54.4.2 Operating Modes
The AES supports the following modes of operation:
- ECB: Electronic Codebook
- CBC: Cipher Block Chaining
- CBC-MAC: Useful for CMAC hardware acceleration
- OFB: Output Feedback
- CFB: Cipher Feedback
- CFB8 (CFB where the length of the data segment is 8 bits)
- CFB16 (CFB where the length of the data segment is 16 bits)
- CFB32 (CFB where the length of the data segment is 32 bits)
- CFB64 (CFB where the length of the data segment is 64 bits)
- CFB128 (CFB where the length of the data segment is 128 bits)
- CTR: Counter
- GCM: Galois/Counter Mode
- XTS: XEX-based Tweaked-codebook Mode
Data pre-processing, data post-processing and data chaining for the concerned modes are performed automatically. Refer to the NIST Special Publication 800-38A and NIST Special Publication 800-38D for more complete information.
Mode selection is done by configuring AES_MR.OPMOD.
When switching from an operating mode requiring the initialization vectors (e.g. CBC, GCM) to another operating mode that does not require initialization vectors (e.g. ECB) and a message of one block has been processed, initialization vector registers (AES_IVRx) must be cleared before switching to the new mode.
In CFB mode, five data sizes are possible (8, 16, 32, 64 or 128 bits), configurable by means of AES_MR.CFBS.
In CTR mode, the size of the block counter embedded in the module is 16 bits. Therefore, there is a rollover after processing 1 Mbyte of data. If the file to be processed is greater than 1 Mbyte, this file must be split into fragments of 1 Mbyte or less for the first fragment if the initial value of the counter is greater than 0. Prior to loading the first fragment into AES_IDATARx, AES_IVRx must be fully programmed with the initial counter value. For any fragment, after the transfer is completed and prior to transferring the next fragment, AES_IVRx must be programmed with the appropriate counter value.
If the initial value of the counter is greater than 0 and the data buffer size to be processed is greater than 1 Mbyte, the size of the first fragment to be processed must be 1 Mbyte minus 16 × (initial value) to prevent a rollover of the internal 16-bit counter.
To have a sequential increment, the counter value must be programmed with the value programmed for the previous fragment + 216 (or less for the first fragment).
All AES_IVRx fields must be programmed to take into account the possible carry propagation.