BulkECB Mode - 1.0 English

Versal Adaptive SoC Integrated 400G High Speed Channelized Cryptography Engine Subsystem Product Guide (PG372)

Document ID
PG372
Release Date
2024-01-30
Version
1.0 English

When configured for BulkECB mode, the HSC Subsystem implements the AES-ECB encryption function. In this mode, each message is divided into 128-bit blocks and each block is encrypted separately using the given key for that message. The BulkECB mode does not support authentication. Furthermore, the BulkECB mode supports only the encryption (not decryption) function on both the encryption and decryption paths. Each packet is processed according to the following parameters:

  • Secure Association (SA) index associated with the packet
  • SA Key
  • Cipher suite
    • AES-128
    • AES-256
  • Confidentiality offset (0 to 63 bytes)
  • Bypass selection

On the encryption path, the SA index is set using the enc_igr_prtif_crypto_sa_index_p0 through enc_igr_prtif_crypto_sa_index_p3 input ports, which are sampled during the first cycle of the packet. Similarly, dec_igr_prtif_crypto_sa_index_p0 through dec_igr_prtif_crypto_sa_index_p3 are used on the decryption path.

The SA key may be provided (in the same cycle as SOP on the AXI4-Stream interface) by user logic that is external to the HSC Subsystem. Alternatively, the core retrieves the key from its internal table based on the SA index. Internal keys use SA index value of 0 to 1023, while external keys use the remaining SA index values.

In the encryption path, the cipher suite is selecting using the enc_igr_prtif_crypto_cipher_suite_p0 through enc_igr_prtif_crypto_cipher_suite_p3 input ports, which are sampled during the first cycle of the packet. Similarly, dec_igr_prtif_crypto_cipher_suite_p0 through dec_igr_prtif_crypto_cipher_suite_p3 are used on the decryption path.

The confidentiality offset determines the length of the unencrypted portion of the packet. In BulkECB mode the offset can be set to any value from 0 to 63 bytes, counting from the start of the packet. In the encryption path, the confidentiality offset is set using the enc_igr_prtif_crypto_conf_offset_p0 through enc_igr_prtif_crypto_conf_offset_p3 input ports, which are sampled during the first cycle of the packet. Similarly, dec_igr_prtif_crypto_conf_offset_p0 through dec_igr_prtif_crypto_conf_offset_p3 are used on the decryption path.

In BulkECB mode, the part of the packet that is encrypted must be a multiple of 128 bits.

In BulkECB mode, the bypass indication signal is used to indicate that the corresponding packet must bypass the encryption function and path through the HSC Subsystem unchanged. On the encryption path, the bypass indication is set using enc_igr_prtif_crypto_byp_p0 through enc_igr_prtif_crypto_byp_p3 inputs, which are sampled during the first cycle of the packet. Similarly, dec_igr_prtif_crypto_byp_p0 through dec_igr_prtif_crypto_byp_p3 inputs are used ion the decryption path.