16 changes: 8 additions & 8 deletions wolfcrypt/src/aes.c
Expand Up @@ -2151,14 +2151,14 @@ static void XorTable_Multi(const word32* t, word32* t0, byte o0,
word32 e1 = 0;
word32 e2 = 0;
word32 e3 = 0;
byte hi0 = o0 & 0xf0;
byte lo0 = o0 & 0x0f;
byte hi1 = o1 & 0xf0;
byte lo1 = o1 & 0x0f;
byte hi2 = o2 & 0xf0;
byte lo2 = o2 & 0x0f;
byte hi3 = o3 & 0xf0;
byte lo3 = o3 & 0x0f;
byte hi0 = o0 & WC_CACHE_LINE_MASK_HI;
byte lo0 = o0 & WC_CACHE_LINE_MASK_LO;
byte hi1 = o1 & WC_CACHE_LINE_MASK_HI;
byte lo1 = o1 & WC_CACHE_LINE_MASK_LO;
byte hi2 = o2 & WC_CACHE_LINE_MASK_HI;
byte lo2 = o2 & WC_CACHE_LINE_MASK_LO;
byte hi3 = o3 & WC_CACHE_LINE_MASK_HI;
byte lo3 = o3 & WC_CACHE_LINE_MASK_LO;
int i;

for (i = 0; i < 256; i += (1 << WC_CACHE_LINE_BITS)) {
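Review bot: The eight new mask lines (`o0 & WC_CACHE_LINE_MASK_HI` / `& WC_CACHE_LINE_MASK_LO`) and the loop stride `i += (1 << WC_CACHE_LINE_BITS)` on the last hunk line are now two independent knobs, and the hi/lo split is only meaningful when the low mask is exactly the stride minus one; the old literals 0xf0/0x0f were the WC_CACHE_LINE_BITS == 4 case. Nothing in the hunk ties the macros to WC_CACHE_LINE_BITS (their definitions are not visible here; presumably they are derived from it, but that should be enforced rather than assumed). I would add, next to where the masks are defined or at the top of this function, `#if (WC_CACHE_LINE_MASK_LO != ((1 << WC_CACHE_LINE_BITS) - 1)) || (WC_CACHE_LINE_MASK_HI != (0xff & ~WC_CACHE_LINE_MASK_LO))` / `#error "WC_CACHE_LINE_MASK_HI/LO must match WC_CACHE_LINE_BITS"` / `#endif`, so a mismatched configuration fails to build instead of silently indexing the wrong cache-line slices. XorTable_Multi begins before and continues past this hunk, so the index arithmetic that consumes hi*/lo* is not in view.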
48 changes: 18 additions & 30 deletions wolfcrypt/src/sp_int.c
Expand Up @@ -5121,6 +5121,14 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, sp_int_digit lo,
(size_t) 0,
(size_t)-1
};
/* Constant time access here will not work on CHERI so fallback to basic for now */
#ifdef __CHERI_PURE_CAPABILITY__
#define SP_CT_ADDR(t, idx) ((t)[(idx)])
The purpose of the code you had to disable is to make sure both addresses are loaded into cache even though only one is accessed.

Is there a way to preload t[0] and t[1] with CHERI and then use only one of the addresses?

#else
#define SP_CT_ADDR(t, idx) \
(sp_int*)(((size_t)(t)[0] & sp_off_on_addr[(idx)^1]) + \
((size_t)(t)[1] & sp_off_on_addr[(idx)]))
#endif
#endif
#endif

Expand Down Expand Up @@ -13166,13 +13174,9 @@ static int _sp_exptmod_ex(const sp_int* b, const sp_int* e, int bits,
}
#else
/* 4.1. t[s] = t[s] ^ 2 */
_sp_copy((sp_int*)(((size_t)t[0] & sp_off_on_addr[s^1]) +
((size_t)t[1] & sp_off_on_addr[s ])),
t[2]);
_sp_copy(SP_CT_ADDR(t, s), t[2]);
err = sp_sqrmod(t[2], m, t[2]);
_sp_copy(t[2],
(sp_int*)(((size_t)t[0] & sp_off_on_addr[s^1]) +
((size_t)t[1] & sp_off_on_addr[s ])));
_sp_copy(t[2], SP_CT_ADDR(t, s));

if (err == MP_OKAY) {
/* 4.2. y = e[i] */
Expand All @@ -13183,13 +13187,9 @@ static int _sp_exptmod_ex(const sp_int* b, const sp_int* e, int bits,
/* 4.4 s = s | y */
s |= y;
/* 4.5. t[j] = t[j] * b */
_sp_copy((sp_int*)(((size_t)t[0] & sp_off_on_addr[j^1]) +
((size_t)t[1] & sp_off_on_addr[j ])),
t[2]);
_sp_copy(SP_CT_ADDR(t, j), t[2]);
err = _sp_mulmod(t[2], b, m, t[2]);
_sp_copy(t[2],
(sp_int*)(((size_t)t[0] & sp_off_on_addr[j^1]) +
((size_t)t[1] & sp_off_on_addr[j ])));
_sp_copy(t[2], SP_CT_ADDR(t, j));
}
#endif
}
Expand Down Expand Up @@ -13279,9 +13279,7 @@ static int _sp_exptmod_ex(const sp_int* b, const sp_int* e, int bits,
err = sp_mulmod(t[0], t[1], m, t[2]);
/* 3.3. t[3] = t[y] ^ 2 */
if (err == MP_OKAY) {
_sp_copy((sp_int*)(((size_t)t[0] & sp_off_on_addr[y^1]) +
((size_t)t[1] & sp_off_on_addr[y ])),
t[3]);
_sp_copy(SP_CT_ADDR(t, y), t[3]);
err = sp_sqrmod(t[3], m, t[3]);
}
/* 3.4. t[y] = t[3], t[y^1] = t[2] */
Expand Down Expand Up @@ -13403,16 +13401,12 @@ static int _sp_exptmod_mont_ex(const sp_int* b, const sp_int* e, int bits,
/* 6. For i in (bits-1)...0 */
for (i = bits - 1; (err == MP_OKAY) && (i >= 0); i--) {
/* 6.1. t[s] = t[s] ^ 2 */
_sp_copy((sp_int*)(((size_t)t[0] & sp_off_on_addr[s^1]) +
((size_t)t[1] & sp_off_on_addr[s ])),
t[3]);
_sp_copy(SP_CT_ADDR(t, s), t[3]);
err = sp_sqr(t[3], t[3]);
if (err == MP_OKAY) {
err = _sp_mont_red(t[3], m, mp, 0);
}
_sp_copy(t[3],
(sp_int*)(((size_t)t[0] & sp_off_on_addr[s^1]) +
((size_t)t[1] & sp_off_on_addr[s ])));
_sp_copy(t[3], SP_CT_ADDR(t, s));

if (err == MP_OKAY) {
/* 6.2. y = e[i] */
Expand All @@ -13424,16 +13418,12 @@ static int _sp_exptmod_mont_ex(const sp_int* b, const sp_int* e, int bits,
s |= y;

/* 6.5. t[j] = t[j] * bm */
_sp_copy((sp_int*)(((size_t)t[0] & sp_off_on_addr[j^1]) +
((size_t)t[1] & sp_off_on_addr[j ])),
t[3]);
_sp_copy(SP_CT_ADDR(t, j), t[3]);
err = sp_mul(t[3], t[2], t[3]);
if (err == MP_OKAY) {
err = _sp_mont_red(t[3], m, mp, 0);
}
_sp_copy(t[3],
(sp_int*)(((size_t)t[0] & sp_off_on_addr[j^1]) +
((size_t)t[1] & sp_off_on_addr[j ])));
_sp_copy(t[3], SP_CT_ADDR(t, j));
}
}
if (err == MP_OKAY) {
Expand Down Expand Up @@ -13543,9 +13533,7 @@ static int _sp_exptmod_mont_ex(const sp_int* b, const sp_int* e, int bits,
}
/* 4.3. t[3] = t[y] ^ 2 */
if (err == MP_OKAY) {
_sp_copy((sp_int*)(((size_t)t[0] & sp_off_on_addr[y^1]) +
((size_t)t[1] & sp_off_on_addr[y ])),
t[3]);
_sp_copy(SP_CT_ADDR(t, y), t[3]);
err = sp_sqr(t[3], t[3]);
}
if (err == MP_OKAY) {
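Review bot: The `__CHERI_PURE_CAPABILITY__` definition `#define SP_CT_ADDR(t, idx) ((t)[(idx)])` silently drops the constant-time property for every `SP_CT_ADDR(t, s)`, `SP_CT_ADDR(t, j)` and `SP_CT_ADDR(t, y)` site in `_sp_exptmod_ex` and `_sp_exptmod_mont_ex`, where the index is derived from exponent bits, yet the build gives no indication that this hardening is gone on CHERI targets. I would make the regression visible with `#warning "SP_CT_ADDR: CHERI build uses secret-dependent table indexing in exptmod"` beside the fallback, and expand the one-line comment to say why the masked form cannot be used, presumably because integer arithmetic on two `size_t`-cast capabilities yields a value with no capability provenance, so the cast back to `sp_int*` is not dereferenceable (confirm against the toolchain diagnostic that motivated this). The non-CHERI branch casts pointers through `size_t` rather than `uintptr_t`; that is pre-existing, but `sp_off_on_addr` is typed `size_t` to match, so any future cleanup has to change both together. Both exptmod functions start and end outside these hunks.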
6 changes: 5 additions & 1 deletion wolfssl/internal.h
Expand Up @@ -5761,15 +5761,19 @@ typedef struct BuildMsgArgs {
#endif

#ifdef WOLFSSL_ASYNC_IO
#define MAX_ASYNC_ARGS 18
#define MAX_ASYNC_ARGS 24
typedef void (*FreeArgsCb)(struct WOLFSSL* ssl, void* pArgs);

struct WOLFSSL_ASYNC {
#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WOLFSSL_NO_TLS12)
BuildMsgArgs buildArgs; /* holder for current BuildMessage args */
#endif
FreeArgsCb freeArgs; /* function pointer to cleanup args */
#ifdef __CHERI_PURE_CAPABILITY__
max_align_t args[MAX_ASYNC_ARGS * sizeof(word32) / sizeof(max_align_t)]; /* holder for current args */
#else
word32 args[MAX_ASYNC_ARGS]; /* holder for current args */
#endif
};
#endif

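Review bot: The CHERI sizing `max_align_t args[MAX_ASYNC_ARGS * sizeof(word32) / sizeof(max_align_t)]` rounds down, so whenever `MAX_ASYNC_ARGS * sizeof(word32)` (96 bytes with the new value) is not a multiple of `sizeof(max_align_t)` the buffer holds fewer bytes than the `word32 args[MAX_ASYNC_ARGS]` branch, and any user that still sizes its copy as `MAX_ASYNC_ARGS * sizeof(word32)` rather than `sizeof(args)` would overrun it. I would round up instead: `max_align_t args[(MAX_ASYNC_ARGS * sizeof(word32) + sizeof(max_align_t) - 1) / sizeof(max_align_t)];`, and add a compile-time check that `sizeof(((struct WOLFSSL_ASYNC*)0)->args) >= MAX_ASYNC_ARGS * sizeof(word32)` so the two branches can never disagree. The bump from 18 to 24 is presumably to fit capability-sized pointers in the argument structs stored here; a one-line comment stating that would keep someone from lowering it again. `max_align_t` needs `<stddef.h>`, which may or may not already be included ahead of this point.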