opentitan icon indicating copy to clipboard operation
opentitan copied to clipboard
verified publisher icon lowRISC

[cryptolib] change implementation of HW backed keys

Open vsukhoml opened this issue 1 year ago • 1 comments

Description

Due to #22283, #22297, #22296 it is unlikely we will be able to claim that output of keymgr is a "key" in the NIST sense. This means we need to revisit implementation of hw backed keys and stop using sideloading from keymgr where FIPS-approved key is needed.

One of the solution would be to use DRBG to mix entropy, keymgr output and additional inputs and use its output as a key or key candidate. We can try to employ CSRNG wherever possible or use SW DRBG.

@ballifatih @jadephilipoom

vsukhoml avatar Mar 28 '24 00:03 vsukhoml

removing Hotlist label since will be discussed in other forum

johannheyszl avatar Jun 04 '24 11:06 johannheyszl

this is superseded by #21936 imo

johannheyszl avatar Oct 31 '25 10:10 johannheyszl