Security Module (AES)
This section describes the control and usage of the AES hardware acceleration unit. For more details refer to section 9.1 (Security Module (AES)) of the AT86RF212 datasheet.The security module can be accessed with SRAM read/write commands (see section SRAM Access Mode) in any of the [ACTIVE] states. The functions trx_aes_read(), trx_aes_wrrd(), trx_aes_write() are adapted SRAM read/write functions, which take the memory organization of the security module into consideration. The fast SRAM access method is described in detail in section AES Block Access and Fast SRAM Access. The following picture shows the memory map of the security module.
+----+--------------------+ |0x82| AES_STATUS | (status SRAM register) +----+--------------------+ |0x83| AES_CTRL | (configuration SRAM register) +----+--------------------+ |0x84| | | | AES_STATE_KEY | (128 bit data SRAM block) |0x93| | +----+--------------------+ |0x94| AES_CTRL_MIRROR | (configuration mirror SRAM register) +----+--------------------+
Performing an AES operation requires the following steps:
- Configure the security key with use case AES_SET_KEY.
- Set the AES mode and direction with use case AES_ECB_SINGLE_BLOCK.
- Transfer the data for the security operation to the security engine (see AES_ECB_SINGLE_BLOCK).
- Start the security operation by setting AES_REQUEST bit at SRAM register 0x94 (AES_CTRL_MIRROR).
- The processed data are stored at the SRAM addresses 0x84 - 0x93.
- Note:
- Using the security module in TRX_OFF state requires enabling of CLKM, see section CLKM Frequency Change.
- The configuration steps 2 - 4 can be combined into one single SRAM access.
- Using consecutive AES operations (like CBC) allows reading of the previously processed data during a SRAM write access, for details refer to AES Block Access and Fast SRAM Access.
- An AES run requires t12, which further defines the wait time between AES accesses, refer to AES_ECB_MULTIPLE_BLOCKS, AES_CBC.
- All configurations of the security module, the SRAM content and keys are reset during SLEEP or after a TRX_RESET.
- Parameters:
-
aesmode This parameter configures the AES operational mode, which can be {AES_MODE_KEY, AES_MODE_ECB, AES_MODE_CBC}. All other values are reserved. aesdir The parameter configures the AES operation direction {AES_DIR_ENCRYPT, AES_DIR_DECRYPT}. aeskey a data block of size TRX_AES_BLOCK_SIZE, storing the 128 bit AES key. idata an input data block of size TRX_AES_BLOCK_SIZE, which can be either plain text or cypher text. idata1 1st input data block. idata2 2nd input data block.
...idataN Nth input data block.
- Return values:
-
aesdone value that indicates the current status of the AES module. {0}: operation is not finished, {1}: operation is finished. aeserror value that indicates the error status of the AES module. {0}: no error has occured, {1}: an error has occured. odata an output data block of size TRX_AES_BLOCK_SIZE, which can be either plain text or cypher text. odata1 1st output data block. odata2 2nd output data block.
...odataN Nth output data block.
AES_GET_STATUS
The current status information of the security module (aesdone, aeserror) can be retrieved from SRAM register AES_STATUS.
- Code example
/* AT86RF212::[ACTIVE] */ trx_sram_read(AES_STATUS, 1, stat); aesdone=stat & 1; aeserror=(stat>>7) & 1;
AES_SET_KEY
The key is configured by the following steps:- by configuring aesmode to AES_MODE_KEY and
- store the key (aeskey) with a length of 128 bit to SRAM register AES_STATE_KEY.
This steps can be combined using a single SRAM access, implemented with the function trx_aes_write() (for details refer to section AES Block Access and Fast SRAM Access).
- Code example
/* AT86RF212::[ACTIVE] */ trx_aes_write(AES_MODE_KEY, 0, aeskey);
AES_GET_KEY
The current 128 bit AES key (aeskey) can be retrieved from SRAM register AES_STATE_KEY of the security module, e.g. after the current AES operation is finished (see AES_GET_STATUS).
- Code example
/* AT86RF212::[ACTIVE] */ trx_aes_read(AES_MODE_KEY, aeskey);
AES_ECB_SINGLE_BLOCK
The ECB mode is the default operating mode of the security module. The use case illustrates the processing of a single data block while using the following parameters:- aesmode=AES_MODE_ECB
- aesdir direction of the AES operation
- idata input data block
- odata result data block
- Code example
/* AT86RF212::[ACTIVE] */ aesctl = AES_MODE_ECB | aesdir; trx_aes_write(aesctl, 1, idata); delay(t12); trx_aes_read(aesctl, odata);
AES_ECB_MULTIPLE_BLOCKS
The use case illustrates the processing of several data blocks in the ECB operational mode with the following parameters:
- aesmode=AES_MODE_ECB
- aesdir direction of the AES operation
- idata1,...,idataN input data blocks
- odata1,...,odataN result data blocks
- Code example
/* AT86RF212::[ACTIVE] */ aesctl = AES_MODE_ECB | aesdir; trx_aes_write(aesctl, 1, idata1); delay(t12); trx_aes_wrrd(aesctl, 1, idata2, odata1); delay(t12); trx_aes_wrrd(aesctl, 1, idata3, odata2); proc_other_blocks(); delay(t12); trx_aes_read(aesctl, odataN);
AES_CBC
The CBC mode of the security module is based on the ECB operating mode. The use case illustrates the processing of several data blocks in the CBC operational mode with the following parameters:
- aesmode = AES_MODE_CBC
- aesdir direction of the AES operation
- idata1,...,idataN input data blocks
- odata1,...,odataN result data blocks
- Code example
/* AT86RF212::[ACTIVE] */ aesctl = AES_MODE_ECB | aesdir; trx_aes_write(aesctl, 1, idata1); aesctl = AES_MODE_CBC | aesdir; trx_aes_wrrd(aesctl, 1, idata2, odata1); delay(t12); trx_aes_wrrd(aesctl, 1, idata3, odata2); proc_other_blocks(); delay(t12); trx_aes_read(aesctl, odataN);
