[pentest] Add markers in pentest framework

siemen11 · siemen11 · commit b0714dc368a5 · 2025-11-03T03:54:12.000-05:00
In order to reliably find the calls of certain functions for GDB testing, we add markers around them which can be found in the dis file. These markers do influence the pentest code as they are function calls.

Signed-off-by: Siemen Dhooghe &lt;sdhooghe@google.com&gt;
diff --git a/sw/device/tests/penetrationtests/firmware/fi/cryptolib_fi_asym_impl.c b/sw/device/tests/penetrationtests/firmware/fi/cryptolib_fi_asym_impl.c
@@ -26,6 +26,9 @@
 
 #define MODULE_ID MAKE_MODULE_ID('f', 'a', 'i')
 
+// Markers in the dis file to be able to trace certain functions
+#define PENTEST_MARKER_LABEL(name) asm volatile(#name ":" ::: "memory")
+
 // OAEP label for testing.
 static const unsigned char kTestLabel[] = "Test label.";
 static const size_t kTestLabelLen = sizeof(kTestLabel) - 1;
@@ -403,12 +406,14 @@ status_t cryptolib_fi_rsa_sign_impl(
 
   // Trigger window.
   if (uj_input.trigger & kPentestTrigger3) {
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_RSA_SIGN_START);
     pentest_set_trigger_high();
   }
   TRY(otcrypto_rsa_sign(&private_key, msg_digest, padding_mode, sig_buf));
   // Trigger window.
   if (uj_input.trigger & kPentestTrigger3) {
     pentest_set_trigger_low();
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_RSA_SIGN_END);
   }
 
   // Return data back to host.
@@ -561,13 +566,16 @@ status_t cryptolib_fi_rsa_verify_impl(
   hardened_bool_t verification_result;
   // Trigger window.
   if (uj_input.trigger & kPentestTrigger3) {
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_RSA_VERIFY_START);
     pentest_set_trigger_high();
   }
-  TRY(otcrypto_rsa_verify(&public_key, msg_digest, padding_mode, sig,
-                          &verification_result));
+  status_t status = otcrypto_rsa_verify(&public_key, msg_digest, padding_mode,
+                                        sig, &verification_result);
   if (uj_input.trigger & kPentestTrigger3) {
     pentest_set_trigger_low();
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_RSA_VERIFY_END);
   }
+  TRY(status);
 
   // Return data back to host.
   uj_output->result = true;
@@ -633,9 +641,11 @@ status_t cryptolib_fi_p256_ecdh_impl(
       .keyblob = shared_secretblob,
   };
 
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_P256_ECDH_START);
   pentest_set_trigger_high();
   TRY(otcrypto_ecdh_p256(&private_key, &public_key, &shared_secret));
   pentest_set_trigger_low();
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_P256_ECDH_END);
 
   uint32_t share0[kPentestP256Words];
   uint32_t share1[kPentestP256Words];
@@ -726,13 +736,15 @@ status_t cryptolib_fi_p256_sign_impl(
 
   // Trigger window 1.
   if (uj_input.trigger == 1) {
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_P256_SIGN_START);
     pentest_set_trigger_high();
   }
   // Sign the message.
   TRY(otcrypto_ecdsa_p256_sign_verify(&private_key, &public_key, message_digest,
                                       signature_mut));
   if (uj_input.trigger == 1) {
     pentest_set_trigger_low();
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_P256_SIGN_END);
   }
 
   // Return data back to host.
@@ -790,10 +802,12 @@ status_t cryptolib_fi_p256_verify_impl(
 
   hardened_bool_t verification_result = kHardenedBoolFalse;
 
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_P256_VERIFY_START);
   pentest_set_trigger_high();
   TRY(otcrypto_ecdsa_p256_verify(&public_key, message_digest, signature,
                                  &verification_result));
   pentest_set_trigger_low();
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_P256_VERIFY_END);
 
   // Return data back to host.
   uj_output->result = true;
@@ -859,9 +873,11 @@ status_t cryptolib_fi_p384_ecdh_impl(
       .keyblob = shared_secretblob,
   };
 
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_P384_ECDH_START);
   pentest_set_trigger_high();
   TRY(otcrypto_ecdh_p384(&private_key, &public_key, &shared_secret));
   pentest_set_trigger_low();
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_P384_ECDH_END);
 
   uint32_t share0[kPentestP384Words];
   uint32_t share1[kPentestP384Words];
@@ -952,12 +968,14 @@ status_t cryptolib_fi_p384_sign_impl(
 
   // Trigger window 1.
   if (uj_input.trigger == 1) {
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_P384_SIGN_START);
     pentest_set_trigger_high();
   }
   TRY(otcrypto_ecdsa_p384_sign_verify(&private_key, &public_key, message_digest,
                                       signature_mut));
   if (uj_input.trigger == 1) {
     pentest_set_trigger_low();
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_P384_SIGN_END);
   }
 
   // Return data back to host.
@@ -1015,10 +1033,12 @@ status_t cryptolib_fi_p384_verify_impl(
 
   hardened_bool_t verification_result = kHardenedBoolFalse;
 
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_P384_VERIFY_START);
   pentest_set_trigger_high();
   TRY(otcrypto_ecdsa_p384_verify(&public_key, message_digest, signature,
                                  &verification_result));
   pentest_set_trigger_low();
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_P384_VERIFY_END);
 
   // Return data back to host.
   uj_output->result = true;
diff --git a/sw/device/tests/penetrationtests/firmware/fi/cryptolib_fi_sym_impl.c b/sw/device/tests/penetrationtests/firmware/fi/cryptolib_fi_sym_impl.c
@@ -22,6 +22,9 @@
 
 #define MODULE_ID MAKE_MODULE_ID('c', 'f', 's')
 
+// Markers in the dis file to be able to trace certain functions
+#define PENTEST_MARKER_LABEL(name) asm volatile(#name ":" ::: "memory")
+
 status_t cryptolib_fi_aes_impl(cryptolib_fi_sym_aes_in_t uj_input,
                                cryptolib_fi_sym_aes_out_t *uj_output) {
   // Set the AES mode.
@@ -134,9 +137,11 @@ status_t cryptolib_fi_aes_impl(cryptolib_fi_sym_aes_in_t uj_input,
   };
 
   // Trigger window.
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_AES_START);
   pentest_set_trigger_high();
   TRY(otcrypto_aes(&key, iv, mode, op, input, padding, output));
   pentest_set_trigger_low();
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_AES_END);
 
   // Return data back to host.
   uj_output->data_len = padded_len_bytes;
@@ -168,11 +173,13 @@ status_t cryptolib_fi_drbg_generate_impl(
 
   // Trigger window 0.
   if (uj_input.trigger & kPentestTrigger2) {
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_DRBG_GENERATE_START);
     pentest_set_trigger_high();
   }
   TRY(otcrypto_drbg_generate(nonce, output));
   if (uj_input.trigger & kPentestTrigger2) {
     pentest_set_trigger_low();
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_DRBG_GENERATE_END);
   }
 
   // Return data back to host.
@@ -197,11 +204,13 @@ status_t cryptolib_fi_drbg_reseed_impl(
 
   // Trigger window 0.
   if (uj_input.trigger & kPentestTrigger1) {
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_DRBG_RESEED_START);
     pentest_set_trigger_high();
   }
   TRY(otcrypto_drbg_instantiate(entropy));
   if (uj_input.trigger & kPentestTrigger1) {
     pentest_set_trigger_low();
+    PENTEST_MARKER_LABEL(PENTEST_MARKER_DRBG_RESEED_END);
   }
 
   // Return data back to host.
@@ -298,10 +307,12 @@ status_t cryptolib_fi_gcm_impl(cryptolib_fi_sym_gcm_in_t uj_input,
   }
 
   // Trigger window.
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_GCM_ENCRYPT_START);
   pentest_set_trigger_high();
   TRY(otcrypto_aes_gcm_encrypt(&key, plaintext, iv, aad, tag_len,
                                actual_ciphertext, actual_tag));
   pentest_set_trigger_low();
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_GCM_ENCRYPT_END);
 
   // Return data back to host.
   uj_output->cfg = 0;
@@ -385,9 +396,11 @@ status_t cryptolib_fi_hmac_impl(cryptolib_fi_sym_hmac_in_t uj_input,
   };
 
   // Trigger window.
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_HMAC_START);
   pentest_set_trigger_high();
   TRY(otcrypto_hmac(&key, input_message, tag));
   pentest_set_trigger_low();
+  PENTEST_MARKER_LABEL(PENTEST_MARKER_HMAC_END);
 
   // Return data back to host.
   uj_output->data_len = tag_bytes;
