Skip to content

Backport 26565 ([hsmtool] Add vendor specific AES_KWP mechanism) #29006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pamaury wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Backport 26565 ([hsmtool] Add vendor specific AES_KWP mechanism) #29006

pamaury wants to merge 2 commits into from
+75 −14

Conversation

@pamaury
Copy link
Contributor

@pamaury pamaury commented Dec 27, 2025

Backport #26565

@moidx @pamaury
[hsmtool] Add vendor specific AES_KWP.
cdccc56 
The HSM used in provisioning infrastructure uses a custom mechanism
identifier (`CKM_AES_KWP = (CKM_VENDOR_DEFINED + 0x171)`) even though
the implementation follows the RFC 3394 and 5649 specifations.

The `CKM_AES_KWP` implemented by Thales is also equivalent to the KWP
algorithm specified by NIST SP 800-38F.

This change adds a custom `Wrap::VendorThalesAesKwp` mechanism to
`hsmtool` to be able to wrap/unwrap private keys with `AES_KWP`.

Signed-off-by: Miguel Osorio <miguelosorio@google.com>
(cherry picked from commit a1feef4)
@pamaury pamaury requested a review from a team as a code owner December 27, 2025 10:51
@pamaury pamaury requested review from jwnrt and removed request for a team December 27, 2025 10:51
jwnrt
jwnrt approved these changes Jan 5, 2026
View reviewed changes
sw/host/hsmtool/src/commands/ecdsa/export.rs Outdated
let wrapper = Wrap::AesKeyWrapPad;
let wrapper: Wrap = self
.wrap_mechanism
.ok_or(anyhow!("wrap_mechanism is required when wrap is specified"))?
Copy link
Contributor

@jwnrt jwnrt Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: normally written .context("wrap_mechanism is required when wrap is specified")?

Copy link
Contributor Author

@pamaury pamaury Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, I added a commit to make the code more idiomatic

@pamaury
[hsmtool] Make rust code more idiomatic
c2d4f45 
Signed-off-by: Amaury Pouly <amaury.pouly@lowrisc.org>
@pamaury pamaury requested review from cfrantz and moidx January 5, 2026 13:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jwnrt jwnrt jwnrt approved these changes

@cfrantz cfrantz Awaiting requested review from cfrantz

@moidx moidx Awaiting requested review from moidx

Assignees

No one assigned

Labels

MergeBack:1.0.0 to master

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pamaury @jwnrt @moidx