NUCLEO_F439ZI/mbedtls: add SHA256 hw_acceleration

[adustm]

Description

Enable HW acceleration for SHA256 algorithm on STM32F439ZI
is = #3948

Status

READY

Steps to test or reproduce

To test this feature, you have to modify TESTS/mbedtls/selfttest/main.cpp in order to call sha256 self test:
add:
#include "mbedtls/sha256.h"
then

#if defined(MBEDTLS_SHA256_C)
MBEDTLS_SELF_TEST_TEST_CASE(mbedtls_sha256_self_test)
#endif

then

#if defined(MBEDTLS_SHA256_C)
    Case("mbedtls_sha256_self_test", mbedtls_sha256_self_test_test_case),
#endif

Testing

• /morph test-nightly

[adustm]

@sg-

[RonEld]

reviewed and added comments

[RonEld]

what if ilen < 64?
Do you need an accumulation buffer like in SHA1 use case?

[RonEld]

is this include needed? Please check what header file includes can be moved to mbedtls_sha256_alt.c

[RonEld]

no need to define, as it is already defined in sha256.h outside the #ifdef (MBEDTLS_SHA256_ALT) check

[RonEld]

no need to define, as it is already defined in sha256.h outside the #ifdef (MBEDTLS_SHA256_ALT) check

[RonEld]

can be removed

[RonEld]

can be removed

[0xc0170]

retest uvisor

[adustm]

Hello @RonEld
I just implemented SHA256 in the same way it was done for SHA1 and MD5.
Could you handle the review please ?
Cheers
Armelle

[RonEld]

minor comment, other than that, I will approve

[RonEld]

change 64 to MBEDTLS_SHA256_BLOCK_SIZE

[RonEld]

change 64 to MBEDTLS_SHA256_BLOCK_SIZE

[RonEld]

change 64 to MBEDTLS_SHA256_BLOCK_SIZE

[RonEld]

change 64 to MBEDTLS_SHA256_BLOCK_SIZE

[gilles-peskine-arm]

I suggest making this a bool (so that it's clear that only two values are allowed) and moving it to the end of the structure (to avoid wasting a little memory for alignment).

[adustm]

Hello,
This is coming from the official sha256.h.
I suggest that you create a change request to mbedtls official release, where it comes from :
https://github.com/ARMmbed/mbed-os/blob/master/features/mbedtls/inc/mbedtls/sha256.h#L51

[gilles-peskine-arm]

@adustm I know. We're stuck with this in the portable code because we don't want to change types that are visible in the public API (it would break binary compatibility). Here the backward compatibility constraint does not apply. But it's extremely minor anyway, it would save 4 bytes per context at most.

[adustm]

This is a copy from the input parameter from the void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 ) function.
I prefer to remain aligned with the public api if you don't mind (as you said, minor 4 bytes saving).

[gilles-peskine-arm]

I'm not sure this is correct, but again it might be because I am not familiar with the hardware. After calling the clone function, a user of the crypto library can alternate calls to the two contexts. If the context data is copied, in particular if the clones have the same contents in all the HASH_HandleTypeDef fields, won't they be sharing some resources?

[adustm]

see previous comment

[gilles-peskine-arm]

I guess you mean “to handle MBEDTLS_SHA256_BLOCK_SIZE bytes at a time”? But looking at the code below it's a bit more complicated than that: buffer up to MBEDTLS_SHA256_BLOCK_SIZE bytes; only call the hardware if there are at least MBEDTLS_SHA256_BLOCK_SIZE bytes to process; if there are at least MBEDTLS_SHA256_BLOCK_SIZE bytes then process the largest possible multiple of 4 (not of 64).

[adustm]

correct, I will change the comment

[gilles-peskine-arm]

Is this the right place to reset the hardware? What about a scenario with two hash calculations, fore example: init(ctx1); init(ctx2); starts(ctx1); starts(ctx2); update(ctx1); update(ctx2); finish(ctx1); update(ctx2); free(ctx1); update(ctx2);. The free operation is there to free resources that are associated with a specific calculation, but the hardware is shared between all the hash calculations that are going on.

[adustm]

You are probably right about this. I will create this test to handle the multithread.

[gilles-peskine-arm]

The documentation of HAL_HASHEx_SHA256_Accumulate states: “If the Size is not multiple of 64 bytes, the padding is managed by hardware.” So is it valid to call it with blocks that are not a multiple of 64 bytes (other than the last block)? E.g. with a call mbedtls_sha256_update(ctx, input1, 68); mbedtls_sha256_update(ctx, input2, 60); mbedtls_sha256_finalize(ctx), this code processes all 68 bytes of input1 then some padding?? then buffers the 60 bytes of input2 which are processed by finalize(). Is this correct?

Same remark for SHA224.

[adustm]

Please see my answer here : #4162 (comment)

[gilles-peskine-arm]

Is this the right place to power on the hardware? See my comment about reset in mbedtls_sha256_free.

[adustm]

Powering the hw will have no effect if already done.

[andresag01]

This is equivalent to PR #4162 but for a different target. I have already reviewed that one and left my comments there.

[adustm]

Hello @gilles-peskine-arm @andresag01 ,
I have reworked this branch to allow multiple context.
Let me know if you think it's ok.
Kind regards

[gilles-peskine-arm]

Looks good overall, see my comments in PR #4162

[andresag01]

@adustm: Many thanks for considering our comments and reworking. This PR is is very similar to #4160, please refer to my most recent comments there.

[adustm]

Hello @andresag01 and @yanesca
Could you approve this PR or let me know if anything is missing ?
@0xc0170 could you let me know what is wrong in the Cam-CI uvisor Build & Test script ?

Kind regards
Armelle

[sg-]

Given all the approvals and that mbed TLS 2.5 is part of master can this PR be rebased on master?

[0xc0170]

@adustm Is there any problem to base this on master? It was changed a hour ago

[adustm]

Hello @0xc0170 , forget about it, I have seen just after that it was a modification from Sam.
The rebase on master shows many conflicts. I think I 'd better cherry-pick, isn't it ?

[adustm]

bump ?

[adbridge]

/morph test

[mbed-bot]

Result: SUCCESS

Your command has finished executing! Here's what you wrote!

/morph test

Output

mbed Build Number: 623

All builds and test passed!

[adustm]

It looks like this morph test was lucky and the other were not...

At least this one has a chance to be merged soon
:-s
kind regards
Armelle
cc @screamerbg

[screamerbg]

@0xc0170 @adbridge What is gating this PR?

[0xc0170]

@adustm Can you please rebase? we merged another PR that caused a conflict here, we will then trigger CI

[adustm]

conflict solved

[adbridge]

retest uvisor

[adbridge]

/morph test

[theotherjimmy]

@adustm I have restarted Travis for you. If that does not resolve the issue we fixed on master I will rebase this PR for you to get travis passing.

@Patater You aborted this one too. Do you have plans to restart it?

[mbed-bot]

Result: SUCCESS

Your command has finished executing! Here's what you wrote!

/morph test

Output

mbed Build Number: 662

All builds and test passed!

[adustm]

👍

[adbridge]

This contains a 'merge' commit which should not have been allowed through.

[adbridge]

@adustm Please always use rebase rather than merge in the future :) . I will manually cherry pick changes to pull this through to 5.5.2

[adustm]

Hello @adbridge
Thank you.
For your information, this merge commit ec72ac0 is done through the github web interface when it shows a conflict and suggests to fix it directly there.
If it is a problem to use that option, somebody should remove this possibility.
Cheers
Armelle

[adbridge]

@adustm I agree. We will look into what options we allow from the git gui on these PRs !