19. AES hardware accelerator (AES)

19.1 Introduction

The AES hardware accelerator (AES) encrypts or decrypts data, using an algorithm and implementation fully compliant with the advanced encryption standard (AES) defined in Federal information processing standards (FIPS) publication 197.

Multiple chaining modes are supported (ECB, CBC, CTR), for a key size of 128 bits.

The AES accelerator is a 32-bit AHB peripheral. It supports DMA single transfers for incoming and outgoing data (two DMA channels required).

The AES peripheral provides hardware acceleration to the AES cryptographic algorithms packaged in the STM32 cryptographic library.

AES is an AMBA AHB slave peripheral, accessible through 32-bit word single accesses only (otherwise an AHB bus error is generated and write accesses are ignored).

19.2 AES main features

19.3 AES implementation

The device has a single instance of the AES peripheral.

19.4 AES functional description

19.4.1 AES block diagram

Figure 84 shows the block diagram of AES.

AES block diagram showing internal components: AHB interface, Banked registers (AES_KEYRx, AES_IVRx, AES_SR, AES_CR, AES_DINR, AES_DOUTR), DMA interface, IRQ interface, Control Logic, and AES Core (AEA) with a swap block. External signals include 32-bit AHB bus, aes_hclk, aes_in_dma, aes_out_dma, and aes_it.

Figure 84. AES block diagram

The diagram illustrates the internal architecture of the AES peripheral. On the left, external signals connect to internal interfaces: a 32-bit AHB bus and aes_hclk connect to the AHB interface; aes_in_dma, aes_out_dma, and aes_it connect to the DMA and IRQ interfaces. The AHB interface connects to a set of 'Banked registers' via '32-bit access' lines labeled 'key', 'IV, counter', 'status', and 'control'. These registers are AES_KEYRx, AES_IVRx, AES_SR, AES_CR, AES_DINR, and AES_DOUTR. The registers connect to the 'AES Core (AEA)' via internal signals: 'KEY', 'IVI', 'DIN', and 'DOUT'. A 'swap' block is positioned between the registers and the AES Core. Below the registers, 'Control Logic' is connected to the DMA and IRQ interfaces and has bidirectional connections to the AES Core. The diagram is labeled 'MSv42155V1' in the bottom right corner.


19.4.2 AES internal signals

Table 87 describes the user relevant internal signals interfacing the AES peripheral.

Table 87. AES internal input/output signals

| Signal name | Signal type | Description |
|---|---|---|
| aes_hclk | digital input | AHB bus clock |
| aes_it | digital output | AES interrupt request |
| aes_in_dma | digital input/output | Input DMA single request/acknowledge |
| aes_out_dma | digital input/output | Output DMA single request/acknowledge |

19.4.3 AES cryptographic core

Overview

The AES cryptographic core consists of the following components:

The AES core works on 128-bit data blocks (four words) with 128-bit key length. Depending on the chaining mode, the AES requires zero or one 96-bit initialization vector IV (and a 32-bit counter field).

The AES features the following modes of operation:

Note: Mode 2 and mode 4 are only used when performing ECB and CBC decryption.

When Mode 4 is selected only one decryption can be done, therefore usage of Mode 2 and Mode 3 is recommended instead.

The operating mode is selected by programming the MODE[1:0] bitfield of the AES_CR register. It may be done only when the AES peripheral is disabled.

Typical data processing

Typical usage of the AES is described in Section 19.4.4: AES procedure to perform a cipher operation.

Note: The outputs of the intermediate AEA stages are never revealed outside the cryptographic boundary, with the exclusion of the IVI bitfield.

Chaining modes

The following chaining modes are supported by AES, selected through the CHMOD[1:0] bitfield of the AES_CR register:

Note: The chaining mode may be changed only when AES is disabled (bit EN of the AES_CR register cleared).

The principle of each AES chaining mode is provided in the following subsections.

Detailed information is in dedicated sections, starting from Section 19.4.8: AES basic chaining modes (ECB, CBC).

Electronic codebook (ECB) mode

Figure 85. ECB encryption and decryption principle

Diagram illustrating the ECB encryption and decryption principle. The diagram is divided into two sections: Encryption and Decryption. In the Encryption section, three plaintext blocks (Plaintext block 1, 2, and 3) are shown as input (light gray boxes) entering 'Encrypt' blocks. Each 'Encrypt' block also receives a 'key' (indicated by a horizontal arrow) and produces a ciphertext block (Ciphertext block 1, 2, and 3) as output (dark gray boxes). In the Decryption section, three ciphertext blocks (Ciphertext block 1, 2, and 3) are shown as input (light gray boxes) entering 'Decrypt' blocks. Each 'Decrypt' block also receives a 'key' and produces a plaintext block (Plaintext block 1, 2, and 3) as output (dark gray boxes). A legend indicates that light gray boxes represent 'input', dark gray boxes represent 'output', and a circular arrow represents 'key scheduling'. The diagram is labeled MSv42140V1 in the bottom right corner.


ECB is the simplest mode of operation. There are no chaining operations, and no special initialization stage. The message is divided into blocks and each block is encrypted or decrypted separately.

Note: For decryption, a special key scheduling is required before processing the first block.

Cipher block chaining (CBC) mode

Figure 86. CBC encryption and decryption principle

Diagram illustrating CBC encryption and decryption with three blocks. Encryption: Plaintext blocks 1, 2, and 3 are XORed with the previous ciphertext (or IV for the first block) and then passed through an 'Encrypt' block with a key to produce ciphertext blocks 1, 2, and 3. Decryption: Ciphertext blocks 1, 2, and 3 are passed through a 'Decrypt' block with a key, and the output is XORed with the previous ciphertext (or IV for the first block) to produce plaintext blocks 1, 2, and 3. A legend indicates input, output, and key scheduling symbols.

The diagram illustrates the CBC encryption and decryption process across three blocks. In the Encryption section, 'Plaintext block 1', 'Plaintext block 2', and 'Plaintext block 3' are shown. For the first block, an 'initialization vector' is XORed with the plaintext. For subsequent blocks, the previous 'Ciphertext block' is XORed with the current plaintext. Each XOR result is then processed by an 'Encrypt' block using a 'key' to produce 'Ciphertext block 1', 'Ciphertext block 2', and 'Ciphertext block 3'. In the Decryption section, the 'Ciphertext blocks' are processed by 'Decrypt' blocks using the same 'key'. The output of each decrypt block is XORed with the previous ciphertext block (or the 'initialization vector' for the first block) to recover the original 'Plaintext block 1', 'Plaintext block 2', and 'Plaintext block 3'. A 'Legend' identifies the symbols for 'input' (white box), 'output' (grey box), and 'key scheduling' (circular arrow).


In CBC mode the output of each block chains with the input of the following block. To make each message unique, an initialization vector is used during the first block processing.

Note: For decryption, a special key scheduling is required before processing the first block.

Counter (CTR) mode

Figure 87. CTR encryption and decryption principle

Figure 87. CTR encryption and decryption principle. The diagram illustrates the Counter (CTR) mode of operation for AES. It is divided into two horizontal sections: 'Encryption' and 'Decryption'. In the 'Encryption' section, a sequence of three 'Counter' blocks is shown. Each counter block outputs a 'value' (labeled 'value', 'value + 1', and 'value + 2') to an 'Encrypt' block. Each 'Encrypt' block also receives a 'key' and its output is XORed (indicated by a circle with a cross) with a 'Plaintext block' (labeled 'Plaintext block 1', 'Plaintext block 2', and 'Plaintext block 3'). The result of the XOR operation is a 'Ciphertext block' (labeled 'Ciphertext block 1', 'Ciphertext block 2', and 'Ciphertext block 3'). The counters are chained, with each counter block receiving an increment of +1 from the previous one. In the 'Decryption' section, the process is reversed. The same sequence of three 'Counter' blocks and 'Decrypt' blocks is shown. Each 'Decrypt' block receives a 'key' and the output of its counter block. Its output is XORed with a 'Ciphertext block' (labeled 'Ciphertext block 1', 'Ciphertext block 2', and 'Ciphertext block 3') to produce a 'Plaintext block' (labeled 'Plaintext block 1', 'Plaintext block 2', and 'Plaintext block 3'). A 'Legend' is provided in the bottom left corner, showing a white rectangle for 'input', a grey rectangle for 'output', and a circle with a cross for 'XOR'. The diagram is labeled 'MSv42142V1' in the bottom right corner.

The CTR mode uses the AES core to generate a key stream. The key stream is then XORed with the plaintext to obtain the ciphertext, as specified in NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation.

Note: Unlike with ECB and CBC modes, no key scheduling is required for the CTR decryption, since in this chaining scheme the AES core is always used in encryption mode for producing the key stream, or counter blocks.

19.4.4 AES procedure to perform a cipher operation

Introduction

A typical cipher operation is explained below. Detailed information is provided in sections starting from Section 19.4.8: AES basic chaining modes (ECB, CBC).

The flowcharts shown in Figure 88 describe the way STM32 cryptographic library implements the AES algorithm. AES accelerates the execution of the AES-128 cryptographic algorithm in ECB, CBC, and CTR operating modes.

Note: For more details on the cryptographic library, refer to the UM1924 user manual “STM32 crypto library” available from www.st.com.

Figure 88. STM32 cryptolib AES flowchart example

The diagram shows two flowcharts: Encryption and Decryption. Both start with 'Begin', followed by an initialization step (AES_x encrypt init or AES_x decrypt init). They then proceed as follows: 'Error status' -> 'success' -> 'AES_x encrypt append' (or 'AES_x decrypt append') -> 'Data to append' -> 'Error status' -> 'success' -> 'AES_x encrypt finish/final' (or 'AES_x decrypt finish/final') -> 'Error status' -> 'success' -> 'End'. Error status diamonds have 'success' paths leading down and 'error' paths leading to the 'End' node.

Initialization of AES

To initialize AES, first disable it by clearing the EN bit of the AES_CR register. Then perform the following steps in any order:

Data append

This section describes different ways of appending data for processing, where the size of data to process is not a multiple of 128 bits.

For ECB or CBC mode, refer to Section 19.4.6: AES ciphertext stealing and data padding. The second-last and the last block management in these cases is more complex than in the sequence described in this section.

Data append through polling

This method uses flag polling to control the data append.

For all other cases (modes other than ECB or CBC), the data is appended through the following sequence:

  1. Enable the AES peripheral by setting the EN bit of the AES_CR register.
  2. Repeat the following sub-sequence until the payload is entirely processed:
    a) Write four input data words into the AES_DINR register.
    b) Wait until the status flag CCF is set in the AES_SR register, then read the four data words from the AES_DOUTR register.
    c) Clear the CCF flag by setting the CCFC bit of the AES_CR register.
    d) If the data block just processed is the second-last block of the message and the significant data in the last block to process is less than 128 bits, pad the remainder of the last block with zeros.
  3. Discard the data that is not part of the payload, then disable the AES peripheral by clearing the EN bit of the AES_CR register.

Note: Up to three wait cycles are automatically inserted between two consecutive writes to the AES_DINR register, to allow sending the key to the AES processor.

Data append using interrupt

This method uses the interrupt from the AES peripheral to control the data append, through the following sequence:

  1. Enable interrupts from AES by setting the CCFIE bit of the AES_CR register.
  2. Enable the AES peripheral by setting the EN bit of the AES_CR register.
  3. Write the first four input data words into the AES_DINR register.
  4. Handle the data in the AES interrupt service routine, upon interrupt:
    a) Read four output data words from the AES_DOUTR register.
    b) Clear the CCF flag, and thus the pending interrupt, by setting the CCFC bit of the AES_CR register.
    c) If the data block just processed is the second-last block of a message and the significant data in the last block to process is less than 128 bits, pad the remainder of the last block with zeros. Then proceed with point 4e).
    d) If the data block just processed is the last block of the message, discard the data that is not part of the payload, then disable the AES peripheral by clearing the EN bit of the AES_CR register and quit the interrupt service routine.
    e) Write the next four input data words into the AES_DINR register and quit the interrupt service routine.

Note: AES is tolerant of delays between consecutive read or write operations, which allows, for example, an interrupt from another peripheral to be served between two AES computations.

Data append using DMA

With this method, all the transfers and processing are managed by DMA and AES. To use the method, proceed as follows:

  1. Prepare the last four-word data block (if the data to process does not fill it completely), by padding the remainder of the block with zeros.
  2. Configure the DMA controller so as to transfer the data to process from the memory to the AES peripheral input and the processed data from the AES peripheral output to the memory, as described in Section 19.4.13: AES DMA interface. Configure the DMA controller so as to generate an interrupt on transfer completion.
  3. Enable the AES peripheral by setting the EN bit of the AES_CR register.
  4. Enable DMA requests by setting the DMAINEN and DMAOUTEN bits of the AES_CR register.
  5. Upon DMA interrupt indicating the transfer completion, get the AES-processed data from the memory.

Note: The CCF flag has no use with this method, because the reading of the AES_DOUTR register is managed by DMA automatically, without any software action, at the end of the computation phase.

19.4.5 AES decryption key preparation

For an ECB or CBC decryption, a key for the first round of decryption must be derived from the key of the last round of encryption. This is why a complete key schedule of encryption is required before performing the decryption. This key preparation is not required for AES decryption in modes other than ECB or CBC.

The recommended method is to select Mode 2 (key process only) by setting the MODE[1:0] bitfield of the AES_CR register to 01, then proceed with the decryption by setting MODE[1:0] to 10 (Mode 3, decryption only). Mode 2 usage is described below:

  1. Disable the AES peripheral by clearing the EN bit of the AES_CR register.
  2. Select Mode 2 by setting the MODE[1:0] bitfield of the AES_CR register to 01. The CHMOD[1:0] bitfield is not significant in this case because this key derivation mode is independent of the chaining algorithm selected.
  3. Write the AES_KEYRx registers (128 bits) with the encryption key, as shown in Figure 89. Writes to the AES_IVRx registers have no effect.
  4. Enable the AES peripheral by setting the EN bit of the AES_CR register.
  5. Wait until the CCF flag is set in the AES_SR register.
  6. The derived key is available in the AES core, ready to use for decryption. The application can also read the AES_KEYRx registers to obtain the derived key if needed, as shown in Figure 89 (the processed key is loaded automatically into the AES_KEYRx registers).

Note: The AES is disabled by hardware when the derivation key is available.
To restart a derivation key computation, repeat steps 3, 4, 5 and 6.

Figure 89. Encryption key derivation for ECB/CBC decryption (Mode 2)

The diagram shows three phases: input phase, computation phase, and output phase (optional). A note below the diagram states: "128-bit derivation key stored into AES_KEYRx".

If the software stores the initial key prepared for decryption, it is enough to do the key schedule operation only once for all the data to be decrypted with a given cipher key.

Note: An alternative key preparation method is to select Mode 4 by setting the MODE[1:0] bitfield of the AES_CR register to 11. In this case Mode 3 cannot be used.
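The key that Mode 2 prepares is described above as the last-round key of the encryption key schedule. The following added example (not code from this manual or from the STM32 cryptographic library) computes that round key on a host with the FIPS 197 key expansion, and runs the schedule backwards to show that a stored derived key is equivalent to the cipher key and needs the same protection. Function names are hypothetical, and the word order in which the peripheral presents the value in AES_KEYRx is not modeled.

```c
#include <stdint.h>
#include <string.h>

/* Host-side check code: not constant-time, not meant for firmware. */

/* Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (FIPS 197). */
static uint8_t gmul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0));
        b >>= 1;
    }
    return p;
}

static uint8_t rotl8(uint8_t x, int n)
{
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* S-box from its definition: inverse in GF(2^8), then the affine map. */
static uint8_t sbox(uint8_t x)
{
    uint8_t inv = x ? 1 : 0;
    for (int i = 0; x && i < 254; i++)
        inv = gmul(inv, x);                 /* x^254 is the inverse of x */
    return (uint8_t)(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^
                     rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63);
}

/* XOR SubWord(RotWord(last word)) and Rcon into the first word. Because
 * it is an XOR, the same step is used forwards and backwards. */
static void first_word(uint8_t rk[16], uint8_t rcon)
{
    rk[0] ^= sbox(rk[13]) ^ rcon;
    rk[1] ^= sbox(rk[14]);
    rk[2] ^= sbox(rk[15]);
    rk[3] ^= sbox(rk[12]);
}

/* Cipher key -> round-10 key (the key prepared for ECB/CBC decryption). */
void aes128_last_round_key(const uint8_t key[16], uint8_t out[16])
{
    uint8_t rk[16], rcon = 0x01;
    memcpy(rk, key, 16);
    for (int round = 1; round <= 10; round++) {
        first_word(rk, rcon);
        for (int i = 4; i < 16; i++) rk[i] ^= rk[i - 4];
        rcon = gmul(rcon, 0x02);
    }
    memcpy(out, rk, 16);
}

/* Round-10 key -> cipher key: the schedule is fully invertible. */
void aes128_key_from_last_round_key(const uint8_t last[16], uint8_t key[16])
{
    uint8_t rk[16], rcon = 0x36;            /* Rcon of round 10 */
    memcpy(rk, last, 16);
    for (int round = 10; round >= 1; round--) {
        for (int i = 15; i >= 4; i--) rk[i] ^= rk[i - 4];
        first_word(rk, rcon);
        rcon = gmul(rcon, 0x8D);            /* 0x8D is the inverse of 0x02 */
    }
    memcpy(key, rk, 16);
}

/* FIPS 197 Appendix A.1 cipher key and its round-10 key (w40..w43). */
static const uint8_t FIPS197_KEY[16] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
static const uint8_t FIPS197_RK10[16] = {
    0xd0, 0x14, 0xf9, 0xa8, 0xc9, 0xee, 0x25, 0x89,
    0xe1, 0x3f, 0x0c, 0xc8, 0xb6, 0x63, 0x0c, 0xa6 };

/* Returns 0 when both directions agree with the FIPS 197 vector. */
int aes128_derivation_selftest(void)
{
    uint8_t derived[16], recovered[16];
    aes128_last_round_key(FIPS197_KEY, derived);
    aes128_key_from_last_round_key(derived, recovered);
    if (memcmp(derived, FIPS197_RK10, 16) != 0) return -1;
    if (memcmp(recovered, FIPS197_KEY, 16) != 0) return -2;
    return 0;
}
```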

19.4.6 AES ciphertext stealing and data padding

When using AES in ECB or CBC modes to manage messages the size of which is not a multiple of the block size (128 bits), ciphertext stealing techniques are used, such as those described in NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode. Since the AES peripheral on the device does not support such techniques, the last two blocks of input data must be handled in a special way by the application.

Note: Ciphertext stealing techniques are not documented in this reference manual.

Similarly, when AES is used in modes other than ECB or CBC, an incomplete input data block (that is, a block with input data shorter than 128 bits) must be padded with zeros prior to encryption (that is, extra bits must be appended to the trailing end of the data string). After decryption, the extra bits must be discarded. As AES does not implement automatic data padding of the last block, the application must follow the recommendation given in Section 19.4.4: AES procedure to perform a cipher operation to manage messages the size of which is not a multiple of 128 bits.

Note: Padding data are swapped in a similar way as normal data, according to the DATATYPE[1:0] field of the AES_CR register (see Section 19.4.10: AES data registers and data swapping for details).
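The polling sequence of Section 19.4.4 combined with the zero-padding rule above, as an added example that is not from this manual or from the STM32 cryptographic library. The `aes_model` structure, its accessor functions, the `ks_word` stand-in key stream (not AES) and the bit positions are assumptions made so that the sequence runs on a host; DATATYPE swapping is not modeled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bit positions are assumptions for this example; take the real ones from
 * the AES_CR and AES_SR register descriptions of the device. */
#define CR_EN   (1u << 0)
#define CR_CCFC (1u << 7)
#define SR_CCF  (1u << 0)

/* Constructed host-side model of the register interface. On target the
 * accessors below become volatile accesses to AES_CR, AES_SR, AES_DINR
 * and AES_DOUTR. */
typedef struct {
    uint32_t cr, sr, in[4], out[4];
    unsigned in_cnt, out_cnt, blocks;
} aes_model;

/* Stand-in key stream, NOT AES: it only gives the model the CTR-like
 * behaviour "output = input XOR key stream". */
static uint32_t ks_word(unsigned block, unsigned i)
{
    return 0x9E3779B9u * (block * 4u + i + 1u);
}

static void wr_cr(aes_model *a, uint32_t v)
{
    if (v & CR_CCFC) a->sr &= ~SR_CCF;      /* CCFC clears the CCF flag */
    a->cr = v & ~CR_CCFC;
}

static uint32_t rd_sr(const aes_model *a) { return a->sr; }

static void wr_dinr(aes_model *a, uint32_t v)
{
    a->in[a->in_cnt++] = v;
    if (a->in_cnt < 4) return;              /* wait for the fourth word */
    a->in_cnt = 0;
    if (!(a->cr & CR_EN)) return;           /* disabled: nothing computed */
    for (unsigned i = 0; i < 4; i++)
        a->out[i] = a->in[i] ^ ks_word(a->blocks, i);
    a->blocks++;
    a->out_cnt = 0;
    a->sr |= SR_CCF;                        /* computation complete */
}

static uint32_t rd_doutr(aes_model *a) { return a->out[a->out_cnt++ & 3u]; }

/* Overwrite a buffer through a volatile pointer so the stores are kept. */
static void wipe(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Polling data append for a len-byte payload in a mode other than ECB or
 * CBC. out must hold len bytes. Returns 0, or -1 if CCF never rises. */
int aes_append_poll(aes_model *a, const uint8_t *in, uint8_t *out, size_t len)
{
    wr_cr(a, a->cr | CR_EN);                            /* step 1 */
    for (size_t off = 0; off < len; off += 16) {        /* step 2 */
        size_t n = (len - off < 16) ? len - off : 16;
        uint8_t blk[16] = {0};                          /* 2d: zero padding */
        uint32_t w[4];
        unsigned spin = 100000;

        memcpy(blk, in + off, n);
        memcpy(w, blk, sizeof w);
        for (unsigned i = 0; i < 4; i++) wr_dinr(a, w[i]);      /* 2a */
        while (!(rd_sr(a) & SR_CCF))                            /* 2b */
            if (--spin == 0) { wr_cr(a, a->cr & ~CR_EN); return -1; }
        for (unsigned i = 0; i < 4; i++) w[i] = rd_doutr(a);
        wr_cr(a, a->cr | CR_CCFC);                              /* 2c */

        /* Step 3: copy payload bytes only. Output bytes produced from the
         * zero padding are raw key stream and must not leave this scope. */
        memcpy(blk, w, sizeof w);
        memcpy(out + off, blk, n);
        wipe(blk, sizeof blk);
        wipe(w, sizeof w);
    }
    wr_cr(a, a->cr & ~CR_EN);                           /* step 3: disable */
    return 0;
}
```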

19.4.7 AES task suspend and resume

A message can be suspended if another message with a higher priority must be processed. Once this higher-priority message has been sent, the suspended message can resume, in either encryption or decryption mode.

Suspend/resume operations do not break the chaining operation and the message processing can resume as soon as AES is enabled again to receive the next data block.

Figure 90 gives an example of suspend/resume operation: Message 1 is suspended in order to send a shorter and higher-priority Message 2.

Figure 90. Example of suspend mode management

Flowchart showing Message 1 (blocks 1-6) and Message 2 (blocks 1-2) with suspend and resume sequences.

The diagram illustrates suspend mode management for two messages. Message 1 consists of 128-bit blocks 1 through 6. After block 3, an 'AES suspend sequence' is triggered, saving the state. A callout indicates 'New higher-priority message 2 to be processed'. Message 2 consists of 128-bit blocks 1 and 2. After block 2, an 'AES resume sequence' is triggered, restoring the state for Message 1 to continue with block 4. The diagram is labeled MSV42148V1.


A detailed description of suspend/resume operations is in the sections dedicated to each AES mode.

19.4.8 AES basic chaining modes (ECB, CBC)

Overview

This section gives a brief explanation of the four basic operation modes provided by the AES computing core: ECB encryption, ECB decryption, CBC encryption and CBC decryption. For detailed information, refer to the FIPS publication 197 from November 26, 2001.

Figure 91 illustrates the electronic codebook (ECB) encryption.

Figure 91. ECB encryption

Detailed diagram of ECB encryption for Block 1 and Block 2 showing data flow through swap management, encryption, and back to swap management.

The diagram shows the internal data flow for ECB encryption of two blocks. For Block 1, plaintext P1 from AES_DINR is processed by 'Swap management' (controlled by DATATYPE[1:0]) to produce I1, which is then encrypted by the 'Encrypt' core (using AES_KEYRx) to produce O1. O1 is processed by another 'Swap management' block to produce ciphertext C1 in the AES_DOUTR register. The same process is shown for Block 2 with P2, I2, O2, and C2. A legend indicates that white boxes represent 'input' and grey boxes represent 'output'. The diagram is labeled MSV19105V2.


In ECB encrypt mode, the 128-bit plaintext input data block \( P_x \) in the AES_DINR register first goes through bit/byte/half-word swapping. The swap result \( I_x \) is processed with the AES core set in encrypt mode, using a 128-bit key. The encryption result \( O_x \) goes through bit/byte/half-word swapping, then is stored in the AES_DOUTR register as 128-bit ciphertext output data block \( C_x \). The ECB encryption continues in this way until the last complete plaintext block is encrypted.

Figure 92 illustrates the electronic codebook (ECB) decryption.

Diagram of ECB decryption showing two blocks, Block 1 and Block 2. Each block consists of an input register (AES_DINR), a swap management block, a decrypt block, and an output register (AES_DOUTR). The process for Block 1: AES_DINR (ciphertext C1) is input to Swap management (controlled by DATATYPE[1:0]), producing I1. I1 is input to Decrypt (controlled by AES_KEYRx (KEY)), producing O1. O1 is input to another Swap management block (controlled by DATATYPE[1:0]), producing AES_DOUTR (plaintext P1). The same process is shown for Block 2, producing P2. A legend indicates that white boxes are input and grey boxes are output. MSV19106V2 is noted at the bottom right.

Figure 92. ECB decryption


To perform an AES decryption in the ECB mode, the secret key has to be prepared by collecting the last-round encryption key (which requires first executing the complete key schedule for encryption), and using it as the first-round key for the decryption of the ciphertext. This preparation is supported by the AES core.

In ECB decrypt mode, the 128-bit ciphertext input data block \( C_1 \) in the AES_DINR register first goes through bit/byte/half-word swapping. The keying sequence is reversed compared to that of the ECB encryption. The swap result \( I_1 \) is processed with the AES core set in decrypt mode, using the formerly prepared decryption key. The decryption result goes through bit/byte/half-word swapping, then is stored in the AES_DOUTR register as 128-bit plaintext output data block \( P_1 \). The ECB decryption continues in this way until the last complete ciphertext block is decrypted.

Figure 93 illustrates the cipher block chaining (CBC) encryption mode.

Diagram of CBC encryption showing two blocks, Block 1 and Block 2. Each block consists of an input register (AES_DINR), a swap management block, an XOR block, a block cipher encryption block, and an output register (AES_DOUTR). The process for Block 1: AES_DINR (plaintext P1) is input to Swap management (controlled by DATATYPE[1:0]), producing P1'. P1' is input to XOR (controlled by AES_IVRx (init. vector)), producing I1. I1 is input to Block cipher encryption (controlled by AES_KEYRx (KEY)), producing O1. O1 is input to another Swap management block (controlled by DATATYPE[1:0]), producing AES_DOUTR (ciphertext C1). The O1 output is also fed into the XOR block for Block 2. The same process is shown for Block 2, producing C2. A legend indicates that white boxes are input, grey boxes are output, and a circle with a cross is XOR. MSV19107V2 is noted at the bottom right.

Figure 93. CBC encryption


In CBC encrypt mode, the first plaintext input block, after bit/byte/half-word swapping ( \( P_1' \) ), is XOR-ed with a 128-bit \( IVI \) bitfield (initialization vector and counter), producing the \( I_1 \) input data for encryption with the AES core, using a 128-bit key. The resulting 128-bit output block \( O_1 \), after the swapping operation, is used as ciphertext \( C_1 \). The \( O_1 \) data is then XOR-ed with the second-block plaintext data \( P_2' \) to produce the \( I_2 \) input data for the AES core to produce the second block of ciphertext data. The chaining of data blocks continues in this way until the last plaintext block in the message is encrypted.

If the message size is not a multiple of 128 bits, the final partial data block is encrypted in the way explained in Section 19.4.6: AES ciphertext stealing and data padding.

Figure 94 illustrates the cipher block chaining (CBC) decryption mode.

Diagram of CBC decryption showing two blocks, Block 1 and Block 2. Block 1 takes AES_DINR (ciphertext C1) through a Swap management block to produce I1, which is then decrypted using AES_KEYRx (KEY) to produce O1. O1 is XORed with AES_IVRx (IV) to produce P1', which is then swapped back to produce AES_DOUTR (plaintext P1). Block 2 takes AES_DINR (ciphertext C2) through a Swap management block to produce I2, which is then decrypted using AES_KEYRx (KEY) to produce O2. O2 is XORed with I1 (from Block 1) to produce P2', which is then swapped back to produce AES_DOUTR (plaintext P2). A legend indicates that white boxes are input, grey boxes are output, and a circle with a cross is XOR.

Figure 94. CBC decryption


In CBC decrypt mode, like in ECB decrypt mode, the secret key must be prepared to perform an AES decryption.

After the key preparation process, the decryption goes as follows: the first 128-bit ciphertext block (after the swap operation) is used directly as the AES core input block I1 for decrypt operation, using the 128-bit key. Its output O1 is XOR-ed with the 128-bit IVI field (that must be identical to that used during encryption) to produce the first plaintext block P1.

The second ciphertext block is processed in the same way as the first block, except that the I1 data from the first block is used in place of the initialization vector.

The decryption continues in this way until the last complete ciphertext block is decrypted.

If the message size is not a multiple of 128 bits, the final partial data block is decrypted in the way explained in Section 19.4.6: AES ciphertext stealing and data padding.

For more information on data swapping, refer to Section 19.4.10: AES data registers and data swapping.

ECB/CBC encryption sequence

The sequence of events to perform an ECB/CBC encryption (more detail in Section 19.4.4):

  1. Disable the AES peripheral by clearing the EN bit of the AES_CR register.
  2. Select Mode 1 by setting to 00 the MODE[1:0] bitfield of the AES_CR register and select ECB or CBC chaining mode by setting the CHMOD[1:0] bitfield of the AES_CR register to 00 or 01, respectively. Data type can also be defined, using the DATATYPE[1:0] bitfield.
  3. Write the AES_KEYRx registers (128 bits) with the encryption key. Fill the AES_IVRx registers with the initialization vector data if CBC mode has been selected.
  4. Enable the AES peripheral by setting the EN bit of the AES_CR register.
  5. Write the AES_DINR register four times to input the plaintext (MSB first), as shown in Figure 95.
  6. Wait until the CCF flag is set in the AES_SR register.
  7. Read the AES_DOUTR register four times to get the ciphertext (MSB first), as shown in Figure 95. Then clear the CCF flag by setting the CCFC bit of the AES_CR register.
  8. Repeat steps 5, 6 and 7 to process all the blocks with the same encryption key.
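The encryption sequence above written as a polling driver; this is an added example, not code from the reference manual or from the STM32 cryptographic library. The AES_CR bit positions follow the register layout in section 19.7.1; the register order after AES_CR, the AES_SR flag positions, the `aes_*` names and the spin limit are assumptions of this example. It bounds the CCF wait and checks RDERR/WRERR after every block instead of trusting the peripheral to complete.

```c
#include <stddef.h>
#include <stdint.h>

/* Register block. AES_CR at offset 0x00 is from the page; the order of the
 * other registers is an assumption of this example. */
typedef struct {
    volatile uint32_t CR, SR, DINR, DOUTR;
    volatile uint32_t KEYR[4];  /* KEYR[0] = KEY[31:0] ... KEYR[3] = KEY[127:96] */
    volatile uint32_t IVR[4];   /* IVR[0] = lowest address ... IVR[3] = highest */
} aes_regs_t;

/* AES_CR fields, positions read off the AES_CR layout in section 19.7.1. */
#define AES_CR_EN           (1u << 0)
#define AES_CR_DATATYPE(x)  (((uint32_t)(x) & 3u) << 1)
#define AES_CR_MODE(x)      (((uint32_t)(x) & 3u) << 3)   /* 00 = Mode 1 */
#define AES_CR_CHMOD(x)     (((uint32_t)(x) & 3u) << 5)
#define AES_CR_CCFC         (1u << 7)
#define AES_CR_ERRC         (1u << 8)
/* AES_SR flag positions: assumption, AES_SR is not laid out in this section. */
#define AES_SR_CCF          (1u << 0)
#define AES_SR_RDERR        (1u << 1)
#define AES_SR_WRERR        (1u << 2)
#define AES_CHMOD_ECB       0u
#define AES_CHMOD_CBC       1u

enum { AES_OK = 0, AES_ERR_ARG = -1, AES_ERR_TIMEOUT = -2, AES_ERR_ACCESS = -3 };

/* Failure path: clear the error flags and leave the peripheral disabled. */
static int aes_abort(aes_regs_t *aes, int err)
{
    aes->CR = (aes->CR | AES_CR_ERRC) & ~AES_CR_EN;
    return err;
}

/* Steps 1 to 8 of the ECB/CBC encryption sequence (Mode 1), polling CCF.
 * key[i] is written to AES_KEYRi and iv[i] to AES_IVRi; in/out hold four
 * words per block, most significant word first. */
int aes_encrypt_blocks(aes_regs_t *aes, unsigned chmod, unsigned datatype,
                       const uint32_t key[4], const uint32_t iv[4],
                       const uint32_t *in, uint32_t *out, size_t nblocks,
                       uint32_t spin_limit)
{
    if (chmod > AES_CHMOD_CBC || datatype > 3u || !key || !in || !out ||
        (chmod == AES_CHMOD_CBC && !iv))
        return AES_ERR_ARG;

    aes->CR &= ~AES_CR_EN;                                   /* step 1 */
    uint32_t cr = aes->CR & ~(AES_CR_MODE(3) | AES_CR_CHMOD(3) | AES_CR_DATATYPE(3));
    aes->CR = cr | AES_CR_MODE(0) | AES_CR_CHMOD(chmod)      /* step 2 */
                 | AES_CR_DATATYPE(datatype);
    for (int i = 0; i < 4; i++) {                            /* step 3 */
        aes->KEYR[i] = key[i];
        if (chmod == AES_CHMOD_CBC)
            aes->IVR[i] = iv[i];
    }
    aes->CR |= AES_CR_EN;                                    /* step 4 */

    for (size_t b = 0; b < nblocks; b++) {                   /* step 8 */
        for (int i = 0; i < 4; i++)                          /* step 5 */
            aes->DINR = in[4 * b + i];
        uint32_t spins = spin_limit;                         /* step 6 */
        while (!(aes->SR & AES_SR_CCF))
            if (spins-- == 0)
                return aes_abort(aes, AES_ERR_TIMEOUT);
        for (int i = 0; i < 4; i++)                          /* step 7 */
            out[4 * b + i] = aes->DOUTR;
        aes->CR |= AES_CR_CCFC;
        if (aes->SR & (AES_SR_RDERR | AES_SR_WRERR))         /* section 19.4.14 */
            return aes_abort(aes, AES_ERR_ACCESS);
    }
    return AES_OK;
}

/* Host-side smoke run on a fake register block in RAM (constructed values):
 * CCF is preset, so only the register sequence is exercised, not AES. */
int main(void)
{
    aes_regs_t fake = {0};
    const uint32_t key[4] = {4, 3, 2, 1}, iv[4] = {0}, pt[4] = {1, 2, 3, 4};
    uint32_t ct[4];

    fake.SR = AES_SR_CCF;
    return aes_encrypt_blocks(&fake, AES_CHMOD_CBC, 2, key, iv, pt, ct, 1, 1000);
}
```

On the target, pass the peripheral base address cast to `aes_regs_t *` once the register order has been checked against the register map.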

Figure 95. ECB/CBC encryption (Mode 1)

Diagram of ECB/CBC encryption sequence showing input, computation, and output phases.


ECB/CBC decryption sequence

The sequence of events to perform an AES ECB/CBC decryption is as follows (more detail in Section 19.4.4):

  1. Follow the steps described in Section 19.4.5: AES decryption key preparation on page 440, in order to prepare the decryption key in the AES core.
  2. Disable the AES peripheral by clearing the EN bit of the AES_CR register.
  3. Select Mode 3 by setting to 10 the MODE[1:0] bitfield of the AES_CR register and select ECB or CBC chaining mode by setting the CHMOD[1:0] bitfield of the AES_CR register to 00 or 01, respectively. Data type can also be defined, using the DATATYPE[1:0] bitfield.
  4. Write the AES_IVRx registers with the initialization vector (required in CBC mode only).
  5. Enable AES by setting the EN bit of the AES_CR register.
  6. Write the AES_DINR register four times to input the ciphertext (MSB first), as shown in Figure 96.
  7. Wait until the CCF flag is set in the AES_SR register.
  8. Read the AES_DOUTR register four times to get the plaintext (MSB first), as shown in Figure 96. Then clear the CCF flag by setting the CCFC bit of the AES_CR register.
  9. Repeat steps 6, 7 and 8 to process all the blocks encrypted with the same key.

Figure 96. ECB/CBC decryption (Mode 3)

Diagram of ECB/CBC decryption (Mode 3) showing input, computation, and output phases.


Suspend/resume operations in ECB/CBC modes

To suspend the processing of a message, proceed as follows:

  1. If DMA is used, stop the AES DMA transfers to the IN FIFO by clearing the DMAINEN bit of the AES_CR register.
  2. If DMA is not used, read four times the AES_DOUTR register to save the last processed block. If DMA is used, wait until the CCF flag is set in the AES_SR register then stop the DMA transfers from the OUT FIFO by clearing the DMAOUTEN bit of the AES_CR register.
  3. If DMA is not used, poll the CCF flag of the AES_SR register until it becomes 1 (computation completed).
  4. Clear the CCF flag by setting the CCFC bit of the AES_CR register.
  5. Save initialization vector registers (only required in CBC mode as AES_IVRx registers are altered during the data processing).
  6. Disable the AES peripheral by clearing the bit EN of the AES_CR register.
  7. Save the current AES configuration in the memory (except AES initialization vector values).
  8. If DMA is used, save the DMA controller status (pointers for IN and OUT data transfers, number of remaining bytes, and so on).

Note: In point 7, the derived key information stored in the AES_KEYRx registers can optionally be saved in memory if the interrupted process is a decryption. Otherwise those registers do not need to be saved, as the original key value is known by the application.

To resume the processing of a message, proceed as follows:

  1. If DMA is used, configure the DMA controller so as to complete the rest of the FIFO IN and FIFO OUT transfers.
  2. Ensure that AES is disabled (the EN bit of the AES_CR must be 0).
  3. Restore the AES_CR and AES_KEYRx register settings, using the values of the saved configuration. In case of decryption, derived key information can be written in the AES_KEYRx registers instead of the original key value.
  4. Prepare the decryption key as described in Section 19.4.5: AES decryption key preparation (only required for ECB or CBC decryption). This step is not necessary if derived key information has been loaded in the AES_KEYRx registers.
  5. Restore the AES_IVRx registers using the saved configuration (only required in CBC mode).
  6. Enable the AES peripheral by setting the EN bit of the AES_CR register.
  7. If DMA is used, enable AES DMA transfers by setting the DMAINEN and DMAOUTEN bits of the AES_CR register.

Alternative single ECB/CBC decryption using Mode 4

The sequence of events to perform a single round of ECB/CBC decryption using Mode 4 is:

  1. Disable the AES peripheral by clearing the EN bit of the AES_CR register.
  2. Select the Mode 4 by setting to 11 the MODE[1:0] bitfield of the AES_CR register and select ECB or CBC chaining mode by setting the CHMOD[21:0] bitfield of the AES_CR register to 000 or 001, respectively.
  3. Select key length of 128 or 256 bits via KEYSIZE bitfield of the AES_CR register.
  4. Write the AES_KEYRx registers with the encryption key. Write the AES_IVRx registers if the CBC mode is selected.
  5. Enable the AES peripheral by setting the EN bit of the AES_CR register.
  6. Write the AES_DINR register four times to input the cipher text (MSB first).
  7. Wait until the CCF flag is set in the AES_SR register.
  8. Read the AES_DOUTR register four times to get the plain text (MSB first). Then clear the CCF flag by setting the CCFC bit of the AES_CR register.

Note: When mode 4 is selected mode 3 cannot be used.

In mode 4, the AES_KEYRx registers contain the encryption key during all phases of the processing. No derivation key is stored in these registers. It is stored internally in AES.

19.4.9 AES counter (CTR) mode

Overview

The counter mode (CTR) uses AES as a key-stream generator. The generated keys are then XOR-ed with the plaintext to obtain the ciphertext.

CTR chaining is defined in NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation. A typical message construction in CTR mode is given in Figure 97.

Figure 97. Message construction in CTR mode

Diagram of message construction in CTR mode showing the ICB (Initialization vector and Counter) and Ciphertext (C) with zero padding.

The diagram illustrates the structure of a message in CTR mode. It shows a 16-byte Initial Counter Block (ICB) followed by Ciphertext (C). The ICB is composed of two fields: an Initialization vector (IV) and a Counter. The IV is a 96-bit value, and the Counter is a 32-bit big-endian integer. The Ciphertext (C) is followed by zero padding. The diagram also shows the relationship between 4-byte boundaries and 16-byte boundaries. A 'decrypt' arrow points from the Ciphertext (C) to the Plaintext (P). The identifier MSv42156V1 is present in the bottom right corner.


The structure of this message is:

CTR encryption and decryption

Figure 98 and Figure 99 describe the CTR encryption and decryption process, respectively, as implemented in the AES peripheral. The CTR mode is selected by writing 10 to the CHMOD[1:0] bitfield of AES_CR register.

Figure 98. CTR encryption

Detailed diagram of CTR encryption process for Block 1 and Block 2, showing the flow from AES_IVRx to Encrypt, then XOR with plaintext to produce ciphertext.

This diagram details the CTR encryption process for two blocks. For Block 1, the AES_IVRx (IV + 32-bit counter) is input to an 'Encrypt' block along with the AES_KEYRx (KEY). The output O1 is XORed with the AES_DINR (plaintext P1) after swap management to produce the ciphertext C1 (AES_DOUTR). The counter is incremented (+1) to form the input for Block 2. For Block 2, the AES_IVRx (Nonce + 32-bit counter (+1)) is input to the 'Encrypt' block. The output O2 is XORed with the AES_DINR (plaintext P2) after swap management to produce the ciphertext C2 (AES_DOUTR). A legend indicates that white boxes represent inputs, grey boxes represent outputs, and a circle with an XOR symbol represents the XOR operation. The identifier MSv19102V2 is present in the bottom right corner.


Figure 99. CTR decryption

Block diagram of CTR decryption showing two blocks. Block 1: AES_IVRx (Nonce + 32-bit counter) goes to Encrypt block with AES_KEYRx (KEY) to produce O1. AES_DINR (ciphertext C1) goes through Swap management (DATATYPE[1:0]) to produce C1'. C1' is XORed with O1 to produce P1'. P1' goes through Swap management to produce AES_DOUTR (plaintext P1). Block 2: Counter is incremented (+1), and the process repeats for C2 to produce P2.

The diagram illustrates the CTR decryption process for two blocks, Block 1 and Block 2. In Block 1, the AES_IVRx register (containing a Nonce and a 32-bit counter) provides input I1 to the Encrypt block along with the key ( AES_KEYRx ). The Encrypt block produces a keystream O1. The ciphertext C1 from AES_DINR is processed by a Swap management block (controlled by DATATYPE[1:0]) to produce C1'. C1' is XOR-ed with O1 to produce P1'. P1' is then processed by another Swap management block (controlled by DATATYPE[1:0]) to produce the plaintext P1 in AES_DOUTR . For Block 2, the counter is incremented by 1. The process is identical: I2 (Nonce + 32-bit counter + 1) is input to the Encrypt block to produce O2. Ciphertext C2 is processed by Swap management to produce C2', which is XOR-ed with O2 to produce P2'. P2' is processed by Swap management to produce the plaintext P2 in AES_DOUTR . A legend indicates that light gray boxes are inputs, dark gray boxes are outputs, and the circle with a cross symbol represents an XOR operation.


In CTR mode, the cryptographic core output (also called keystream) Ox is XOR-ed with the relevant input block (Px' for encryption, Cx' for decryption), to produce the correct output block (Cx' for encryption, Px' for decryption). Initialization vectors in AES must be initialized as shown in Table 88.

Table 88. CTR mode initialization vector definition

| AES_IVR3[31:0] | AES_IVR2[31:0] | AES_IVR1[31:0] | AES_IVR0[31:0] |
|---|---|---|---|
| Nonce[31:0] | Nonce[63:32] | Nonce[95:64] | 32-bit counter = 0x0001 |

Unlike in CBC mode that uses the AES_IVRx registers only once when processing the first data block, in CTR mode AES_IVRx registers are used for processing each data block, and the AES peripheral increments the counter bits of the initialization vector (leaving the nonce bits unchanged).

CTR decryption does not differ from CTR encryption, since the core always encrypts the current counter block to produce the key stream that is then XOR-ed with the plaintext (CTR encryption) or ciphertext (CTR decryption) input. In CTR mode, the MODE[1:0] bitfield settings 11, 10 or 00 default all to encryption mode, and the setting 01 (key derivation) is forbidden.

The sequence of events to perform an encryption or a decryption in CTR chaining mode:

  1. Ensure that AES is disabled (the EN bit of the AES_CR must be 0).
  2. Select CTR chaining mode by setting to 10 the CHMOD[1:0] bitfield of the AES_CR register. Set MODE[1:0] bitfield to any value other than 01.
  3. Initialize the AES_KEYRx registers, and load the AES_IVRx registers as described in Table 88.
  4. Set the EN bit of the AES_CR register, to start encrypting the current counter (EN is automatically reset when the calculation finishes).
  5. If it is the last block, pad the data with zeros to have a complete block, if needed.
  6. Append data in AES, and read the result. The three possible scenarios are described in Section 19.4.4: AES procedure to perform a cipher operation.
  7. Repeat the previous step till the second-last block is processed. For the last block, apply the two previous steps and discard the bits that are not part of the payload (if the size of the significant data in the last input block is less than 16 bytes).
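A host-side model of the CTR data flow described above (Table 88 layout, counter-only increment, zero padding and discard on the last block, identical encrypt and decrypt), added here as an example and not taken from the reference manual. The block function is a constructed stand-in that is not AES, the byte serialization of the counter block is an assumption, and because the page does not say what the peripheral does when the 32-bit counter overflows, the model refuses any message that would reach that point, since a repeated counter under the same key and nonce repeats keystream.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef void (*block_encrypt_fn)(const uint8_t key[16], const uint8_t in[16],
                                 uint8_t out[16]);

/* Constructed stand-in for the AES core so the example runs offline.
 * It is NOT AES and has no security value; plug in a real AES-128 block
 * encryption to get real CTR output. */
void toy_block_encrypt(const uint8_t key[16], const uint8_t in[16], uint8_t out[16])
{
    uint8_t acc = 0x5a;
    for (int i = 0; i < 16; i++) {
        acc = (uint8_t)(((acc << 1) | (acc >> 7)) ^ in[i] ^ key[i]);
        out[i] = acc;
    }
    for (int i = 15; i >= 0; i--) {
        acc = (uint8_t)(((acc << 3) | (acc >> 5)) ^ out[i]);
        out[i] = acc;
    }
}

/* Table 88: nonce in AES_IVR3..AES_IVR1, 32-bit counter = 1 in AES_IVR0.
 * nonce[0] = Nonce[31:0], nonce[1] = Nonce[63:32], nonce[2] = Nonce[95:64]. */
void ctr_load_iv(uint32_t ivr[4], const uint32_t nonce[3])
{
    ivr[3] = nonce[0];
    ivr[2] = nonce[1];
    ivr[1] = nonce[2];
    ivr[0] = 1u;
}

/* Counter block given to the core: IVR3 first, IVR0 (counter) last, each word
 * most significant byte first (assumed serialization for this model). */
static void ctr_block(const uint32_t ivr[4], uint8_t blk[16])
{
    for (int w = 0; w < 4; w++)
        for (int b = 0; b < 4; b++)
            blk[4 * w + b] = (uint8_t)(ivr[3 - w] >> (24 - 8 * b));
}

/* Counter values left before IVR0 would overflow. The counter starts at 1
 * (Table 88), so a value of 0 means it has already wrapped. */
uint64_t ctr_blocks_left(const uint32_t ivr[4])
{
    return ivr[0] ? (uint64_t)UINT32_MAX - ivr[0] + 1u : 0u;
}

/* CTR encryption or decryption (the same operation). ivr[0] is advanced once
 * per block, so ivr can be saved and restored for suspend/resume. Returns 0,
 * or -1 without touching ivr if the message needs more counter values than
 * remain. */
int ctr_process(block_encrypt_fn enc, const uint8_t key[16], uint32_t ivr[4],
                const uint8_t *in, uint8_t *out, size_t len)
{
    uint64_t blocks = ((uint64_t)len + 15u) / 16u;
    if (blocks > ctr_blocks_left(ivr))
        return -1;

    for (size_t off = 0; off < len; off += 16) {
        size_t n = (len - off < 16) ? len - off : 16;
        uint8_t cb[16], ks[16], din[16] = {0};  /* zero padding of last block */

        ctr_block(ivr, cb);
        enc(key, cb, ks);                 /* the core always encrypts */
        memcpy(din, in + off, n);
        for (size_t i = 0; i < 16; i++)
            din[i] ^= ks[i];
        memcpy(out + off, din, n);        /* discard bits outside the payload */
        ivr[0]++;                         /* nonce words stay unchanged */
    }
    return 0;
}

int main(void)
{
    const uint32_t nonce[3] = {0x01020304u, 0x05060708u, 0x090a0b0cu}; /* constructed */
    const uint8_t key[16] = {0};                                       /* constructed */
    const uint8_t msg[21] = "constructed message!";
    uint8_t ct[21], pt[21];
    uint32_t ivr[4];

    ctr_load_iv(ivr, nonce);
    if (ctr_process(toy_block_encrypt, key, ivr, msg, ct, sizeof msg)) return 1;
    ctr_load_iv(ivr, nonce);              /* same nonce and counter to decrypt */
    if (ctr_process(toy_block_encrypt, key, ivr, ct, pt, sizeof ct)) return 1;
    return memcmp(pt, msg, sizeof msg) != 0;
}
```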

Suspend/resume operations in CTR mode

Like for the CBC mode, it is possible to interrupt a message to send a higher priority message, and resume the message that was interrupted. Detailed CBC suspend/resume sequence is described in Section 19.4.8: AES basic chaining modes (ECB, CBC) .

Note: Like for CBC mode, the AES_IVRx registers must be reloaded during the resume operation.

19.4.10 AES data registers and data swapping

Data input and output

A 128-bit data block is entered into the AES peripheral with four successive 32-bit word writes into the AES_DINR register (bitfield DIN[127:0]), the most significant word (bits [127:96]) first, the least significant word (bits [31:0]) last.

A 128-bit data block is retrieved from the AES peripheral with four successive 32-bit word reads from the AES_DOUTR register (bitfield DOUT[127:0]), the most significant word (bits [127:96]) first, the least significant word (bits [31:0]) last.

The 32-bit data word for AES_DINR register or from AES_DOUTR register is organized in big endian order, that is:

For using DMA for input data block write into AES, the four words of the input block must be stored in the memory consecutively and in big-endian order, that is, the most significant word on the lowest address. See Section 19.4.13: AES DMA interface.

Data swapping

The AES peripheral can be configured to perform a bit-, a byte-, a half-word-, or no swapping on the input data word in the AES_DINR register, before loading it to the AES processing core, and on the data output from the AES processing core, before sending it to the AES_DOUTR register. The choice depends on the type of data. For example, a byte swapping is used for an ASCII text stream.

The data swap type is selected through the DATATYPE[1:0] bitfield of the AES_CR register. The selection applies both to the input and the output of the AES core.

For different data swap types, Figure 100 shows the construction of AES processing core input buffer data P127..0, from the input data entered through the AES_DINR register, or the construction of the output data available through the AES_DOUTR register, from the AES processing core output buffer data P127..0.

Figure 100. 128-bit block construction with respect to data swap

DATATYPE[1:0] = 00: no swapping

Data words (MSB to LSB): Word 3 D127...D96 | Word 2 D95...D64 | Word 1 D63...D32 | Word 0 D31...D0
AES core buffer (MSB to LSB): D127...D96 | D95...D64 | D63...D32 | D31...D0

DATATYPE[1:0] = 01: 16-bit (half-word) swapping

Data words (MSB to LSB): Word 3 D127...D112 | D111...D96 | Word 2 D95...D80 | D79...D64 | Word 1 D63...D48 | D47...D32 | Word 0 D31...D16 | D15...D0
AES core buffer (MSB to LSB): D111...D96 | D127...D112 | D79...D64 | D95...D80 | D47...D32 | D63...D48 | D15...D0 | D31...D16

DATATYPE[1:0] = 10: 8-bit (byte) swapping

Data words (MSB to LSB): Word 3 D127...D120 | D119...D112 | D111...D104 | D103...D96 | Word 2 D95...D88 | D87...D80 | D79...D72 | D71...D64 | Word 1 D63...D56 | D55...D48 | D47...D40 | D39...D32 | Word 0 D31...D24 | D23...D16 | D15...D8 | D7...D0
AES core buffer (MSB to LSB): D103...D96 | D111...D104 | D119...D112 | D127...D120 | D71...D64 | D79...D72 | D87...D80 | D95...D88 | D39...D32 | D47...D40 | D55...D48 | D63...D56 | D7...D0 | D15...D8 | D23...D16 | D31...D24

DATATYPE[1:0] = 11: bit swapping

Data words (MSB to LSB, bit by bit): Word 3 D127...D96 | Word 2 D95...D64 | Word 1 D63...D32 | Word 0 D31...D0
AES core buffer (MSB to LSB, bit by bit): D96...D127 | D64...D95 | D32...D63 | D0...D31

Note: The data in AES key registers (AES_KEYRx) and initialization registers (AES_IVRx) are not sensitive to the swap mode selection.
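The four DATATYPE[1:0] swaps of Figure 100 as a word-level function, plus a model of how a 16-byte buffer in memory ends up in the AES core input buffer; this is an added example, not code from the reference manual. It assumes a little-endian CPU that loads 32-bit words from increasing addresses and writes them to AES_DINR in that order, and the function names are hypothetical. It shows why a byte stream needs DATATYPE = 10: only then does the first byte in memory become the most significant byte of the block.

```c
#include <stdint.h>

/* Swap applied by the peripheral to one 32-bit word, per DATATYPE[1:0].
 * Each swap is its own inverse, so the same function models the output side. */
uint32_t aes_swap_word(uint32_t w, unsigned datatype)
{
    switch (datatype & 3u) {
    case 1:                                   /* 01: half-word swapping */
        return (w << 16) | (w >> 16);
    case 3:                                   /* 11: bit swapping */
        w = ((w >> 1) & 0x55555555u) | ((w & 0x55555555u) << 1);
        w = ((w >> 2) & 0x33333333u) | ((w & 0x33333333u) << 2);
        w = ((w >> 4) & 0x0F0F0F0Fu) | ((w & 0x0F0F0F0Fu) << 4);
        /* bits are now reversed inside each byte; fall through to reverse
         * the byte order and complete the 32-bit reversal */
    case 2:                                   /* 10: byte swapping */
        return (w << 24) | ((w & 0x0000FF00u) << 8) |
               ((w >> 8) & 0x0000FF00u) | (w >> 24);
    default:                                  /* 00: no swapping */
        return w;
    }
}

/* Model of the input path: mem[] is the data as it sits in memory, core[] is
 * the AES core input buffer with core[0] holding bits [127:120]. */
void aes_core_block(const uint8_t mem[16], unsigned datatype, uint8_t core[16])
{
    for (int w = 0; w < 4; w++) {
        /* 32-bit load as performed by a little-endian CPU (assumption) */
        uint32_t din = (uint32_t)mem[4 * w] |
                       ((uint32_t)mem[4 * w + 1] << 8) |
                       ((uint32_t)mem[4 * w + 2] << 16) |
                       ((uint32_t)mem[4 * w + 3] << 24);
        uint32_t sw = aes_swap_word(din, datatype);

        /* the first word written to AES_DINR carries bits [127:96] */
        core[4 * w + 0] = (uint8_t)(sw >> 24);
        core[4 * w + 1] = (uint8_t)(sw >> 16);
        core[4 * w + 2] = (uint8_t)(sw >> 8);
        core[4 * w + 3] = (uint8_t)sw;
    }
}

/* Returns 1 if, for this DATATYPE, the core sees the bytes in memory order. */
int aes_datatype_keeps_byte_order(unsigned datatype)
{
    uint8_t mem[16], core[16];
    for (int i = 0; i < 16; i++)
        mem[i] = (uint8_t)(0x30 + i);         /* constructed sample bytes */
    aes_core_block(mem, datatype, core);
    for (int i = 0; i < 16; i++)
        if (core[i] != mem[i])
            return 0;
    return 1;
}

int main(void)
{
    /* exit status 0 when only byte swapping preserves byte-stream order */
    return !(aes_datatype_keeps_byte_order(2) &&
             !aes_datatype_keeps_byte_order(0));
}
```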

Data padding

Figure 100 also gives an example of memory data block padding with zeros such that the zeroed bits after the data swap form a contiguous zone at the MSB end of the AES core input buffer. The example shows the padding of an input data block containing:

19.4.11 AES key registers

The AES_KEYRx registers store the encryption or decryption key bitfield KEY[127:0]. The data to write to or to read from each register is organized in the memory in little-endian order, that is, with most significant byte on the highest address.

The key is spread over the four registers in little-endian configuration, as shown in Table 89.

Table 89. Key endianness in AES_KEYRx registers

| AES_KEYR3[31:0] | AES_KEYR2[31:0] | AES_KEYR1[31:0] | AES_KEYR0[31:0] |
|---|---|---|---|
| KEY[127:96] | KEY[95:64] | KEY[63:32] | KEY[31:0] |

The key for encryption or decryption may be written into these registers when the AES peripheral is disabled.

The key registers are not affected by the data swapping controlled by DATATYPE[1:0] bitfield of the AES_CR register.

19.4.12 AES initialization vector registers

The four AES_IVRx registers keep the initialization vector input bitfield IVI[127:0]. The data to write to or to read from each register is organized in the memory in little-endian order, that is, with most significant byte on the highest address. The registers are also ordered from lowest address (AES_IVR0) to highest address (AES_IVR3).

The meaning of the data in the bitfield depends on the chaining mode selected. When used, the bitfield is updated upon each computation cycle of the AES core.

Write operations to the AES_IVRx registers when the AES peripheral is enabled have no effect on the register contents. For modifying the contents of the AES_IVRx registers, the EN bit of the AES_CR register must first be cleared.

Reading the AES_IVRx registers returns the latest counter value (useful for managing suspend mode) when the AES peripheral is disabled and returns zeros when it is enabled.

The AES_IVRx registers are not affected by the data swapping feature controlled by the DATATYPE[1:0] bitfield of the CRYP_CR register.

19.4.13 AES DMA interface

The AES peripheral provides an interface to connect to the DMA (direct memory access) controller. The DMA operation is controlled through the AES_CR register.

Data input using DMA

Setting the DMAINEN bit of the AES_CR register enables DMA writing into AES. The AES peripheral then initiates a DMA request during the input phase each time it requires a word to be written to the AES_DINR register. It asserts four DMA requests to transfer one 128-bit (four-word) input data block from memory, as shown in Figure 101.

See Table 90 for recommended DMA configuration.

Table 90. DMA channel configuration for memory-to-AES data transfer

| DMA channel control register field | Recommended configuration |
|---|---|
| Transfer size | Message length: a multiple of 128 bits. According to the algorithm and the mode selected, special padding/ciphertext stealing might be required. |
| Source burst size (memory) | Single |
| Destination burst size (peripheral) | Single |
| DMA FIFO size | AES_FIFO_size = 4 bytes. |
| Source transfer width (memory) | 32-bit words |
| Destination transfer width (peripheral) | 32-bit words |
| Source address increment (memory) | Yes, after each 32-bit transfer |
| Destination address increment (peripheral) | Fixed address of AES_DINR (no increment) |

Figure 101. DMA transfer of a 128-bit data block during input phase

Diagram illustrating the DMA transfer of a 128-bit data block during the input phase. The diagram shows four 32-bit words (Word3, Word2, Word1, Word0) being transferred from memory to the AES_DINR register. The transfer is initiated by four DMA requests (DMA req N, DMA req N+1, DMA req N+2, DMA req N+3) from the AES peripheral. Each request triggers a 'DMA single write' operation. The data is written into the AES_DINR register, which is then read by the AES core input buffer. The order of write to the AES_DINR register is indicated by numbers 1, 2, 3, and 4, corresponding to Word3, Word2, Word1, and Word0 respectively. The diagram also shows the bit positions (D127 to D0) and the internal buffer structure (I127 to I0).

The diagram illustrates the DMA transfer of a 128-bit data block during the input phase. At the top, a horizontal arrow indicates 'Chronological order' and 'Increasing address'. Below this, a section titled 'Memory accessed through DMA' shows four 32-bit words: Word3 (D127 to D96), Word2 (D95 to D64), Word1 (D63 to D32), and Word0 (D31 to D0). Below each word, a DMA request is shown: 'DMA req N', 'DMA req N+1', 'DMA req N+2', and 'DMA req N+3'. Each request is followed by a 'DMA single write' box. Arrows from these boxes point down to a register labeled 'AES_DINR'. From the 'AES_DINR' register, arrows point down to an 'AES core input buffer'. The buffer is shown as a long horizontal bar with bit positions: I127, I96, I95, I64, I63, I32, I31, I0. Circled numbers 1, 2, 3, and 4 are placed under the buffer, corresponding to the four words. A legend at the bottom left shows '1...4' and 'Order of write to AES_DINR'. The text '(No swapping)' is also present. The diagram is labeled 'MSV42160V1' at the bottom right.


Data output using DMA

Setting the DMAOUTEN bit of the AES_CR register enables DMA reading from AES. The AES peripheral then initiates a DMA request during the output phase each time it requires a word to be read from the AES_DOUTR register. It asserts four DMA requests to transfer one 128-bit (four-word) output data block to memory, as shown in Figure 102.

See Table 91 for recommended DMA configuration.

Table 91. DMA channel configuration for AES-to-memory data transfer

| DMA channel control register field | Recommended configuration |
|---|---|
| Transfer size | It is the message length multiple of AES block size (4 words). According to the case extra bytes will have to be discarded. |
| Source burst size (peripheral) | Single |
| Destination burst size (memory) | Single |
| DMA FIFO size | AES_FIFO_size = 4 bytes |
| Source transfer width (peripheral) | 32-bit words |
| Destination transfer width (memory) | 32-bit words |
| Source address increment (peripheral) | Fixed address of AES_DINR (no increment) |
| Destination address increment (memory) | Yes, after each 32-bit transfer |

Figure 102. DMA transfer of a 128-bit data block during output phase

Diagram illustrating the DMA transfer of a 128-bit data block during the output phase. It shows the flow of data from the AES core output buffer through the AES_DOUTR register to memory via four DMA single reads. The memory addresses increase chronologically from Word0 to Word3. The diagram includes bit ranges for each word (D127-D96 for Word3, D95-D64 for Word2, D63-D32 for Word1, D31-D0 for Word0) and the corresponding output buffer slots (O127-O96, O95-O64, O63-O32, O31-O0). Arrows indicate the order of DMA requests (N, N+1, N+2, N+3) and the order of reads from the AES_DOUTR register (1, 2, 3, 4).

DMA operation in different operating modes

DMA operations are usable when Mode 1 (encryption) or Mode 3 (decryption) is selected via the MODE[1:0] bitfield of the AES_CR register. In Mode 2 (key derivation), the AES_KEYRx registers must be written by software, so enabling the DMA transfer through the DMAINEN and DMAOUTEN bits of the AES_CR register has no effect in that mode.

DMA single requests are generated by AES until it is disabled. So, after the data output phase at the end of processing of a 128-bit data block, AES switches automatically to a new data input phase for the next data block, if any.

When the data transferring between AES and memory is managed by DMA, the CCF flag is not relevant and can be ignored (left set) by software. It must only be cleared when transiting back to data transferring managed by software. See Suspend/resume operations in ECB/CBC modes in Section 19.4.8: AES basic chaining modes (ECB, CBC) as example.

19.4.14 AES error management

The read error flag (RDERR) and write error flag (WRERR) of the AES_SR register are set when an unexpected read or write operation, respectively, is detected. An interrupt can be generated if the error interrupt enable (ERRIE) bit of the AES_CR register is set. For more details, refer to Section 19.5: AES interrupts.

Note: AES is not disabled after an error detection and continues processing.

AES can be re-initialized at any moment by clearing then setting the EN bit of the AES_CR register.

Read error flag (RDERR)

When an unexpected read operation is detected during the computation phase or during the input phase, the AES read error flag (RDERR) is set in the AES_SR register. An interrupt is generated if the ERRIE bit of the AES_CR register is set.

The RDERR flag is cleared by setting the corresponding ERRC bit of the AES_CR register.

Write error flag (WRERR)

When an unexpected write operation is detected during the computation phase or during the output phase, the AES write error flag (WRERR) is set in the AES_SR register. An interrupt is generated if the ERRIE bit of the AES_CR register is set.

The WRERR flag is cleared by setting the corresponding ERRC bit of the AES_CR register.

19.5 AES interrupts

There are three individual maskable interrupt sources generated by the AES peripheral, to signal the following events:

These three sources are combined into a common interrupt signal aes_it that connects to NVIC (nested vectored interrupt controller).

Figure 103. AES interrupt signal generation

Logic diagram showing AES interrupt signal generation. It features three AND gates. The first AND gate takes 'CCF' (from AES_SR register) and 'CCFIE' (from AES_CR register) as inputs. The second AND gate takes 'WRERR' (from AES_SR register) and 'ERRIE' (from AES_CR register) as inputs. The third AND gate takes 'RDERR' (from AES_SR register) and 'ERRIE' (from AES_CR register) as inputs. The outputs of these three AND gates are connected to a single OR gate. The output of the OR gate is labeled 'aes_it (goes to NVIC)'. A bracket on the left groups the inputs as 'Flags in AES_SR register' and 'Bits of AES_CR register'. The diagram is labeled 'MSV42162V1' in the bottom right corner.

Each AES interrupt source can individually be enabled/disabled, by setting/clearing the corresponding enable bit of the AES_CR register. See Figure 103.

The status of the individual maskable interrupt sources can be read from the AES_SR register.

Table 92 gives a summary of the interrupt sources, their event flags and enable bits.

Table 92. AES interrupt requests

| AES interrupt event | Event flag | Enable bit |
|---|---|---|
| computation completed flag | CCF | CCFIE |
| read error flag | RDERR | ERRIE |
| write error flag | WRERR | ERRIE |
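The gating of Figure 103 and the flag handling of Table 92, as an added C example (not code from this reference manual or from the STM32 cryptographic library). The function names and event codes are hypothetical, and the registers are passed in as snapshots so the logic can be exercised off-target.

```c
#include <stdint.h>

/* Bit positions from the AES_SR and AES_CR descriptions in section 19.7. */
#define AES_SR_CCF    (1u << 0)
#define AES_SR_RDERR  (1u << 1)
#define AES_SR_WRERR  (1u << 2)
#define AES_CR_CCFC   (1u << 7)
#define AES_CR_ERRC   (1u << 8)
#define AES_CR_CCFIE  (1u << 9)
#define AES_CR_ERRIE  (1u << 10)

/* Figure 103: aes_it = (CCF & CCFIE) | (WRERR & ERRIE) | (RDERR & ERRIE). */
static int aes_it_asserted(uint32_t sr, uint32_t cr)
{
    int done = (sr & AES_SR_CCF) && (cr & AES_CR_CCFIE);
    int err  = (sr & (AES_SR_WRERR | AES_SR_RDERR)) && (cr & AES_CR_ERRIE);
    return done || err;
}

/* Hypothetical event codes for this example. */
enum aes_event { AES_EV_NONE = 0, AES_EV_DONE = 1, AES_EV_FAULT = 2 };

/*
 * Handler body for the shared aes_it line. Takes snapshots of AES_SR and
 * AES_CR, returns the events seen and stores in *cr_write the value to write
 * back to AES_CR so that the serviced flags are cleared. CCFC and ERRC clear
 * on a write of 1 and read as zero, so OR-ing them into CR keeps the rest.
 */
static unsigned aes_isr_decode(uint32_t sr, uint32_t cr, uint32_t *cr_write)
{
    unsigned events = AES_EV_NONE;
    uint32_t clear = 0;

    if (sr & (AES_SR_WRERR | AES_SR_RDERR)) {
        /* The error flags have no impact on the AES operation, so software
           decides what to do; this example reports the block as faulted. */
        events |= AES_EV_FAULT;
        clear  |= AES_CR_ERRC;
    }
    if (sr & AES_SR_CCF) {
        events |= AES_EV_DONE;
        clear  |= AES_CR_CCFC;
    }
    *cr_write = cr | clear;
    return events;
}
```

Because both error flags share ERRIE and one interrupt line, the handler reads AES_SR to tell the sources apart rather than relying on which enable bit is set.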

19.6 AES processing latency

The tables below summarize the latency to process a 128-bit block for each mode of operation.

Table 93. Processing latency (in clock cycle)

| Mode of operation | Algorithm | Input phase | Computation phase | Output phase | Total |
|---|---|---|---|---|---|
| Mode 1: Encryption | ECB, CBC, CTR | 8 | 202 | 4 | 214 |
| Mode 2: Key derivation for decryption | ECB, CBC | - | 80 | - | 80 |
| Mode 3: Decryption | ECB, CBC, CTR | 8 | 202 | 4 | 214 |
| Mode 4: Key derivation then decryption | ECB, CBC | 8 | 276 | 4 | 288 |

19.7 AES registers

19.7.1 AES control register (AES_CR)

Address offset: 0x00

Reset value: 0x0000 0000

| Bits | 31:13 | 12 | 11 | 10 | 9 | 8 | 7 | 6:5 | 4:3 | 2:1 | 0 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Field | Res. | DMAOUTEN | DMAINEN | ERRIE | CCFIE | ERRC | CCFC | CHMOD[1:0] | MODE[1:0] | DATATYPE[1:0] | EN |
| Access | | rw | rw | rw | rw | rw | rw | rw | rw | rw | rw |

Bits 31:13 Reserved, must be kept at zero

Bit 12 DMAOUTEN : DMA output enable

This bit enables/disables data transferring with DMA, in the output phase:

0: Disable

1: Enable

When the bit is set, DMA requests are automatically generated by AES during the output data phase. This feature is only effective when Mode 1 or Mode 3 is selected through the MODE[1:0] bitfield. It is not effective for Mode 2 (key derivation).

Usage of DMA with Mode 4 (single decryption) is not recommended.

Bit 11 DMAINEN : DMA input enable

This bit enables/disables data transferring with DMA, in the input phase:

0: Disable

1: Enable

When the bit is set, DMA requests are automatically generated by AES during the input data phase. This feature is only effective when Mode 1 or Mode 3 is selected through the MODE[1:0] bitfield. It is not effective for Mode 2 (key derivation).

Usage of DMA with Mode 4 (single decryption) is not recommended.

Bit 10 ERRIE : Error interrupt enable

This bit enables or disables (masks) the AES interrupt generation when RDERR and/or WRERR is set:

0: Disable (mask)

1: Enable

Bit 9 CCFIE : CCF interrupt enable

This bit enables or disables (masks) the AES interrupt generation when CCF (computation complete flag) is set:

0: Disable (mask)

1: Enable

Bit 8 ERRC: Error flag clear

When written to 1, this bit clears the RDERR and WRERR error flags in the AES_SR register:

0: No effect

1: Clear RDERR and WRERR flags

Reading the flag always returns zero.

Bit 7 CCFC: Computation complete flag clear

When written to 1, this bit clears the computation complete flag (CCF) in the AES_SR register:

0: No effect

1: Clear CCF

Reading the flag always returns zero.

Bits 6:5 CHMOD[1:0]: Chaining mode selection

This bitfield selects the AES chaining mode:

00: Electronic codebook (ECB)

01: Cipher-Block Chaining (CBC)

10: Counter Mode (CTR)

11: Reserved

The bitfield value change is allowed only when AES is disabled, so as to avoid an unpredictable behavior.

Bits 4:3 MODE[1:0]: AES operating mode

This bitfield selects the AES operating mode:

00: Mode 1: encryption

01: Mode 2: key derivation (or key preparation for ECB/CBC decryption)

10: Mode 3: decryption

11: Mode 4: key derivation then single decryption

The bitfield value may be changed only when AES is disabled, to avoid unpredictable behavior. Any attempt to select Mode 4 while neither ECB nor CBC chaining mode is selected defaults to an effective selection of Mode 3. It is not possible to select Mode 3 following Mode 4.

Bits 2:1 DATATYPE[1:0]: Data type selection

This bitfield defines the format of data written in the AES_DINR register or read from the AES_DOUTR register, through selecting the mode of data swapping:

00: None

01: Half-word (16-bit)

10: Byte (8-bit)

11: Bit

For more details, refer to Section 19.4.10: AES data registers and data swapping.

The bitfield value change is allowed only when AES is disabled, so as to avoid an unpredictable behavior.

Bit 0 EN: AES enable

This bit enables/disables the AES peripheral:

0: Disable

1: Enable

At any moment, clearing then setting the bit re-initializes the AES peripheral.

This bit is automatically cleared by hardware when the key preparation process ends (Mode 2).
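The AES_CR field encodings and the restrictions stated above, as an added C example (not from this reference manual or the STM32 cryptographic library). The function names and the choice to reject a setting rather than let the hardware ignore or remap it are assumptions of this example.

```c
#include <stdint.h>

/* Field encodings from the AES_CR description (bit 0 EN .. bit 12 DMAOUTEN). */
enum aes_datatype { AES_DT_NONE = 0, AES_DT_HALFWORD = 1, AES_DT_BYTE = 2, AES_DT_BIT = 3 };
enum aes_mode     { AES_MODE_ENC = 0, AES_MODE_KEYDERIV = 1, AES_MODE_DEC = 2, AES_MODE_KEYDERIV_DEC = 3 };
enum aes_chmod    { AES_CH_ECB = 0, AES_CH_CBC = 1, AES_CH_CTR = 2 };

#define AES_CR_EN        (1u << 0)
#define AES_CR_DMAINEN   (1u << 11)
#define AES_CR_DMAOUTEN  (1u << 12)

/*
 * Build an AES_CR value with EN = 0, rejecting settings the register
 * description calls reserved, ineffective or silently remapped.
 * Returns 0 and stores the value in *cr, or -1 (policy of this example).
 */
static int aes_cr_build(unsigned chmod, unsigned mode, unsigned datatype,
                        int use_dma, uint32_t *cr)
{
    if (chmod > (unsigned)AES_CH_CTR || mode > 3u || datatype > 3u)
        return -1;                  /* CHMOD = 11 is reserved */
    if (mode == AES_MODE_KEYDERIV_DEC && chmod == AES_CH_CTR)
        return -1;                  /* hardware would default to Mode 3 */
    if (use_dma && mode != AES_MODE_ENC && mode != AES_MODE_DEC)
        return -1;                  /* DMA: no effect in Mode 2, not recommended in Mode 4 */
    *cr = ((uint32_t)chmod << 5) | ((uint32_t)mode << 3) | ((uint32_t)datatype << 1);
    if (use_dma)
        *cr |= AES_CR_DMAINEN | AES_CR_DMAOUTEN;
    return 0;
}

/*
 * CHMOD, MODE and DATATYPE may change only while AES is disabled: returns 1
 * when going from cr_now to cr_new alters one of them with EN still set.
 */
static int aes_cr_change_unsafe(uint32_t cr_now, uint32_t cr_new)
{
    const uint32_t locked = (3u << 5) | (3u << 3) | (3u << 1);
    return (cr_now & AES_CR_EN) && ((cr_now ^ cr_new) & locked) != 0;
}
```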

19.7.2 AES status register (AES_SR)

Address offset: 0x04

Reset value: 0x0000 0000

| Bits | 31:3 | 2 | 1 | 0 |
|---|---|---|---|---|
| Field | Res. | WRERR | RDERR | CCF |
| Access | r | r | r | r |

Bits 31:3 Reserved, must be kept at zero

Bit 2 WRERR: Write error

This flag indicates the detection of an unexpected write operation to the AES_DINR register (during computation or data output phase):

0: Not detected

1: Detected

The flag is set by hardware. It is cleared by software upon setting the ERRC bit of the AES_CR register.

Upon the flag setting, an interrupt is generated if enabled through the ERRIE bit of the AES_CR register.

The flag setting has no impact on the AES operation.

The flag is not effective when key derivation mode is selected.

Bit 1 RDERR: Read error flag

This flag indicates the detection of an unexpected read operation from the AES_DOUTR register (during computation or data input phase):

0: Not detected

1: Detected

The flag is set by hardware. It is cleared by software upon setting the ERRC bit of the AES_CR register.

Upon the flag setting, an interrupt is generated if enabled through the ERRIE bit of the AES_CR register.

The flag setting has no impact on the AES operation.

The flag is not effective when key derivation mode is selected.

Bit 0 CCF: Computation completed flag

This flag indicates whether the computation is completed:

0: Not completed

1: Completed

The flag is set by hardware upon the completion of the computation. It is cleared by software, upon setting the CCFC bit of the AES_CR register.

Upon the flag setting, an interrupt is generated if enabled through the CCFIE bit of the AES_CR register.

The flag is significant only when the DMAOUTEN bit is 0. It may stay high when DMA_EN is 1.

19.7.3 AES data input register (AES_DINR)

Address offset: 0x08

Reset value: 0x0000 0000

Only 32-bit access type is supported.

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | DIN[x+31:x+16] | DIN[x+15:x] |
| Access | rw | rw |

Bits 31:0 This bitfield feeds a 32-bit input buffer. A 4-fold sequential write to this bitfield during the input phase virtually writes a complete 128-bit block of input data to the AES peripheral. Upon each write, the data from the input buffer are handled by the data swap block according to the DATATYPE[1:0] bitfield, then written into the AES core 128-bit input buffer.

The substitution for “x”, from the first to the fourth write operation, is: 96, 64, 32, and 0. In other words, data from the first to the fourth write operation are: DIN[127:96], DIN[95:64], DIN[63:32], and DIN[31:0].

The data signification of the input data block depends on the AES operating mode:

The data swap operation is described in Section 19.4.10: AES data registers and data swapping on page 450.

19.7.4 AES data output register (AES_DOUTR)

Address offset: 0x0C

Reset value: 0x0000 0000

Only 32-bit access type is supported.

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | DOUT[x+31:x+16] | DOUT[x+15:x] |
| Access | r | r |

Bits 31:0 DOUT[x+31:x] : One of four 32-bit words of a 128-bit output data block being read from the peripheral

This bitfield fetches a 32-bit output buffer. A 4-fold sequential read of this bitfield, upon the computation completion (CCF set), virtually reads a complete 128-bit block of output data from the AES peripheral. Before reaching the output buffer, the data produced by the AES core are handled by the data swap block according to the DATATYPE[1:0] bitfield.

The substitution for “x” in DOUT[x+31:x], from the first to the fourth read operation, is: 96, 64, 32, and 0. In other words, data from the first to the fourth read operation are: DOUT[127:96], DOUT[95:64], DOUT[63:32], and DOUT[31:0].

The data signification of the output data block depends on the AES operating mode:

The data swap operation is described in Section 19.4.10: AES data registers and data swapping on page 450.

19.7.5 AES key register 0 (AES_KEYR0)

Address offset: 0x10

Reset value: 0x0000 0000

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | KEY[31:16] | KEY[15:0] |
| Access | rw | rw |

Bits 31:0 KEY[31:0] : Cryptographic key, bits [31:0]

This bitfield contains the bits [31:0] of the AES encryption or decryption key, depending on the operating mode:

Note: In mode 4 (key derivation then single decryption) the bitfield always contains the encryption key.

The AES_KEYRx registers may be written only when the AES peripheral is disabled.

Refer to Section 19.4.11: AES key registers on page 452 for more details.

19.7.6 AES key register 1 (AES_KEYR1)

Address offset: 0x14

Reset value: 0x0000 0000

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | KEY[63:48] | KEY[47:32] |
| Access | rw | rw |

Bits 31:0 KEY[63:32] : Cryptographic key, bits [63:32]

Refer to the AES_KEYR0 register for description of the KEY[127:0] bitfield.

19.7.7 AES key register 2 (AES_KEYR2)

Address offset: 0x18

Reset value: 0x0000 0000

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | KEY[95:80] | KEY[79:64] |
| Access | rw | rw |

Bits 31:0 KEY[95:64] : Cryptographic key, bits [95:64]

Refer to the AES_KEYR0 register for description of the KEY[127:0] bitfield.

19.7.8 AES key register 3 (AES_KEYR3)

Address offset: 0x1C

Reset value: 0x0000 0000

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | KEY[127:112] | KEY[111:96] |
| Access | rw | rw |

Bits 31:0 KEY[127:96] : Cryptographic key, bits [127:96]

Refer to the AES_KEYR0 register for description of the KEY[127:0] bitfield.

19.7.9 AES initialization vector register 0 (AES_IVR0)

Address offset: 0x20

Reset value: 0x0000 0000

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | IVI[31:16] | IVI[15:0] |
| Access | rw | rw |

Bits 31:0 IVI[31:0] : Initialization vector input, bits [31:0]

Refer to Section 19.4.12: AES initialization vector registers on page 452 for description of the IVI[127:0] bitfield.

The initialization vector is only used in chaining modes other than ECB.

The initialization vector may be written only when the AES peripheral is disabled.

Reading this bitfield while AES is enabled returns 0x0000 0000.

19.7.10 AES initialization vector register 1 (AES_IVR1)

Address offset: 0x24

Reset value: 0x0000 0000

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | IVI[63:48] | IVI[47:32] |
| Access | rw | rw |

Bits 31:0 IVI[63:32] : Initialization vector input, bits [63:32]

Refer to Section 19.4.12: AES initialization vector registers on page 452 for description of the IVI[127:0] bitfield.

The initialization vector is only used in chaining modes other than ECB.

The initialization vector may be written only when the AES peripheral is disabled.

Reading this bitfield while AES is enabled returns 0x0000 0000.

19.7.11 AES initialization vector register 2 (AES_IVR2)

Address offset: 0x28

Reset value: 0x0000 0000

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | IVI[95:80] | IVI[79:64] |
| Access | rw | rw |

Bits 31:0 IVI[95:64] : Initialization vector input, bits [95:64]

Refer to Section 19.4.12: AES initialization vector registers on page 452 for description of the IVI[127:0] bitfield.

The initialization vector is only used in chaining modes other than ECB.

The initialization vector may be written only when the AES peripheral is disabled.

Reading this bitfield while AES is enabled returns 0x0000 0000.

19.7.12 AES initialization vector register 3 (AES_IVR3)

Address offset: 0x2C

Reset value: 0x0000 0000

| Bits | 31:16 | 15:0 |
|---|---|---|
| Field | IVI[127:112] | IVI[111:96] |
| Access | rw | rw |

Bits 31:0 IVI[127:96] : Initialization vector input, bits [127:96]

Refer to Section 19.4.12: AES initialization vector registers on page 452 for description of the IVI[127:0] bitfield.

The initialization vector is only used in chaining modes other than ECB.

The initialization vector may be written only when the AES peripheral is disabled.

Reading this bitfield while AES is enabled returns 0x0000 0000.

19.7.13 AES register map

Table 94. AES register map and reset values

| Offset | Register | Bit fields (31 down to 0) | Reset value |
|---|---|---|---|
| 0x0000 | AES_CR | 31:13 Res., 12 DMAOUTEN, 11 DMAINEN, 10 ERRIE, 9 CCFIE, 8 ERRC, 7 CCFC, 6:5 CHMOD[1:0], 4:3 MODE[1:0], 2:1 DATATYPE[1:0], 0 EN | 0x0000 0000 |
| 0x0004 | AES_SR | 31:3 Res., 2 WRERR, 1 RDERR, 0 CCF | 0x0000 0000 |
| 0x0008 | AES_DINR | 31:0 DIN[x+31:x], x=96,64,32,0 | 0x0000 0000 |
| 0x000C | AES_DOUTR | 31:0 DOUT[x+31:x], x=96,64,32,0 | 0x0000 0000 |
| 0x0010 | AES_KEYR0 | 31:0 KEY[31:0] | 0x0000 0000 |
| 0x0014 | AES_KEYR1 | 31:0 KEY[63:32] | 0x0000 0000 |
| 0x0018 | AES_KEYR2 | 31:0 KEY[95:64] | 0x0000 0000 |
| 0x001C | AES_KEYR3 | 31:0 KEY[127:96] | 0x0000 0000 |
| 0x0020 | AES_IVR0 | 31:0 IVI[31:0] | 0x0000 0000 |
| 0x0024 | AES_IVR1 | 31:0 IVI[63:32] | 0x0000 0000 |
| 0x0028 | AES_IVR2 | 31:0 IVI[95:64] | 0x0000 0000 |
| 0x002C | AES_IVR3 | 31:0 IVI[127:96] | 0x0000 0000 |

Refer to Section 2.2 on page 58 for the register boundary addresses.
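The register map of Table 94 as a C register block, added here as an example (not from this reference manual or the STM32 cryptographic library). It contrasts the index order of AES_KEYRx/AES_IVRx (register 0 holds bits [31:0]) with the access order of AES_DINR/AES_DOUTR (bits [127:96] first); the struct, the function names and the convention that array element n holds bits [32n+31:32n] are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Register block per Table 94; the struct and field names are this example's. */
typedef struct {
    volatile uint32_t CR;       /* 0x00 */
    volatile uint32_t SR;       /* 0x04 */
    volatile uint32_t DINR;     /* 0x08 */
    volatile uint32_t DOUTR;    /* 0x0C */
    volatile uint32_t KEYR[4];  /* 0x10-0x1C: KEYR[n] = KEY[32n+31:32n] */
    volatile uint32_t IVR[4];   /* 0x20-0x2C: IVR[n]  = IVI[32n+31:32n] */
} aes_regs_t;

_Static_assert(offsetof(aes_regs_t, DINR) == 0x08, "AES_DINR offset");
_Static_assert(offsetof(aes_regs_t, KEYR) == 0x10, "AES_KEYR0 offset");
_Static_assert(offsetof(aes_regs_t, IVR)  == 0x20, "AES_IVR0 offset");
_Static_assert(sizeof(aes_regs_t) == 0x30, "register block size");

/* key[n] and iv[n] carry bits [32n+31:32n], matching the KEYRx/IVRx index. */
static int aes_load_key_iv(aes_regs_t *aes, const uint32_t key[4],
                           const uint32_t iv[4])
{
    if (aes->CR & 1u)           /* EN set: KEYRx/IVRx may not be written */
        return -1;
    for (int n = 0; n < 4; n++) {
        aes->KEYR[n] = key[n];
        aes->IVR[n]  = iv[n];
    }
    return 0;
}

/* Array index carried by the k-th (0..3) AES_DINR write or AES_DOUTR read:
   x = 96, 64, 32, 0, so the most significant word goes first. */
static unsigned aes_data_word_index(unsigned k)
{
    return 3u - (k & 3u);
}

/* Four sequential 32-bit writes feed one 128-bit block. */
static void aes_write_block(aes_regs_t *aes, const uint32_t block[4])
{
    for (unsigned k = 0; k < 4; k++)
        aes->DINR = block[aes_data_word_index(k)];
}
```

On target, the pointer would come from the AES base address given in Section 2.2; here any `aes_regs_t` object in RAM can stand in for the peripheral.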