50.4.4.3.4 Manual GCM Tag Generation

This section describes the last steps of the GCM Tag generation.

The Manual GCM Tag Generation is used to complete the GCM Tag Generation when the message has been processed without Tag Generation.

Note: The Message Processing without Tag Generation must be finished before processing the Manual GCM Tag Generation.

To generate a GCM Tag manually, the sequence is as follows:

Processing S = GHASHH (AAD || 0v || C || 0u || [len(AAD)]64 || [len(C)]64):

  1. Set AES_MR.OPMOD to GCM and AES_MR.GTAGEN to ‘0’.
  2. Write the key and wait for AES_ISR.DATRDY to be set (GCM hash subkey generation complete); use interrupt if needed. After the GCM hash subkey generation is complete the GCM hash subkey can be read or overwritten with specific value in AES_GCMHRx. See Key Writing and Automatic Hash Subkey Calculation.
  3. Configure AES_AADLENR.AADLEN to 0x10 (16 bytes) and AES_CLENR.CLEN to ‘0’. This will allow running a single GHASHH on a 16-byte input data (see the following figure).
  4. Fill AES_GHASHRx.GHASH with the state of the GHASH field stored at the end of the message processing.
  5. Fill AES_IDATARx.IDATA according to the SMOD configuration used with ‘len(AAD)64 || len(C)64’ value as described in the NIST documentation and wait for DATRDY to be set; use interrupt if needed.
  6. Read AES_GHASHRx.GHASH to obtain the current value of the hash.

Processing T = GCTRK(J0, S):

  1. Set AES_MR.OPMOD to CTR.
  2. Set AES_IVRx.IV with ‘J0’ value.
  3. Fill AES_IDATARx.IDATA with the GHASH value read at step 6 and wait for DATRDY to be set (use interrupt if needed).
  4. Read AES_ODATARx.ODATA to obtain the GCM Tag value.
Note: Step 4 is optional if the GHASH field is to be filled with value ‘0’ (0 length packet for instance).