_perm_t RndCnstMaskingLfsrPerm = RndCnstMaskingLfsrPermDefault
) (
input logic clk_i,
input logic rst_ni,
@@ -157,7 +157,7 @@
.RndCnstClearingLfsrPerm ( RndCnstClearingLfsrPerm ),
.RndCnstClearingSharePerm ( RndCnstClearingSharePerm ),
.RndCnstMaskingLfsrSeed ( RndCnstMaskingLfsrSeed ),
- .RndCnstMskgChunkLfsrPerm ( RndCnstMskgChunkLfsrPerm )
+ .RndCnstMaskingLfsrPerm ( RndCnstMaskingLfsrPerm )
) u_aes_core (
.clk_i ( clk_i ),
.rst_ni ( rst_ni ),
diff --git a/hw/ip/aes/rtl/aes_cipher_core.sv b/hw/ip/aes/rtl/aes_cipher_core.sv
index 364c121..da6cef4 100644
--- a/hw/ip/aes/rtl/aes_cipher_core.sv
+++ b/hw/ip/aes/rtl/aes_cipher_core.sv
@@ -103,8 +103,8 @@
localparam int NumShares = Masking ? 2 : 1, // derived parameter
- parameter masking_lfsr_seed_t RndCnstMaskingLfsrSeed = RndCnstMaskingLfsrSeedDefault,
- parameter mskg_chunk_lfsr_perm_t RndCnstMskgChunkLfsrPerm = RndCnstMskgChunkLfsrPermDefault
+ parameter masking_lfsr_seed_t RndCnstMaskingLfsrSeed = RndCnstMaskingLfsrSeedDefault,
+ parameter masking_lfsr_perm_t RndCnstMaskingLfsrPerm = RndCnstMaskingLfsrPermDefault
) (
input logic clk_i,
input logic rst_ni,
@@ -290,13 +290,13 @@
// - the pseudo-random data (PRD) required by SubBytes,
// - the PRD required by the key expand module (has 4 S-Boxes internally).
aes_prng_masking #(
- .Width ( WidthPRDMasking ),
- .ChunkSize ( ChunkSizePRDMasking ),
- .EntropyWidth ( EntropyWidth ),
- .SecAllowForcingMasks ( SecAllowForcingMasks ),
- .SecSkipPRNGReseeding ( SecSkipPRNGReseeding ),
- .RndCnstLfsrSeed ( RndCnstMaskingLfsrSeed ),
- .RndCnstChunkLfsrPerm ( RndCnstMskgChunkLfsrPerm )
+ .Width ( WidthPRDMasking ),
+ .ChunkSize ( ChunkSizePRDMasking ),
+ .EntropyWidth ( EntropyWidth ),
+ .SecAllowForcingMasks ( SecAllowForcingMasks ),
+ .SecSkipPRNGReseeding ( SecSkipPRNGReseeding ),
+ .RndCnstLfsrSeed ( RndCnstMaskingLfsrSeed ),
+ .RndCnstLfsrPerm ( RndCnstMaskingLfsrPerm )
) u_aes_prng_masking (
.clk_i ( clk_i ),
.rst_ni ( rst_ni ),
diff --git a/hw/ip/aes/rtl/aes_core.sv b/hw/ip/aes/rtl/aes_core.sv
index ba8b097..ea4944c 100644
--- a/hw/ip/aes/rtl/aes_core.sv
+++ b/hw/ip/aes/rtl/aes_core.sv
@@ -20,11 +20,11 @@
localparam int NumShares = Masking ? 2 : 1, // derived parameter
- parameter clearing_lfsr_seed_t RndCnstClearingLfsrSeed = RndCnstClearingLfsrSeedDefault,
- parameter clearing_lfsr_perm_t RndCnstClearingLfsrPerm = RndCnstClearingLfsrPermDefault,
- parameter clearing_lfsr_perm_t RndCnstClearingSharePerm = RndCnstClearingSharePermDefault,
- parameter masking_lfsr_seed_t RndCnstMaskingLfsrSeed = RndCnstMaskingLfsrSeedDefault,
- parameter mskg_chunk_lfsr_perm_t RndCnstMskgChunkLfsrPerm = RndCnstMskgChunkLfsrPermDefault
+ parameter clearing_lfsr_seed_t RndCnstClearingLfsrSeed = RndCnstClearingLfsrSeedDefault,
+ parameter clearing_lfsr_perm_t RndCnstClearingLfsrPerm = RndCnstClearingLfsrPermDefault,
+ parameter clearing_lfsr_perm_t RndCnstClearingSharePerm = RndCnstClearingSharePermDefault,
+ parameter masking_lfsr_seed_t RndCnstMaskingLfsrSeed = RndCnstMaskingLfsrSeedDefault,
+ parameter masking_lfsr_perm_t RndCnstMaskingLfsrPerm = RndCnstMaskingLfsrPermDefault
) (
input logic clk_i,
input logic rst_ni,
@@ -394,13 +394,13 @@
// Cipher core
aes_cipher_core #(
- .AES192Enable ( AES192Enable ),
- .Masking ( Masking ),
- .SBoxImpl ( SBoxImpl ),
- .SecAllowForcingMasks ( SecAllowForcingMasks ),
- .SecSkipPRNGReseeding ( SecSkipPRNGReseeding ),
- .RndCnstMaskingLfsrSeed ( RndCnstMaskingLfsrSeed ),
- .RndCnstMskgChunkLfsrPerm ( RndCnstMskgChunkLfsrPerm )
+ .AES192Enable ( AES192Enable ),
+ .Masking ( Masking ),
+ .SBoxImpl ( SBoxImpl ),
+ .SecAllowForcingMasks ( SecAllowForcingMasks ),
+ .SecSkipPRNGReseeding ( SecSkipPRNGReseeding ),
+ .RndCnstMaskingLfsrSeed ( RndCnstMaskingLfsrSeed ),
+ .RndCnstMaskingLfsrPerm ( RndCnstMaskingLfsrPerm )
) u_aes_cipher_core (
.clk_i ( clk_i ),
.rst_ni ( rst_ni ),
diff --git a/hw/ip/aes/rtl/aes_pkg.sv b/hw/ip/aes/rtl/aes_pkg.sv
index bb96302..6662e42 100644
--- a/hw/ip/aes/rtl/aes_pkg.sv
+++ b/hw/ip/aes/rtl/aes_pkg.sv
@@ -47,21 +47,21 @@
};
// Masking PRNG default LFSR seed and permutation
-// We use a single seed that is split down into chunks internally. All LFSR chunks use the same
-// permutation.
+// We use a single seed that is split down into chunks internally.
// These LFSR parameters have been generated with
// $ util/design/gen-lfsr-seed.py --width 160 --seed 31468618 --prefix "Masking"
parameter int MaskingLfsrWidth = 160; // = WidthPRDMasking = WidthPRDSBox * (16 + 4)
typedef logic [MaskingLfsrWidth-1:0] masking_lfsr_seed_t;
+typedef logic [MaskingLfsrWidth-1:0][$clog2(MaskingLfsrWidth)-1:0] masking_lfsr_perm_t;
parameter masking_lfsr_seed_t RndCnstMaskingLfsrSeedDefault =
160'hc132b5723c5a4cf4743b3c7c32d580f74f1713a;
-
-// These LFSR parameters have been generated with
-// $ util/design/gen-lfsr-seed.py --width 32 --seed 31468618 --prefix "MskgChunk"
-parameter int MskgChunkLfsrWidth = 32; // = ChunkSizePRDMasking = WidthPRDMasking/5
-typedef logic [MskgChunkLfsrWidth-1:0][$clog2(MskgChunkLfsrWidth)-1:0] mskg_chunk_lfsr_perm_t;
-parameter mskg_chunk_lfsr_perm_t RndCnstMskgChunkLfsrPermDefault =
- 160'heb3749dc187e7434d7f62a3d251e1c5b8cd10491;
+parameter masking_lfsr_perm_t RndCnstMaskingLfsrPermDefault = {
+ 256'h17261943423e4c5c03872194050c7e5f8497081d96666d406f4b606473303469,
+ 256'h8e7c721c8832471f59919e0b128f067b25622768462e554d8970815d490d7f44,
+ 256'h048c867d907a239b20220f6c79071a852d76485452189f14091b1e744e396737,
+ 256'h4f785b772b352f6550613c58130a8b104a3f28019c9a380233956b00563a512c,
+ 256'h808d419d63982a16995e0e3b57826a36718a9329452492533d83115a75316e15
+};
typedef enum integer {
SBoxImplLut, // Unmasked LUT-based S-Box
diff --git a/hw/ip/aes/rtl/aes_prng_masking.sv b/hw/ip/aes/rtl/aes_prng_masking.sv
index f838bcd..3b24366 100644
--- a/hw/ip/aes/rtl/aes_prng_masking.sv
+++ b/hw/ip/aes/rtl/aes_prng_masking.sv
@@ -4,9 +4,10 @@
//
// AES high-bandwidth pseudo-random number generator for masking
//
-// This module uses multiple parallel LFSRs each one of them followed by an aligned permutation,
-// a non-linear layer (PRINCE S-Boxes) and another permutation to generate pseudo-random data for
-// masking the AES cipher core. The LFSRs can be reseeded using an external interface.
+// This module uses multiple parallel LFSRs each one of them followed by an aligned permutation, a
+// non-linear layer (PRINCE S-Boxes) and another permutation layer spanning across all LFSRs to
+// generate pseudo-random data for masking the AES cipher core. The LFSRs can be reseeded using an
+// external interface.
///////////////////////////////////////////////////////////////////////////////////////////////////
// IMPORTANT NOTE: //
@@ -34,8 +35,8 @@
localparam int unsigned NumChunks = Width/ChunkSize, // derived parameter
- parameter masking_lfsr_seed_t RndCnstLfsrSeed = RndCnstMaskingLfsrSeedDefault,
- parameter mskg_chunk_lfsr_perm_t RndCnstChunkLfsrPerm = RndCnstMskgChunkLfsrPermDefault
+ parameter masking_lfsr_seed_t RndCnstLfsrSeed = RndCnstMaskingLfsrSeedDefault,
+ parameter masking_lfsr_perm_t RndCnstLfsrPerm = RndCnstMaskingLfsrPermDefault
) (
input logic clk_i,
input logic rst_ni,
@@ -59,7 +60,8 @@
logic [Width-1:0] seed;
logic [NumChunks-1:0][ChunkSize-1:0] prng_seed;
logic prng_en;
- logic [NumChunks-1:0][ChunkSize-1:0] prng_state;
+ logic [NumChunks-1:0][ChunkSize-1:0] prng_state, perm;
+ logic [Width-1:0] prng_b, perm_b;
logic phase_q;
// Upsizing of entropy input to correct width for PRNG reseeding.
@@ -118,8 +120,7 @@
.LfsrDw ( ChunkSize ),
.StateOutDw ( ChunkSize ),
.DefaultSeed ( RndCnstLfsrSeed[c * ChunkSize +: ChunkSize] ),
- .StatePermEn ( 1'b1 ),
- .StatePerm ( RndCnstChunkLfsrPerm ),
+ .StatePermEn ( 1'b0 ),
.NonLinearOut ( 1'b1 )
) u_lfsr_chunk (
.clk_i ( clk_i ),
@@ -132,6 +133,13 @@
);
end
+ // Add a permutation layer spanning across all LFSRs to break linear shift patterns.
+ assign prng_b = prng_state;
+ for (genvar b = 0; b < Width; b++) begin : gen_perm
+ assign perm_b[b] = prng_b[RndCnstLfsrPerm[b]];
+ end
+ assign perm = perm_b;
+
/////////////
// Outputs //
/////////////
@@ -139,9 +147,8 @@
// To achieve independence of input and output masks (the output mask of round X is the input
// mask of round X+1), we assign the scrambled chunks to the output data in alternating fashion.
assign data_o =
- (SecAllowForcingMasks && force_zero_masks_i) ? '0 :
- phase_q ? {prng_state[0], prng_state[NumChunks-1:1]} :
- prng_state;
+ (SecAllowForcingMasks && force_zero_masks_i) ? '0 :
+ phase_q ? {perm[0], perm[NumChunks-1:1]} : perm;
if (!SecAllowForcingMasks) begin : gen_unused_force_masks
logic unused_force_zero_masks;
@@ -165,4 +172,19 @@
// Width must be divisible by 8
`ASSERT_INIT(AesPrngMaskingWidthBy8, Width % 8 == 0)
+// the code below is not meant to be synthesized,
+// but it is intended to be used in simulation and FPV
+`ifndef SYNTHESIS
+ // Check that the supplied permutation is valid.
+ logic [Width-1:0] perm_test;
+ initial begin : p_perm_check
+ perm_test = '0;
+ for (int k = 0; k < Width; k++) begin
+ perm_test[RndCnstLfsrPerm[k]] = 1'b1;
+ end
+ // All bit positions must be marked with 1.
+ `ASSERT_I(PermutationCheck_A, &perm_test)
+ end
+`endif
+
endmodule
diff --git a/hw/top_earlgrey/data/autogen/top_earlgrey.gen.hjson b/hw/top_earlgrey/data/autogen/top_earlgrey.gen.hjson
index 57f3a00..72b5dec 100644
--- a/hw/top_earlgrey/data/autogen/top_earlgrey.gen.hjson
+++ b/hw/top_earlgrey/data/autogen/top_earlgrey.gen.hjson
@@ -4734,14 +4734,14 @@
randwidth: 160
}
{
- name: RndCnstMskgChunkLfsrPerm
- desc: Permutation applied to the LFSR chunks of the PRNG used for masking.
- type: aes_pkg::mskg_chunk_lfsr_perm_t
- randcount: 32
+ name: RndCnstMaskingLfsrPerm
+ desc: Permutation applied to the concatenated LFSRs of the PRNG used for masking.
+ type: aes_pkg::masking_lfsr_perm_t
+ randcount: 160
randtype: perm
- name_top: RndCnstAesMskgChunkLfsrPerm
- default: 0x46fa4bd6dc82beb0a4e30305aa371e9c64e2bf26
- randwidth: 160
+ name_top: RndCnstAesMaskingLfsrPerm
+ default: 0x48471325031d5221111a8324677530639812274a7d966b575b6c5a2f2a59091c23868f4b80147837293c815d993d0d3642686d28443b974190390e330a3a8e1f79177b043f859b5c4e2b7f53712666450f354f73554c762d6288919500728258748d227c8a6a5f153289603e40439a64500c011e460b92316e024d16707a182087340508543851849c9d2e49565e06616f199e9f07651094698b8c93772c7e1b
+ randwidth: 1280
}
]
inter_signal_list:
@@ -4974,7 +4974,7 @@
randcount: 64
randtype: perm
name_top: RndCnstKmacLfsrPerm
- default: 0x6a2ff34254a73bc530784bb425dbc3e641f24f8b356f7af1aaded15ca6567e0fa81803e317663a98b308f4d042a5585c
+ default: 0xcd0aae78d94f80cbf6fd17c6e662adf35e1911b1629c3b28c52de4c97556d3a7188eb22907b0a127d00e4c774bc14f9a
randwidth: 384
}
]
@@ -5128,7 +5128,7 @@
randcount: 256
randtype: data
name_top: RndCnstOtbnUrndLfsrSeed
- default: 0xf9e20b072b46413fea8f46c61a39ebb93e4ef606d8cefa03d0ec61b1bdcbc0e3
+ default: 0x8745ae400e4aee8385f157b88ab8ed1fce7408f7be58b7d21102be301eb1a8d0
randwidth: 256
}
{
@@ -5138,7 +5138,7 @@
randcount: 64
randtype: perm
name_top: RndCnstOtbnUrndChunkLfsrPerm
- default: 0xe25a640354ea467d232e123f0f1b7d55b822406c1ac8264f252726bc578c518f2c2be06b38ded6eb7d84a1fcc75eee5d
+ default: 0xb5abde2c9cd73a2eea3e9c2edb9d040dbf9c47fe80959f0a4025138521d5b18ae6805c417ddf56d4d3271a3e37a08ca4
randwidth: 384
}
{
@@ -5148,7 +5148,7 @@
randcount: 128
randtype: data
name_top: RndCnstOtbnOtbnKey
- default: 0x4f5a0a911c1bcafe7663f6d1fbe7e440
+ default: 0x54125d61930d203f199a87c123c074e0
randwidth: 128
}
{
@@ -5158,7 +5158,7 @@
randcount: 64
randtype: data
name_top: RndCnstOtbnOtbnNonce
- default: 0x34816103a781d0a
+ default: 0x1b143b74476e5767
randwidth: 64
}
]
@@ -5317,7 +5317,7 @@
randcount: 64
randtype: data
name_top: RndCnstKeymgrLfsrSeed
- default: 0x2761603352213b7a
+ default: 0x85eaa2e073e5bc25
randwidth: 64
}
{
@@ -5327,7 +5327,7 @@
randcount: 64
randtype: perm
name_top: RndCnstKeymgrLfsrPerm
- default: 0x430a9ebcd7da3ffda144ca00831dd90e7e476caebd513cfb8a6d46138f9294ebadf24097556274b1d718ca3ac8a412c5
+ default: 0x223af531dc56bb4e2fc9e97b914855a1f03915c9bea5264d1e088613dc0a436b0f07c0fafe7ddb4da2426335ce44baad
randwidth: 384
}
{
@@ -5337,7 +5337,7 @@
randcount: 32
randtype: perm
name_top: RndCnstKeymgrRandPerm
- default: 0xae95d648fe096166a7e2c81ee22ef834c71e6e88
+ default: 0xc4aa63b1c5de840ca2f1a42cae0e7ef852b793ad
randwidth: 160
}
{
@@ -5347,7 +5347,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrRevisionSeed
- default: 0x17a9838dd4cd7f1bdce673b937a6d75202fedbf893bf7d52c8a744ad83d2630b
+ default: 0xbfafcbebd7c3361357bee83e46164c82a0c86b9c1ef6117215c2e6fcb683d3a9
randwidth: 256
}
{
@@ -5357,7 +5357,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrCreatorIdentitySeed
- default: 0xc20c05a20251023541544776930be76bfbb22e1d8aaa4783f2b5e094e3e8d3f8
+ default: 0xdf2a87abf7c57a6d06f2e1721e3a5f3b217d62acf1c966c712691421cef76350
randwidth: 256
}
{
@@ -5367,7 +5367,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrOwnerIntIdentitySeed
- default: 0x93cdb1d9a6a60050ef0d8a166d91200dc6757907237df4401908799dfa1fe8f2
+ default: 0x5910642e0f9946cb60f5f7d233a13b89bfc3162d205b4d60c9b16a8eb0aa75fa
randwidth: 256
}
{
@@ -5377,7 +5377,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrOwnerIdentitySeed
- default: 0xa88601ca1695a7c8c5d32486aac4e086628d6c8ca138f65d25dfa5f9c912f354
+ default: 0x30ac79eec48e320bdcfa32f724f82840fdaced02da0253d803d1cdf325afff8b
randwidth: 256
}
{
@@ -5387,7 +5387,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrSoftOutputSeed
- default: 0xdf273097a573a411332efd86009bd0a175f08814ecc17ab02cc1e3404e1cd8bf
+ default: 0x8db302ed56b78538c92ba96fe7ba5d882e53c3844212490ced20e7e16f71067e
randwidth: 256
}
{
@@ -5397,7 +5397,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrHardOutputSeed
- default: 0x69582e71443c8be0fc00de9d9734c3fe7f4266d10a752de74814f2a3079f69a3
+ default: 0xb00fe9a3a2be362bc57ce4588424f90946b441fa5e08b2317fb3e9032db9eddf
randwidth: 256
}
{
@@ -5407,7 +5407,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrAesSeed
- default: 0x73e5bc251b143b74476e576754125d61930d203f199a87c123c074e020fd5028
+ default: 0xd05781d31c4b4dab379c12b6681950e6d52654489a981b7bdc91865141701fd5
randwidth: 256
}
{
@@ -5417,7 +5417,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrKmacSeed
- default: 0xce44cbff5e09e6dd3ae54e9e45da6e662fb69c3aab936b415a0d6e7185eaa2e0
+ default: 0x1aeca9607328c3621ee7fd88c63032eb50ee437eeda142fce033c343e179c299
randwidth: 256
}
{
@@ -5427,7 +5427,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrOtbnSeed
- default: 0xfcc581b66ae11d33f678e7d227881bcfe58a331208f189de6265edc8fde06db0
+ default: 0x45a488652c63c1f68cecf9596cda21a8d5398ced8676e230226a9635bea51c6e
randwidth: 256
}
{
@@ -5437,7 +5437,7 @@
randcount: 256
randtype: data
name_top: RndCnstKeymgrNoneSeed
- default: 0xb76a8aff9e4da0e3ff9f3036fd9c13ac08496db56fbc4894d38bd8674f4b542d
+ default: 0x4dfb68eaea920c1e6c7b2dc4b639ba1ae564b19dd8235c2f90c064c4849172a2
randwidth: 256
}
]
@@ -5643,7 +5643,7 @@
randcount: 384
randtype: data
name_top: RndCnstCsrngCsKeymgrDivNonProduction
- default: 0x4093f0ec256b2646079c10f2f41f73af3fc6afbec695054a0407221fb798ab7845c3feab0d2f4c7cf730a5675d7717a4
+ default: 0xb8e9f2147556a5bca2e5f635e555c46c406d9d57c967eaa9fc47e9e7507d72b87001fa7b0eb63a613068d71d5186d12d
randwidth: 384
}
{
@@ -5653,7 +5653,7 @@
randcount: 384
randtype: data
name_top: RndCnstCsrngCsKeymgrDivProduction
- default: 0x1f44b085a363cb599df4de1e830f93658a789bdc189f345cf4e341f211c9d00beefa4d4c2e269435471a7a682a6260eb
+ default: 0x19a51f55617306d35c573898670c91f2491024562d76da13a1276809927dc4d31864d4febc9def4f7c50b1e1906ebcb1
randwidth: 384
}
{
@@ -6116,7 +6116,7 @@
randcount: 128
randtype: data
name_top: RndCnstSramCtrlMainSramKey
- default: 0x37f67765a0d2eb0cb514e4199cf3de67
+ default: 0xacebe93343ed6321c82c19be70b04c05
randwidth: 128
}
{
@@ -6126,7 +6126,7 @@
randcount: 128
randtype: data
name_top: RndCnstSramCtrlMainSramNonce
- default: 0xc9e673e4db3fee8922d1f0bcdd09153
+ default: 0x8bac50ef39daf7229cf1edb4fedb1e5
randwidth: 128
}
{
@@ -6136,7 +6136,7 @@
randcount: 32
randtype: data
name_top: RndCnstSramCtrlMainLfsrSeed
- default: 0xf45740eb
+ default: 0xed700c07
randwidth: 32
}
{
@@ -6146,7 +6146,7 @@
randcount: 32
randtype: perm
name_top: RndCnstSramCtrlMainLfsrPerm
- default: 0x8dfe6ebd18cd97c1a58a179d524a9a3ee0d004b3
+ default: 0x327418551e20e7d92cb4b89b6fe540c478c71f6f
randwidth: 160
}
{
@@ -6316,7 +6316,7 @@
randcount: 64
randtype: data
name_top: RndCnstRomCtrlScrNonce
- default: 0xebad9424ae5e2cf
+ default: 0xfbd120f152a9ef95
randwidth: 64
}
{
@@ -6326,7 +6326,7 @@
randcount: 128
randtype: data
name_top: RndCnstRomCtrlScrKey
- default: 0x1893c0ce9e8e5600260058176d17f366
+ default: 0x18d5a1fe3b04ff09932a2605b23cb7a
randwidth: 128
}
{
@@ -6493,7 +6493,7 @@
randcount: 32
randtype: data
name_top: RndCnstRvCoreIbexLfsrSeed
- default: 0x7b99dcc9
+ default: 0x2599381c
randwidth: 32
}
{
@@ -6503,7 +6503,7 @@
randcount: 32
randtype: perm
name_top: RndCnstRvCoreIbexLfsrPerm
- default: 0xb3918eb0d96c66b3d0572f8322007c4efef86955
+ default: 0x67321029fe8dceea175830be45dab386e4d1a51d
randwidth: 160
}
{
diff --git a/hw/top_earlgrey/rtl/autogen/top_earlgrey.sv b/hw/top_earlgrey/rtl/autogen/top_earlgrey.sv
index fdf4067..ffa855c 100644
--- a/hw/top_earlgrey/rtl/autogen/top_earlgrey.sv
+++ b/hw/top_earlgrey/rtl/autogen/top_earlgrey.sv
@@ -2112,7 +2112,7 @@
.RndCnstClearingLfsrPerm(RndCnstAesClearingLfsrPerm),
.RndCnstClearingSharePerm(RndCnstAesClearingSharePerm),
.RndCnstMaskingLfsrSeed(RndCnstAesMaskingLfsrSeed),
- .RndCnstMskgChunkLfsrPerm(RndCnstAesMskgChunkLfsrPerm)
+ .RndCnstMaskingLfsrPerm(RndCnstAesMaskingLfsrPerm)
) u_aes (
// [36]: recov_ctrl_update_err
// [37]: fatal_fault
diff --git a/hw/top_earlgrey/rtl/autogen/top_earlgrey_rnd_cnst_pkg.sv b/hw/top_earlgrey/rtl/autogen/top_earlgrey_rnd_cnst_pkg.sv
index 38a0c61..ea1b7c8 100644
--- a/hw/top_earlgrey/rtl/autogen/top_earlgrey_rnd_cnst_pkg.sv
+++ b/hw/top_earlgrey/rtl/autogen/top_earlgrey_rnd_cnst_pkg.sv
@@ -127,9 +127,13 @@
160'hD6E49C544BA9DCDFF0245E84D6F5F03ECAEF7217
};
- // Permutation applied to the LFSR chunks of the PRNG used for masking.
- parameter aes_pkg::mskg_chunk_lfsr_perm_t RndCnstAesMskgChunkLfsrPerm = {
- 160'h46FA4BD6DC82BEB0A4E30305AA371E9C64E2BF26
+ // Permutation applied to the concatenated LFSRs of the PRNG used for masking.
+ parameter aes_pkg::masking_lfsr_perm_t RndCnstAesMaskingLfsrPerm = {
+ 256'h48471325031D5221111A8324677530639812274A7D966B575B6C5A2F2A59091C,
+ 256'h23868F4B80147837293C815D993D0D3642686D28443B974190390E330A3A8E1F,
+ 256'h79177B043F859B5C4E2B7F53712666450F354F73554C762D6288919500728258,
+ 256'h748D227C8A6A5F153289603E40439A64500C011E460B92316E024D16707A1820,
+ 256'h87340508543851849C9D2E49565E06616F199E9F07651094698B8C93772C7E1B
};
////////////////////////////////////////////
@@ -137,8 +141,8 @@
////////////////////////////////////////////
// Compile-time random permutation for LFSR output
parameter kmac_pkg::lfsr_perm_t RndCnstKmacLfsrPerm = {
- 128'h6A2FF34254A73BC530784BB425DBC3E6,
- 256'h41F24F8B356F7AF1AADED15CA6567E0FA81803E317663A98B308F4D042A5585C
+ 128'hCD0AAE78D94F80CBF6FD17C6E662ADF3,
+ 256'h5E1911B1629C3B28C52DE4C97556D3A7188EB22907B0A127D00E4C774BC14F9A
};
////////////////////////////////////////////
@@ -146,23 +150,23 @@
////////////////////////////////////////////
// Default seed of the PRNG used for URND.
parameter otbn_pkg::urnd_lfsr_seed_t RndCnstOtbnUrndLfsrSeed = {
- 256'hF9E20B072B46413FEA8F46C61A39EBB93E4EF606D8CEFA03D0EC61B1BDCBC0E3
+ 256'h8745AE400E4AEE8385F157B88AB8ED1FCE7408F7BE58B7D21102BE301EB1A8D0
};
// Permutation applied to the LFSR chunks of the PRNG used for URND.
parameter otbn_pkg::urnd_chunk_lfsr_perm_t RndCnstOtbnUrndChunkLfsrPerm = {
- 128'hE25A640354EA467D232E123F0F1B7D55,
- 256'hB822406C1AC8264F252726BC578C518F2C2BE06B38DED6EB7D84A1FCC75EEE5D
+ 128'hB5ABDE2C9CD73A2EEA3E9C2EDB9D040D,
+ 256'hBF9C47FE80959F0A4025138521D5B18AE6805C417DDF56D4D3271A3E37A08CA4
};
// Compile-time random reset value for IMem/DMem scrambling key.
parameter otp_ctrl_pkg::otbn_key_t RndCnstOtbnOtbnKey = {
- 128'h4F5A0A911C1BCAFE7663F6D1FBE7E440
+ 128'h54125D61930D203F199A87C123C074E0
};
// Compile-time random reset value for IMem/DMem scrambling nonce.
parameter otp_ctrl_pkg::otbn_nonce_t RndCnstOtbnOtbnNonce = {
- 64'h034816103A781D0A
+ 64'h1B143B74476E5767
};
////////////////////////////////////////////
@@ -170,68 +174,68 @@
////////////////////////////////////////////
// Compile-time random bits for initial LFSR seed
parameter keymgr_pkg::lfsr_seed_t RndCnstKeymgrLfsrSeed = {
- 64'h2761603352213B7A
+ 64'h85EAA2E073E5BC25
};
// Compile-time random permutation for LFSR output
parameter keymgr_pkg::lfsr_perm_t RndCnstKeymgrLfsrPerm = {
- 128'h430A9EBCD7DA3FFDA144CA00831DD90E,
- 256'h7E476CAEBD513CFB8A6D46138F9294EBADF24097556274B1D718CA3AC8A412C5
+ 128'h223AF531DC56BB4E2FC9E97B914855A1,
+ 256'hF03915C9BEA5264D1E088613DC0A436B0F07C0FAFE7DDB4DA2426335CE44BAAD
};
// Compile-time random permutation for entropy used in share overriding
parameter keymgr_pkg::rand_perm_t RndCnstKeymgrRandPerm = {
- 160'hAE95D648FE096166A7E2C81EE22EF834C71E6E88
+ 160'hC4AA63B1C5DE840CA2F1A42CAE0E7EF852B793AD
};
// Compile-time random bits for revision seed
parameter keymgr_pkg::seed_t RndCnstKeymgrRevisionSeed = {
- 256'h17A9838DD4CD7F1BDCE673B937A6D75202FEDBF893BF7D52C8A744AD83D2630B
+ 256'hBFAFCBEBD7C3361357BEE83E46164C82A0C86B9C1EF6117215C2E6FCB683D3A9
};
// Compile-time random bits for creator identity seed
parameter keymgr_pkg::seed_t RndCnstKeymgrCreatorIdentitySeed = {
- 256'hC20C05A20251023541544776930BE76BFBB22E1D8AAA4783F2B5E094E3E8D3F8
+ 256'hDF2A87ABF7C57A6D06F2E1721E3A5F3B217D62ACF1C966C712691421CEF76350
};
// Compile-time random bits for owner intermediate identity seed
parameter keymgr_pkg::seed_t RndCnstKeymgrOwnerIntIdentitySeed = {
- 256'h93CDB1D9A6A60050EF0D8A166D91200DC6757907237DF4401908799DFA1FE8F2
+ 256'h5910642E0F9946CB60F5F7D233A13B89BFC3162D205B4D60C9B16A8EB0AA75FA
};
// Compile-time random bits for owner identity seed
parameter keymgr_pkg::seed_t RndCnstKeymgrOwnerIdentitySeed = {
- 256'hA88601CA1695A7C8C5D32486AAC4E086628D6C8CA138F65D25DFA5F9C912F354
+ 256'h30AC79EEC48E320BDCFA32F724F82840FDACED02DA0253D803D1CDF325AFFF8B
};
// Compile-time random bits for software generation seed
parameter keymgr_pkg::seed_t RndCnstKeymgrSoftOutputSeed = {
- 256'hDF273097A573A411332EFD86009BD0A175F08814ECC17AB02CC1E3404E1CD8BF
+ 256'h8DB302ED56B78538C92BA96FE7BA5D882E53C3844212490CED20E7E16F71067E
};
// Compile-time random bits for hardware generation seed
parameter keymgr_pkg::seed_t RndCnstKeymgrHardOutputSeed = {
- 256'h69582E71443C8BE0FC00DE9D9734C3FE7F4266D10A752DE74814F2A3079F69A3
+ 256'hB00FE9A3A2BE362BC57CE4588424F90946B441FA5E08B2317FB3E9032DB9EDDF
};
// Compile-time random bits for generation seed when aes destination selected
parameter keymgr_pkg::seed_t RndCnstKeymgrAesSeed = {
- 256'h73E5BC251B143B74476E576754125D61930D203F199A87C123C074E020FD5028
+ 256'hD05781D31C4B4DAB379C12B6681950E6D52654489A981B7BDC91865141701FD5
};
// Compile-time random bits for generation seed when kmac destination selected
parameter keymgr_pkg::seed_t RndCnstKeymgrKmacSeed = {
- 256'hCE44CBFF5E09E6DD3AE54E9E45DA6E662FB69C3AAB936B415A0D6E7185EAA2E0
+ 256'h1AECA9607328C3621EE7FD88C63032EB50EE437EEDA142FCE033C343E179C299
};
// Compile-time random bits for generation seed when otbn destination selected
parameter keymgr_pkg::seed_t RndCnstKeymgrOtbnSeed = {
- 256'hFCC581B66AE11D33F678E7D227881BCFE58A331208F189DE6265EDC8FDE06DB0
+ 256'h45A488652C63C1F68CECF9596CDA21A8D5398CED8676E230226A9635BEA51C6E
};
// Compile-time random bits for generation seed when no destination selected
parameter keymgr_pkg::seed_t RndCnstKeymgrNoneSeed = {
- 256'hB76A8AFF9E4DA0E3FF9F3036FD9C13AC08496DB56FBC4894D38BD8674F4B542D
+ 256'h4DFB68EAEA920C1E6C7B2DC4B639BA1AE564B19DD8235C2F90C064C4849172A2
};
////////////////////////////////////////////
@@ -239,14 +243,14 @@
////////////////////////////////////////////
// Compile-time random bits for csrng state group diversification value
parameter csrng_pkg::cs_keymgr_div_t RndCnstCsrngCsKeymgrDivNonProduction = {
- 128'h4093F0EC256B2646079C10F2F41F73AF,
- 256'h3FC6AFBEC695054A0407221FB798AB7845C3FEAB0D2F4C7CF730A5675D7717A4
+ 128'hB8E9F2147556A5BCA2E5F635E555C46C,
+ 256'h406D9D57C967EAA9FC47E9E7507D72B87001FA7B0EB63A613068D71D5186D12D
};
// Compile-time random bits for csrng state group diversification value
parameter csrng_pkg::cs_keymgr_div_t RndCnstCsrngCsKeymgrDivProduction = {
- 128'h1F44B085A363CB599DF4DE1E830F9365,
- 256'h8A789BDC189F345CF4E341F211C9D00BEEFA4D4C2E269435471A7A682A6260EB
+ 128'h19A51F55617306D35C573898670C91F2,
+ 256'h491024562D76DA13A1276809927DC4D31864D4FEBC9DEF4F7C50B1E1906EBCB1
};
////////////////////////////////////////////
@@ -254,22 +258,22 @@
////////////////////////////////////////////
// Compile-time random reset value for SRAM scrambling key.
parameter otp_ctrl_pkg::sram_key_t RndCnstSramCtrlMainSramKey = {
- 128'h37F67765A0D2EB0CB514E4199CF3DE67
+ 128'hACEBE93343ED6321C82C19BE70B04C05
};
// Compile-time random reset value for SRAM scrambling nonce.
parameter otp_ctrl_pkg::sram_nonce_t RndCnstSramCtrlMainSramNonce = {
- 128'h0C9E673E4DB3FEE8922D1F0BCDD09153
+ 128'h08BAC50EF39DAF7229CF1EDB4FEDB1E5
};
// Compile-time random bits for initial LFSR seed
parameter sram_ctrl_pkg::lfsr_seed_t RndCnstSramCtrlMainLfsrSeed = {
- 32'hF45740EB
+ 32'hED700C07
};
// Compile-time random permutation for LFSR output
parameter sram_ctrl_pkg::lfsr_perm_t RndCnstSramCtrlMainLfsrPerm = {
- 160'h8DFE6EBD18CD97C1A58A179D524A9A3EE0D004B3
+ 160'h327418551E20E7D92CB4B89B6FE540C478C71F6F
};
////////////////////////////////////////////
@@ -277,12 +281,12 @@
////////////////////////////////////////////
// Fixed nonce used for address / data scrambling
parameter bit [63:0] RndCnstRomCtrlScrNonce = {
- 64'h0EBAD9424AE5E2CF
+ 64'hFBD120F152A9EF95
};
// Randomised constant used as a scrambling key for ROM data
parameter bit [127:0] RndCnstRomCtrlScrKey = {
- 128'h1893C0CE9E8E5600260058176D17F366
+ 128'h018D5A1FE3B04FF09932A2605B23CB7A
};
////////////////////////////////////////////
@@ -290,12 +294,12 @@
////////////////////////////////////////////
// Default seed of the PRNG used for random instructions.
parameter ibex_pkg::lfsr_seed_t RndCnstRvCoreIbexLfsrSeed = {
- 32'h7B99DCC9
+ 32'h2599381C
};
// Permutation applied to the LFSR of the PRNG used for random instructions.
parameter ibex_pkg::lfsr_perm_t RndCnstRvCoreIbexLfsrPerm = {
- 160'hB3918EB0D96C66B3D0572F8322007C4EFEF86955
+ 160'h67321029FE8DCEEA175830BE45DAB386E4D1A51D
};
endpackage : top_earlgrey_rnd_cnst_pkg
