drivers/at86rf2xx; spi security module (AES)

[fabian18]

Contribution description

The at86rf2xx IEEE 802.15.4 transceivers are capable to perform AES in hardware and support block cipher modes ECB and CBC.

This PR adds a pseudomodule in the at86rf2xx driver. You will be able to perform hardware encryption and decryption of blocks of data using ECB and CBC block ciphers. Nothing is changed from the actual driver.

Only SPI transceivers are supported, for now. Although for MCU integrated transceivers atmega128rfa1 and atmega256rfr2 it is even simpler and could be added later.
The SPI security module supports fast SPI, which means that you will read output block i, if you write input block i + 1 to the SPI bus.

Testing procedure

I provided a test in tests/driver_at86rf2xx_aes/.
Test vectors are taken from: RFC3602

Issues/PRs references

None

[benpicco]

Looks good!
Neat to have this feature.
Just a few questions:

• do we need to take the radio state into account?
• if we want to encrypt payload, do we really have to write the plaintext onto the device, read it back, and then send it? I would have imagined it would have a mode where it would handle encryption / decryption transparently.

[benpicco]

You could move those to at86rf2xx_internal.h if you want.
But might also be done in a later patch. I was wondering why you didn't just use at86rf2xx_sram_read() and friends, but I guess the problem there is that they will all acquire and release the bus.

Only recently I have learned that this is a bad idea (and even more so after the recent power optimizations after release() on sam0), so the right courser of action would be to convert the driver to not acquire() and release() the bus, just like you did here.

But that would be another PR.

[fabian18]

but I guess the problem there is that they will all acquire and release the bus.

Yes.
And further at86rf2xx_sram_read() writes dummy bytes to the transceiver, while
at86rf2xx_sram_write() does not care what it reads from the transceiver.
For fast SPI, you read the result from the last block operation, while you write the next block.

[jia200x]

do we need to take the radio state into account?

No. The AES component is independent of the transceiver. It's indeed possible to encrypt/decrypt while sending/receiving (assuming the device is not sleeping).

if we want to encrypt payload, do we really have to write the plaintext onto the device, read it back, and then send it? I would have imagined it would have a mode where it would handle encryption / decryption transparently.

Yes :(. It's required to write the plaintext packet and then read it from SRAM since it's a "generic" AES crypto accelerator (intended to be used with IEEE802.15.4, but other use cases are also possible)

[jia200x]

can't this be replaced with the at86rf2xx_sram_xxx functions (from 'at86rf2xx_internal.c`)?

[benpicco]

See https://github.com/RIOT-OS/RIOT/pull/14113/files#r433510445

[jia200x]

ditto

[jia200x]

ditto

[fabian18]

I cannot reuse them because, they acquire / release the bus in each call and at86rf2xx_sram_write() ignores what is read from the transceiver, which is important for fast SPI.

[jia200x]

hmmm I would say that these are "presentation layer" functions (not specific to AES). Maybe they can be added as generic functions? What do you think?

[fabian18]

Generally I agree, they could be moved to at86rf2xx_internal because they are not related to the security module. But I am not sure if I should do this because nothing else uses it, so far.

On the one side it touches the actual driver, and I think this should be done, if some day someone decides to modify the at86rf2xx SPI functions in a way that they do not acquire / release the SPI bus for every call. Right now I see no benefit of moving them.

On the other side it doesn´t harm because it is a small change.

I would keep them in place for now.

[fabian18]

Git is showing a weird diff for 39c23ac.
But it just does the

    if (!nblocks) {
        return 0;
    }

thing.

[benpicco]

Would be good if the test would print SUCCESS at the end.
Then you can also add a tests/01-run.py with

#!/usr/bin/env python3

import sys
from testrunner import run

def testfunc(child):
    child.expect('START')
    child.expect('ECB test 1 done')
    child.expect('ECB test 2 done')
    child.expect('CBC test 1 done')
    child.expect('CBC test 2 done')
    child.expect('CBC test 3 done')
    child.expect('SUCCESS')

if __name__ == "__main__":
    sys.exit(run(testfunc))

so we can have make test work for automatic tests.

[fabian18]

Ok

[benpicco]

Hm looks like you'll have to add a puts("START"); at the beginning of the test too.
This and chmod a+x tests/01-run.py.

Then make test will work.

[fjmolinas]

Or just remove matching start, test_utilis_interactive_sync will already match the start for you.

[fabian18]

ups forgot that ...

[benpicco]

What's that mirror about?

[fabian18]

The mirror must be the same value as the cfg and is transfered to the slave to start an AES operation, if AT86RF2XX_AES_CTRL_MIRROR_MASK__AES_REQUEST is set.

[benpicco]

Could we still get the AT86RF2XX_AES_STATUS_MASK__AES_ER bit set here?

[fabian18]

No the error bit is set before the transceiver has processed a data block. There are two cases:

1. The delay between initiating an AES operation and sending the next cfg to AT86RF2XX_REG__AES_CTRL was too short. Meaning the transceiver did not have enough time to process the current block.
2. Less then 16 bytes of data have been sent to the transceiver. This never happens in the code, so this case cannot arrive.

[benpicco]

Better add that as a comment so in the future this question doesn't come up again :)

[fabian18]

Actually the first case should not arrive either because I am polling if the operation is complete.
I could make an assert() that the error bit is never set and change the return types of all functions to be void because that was the only thing that I expected that could go wrong. Every time I witnessed the error bit was set, there was a mistake in the code.
Or there may be something that I am not aware of and the current implementation would be a little safer.
But I don´t think so. Even when I reduce AT86RF2XX_AES_DELAY_US, the error is not set because the polling is safe.
So I would like to turn it into an assert()

[benpicco]

This looks pretty good.
Some more comments would be nice as the code is pretty dense.

I'd like to have this, though it's not a requirement, it would sure encourage the work on MAC layer security. :)

[fabian18]

Now I think it´s time to squash.

[benpicco]

Looks good to me and the automatic test is also working.
Please squash.

[benpicco]

Do we actually need the base driver here?

[fabian18]

for this in main.c:

    at86rf2xx_setup(&dev, &at86rf2xx_params[0]);
    dev.netdev.netdev.event_callback = _event_cb;
    if (dev.netdev.netdev.driver->init(&dev.netdev.netdev) != 0) {
        return EXIT_FAILURE;
    }

[benpicco]

Yea but do we need it?
I mean if we have to init the radio to use crypto that's fine.
But if we just init it and then never use it, we might as well drop it.

[fabian18]

I don´t think we need the driver capability but it initializes the params, SPI and checks if SPI is working.
You mean I can copy the params and init SPI manually? Then the driver is not needed. Is this better?

[fabian18]

Then I would have to make an own driver rather then a pseudomodule, right?

[benpicco]

A never mind then.
A separate init function would be possible, but that's not worth the hassle now.

If someone really wants to use the crypto without the radio, that could be added later.

[fabian18]

I am going to insert two empty lines in the python script to make travis happy and squash right away.

[fabian18]

Then I am going to add a Makefile.ci, to make murdock happy.

[fabian18]

Hooray 🎉 , thanks for merging.