Skip to content

Backport 27444 ([hsmtool] Add vendor specific AES_KW mechanism)#29249

Merged
pamaury merged 1 commit intolowRISC:masterfrom
pamaury:backport_27444
Feb 12, 2026
Merged

Backport 27444 ([hsmtool] Add vendor specific AES_KW mechanism)#29249
pamaury merged 1 commit intolowRISC:masterfrom
pamaury:backport_27444

Conversation

@pamaury
Copy link
Contributor

@pamaury pamaury commented Feb 4, 2026

Backport #27444

@timothytrippel @pamaury
[hsmtool] Add vendor specific AES_KWP mechanism
9685f85 
The HSM used in provisioning infrastructure uses a custom mechanism
identifier (CKM_AES_KW = (CKM_VENDOR_DEFINED + 0x170)) even though the
implementation follows the RFC 3394 specification. The CKM_AES_KW
implemented by Thales is also equivalent to the KW algorithm specified by
NIST SP 800-38F.

This change adds a custom Wrap::VendorThalesAesKw mechanism to hsmtool to
be able to wrap/unwrap private keys with AES_KW. This is similar to lowRISC#26565.

Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit 38ea01a)
@pamaury pamaury requested a review from a team as a code owner February 4, 2026 14:56
@pamaury pamaury requested review from cfrantz, jwnrt and timothytrippel and removed request for a team February 4, 2026 14:56
@pamaury pamaury added this pull request to the merge queue Feb 12, 2026
Merged via the queue into lowRISC:master with commit 94da6f1 Feb 12, 2026
48 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timothytrippel timothytrippel timothytrippel approved these changes

@jwnrt jwnrt Awaiting requested review from jwnrt jwnrt is a code owner automatically assigned from lowRISC/ot-rust-reviewers

@cfrantz cfrantz Awaiting requested review from cfrantz

Assignees

No one assigned

Labels

MergeBack:1.0.0 to master

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pamaury @timothytrippel