[cryptotest] Determine security level

Randomly select a security level for the cryptotests as for some
security levels, the implementation might be different.

Signed-off-by: Pascal Nasahl <[email protected]>

Author: nasahlpa

sw/device/tests/crypto/BUILD

@@ -195,6 +195,7 @@ cc_library(
         "//sw/device/lib/runtime:log",
         "//sw/device/lib/testing:profile",
         "//sw/device/lib/testing/test_framework:check",
+        "//sw/device/tests/crypto/lib:crypto_test_lib",
     ],
 )
 

sw/device/tests/crypto/aes_gcm_testutils.c

@@ -14,6 +14,7 @@
 #include "sw/device/lib/runtime/log.h"
 #include "sw/device/lib/testing/profile.h"
 #include "sw/device/lib/testing/test_framework/check.h"
+#include "sw/device/tests/crypto/lib/crypto_test_lib.h"
 
 #define MODULE_ID MAKE_MODULE_ID('a', 'g', 't')
 
@@ -123,13 +124,17 @@ static status_t stream_gcm(otcrypto_aes_gcm_context_t *ctx,
 
 status_t aes_gcm_testutils_encrypt(const aes_gcm_test_t *test, bool streaming,
                                    uint32_t *cycles) {
+  // Determine the security level.
+  otcrypto_key_security_level_t sec_level;
+  TRY(determine_security_level(&sec_level));
+
   // Construct the blinded key configuration.
   otcrypto_key_config_t config = {
       .version = kOtcryptoLibVersion1,
       .key_mode = kOtcryptoKeyModeAesGcm,
       .key_length = test->key_len * sizeof(uint32_t),
       .hw_backed = kHardenedBoolFalse,
-      .security_level = kOtcryptoKeySecurityLevelHigh,
+      .security_level = sec_level,
   };
 
   // Construct blinded key from the key and testing mask.
@@ -220,13 +225,17 @@ status_t aes_gcm_testutils_encrypt(const aes_gcm_test_t *test, bool streaming,
 status_t aes_gcm_testutils_decrypt(const aes_gcm_test_t *test,
                                    hardened_bool_t *tag_valid, bool streaming,
                                    uint32_t *cycles) {
+  // Determine the security level.
+  otcrypto_key_security_level_t sec_level;
+  TRY(determine_security_level(&sec_level));
+
   // Construct the blinded key configuration.
   otcrypto_key_config_t config = {
       .version = kOtcryptoLibVersion1,
       .key_mode = kOtcryptoKeyModeAesGcm,
       .key_length = test->key_len * sizeof(uint32_t),
       .hw_backed = kHardenedBoolFalse,
-      .security_level = kOtcryptoKeySecurityLevelHigh,
+      .security_level = sec_level,
   };
 
   // Construct blinded key from the key and testing mask.

sw/device/tests/crypto/cryptotest/firmware/BUILD

@@ -22,10 +22,10 @@ cc_library(
         "//sw/device/lib/crypto/impl:keyblob",
         "//sw/device/lib/crypto/include:datatypes",
         "//sw/device/lib/runtime:log",
-        "//sw/device/lib/testing:rand_testutils",
         "//sw/device/lib/testing/test_framework:ujson_ottf",
         "//sw/device/lib/ujson",
         "//sw/device/tests/crypto/cryptotest/json:aes_commands",
+        "//sw/device/tests/crypto/lib:crypto_test_lib",
     ],
 )
 
@@ -137,10 +137,10 @@ cc_library(
         "//sw/device/lib/crypto/impl:integrity",
         "//sw/device/lib/crypto/impl:key_transport",
         "//sw/device/lib/runtime:log",
-        "//sw/device/lib/testing:rand_testutils",
         "//sw/device/lib/testing/test_framework:ujson_ottf",
         "//sw/device/lib/ujson",
         "//sw/device/tests/crypto/cryptotest/json:hmac_commands",
+        "//sw/device/tests/crypto/lib:crypto_test_lib",
     ],
 )
 

sw/device/tests/crypto/cryptotest/firmware/aes.c

@@ -10,10 +10,10 @@
 #include "sw/device/lib/crypto/impl/keyblob.h"
 #include "sw/device/lib/crypto/include/datatypes.h"
 #include "sw/device/lib/runtime/log.h"
-#include "sw/device/lib/testing/rand_testutils.h"
 #include "sw/device/lib/testing/test_framework/ujson_ottf.h"
 #include "sw/device/lib/ujson/ujson.h"
 #include "sw/device/tests/crypto/cryptotest/json/aes_commands.h"
+#include "sw/device/tests/crypto/lib/crypto_test_lib.h"
 
 enum {
   kAesBlockBytes = 128 / 8,
@@ -28,13 +28,6 @@ static const uint32_t kKeyMask[8] = {
     0x8acdcb7e, 0x15e76440, 0x8459b2ce, 0xdc2110cc,
 };
 
-// Available security levels. The test randomly chooses one.
-static const otcrypto_key_security_level_t security_level[3] = {
-    kOtcryptoKeySecurityLevelLow,
-    kOtcryptoKeySecurityLevelMedium,
-    kOtcryptoKeySecurityLevelHigh,
-};
-
 status_t handle_aes_block(ujson_t *uj) {
   cryptotest_aes_mode_t uj_mode;
   cryptotest_aes_operation_t uj_op;
@@ -117,15 +110,16 @@ status_t handle_aes_block(ujson_t *uj) {
   };
 
   // Select a random security level.
-  size_t sec_lvl_idx = rand_testutils_gen32_range(
-      /*min=*/0, /*max=*/ARRAYSIZE(security_level) - 1);
+  otcrypto_key_security_level_t sec_level;
+  TRY(determine_security_level(&sec_level));
+
   // Build the key configuration
   otcrypto_key_config_t config = {
       .version = kOtcryptoLibVersion1,
       .key_mode = key_mode,
       .key_length = uj_data.key_length,
       .hw_backed = kHardenedBoolFalse,
-      .security_level = security_level[sec_lvl_idx],
+      .security_level = sec_level,
   };
   // Create buffer to store key
   uint32_t key_buf[kAesMaxKeyWords];

sw/device/tests/crypto/cryptotest/firmware/hmac.c

@@ -11,10 +11,10 @@
 #include "sw/device/lib/crypto/include/datatypes.h"
 #include "sw/device/lib/crypto/include/key_transport.h"
 #include "sw/device/lib/runtime/log.h"
-#include "sw/device/lib/testing/rand_testutils.h"
 #include "sw/device/lib/testing/test_framework/ujson_ottf.h"
 #include "sw/device/lib/ujson/ujson.h"
 #include "sw/device/tests/crypto/cryptotest/json/hmac_commands.h"
+#include "sw/device/tests/crypto/lib/crypto_test_lib.h"
 
 const unsigned int kOtcryptoHmacTagBytesSha256 = 32;
 const unsigned int kOtcryptoHmacTagBytesSha384 = 48;
@@ -36,13 +36,6 @@ static const uint32_t kTestMask[48] = {
     0xA5D39BD2, 0xAB479AD5, 0x5786D029, 0x2E4B7CD7, 0xB77A3D76, 0xE2A09962,
 };
 
-// Available security levels. The test randomly chooses one.
-static const otcrypto_key_security_level_t security_level[3] = {
-    kOtcryptoKeySecurityLevelLow,
-    kOtcryptoKeySecurityLevelMedium,
-    kOtcryptoKeySecurityLevelHigh,
-};
-
 status_t handle_hmac(ujson_t *uj) {
   // Declare test arguments
   cryptotest_hmac_hash_alg_t uj_hash_alg;
@@ -72,16 +65,18 @@ status_t handle_hmac(ujson_t *uj) {
       LOG_ERROR("Unsupported HMAC key mode: %d", uj_hash_alg);
       return INVALID_ARGUMENT();
   }
+
   // Select a random security level.
-  size_t sec_lvl_idx = rand_testutils_gen32_range(
-      /*min=*/0, /*max=*/ARRAYSIZE(security_level) - 1);
+  otcrypto_key_security_level_t sec_level;
+  TRY(determine_security_level(&sec_level));
+
   // Build the key configuration
   otcrypto_key_config_t config = {
       .version = kOtcryptoLibVersion1,
       .key_mode = key_mode,
       .key_length = uj_key.key_len,
       .hw_backed = kHardenedBoolFalse,
-      .security_level = security_level[sec_lvl_idx],
+      .security_level = sec_level,
   };
   // Create key shares.
   uint32_t key_buf[ceil_div(uj_key.key_len, sizeof(uint32_t))];

sw/device/tests/crypto/lib/BUILD

@@ -0,0 +1,15 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+package(default_visibility = ["//visibility:public"])
+
+cc_library(
+    name = "crypto_test_lib",
+    srcs = ["crypto_test_lib.c"],
+    hdrs = ["crypto_test_lib.h"],
+    deps = [
+        "//sw/device/lib/crypto/include:datatypes",
+        "//sw/device/lib/testing:rand_testutils",
+    ],
+)

sw/device/tests/crypto/lib/crypto_test_lib.c

@@ -0,0 +1,22 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#include "sw/device/lib/base/status.h"
+#include "sw/device/lib/crypto/include/datatypes.h"
+#include "sw/device/lib/testing/rand_testutils.h"
+
+// Available security levels. The test randomly chooses one.
+static const otcrypto_key_security_level_t available_security_levels[3] = {
+    kOtcryptoKeySecurityLevelLow,
+    kOtcryptoKeySecurityLevelMedium,
+    kOtcryptoKeySecurityLevelHigh,
+};
+
+status_t determine_security_level(
+    otcrypto_key_security_level_t *security_level) {
+  uint32_t sec_lvl_idx = rand_testutils_gen32_range(
+      /*min=*/0, /*max=*/ARRAYSIZE(available_security_levels) - 1);
+  *security_level = available_security_levels[sec_lvl_idx];
+  return OK_STATUS();
+}

sw/device/tests/crypto/lib/crypto_test_lib.h

@@ -0,0 +1,25 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef OPENTITAN_SW_DEVICE_TESTS_CRYPTO_LIB_CRYPTO_TEST_LIB_H_
+#define OPENTITAN_SW_DEVICE_TESTS_CRYPTO_LIB_CRYPTO_TEST_LIB_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif  // __cplusplus
+
+/**
+ * Determine a random security level.
+ *
+ * @param[out] security_level Cycle count for the decrypt() call
+ * @return OK or error.
+ */
+status_t determine_security_level(
+    otcrypto_key_security_level_t *security_level);
+
+#ifdef __cplusplus
+}  // extern "C"
+#endif  // __cplusplus
+
+#endif  // OPENTITAN_SW_DEVICE_TESTS_CRYPTO_LIB_CRYPTO_TEST_LIB_H_