Suitability of STM32L432KC?

Terminada gnupg.org at terminada.io
Thu Oct 12 06:14:21 CEST 2023


On 12/10/23 10:41, NIIBE Yutaka wrote:
> The code of Gnuk assumes the MCU is *not* that good, that is,
> 
> 	- without (better) branch predictor
> 	- without cache (or flash accelerator)
> 
> In other words, our unique/peculiar approach is: assuming use of
> not-that-good MCU, we can keep the code simpler.
> 
> Please note that, in the code of Gnuk:
> 
> 	- The execution path may depend on secret values.
> 	- It may have table access which depends on secret values.
> 
> This is "feature", not bug.
> 
>> "Core: Arm® 32-bit Cortex®-M4 CPU with FPU,Adaptive real-time
>> accelerator (ART Accelerator™) allowing 0-wait-state execution
>> from Flash memory, frequency up to 80 MHz, MPU, 100DMIPS and DSP
>> instructions"
> 
> My concern is possible side-channel attacks against this accelerator.
> 
> 
> IIUC, GD32F103 (on FST-01SZ) has SRAM and SPI Flash ROM, and the
> contents of Flash are copied into SRAM at boot.  Table access with
> secret values is considered secure on the MCU (against possible
> side-channel attacks).

Very interesting.  I think I understand what you are saying at a high 
level.  But, please explain a bit more.  I am not sure how to word my 
questions given my more limited understanding:

How does the password used to unlock the smartcard (Gnuk) result in the 
secret values being more secure for memory access?

Does STM32L432's ART Accelerator undermine this because the compiler 
will optimise the binary for the ART Accelerator?

Does this mean that the processor used in FST-01SZ is less susceptible 
to side channel attacks compared to a Trezor One device (STM32F10XRXT6) 
or even the more recent Trezor T device (STM32F427VIT6)?  See this link 
about breaking Trezor One: 
https://www.ledger.com/blog/breaking-trezor-one-with-sca

>
> In the development history of mine, I tried:
>
> 	STM32L432
> 	GD32VF103
>
> But I don't use them for Gnuk.  Let me explain.
>

What do you use now?

I am happy with my FST-01SZ boards subject to not knowing how secure 
they are against various attacks.  However, I was unable to re-program 
my FST-01 and FST-01G boards until I realised that I needed to trigger a 
reset by shorting pins NRST and VSSA on the processor whilst trying to 
keep the ST-Link V2 programmer connected.  That was a bit tricky but I 
eventually re-programmed them all to Gnuk version 2.1.

I am motivated to make some Gnuk tokens because it is impossible to 
purchase any FST-01SZ or similar from anywhere.  The board design looks 
reasonably simple and I should be able to solder the IC by hand, but if 
I am going to go to the trouble of doing this, I thought I might get the 
most appropriate processor for the task.

So what would you recommend now?  I am particularly concerned to get the 
most secure, least easily attacked, processor chip.  I don't care if it 
will cost a few dollars more.

Another thing I would be very interested in achieving is to be able to 
use my Gnuk token to sign Cardano blockchain transactions.  The keys 
used on Cardano are ed25519 keys and the hashing algorithm used is 
Blake2b.  There would be significant Cardano community support for 
getting this to work and there is funding available to pay for 
development expenses through project Catalyst. (https://projectcatalyst.io/)
This video from one developer illustrates that the missing features, 
from what is already implemented in Gnuk, are likely quite minimal. 
(Maybe only the Blake2b hashing algorithm?): https://youtu.be/rVdpUpavLgM
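The two points in the quoted text above, that Gnuk's execution path and its table accesses may depend on secret values, and that this is only acceptable because the target MCU has no cache or flash accelerator, are illustrated by the following added example. It is not code from Gnuk or from anyone in this thread; the 16-entry table and its values are constructed for illustration. Each secret-dependent routine is shown beside the constant-time form one would reach for on a part whose cache or accelerator makes access timing observable.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed 16-entry table standing in for any table that Gnuk-style
 * code indexes with a secret (for example a key nibble). The values are
 * arbitrary; only the access pattern matters here. */
static const uint8_t TABLE[16] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
};

/* Secret-dependent lookup: the address fetched is a function of the
 * secret. On an MCU without cache or flash accelerator every fetch
 * takes the same time, which is the assumption the mail describes.
 * With a cache, the hit/miss pattern reveals the index. */
uint8_t lookup_direct(uint8_t secret_index)
{
    return TABLE[secret_index & 0x0f];
}

/* Constant-time lookup: read every entry and keep the wanted one with a
 * mask. The addresses touched and the number of iterations do not depend
 * on the secret, so a cache learns nothing from this access pattern. */
uint8_t lookup_masked(uint8_t secret_index)
{
    uint8_t idx = secret_index & 0x0f;
    uint8_t result = 0;
    for (size_t i = 0; i < 16; i++) {
        /* diff is 0 only when i == idx; (diff - 1) >> 24 then yields 0xff,
         * otherwise 0x00, without any branch on the secret. */
        uint32_t diff = (uint32_t)((uint8_t)i ^ idx);
        uint8_t mask = (uint8_t)((diff - 1u) >> 24);
        result |= (uint8_t)(TABLE[i] & mask);
    }
    return result;
}

/* Secret-dependent branch: an early-exit comparison stops at the first
 * mismatching byte, so the time taken reveals how many leading bytes
 * matched. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: OR all byte differences together and decide
 * once at the end; the loop always runs len times. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    /* acc == 0 iff all bytes are equal; the subtract/shift avoids a branch */
    return (int)((((uint32_t)acc - 1u) >> 31) & 1u);
}

/* Self-check: both lookup variants must agree on every possible input. */
int lookups_agree(void)
{
    for (unsigned v = 0; v < 256; v++) {
        if (lookup_direct((uint8_t)v) != lookup_masked((uint8_t)v))
            return 0;
    }
    return 1;
}
```

The masked forms cost a full pass over the data on every call, which is the price of not relying on the no-cache assumption. A C compiler is free to turn the mask arithmetic back into a conditional, so on a real build the generated Thumb assembly for these routines should be inspected rather than trusted.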