diff --git a/core/embed/bootloader/main.c b/core/embed/bootloader/main.c
index 043e76f47b..d076a54ba2 100644
--- a/core/embed/bootloader/main.c
+++ b/core/embed/bootloader/main.c
@@ -359,7 +359,7 @@ int bootloader_main(void) {
 system_init(&rsod_panic_handler);
- rdi_init();
+ random_delays_init();
 #if defined TREZOR_MODEL_T
 set_core_clock(CLOCK_180_MHZ);
diff --git a/core/embed/bootloader_ci/main.c b/core/embed/bootloader_ci/main.c
index 2d2339bbc6..d44584f663 100644
--- a/core/embed/bootloader_ci/main.c
+++ b/core/embed/bootloader_ci/main.c
@@ -181,7 +181,7 @@ static secbool check_vendor_header_lock(const vendor_header *const vhdr) {
 int main(void) {
 system_init(&rsod_panic_handler);
- rdi_init();
+ random_delays_init();
 #ifdef USE_TOUCH
 touch_init();
 #endif
diff --git a/core/embed/kernel/main.c b/core/embed/kernel/main.c
index 376f3d2dca..d960dda178 100644
--- a/core/embed/kernel/main.c
+++ b/core/embed/kernel/main.c
@@ -77,10 +77,10 @@ void drivers_init() {
 tamper_init();
 #endif
- rdi_init();
+ random_delays_init();
 #ifdef RDI
- rdi_start();
+ random_delays_start_rdi();
 #endif
 #ifdef SYSTEM_VIEW
diff --git a/core/embed/trezorhal/random_delays.h b/core/embed/trezorhal/random_delays.h
index ecdd6d44bd..46d6e0e482 100644
--- a/core/embed/trezorhal/random_delays.h
+++ b/core/embed/trezorhal/random_delays.h
@@ -22,17 +22,48 @@
 #include
+/*
+Random delay interrupts (RDI) is a contermeasure against side channel attacks.
+It consists of an interrupt handler that is supposed to be called every
+millisecond or so. The handler waits for a random number of cpu ticks that is a
+sample of so called floating mean distribution. That means that the number is
+the sum of two numbers generated uniformly at random in the interval [0, 255].
+The first number is generated freshly for each call of the handler, the other
+number is supposed to be refreshed when the device performs an operation that
+leaks the current state of the execution flow, such as sending or receiving an
+usb packet.
+
+See Differential Power Analysis in the Presence of Hardware Countermeasures by
+Christophe Clavier, Jean-Sebastien Coron, Nora Dabbous and Efficient Use of
+Random Delays in Embedded Software by Michael Tunstall, Olivier Benoit:
+https://link.springer.com/content/pdf/10.1007%2F3-540-44499-8_20.pdf
+https://link.springer.com/content/pdf/10.1007%2F978-3-540-72354-7_3.pdf
+*/
+
 #ifdef KERNEL_MODE
-void rdi_init(void);
+// Initializes the random number generator for `wait_random()` and the RDI
+//
+// RDI is stopped by default and can be started by calling
+// `random_delays_start_rdi()`.
+void random_delays_init(void);
-void rdi_start(void);
-void rdi_stop(void);
+// Starts the RDI, introducing small random delays every millisecond via
+// systimer callback.
+void random_delays_start_rdi(void);
-#endif
+// Stops the RDI
+void random_delays_stop_rdi(void);
-void rdi_refresh_session_delay(void);
+// Refreshes the second random number in the floating mean distribution.
+// (see the module description above)
+void random_delays_refresh_rdi(void);
+// Waits for a random number (0-255) of CPU ticks.
+//
+// This function is independent of the RDI and can be used in any context.
 void wait_random(void);
+#endif // KERNEL_MODE
+
 #endif // TREZORHAL_RANDOM_DELAYS_H
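Review bot: The new `#endif // KERNEL_MODE` now encloses `void wait_random(void);`, whereas before this change the old `#endif` sat above `rdi_refresh_session_delay`, so `wait_random()` and the refresh function were declared for every build; any non-kernel translation unit that still calls `wait_random()` will now compile without a prototype (or fail under -Werror=implicit-function-declaration). Either move `void wait_random(void);` back below the `#endif // KERNEL_MODE`, or state in the commit that the function is kernel-only from now on. The new comment "independent of the RDI and can be used in any context" also sits awkwardly next to the init comment that says `random_delays_init()` seeds the generator it uses; I would write `// Independent of whether the RDI is running, but random_delays_init() must have been called first.` While touching the moved module comment, "contermeasure" should read "countermeasure" and "an usb packet" should read "a USB packet".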
diff --git a/core/embed/trezorhal/stm32f4/random_delays.c b/core/embed/trezorhal/stm32f4/random_delays.c
index 9dbbe0a9d5..3861c1f8d8 100644
--- a/core/embed/trezorhal/stm32f4/random_delays.c
+++ b/core/embed/trezorhal/stm32f4/random_delays.c
@@ -17,24 +17,6 @@
 * along with this program. If not, see .
 */
-/*
-Random delay interrupts (RDI) is a contermeasure against side channel attacks.
-It consists of an interrupt handler that is supposed to be called every
-millisecond or so. The handler waits for a random number of cpu ticks that is a
-sample of so called floating mean distribution. That means that the number is
-the sum of two numbers generated uniformly at random in the interval [0, 255].
-The first number is generated freshly for each call of the handler, the other
-number is supposed to be refreshed when the device performs an operation that
-leaks the current state of the execution flow, such as sending or receiving an
-usb packet.
-
-See Differential Power Analysis in the Presence of Hardware Countermeasures by
-Christophe Clavier, Jean-Sebastien Coron, Nora Dabbous and Efficient Use of
-Random Delays in Embedded Software by Michael Tunstall, Olivier Benoit:
-https://link.springer.com/content/pdf/10.1007%2F3-540-44499-8_20.pdf
-https://link.springer.com/content/pdf/10.1007%2F978-3-540-72354-7_3.pdf
-*/
-
 #include "random_delays.h"
 #include
@@ -157,15 +139,15 @@ static void wait(uint32_t delay) {
 // forward declaration
 static void rdi_handler(void *context);
-void rdi_init() {
+void random_delays_init() {
 drbg_init();
 systimer_t *timer = systimer_create(rdi_handler, NULL);
- ensure(sectrue * (timer != NULL), "rdi_init failed");
+ ensure(sectrue * (timer != NULL), "random_delays_init failed");
 systimer_set_periodic(timer, 1);
 }
-void rdi_start(void) {
+void random_delays_start_rdi(void) {
 ensure(drbg_initialized, NULL);
 if (rdi_disabled == sectrue) { // if rdi disabled
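Review bot: The renamed definition `void random_delays_init() {` keeps the empty parameter list while the header in this same commit declares `void random_delays_init(void);` and the unix stub is written `(void)` too; the renamed line is the natural place to make it `void random_delays_init(void) {` so all three agree and -Wstrict-prototypes stays quiet. It would also help to document, above that definition, that the 1 ms systimer is armed here unconditionally and its handle is discarded, so `random_delays_stop_rdi()` cannot tear it down and the callback keeps firing while RDI is disabled — presumably `rdi_handler` checks `rdi_disabled`, but that handler is outside the hunk, so please confirm. The body of `random_delays_start_rdi` continues past the end of this hunk.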
@@ -174,14 +156,14 @@ void rdi_start(void) {
 }
 }
-void rdi_stop(void) {
+void random_delays_stop_rdi(void) {
 if (rdi_disabled == secfalse) { // if rdi enabled
 rdi_disabled = sectrue;
 session_delay = 0;
 }
 }
-void rdi_refresh_session_delay(void) {
+void random_delays_refresh_rdi(void) {
 if (rdi_disabled == secfalse) // if rdi enabled
 refresh_session_delay = true;
 }
diff --git a/core/embed/trezorhal/stm32f4/usb/usb.c b/core/embed/trezorhal/stm32f4/usb/usb.c
index b4e7a974fd..4875f34cc0 100644
--- a/core/embed/trezorhal/stm32f4/usb/usb.c
+++ b/core/embed/trezorhal/stm32f4/usb/usb.c
@@ -644,7 +644,7 @@ static uint8_t usb_class_data_in(USBD_HandleTypeDef *dev, uint8_t ep_num) {
 usb_driver_t *drv = &g_usb_driver;
 #ifdef RDI
- rdi_refresh_session_delay();
+ random_delays_refresh_rdi();
 #endif
 for (int i = 0; i < USBD_MAX_NUM_INTERFACES; i++) {
@@ -664,7 +664,7 @@ static uint8_t usb_class_data_out(USBD_HandleTypeDef *dev, uint8_t ep_num) {
 usb_driver_t *drv = &g_usb_driver;
 #ifdef RDI
- rdi_refresh_session_delay();
+ random_delays_refresh_rdi();
 #endif
 for (int i = 0; i < USBD_MAX_NUM_INTERFACES; i++) {
diff --git a/core/embed/trezorhal/unix/random_delays.c b/core/embed/trezorhal/unix/random_delays.c
index b9bcbe5ca4..075cb5ea3c 100644
--- a/core/embed/trezorhal/unix/random_delays.c
+++ b/core/embed/trezorhal/unix/random_delays.c
@@ -19,6 +19,6 @@
 #include "random_delays.h"
-void wait_random(void) {}
+void random_delays_init(void) {}
-void rdi_init(void) {}
+void wait_random(void) {}
diff --git a/core/embed/trezorhal/unix/random_delays.h b/core/embed/trezorhal/unix/random_delays.h
deleted file mode 100644
index 01191b24cf..0000000000
--- a/core/embed/trezorhal/unix/random_delays.h
+++ /dev/null
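Review bot: With its private header deleted, the unix `random_delays.c` now compiles against the shared `random_delays.h`, which declares five functions, but the stub file defines only `random_delays_init` and `wait_random`; the three `random_delays_*_rdi` callers visible in this diff are all under `#ifdef RDI`, so this presumably still links for the emulator today, but the first unix build with RDI defined would fail at link time. I would add no-op stubs next to the two existing ones: `void random_delays_start_rdi(void) {}`, `void random_delays_stop_rdi(void) {}`, `void random_delays_refresh_rdi(void) {}`, so the unix target honours the full header contract. A one-line comment such as `// Emulator: no side-channel countermeasure, every entry point is a no-op.` would also make the intent of this file explicit.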
@@ -1,26 +0,0 @@
-/*
- * This file is part of the Trezor project, https://trezor.io/
- *
- * Copyright (c) SatoshiLabs
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- */
-
-#ifndef __TREZORHAL_RANDOM_DELAYS_H__
-#define __TREZORHAL_RANDOM_DELAYS_H__
-
-void rdi_init(void);
-void wait_random(void);
-
-#endif