Datasheet
3. Generating the Tag using length of AAD, length of C and J
0
(refer to NIST documentation for details).
The T
ag generation can be done either automatically, after the end of AAD/C processing if AES_MR.GTAGEN is set,
or manually using AES_GHASHRx.GHASH (see subsections Processing a Complete Message with Tag Generation
and Manual GCM Tag Generation for details).
57.4.4.3.1 Processing a Complete Message with Tag Generation
Use this procedure only if J0 four LSB bytes ≠ 0xFFFFFFFF.
Note: If J
0
four LSB bytes = 0xFFFFFFFF or if the value is unknown, use the procedure described in Processing a
Complete Message without Tag Generation followed by the procedure in Manual GCM Tag Generation.
Figure 57-6. Full Message Alignment
AAD
C (Text)
16-byte Boundaries
Padding Padding
AADLEN CLEN
To process a complete message with Tag generation, the sequence is as follows:
1.
Set AES_MR.OPMOD to GCM and AES_MR.GTAGEN to ‘1’.
2. Set the AES Key Register and wait until AES_ISR.DATRDY is set (GCM hash subkey generation complete);
use interrupt if needed. See Key Writing and Automatic Hash Subkey Calculation.
3. Calculate the J
0
value as described in NIST documentation J
0
= IV || 0
31
|| 1 when len(IV) = 96 and J
0
=
GHASH
H
(IV || 0
s+64
|| [len(IV)]64) if len(IV) ≠ 96. See Processing a Message with only AAD (GHASHH) for J
0
generation.
4. Set AES_IVRx.IV with inc32(J
0
) (J
0
+ 1 on 32 bits).
5. Configure AES_AADLENR.AADLEN and AES_CLENR.CLEN.
6. Fill AES_IDATARx.IDATA with the message to process according to the SMOD configuration used. If Manual
Mode or Auto Mode is used, the DATRDY bit indicates when the data have been processed (however, no
output data are generated when processing AAD).
7. Wait for TAGRDY to be set (use interrupt if needed), then read AES_TAGRx.TAG to obtain the authentication
tag of the message.
57.4.4.3.2 Processing a Complete Message without Tag Generation
Processing a message without generating the Tag can be used to customize the Tag generation, or to process a
fragmented message. To manually generate the GCM Tag, see Manual GCM Tag Generation.
To process a complete message without Tag generation, the sequence is as follows:
1. Set AES_MR.OPMOD to GCM and AES_MR.GTAGEN to ‘0’.
2. Set the AES Key Register and wait until AES_ISR.DATRDY is set (GCM hash subkey generation complete);
use interrupt if needed. After the GCM hash subkey generation is complete the GCM hash subkey can be read
or overwritten with specific value in AES_GCMHRx. See Key Writing and Automatic Hash Subkey Calculation.
3. Calculate the J0 value as described in NIST documentation J
0
= IV || 0
31
|| 1 when len(IV) = 96 and J
0
=
GHASH
H
(IV || 0
s+64
|| [len(IV)]64) if len(IV) ≠ 96. See Processing a Message with only AAD (GHASHH) for J
0
generation example when len(IV) ≠ 96.
4. Set AES_IVRx.IV with inc32(J
0
) (J
0
+ 1 on 32 bits).
5. Configure AES_AADLENR.AADLEN and AES_CLENR.CLEN.
6. Fill AES_IDATARx.IDATA with the message to process according to the SMOD configuration used. If Manual
Mode or Auto Mode is used, the DATRDY bit indicates when the data have been processed (however, no
output data are generated when processing AAD).
7. Make sure the last output data have been read if AES_CLENR.CLEN ≠ 0 (or wait for DATRDY), then read
AES_GHASHRx.GHASH to obtain the hash value after the last processed data.
57.4.4.3.3 Processing a Fragmented Message without Tag Generation
If needed, a message can be processed by fragments, in such case automatic GCM Tag generation is not supported.
SAM E70/S70/V70/V71 Family
Advanced Encryption Standard (AES)
© 2019 Microchip T
echnology Inc.
Datasheet
DS60001527D-page 1792