[crypto] Change P-384 pointer handling in top-level OTBN code

This commit removes dptr_<x> variables and adapts the code to function without it. Signed-off-by: Moritz Wettermann <[email protected]>
lowRISC · Jun 4, 2024 · 21ef103 · 21ef103
1 parent a14bf02
commit 21ef103
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 289 deletions.
diff --git a/sw/otbn/crypto/p384_curve_point_valid.s b/sw/otbn/crypto/p384_curve_point_valid.s
@@ -26,6 +26,10 @@ start:
   unimp
 
 validate_point:
+  /* Fill gpp registers with pointers to coordinates */
+  la        x20, x
+  la        x21, y
+
   /* Call curve point validation function */
   jal       x1, p384_curve_point_valid
 

diff --git a/sw/otbn/crypto/p384_ecdh.s b/sw/otbn/crypto/p384_ecdh.s
@@ -59,27 +59,29 @@ start:
  * This routine runs in constant time (except potentially waiting for entropy
  * from RND).
  *
- * @param[in]       w31: all-zero
- * @param[in]   dmem[0]: dptr_d0, pointer to location in dmem containing
- *                       1st private key share d0
- * @param[in]   dmem[4]: dptr_d1, pointer to location in dmem containing
- *                       2nd private key share d1
- * @param[in]  dmem[20]: dptr_x, pointer to result buffer for x-coordinate
- * @param[in]  dmem[24]: dptr_y, pointer to result buffer for y-coordinate
- * @param[out] dmem[d0]: 1st private key share d0
- * @param[out] dmem[d1]: 2nd private key share d1
- * @param[out]  dmem[x]: Public key x-coordinate
- * @param[out]  dmem[y]: Public key y-coordinate
+ * @param[in]        w31: all-zero
+ * @param[out]  dmem[d0]: 1st private key share d0
+ * @param[out]  dmem[d1]: 2nd private key share d1
+ * @param[out]   dmem[x]: Public key x-coordinate
+ * @param[out]   dmem[y]: Public key y-coordinate
  *
  * clobbered registers: x2, x3, x9 to x13, x18 to x21, x26 to x30, w0 to w30
  * clobbered flag groups: FG0
  */
 keypair_random:
+  /* Fill gpp registers with pointers to key shares */
+  la        x20, d0
+  la        x21, d1
+
   /* Generate secret key d in shares.
        dmem[d0] <= d0
        dmem[d1] <= d1 */
   jal       x1, p384_generate_random_key
 
+  /* Fill gpp registers with pointers to key shares */
+  la        x17, d0
+  la        x19, d1
+
   /* Generate public key d*G.
        dmem[x] <= (d*G).x
        dmem[y] <= (d*G).y */
@@ -99,20 +101,26 @@ keypair_random:
  * !!! Attention !!! - before shared key computation p384_curve_point_valid
  * binary has to be executed to check if the provided public key is valid.
  *
- * @param[in]       w31: all-zero
- * @param[in]   dmem[0]: dptr_k0, pointer to location in dmem containing
- *                       1st private key share d0/k0
- * @param[in]   dmem[4]: dptr_k1, pointer to location in dmem containing
- *                       2nd private key share d1/k0
- * @param[in]  dmem[20]: dptr_x, pointer to result buffer for x-coordinate
- * @param[in]  dmem[24]: dptr_y, pointer to result buffer for y-coordinate
- * @param[out]  dmem[x]: x0, first share of shared key.
- * @param[out]  dmem[y]: x1, second share of shared key.
+ * @param[in]        w31: all-zero
+ * @param[in]   dmem[k0]: 1st private key share d0/k0
+ * @param[in]   dmem[k1]: 2nd private key share d1/k0
+ * @param[in]    dmem[x]: x-coordinate of public key
+ * @param[in]    dmem[y]: y-coordinate of public key
+ * @param[out]   dmem[x]: x0, first share of shared key.
+ * @param[out]   dmem[y]: x1, second share of shared key.
  *
  * clobbered registers: x2, x3, x9 to x13, x18 to x21, x26 to x30, w0 to w30
  * clobbered flag groups: FG0
  */
 shared_key:
+  /* Fill gpp registers with pointers to coordinates */
+  la        x20, x
+  la        x21, y
+
+  /* Fill gpp registers with pointers to scalar shares */
+  la        x17, k0
+  la        x19, k1
+
     /* Generate arithmetically masked shared key d*Q.
        dmem[x] <= (d*Q).x - m mod p
        dmem[y] <= m */
@@ -124,13 +132,11 @@ shared_key:
      [w12,w11] <= dmem[x] = x_m
      [w19,w18] <= dmem[y] = m */
   li        x2, 11
-  la        x3, dptr_x
-  lw        x3, 0(x3)
+  la        x3, x
   bn.lid    x2++, 0(x3)
   bn.lid    x2++, 32(x3)
   li        x2, 18
-  la        x3, dptr_y
-  lw        x3, 0(x3)
+  la        x3, y
   bn.lid    x2++, 0(x3)
   bn.lid    x2, 32(x3)
 
@@ -146,8 +152,7 @@ shared_key:
   /* Store arithmetically masked key to DMEM
      dmem[x] <= [w21,w20] = x_m' */
   li        x2, 20
-  la        x3, dptr_x
-  lw        x3, 0(x3)
+  la        x3, x
   bn.sid    x2++, 0(x3)
   bn.sid    x2++, 32(x3)
 
@@ -161,18 +166,6 @@ shared_key:
 mode:
   .zero 4
 
-/* pointer to x-coordinate (dptr_x) */
-.globl dptr_x
-.balign 4
-dptr_x:
-  .zero 4
-
-/* pointer to y-coordinate (dptr_y) */
-.globl dptr_y
-.balign 4
-dptr_y:
-  .zero 4
-
 /* Public key x-coordinate. */
 .globl x
 .balign 32
@@ -191,22 +184,6 @@ y:
    is also used for ECDSA signing and reads from those labels; in the case of
    ECDH, the scalar in `p384_scalar_mult` is always the private key (d). */
 
-/* pointer to d0 (dptr_d0) */
-.globl dptr_k0
-.globl dptr_d0
-.balign 4
-dptr_d0:
-dptr_k0:
-  .zero 4
-
-/* pointer to d1 (dptr_d1) */
-.globl dptr_k1
-.globl dptr_d1
-.balign 4
-dptr_d1:
-dptr_k1:
-  .zero 4
-
 .globl d0
 .globl k0
 .balign 32
@@ -220,5 +197,3 @@ k0:
 d1:
 k1:
   .zero 64
-
-.balign 32
diff --git a/sw/otbn/crypto/p384_ecdsa_keygen.s b/sw/otbn/crypto/p384_ecdsa_keygen.s
@@ -28,24 +28,26 @@ start:
  * Returns public key Q = d*G in affine coordinates (x, y).
  *
  * @param[in]       w31: all-zero
- * @param[in]   dmem[0]: dptr_d0, pointer to location in dmem containing
- *                       1st private key share d0
- * @param[in]   dmem[4]: dptr_d1, pointer to location in dmem containing
- *                       2nd private key share d1
- * @param[in]  dmem[20]: dptr_x, pointer to result buffer for x-coordinate
- * @param[in]  dmem[24]: dptr_y, pointer to result buffer for y-coordinate
  * @param[out] dmem[d0]: 1st private key share d0
  * @param[out] dmem[d1]: 2nd private key share d1
  * @param[out]  dmem[x]: Public key x-coordinate
- * @param[out]  dmem[y]: Public key y-coordinate]
+ * @param[out]  dmem[y]: Public key y-coordinate
 
  */
 random_keygen:
+  /* Fill gpp registers with pointers to key shares */
+  la        x20, d0
+  la        x21, d1
+
   /* Generate secret key d in shares.
        dmem[d0] <= d0
        dmem[d1] <= d1 */
   jal       x1, p384_generate_random_key
 
+  /* Fill gpp registers with pointers to key shares */
+  la        x17, d0
+  la        x19, d1
+
   /* Generate public key d*G.
        dmem[x] <= (d*G).x
        dmem[y] <= (d*G).y */
@@ -55,26 +57,6 @@ random_keygen:
 
 .bss
 
-/* pointer to k0 (dptr_k0) */
-.globl dptr_k0
-dptr_k0:
-  .zero 4
-
-/* pointer to k1 (dptr_k1) */
-.globl dptr_k1
-dptr_k1:
-  .zero 4
-
-/* pointer to d0 (dptr_d0) */
-.globl dptr_d0
-dptr_d0:
-  .zero 4
-
-/* pointer to d1 (dptr_d1) */
-.globl dptr_d1
-dptr_d1:
-  .zero 4
-
 /* random scalar first share */
 .globl k0
 .balign 32
@@ -99,18 +81,6 @@ d0:
 d1:
   .zero 64
 
-/* pointer to x-coordinate (dptr_x) */
-.globl dptr_x
-.balign 4
-dptr_x:
-  .zero 4
-
-/* pointer to y-coordinate (dptr_y) */
-.globl dptr_y
-.balign 4
-dptr_y:
-  .zero 4
-
 /* x-coordinate. */
 .globl x
 .balign 32

diff --git a/sw/otbn/crypto/p384_ecdsa_sca.s b/sw/otbn/crypto/p384_ecdsa_sca.s
@@ -26,55 +26,26 @@ start:
 
 .text
 p384_ecdsa_sign:
-  jal      x1, p384_ecdsa_setup
+  /* Fill gpp registers with pointers to variables required for p384_sign */
+  /* scalar shares */
+  la        x17, k0
+  la        x19, k1
+  /* message */
+  la        x6, msg
+  /* signature values */
+  la        x14, r
+  la        x15, s
+  /* secret key shares */
+  la        x4, d0
+  la        x5, d1
+
   jal      x1, p384_sign
   ecall
 
 p384_ecdsa_verify:
   /*jal      x1, p384_verify*/
   ecall
 
-/**
- * Populate the variables rnd and k with randomness, and setup data pointers.
- */
-p384_ecdsa_setup:
-  /* Point dptr_k0 to k0. */
-  la        x10, k0
-  la        x11, dptr_k0
-  sw        x10, 0(x11)
-
-  /* Point dptr_k1 to k1. */
-  la        x10, k1
-  la        x11, dptr_k1
-  sw        x10, 0(x11)
-
-  /* Point dptr_d0 to d0. */
-  la        x10, d0
-  la        x11, dptr_d0
-  sw        x10, 0(x11)
-
-  /* Point dptr_d1 to d1. */
-  la        x10, d1
-  la        x11, dptr_d1
-  sw        x10, 0(x11)
-
-  /* Point dptr_msg to msg. */
-  la        x10, msg
-  la        x11, dptr_msg
-  sw        x10, 0(x11)
-
-  /* Point dptr_r to sig_r. */
-  la        x10, r
-  la        x11, dptr_r
-  sw        x10, 0(x11)
-
-  /* Point dptr_s to sig_s. */
-  la        x10, s
-  la        x11, dptr_s
-  sw        x10, 0(x11)
-
-  ret
-
 .data
 
 /* Freely available DMEM space. */
@@ -152,53 +123,3 @@ d1:
 .balign 64
 x_r:
   .zero 64
-
-/* pointer to rnd (dptr_rnd) */
-.globl dptr_rnd
-dptr_rnd:
-  .zero 4
-
-/* pointer to k0 (dptr_k0) */
-.globl dptr_k0
-dptr_k0:
-  .zero 4
-
-/* pointer to k1 (dptr_k1) */
-.globl dptr_k1
-dptr_k1:
-  .zero 4
-
-/* pointer to msg (dptr_msg) */
-.globl dptr_msg
-dptr_msg:
-  .zero 4
-
-/* pointer to R (dptr_r) */
-.globl dptr_r
-dptr_r:
-  .zero 4
-
-/* pointer to S (dptr_s) */
-.globl dptr_s
-dptr_s:
-  .zero 4
-
-/* pointer to X (dptr_x) */
-.globl dptr_x
-dptr_x:
-  .zero 4
-
-/* pointer to Y (dptr_y) */
-.globl dptr_y
-dptr_y:
-  .zero 4
-
-/* pointer to d0 (dptr_d0) */
-.globl dptr_d0
-dptr_d0:
-  .zero 4
-
-/* pointer to d1 (dptr_d1) */
-.globl dptr_d1
-dptr_d1:
-  .zero 4