[RTL] Mask MLDSA private key writes when KV data is present (#237)

Nitsirks · web-flow · commit a8d6bbdd667e · 2025-11-12T07:08:25.000-08:00
* masks writes to MLDSA private key in API access when mlkem msg data from the keyvault is present
mlkem msg data is stored in part of the SK memory and could potentially be overwritten partially using the MLDSA private key

* MICROSOFT AUTOMATED PIPELINE: Stamp 'user/dev/michnorris/kv_bugfix' with updated timestamp and hash after successful run
diff --git a/.github/workflow_metadata/pr_hash b/.github/workflow_metadata/pr_hash
@@ -1 +1 @@
-9f509918a32aef8928aa0d046adc9000cc660627986d7977e6e72b0fe2ca57f852d96f6a980044075796b22e1fb3a665
+36b15d8b679cff273caa9ec38db99ae9a9b4476879d48f69c81747f082a0a9c800b1def2764c7e220458ae4792d7231e
diff --git a/.github/workflow_metadata/pr_timestamp b/.github/workflow_metadata/pr_timestamp
@@ -1 +1 @@
-1762818050
+1762905412
diff --git a/src/abr_top/rtl/abr_ctrl.sv b/src/abr_top/rtl/abr_ctrl.sv
@@ -913,7 +913,7 @@ always_comb kv_mlkem_msg_write_data = '0;
   always_comb api_sk_raddr = abr_reg_hwif_out.MLDSA_PRIVKEY_OUT.addr[12:2];
 
   always_comb api_sk_reg_wr_dec = abr_reg_hwif_out.MLDSA_PRIVKEY_IN.req & api_sk_waddr inside {[0:31]};
-  always_comb api_keymem_wr_dec = abr_reg_hwif_out.MLDSA_PRIVKEY_IN.req & api_sk_waddr inside {[31:PRIVKEY_NUM_DWORDS-1]};
+  always_comb api_keymem_wr_dec = abr_reg_hwif_out.MLDSA_PRIVKEY_IN.req & api_sk_waddr inside {[31:PRIVKEY_NUM_DWORDS-1]} & ~kv_mlkem_msg_data_present;
 
   always_comb api_sk_reg_rd_dec = abr_reg_hwif_out.MLDSA_PRIVKEY_OUT.req & api_sk_raddr inside {[0:31]};
   always_comb api_keymem_rd_dec = abr_reg_hwif_out.MLDSA_PRIVKEY_OUT.req & api_sk_raddr inside {[32:PRIVKEY_NUM_DWORDS-1]};

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-9f509918a32aef8928aa0d046adc9000cc660627986d7977e6e72b0fe2ca57f852d96f6a980044075796b22e1fb3a665`
	`1`	`+36b15d8b679cff273caa9ec38db99ae9a9b4476879d48f69c81747f082a0a9c800b1def2764c7e220458ae4792d7231e`