
Commit 92c25e7

nasahlpavogelpi
authored andcommitted
[crypto] Add rv_core_ibex function that checks CPUCTRL config
The CPUCTRL Ibex register contains two security-relevant entries (dummy_instr_en and data_ind_timing). As these two security features should be enabled when using CryptoLib, the newly added function checks whether they are enabled. Signed-off-by: Pascal Nasahl <[email protected]>
1 parent 770657c commit 92c25e7


2 files changed

+42
-0
lines changed


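--- a/sw/device/lib/crypto/drivers/rv_core_ibex.c
+++ b/sw/device/lib/crypto/drivers/rv_core_ibex.c
@@ -25,8 +25,37 @@ enum {
 * CSR_REG_CPUCTRL[0] is the iCache configuration field.
 */
 kCpuctrlICacheMask = 1,
+/**
+* Mask for extracting cpuctrl_csr[1] and cpuctrl_csr[2] is 0b11.
+*/
+kMask = 0x3,
+/**
+* The first item is cpuctrl_csr[1].
+*/
+kIdx = 0x1,
+/**
+* cpuctrl_csr[1] and cpuctrl_csr[2] should be set to 0b11.
+*/
+kExpectedConfig = 0x3,
 };
 
+hardened_bool_t ibex_check_security_config(void) {
+uint32_t cpuctrl_csr;
+CSR_READ(CSR_REG_CPUCTRL, &cpuctrl_csr);
+
+// Check if cpuctrl_csr[1] (data_ind_timing) and cpuctrl_csr[2]
+// (dummy_instr_en) is set to 1 (enabled).
+bitfield_field32_t cpuctrl_mask = {.mask = kMask, .index = kIdx};
+uint32_t cpuctrl_cfg = bitfield_field32_read(cpuctrl_csr, cpuctrl_mask);
+
+if (launder32(cpuctrl_cfg) != kExpectedConfig) {
+return kHardenedBoolFalse;
+}
+HARDENED_CHECK_EQ(cpuctrl_cfg, kExpectedConfig);
+
+return kHardenedBoolTrue;
+}
+
 /**
 * Blocks until data is ready in the RND register.
 */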
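Review bot: In `ibex_check_security_config`, the `launder32` comparison and the `HARDENED_CHECK_EQ` both test the same `cpuctrl_cfg`, which comes from a single `CSR_READ`. The redundancy therefore covers a skipped branch, but not a disturbed read or field extraction. If that is in scope for CryptoLib's threat model, the second check could use a fresh read into a separate variable, e.g. `CSR_READ(CSR_REG_CPUCTRL, &cpuctrl_csr_recheck);` then `HARDENED_CHECK_EQ(bitfield_field32_read(cpuctrl_csr_recheck, cpuctrl_mask), kExpectedConfig);`. Separately, `kMask`, `kIdx` and `kExpectedConfig` sit in the same enum as `kCpuctrlICacheMask` but carry no register prefix. Their comments also cite the local `cpuctrl_csr[1]` instead of naming the fields, so names such as `kCpuctrlSecMask` with comments mentioning data_ind_timing and dummy_instr_en would read more clearly.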

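--- a/sw/device/lib/crypto/drivers/rv_core_ibex.h
+++ b/sw/device/lib/crypto/drivers/rv_core_ibex.h
@@ -31,6 +31,19 @@ status_t ibex_disable_icache(hardened_bool_t *icache_enabled);
 */
 void ibex_restore_icache(hardened_bool_t icache_enabled);
 
+/**
+* Checks if the expected Ibex Security Features are enabled.
+*
+* This function reads Ibex cpuctrl register and checks, whether the following
+* security features are enabled:
+* - data_ind_timing
+* - dummy_instr_en
+*
+* @returns Whether the config matches the expected secure config.
+*/
+OT_WARN_UNUSED_RESULT
+hardened_bool_t ibex_check_security_config(void);
+
 /**
 * Get random data from the EDN0 interface.
 *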
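Review bot: The doc comment on `ibex_check_security_config` does not say that the function only observes the register. As implemented in rv_core_ibex.c it neither enables the features nor guarantees they stay enabled after it returns, so a caller cannot tell from the header when the check has to be repeated or what a false result requires. I would spell out the return contract, e.g. `@return kHardenedBoolTrue if both data_ind_timing and dummy_instr_en are set, kHardenedBoolFalse otherwise.`, and add one sentence that the result reflects CPUCTRL at the time of the call and that callers are expected to refuse cryptographic operations on `kHardenedBoolFalse` (assuming that is the intended policy).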
