BCM5812 Security Processor
Advance Data Sheet 5812-DS01-405-R, 3/11/03
Broadcom Corporation, 16215 Alton Parkway, P.O. Box 57013, Irvine, California 92619-7013. Phone: 949-450-8700. Fax: 949-450-8710.

General Description

The BCM5812 is a full-feature security processor optimized to provide multi-protocol cryptographic acceleration for cost-sensitive VPN and e-commerce applications. The BCM5812 supports all of the symmetric and asymmetric encryption and authentication algorithms popularly used by IPsec and IKE, including 3DES, AES, RSA, DSA, Diffie-Hellman, SHA-1, MD5, HMAC-SHA-1, and HMAC-MD5. For IPsec ESP processing, the BCM5812 performs single-pass encryption combined with HMAC authentication. For SSL and TLS record processing, the BCM5812 provides ARCFOUR encipherment and computes the SSL MAC and TLS HMAC. The BCM5812 includes a true random number generator.

The BCM5812 offers a complete, single-chip solution that connects directly to the PCI bus with no need for external interface logic or memory. The BCM5812 utilizes 0.18 µm semiconductor technology, a high-performance bus master interface, and efficient software control structures in an advanced design.

- Single-pass IPsec combined encryption and authentication
- SSL MAC and TLS HMAC for SSL and TLS record layer processing
- Export mode, enables retail export classification

Features

- IETF and FIPS compliant algorithms:
  - 3DES-CBC, DES-CBC
  - AES-CBC, AES-CTR with 128, 192, and 256 bit key sizes
  - ARCFOUR
  - MD5, SHA-1, HMAC-MD5, HMAC-SHA-1
  - RSA public and private key operations up to 2048 bit modulus
  - 1024 bit DSA sign and verify
  - Diffie-Hellman key generation and agreement up to 2048 bit
- True random number generator
- Modular math functions with up to 2048 bit modulus
- PCI v2.2 32 bit 33 MHz bus interface
- Advanced testability features:
  - 100% testability of on-chip RAM cells via BIST
  - JTAG boundary scan for board level testing
- Low-power 1.8V core, 5V tolerant, 3.3V I/O, power-saving mode
- Small footprint 196-pin FBGA package
- 100% software compatible with the BCM5823
- Extensive software support:
  - Drivers for Linux, VxWorks, Solaris, Windows 2000
  - Full SDK with application library and diagnostics

Applications

- VPN residential gateways
- VPN SOHO firewalls, routers and switches
- Secure wireless access points and gateways

Figure 1: Functional Block Diagram (blocks: master controller (DMA, sequencing); public key acceleration; true random number generator; 3DES/DES/ARCFOUR/AES encryption; SHA-1/MD5 authentication; current context buffer; prefetch context buffer; PCI 2.2 32 bit 33 MHz interface; PCI clock)
Broadcom Corporation, P.O. Box 57013, 16215 Alton Parkway, Irvine, California 92619-7013
© 2003 by Broadcom Corporation. All rights reserved. Printed in the U.S.A.

Broadcom® and the pulse logo are registered trademarks of Broadcom Corporation and/or its subsidiaries in the United States and certain other countries. All other trademarks are the property of their respective owners.

This data sheet (including, without limitation, the Broadcom component(s) identified herein) is not designed, intended, or certified for use in any military, nuclear, medical, mass transportation, aviation, navigation, pollution control, hazardous substances management, or other high risk application. Broadcom provides this data sheet "as-is", without warranty of any kind. Broadcom disclaims all warranties, expressed and implied, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Revision History

  Revision      Date      Change Description
  5812-DS01-R   3/11/03   Corrected caption for Figure 41.
  5812-DS00-R   2/14/03   Initial release.
Table of Contents

Section 1: Functional Description .... 1
  Overview .... 1
  Programming Interface .... 1
  Cryptographic Operations .... 5
    IPsec 3DES .... 6
    SSL MAC .... 13
    TLS HMAC .... 16
    SSL/TLS DES/3DES .... 18
    ARCFOUR .... 19
    Pure MD5/SHA-1 Hash .... 22
    IPsec AES .... 23
    Diffie-Hellman .... 26
    RSA .... 29
    DSA .... 32
    Random Number Generation .... 34
    Modular Arithmetic .... 35
  Interrupt Processing .... 42
  Export Control .... 42
  Endian Considerations .... 42
Section 2: Hardware .... 46
  Signal Definition .... 46
  Ballout by Ball Number .... 47
  Ballout by Signal Name .... 50
  Signal Definitions .... 53
Section 3: Register Details .... 55
  PCI Configuration Registers .... 55
  DMA Control and Status Registers .... 59
Section 4: Electrical and Timing Characteristics .... 62
Section 5: Performance .... 64
  System Throughput .... 64
  Packet Performance .... 65
    IPsec .... 65
Section 6: Mechanical Information .... 66
  Package Drawing .... 66
Section 7: Ordering Information .... 67
  Ordering Information .... 67
Appendix A: References .... 68
  Referenced Standards and Texts .... 68
Appendix B: Programming Considerations .... 69
  Invalid Operation Conditions .... 69
    Zero Packet Lengths .... 69
    Zero Fragment Lengths in Fragment Chain Entry Descriptors .... 69
    Erroneous Parameter Specifications .... 69
    Output Fragment Addresses for Misaligned Buffers .... 69
    Output Fragment Lengths That Are Not a Multiple of 4 .... 69
    Non-zero Offset with Null Encryption .... 69
    Null Authentication with Null Encryption .... 69
    Incorrect Data Size for Encryption .... 70
    Writing to the MCR Register with PCI Master Mode Disabled .... 70
  Modular Arithmetic Operation Restrictions .... 70
  Chaining Operation Dependencies .... 70
    SSL-MAC or TLS-HMAC Followed by ARCFOUR .... 70
    ARCFOUR or 3DES Followed by SSL-MAC or TLS-HMAC .... 70
    MD5 or SHA-1 Followed by MD5 or SHA-1 .... 71
    3DES/HMAC Followed by 3DES/HMAC .... 71
    SSL-MAC or TLS-HMAC Followed by SSL-3DES .... 71
  Alignment Restrictions .... 71
Appendix C: EEPROM Information .... 73
  Description .... 73
  Programming .... 73
List of Figures

Figure 1: Functional Block Diagram .... i
Figure 2: BCM5812 Programming Overview .... 2
Figure 3: Master Command Record Format .... 3
Figure 4: Packet Descriptor Format .... 4
Figure 5: IPsec DES/3DES Command Context .... 7
Figure 6: Computed HMAC Inner and Outer State .... 8
Figure 7: CBC Mode .... 10
Figure 8: Packet Description for IPsec DES/3DES Encryption and Authentication .... 11
Figure 9: IPsec Packet Description Showing Input Fragments .... 12
Figure 10: IPsec Packet Description Showing Output Fragments .... 12
Figure 11: SSL Record Structure .... 13
Figure 12: SSL MAC Computation Using MD5 .... 14
Figure 13: SSL MAC Computation Using SHA-1 .... 14
Figure 14: SSL MAC Command Context .... 15
Figure 15: SSL MAC Authentication Output .... 16
Figure 16: TLS HMAC Computation .... 17
Figure 17: TLS HMAC Command Context .... 18
Figure 18: SSL/TLS DES/3DES Command Context .... 19
Figure 19: ARCFOUR Command Context .... 20
Figure 20: ARCFOUR Packet Description Showing Input Fragments .... 21
Figure 21: ARCFOUR Packet Description Showing Output Fragments .... 22
Figure 22: Pure MD5/SHA-1 Hash Command Context .... 23
Figure 23: IPsec AES Command Context .... 24
Figure 24: Counter Mode .... 26
Figure 25: Diffie-Hellman Public Key Generate .... 28
Figure 26: Diffie-Hellman Secret Key .... 29
Figure 27: RSA Public Key .... 30
Figure 28: RSA Private Key .... 31
Figure 29: DSA Sign .... 33
Figure 30: DSA Verify .... 34
Figure 31: Random Number Generation Command Context .... 35
Figure 32: Modular Add .... 36
Figure 33: Modular Subtract .... 37
Figure 34: Modular Multiply .... 38
Figure 35: Modular Remainder .... 39
Figure 36: Modular Exponentiation .... 40
Figure 37: Double Modular Exponentiation .... 41
Figure 38: Typical Little Endian Processor PCI Bus Configuration .... 43
Figure 39: Typical Big Endian Processor PCI Bus Configuration .... 44
Figure 40: Match Bit Lanes PCI Bus Configuration .... 45
Figure 41: 196-Pin FBGA Pinout Diagram .... 46
Figure 42: 196-Pin FBGA Package Drawing .... 66
Figure 43: EEPROM Connection .... 73
List of Tables

Table 1: MCR Header Word (Input) .... 2
Table 2: MCR Header Word (Output) .... 4
Table 3: Operation Types .... 5
Table 4: Flags .... 7
Table 5: SSL MAC Authentication Codes .... 15
Table 6: ARCFOUR Command Context Flags .... 20
Table 7: Pure MD5/SHA-1 Hash Command Context Flags .... 23
Table 8: AES Command Context Sizes by Key Size .... 24
Table 9: AES Command Context Flags .... 24
Table 10: Allowed Public Key Parameter Field Size Increments .... 27
Table 11: Allowed RSA Private Key Parameter Size Increments .... 31
Table 12: Allowed Modular Arithmetic Parameter Field Size Increments .... 36
Table 13: Modular Arithmetic Opcodes .... 41
Table 14: Endian Control Flags .... 44
Table 15: Ballout by Ball Number .... 47
Table 16: Ballout by Signal Name .... 50
Table 17: Signal Definitions .... 53
Table 18: PCI Configuration Registers .... 55
Table 19: PCI Configuration Register Bit Fields .... 56
Table 20: DMA Control and Status Register Summary .... 59
Table 21: DMA Control and Status Registers .... 59
Table 22: Electrical and Timing Specifications .... 62
Table 23: PCI Pin Timing Specifications .... 62
Table 24: Power Consumption (BCM5812-200) .... 62
Table 25: 196-Pin FBGA Package Thermal Parameters .... 63
Table 26: BCM5812 System Throughput .... 64
Table 27: BCM5812 3DES IPsec Performance by Packet Size .... 65
Table 28: BCM5812 AES IPsec Performance by Packet Size .... 65
Table 29: BCM5812 Ordering Information .... 67
Table 30: Alignment Restrictions for IPsec/SSL/TLS Crypto/Authentication Operations .... 72
Table 31: Alignment Restrictions for DH/RSA/DSA/Modular Arithmetic Operations .... 72
Table 32: EEPROM Programming .... 74
Section 1: Functional Description

Overview

The BCM5812 is a low-cost, general purpose security processor that incorporates specialized features for IPsec, IKE, SSL, and TLS protocol processing. The BCM5812 is a member of Broadcom's security processor family and is fully software compatible with the higher performance BCM5821 and BCM5820.

The BCM5812 provides bulk cryptographic acceleration for the 3DES, DES, AES, and ARCFOUR symmetric encryption algorithms, for the SHA-1 and MD5 hash algorithms, and for the HMAC-SHA-1 and HMAC-MD5 keyed authentication algorithms. It provides public key acceleration for the RSA, DSA, and Diffie-Hellman asymmetric algorithms, as well as basic modular math functions. The BCM5812 provides a true random number generator, and can use it to generate on-chip random values for Diffie-Hellman key generation and DSA signatures.

The BCM5812 provides combined encryption and HMAC authentication for single-pass IPsec processing. It also provides the SSL MAC and TLS HMAC functions needed for SSL and TLS record layer processing, respectively.

Bulk encryption and public key processing are performed in separate processing functions within the BCM5812. These share a common bus interface, but are otherwise independent. The BCM5812 can thus complete multiple bulk encryption operations while simultaneously executing a relatively slower public key operation, without having to stall bulk processing.

The BCM5812 is ideal as a single-chip, low-cost security solution for both embedded systems and add-in option modules. It interfaces directly to the PCI bus with no need for additional interface logic, operates without external memory, and can derive its clock from the PCI bus. It supports all of the algorithms needed for the IPsec, IKE, SSL, and TLS security protocols, which are also used by many other protocols, such as Secure RTP.
Programming Interface

The BCM5812 is a bus master PCI device that uses programming structures designed to facilitate pre-fetching for high device utilization. These structures are built by the host processor in main memory and accessed by the BCM5812 using DMA, as diagrammed in Figure 2.

The BCM5812 is controlled using a block of five control and status registers (CSR). The host processor maps the CSR block into PCI memory space, usually at system initialization, by writing the start address of the CSR block into BCM5812 PCI configuration register BAR0. Host software accesses the BCM5812 CSR block by doing PCI memory (slave) reads and writes starting at this address.

The main programming structure is the Master Command Record (MCR), shown in Figure 3 on page 3. The MCR consists of a header word followed by an array of one or more packet descriptors. A single MCR can accommodate up to 65535 packet descriptors. Table 1 on page 2 shows the fields in the header word that would be set by the host processor before giving the MCR to the BCM5812.

The host software gives an MCR to the BCM5812 by writing the address of the MCR structure to either the MCR1@ or MCR2@ CSR, depending on the type of operation (see Table 3 on page 5). The BCM5812 provides a four-level FIFO behind MCR1@ and MCR2@, which permits the host software to push up to four MCR addresses at a time to each. The host software can sense the MCR1_FULL and MCR2_FULL flags in the DMA Status CSR, bits 30 and 27 respectively. These flags are zero when their respective MCR FIFO can accommodate at least one new MCR address.

Table 1: MCR Header Word (Input)
  Bits    Description
  31      Suppress interrupts
  30:16   Reserved
  15:0    Number of packets

Figure 2: BCM5812 Programming Overview (host memory: MCR, command context, data buffers; PCI memory space: CSR block with MCR1@, DMA Control, DMA Status, MCR2@, DMA Error; PCI configuration space: Device ID, Vendor ID, Memory BAR0; PCI bus; DMA)

Each packet descriptor entry is 32 bytes long, and contains a pointer to a command context structure along with initial input and output fragment chain entries. The chain entry structures are buffer descriptors used to support input and output scatter-gather operations. Each provides the address and length, in bytes, of a buffer fragment, and a pointer to a next fragment chain entry. The packet descriptor also supplies the total length of the input. Figure 4 on page 4 diagrams the format of a packet descriptor.

The command context indicates the actual operation to be performed. The first 32-bit word is common to all command context types, and indicates the operation to be performed and the total length of the command context structure itself, in bytes. Everything else in a command context is operation specific, as is how the BCM5812 interprets the fragment lists. The operations performed by the BCM5812, along with their command context, input, and output, are described under "Cryptographic Operations" on page 5. All reserved fields must be zero and, unless otherwise noted, all lengths are in bytes.

Figure 3: Master Command Record Format (header word: suppress interrupt (bit 31) on input; error code (bits 31:28), error (bit 17), done (bit 16) on output; number of packets (bits 15:0); followed by packet descriptor 1, packet descriptor 2, ... packet descriptor n-1, 32 bytes each, with their input and output fragment fields)
BCM5812 Advance Data Sheet 3/11/03 Broadcom Corporation Page 4 Programming Interface Document 5812-DS01-405-R

Figure 4: Packet Descriptor Format

[figure: a packet descriptor holding the command context address, the first input fragment chain entry (next input fragment chain entry, reserved, input fragment length, input fragment address), the packet length, and the first output fragment chain entry (next output fragment chain entry, reserved, output buffer length, output fragment address); further input and output fragment chain entries are linked from these, and the operation-dependent command context follows.]

The packet descriptors within a single MCR structure can be for different cryptographic operations. In some cases, the output of a packet descriptor cannot be used as the input to the immediately following packet descriptor operation in the list, but can always be used for a subsequent packet descriptor input (see "Chaining Operation Dependencies" on page 70).

After it completes processing on all of the packet descriptors in the MCR, the BCM5812 updates the header word as shown in Table 2. The Done bit (bit 16) is always set. The error code contains an error value if the Error bit (bit 17) is one.

Table 2: MCR Header Word (Output)

Bits    Description
31:28   Error code:
        0000 = normal completion
        0001 = unknown opcode
        0010 = not enough input data for DSA operations
        0011 = not enough input data for public key operations
        0100 = not enough output data for public key operations
        0101 = input fragment chain too short
        0110 = PCI read FIFO non-empty
27:18   0
17      Error
16      Done
Table 2: MCR Header Word (Output) (cont.)

Bits    Description
15:0    Number of packets (unchanged from input)

Cryptographic Operations

Each cryptographic operation performed by the BCM5812 is described in terms of its command context and how it uses input and output buffer fragment lists. Table 3 lists the operations performed by the BCM5812. Operation type codes depend upon whether the command context is programmed using MCR1@ or MCR2@. Subsequent sections describe the command context for each operation in detail.

Table 3: Operation Types

Opcode  MCR1@ (symmetric operations)                             MCR2@ (asymmetric operations)
0x00    IPsec 3DES/DES combined encryption with authentication   reserved
0x01    SSL MAC authenticator calculation                        Diffie-Hellman public key generation
0x02    TLS HMAC authenticator calculation                       Diffie-Hellman shared key generation
0x03    3DES/DES encryption (for SSL and TLS)                    RSA public key operation
0x04    ARCFOUR encipherment (for SSL and TLS)                   RSA secret key operation
0x05    Hash (pure MD5 or SHA-1)                                 DSA signing operation
0x06    reserved                                                 DSA verification operation
0x40    IPsec AES combined encryption with authentication        reserved
0x41    reserved                                                 RNG direct
0x42    reserved                                                 RNG SHA-1
0x43    reserved                                                 modular addition
0x44    reserved                                                 modular subtraction
0x45    reserved                                                 modular multiplication
0x46    reserved                                                 modular reduction
0x47    reserved                                                 modular exponentiation
0x48    reserved                                                 reserved
0x49    reserved                                                 double modular exponentiation
Programming structures are described relative to a little endian host processor system, where the layout in host memory and on the PCI bus is the same. See "Endian Considerations" on page 42 for a discussion of the differences on big endian systems.

IPsec 3DES

The BCM5812 performs FIPS-46-3 [11] compliant DES-CBC and 3DES-CBC bulk encryption and decryption, combined with RFC-2104 [10] compliant SHA-1-HMAC or MD5-HMAC. These algorithms are the primary ones used for the IPsec (RFC2401 [2]) ESP and AH security protocols (RFC2406 [7] and RFC2402 [3], respectively). Cipher Block Chaining mode (CBC) is diagrammed in Figure 7, taken from NIST Special Publication 800-38A [16]. The BCM5812 provides features specifically to support the IPsec use of 3DES and DES as described in RFC2406 [7], and for HMAC-SHA-1 (RFC-2404 [5]) and HMAC-MD5 (RFC2403 [4]).

Figure 5 shows the command context structure used for combined 3DES or DES encryption, with HMAC-SHA-1 or HMAC-MD5 authentication, for IPsec processing. The flags, detailed in Table 4 on page 7, indicate the specific operations to be performed. The command context should always include three DES keys, even for single DES, so that the length of this structure is always 80 bytes. The command context supplies the keys, initialization vector (IV), and authentication contexts as shown in Figure 5. The opcode for this command, which uses MCR1@, is 0x00.

Authentication contexts are partial HMAC calculations pre-computed using the authentication secret. Figure 6 on page 8 diagrams the computation for the HMAC inner and outer state. A 20 byte field is used for both the HMAC-SHA-1 and HMAC-MD5 states. HMAC-MD5 only uses the first 16 bytes, and the remaining 4 bytes should be set to zeros.

Note
- An MCR must contain at least one packet descriptor.
- The minimum command context length actually read by the BCM5812 is 64 bytes.
Note
- Broadcom supplies a software routine in the Software Reference Library for computing HMAC inner and outer states.
Figure 5: IPsec DES/3DES Command Context

[figure: the 80-byte context holds a length and opcode word, a word with the offset, reserved bits and flags, DES keys 1, 2 and 3 (8 bytes each), the IV (8 bytes), and the HMAC inner and outer states (20 bytes each). Insets show the DES key bit and byte order, the flags word (bit 15 encryption, bit 14 direction, bits 13:12 authentication, the rest reserved), and the MD5 and SHA-1 HMAC state byte orders.]

Table 4: Flags

Bits    Definition
15      Encryption:
        0 = null
        1 = 3DES
14      Direction:
        0 = outbound, encrypt then authenticate
        1 = inbound, authenticate, then decrypt
13:12   Authentication:
        00 = null
        01 = HMAC-MD5
        10 = HMAC-SHA1
        11 = invalid
11:0    Reserved
Figure 6: Computed HMAC Inner and Outer State

[figure: the key (16 or 20 bytes) is padded to 64 bytes and XORed with 64 bytes of ipad (0x36); one MD5/SHA-1 round over that block gives the inner state. The same padded key XORed with 64 bytes of opad (0x5c), through one MD5/SHA-1 round, gives the outer state.]

Note
Authentication without encryption for AH or for ESP with the NULL encryption algorithm is supported, as is NULL authentication for confidentiality-only ESP. However, at least one of encryption or authentication must be defined. NULL encryption with NULL authentication is specifically disallowed.

Note
The byte order for 3DES keys, IV, and HMAC inner and outer states may differ from the host CPU string byte order.
- DES keys in FIPS-46-3 are numbered left to right, from 1 to 32. The first key byte is in the leftmost byte position of the first 32-bit word of the key.
- For example, the test key string <0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef> is represented in the command context as two 32-bit words, <0x01234567, 0x89abcdef>.
- Single DES uses the same command and structures, with all three keys the same.
- The offset value in the command context is in 32-bit words, not in bytes.
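As an added example, not the routine from Broadcom's Software Reference Library, the following Python computes the HMAC-SHA-1 inner and outer states of Figure 6 (the key padded to 64 bytes, XORed with ipad or opad, and passed through one SHA-1 round) and checks them by finishing the HMAC the way the device does. SHA-1 is implemented by hand because hashlib does not expose the intermediate state; HMAC-MD5 follows the same construction with the MD5 compression function and a zero fifth word. The little-endian word order in pack_state is an assumption to verify against the byte order note above.

```python
import hashlib
import hmac
import struct

BLOCK = 64                   # MD5/SHA-1 block size; the key is padded to this
IPAD, OPAD = 0x36, 0x5c      # RFC 2104 pad bytes
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_compress(state, block):
    """One SHA-1 round: absorb a 64-byte block into the five-word state."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(_rol(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d, e)))


def hmac_sha1_states(key):
    """Figure 6: inner state = one SHA-1 round over (key padded to 64) ^ ipad,
    outer state = one round over (key padded to 64) ^ opad.  A key longer
    than 64 bytes is hashed first, as RFC 2104 requires."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = sha1_compress(SHA1_IV, bytes(b ^ IPAD for b in key))
    outer = sha1_compress(SHA1_IV, bytes(b ^ OPAD for b in key))
    return inner, outer


def sha1_finish(state, prefix_len, data):
    """Continue SHA-1 from a state that has already absorbed prefix_len bytes
    (a multiple of 64), append data and the final padding, and return the
    20-byte digest."""
    if prefix_len % BLOCK:
        raise ValueError("saved state must end on a block boundary")
    total = prefix_len + len(data)
    msg = data + b"\x80" + b"\x00" * ((55 - total) % BLOCK) + struct.pack(">Q", total * 8)
    for off in range(0, len(msg), BLOCK):
        state = sha1_compress(state, msg[off:off + BLOCK])
    return struct.pack(">5I", *state)


def hmac_from_states(inner, outer, data):
    """What the device does with the two precomputed states: finish the
    inner hash over the packet, then the outer hash over that digest."""
    inner_digest = sha1_finish(inner, BLOCK, data)
    return sha1_finish(outer, BLOCK, inner_digest)


def pack_state(state):
    """20-byte HMAC state field of the command context as five little-endian
    host words (assumed; see the byte order note).  For HMAC-MD5 the fifth
    word is zero."""
    return struct.pack("<5I", *state)


def self_check(key=b"constructed-auth-secret", data=b"constructed packet payload"):
    """True when the precomputed states reproduce standard HMAC-SHA-1."""
    inner, outer = hmac_sha1_states(key)
    return hmac_from_states(inner, outer, data) == hmac.new(key, data, hashlib.sha1).digest()
```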
Figure 8 on page 11 shows a packet description for combined IPsec ESP encryption and authentication. The total packet length is supplied in the packet descriptor. The offset is supplied in the command context in terms of 32-bit words (not bytes). The IV is also supplied in the command context, copied there from the packet by the host software.

Note
On some platforms, this may require each 32-bit word to be byte swapped.

Figure 9 on page 12 shows an example of a logically contiguous input packet that is physically discontinuous in host memory, requiring the BCM5812 to gather three input fragments. Three input fragment chain entry descriptors are shown, organized as a linked list. Each fragment chain entry includes the address and length of the input fragment, along with a next input fragment chain entry pointer. The first input fragment chain entry is supplied in the packet descriptor structure. Subsequent input fragment chain entries are read in by the BCM5812 as needed.

The length of the data to be encrypted or decrypted is the packet length (from the packet descriptor) minus the offset in bytes (the offset value from the command context must be multiplied by 4).

Note
- The total of the lengths in the input fragment chain entries must match the packet length.
- Input fragment chain entries must be 32-bit aligned in host memory.
- Input fragment buffers can be byte aligned in host memory.
- The total length of the input for encryption or decryption must be a multiple of the cipher block size (8 bytes for 3DES or DES).
Figure 7: CBC Mode

[figure: CBC mode encryption and decryption, reproduced from NIST Special Publication 800-38A.]

If authentication is performed, it is done over the entire packet length. If encryption is performed (i.e., the direction in Table 4 on page 7 is outbound), the packet is encrypted beginning at the offset, and then authentication is performed over the entire packet length, including the ciphertext. If decryption is performed (i.e., the direction is inbound), authentication is performed over the entire packet length, and then the packet is decrypted beginning at the offset.

Figure 8 on page 11 also shows the position of the IV in an IP packet that is ESP-encapsulated according to RFC 2405. Figure 8 shows the byte order of the data as little-endian host CPU byte order. The BCM5812 can be configured to interpret these network bytes in big-endian host CPU byte order (see "Endian Considerations" on page 42). For 3DES, the initialization vector (IV) length is 8 bytes.

Figure 10 on page 12 shows the corresponding output buffer described using a list of output fragment chain entries. If encryption or decryption is performed, data is written into successive fragment buffers according to each output fragment chain entry's output fragment length until the total of the encrypted or decrypted length (input packet length minus the offset) is satisfied.

Note
- Output fragment chain entries must be 32-bit aligned in host memory.
- Output fragment buffers must be 32-bit aligned in host memory.
- The total encrypted or decrypted length must be a multiple of the cipher block size (8 bytes for 3DES and DES).
The output byte order of encrypted or decrypted data is the same as that specified or configured for the input. If authentication is performed, the HMAC value is written to the address specified in the next output fragment chain entry address of the last output fragment chain entry. The full HMAC hash output is always written, which for MD5 is 16 bytes, and for SHA-1 is 20 bytes. That is, the returned authentication result is not truncated by the BCM5812 to 12 bytes as used by HMAC-MD5-96 (RFC 2405) or HMAC-SHA1-96 (RFC 2404).

Figure 8: Packet Description for IPsec DES/3DES Encryption and Authentication

[figure: a packet of packet length bytes; the encrypted region begins at the offset and the authenticated region covers the whole packet. Inset shows the data and IV byte order.]

The output byte order for the HMAC is the same as that specified or configured for encrypted or decrypted data.

If authentication is performed without encryption or decryption, the host software must set the offset in the command context to zero. The BCM5812 writes the HMAC starting at the address given in the next output fragment chain entry in the packet descriptor structure. The output fragment address in the packet descriptor is ignored.

If encryption is performed without authentication, the host software should set the offset in the command context to zero for backward compatibility with the BCM582x. The BCM5812 ignores the next output fragment chain entry pointer in the last output fragment chain entry.
Figure 9: IPsec Packet Description Showing Input Fragments

[figure: a packet descriptor (command context address, first input fragment chain entry, packet length, first output fragment chain entry) and a chain of input fragment chain entries (next entry, reserved, input fragment length, input fragment address) gathering fragments 1 through n, in network byte order, into the input packet. The encrypted region starts at the offset in 32-bit words from the context; the authenticated region is the packet length. Input fragments can be arbitrarily byte aligned.]

Figure 10: IPsec Packet Description Showing Output Fragments

[figure: the output fragment chain (next entry, reserved, output fragment length, output fragment address) scatters the encrypted output into fragments 1 through n, in network byte order, followed by the HMAC (16 to 20 bytes). Output fragments must be 32-bit word aligned.]
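As an added example (not code from the data sheet or from Broadcom's reference library), the following Python assembles the 80-byte IPsec DES/3DES command context of Figure 5 and Table 4 for a little-endian host, packs DES keys in the word order the byte order note gives, applies the length and alignment rules from the notes before a descriptor is submitted, and decodes the MCR header word of Table 2 afterwards. The field order inside the context and the host-word packing are assumptions to verify against Figure 5; the key, fragment addresses and HMAC state words in demo() are constructed.

```python
import struct

# Table 4: flags word of the IPsec DES/3DES command context.
FLAG_ENC_3DES = 1 << 15      # bit 15: 1 = 3DES, 0 = NULL encryption
FLAG_INBOUND = 1 << 14       # bit 14: 1 = inbound (authenticate, then decrypt)
AUTH_NULL, AUTH_HMAC_MD5, AUTH_HMAC_SHA1 = 0 << 12, 1 << 12, 2 << 12   # bits 13:12
OPCODE_IPSEC_3DES = 0x00     # Table 3, MCR1@
CTX_LEN_IPSEC_3DES = 80      # three DES keys, IV and two 20-byte HMAC states
DES_BLOCK = 8

# Table 2: error codes in bits 31:28 of the MCR header word written back.
MCR_ERROR_CODES = {
    0b0000: "normal completion",
    0b0001: "unknown opcode",
    0b0010: "not enough input data for DSA operations",
    0b0011: "not enough input data for public key operations",
    0b0100: "not enough output data for public key operations",
    0b0101: "input fragment chain too short",
    0b0110: "PCI read FIFO non-empty",
}

def des_key_words(key8):
    """Two 32-bit words for one DES key, first key byte leftmost in the first
    word: <01 23 45 67 89 ab cd ef> -> (0x01234567, 0x89abcdef)."""
    if len(key8) != 8:
        raise ValueError("DES key must be 8 bytes")
    return struct.unpack(">II", key8)

def build_flags(encrypt, inbound, auth):
    """Assemble the Table 4 flags word; NULL encryption together with NULL
    authentication is specifically disallowed."""
    if auth not in (AUTH_NULL, AUTH_HMAC_MD5, AUTH_HMAC_SHA1):
        raise ValueError("authentication code 11 is invalid")
    if not encrypt and auth == AUTH_NULL:
        raise ValueError("NULL encryption with NULL authentication is disallowed")
    return (FLAG_ENC_3DES if encrypt else 0) | (FLAG_INBOUND if inbound else 0) | auth

def build_ipsec_3des_context(keys, iv, offset_words, flags, hm_inner, hm_outer):
    """Pack the 80-byte context for a little-endian host.  Assumed field
    order (verify against Figure 5): length/opcode, flags/offset, DES keys
    1-3, IV, HMAC inner state, HMAC outer state.  Keys and IV become
    big-endian-valued words as the byte order note describes; each HMAC
    state is five 32-bit words, the fifth zero for HMAC-MD5."""
    if len(keys) != 3 or any(len(k) != 8 for k in keys):
        raise ValueError("three 8-byte DES keys are required (repeat one for DES)")
    if len(iv) != 8 or len(hm_inner) != 5 or len(hm_outer) != 5:
        raise ValueError("IV must be 8 bytes and each HMAC state five words")
    if (flags & (3 << 12)) == AUTH_HMAC_MD5 and (hm_inner[4] or hm_outer[4]):
        raise ValueError("HMAC-MD5 uses 16 bytes of state; the last word must be 0")
    ctx = struct.pack("<HHHH", CTX_LEN_IPSEC_3DES, OPCODE_IPSEC_3DES, flags, offset_words)
    for k in keys:
        ctx += struct.pack("<II", *des_key_words(k))
    ctx += struct.pack("<II", *struct.unpack(">II", iv))
    ctx += struct.pack("<5I", *hm_inner) + struct.pack("<5I", *hm_outer)
    return ctx

def cipher_length(packet_length, offset_words):
    """Bytes encrypted or decrypted: packet length minus the offset in bytes
    (the context offset is in 32-bit words, so it is multiplied by 4)."""
    n = packet_length - 4 * offset_words
    if n < 0 or n % DES_BLOCK:
        raise ValueError("cipher length %d is not a multiple of %d" % (n, DES_BLOCK))
    return n

def check_fragment_chains(packet_length, offset_words, in_frags, out_frags):
    """Host-side checks from the notes: input fragments (address, length) may
    be byte aligned and must total the packet length; output buffers must be
    32-bit aligned and cover the cipher length."""
    if sum(length for _, length in in_frags) != packet_length:
        raise ValueError("input fragment lengths must total the packet length")
    for addr, _ in out_frags:
        if addr % 4:
            raise ValueError("output fragment buffer 0x%x is not 32-bit aligned" % addr)
    n = cipher_length(packet_length, offset_words)
    if sum(length for _, length in out_frags) < n:
        raise ValueError("output fragments cannot hold %d cipher bytes" % n)
    return n

def decode_mcr_header(word):
    """Decode the header word the BCM5812 writes back (Table 2); the error
    code is only meaningful when the Error bit (bit 17) is set."""
    error = bool(word >> 17 & 1)
    code = word >> 28 & 0xF
    return {"done": bool(word >> 16 & 1), "error": error, "code": code,
            "reason": MCR_ERROR_CODES.get(code, "reserved") if error else None,
            "packets": word & 0xFFFF}

def demo():
    """Constructed sample: the note's test key for all three DES keys, a zero
    IV, placeholder HMAC state words, an offset of 6 words and a 104-byte
    packet gathered from two byte-aligned input fragments."""
    key = bytes.fromhex("0123456789abcdef")
    flags = build_flags(encrypt=True, inbound=False, auth=AUTH_HMAC_SHA1)
    ctx = build_ipsec_3des_context([key] * 3, bytes(8), 6, flags,
                                   (1, 2, 3, 4, 5), (6, 7, 8, 9, 10))
    n = check_fragment_chains(104, 6, [(0x1001, 50), (0x2003, 54)],
                              [(0x3000, 48), (0x4000, 40)])
    return ctx, n
```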
SSL MAC

The BCM5812 computes the SSL-specific MAC function used in processing SSL protocol records. Figure 11 shows the SSL record structure, consisting of a five byte header, application data, and an authentication code computed using the SSL MAC. Normally, the application data and MAC are also encrypted. If a block cipher is used, 1 or more pad bytes would follow the MAC to ensure that the encrypted data is a multiple of the blocksize.

The SSL-specified MAC can be computed using either MD5 or SHA-1. Figure 12 diagrams the SSL MAC computation using MD5. A two level hash scheme is used. First, a buffer is constructed that begins with the MAC secret, which for MD5 is 16 bytes. The MAC secret is followed by 48 pad bytes containing 0x36, followed by a 64-bit record sequence number, followed by the content type from the record header. This is followed by a 16-bit length value, and then the application data payload from the record. The length value is the length of the application data proper, in bytes.

Figure 11: SSL Record Structure

[figure: an SSL/TLS record: content type, version and length (MSB, LSB) in the header, followed by application data, the MAC and, for a block cipher, pad bytes. The figure marks the length from the header and the authenticated length (for MAC).]

This buffer is hashed using MD5. A second buffer is constructed using the MAC secret and a 48-byte pad field, this time using 0x5c as the pad value, followed by the 16 byte output from the first MD5 hash. This is then hashed using MD5, and the 16-byte output used as the SSL MAC.
Figure 12: SSL MAC Computation Using MD5

[figure: first buffer: MAC secret (16 bytes), pad1 (48 bytes of 0x36), sequence number (8 bytes), content type, authenticated length, application data, hashed with MD5; second buffer: MAC secret (16 bytes), pad2 (48 bytes of 0x5c), hash value (16 bytes), hashed with MD5 to give the MAC.]

The computation using SHA-1 differs only in the length of the MAC secret (20 bytes) and the number of pad bytes (40 rather than 48). Figure 13 diagrams the SSL MAC computation using SHA-1.

Figure 13: SSL MAC Computation Using SHA-1

[figure: as Figure 12 with a 20-byte MAC secret, pad1 of 40 bytes of 0x36, pad2 of 40 bytes of 0x5c, a 20-byte hash value, and SHA-1 in place of MD5.]

Figure 14 on page 15 shows the command context used for computing the SSL MAC. Table 5 shows the codes for MD5 and SHA-1. The SSL MAC command context length is always 88 bytes. This command uses MCR1@. The opcode for this command is 0x01.
The command context includes the content type, sequence number, and authenticated length arguments used in computation of the SSL MAC. The byte ordering of the HMAC secret is the same as that used for the HMAC inner and outer states for IPsec.

Figure 14: SSL MAC Command Context

[figure: the 88-byte context: a length and opcode word; a reserved and flags word (bits 13:12 auth); MAC write secret (20 bytes, byte order shown in an inset); pad1 (48 bytes, all set to 0x36); sequence number (8 bytes, the 64-bit sequence number from the SSL header); a final word holding the content type from the SSL header, the payload data length (authenticated length, MSB and LSB) and a reserved byte.]

The MAC write secret is used to compute the SSL MAC prior to outbound encryption. The MAC read secret would be used instead for authenticating inbound packets after decryption. The full 20 byte field is required. For MD5, the last four bytes must be zero. The full 48 bytes of pad1 are also required, although only the first 40 are used for SHA-1. The sequence number is input as two 32-bit integer values, the first containing the most significant 32 bits of the 64-bit value.

Table 5: SSL MAC Authentication Codes

Bits    Definition
15:14   Reserved
13:12   Authentication:
        00 = invalid
        01 = MD5
        10 = SHA-1
        11 = invalid
11:0    Reserved

One or more input fragment chain entry structures are used to describe the input record application data. The only output is the computed MAC, which is written to the address specified in the next output fragment chain entry pointer in the packet descriptor, as shown in Figure 15.

Figure 15: SSL MAC Authentication Output

[figure: a packet descriptor whose next output fragment chain entry points at the authentication code (16 to 20 bytes); output fragments must be 32-bit word aligned.]

Note
- The MAC output buffer must be 32-bit aligned in host memory.
- Input fragment buffers must be byte aligned in host memory.
- The total length of the input fragments must equal the payload data length.

TLS HMAC

TLS, specified in RFC 2246 [18], is derived from, and in many respects very similar to, SSL. TLS updates the SSL MAC by using the standard HMAC (RFC2104) instead, and also includes the protocol major and minor version numbers in the authentication. Figure 16 shows the input buffer for the TLS HMAC computation. The MAC secret is used to initialize the HMAC, and does not appear explicitly in the buffer. The major and minor version numbers are included following the content type and before the authenticated length.
Figure 16: TLS HMAC Computation

[figure: the HMAC input buffer: sequence number (8 bytes), content type, TLS version (major, minor), length (MSB, LSB), application data; the HMAC over this buffer, keyed with the MAC secret, is the record MAC.]

Figure 17 diagrams the TLS HMAC command context, which is always 64 bytes in length. The basic hash algorithm, MD5 or SHA-1, is set using the authenticator bits in the flags word, and uses the same values as SSL (Table 5 on page 15). The opcode for this command, which uses MCR1@, is 0x02.
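As an added example, not code from the data sheet or from Broadcom, the following Python reproduces in software the SSL MAC two-level hash of Figures 12 and 13 and the TLS HMAC input buffer of Figure 16, so a driver can check what the device returns for a record, and builds the MAC secret and pad1 fields as the SSL MAC context requires them. The secret, sequence number, content type and record data in demo() are constructed.

```python
import hashlib
import hmac
import struct

PAD1, PAD2 = 0x36, 0x5c
# (MAC secret length, pad length) per hash, from Figures 12 and 13.
SSL_MAC_PARAMS = {"md5": (16, 48), "sha1": (20, 40)}


def ssl_mac_buffers(algo, secret, seq_num, content_type, data):
    """The two buffers of the SSL two-level MAC, as the device hashes them.

    Buffer 1: secret || pad1 || 64-bit sequence number || content type ||
    16-bit authenticated length || application data.
    Buffer 2: secret || pad2 || hash(buffer 1).
    """
    secret_len, pad_len = SSL_MAC_PARAMS[algo]
    if len(secret) != secret_len:
        raise ValueError("%s MAC secret must be %d bytes" % (algo, secret_len))
    if len(data) > 0xFFFF:
        raise ValueError("authenticated length does not fit in 16 bits")
    buf1 = (secret + bytes([PAD1]) * pad_len
            + struct.pack(">QBH", seq_num, content_type, len(data)) + data)
    buf2 = secret + bytes([PAD2]) * pad_len + hashlib.new(algo, buf1).digest()
    return buf1, buf2


def ssl_mac(algo, secret, seq_num, content_type, data):
    """SSL MAC: 16 bytes for MD5, 20 bytes for SHA-1."""
    _, buf2 = ssl_mac_buffers(algo, secret, seq_num, content_type, data)
    return hashlib.new(algo, buf2).digest()


def tls_hmac(algo, secret, seq_num, content_type, version, data):
    """TLS record MAC (Figure 16): standard HMAC keyed with the MAC secret over
    sequence number || content type || major || minor || length || data.
    The secret itself is not part of the hashed buffer."""
    major, minor = version
    header = struct.pack(">QBBBH", seq_num, content_type, major, minor, len(data))
    return hmac.new(secret, header + data, algo).digest()


def ssl_mac_secret_field(algo, secret):
    """20-byte MAC write/read secret field of the SSL MAC context (Figure 14);
    for MD5 the last four bytes must be zero."""
    secret_len, _ = SSL_MAC_PARAMS[algo]
    if len(secret) != secret_len:
        raise ValueError("wrong MAC secret length for %s" % algo)
    return secret.ljust(20, b"\x00")


def ssl_pad1_field():
    """pad1 as supplied in the context: always 48 bytes of 0x36 (SHA-1 uses
    only the first 40)."""
    return bytes([PAD1]) * 48


def demo():
    """Constructed sample record: application data 'hello', content type 23,
    sequence number 7, TLS version 3.1; the secrets are constructed too."""
    md5_secret, sha1_secret = bytes(range(16)), bytes(range(20))
    return {
        "ssl_md5": ssl_mac("md5", md5_secret, 7, 23, b"hello"),
        "ssl_sha1": ssl_mac("sha1", sha1_secret, 7, 23, b"hello"),
        "tls_sha1": tls_hmac("sha1", sha1_secret, 7, 23, (3, 1), b"hello"),
    }
```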
Figure 17: TLS HMAC Command Context

[figure: the 64-byte context: a length and opcode word; a reserved and flags word (bits 13:12 auth); HMAC inner state (20 bytes); HMAC outer state (20 bytes); sequence number (8 bytes, the 64-bit sequence number from the TLS header, MSB word first); two words holding the content type from the TLS header, the TLS version (major, minor) and the authenticated length (MSB, LSB), with the remainder reserved. An inset shows the HMAC state byte order.]

The HMAC inner and outer state are computed exactly the same as for IPsec (Figure 6 on page 8), and the byte ordering in the context is also the same. The TLS version consists of the major in the MSB, and the minor in the LSB. The input and output fragment processing is the same as for SSL MAC, shown in Figure 15 on page 16.

SSL/TLS DES/3DES

The BCM5812 includes a pure DES/3DES operation for use with SSL and TLS. The command context and packet fragment processing is very similar to that for 3DES IPsec, except that authentication is not performed. Figure 18 shows the command context for SSL/TLS DES/3DES, which is always 64 bytes in length even though only 40 bytes are used. The only control flag, bit 14, indicates direction (zero indicates outbound, the same as in Table 4 on page 7). The reserved fields must be zero. The opcode for this command is 0x03. This command uses MCR1@.
Figure 18: SSL/TLS DES/3DES Command Context

[figure: a length and opcode word; a reserved and flags word (bit 14 direction); DES keys 1, 2 and 3 (8 bytes each); IV (8 bytes). An inset shows the DES key bit and byte order.]

The same packet descriptor and fragment processing formats are used as for IPsec as well.

ARCFOUR

The BCM5812 provides ARCFOUR, a stream cipher that is compatible with the RSA Security RC4 algorithm. ARCFOUR is described in Applied Cryptography, Second Edition [17], in terms of pseudo-code using a 256 byte ARCFOUR state array and two variables, i and j.

1 Initialize the ARCFOUR state array s such that s[n] = n. Set variables i and j to 0.

2 Initialize another 256 byte array such that k[n] contains the n-th byte of the key. If the key contains fewer than 256 bytes, continue by putting the first key byte in the next k entry, and so forth, until k is filled.

3 Perform the following once, to set up the ARCFOUR state using the key, where swap exchanges the byte values for the specified pair of elements:

    for (i=0; i<256; i++) {
        j = (j+s[i]+k[i]) & 0xff;
        swap(s[i],s[j]);
    }

4 With i and j reset to 0 after step 3 (as RC4 requires), use the ARCFOUR state array to generate the next keystream byte, o:

    i = (i+1) & 0xff;
    j = (j+s[i]) & 0xff;
    swap(s[i],s[j]);
    o = s[(s[i]+s[j]) & 0xff];

5 Exclusive-OR o with input data to encipher the next byte in the cleartext stream, or to decipher the next byte in the ciphertext stream.

Figure 19 shows the command context used by the BCM5812 for ARCFOUR. The BCM5812 provides sub-operations for combining the initial ARCFOUR state keying step with encipherment, or just encipherment using a continued ARCFOUR state. Options control whether the BCM5812 writes back the ARCFOUR state or generates keystream only, without input data. These options are described in Table 6 on page 20. The command context length is always 268 bytes. This command uses MCR1@. The opcode for this command is 0x04.
Figure 19: ARCFOUR Command Context

[figure: the 268-byte context: a length and opcode word; a reserved and flags word (bit 12 null data, bit 11 writeback, bit 10 state/key); the ARCFOUR state (256 bytes, byte order shown in an inset); a word holding index i and index j with reserved bytes.]

Figure 20 shows how the input packet fragment list is used. Figure 21 on page 22 shows the corresponding output packet fragment list usage. If indicated by the command context flags, the ARCFOUR state at the end of this keystream generation or encipherment operation is written to a fixed-size, 260-byte buffer starting at the output fragment address in the last output fragment chain entry. This can be input directly in the command context of a subsequent ARCFOUR operation to continue the keystream.

Table 6: ARCFOUR Command Context Flags

Bits    Definition
15:13   Reserved
12      Null data:
        0 = normal data encipherment
        1 = no input data, just output raw keystream
11      Writeback:
        0 = don't write back state, used for last encipherment operation in a keystream.
        1 = write back internal state after encipherment.
10      State/key:
        0 = context contains continuation ARCFOUR state for keystream
        1 = context contains ARCFOUR key input, perform ARCFOUR state initialization first.
9:0     Reserved
In null data mode, the input fragment chain entry in the packet descriptor and any chained elements are ignored. Only the output fragment chain entry values are used. The number of keystream bytes generated is the packet length, which must equal the total of the output fragment lengths. For normal encipherment, the packet length, total of the input fragment lengths, and total of the output fragment lengths must be equal.

Figure 20: ARCFOUR Packet Description Showing Input Fragments

[figure: a packet descriptor and input fragment chain gathering fragments 1 through n (network byte order) into the input data of packet length bytes; input fragments can be arbitrarily byte aligned.]
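As an added example (not the data sheet's pseudo-code or Broadcom code), the following Python implements the five ARCFOUR steps above and mirrors the Table 6 options a driver relies on: keying from a key (state/key = 1), raw keystream output (null data = 1), and carrying a written-back state into a later operation (writeback = 1, then state/key = 0). The placement of index i and index j inside the 260-byte written-back buffer is an assumption taken from Figure 21, and the byte swap the device applies to the state field in the context is not modelled; the keys and plaintexts used for checking are constructed.

```python
class Arcfour:
    """ARCFOUR as the datasheet describes it: a 256-byte state s plus the
    indices i and j, keyed once and then continued from a written-back state.
    The byte swap of the state field in the command context is not applied."""

    def __init__(self, state, i=0, j=0):
        self.s = bytearray(state)
        self.i, self.j = i, j
        if len(self.s) != 256:
            raise ValueError("ARCFOUR state must be 256 bytes")

    @classmethod
    def from_key(cls, key):
        """Steps 1 to 3: s[n] = n, k filled by repeating the key, then the
        key scheduling pass; i and j restart at 0 before keystream output."""
        if not 1 <= len(key) <= 256:
            raise ValueError("key must be 1 to 256 bytes")
        s = bytearray(range(256))
        k = bytes(key[n % len(key)] for n in range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + k[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        return cls(s, 0, 0)

    def keystream(self, n):
        """Step 4 repeated n times; with null data set the device outputs
        exactly this, packet length bytes, into the output fragments."""
        out = bytearray()
        s = self.s
        for _ in range(n):
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)

    def encipher(self, data):
        """Step 5: XOR with the keystream; the same call deciphers."""
        return bytes(x ^ y for x, y in zip(data, self.keystream(len(data))))

    def writeback(self):
        """Continuation state as written back when the writeback flag is set:
        260 bytes, the state followed by index i and index j.  Putting i and j
        in the first two bytes of the final word is an assumption (Figure 21)."""
        return bytes(self.s) + bytes([self.i, self.j, 0, 0])

    @classmethod
    def from_writeback(cls, buf):
        """Reload a written-back state to continue the same keystream."""
        if len(buf) != 260:
            raise ValueError("written-back ARCFOUR state is 260 bytes")
        return cls(buf[:256], buf[256], buf[257])
```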
Figure 21: ARCFOUR Packet Description Showing Output Fragments

[figure: the output fragment chain scatters the enciphered data or keystream into fragments 1 through n (network byte order); a final chain entry (length not used) gives the address where the ARCFOUR state, followed by index i, index j and zero bytes, is written back. Output fragments must be 32-bit word aligned.]

Note
- The default byte order for ARCFOUR input and output fragment data is the same as the byte order on a little endian host processor system.
- The default ARCFOUR state in the command context is byte swapped relative to the input and output fragment data.
- The ARCFOUR continuation state is output in the same byte order as the command context.

Pure MD5/SHA-1 Hash

The BCM5812 includes basic MD5 and SHA-1 hash operations. These are useful for various protocol processing functions, such as for computing SSL and TLS Finished messages. Figure 22 shows the command context for pure MD5/SHA-1 hash. The flags word authentication value is shown in Table 7. This command context length should be programmed to 8, even though the BCM5812 always reads 64 bytes. This command uses MCR1@. The opcode for this command is 0x05.
Figure 22: Pure MD5/SHA-1 hash command context
[Figure residue; recoverable layout: word 0 holds the opcode and length; the flags word carries the auth field in bits 13:12, all other bits reserved; the remaining context words are reserved.]

The input structures are the same as for arcfour, Figure 20 on page 21. The packet length must equal the total of the input fragment lengths. The hash output is written to the address in the next output fragment chain entry in the packet descriptor. The size of the hash written is determined by the algorithm: 16 bytes for MD5 and 20 bytes for SHA-1. The output fragment length for this descriptor must be zero.

Table 7: Pure MD5/SHA-1 hash command context flags
Bits    Definition
15:14   Reserved
13:12   Authentication: 00 = invalid, 01 = MD5, 10 = SHA-1, 11 = invalid
11:0    Reserved

IPsec AES

The BCM5812 provides FIPS-197 [15] compliant AES. It supports the 128-bit block size, with key sizes of 128, 192, and 256 bits. Figure 23 shows the AES command context. AES processing is very similar to 3DES, with the following differences:
- The block size is always 128 bits, as is the IV.
- The key can be 128, 192, or 256 bits.
- Counter mode (CTR) is supported in addition to CBC.
The AES command context flags are detailed in Table 9 on page 24. The command context size depends on the AES key size, as shown in Table 8. This command uses MCR1@. The opcode for this command is 0x40.
Figure 23: IPsec AES command context
[Figure residue; recoverable layout: word 0 holds the opcode, offset and length; the flags word holds encryption (bit 15), direction (bit 14), auth (bits 13:12), mode (bits 11:10) and keysize (bits 9:8); these are followed by the AES key (16-32 bytes), the HMAC inner state (20 bytes), the HMAC outer state (20 bytes) and the AES IV or initial counter value (16 bytes). The figure also shows the byte order within 32-bit words for the AES key and IV and for the MD5 and SHA-1 HMAC states.]

The data input and output fragment formats are identical to 3DES (Figure 9 on page 12 and Figure 10 on page 12), except that the encrypted part must be a multiple of the 128-bit block size. The AES IV is also 128 bits, and is taken from the command context. For counter mode, the 128-bit IV field is used for the initial counter value.

Table 8: AES command context sizes by key size
Key size (bits)   Command context length (bytes)
128               80
192               88
256               96

Table 9: AES command context flags
Bits    Definition
15      Encryption: 0 = null, 1 = AES
14      Direction: 0 = outbound, 1 = inbound
13:12   Authentication: 00 = null, 01 = HMAC-MD5, 10 = HMAC-SHA1, 11 = reserved
11:10   Mode: 00 = CBC, 01 = CTR, 10 = reserved, 11 = reserved
9:8     Keysize: 00 = 128 bits, 01 = 192 bits, 10 = 256 bits, 11 = reserved
7:0     Reserved

Note: The total length of the input for encryption or decryption must be a multiple of the cipher block size (16 bytes for AES). This applies to CTR mode as well, even though CTR itself does not require block-aligned input.

Counter mode (CTR) uses a running counter to generate a keystream which is exclusive-ORed with the input data, as opposed to cipher block chaining (CBC). CTR is illustrated in Figure 24 on page 26, which is taken from NIST Special Publication 800-38A [16]. Counter mode is used in a number of protocols, including wireless security and streaming media. Because CTR is a stream mode, a counter value must never be reused under the same key: two packets encrypted with the same key and initial counter leak the XOR of their plaintexts.
Figure 24: Counter mode
[Figure taken from NIST SP 800-38A; not reproduced in the text.]

In counter mode, the BCM5812 takes the initial count value from the IV field. Each subsequent block is incremented by one in the least significant bit position.

Diffie-Hellman

The Diffie-Hellman public key algorithm is used for key agreement in a number of protocols, including IKE, SSL, and TLS. It is based on the difficulty of calculating discrete logarithms in a finite field, and typically involves the following steps [17]:
1. Alice and Bob agree on parameters for a group, defined in terms of a large prime base, n, and a generator, g. The generator is such that each x less than n generates a different value (y = g^x mod n).
2. Alice chooses a secret random number, x_A, and sends Bob Y_A = g^x_A mod n over a public channel.
3. Bob does the same thing, choosing his secret number x_B, and sends Alice Y_B = g^x_B mod n.
4. Alice exponentiates Bob's public number and computes Y_B^x_A mod n, which equals (g^x_B)^x_A mod n.
5. Bob similarly computes Y_A^x_B mod n, which equals (g^x_A)^x_B mod n, the same value: the shared secret.

The BCM5812 provides separate Diffie-Hellman operation codes for generating the public key and for generating the secret key. Figure 25 on page 28 shows the command context, packet descriptor structure, input, and output data for Diffie-Hellman public key generate. This command uses opcode 0x01, and MCR2@.
The modulus and generator lengths can be between 16 and 2048 bits, and are specified in bits in the command context. The modulus and generator fields in the command context must take on one of the parameter field sizes in Table 10. The exponent length is specified in bits in the command context. The BCM5812 can use its internal random number generator to generate a new secret value of length exponent length if generate secret is equal to 0x0001. If generate secret is equal to 0x0000, the host software must supply an exponent length input secret, as a bignum, using the appropriate parameter size increment. Generate secret must be one of these two values. Figure 25 illustrates the layout of a bignum argument. A modulus or generator that is shorter than the parameter field size must start with its least significant bit in the first 32-bit word, and be padded with zeros to the parameter field size in its high-order bits.

Note: The BCM5812 interprets all large integer arguments as "bignums", arrays of 32-bit "digits" ordered least significant digit first. That is, the digit containing the least significant bit of the large integer is at the lowest index in the array.

Table 10: Allowed public key parameter field size increments
Modulus length, in bits   Parameter size in 32-bit words   Parameter size in bytes
16-512                    16                               64
513-768                   24                               96
769-1024                  32                               128
1025-1536                 48                               192
1537-2048                 64                               256
Figure 25: Diffie-Hellman public key generate
[Figure residue; recoverable layout: command context with opcode and length in word 0, then exponent length, generate secret, modulus length, generator length, the modulus (64-256 bytes) and the generator (64-256 bytes). A bignum argument is drawn with its least significant 32-bit "digit" first and its most significant digit last. The packet descriptor holds the command context address, one input fragment chain entry (input secret, used only if supplied by software, generate secret == 0) and two output fragment chain entries (output public value, output secret).]

The generator and modulus parameter field sizes must match their respective number of bits, and the same parameter field size must be used for both. The BCM5812 outputs the public value as a bignum to the first output fragment. This buffer must be the same length in bytes as the modulus parameter field size increment in Table 10 on page 27. It must be 32-bit aligned and contiguous. Output fragmentation is not used. The secret value is always written to the second output fragment chain entry buffer address, whether supplied by software or generated by the BCM5812. This buffer must be the same length in bytes as the exponent parameter field size increment in Table 10. It must be 32-bit aligned and contiguous. Output fragmentation is not used. Because the secret exponent is always written back to host memory, the host should treat that buffer as key material and clear it once the shared secret has been derived. Figure 26 on page 29 shows the command context, packet descriptor structure, input, and output for Diffie-Hellman secret key derivation. This uses MCR2@, and opcode 0x02.
Figure 26: Diffie-Hellman secret key
[Figure residue; recoverable layout: command context with opcode and length, modulus length, exponent length and the modulus (64-256 bytes); packet descriptor with command context address, two input fragment chain entries (input secret, input public value) and one output fragment chain entry (output shared secret).]

The modulus must be input in the command context as a bignum in the same manner as for Diffie-Hellman generate. The first input fragment chain entry buffer address specifies the input secret, and the second input fragment chain entry buffer contains the peer entity's public value. The shared secret is output to the output fragment address in the packet descriptor structure. All of these are bignum values. All output buffers must be sized for the appropriate parameter field size in Table 10. The lengths of the Diffie-Hellman generate and shared secret command contexts depend upon the parameter field sizes, and range from 82 to 524 bytes. The page describes no validation of the peer's public value, so host software should reject values outside 1 < Y < n-1 (and, where the group has a known subgroup order, values outside that subgroup) before submitting them.

RSA

The RSA public key algorithm is used for digital signature authentication and key exchange in IKE, SSL, and TLS. It is also widely used in a number of other applications, such as public key infrastructure (PKI) products. RSA is a two-key system, with a public key that can be used either to encrypt a value so that only the holder of the private key can decrypt it, or to decrypt a value that only the holder of the private key could have encrypted [17][19]. RSA uses the product of two large primes, p and q, which must remain secret. The public key consists of n = p * q, and a public exponent e that is relatively prime to (p-1)*(q-1). The public key operation encrypts a message m by exponentiating it modulo n, so that the encrypted value is x = m^e mod n. The private key consists of the modulus and a decrypting exponent, d, that is the inverse of e: d = e^-1 mod (p-1)(q-1). Knowing p and q, it is straightforward to compute d, but otherwise quite difficult. Decryption is simply m = x^d mod n.
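The bignum convention and the two Diffie-Hellman operations above, as an added host-side example (not Broadcom's driver code and not part of the datasheet): it packs integers into the least-significant-digit-first 32-bit layout padded to the Table 10 field size, computes the public value and shared secret in software as a known-answer check against what the hardware returns, and shows the generator-order failure mode a deployment must avoid. The group (n = 2^127 - 1 with base 3) and the secrets are constructed toy values; a real deployment uses a standard MODP group.

```python
"""Host-side view of the BCM5812 Diffie-Hellman operations: bignum packing
per the datasheet's note (32-bit digits, least significant digit first,
zero padded to the Table 10 field size) and a software computation of the
public value and shared secret usable as a known-answer check."""

# Table 10: modulus length in bits -> parameter field size in 32-bit words.
TABLE_10 = ((512, 16), (768, 24), (1024, 32), (1536, 48), (2048, 64))


def field_words(bits):
    """Parameter field size (32-bit words) for a modulus of `bits` bits."""
    if not 16 <= bits <= 2048:
        raise ValueError("modulus length must be 16..2048 bits")
    for limit, words in TABLE_10:
        if bits <= limit:
            return words
    raise AssertionError("unreachable")


def to_bignum(value, words):
    """Pack a non-negative integer as a list of 32-bit digits, least
    significant digit first, zero padded to `words` digits."""
    if value < 0 or value >> (32 * words):
        raise ValueError("value does not fit in the parameter field")
    return [(value >> (32 * i)) & 0xFFFFFFFF for i in range(words)]


def from_bignum(digits):
    """Inverse of to_bignum: digits[0] is the least significant digit."""
    return sum(d << (32 * i) for i, d in enumerate(digits))


def small_order(g, n, limit=4096):
    """Smallest k <= limit with g^k == 1 mod n, or None. A base caught by
    this check lives in a tiny subgroup and the secret exponent is only
    used modulo k. Real deployments check the full subgroup order; this
    only demonstrates the failure mode."""
    acc = 1
    for k in range(1, limit + 1):
        acc = (acc * g) % n
        if acc == 1:
            return k
    return None


def dh_public(g, secret, n):
    """Public value Y = g^x mod n (what the generate operation outputs)."""
    return pow(g, secret, n)


def dh_shared(peer_public, secret, n):
    """Shared secret Y_peer^x mod n (what the secret key operation outputs).
    The page describes no range check on the peer value, so do it here."""
    if not 1 < peer_public < n - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, secret, n)


def demo():
    """Toy exchange: n = 2^127 - 1 (a Mersenne prime), base 3, constructed
    secrets. Returns (secrets agree, field words, order of 2, order of 3)."""
    n = (1 << 127) - 1
    g = 3
    words = field_words(n.bit_length())              # 127 bits -> 16 words
    x_a, x_b = 0x1234567890ABCDEF0123, 0xFEDCBA09876543210FED
    y_a = dh_public(g, x_a, n)
    y_b = dh_public(g, x_b, n)
    # Layout exactly as the command context / output buffers expect it.
    modulus_field = to_bignum(n, words)
    public_field = to_bignum(y_a, words)
    assert from_bignum(public_field) == y_a
    k_a = dh_shared(y_b, x_a, n)
    k_b = dh_shared(y_a, x_b, n)
    # 2 has order 127 modulo 2^127 - 1 (2^127 == 1): a useless base.
    return k_a == k_b, len(modulus_field), small_order(2, n), small_order(g, n)


if __name__ == "__main__":
    print(demo())   # (True, 16, 127, None)
```

`small_order` is deliberately cheap: it catches only the grossest case (here base 2, whose order is 127, so a 2048-bit secret would contribute only about 7 bits). The check to run in practice is that the base has the group's intended subgroup order, which requires knowing the factorisation of n - 1.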
Generally, the public exponent e can be chosen to be short, but the private exponent is derived and is normally nearly as long as the modulus. The effort to exponentiate is proportional to the bit length of the exponent (the logarithm of its value); therefore, the private key operation takes considerably longer than the public key operation. This can be sped up by taking advantage of the knowledge of p and q, and doing the exponentiation using residue arithmetic according to the Chinese remainder theorem (CRT). In effect, this breaks d into two components, d_p = d mod (p-1) and d_q = d mod (q-1), does two half-sized exponentiations modulo p and modulo q, and combines the results using an inverse constant (q^-1 mod p). The BCM5812 provides both RSA public key and CRT private key operations. Figure 27 shows the command context for the RSA public key operation. As with Diffie-Hellman, the modulus and exponent are specified in bits, with parameter sizes in the command context, input, and output according to Table 10 on page 27. This operation uses MCR2@, and opcode 0x03.

Figure 27: RSA public key
[Figure residue; recoverable layout: command context with opcode and length, modulus length, exponent length, the modulus (64-256 bytes) and the exponent (64-256 bytes); packet descriptor with command context address, one input fragment chain entry (input, modulus length) and one output fragment chain entry (output, modulus length).]

The single input buffer length is given in the input fragment length, in bytes, and must be one of the parameter field sizes in Table 10. The input can be byte aligned, and may require padding with zeros to the parameter field size. The output buffer must be the same length, but must be 32-bit aligned. The exponent and modulus parameter field sizes must be the same. The exponent must be smaller than the modulus. Figure 28 shows the RSA CRT private key operation command context. The five CRT parameters, p, q, d_p, d_q, and q^-1, are each half the size of the public key modulus. Table 11 shows the allowed parameter field sizes in 32-bit words and bytes.
Figure 28: RSA private key
[Figure residue; recoverable layout: command context with opcode and length, prime p length, prime q length, prime p (32-128 bytes), prime q (32-128 bytes), exponent d_q (32-128 bytes), exponent d_p (32-128 bytes) and the CRT coefficient, labelled "pinv" in the figure (32-128 bytes); packet descriptor with command context address, one input fragment chain entry (input, modulus length) and one output fragment chain entry (output, modulus length).]

The command context lengths depend upon the parameter field sizes, as was the case with Diffie-Hellman. Prime p and prime q lengths are in bits. This command uses MCR2@, and opcode 0x04.

Note that the text defines the CRT coefficient as q^-1 mod p while the figure labels the field "pinv". Which inverse the hardware expects should be confirmed with a known-answer test before the operation is relied on: a CRT result computed with the wrong coefficient is correct modulo one prime and wrong modulo the other, and anyone who sees such a result can factor n by computing gcd(m^e - x, n). Host software should verify each CRT private key result with the public key before releasing it.

Table 11: Allowed RSA private key parameter size increments
Prime (p or q) length, in bits   Parameter size in 32-bit words   Parameter size in bytes
16-256                           8                                32
257-384                          12                               48
385-512                          16                               64
513-768                          24                               96
769-1024                         32                               128
DSA

DSA, also known as the Digital Signature Standard (DSS), is specified in FIPS 186-2 [19] in terms of the following parameters:
1. p, an L-bit long prime modulus, 2^(L-1) < p < 2^L, where L is an integer multiple of 64 greater than or equal to 512 and less than or equal to 1024.
2. q, a 160-bit prime factor of (p - 1); in other words, 2^159 < q < 2^160.
3. g = h^((p-1)/q) mod p, where h is any integer with 1 < h < (p - 1) such that h^((p-1)/q) mod p is greater than 1 (g has order q mod p).
4. x, a randomly or pseudorandomly generated integer with 0 < x < q.
5. y = g^x mod p.
6. k, a randomly or pseudorandomly generated integer with 0 < k < q.

The integers p, q, and g can be public and can be common to a group of users. A user's private and public keys are x and y, respectively. They are normally fixed for a period of time. Parameters x and k are used for signature generation only, and must be kept secret. Parameter k must be regenerated for each signature: reusing k for two messages, or using a predictable k, allows the private key x to be recovered from the signatures.

For Alice to sign a message m, and Bob to verify the message:
1. Alice generates a k as above, and uses it to compute r and s according to the following formulas:
   r = (g^k mod p) mod q
   s = (k^-1 (SHA-1(m) + x r)) mod q
   Alice sends Bob the pair (r, s) as the signature on message m.
2. For Bob to verify the signature, he uses Alice's public key, y, and message m, along with the public parameters p, q and g, and performs the following computation:
   w = s^-1 mod q
   u1 = (SHA-1(m) * w) mod q
   u2 = (r * w) mod q
   v = ((g^u1 * y^u2) mod p) mod q
   If v equals r, Bob accepts the signature as valid. Refer to FIPS 186-2 for details.

The BCM5812 provides separate operations for DSA sign and DSA verify. Figure 29 on page 33 shows the command context, input, and output parameter buffers for the DSA sign operation. p, q, g, and x correspond to p, q, g, and x in the above description, and are provided in the command context. The modulus p length is supplied in bits. DSA sign uses MCR2@, and opcode 0x05.

The input message, m, can be supplied directly and hashed by the BCM5812, or it can be supplied as a precomputed SHA-1 hash value. If supplied as a hash value, it is provided at the first input fragment address, 20 bytes in length, and the hash generated parameter is 0x0000. In this case, the dlength parameter in the packet descriptor is zero. If an explicit message is supplied for the BCM5812 to compute the SHA-1 hash, the hash generated parameter should be set to 0x0001. If m is explicitly supplied, the total length in bytes must be supplied in the dlength field of the packet descriptor structure. m can be supplied in a single fragment of up to 65,535 bytes in length, or in multiple fragments, with the restriction that intermediate fragments, other than the last, must be exactly 64 bytes (512 bits) in length. Hash generated must be one of these two values.

The random number can optionally be generated by the BCM5812 or explicitly provided. If it is generated, generate random number is set to 0x0001. If software provides the random number, generate random number should be 0x0000, and the random number is taken from the 20 byte buffer address in the last input fragment chain entry descriptor. Figure 29 illustrates
DSA sign using a single input message fragment and an optional explicitly provided random number. Generate random number must be one of these two values. The random number is not needed for verification and is usually discarded following creation of the signature. When the BCM5812 generates the 20 byte random value, it is not output. The signature values, r and s, are output in two fragment buffers, as shown in Figure 29.

Figure 29: DSA sign
[Figure residue; recoverable layout: command context with opcode and length, hash generated, generate random number, modulus p length, modulus q (20 bytes), modulus p (32-128 bytes), base g (32-128 bytes) and private key x (20 bytes); packet descriptor with command context address, dlength, an input fragment chain entry for the input message or hash value, an optional input fragment chain entry for the input random number (20 bytes, if supplied by software, generate random == 0), and two output fragment chain entries for the output r value (20 bytes) and output s value (20 bytes).]

Figure 30 on page 34 shows the DSA verify operation. As with DSA sign, the message m may be input as a precomputed SHA-1 hash value or hashed by the BCM5812. If the hash is supplied, the hash generated parameter must be 0x0000. If the message is supplied, hash generated should be set to 0x0001. The same message fragmentation rules must be followed as for DSA sign, with intermediate fragments other than the last 64 bytes long. The signature values, r and s, are input following the hash or message, with s at the buffer address supplied in the last input fragment chain entry. DSA verify uses MCR2@, and opcode 0x06. At least three input fragments must be supplied, and the lengths of the last two (r and s) must be 20 bytes each. The host software can then compare the output v value to the input r value to verify the signature. The v == r comparison alone does not check the signature's range; FIPS 186 requires 0 < r < q and 0 < s < q, so host software should reject signatures outside that range before submitting them.
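The sign and verify procedures above, as an added software example (not Broadcom's code and not from the datasheet) in which the two input modes the BCM5812 offers are mirrored by a `hash_generated` flag: 1 means the routine hashes the message itself, 0 means the caller supplies the 20-byte SHA-1 digest. The verifier performs the r, s range check the text recommends before computing v. Parameter generation is seeded so the run is reproducible; the parameters, key and message are constructed values, and 512-bit DSA with SHA-1 is shown only because it is what the chip implements, not because it is adequate today. Requires Python 3.8 or later for pow(x, -1, m).

```python
"""DSA parameter generation, signing and verification following the
FIPS 186-2 definitions quoted above, with the message/precomputed-hash
input modes of the BCM5812. Constructed, reproducible toy parameters."""
import hashlib
import random

MR_ROUNDS = 24   # Miller-Rabin rounds for the final candidate (example choice)


def is_probable_prime(n, rng):
    """Miller-Rabin with random bases; adequate for a demonstration."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(MR_ROUNDS):
        y = pow(rng.randrange(2, n - 1), d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False
    return True


def generate_params(L, rng):
    """p of exactly L bits (L a multiple of 64 in 512..1024), q of 160 bits
    with q | p - 1, and g = h^((p-1)/q) mod p with g > 1."""
    assert L % 64 == 0 and 512 <= L <= 1024
    while True:
        q = rng.getrandbits(160) | (1 << 159) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        k = (rng.getrandbits(L - 160) | (1 << (L - 161))) & ~1   # even k: p odd
        p = k * q + 1
        if p.bit_length() == L and is_probable_prime(p, rng):
            break
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g
        h += 1


def sha1_int(data, hash_generated):
    """hash generated = 1: hash the message; 0: data is the 20-byte digest."""
    if hash_generated:
        digest = hashlib.sha1(data).digest()
    else:
        digest = data
        if len(digest) != 20:
            raise ValueError("supplied hash must be 20 bytes")
    return int.from_bytes(digest, "big")


def sign(data, hash_generated, p, q, g, x, k):
    """r = (g^k mod p) mod q, s = k^-1 (SHA-1(m) + x r) mod q. k must be
    fresh and secret per signature; on r == 0 or s == 0 pick a new k."""
    if not 0 < k < q:
        raise ValueError("k out of range")
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (sha1_int(data, hash_generated) + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose a new k")
    return r, s


def verify(data, hash_generated, p, q, g, y, r, s):
    """Range-check r and s (the chip's v == r comparison does not), then
    compute v = ((g^u1 * y^u2) mod p) mod q and compare with r."""
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (sha1_int(data, hash_generated) * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def demo():
    """(valid msg, valid via precomputed hash, tampered msg, s == q rejected)."""
    rng = random.Random(20030311)                # fixed seed: reproducible toy keys
    p, q, g = generate_params(512, rng)
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    msg = b"BCM5812 DSA sign/verify example"     # constructed message
    r, s = sign(msg, 1, p, q, g, x, rng.randrange(1, q))
    digest = hashlib.sha1(msg).digest()
    return (verify(msg, 1, p, q, g, y, r, s),
            verify(digest, 0, p, q, g, y, r, s),
            verify(b"tampered", 1, p, q, g, y, r, s),
            verify(msg, 1, p, q, g, y, r, q))


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The k in `demo` comes from the same seeded generator as the key, which is fine for a reproducible example and exactly wrong for production: the hardware's SHA-1 conditioned RNG (generate random number = 1) or another unpredictable source must supply k, and the host-supplied path (generate random number = 0) should only be used with a source of that quality.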
Figure 30: DSA verify
[Figure residue; recoverable layout: command context with opcode and length, hash generated, modulus p length, modulus q (20 bytes), modulus p (32-128 bytes), base g (32-128 bytes) and a 20-byte field the figure labels "private key x"; packet descriptor with command context address, dlength, an input fragment chain entry for the input message or hash value, input fragment chain entries for the input r value (20 bytes) and input s value (20 bytes), and one output fragment chain entry for the output v value (20 bytes). The residue does not show where the public key y is supplied, and verification requires y rather than x; the field assignment should be checked against the full figure.]

Random Number Generation

The BCM5812 provides true random number generation using thermal noise to generate a random stream of bits that is collected as 32-bit words in a FIFO. The FIFO feeds into a SHA-1 engine, which hashes 512 bits at a time into a new set of 32-bit numbers which are placed in a second FIFO. Direct RNG output passes the FIPS 140-1 and FIPS 140-2 requirements for self testing. This shows sufficient randomness, a uniform distribution of results across the number line, and negligible bias. SHA-1 output adds greater assurance that the data is uniformly distributed. The SHA-1 RNG output is used as the internal random source for Diffie-Hellman and DSA functions. Note that passing the FIPS 140 statistical tests demonstrates the absence of gross bias in the noise source, not unpredictability, and that the SHA-1 output will look uniformly distributed even if the noise source has failed; the raw output is the one to monitor.

The raw RNG data source or the SHA-1 RNG data source can be accessed directly using the random number opcodes. The direct opcode, 0x40 using MCR2@, provides the raw output from the random number generator. This is usually used for test or certification purposes, where the raw output needs to be examined. The SHA-1 opcode, 0x41 using MCR2@, provides the SHA-1 output. The number of bits is controlled by the dlength parameter in the packet descriptor, and must be specified as an integral number of 32-bit words. The output buffer fragment length must be equal to the value of dlength. Output is to a single, contiguous buffer indicated by the output fragment address in the packet descriptor. Output fragmentation is not performed.
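The RNG pipeline described above, modelled in software as an added example (not Broadcom's code and not from the datasheet), together with the host-side checks a driver would run on the raw opcode 0x40 output before trusting the part: the FIPS 140-2 monobit test (count of ones X in 20,000 bits must satisfy 9,725 < X < 10,275) and long-run test (no run of 26 or more identical bits). The thermal noise source is replaced by a seeded PRNG labelled as such; the packing of each 32-bit raw word into the SHA-1 block is assumed big-endian, which the datasheet does not state. The second stream in the demonstration is a stuck-at-ones source, to show what conditioning hides.

```python
"""Model of the BCM5812 RNG pipeline (32-bit raw words, 512 bits at a
time through SHA-1) plus FIPS 140-2 monobit and long-run checks."""
import hashlib
import random

WORDS_PER_BLOCK = 16      # 16 x 32 bits = 512 bits per SHA-1 input block
SAMPLE_BITS = 20000       # FIPS 140-2 statistical test sample size


def condition(raw_words):
    """Hash each group of 16 raw words into five 32-bit output words
    (SHA-1 yields 160 bits). An incomplete trailing group is discarded,
    as a FIFO feeding a block engine would. Word packing assumed big-endian."""
    out = []
    for i in range(0, len(raw_words) - WORDS_PER_BLOCK + 1, WORDS_PER_BLOCK):
        block = b"".join(w.to_bytes(4, "big") for w in raw_words[i:i + WORDS_PER_BLOCK])
        digest = hashlib.sha1(block).digest()
        out.extend(int.from_bytes(digest[j:j + 4], "big") for j in range(0, 20, 4))
    return out


def bits_of(words, nbits):
    """First nbits bits of a word stream, most significant bit of each word first."""
    bits = []
    for w in words:
        bits.extend((w >> (31 - b)) & 1 for b in range(32))
        if len(bits) >= nbits:
            break
    return bits[:nbits]


def monobit_test(bits):
    """FIPS 140-2 monobit: 9725 < (number of ones) < 10275 over 20,000 bits."""
    x = sum(bits)
    return 9725 < x < 10275, x


def long_run_test(bits):
    """FIPS 140-2 long-run: no run of identical bits of length 26 or more."""
    longest = run = 0
    prev = None
    for b in bits:
        run = run + 1 if b == prev else 1
        prev = b
        longest = max(longest, run)
    return longest < 26, longest


def raw_source(n_words, seed=5812):
    """Constructed stand-in for the thermal-noise FIFO (seeded PRNG)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n_words)]


def evaluate(raw_words):
    """Both tests on the raw stream and on the conditioned stream:
    ((raw monobit ok, raw long-run ok), (conditioned monobit ok, conditioned long-run ok))."""
    results = []
    for stream in (raw_words, condition(raw_words)):
        bits = bits_of(stream, SAMPLE_BITS)
        if len(bits) < SAMPLE_BITS:
            raise ValueError("need at least 20,000 bits in each stream")
        results.append((monobit_test(bits)[0], long_run_test(bits)[0]))
    return tuple(results)


if __name__ == "__main__":
    good = raw_source(2048)              # 65,536 raw bits -> 20,480 conditioned bits
    stuck = [0xFFFFFFFF] * 2048          # a dead noise source: all ones
    print(evaluate(good))                # ((True, True), (True, True))
    print(evaluate(stuck))               # raw part is (False, False); the
                                         # conditioned part may well pass
```

The stuck source fails both raw tests trivially, while its SHA-1 conditioned output is a fixed 160-bit digest repeated over and over, which the two tests can easily pass. That is the practical reason the datasheet exposes the raw opcode separately: health monitoring belongs on the raw words, and the conditioned words should never be used as evidence that the noise source is alive.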
Figure 31: Random number generation command context
[Figure residue; recoverable layout: a command context holding only the opcode and length; packet descriptor with command context address, an unused input fragment chain entry, dlength, and one output fragment chain entry for the output random data (packet length).]

Modular Arithmetic

The BCM5812 provides basic large integer modular arithmetic functions for add, subtract, multiply, remainder, and exponentiation. These commands all use MCR2@, and the opcodes listed in Table 13 on page 41. With the exception of remainder, all arguments must be less than the modulus. The BCM5812 does not reduce arguments prior to performing the operation, so host software must reduce or reject out-of-range operands before submitting them. Figure 32 shows the command context, input, and output structures for computing (a+b) mod n, for n up to 2048 bits. All input and output values must be supplied in a single buffer fragment. The modulus length, in bits, is supplied in the command context. All fragments must be the same size, which must be one of the parameter sizes in Table 12.
Figure 32: Modular add
[Figure residue; recoverable layout: command context with opcode and length, modulus length, a reserved word and modulus n (64-256 bytes); packet descriptor with command context address, two input fragment chain entries (addend a and addend b, each of modulus length) and one output fragment chain entry (a+b mod n, modulus length).]

Figure 33 on page 37 shows the structure values for computing (a-b) mod n, and Figure 34 on page 38 for computing (a * b) mod n. Figure 35 on page 39 shows the unary operation a mod n, used to compute the remainder, and Figure 36 on page 40 shows a^e mod n. In all cases, the parameters are otherwise as described above for modular addition. Figure 37 on page 41 shows the command context, input, and output structures for double modular exponentiation. This function is useful for performing the RSA private key operation when the modulus is the product of three or more primes (referred to as Multi-Prime(TM)). In this case, the lengths of the two moduli, in bits, are supplied in the command context as modulus n1 length and modulus n0 length, respectively. Both values, in bits, must be between 16 and 512. All input and output parameters must be supplied in either 256-bit (32 byte) or 512-bit (64 byte) buffers.

Table 12: Allowed modular arithmetic parameter field size increments
Modulus length, in bits   Parameter size in 32-bit words   Parameter size in bytes
16-256                    8                                32
257-512                   16                               64
513-768                   24                               96
769-1024                  32                               128
1025-1536                 48                               192
1537-2048                 64                               256
Figure 33: Modular subtract
[Figure residue; same layout as Figure 32: command context with opcode and length, modulus length, a reserved word and modulus n (64-256 bytes); packet descriptor with command context address, two input fragment chain entries (a and b, labelled "subtrahend a" and "subtractor b" in the figure, each of modulus length) and one output fragment chain entry (a-b mod n, modulus length).]
bcm5812 advance data sheet 3/11/03 broadcom corporation page 38 cryptographic oper ations document 5812-ds01-405-r figure 34: modular multiply next input fragment chain entry reserved fragment length input fragment address multiplicand a (modulus length) multiplier b (modulus length) a*b mod n (modulus length) command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address length 31 opcode 0 modulus n 64-256 bytes modulus length reserved command context packet descriptor next input fragment chain entry reserved fragment length input fragment address multiplicand a (modulus length) multiplier b (modulus length) a*b mod n (modulus length) command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address length 31 opcode 0 modulus n 64-256 bytes modulus length reserved command context length 31 opcode 0 modulus n 64-256 bytes modulus length reserved command context packet descriptor
advance data sheet bcm5812 3/11/03 broadcom corporation document 5812-ds01-405-r cryptogr aphic operations page 39 figure 35: modular remainder data a (modulus length) a mod n (modulus length) command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address length 31 opcode 0 modulus n 64-256 bytes modulus length reserved command context packet descriptor data a (modulus length) a mod n (modulus length) command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address length 31 opcode 0 modulus n 64-256 bytes modulus length reserved command context data a (modulus length) a mod n (modulus length) command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address length 31 opcode 0 modulus n 64-256 bytes modulus length reserved command context length 31 opcode 0 modulus n 64-256 bytes modulus length reserved command context packet descriptor
bcm5812 advance data sheet 3/11/03 broadcom corporation page 40 cryptographic oper ations document 5812-ds01-405-r figure 36: modular exponentiation next input fragment chain entry reserved fragment length input fragment address input a (modulus length) exponent e (modulus length) a e mod n (modulus length) command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address length 31 opcode 0 modulus n 64-256 bytes modulus length exponent length command context packet descriptor next input fragment chain entry reserved fragment length input fragment address input a (modulus length) exponent e (modulus length) a e mod n (modulus length) command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address command context address next input fragment chain entry reserved input fragment length input fragment address reserved reserved next output fragment chain entry reserved output buffer length output fragment address length 31 opcode 0 modulus n 64-256 bytes modulus length exponent length command context packet descriptor
figure 37: double modular exponentiation [figure; packet descriptor with command context address, four input fragment chain entries (input a0, input a1, exponent e0, exponent e1, each with next input fragment chain entry, reserved, fragment length, input fragment address) and two output fragment chain entries (output a0^e0 mod n0 (64 bytes) and output a1^e1 mod n1 (64 bytes), each with next output fragment chain entry, reserved, output buffer length, output fragment address); command context with length/opcode word, modulus n1 length, modulus n0 length, modulus n0 (64 bytes), modulus n1 (64 bytes)]

table 13: modular arithmetic opcodes

opcode | name | function
0x43 | modular addition | (a + b) mod n
0x44 | modular subtraction | (a - b) mod n
0x45 | modular multiplication | (a * b) mod n
0x46 | modular reduction | a mod n
0x47 | modular exponentiation | a^e mod n
0x49 | double modular exponentiation | a1^e1 mod n1, a2^e2 mod n2
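The following is an added example, not Broadcom's code or driver: it applies the Table 12 size increments and Table 13 opcodes to pad operands for one modular arithmetic command and gives the host a known-answer check for what the accelerator writes back. It assumes little-endian 32-bit word order inside bignum fragments (not stated on this page) and that the modulus, every operand and the output buffer all use the same Table 12 size.

```python
"""Operand sizing (Table 12), opcode selection (Table 13) and a host-side
known-answer check for BCM5812 modular arithmetic commands.

Assumptions, not stated on this page: bignum fragments are little-endian
32-bit words (the natural layout for a little endian host with
cryptonet_le = 1); modulus, operands and result share one Table 12 size.
"""

# Table 12: (largest modulus bit length in the row, parameter size in 32-bit words)
PARAM_SIZE_WORDS = [(256, 8), (512, 16), (768, 24), (1024, 32), (1536, 48), (2048, 64)]

# Table 13 (single-modulus opcodes): opcode -> (name, operand count besides n)
MODULAR_OPCODES = {
    0x43: ("modular addition", 2),
    0x44: ("modular subtraction", 2),
    0x45: ("modular multiplication", 2),
    0x46: ("modular reduction", 1),
    0x47: ("modular exponentiation", 2),
}


def param_size_words(modulus_bits):
    """Table 12 lookup: parameter size in 32-bit words for a modulus of modulus_bits bits."""
    if not 16 <= modulus_bits <= 2048:
        raise ValueError(f"modulus length {modulus_bits} bits is outside the allowed 16-2048 range")
    for upper_bits, words in PARAM_SIZE_WORDS:
        if modulus_bits <= upper_bits:
            return words
    raise AssertionError("unreachable: every in-range length matches a Table 12 row")


def param_size_bytes(modulus_bits):
    return 4 * param_size_words(modulus_bits)


def encode_operand(value, modulus_bits):
    """Pad one operand to the Table 12 size. Negative values and values that do
    not fit in modulus_bits are rejected on the host instead of being silently
    truncated by the fragment length."""
    if value < 0 or value.bit_length() > modulus_bits:
        raise ValueError("operand does not fit in the modulus length")
    return value.to_bytes(param_size_bytes(modulus_bits), "little")


def decode_result(buf, modulus_bits):
    """Inverse of encode_operand, applied to the output fragment."""
    if len(buf) != param_size_bytes(modulus_bits):
        raise ValueError("output fragment length does not match the modulus length")
    return int.from_bytes(buf, "little")


def build_command(opcode, n, operands):
    """Return the command context fields and the padded input fragments for one
    Table 13 command: the modulus goes into the command context, the operands
    into the input fragment chain, every one padded to the same modulus length."""
    if opcode not in MODULAR_OPCODES:
        raise ValueError(f"opcode 0x{opcode:02x} is not a single-modulus Table 13 opcode")
    name, operand_count = MODULAR_OPCODES[opcode]
    if len(operands) != operand_count:
        raise ValueError(f"{name} takes {operand_count} operand(s), got {len(operands)}")
    modulus_bits = n.bit_length()
    context = {
        "opcode": opcode,
        "modulus length": param_size_bytes(modulus_bits),
        "modulus n": encode_operand(n, modulus_bits),
    }
    fragments = [encode_operand(x, modulus_bits) for x in operands]
    return context, fragments


def reference_result(opcode, n, operands):
    """Host-computed value of the same Table 13 function, for a driver
    known-answer test against the accelerator's output fragment."""
    if opcode == 0x43:
        return (operands[0] + operands[1]) % n
    if opcode == 0x44:
        return (operands[0] - operands[1]) % n
    if opcode == 0x45:
        return (operands[0] * operands[1]) % n
    if opcode == 0x46:
        return operands[0] % n
    if opcode == 0x47:
        return pow(operands[0], operands[1], n)
    raise ValueError(f"no reference for opcode 0x{opcode:02x}")


def self_test(opcode, n, operands, output_fragment):
    """True when the accelerator's output fragment matches the host reference."""
    return decode_result(output_fragment, n.bit_length()) == reference_result(opcode, n, operands)
```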
interrupt processing

the bcm5812 generates an interrupt after completion of all packet descriptors for a particular mcr structure if the following two conditions hold:
- interrupts are enabled in the dma control register (see table 20 on page 59): mcr1int_en enables interrupts for symmetric operations pushed to mcr1@, and mcr2int_en enables interrupts for asymmetric and random number operations pushed to mcr2@; and
- the suppress interrupts bit in the mcr header word (see table 1 on page 2) is zero. if this bit is set, the bcm5812 does not issue an interrupt upon completion of processing of that mcr structure.

the dma status register indicates interrupt status via the mcr1_intr and mcr2_intr bits, respectively. these bits must be explicitly cleared by writing a 1 into the appropriate bit position.

the bcm5812 also generates an interrupt when either the mcr1@ or mcr2@ fifo empties, as long as interrupts are enabled for that fifo. this mechanism is intended to deal with the condition where a sequence of mcrs is pushed with interrupts suppressed. the dma status register mcr1_all_empty and mcr2_all_empty bits indicate that their respective interrupt has been issued. these are cleared by explicitly writing a 1 to the bit position, or by writing a 1 to the mcr1_intr or mcr2_intr bit, respectively.

the bcm5812 generates an interrupt on dma error if dmaerr_en is set in the dma control register. the dma status register indicates the status of this interrupt using dmaerr_intr.

export control

the bcm5812 export control feature allows strong bulk cryptography to be disabled to facilitate products with retail export classification. export mode is controlled externally by whether the export pin (see table 15 on page 47, table 16 on page 50, and table 17 on page 53) is pulled high or low.
if export is high, export mode is enabled, allowing only 56-bit des and disabling arcfour, aes, and 3des. if export is pulled low, all bulk cryptographic functionality is enabled. export is internally pulled high, so export mode is enabled by default.

endian considerations

the bcm5812 is designed to work with both little endian and big endian host processors, in both standard and non-standard pci bus configurations. the pci bus is specified to work naturally with little endian host processors. figure 38 on page 43 illustrates a typical little endian 64-bit host processor bus configuration. in figure 38 on page 43, the bytes are labelled from a to f, in the order in which they would be addressed by the host processor from memory (i.e., starting with the byte at the little end of the memory word). most big endian host processor systems are configured to swap bytes between the host processor or memory and the pci bus. figure 39 on page 44 illustrates a typical big endian 64-bit host processor bus configuration. in figure 39 on page 44, the bytes are also labelled in the order in which they would be addressed by the host processor from memory (i.e., starting from the big end of the memory word).
the byte order that is seen at a device on the pci bus is the same in both cases. when used with a big endian host processor, this is sometimes referred to as a match byte lanes policy. unfortunately, this policy produces the wrong result for non-byte stream data, including fields built by the host processor as 16-bit lengths, 32-bit addresses, or 32-bit bignum elements. these appear in the bcm5812 mcr, command context, and fragment chain entry structures. ordinarily, host software would have to byte swap such fields in order to undo the effect of the byte swap. the bcm5812 provides two software enabled endian control flags for adjusting the byte order to match the host processor system configuration and minimize or eliminate the need for byte swapping in software. table 14 on page 44 describes these flags. the default setting at reset is for a little endian host processor on a typical pci bus configuration.

figure 38: typical little endian processor pci bus configuration [figure; text recovered from the diagram: word in host memory holds bytes h g f e d c b a at bit numbers 63..56, 55..48, 47..40, 39..32, 31..24, 23..16, 15..8, 7..0 (byte addresses 111 down to 000); pci bus word 0 holds d c b a and pci bus word 1 holds h g f e, each at bit numbers 31..24, 23..16, 15..8, 7..0]
figure 39: typical big endian processor pci bus configuration [figure; text recovered from the diagram: word in host memory holds bytes a b c d e f g h at bit numbers 63..56 down to 7..0 (byte addresses 000 to 111); pci bus word 0 holds d c b a and pci bus word 1 holds h g f e, each at bit numbers 31..24, 23..16, 15..8, 7..0]

for a big endian host processor, clearing cryptonet_le enables most host structures to be constructed without the need for software byte swapping. this applies to the structures shown in figure 5 on page 7, and to the arcfour state output. byte stream data is unaffected.

normal_pci would be used in non-standard pci bus configurations. figure 40 shows an example of a match bit lanes bus policy. if normal_pci is cleared, the bcm5812 byte swaps everything on its way in or out, whether a master or slave access, including the csrs.

table 14: endian control flags

name | use | description | default
cryptonet_le | little endian host processor | if zero, swap bytes for mcr, command context, fragment chain entries, bignum data fragments, and arcfour state output using dma bus master access. | 1
normal_pci | conventional pci configuration | if zero, swap bytes for all data read or written over the pci bus, master or slave. | 1
figure 40: match bit lanes pci bus configuration [figure; text recovered from the diagram: word in host memory holds bytes a b c d e f g h at bit numbers 63..56 down to 7..0 (byte addresses 000 to 111); pci bus word 0 and pci bus word 1 carry a b c d e f g h in the same order, with bit lanes matched to the host word rather than byte lanes]

note: at least 50 clock cycles are needed following a change to the cryptonet_le and/or normal_pci setting.
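The byte-lane behaviour described in this section, as an added example that is not part of the datasheet or any Broadcom driver: it models a 32-bit structure field travelling from host memory to the chip under the match byte lanes policy of figures 38 and 39, with normal_pci = 1 assumed throughout, and shows which cryptonet_le setting (or host-side swap) makes the field round-trip.

```python
"""Byte-lane model of the BCM5812 cryptonet_le flag.

Assumptions: match byte lanes policy (the byte at the lowest host address
always lands in PCI byte lane 0, bits 7..0, of the word), normal_pci = 1
(conventional PCI configuration), and only 32-bit structure fields are
modelled (16-bit lengths live inside such a word).
"""

LANES_PER_WORD = 4


def host_field_on_bus(value, host_endian):
    """A 32-bit structure field as the host writes it to memory in its native
    byte order. Under match byte lanes these four bytes are exactly PCI byte
    lanes 0..3 of the word the BCM5812 fetches."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("structure fields are 32-bit words")
    return value.to_bytes(LANES_PER_WORD, host_endian)


def device_reads_field(lanes, cryptonet_le):
    """How the BCM5812 interprets one fetched structure word.
    cryptonet_le = 1 (reset default): the lanes are taken as a little endian word.
    cryptonet_le = 0: the chip byte swaps the word before using it."""
    if len(lanes) != LANES_PER_WORD:
        raise ValueError("one field is one 32-bit word")
    if cryptonet_le == 0:
        lanes = lanes[::-1]
    return int.from_bytes(lanes, "little")


def device_reads_stream(lanes):
    """Byte stream data (packet payload) is consumed in address order and is
    not touched by cryptonet_le, so it is identical for either host type."""
    return bytes(lanes)


def host_software_swap(struct_bytes):
    """The software workaround the text mentions: the host reverses each
    32-bit field itself and leaves cryptonet_le at its default of 1."""
    if len(struct_bytes) % LANES_PER_WORD:
        raise ValueError("structure must be a whole number of 32-bit words")
    return b"".join(struct_bytes[i:i + 4][::-1] for i in range(0, len(struct_bytes), 4))


def field_as_seen_by_device(value, host_endian, cryptonet_le, software_swap=False):
    """End to end: host builds the field, optionally swaps it in software, the
    bus carries it by byte lanes, the chip decodes it with the given flag."""
    lanes = host_field_on_bus(value, host_endian)
    if software_swap:
        lanes = host_software_swap(lanes)
    return device_reads_field(lanes, cryptonet_le)


def required_cryptonet_le(host_endian):
    """Flag value under which every 32-bit field round-trips unchanged."""
    return 1 if host_endian == "little" else 0


if __name__ == "__main__":
    # Constructed sample: an input fragment address placed in a fragment chain
    # entry. With the wrong flag the chip would fetch from a byte-reversed address.
    addr = 0x12345678
    for host in ("little", "big"):
        for flag in (1, 0):
            seen = field_as_seen_by_device(addr, host, flag)
            print(f"{host:6} host, cryptonet_le={flag}: device sees {seen:#010x}")
```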
section 2: hardware

signal definition

figure 41: 196-pin fbga pinout diagram [figure; a 14 x 14 ball grid with rows 1-14 and columns a, b, c, d, e, f, g, h, j, k, l, m, n, p; the per-ball assignments are listed in table 15 (by ball number) and table 16 (by signal name)]
ballout by ball number

table 15: ballout by ball number (ball: signal name)

row a: a1 gndc, a2 agnd2, a3 nc1, a4 export, a5 avdd1, a6 nc2, a7 tms, a8 tck, a9 nc3, a10 nc4, a11 nc5, a12 eeprom_di, a13 eeprom, a14 vddo
row b: b1 vio, b2 vddc, b3 agnd2, b4 nc6, b5 avdd1, b6 avdd1, b7 trst, b8 test, b9 nc7, b10 nc8, b11 eeprom_do, b12 eeprom_sk, b13 vddo, b14 gndc
row c: c1 inta, c2 vio, c3 vddc, c4 avdd2, c5 avdd2, c6 agnd1, c7 tdi, c8 sgnd, c9 rngosc, c10 nc9, c11 eeprom_cs, c12 vddo, c13 gndc, c14 gndc
row d: d1 ad[31], d2 sgnd, d3 pci_clk, d4 vddc, d5 avdd2, d6 agnd1, d7 tdo, d8 gndc, d9 vddc, d10 nc10, d11 vddo, d12 vio, d13 gndc, d14 gndc
row e: e1 ad[29], e2 ad[30], e3 rst, e4 gndc, e5 gndc, e6 gndc, e7 gndc, e8 gndc, e9 gndc, e10 gndc, e11 vddc, e12 vddc, e13 vddc, e14 gndc
row f: f1 ad[25], f2 ad[26], f3 ad[27], f4 ad[28], f5 gndc, f6 gndc, f7 gndc, f8 gndc, f9 gndc, f10 gndc, f11 vddc, f12 vddc, f13 vddc, f14 gndc
row g: g1 req, g2 gnt, g3 ad[24], g4 vddc, g5 gndc, g6 gndc, g7 gndc, g8 gndc, g9 gndc, g10 gndc, g11 vddc, g12 vddc, g13 sgnd, g14 gndc
row h: h1 c/be[3], h2 ad[23], h3 ad[22], h4 idsel, h5 gndc, h6 gndc, h7 gndc, h8 gndc, h9 gndc, h10 gndc, h11 vddc, h12 vddc, h13 vio, h14 gndc
row j: j1 ad[21], j2 ad[20], j3 ad[19], j4 vddo, j5 gndc, j6 gndc, j7 gndc, j8 gndc, j9 gndc, j10 gndc, j11 vddc, j12 vddc, j13 vddc, j14 gndc
row k: k1 ad[18], k2 ad[17], k3 irdy, k4 trdy, k5 gndc, k6 gndc, k7 gndc, k8 gndc, k9 gndc, k10 gndc, k11 vddo, k12 vddc, k13 vddc, k14 gndc
row l: l1 ad[16], l2 c/be[2], l3 lock, l4 vddc, l5 gndc, l6 gndc, l7 gndc, l8 gndc, l9 gndc, l10 gndc, l11 vddo, l12 vddc, l13 vddc, l14 gndc
row m: m1 frame, m2 devsel, m3 vddc, m4 par, m5 vddo, m6 ad[11], m7 vddo, m8 ad[06], m9 vddc, m10 vddc, m11 vddo, m12 gndc, m13 gndc, m14 gndc
row n: n1 stop, n2 vddc, n3 serr, n4 ad[15], n5 ad[13], n6 ad[10], n7 ad[08], n8 ad[05], n9 ad[03], n10 ad[00], n11 vio, n12 vddo, n13 gndc, n14 gndc
row p: p1 vddc, p2 perr, p3 c/be[1], p4 ad[14], p5 ad[12], p6 ad[09], p7 c/be[0], p8 ad[07], p9 ad[04], p10 ad[02], p11 ad[01], p12 sgnd, p13 vddo, p14 gndc
ballout by signal name

table 16: ballout by signal name (signal name: ball)

ad[00] n10, ad[01] p11, ad[02] p10, ad[03] n9, ad[04] p9, ad[05] n8, ad[06] m8, ad[07] p8, ad[08] n7, ad[09] p6, ad[10] n6, ad[11] m6, ad[12] p5, ad[13] n5, ad[14] p4, ad[15] n4, ad[16] l1, ad[17] k2, ad[18] k1, ad[19] j3, ad[20] j2, ad[21] j1, ad[22] h3, ad[23] h2, ad[24] g3, ad[25] f1, ad[26] f2, ad[27] f3, ad[28] f4, ad[29] e1, ad[30] e2, ad[31] d1
agnd1: c6, d6
agnd2: a2, b3
avdd1: a5, b5, b6
avdd2: c4, c5, d5
c/be[0] p7, c/be[1] p3, c/be[2] l2, c/be[3] h1
devsel m2, eeprom a13, eeprom_cs c11, eeprom_di a12, eeprom_do b11, eeprom_sk b12, export a4, frame m1
gndc: a1, b14, c13, c14, d8, d13, d14, e4, e5, e6, e7, e8, e9, e10, e14, f5, f6, f7, f8, f9, f10, f14, g5, g6, g7, g8, g9, g10, g14, h5, h6, h7, h8, h9, h10, h14, j5, j6, j7, j8, j9, j10, j14, k5, k6, k7, k8, k9, k10, k14, l5, l6, l7, l8, l9, l10, l14, m12, m13, m14, n13, n14, p14
gnt g2, idsel h4, inta c1, irdy k3, lock l3
nc1 a3, nc2 a6, nc3 a9, nc4 a10, nc5 a11, nc6 b4, nc7 b9, nc8 b10, nc9 c10, nc10 d10
par m4, pci_clk d3, perr p2, req g1, rngosc c9, rst e3, serr n3
sgnd: c8, d2, g13, p12
stop n1, tck a8, tdi c7, tdo d7, test b8, tms a7, trdy k4, trst b7
vddc: b2, c3, d4, d9, e11, e12, e13, f11, f12, f13, g4, g11, g12, h11, h12, j11, j12, j13, k12, k13, l4, l12, l13, m3, m9, m10, n2, p1
vddo: a14, b13, c12, d11, j4, k11, l11, m5, m7, m11, n12, p13
vio: b1, c2, d12, h13, n11
signal definitions

table 17: signal definitions

signal name | i/o | description
ad[31:0] | io | pci multiplexed address/data bus.
pci_clk | i | pci clock, 33 mhz.
gnt | i | pci bus grant allowing the bcm5812 to use the bus.
frame | io | pci frame, indicates the beginning and duration of a master transfer.
irdy | io | pci initiator ready.
trdy | io | pci target ready.
devsel | io | pci device select, asserted by an access target.
stop | io | pci stop, requesting that the current master stop an active transfer.
perr | io | pci parity error.
serr | o | pci system error, open drain.
par | io | pci parity.
req | o | pci bus request.
rst | i | pci reset, tri-states all pci outputs.
inta | o | pci interrupt output, open drain.
c/be[3:0] | io | pci command/byte enable, provides pci bus command and data byte enables.
idsel | i | pci initialization device request, used for pci configuration cycles.
lock | i | pci lock for atomic operation, must be pulled up to vddo.
vddc | - | core power pins, must be connected to a 1.8v (core) source.
vddo | - | peripheral power pins, must be connected to a 3.3v (i/o) source.
gnd | - | core and peripheral ground pins.
avcc1 | - | analog vcc for pll1, must be connected to a quiet 1.8v source.
agnd1 | - | analog gnd for pll1.
avcc2 | - | analog vcc for pll2, must be connected to a quiet 1.8v source.
agnd2 | - | analog gnd for pll2.
vio | - | pci clamp voltage bias. connect to 3.3v for 3.3v signaling environments; connect to 5v for 5v signaling environments.
sgnd | - | clamp ground (substrate ground).
export | i | export pin (high = 56-bit des encryption, arcfour disabled, aes disabled; low = 3des strong encryption, arcfour enabled, aes enabled).
test | i | test pin, must be grounded for regular operation. when test is high, all outputs are tri-stated. it is internally pulled down.
trst | i | must be connected to ground for normal operation. used for boundary scan jtag testing. it is internally pulled down.
tms | i | test mode select for jtag boundary scan. must be connected to vddo for normal operation. it is internally pulled up.
tck | i | test mode clock for jtag boundary scan. unused in normal operation; connect to either a high or low static level. it is internally pulled up.
tdi | i | test data in for jtag boundary scan. unused in normal operation; connect to either a high or low static level. it is internally pulled up.
tdo | o | test data out for jtag boundary scan. unused in normal operation.
rngosc | i | optional random number generator oscillator. it is ex-ored with the internal oscillator to provide the random number source. it is internally pulled down.
eeprom | i | if eeprom is low, the pci configuration space is loaded from the attached eeprom. otherwise, the pci configuration space contains default values. it is internally pulled up.
eeprom_cs | o | chip select for the attached eeprom. it connects to the chip select pin of the eeprom.
eeprom_sk | o | serial clock for the attached eeprom. it connects to the serial clock pin of the eeprom.
eeprom_di | i | data in for the attached eeprom. it connects to the data out pin of the eeprom.
eeprom_do | o | data out for the attached eeprom. it connects to the data in pin of the eeprom.
nc1...nc10 | - | test pins, must be left unconnected (floating).
section 3: register details

the bcm5812 registers are divided into two categories:
1. pci configuration registers implement control and status information that is specific to the pci bus, as well as the registers required by the pci specification rev. 2.2.
2. dma control and status registers pertain to master command, data, and command context fetch and write back operations.

unused or reserved bits are initialized to zero. unused bits should be written as zeroes. the following mnemonics are used to describe the types of access allowed for each register bit:
- rw: bit is read/write
- wo: bit is write only
- ro: read only bit (i.e., a status flag)
- rsvd: reserved bit, ignore upon read, write 0 upon write

a value of x upon reset means that the state of the register is undefined and should not be relied upon after a reset occurs.

pci configuration registers

the bcm5812 provides pci 2.2 compliant configuration space registers as shown in table 18. in addition, the bcm5812 uses pci memory as configured in bar0 for all slave control and status registers (csrs). the registers use a total memory space of 64 kb in one memory bar region. this region is non-prefetchable, and must be relocated only in 32-bit space. configuration registers that are not shown in table 18 are reserved. the bit fields of the registers within pci configuration space are shown in table 19.
table 18: pci configuration registers

offset | bits 31..16 | bits 15..00
0x00 | device id | vendor id
0x04 | status | command
0x08 | class code | rev id
0x0c | bist, header type | master latency timer, cache line size
0x10 | memory bar0 (bits 31..0)
0x2c | subsystem id | subsystem vendor id
0x34 | reserved | capabilities pointer
0x3c | max_lat, min_gnt | interrupt pin, interrupt line
0x40 | reserved | retry timeout, trdy timeout
0x48 | power management capabilities | next capability pointer (end of list), power management capability id
0x4c | reserved | power management control/status

an optional serial eeprom allows the following pci register parameters to be modified:
- vendor id
- device id
- subsystem id
- subsystem vendor id
- class code
- revision id
- header type
- maximum latency
- minimum grant
- interrupt pin

in addition, the power management register read-only fields can also be updated by the optional eeprom. for more information, see appendix c, "eeprom information", on page 73.

table 19: pci configuration register bit fields

bits | access | reset | purpose

pci vendor id - 0x00
15:0 | ro | 0x14e4 | hardwired vendor identifier (0x14e4), assigned by pcisig for broadcom.

pci device id - 0x02
31:16 | ro | 0x5823 | hardwired device identifier (0x5823).

pci command register - 0x04
15:10 | rsvd | 0x00 | reserved
9 | rw | 0 | fast back to back master enable
8 | rw | 0 | system error enable
7 | rsvd | 0 | reserved
6 | rw | 0 | parity error enable
5 | rsvd | 0 | reserved
4 | rw | 0 | memory write and invalidate enable
3 | rsvd | 0 | reserved
2 | rw | 0 | bus master enable
1 | rw | 0 | memory access enable
0 | ro | 0 | i/o access enable

pci status register - 0x04
31 | ro | 0 | detected parity error
30 | ro | 0 | signaled system error
29 | ro | 0 | received master abort status
28 | ro | 0 | received target abort status
27 | ro | 0 | signaled target abort status
26:25 | ro | 01 | device select timing
24 | ro | 0 | data parity detected
23 | ro | 1 | fast back to back capable status
22:23 | rsvd | 0 | reserved
20 | ro | 1 | capability list
19:16 | rsvd | 0x00 | reserved

pci rev id - 0x08
7:0 | ro | 0x01/0xe1 | hardwired device revision identifier (0x01 for the domestic version and 0xe1 for the export version)

pci class code register - 0x08
31:8 | ro | 0x0b4000 | class code value (hardwired): 0x0b4000 (processor class, coprocessor subclass)

bist, header, master latency, pci cache line - 0x0c
31 | ro | 0 | bist capable; no bist capability
30 | rw | 0 | bist start; writing has no effect
29:24 | ro | 0x00 | bist register, not supported in the bcm5812; defaults to 0x00
23:16 | ro | 0x00 | header type = 0, single function
15:10 | rw | 0x0c | master latency timer. the value in this register defines the maximum length of the current burst should the pci arbiter logic remove the gnt signal from the bcm5812 device. this value is ignored as long as the gnt signal remains asserted to the bcm5812. once gnt is removed, the latency timer limit is immediately applied. this register can be programmed with values from 0x00 to 0xfc. only the six most significant bits are implemented (the two lsbs are hardwired to 0). a value of zero causes the bcm5812 to perform one data phase.
9:8 | ro | 0x00 | (hardwired low bits of the master latency timer)
7:0 | rw | 0x00 | cache line size. the value in this register determines what types of pci bus master read cycles are generated by the bcm5812 device. when the intended read burst is smaller than a full cache line and is completely contained within a single cache line, a mem_read cycle is generated. when the intended read burst is exactly one full cache line or crosses only one cache line boundary, a mem_read_line cycle is generated. when the intended burst is exactly two full cache lines or crosses multiple cache line boundaries, a mem_read_multiple cycle is used. setting this register to zero inhibits the bcm5812 from generating any mem_read_line or mem_read_multiple cycles.

pci memory bar - 0x10
31:16 | rw | 0xffff | memory base address register (upper), 64 kb region, non-prefetchable, relocate in 32-bit space only.
15:0 | ro | 0x0000 | memory base address register (lower), 64 kb region, non-prefetchable, relocate in 32-bit space only.

subsystem id, subsystem vendor id - 0x2c
31:16 | ro | 0x0200 / 0x0500 | subsystem id: bcm5812-200 = 0x0200, bcm5812-500 = 0x0500
15:0 | ro | 0x14e4 | subsystem vendor id (broadcom pcisig id)

capabilities pointer - 0x34
7:0 | ro | 0x48 | points to a linked list of new pci capabilities (points to register 0x48 in the pci space by default)

pci max_lat, min_gnt, interrupt - 0x3c
31:24 | ro | 0 | pci max_lat parameter
23:16 | ro | 0 | length of burst period, min_gnt
15:8 | ro | 0x1 | interrupt pin register
7:0 | rw | 0 | interrupt line register

pci retry timeout, trdy timeout - 0x40
15:8 | rw | 0x80 | retry times. the value in this register defines the number of consecutive retries addressing a particular memory address that the bcm5812 attempts before setting the dmaerr_intr bit in the bcm5812 dma status register. this register can be programmed with any value between 0x00 and 0xff. a value of 0x00 disables this register, i.e., the bcm5812 allows an infinite number of retries.
7:0 | rw | 0x80 | trdy timeout. the value in this register defines the number of trdy wait states that the bcm5812 allows before setting the dmaerr_intr bit in the bcm5812 dma status register. this value applies to the number of trdy wait states encountered before the initial data phase occurs on the pci bus. this register can be programmed with any value between 0x00 and 0xff. a value of 0x00 disables this register, i.e., the bcm5812 allows an infinite number of trdy wait states.

next capabilities pointer, power management capabilities id - 0x48
15:8 | ro | 0x0 | next capabilities pointer. defaults to 0x0 because it is the end of the capabilities list.
7:0 | ro | 0x1 | power management capabilities id.

power management capabilities register - 0x4a
15:11 | ro | 0 | pme support. the bcm5812 does not support the pme pin.
10 | ro | 0 | indicates whether the device supports the d2 power management state. the bcm5812 does not support this state.
9 | ro | 0 | indicates whether the device supports the d1 power management state. the bcm5812 does not support this state.
8:6 | ro | 0 | auxiliary current. the bcm5812 does not support an auxiliary power supply.
5 | ro | 0 | device specific initialization. it is not necessary for 5823.
4 | rsvd | 0 | reserved
3 | ro | 0 | indicates that the device requires the presence of the pci clock for pme operation. the bcm5812 does not support pme.
2:0 | ro | 0x2 | version of the pci power management interface spec supported. 0x2 means version 1.1 of the spec.

power management control/status (pmcsr) register - 0x4c
15 | ro | 0 | pme status.
14:13 | ro | 0 | data scaling factor used when interpreting the value of the data register. the bcm5812 does not have a data register.
12:9 | ro | 0 | indicates which data is to be reported via the data register. the bcm5812 does not have a data register.
advance data sheet bcm5812 3/11/03 broadcom corporation document 5812-ds01-405-r dma control and status registers page 59 dma c ontrol and s tatus r egisters the dma registers control how master command structures, command context, and packet data are fetched and stored back after processing. all of the following registers are located in pci memory starting at the address programmed by the host processor into bar0. the various registers within the dma control and status space are as follows. 8 ro 0 enables the device to generate pme . bcm5812 does not support pme pin. 7:2 rsvd 0 reserved 1:0 rw 0 current power state. can be set by writing to it.  00 = d0  01 = d1  02 = d2  03 = d3 table 20: dma control and status register summary offset 31 bits 16 15 bits 00 0x00 master command record 1@ 0x04 dma control 0x08 dma status 0x0c dma error address 0x10 master command record 2@ table 21: dma control and status registers bits access reset purpose dma master command record 1@ ? 0x00 31:0 rw x writing the address of a valid master command record to this register causes crypto/ authentication processing of the packet descriptors within that record to begin. this register must only be written when the mcr_full bit of the dma status register is 0. this register is double buffered, such that the mcr_full bit goes to zero very quickly after an initial write to this register. this allows the cpu to write a second mcr address value to this register, effectively queuing up to mcr structures for back to back processing with zero latency. reset state is unknown. do not write if pci master mode is disabled. dma control ? 0x04 31 rw 0 reset ? software reset. normally, it is zero. if software detects hanging or other undesirable states of bcm5812, it writes a one to this bit to reset the bcm5812. the bcm5812 can be used after 256 core-clock cycles. table 19: pci configuration register bit fields (cont.) bits access reset purpose
Table 21: DMA control and status registers (cont.)
Bits   Access  Reset  Purpose

DMA control - 0x04 (cont.)
30     RW      0      mcr2int_en - enable interrupt per MCR for MCR2@. An interrupt is generated every time an entire MCR completes processing. This is the preferred operational mode. Resets to 0.
29     RW      0      mcr1int_en - enable interrupt per MCR for MCR1@. An interrupt is generated every time an entire MCR completes processing. This is the preferred operational mode. Resets to 0.
28     RSVD    0      Reserved.
27     RW      1      le_cryptonet - software structures in DMA memory (as seen from the PCI bus) are in: 1 = little endian format; 0 = big endian format. The BCM5812 uses this bit to correctly interpret the appropriate structures in DMA memory during BCM5812 bus master operations. Optimally, this bit should match the endianness of the host CPU.
26     RW      1      normal_pci: 1 = normal PCI mode; 0 = swapped PCI mode, all PCI bus master memory data is internally byte-swapped by the BCM5812. Used for testing. This bit should normally be set to 1.
25     RW      0      dmaerr_en - enable interrupt upon DMA master access error.
24     RSVD    0      Reserved.
23     RW      0      rng_mode: 0 = 1 random bit per one slow clock cycle; 1 = 1 random bit per two slow clock cycles.
22     RW      0      Modulus normalization: 0 = modulus normalization is done by the BCM5812, and software must not perform the modulus normalization function; 1 = modulus normalization must be done by software. Provided for backwards compatibility. Should always be 0.
21:17  RSVD    0      Reserved.
16     RW      0      DMA master write burst size select: 0 = master write burst size is 128 bytes; 1 = master write burst size is 240 bytes.
15:0   RSVD    0      Reserved.

DMA status - 0x08
31     RO      0      Master access in progress. Resets to 0.
30     RO      0      mcr1_full flag = master command address register is full. When this flag is 1, the CPU must not write to the MCR1@ register. When this flag is 0, the CPU may write a value to the MCR1@ register to request processing of a master command structure. Resets to 0.
29     RW      0      mcr1_intr = completion interrupt status of the per-MCR interrupt for MCR1@. Cleared by writing a 1 to this bit position. This bit accurately reflects processing status even if the corresponding interrupt enable bit is disabled (in which case a PCI interrupt is not generated). This bit is sticky until cleared explicitly. Resets to 0.
28     RW      0      dmaerr_intr = interrupt status for MCR DMA master access error. Sticky until explicitly cleared by writing a 1 to this bit position. This bit accurately reflects status even if the corresponding interrupt enable bit is off (in which case a PCI interrupt is not generated). Resets to 0.
27     RO      0      mcr2_full flag = master command address register is full. When this flag is 1, the CPU must not write to the MCR2@ register. When this flag is 0, the CPU may write a value to the MCR2@ register to request processing of a master command structure. Resets to 0.
26     RW      0      mcr2_intr = completion interrupt status of the per-MCR interrupt for MCR2@. Cleared by writing a 1 to this bit position. This bit accurately reflects processing status even if the corresponding interrupt enable bit is disabled (in which case a PCI interrupt is not generated). This bit is sticky until cleared explicitly. Resets to 0.
25     RO      0      mcr1_all_empty = all the MCRs in the MCR1@ register are done. Cleared by writing a 1 to this bit position or by writing a 1 to the mcr1_intr bit position. This bit is sticky until cleared. Resets to 0.
24     RO      0      mcr2_all_empty = all the MCRs in the MCR2@ register are done. Cleared by writing a 1 to this bit position or by writing a 1 to the mcr2_intr bit position. This bit is sticky until cleared. Resets to 0.

DMA error address - 0x0C
31:2   RO      x      Address of the master access that resulted in a PCI fault (32-bit word address). Reset state unknown.
1      RO      x      0 = faulted master access was a write; 1 = faulted master access was a read. Reset state unknown.

DMA master command record 2@ - 0x10
31:0   RW      x      Writing the address of a valid master command record to this register causes key setup processing of the data within that record to begin. This register must only be written when the mcr_full bit of the DMA status register is 0. This register is quadruple buffered because the BCM5812 can process two key setup MCRs simultaneously, such that the mcr_full bit goes to zero very quickly after two initial writes to this register. This allows the CPU to write third and fourth MCR address values to this register, effectively queuing up four MCR structures for back-to-back processing with zero latency. Reset state is unknown. Do not write if PCI master mode is disabled.
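The MCR1@ submission rules above (write only while mcr1_full is 0, two buffers in flight, sticky write-1-to-clear interrupt bits, never write with PCI master mode disabled) as an added C example; this is not Broadcom driver code. The register block is a constructed software model with the Table 21 behaviour, and its bus_master field is a hypothetical stand-in for the PCI command register's bus master enable bit.

```c
#include <stdbool.h>
#include <stdint.h>

/* BAR0 offsets (Table 20) and DMA status bit positions (Table 21). */
#define REG_MCR1     0x00
#define REG_DMA_STAT 0x08

#define STAT_MCR1_FULL   (1u << 30)
#define STAT_MCR1_INTR   (1u << 29)
#define STAT_DMAERR_INTR (1u << 28)
#define STAT_MCR2_INTR   (1u << 26)
/* Sticky bits that software clears by writing a 1 (write-1-to-clear, W1C). */
#define STAT_W1C_MASK (STAT_MCR1_INTR | STAT_DMAERR_INTR | STAT_MCR2_INTR)

/* Constructed stand-in for the BAR0 register block (a real driver issues MMIO
 * accesses here). It models only what Table 21 states: MCR1@ takes two
 * addresses before mcr1_full is raised, and the *_intr bits are sticky W1C.
 * bus_master is a hypothetical field: PCI command register bus master enable. */
struct sim_regs {
    uint32_t status;      /* DMA status, offset 0x08 */
    unsigned queued;      /* MCR1@ addresses accepted but not yet completed */
    bool     bus_master;
};

static uint32_t reg_read(const struct sim_regs *r, unsigned off)
{
    return off == REG_DMA_STAT ? r->status : 0;
}

static void reg_write(struct sim_regs *r, unsigned off, uint32_t v)
{
    if (off == REG_MCR1) {
        if (++r->queued >= 2)               /* double buffered: two in flight */
            r->status |= STAT_MCR1_FULL;
    } else if (off == REG_DMA_STAT) {
        r->status &= ~(v & STAT_W1C_MASK);  /* only the W1C bits react */
    }
}

/* Model the chip finishing one MCR: the buffer frees and mcr1_intr is raised. */
static void sim_complete_one(struct sim_regs *r)
{
    if (r->queued == 0) return;
    r->queued--;
    r->status = (r->status & ~STAT_MCR1_FULL) | STAT_MCR1_INTR;
}

/* Submit an MCR address: never while mcr1_full is set, and never with bus
 * mastering off (Appendix B: the microcode would then wait forever). */
bool mcr1_submit(struct sim_regs *r, uint32_t mcr_pci_addr)
{
    if (!r->bus_master) return false;
    if (reg_read(r, REG_DMA_STAT) & STAT_MCR1_FULL) return false;
    reg_write(r, REG_MCR1, mcr_pci_addr);
    return true;
}

/* Correct acknowledgement: write only the bit being cleared. */
void mcr1_ack(struct sim_regs *r) { reg_write(r, REG_DMA_STAT, STAT_MCR1_INTR); }

/* Classic bug: read-modify-write on a W1C register also clears every other
 * sticky bit that happens to be set, such as a pending dmaerr_intr. */
void mcr1_ack_rmw_bug(struct sim_regs *r)
{
    reg_write(r, REG_DMA_STAT, reg_read(r, REG_DMA_STAT) | STAT_MCR1_INTR);
}

/* Walk the submit/complete/acknowledge sequence. Returns 0 on success, or the
 * number of the first step whose outcome differs from what Table 21 states. */
int selftest_mcr1(void)
{
    struct sim_regs r = { 0, 0, true };
    if (!mcr1_submit(&r, 0x00100000)) return 1;   /* constructed MCR addresses */
    if (!mcr1_submit(&r, 0x00100400)) return 2;   /* second buffer still free */
    if (mcr1_submit(&r, 0x00100800))  return 3;   /* must refuse: mcr1_full */
    sim_complete_one(&r);
    if (!(reg_read(&r, REG_DMA_STAT) & STAT_MCR1_INTR)) return 4;
    if (!mcr1_submit(&r, 0x00100800)) return 5;   /* a buffer freed up again */
    r.status |= STAT_DMAERR_INTR;                 /* simulate a DMA fault */
    mcr1_ack(&r);
    if (!(r.status & STAT_DMAERR_INTR)) return 6; /* correct ack keeps it */
    r.status |= STAT_MCR1_INTR;
    mcr1_ack_rmw_bug(&r);
    if (r.status & STAT_DMAERR_INTR) return 7;    /* RMW silently lost it */
    r.bus_master = false;
    if (mcr1_submit(&r, 0x00100c00)) return 8;    /* refused: no bus master */
    return 0;
}
```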
Section 4: Electrical and Timing Characteristics

BCM5812 PCI pins violate t_hd slightly (0.6 ns vs. 0 ns in the PCI spec). t_val, t_su, and t_su(ptp) are within the PCI timing specifications over the entire operating range.

Table 22: Electrical and timing specifications
Parameter              Typical                                         Description
PCI compliance         3.3V and 5V                                     Over the range of 25-33 MHz PCI clocks
Supply voltage         3.3V ±5% for I/O buffers; 1.8V ±5% for the core  I/O buffers 3.3V
Operating temperature  0-70°C                                          Within the commercial temperature range
DC characteristics for the I/O pins follow the PCI 2.2 DC specifications; the BCM5812 works in both 3.3V and 5V environments.

Table 23: PCI pin timing specifications (33 MHz)
Symbol     Parameter                                                    Min     Max  Units
t_val      PCI_CLK to signal valid delay - bussed signals               2       11   ns
t_su       Input setup time to PCI_CLK - bussed signals                 7            ns
t_su(ptp)  Input setup time to PCI_CLK - point to point signals (REQ and GNT)  10, 12  ns
t_hd       Input hold time from PCI_CLK                                 0            ns

Table 24: Power consumption (BCM5812-200)
Parameter   Max power  Max current  Max voltage (Vnominal +5%)
Peripheral  0.05 W     14.4 mA      3.46 V
Core        0.4 W      211 mA       1.89 V
Table 25: 196-pin FBGA package thermal parameters (still air, no heat sink)
Parameter                       Value
Theta JA (junction to ambient)  33.75 °C/W
Theta JB (junction to board)    16.40 °C/W
Theta JC (junction to case)     6.5 °C/W
Max ambient temperature         70 °C
Section 5: Performance

System Throughput

System throughput values for the BCM5812 are shown below in Table 26. System values represent measured, memory to memory, in-system throughput on an optimal platform using large buffer sizes and maximum pipelining.

Table 26: BCM5812 system throughput
Function                                                  Value
IPsec 3DES with HMAC-MD5-96 or HMAC-SHA-1-96              50 Mbps
IPsec AES 256-bit key with HMAC-MD5-96 or HMAC-SHA-1-96   50 Mbps
IPsec NULL with HMAC-MD5-96                               80 Mbps
IPsec NULL with HMAC-SHA-1-96                             70 Mbps
ARCFOUR                                                   80 Mbps
SSL-MAC using MD5                                         80 Mbps
SSL-MAC using SHA-1                                       70 Mbps
TLS-HMAC-MD5                                              80 Mbps
TLS-HMAC-SHA-1                                            70 Mbps
Diffie-Hellman (1024-bit modulus, 180-bit exponent)       50 generate+shared per second
DSA sign with 1024-bit public key, 160-bit private key    50 per second
DSA verify with 1024-bit public key, 160-bit private key  30 per second
RSA private key CRT, 1024-bit modulus                     65 per second
Random number generation                                  100 kbps
Packet Performance

IPsec

Table 27 shows in-system performance for the BCM5812, in Mbps, for 3DES encryption with HMAC-SHA-1 authentication and different data packet sizes. Performance was measured using contiguous data packets (i.e., one input fragment and one output fragment descriptor). Each MCR had 64 packet descriptors for packet sizes up to 1024 bytes, 16 packet descriptors for packet sizes 1400 and 2048, and 4 packet descriptors for the two largest sizes. Different keys (i.e., security associations) were used on a per-packet basis. Performance is given for both inbound (decrypt) and outbound (encrypt) directions.

Table 28 shows the in-system performance for AES under the same conditions. Each MCR had 64 packet descriptors for packet sizes up to 512 bytes, 16 packet descriptors for packet sizes 1024, 1400, and 2048, and 4 packet descriptors for the two largest sizes.

Table 27: BCM5812 3DES IPsec performance by packet size (Mbps; 32-bit PCI at 33 MHz)
Packet size (bytes)  64  128  256  304  512  1024  1400  2048  5120  10240
Outbound             16  24   35   40   45   53    55    59    62    64
Inbound              18  29   40   43   50   56    57    61    63    65

Table 28: BCM5812 AES IPsec performance by packet size (Mbps; 32-bit PCI at 33 MHz)
Packet size (bytes)  64  128  256  304  512  1024  1400  2048  5120  10240
Outbound             16  25   39   47   58   66    72    76    81    85
Inbound              19  31   46   50   61   71    74    79    83    86
Section 6: Mechanical Information

Package Drawing

Figure 42: 196-pin FBGA package drawing
Section 7: Ordering Information

Table 29: BCM5812 ordering information
Marketing part number  Ordering part number  Package       Ambient temperature
BCM5812                BCM5812KFB            196-pin FBGA  0 to 70 °C
Appendix B: Programming Considerations

This appendix summarizes invalid operation conditions, chaining restrictions, and alignment restrictions mentioned in the text.

Invalid Operation Conditions

This section summarizes the conditions that cause unpredictable results to be written to memory, or possibly a hang condition.

Zero Packet Lengths
IPsec operations should never be supplied a zero packet length parameter in the packet descriptor. The offset field in the command context should never be equal to or greater than the packet length.

Zero Fragment Lengths in Fragment Chain Entry Descriptors
All buffer lengths in input and output fragment chain entries that refer to actual data buffers must contain non-zero values.

Erroneous Parameter Specifications
Situations such as illegal authentication specifiers, misaligned structure members, or misaligned output packet payload data should be guaranteed never to occur.

Output Fragment Addresses for Misaligned Buffers
All output data should be aligned on 32-bit boundaries. See "Alignment Restrictions" on page 71.

Output Fragment Lengths That Are Not a Multiple of 4
All output data buffers must have a length that is a multiple of 32 bits. See "Alignment Restrictions" on page 71.

Non-Zero Offset with NULL Encryption
The offset must be zero when NULL encryption is specified.

NULL Authentication with NULL Encryption
At least one of authentication or encryption must be specified.
Incorrect Data Size for Encryption
Whenever 3DES or AES is enabled, the length of input data to be encrypted or decrypted must be a multiple of the block size, which is eight bytes for 3DES and sixteen bytes for AES. The BCM5812 calculates this length as the packet length from the command context minus the number of bytes (specified in 32-bit words) in the offset field in the command context.

Writing to the MCR Register with PCI Master Mode Disabled
Doing so causes the BCM5812 control microcode to start processing, waiting for a PCI master mode access that never begins.

Modular Arithmetic Operation Restrictions

In modular exponentiation, the exponent length must be less than the modulus length. In all modular arithmetic operations, the modulus cannot be less than 16 bits. In all modular arithmetic operations other than remainder, the arguments must be less than the modulus. In remainder, the input parameter size must be equal to the modulus parameter size; thus, the input argument must be between the modulus and the maximum parameter size.

Chaining Operation Dependencies

The BCM5812 can perform chaining operations (the output of the first operation feeds as the input to the second operation within the same MCR) for the most frequent SSL/TLS operations. However, there are limitations on how chaining can be done for the other SSL/TLS operations.

SSL-MAC or TLS-HMAC Followed by ARCFOUR
Figure 12 on page 14 shows the structure of SSL or TLS protocol records. For outgoing SSL or TLS record layer processing, which typically requires computing the authentication code over the clear text followed by encryption of the data with the authentication code appended, the BCM5812 allows authentication and encryption to be performed in back-to-back packet descriptors in the same MCR.
In other words, it is safe to use the SSL-MAC or TLS-HMAC hash output as the data input to ARCFOUR. The authentication code may need its own fragment chain entry to ensure that it is aligned on a 32-bit boundary (see "Alignment Restrictions" on page 71 below).

ARCFOUR or 3DES Followed by SSL-MAC or TLS-HMAC
Incoming SSL or TLS record layer processing typically requires decryption followed by computing the authentication code over the clear text. For the BCM5812, decryption followed by authentication of the decrypted data can be performed in back-to-back packet descriptors in the same MCR. In other words, it is safe to have the ARCFOUR or 3DES data output as input to the SSL-MAC or TLS-HMAC.
MD5 or SHA-1 Followed by MD5 or SHA-1
SSL or TLS master key and connection key derivations require multiple successive hash operations, with the output of some operations feeding into the input of the next. In general, the BCM5812 should not be used with chained authentication operations where the output of one hash operation is used as input by the immediately following operation in the packet descriptor list. This applies to any of MD5 hash, SHA-1 hash, SSL-MAC, or TLS-HMAC followed by MD5 hash, SHA-1 hash, SSL-MAC, or TLS-HMAC. There are three recommendations:

- Interleave an independent operation between two dependent operations. For the SSL key derivation example, perform the SHA-1 operations first, followed by the MD5 operations. If three operations are required to generate 48 bits of key material, the MD5 input would use the SHA-1 output from three operations prior.
- Put the dependent operations in separate MCRs.
- Ensure that the output of the first operation is not within the first 64 bytes of input read by the next operation. At an operation transition, the BCM5812 may prefetch up to 64 bytes of input while it stages completion of the previous operation.

3DES/HMAC Followed by 3DES/HMAC
The authentication function performed by 3DES/HMAC-MD5 or SHA-1 can be used for TLS key derivation with the 3DES option bit zero in the flags word in the command context. In this case, the same comments apply as under "MD5 or SHA-1 Followed by MD5 or SHA-1" on page 71.

SSL-MAC or TLS-HMAC Followed by SSL-3DES
In the case of a TLS-MAC or SSL-MAC operation followed by an SSL-3DES operation, the chip starts prefetching the input data (64 bytes) for the 3DES before it writes out the hash of the first operation. The input data read of the second operation is suspended while the BCM5812 writes out the hash of the first operation. It then comes back to complete the data input read for SSL-3DES. In this case, the same suggestions as in "MD5 or SHA-1 Followed by MD5 or SHA-1" on page 71 should be applied.

Alignment Restrictions

Table 30 shows alignment requirements for all memory-resident data in IPsec, SSL, and TLS encryption and authentication operations. The flexibility with respect to input packet payload data allows extreme combinations to be supported. For instance, a packet with 16,000 bytes of input payload data could be described as a chain of 16,000 descriptors, with each descriptor holding one single byte. The BCM5812 handles such an extreme situation correctly from a functional standpoint, albeit with reduced performance from the huge number of descriptor fetches.

For ARCFOUR encryption, data can be any length, not necessarily a multiple of 32-bit words. In this case, the last word of an output data buffer may contain one, two, three, or four bytes of actual ARCFOUR data. The non-ARCFOUR data in the word could be anything and should be ignored by software. The output fragment length for the data buffer should indicate the actual ARCFOUR data length; it need not be a multiple of 4 bytes.
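The chaining hazard described in the three preceding subsections (a hash or MAC output consumed by an immediately following hash, MAC, or SSL-3DES operation, within the 64-byte prefetch window) as an added C check that a driver could run over a packet descriptor list before submitting it; this is not Broadcom code. The chain_op structure is a hypothetical one-input, one-output simplification of the real fragment-chain descriptors, and all addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Operation kinds named by the chaining rules in Appendix B. */
enum op_kind { OP_MD5, OP_SHA1, OP_SSL_MAC, OP_TLS_HMAC, OP_3DES_HMAC_AUTH_ONLY,
               OP_ARCFOUR, OP_3DES, OP_SSL_3DES };

/* Hypothetical simplified descriptor: one input range and one output range
 * (the real descriptors use fragment chains; this is only a model). */
struct chain_op {
    enum op_kind kind;
    uint32_t in_addr, in_len;
    uint32_t out_addr, out_len;
};

#define PREFETCH_BYTES 64u  /* the chip may prefetch up to 64 bytes of next input */

/* Producers whose output is a hash/MAC value (including 3DES/HMAC used in
 * authentication-only mode for TLS key derivation). */
static int produces_hash(enum op_kind k)
{
    return k == OP_MD5 || k == OP_SHA1 || k == OP_SSL_MAC ||
           k == OP_TLS_HMAC || k == OP_3DES_HMAC_AUTH_ONLY;
}

/* Consumers that must not immediately read a hash output: another hash/MAC,
 * or SSL-3DES. ARCFOUR and 3DES after a MAC are documented as safe. */
static int prefetches_early(enum op_kind k)
{
    return produces_hash(k) || k == OP_SSL_3DES;
}

static int ranges_overlap(uint32_t a, uint32_t alen, uint32_t b, uint32_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Return the index of the first operation whose output lands inside the first
 * 64 input bytes of a dependent successor, or -1 if the chain is safe. */
int chain_hazard(const struct chain_op *ops, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++) {
        const struct chain_op *a = &ops[i], *b = &ops[i + 1];
        if (!produces_hash(a->kind) || !prefetches_early(b->kind)) continue;
        uint32_t window = b->in_len < PREFETCH_BYTES ? b->in_len : PREFETCH_BYTES;
        if (ranges_overlap(a->out_addr, a->out_len, b->in_addr, window))
            return (int)i;
    }
    return -1;
}

/* Two-operation helper: does b, placed right after a, read a's output early? */
int pair_hazard(enum op_kind a, uint32_t a_out, uint32_t a_out_len,
                enum op_kind b, uint32_t b_in, uint32_t b_in_len)
{
    struct chain_op ops[2] = {
        { a, 0x1000, 80, a_out, a_out_len },       /* constructed input range */
        { b, b_in, b_in_len, 0x3000, 16 },         /* constructed output range */
    };
    return chain_hazard(ops, 2);
}

/* The first recommendation applied to a constructed SSL-style derivation:
 * the three SHA-1 operations run first, so each MD5 reads an output produced
 * three operations earlier rather than by its immediate predecessor. */
int example_interleaved_chain(void)
{
    const struct chain_op ops[] = {
        { OP_SHA1, 0x1000, 80, 0x2000, 20 },
        { OP_SHA1, 0x1100, 80, 0x2020, 20 },
        { OP_SHA1, 0x1200, 80, 0x2040, 20 },
        { OP_MD5,  0x2000, 20, 0x3000, 16 },
        { OP_MD5,  0x2020, 20, 0x3010, 16 },
        { OP_MD5,  0x2040, 20, 0x3020, 16 },
    };
    return chain_hazard(ops, sizeof ops / sizeof ops[0]);
}
```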
Table 31 shows alignment requirements for all memory-resident data in DH/RSA/DSA/modular arithmetic operations.

Table 30: Alignment restrictions for IPsec/SSL/TLS crypto/authentication operations
Memory-resident data type                     Alignment requirement  Size requirement
Packet payload data
  Input data buffers (per chain entry)        None (byte)            None (byte)
  Output data buffers (per chain entry)       32-bit                 Multiple of 32 bits
Control and command structures
  Chain entry descriptors (input and output)  32-bit                 Fixed (3 words of 32 bits)
  Command context structures                  32-bit                 Fixed (depends on operation); 64 bytes minimum is read
  Master command record structures            32-bit                 (1 + #pkts × 8) 32-bit words

Table 31: Alignment restrictions for DH/RSA/DSA/modular arithmetic operations
Memory-resident data type                     Alignment requirement  Size requirement
Packet payload data
  Input data buffers (per chain entry)        32-bit                 Multiple of 32 bits
  Output data buffers (per chain entry)       32-bit                 Multiple of 32 bits
Control and command structures
  Chain entry descriptors (input and output)  32-bit                 Fixed (3 words of 32 bits)
  Command context structure                   32-bit                 Fixed (depends on operation); 64 bytes minimum is read
  Master command record                       32-bit                 (1 + #pkts × 8) 32-bit words
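The invalid operation conditions of Appendix B (zero packet length, offset at or beyond the packet length, NULL with NULL, non-zero offset with NULL encryption, the 3DES/AES block-size rule computed as packet length minus offset words × 4, zero fragment lengths) together with the Table 30 output-buffer alignment rules, collected into one pre-submission validator as an added C example; this is not Broadcom code. The pkt_req and frag structures are hypothetical simplifications of the real command context and fragment chain entries, and all addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum cipher { CIPHER_NULL, CIPHER_3DES, CIPHER_AES, CIPHER_ARCFOUR };
enum auth   { AUTH_NULL, AUTH_HMAC_MD5, AUTH_HMAC_SHA1 };

enum check_result {
    CHK_OK,
    CHK_ZERO_PACKET_LEN,      /* "Zero packet lengths" */
    CHK_OFFSET_TOO_LARGE,     /* offset equal to or greater than packet length */
    CHK_NULL_AUTH_AND_ENC,    /* at least one of the two must be specified */
    CHK_NULL_ENC_OFFSET,      /* offset must be zero with NULL encryption */
    CHK_BAD_BLOCK_MULTIPLE,   /* 3DES needs 8-byte, AES 16-byte multiples */
    CHK_ZERO_FRAGMENT_LEN,    /* every chain entry length must be non-zero */
    CHK_OUTPUT_MISALIGNED,    /* output buffers start on 32-bit boundaries */
    CHK_OUTPUT_LEN_NOT_MULT4  /* output buffer length a multiple of 32 bits */
};

/* Hypothetical, simplified view of one packet: only the fields the Appendix B
 * rules touch are modelled, not the chip's real structure layouts. */
struct frag { uint32_t addr; uint32_t len; };
struct pkt_req {
    enum cipher cipher;
    enum auth   auth;
    uint32_t packet_len;     /* bytes, as in the command context */
    uint32_t offset_words;   /* command-context offset field, in 32-bit words */
    const struct frag *in;   size_t n_in;
    const struct frag *out;  size_t n_out;
};

static uint32_t block_size(enum cipher c)
{
    return c == CIPHER_3DES ? 8 : c == CIPHER_AES ? 16 : 0;
}

enum check_result check_request(const struct pkt_req *p)
{
    if (p->packet_len == 0) return CHK_ZERO_PACKET_LEN;
    uint32_t off = p->offset_words * 4;            /* offset is given in words */
    if (off >= p->packet_len) return CHK_OFFSET_TOO_LARGE;
    if (p->cipher == CIPHER_NULL && p->auth == AUTH_NULL) return CHK_NULL_AUTH_AND_ENC;
    if (p->cipher == CIPHER_NULL && off != 0) return CHK_NULL_ENC_OFFSET;
    /* Encrypted length = packet length minus offset bytes (Appendix B). */
    uint32_t bs = block_size(p->cipher);
    if (bs != 0 && (p->packet_len - off) % bs != 0) return CHK_BAD_BLOCK_MULTIPLE;
    for (size_t i = 0; i < p->n_in; i++)       /* input: any byte alignment */
        if (p->in[i].len == 0) return CHK_ZERO_FRAGMENT_LEN;
    for (size_t i = 0; i < p->n_out; i++) {
        if (p->out[i].len == 0) return CHK_ZERO_FRAGMENT_LEN;
        if (p->out[i].addr & 3) return CHK_OUTPUT_MISALIGNED;
        /* ARCFOUR output may end in a partial word; all other output buffer
         * lengths must be a multiple of 32 bits (Table 30). */
        if (p->cipher != CIPHER_ARCFOUR && (p->out[i].len & 3))
            return CHK_OUTPUT_LEN_NOT_MULT4;
    }
    return CHK_OK;
}

/* Contiguous-packet wrapper: one input fragment and one output fragment. */
enum check_result check_contiguous(enum cipher c, enum auth a, uint32_t packet_len,
                                   uint32_t offset_words, uint32_t out_addr,
                                   uint32_t out_len)
{
    struct frag in  = { 0x00200000, packet_len };  /* constructed input address */
    struct frag out = { out_addr, out_len };
    struct pkt_req p = { c, a, packet_len, offset_words, &in, 1, &out, 1 };
    return check_request(&p);
}
```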
Appendix C: EEPROM Information

Description

The BCM5812 optional serial EEPROM should be an industry standard type 93C46. The part should be configured for 16-bit operation and connected as shown in Figure 43. The EEPROM must be externally programmed, as the BCM5812 does not support write or erase cycles.

Figure 43: EEPROM connection (drawing not reproduced; signals shown: BCM5823 EEPROM_CS, EEPROM_DI, EEPROM_DO, EEPROM_SK, EEPROM#; 93C46 CS, DI, DO, SK, ORG, VCC)

Programming

Table 32 shows the EEPROM locations accessed by the BCM5812 and what information should be programmed into each. For reference, the equivalent default value for that location, which the BCM5812 supplies if no EEPROM is present, is also listed. All other locations should be programmed to 0xFF. Although the BCM5812 makes 16-bit accesses, the EEPROM contents are shown in Table 32 with their respective byte offset, as though for byte programming.
If the EEPROM is present, the BCM5812 unconditionally uses the value at the specified address to replace the indicated default PCI configuration value.

Table 32: EEPROM programming
EEPROM address (byte, hex)  Field                                        PCI register offset (bytes)  Field length (bits)  Default value (hex)
0x00                        Vendor ID (low byte)                         0x00                         16                   0xE4
0x01                        Vendor ID (high byte)                        0x01                                              0x14
0x02                        Device ID (low byte)                         0x02                         16                   0x23
0x03                        Device ID (high byte)                        0x03                                              0x58
0x08                        Revision ID                                  0x08                         8                    0x01 (a)
0x09                        Class code (low byte)                        0x09                         8                    0x00
0x0A                        Class code (middle byte)                     0x0A                         16                   0x40
0x0B                        Class code (high byte)                       0x0B                                              0x0B
0x0C                        Header type                                  0x0E                         8                    0x00
0x0D                        BIST capable                                 0x0F                         8                    0x00
0x2C                        Subsystem vendor ID (low byte)               0x2C                         16                   0xE4
0x2D                        Subsystem vendor ID (high byte)              0x2D                                              0x14
0x2E                        Subsystem ID (low byte)                      0x2E                         16                   0x00
0x2F                        Subsystem ID (high byte)                     0x2F                                              0x05 (b)
0x34                        Capabilities pointer                         0x34                         8                    0x48
0x3D                        Interrupt pin                                0x3D                         8                    0x01
0x3E                        Maximum latency                              0x3E                         8                    0x00
0x3F                        Minimum grant                                0x3F                         8                    0x00
0x48                        Power management capability ID               0x48                         8                    0x00
0x49                        Next capability pointer (EOL)                0x49                         8                    0x01
0x4A                        Power management capability (low byte)       0x4A                         16                   0x02
0x4B                        Power management capability (high byte)      0x4B                                              0x00
0x4C                        Power management control/status (low byte)   0x4C                         16                   0x00
0x4D                        Power management control/status (high byte)  0x4D                                              0x00

a. EXPORT pulled down or open (default). If EXPORT is pulled high, this value is 0xE1.
b. This value is for the BCM5812-500; the BCM5812-200 reports 0x05.
Document 5812-DS01-405-R

Broadcom Corporation, 16215 Alton Parkway, P.O. Box 57013, Irvine, CA 92619-7013. Phone: 949-450-8700. Fax: 949-450-8710.

Broadcom Corporation reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom Corporation is believed to be accurate and reliable. However, Broadcom Corporation does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

