Support randomized Wycheproof signing vectors#18
Open
fegge wants to merge 2 commits into
Open
Conversation
Verify that each assembly kernel preserves the callee-saved registers
its platform calling convention requires:
- AArch64 (AAPCS64): x19-x28, x29/FP, lower 64 bits of d8-d15.
- x86_64 (System V): rbx, rbp, r12-r15. No SIMD register callee-saved.
- Armv8.1-M (AAPCS32): r4-r11 plus MVE Q4-Q7 (= D8-D15).
A per-arch assembly call stub loads a random register state, calls the
kernel, and captures the result; a checker then confirms the callee-saved
set is intact. Pointer arguments are backed by correctly-sized buffers
whose layout comes from a per-kernel YAML block; scripts/autogen turns
that YAML into the per-kernel checks. A self-test of hand-written
corrupters confirms the checker actually fires before kernel verdicts
are trusted.
Run via `make run_abicheck OPT=1` or `scripts/tests abicheck`. It needs no
library build, so `scripts/tests all` runs it by default.
Ported from mlkem-native, with the following deviations:
- No PowerPC64/ELFv2 backend, which mldsa-native does not ship.
- Fresh ABI YAML for the ML-DSA kernel set and signatures.
- Fixed the FIPS202 Keccak YAML Name fields to match the exported
symbols (e.g. keccak_f1600_x1_scalar_aarch64_asm, not
keccak_f1600_x1_scalar_asm), which the generator maps to mld_<Name>.
- The build force-undefines MLD_CONFIG_NO_{KEYPAIR,SIGN,VERIFY}_API so
every kernel is present; many ML-DSA kernels are otherwise gated out
by reduced-API configs, unlike any mlkem kernel.
- Adds MLD_SYS_CAP_MVE to sys.h (mlkem already has MLK_SYS_CAP_MVE), as
the Armv8.1-M check needs it for its runtime capability gate.
AArch64 ABI YAML lives in dev/aarch64_clean/src/, not dev/aarch64_opt/src/,
which scripts/autogen regenerates from clean.
See test/abicheck/README.md for details.
Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
|
|
Collaborator
Author
|
Upstream issue: pq-code-package#1219 |
Collaborator
Author
|
Replacement upstream PR with DCO-signed commits from an upstream repository branch: pq-code-package#1235 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
rndvalues to the local signing driver.rnd=HEXfor the three signing subcommands while preserving the existing all-zero fallback whenrndis absent.Source Finding
ptp/reported/wycheproof-randomized-signing-vectors-uncovered.mdptp/fixes/fix-wycheproof-randomized-signing-vectors-uncovered.mdValidation
ruff format test/wycheproof/wycheproof_client.py: passedclang-format -i test/wycheproof/wycheproof_mldsa.c: passedruff check test/wycheproof/wycheproof_client.py: passedpython3 -m py_compile test/wycheproof/wycheproof_client.py: passedgit diff --check -- test/wycheproof/wycheproof_client.py test/wycheproof/wycheproof_mldsa.c: passedmake wycheproof -j4: passedmake run_wycheproof -j4: passed, including refreshed randomized signing vectors such as ML-DSA-44tcId=90rndand malformedrndacrosssigGenSeedDeterministic,sigGenDeterministic, andsigGenInternalDeterministic: passed./scripts/format: not run to completion locally becausenixpkgs-fmtis not installed./scripts/lint: not run to completion locally becauseshfmtis not installedUpstream Plan
After Trail of Bits review is complete, submit this branch upstream to
pq-code-package/mldsa-native.