From ca83009b1e72dd58013109e4060460db26a1685c Mon Sep 17 00:00:00 2001 From: Moritz Wettermann Date: Tue, 30 Apr 2024 15:27:25 +0200 Subject: [PATCH] [crypto] Load variable addresses in functions (not in wrapper code) This commit puts `la` instructions for variable address loading inside of functions, so that address loading doesn't need to be done in wrapper functions. Signed-off-by: Moritz Wettermann --- sw/otbn/crypto/p384_base_mult.s | 26 ++++-- sw/otbn/crypto/p384_curve_point_valid.s | 4 - sw/otbn/crypto/p384_ecdh.s | 22 +---- sw/otbn/crypto/p384_ecdsa_keygen.s | 8 -- sw/otbn/crypto/p384_ecdsa_sca.s | 17 +--- sw/otbn/crypto/p384_ecdsa_sign.s | 12 +-- sw/otbn/crypto/p384_ecdsa_verify.s | 12 --- sw/otbn/crypto/p384_isoncurve.s | 26 +++++- sw/otbn/crypto/p384_keygen.s | 52 ++++++++++-- sw/otbn/crypto/p384_scalar_mult.s | 50 +++++++++-- sw/otbn/crypto/p384_sign.s | 85 ++++++++++++++++--- sw/otbn/crypto/p384_verify.s | 69 +++++++++++++-- sw/otbn/crypto/tests/p384_base_mult_test.s | 4 - .../tests/p384_curve_point_valid_test.s | 4 - .../crypto/tests/p384_ecdh_shared_key_test.s | 2 +- sw/otbn/crypto/tests/p384_ecdsa_sign_test.s | 16 ++-- sw/otbn/crypto/tests/p384_ecdsa_verify_test.s | 14 ++- sw/otbn/crypto/tests/p384_isoncurve_test.s | 2 +- sw/otbn/crypto/tests/p384_keygen_test.s | 4 - sw/otbn/crypto/tests/p384_scalar_mult_test.s | 16 +--- 20 files changed, 294 insertions(+), 151 deletions(-) diff --git a/sw/otbn/crypto/p384_base_mult.s b/sw/otbn/crypto/p384_base_mult.s index 23d4c9e26eb6d8..3db8618a4f120f 100644 --- a/sw/otbn/crypto/p384_base_mult.s +++ b/sw/otbn/crypto/p384_base_mult.s @@ -19,10 +19,8 @@ * Sets up context and calls the internal scalar multiplication routine. * This routine runs in constant time. * - * @param[in] x17: dptr_d0, pointer to location in dmem containing - * 1st private key share d0 - * @param[in] x19: dptr_d1, pointer to location in dmem containing - * 2nd private key share d1 + * @param[in] dmem[d0]: 1st private key share d0 in dmem + * @param[in] dmem[d1]: 2nd private key share d1 in dmem * @param[out] dmem[x]: x-coordinate in dmem * @param[out] dmem[y]: y-coordinate in dmem * @@ -32,7 +30,7 @@ * Flags: When leaving this subroutine, the M, L and Z flags of FG0 correspond * to the computed affine y-coordinate. * - * clobbered registers: x2, x3, x9 to x13, x18 to x21, x26 to x30 + * clobbered registers: x2, x3, x9 to x13, x17 to x21, x26 to x30 * w0 to w30 * clobbered flag groups: FG0 */ @@ -51,6 +49,12 @@ p384_base_mult: /* set dmem pointer to scratchpad */ la x30, scratchpad + /* set dmem pointer to 1st private key share d0 */ + la x17, d0 + + /* set dmem pointer to 1st private key share d0 */ + la x19, d1 + /* load domain parameter n (order of base point) [w11, w10] = n = dmem[p384_n] */ li x2, 10 @@ -95,6 +99,18 @@ p384_base_mult: .balign 32 +/* 1st private key share d0 */ +.globl d0 +.weak d0 +d0: + .zero 64 + +/* 2nd private key share d1 */ +.globl d1 +.weak d1 +d1: + .zero 64 + /* buffer for x-coordinate */ .globl x .weak x diff --git a/sw/otbn/crypto/p384_curve_point_valid.s b/sw/otbn/crypto/p384_curve_point_valid.s index fda40879248c8e..0f28e29bb8d126 100644 --- a/sw/otbn/crypto/p384_curve_point_valid.s +++ b/sw/otbn/crypto/p384_curve_point_valid.s @@ -26,10 +26,6 @@ start: unimp validate_point: - /* Fill gpp registers with pointers to coordinates */ - la x20, x - la x21, y - /* Call curve point validation function */ jal x1, p384_curve_point_valid diff --git a/sw/otbn/crypto/p384_ecdh.s b/sw/otbn/crypto/p384_ecdh.s index 07252af35eb0b0..a717bbf432b2bf 100644 --- a/sw/otbn/crypto/p384_ecdh.s +++ b/sw/otbn/crypto/p384_ecdh.s @@ -69,19 +69,11 @@ start: * clobbered flag groups: FG0 */ keypair_random: - /* Fill gpp registers with pointers to key shares */ - la x20, d0 - la x21, d1 - /* Generate secret key d in shares. dmem[d0] <= d0 dmem[d1] <= d1 */ jal x1, p384_generate_random_key - /* Fill gpp registers with pointers to key shares */ - la x17, d0 - la x19, d1 - /* Generate public key d*G. dmem[x] <= (d*G).x dmem[y] <= (d*G).y */ @@ -113,17 +105,9 @@ keypair_random: * clobbered flag groups: FG0 */ shared_key: - /* Fill gpp registers with pointers to coordinates */ - la x20, x - la x21, y - - /* Fill gpp registers with pointers to scalar shares */ - la x17, k0 - la x19, k1 - - /* Generate arithmetically masked shared key d*Q. - dmem[x] <= (d*Q).x - m mod p - dmem[y] <= m */ + /* Generate arithmetically masked shared key d*Q. + dmem[x] <= (d*Q).x - m mod p + dmem[y] <= m */ jal x1, p384_scalar_mult /* Arithmetic-to-boolean conversion*/ diff --git a/sw/otbn/crypto/p384_ecdsa_keygen.s b/sw/otbn/crypto/p384_ecdsa_keygen.s index 088b7a228d2f41..eeaf5122bc9401 100644 --- a/sw/otbn/crypto/p384_ecdsa_keygen.s +++ b/sw/otbn/crypto/p384_ecdsa_keygen.s @@ -35,19 +35,11 @@ start: */ random_keygen: - /* Fill gpp registers with pointers to key shares */ - la x20, d0 - la x21, d1 - /* Generate secret key d in shares. dmem[d0] <= d0 dmem[d1] <= d1 */ jal x1, p384_generate_random_key - /* Fill gpp registers with pointers to key shares */ - la x17, d0 - la x19, d1 - /* Generate public key d*G. dmem[x] <= (d*G).x dmem[y] <= (d*G).y */ diff --git a/sw/otbn/crypto/p384_ecdsa_sca.s b/sw/otbn/crypto/p384_ecdsa_sca.s index b57314d8f02570..5f41cad27cffbd 100644 --- a/sw/otbn/crypto/p384_ecdsa_sca.s +++ b/sw/otbn/crypto/p384_ecdsa_sca.s @@ -26,19 +26,6 @@ start: .text p384_ecdsa_sign: - /* Fill gpp registers with pointers to variables required for p384_sign */ - /* scalar shares */ - la x17, k0 - la x19, k1 - /* message */ - la x6, msg - /* signature values */ - la x14, r - la x15, s - /* secret key shares */ - la x4, d0 - la x5, d1 - jal x1, p384_sign ecall @@ -65,13 +52,13 @@ k0: .zero 64 /* random scalar k1*/ -.global k1 +.globl k1 .balign 64 k1: .zero 64 /* randomness for blinding */ -.global rnd +.globl rnd .balign 64 rnd: .zero 64 diff --git a/sw/otbn/crypto/p384_ecdsa_sign.s b/sw/otbn/crypto/p384_ecdsa_sign.s index 6378423f6e28cb..a06633c1d53f0e 100644 --- a/sw/otbn/crypto/p384_ecdsa_sign.s +++ b/sw/otbn/crypto/p384_ecdsa_sign.s @@ -34,10 +34,6 @@ start: * @param[out] dmem[s]: s component of signature */ ecdsa_sign: - /* Fill gpp registers with pointers to scalar shares */ - la x20, k0 - la x21, k1 - /* Generate a fresh random scalar for signing. dmem[k0] <= first share of k dmem[k1] <= second share of k */ @@ -45,15 +41,15 @@ ecdsa_sign: /* Fill gpp registers with pointers to variables required for p384_sign */ /* scalar shares */ - la x17, k0 + /*la x17, k0 la x19, k1 /* message */ - la x6, msg + /*la x6, msg /* signature values */ - la x14, r + /*la x14, r la x15, s /* secret key shares */ - la x4, d0 + /*la x4, d0 la x5, d1 /* Generate the signature. */ diff --git a/sw/otbn/crypto/p384_ecdsa_verify.s b/sw/otbn/crypto/p384_ecdsa_verify.s index 639b0413881572..4dbe77dec4b663 100644 --- a/sw/otbn/crypto/p384_ecdsa_verify.s +++ b/sw/otbn/crypto/p384_ecdsa_verify.s @@ -45,18 +45,6 @@ start: * */ ecdsa_verify: - /* Fill gpp registers with pointers to variables required for p384_verify */ - /* signature values */ - la x6, r - la x7, s - /* reduced x1-coordinate */ - la x8, rnd - /* message */ - la x9, msg - /* public key coordinates*/ - la x13, x - la x14, y - /* Verify the signature (compute x1). */ jal x1, p384_verify diff --git a/sw/otbn/crypto/p384_isoncurve.s b/sw/otbn/crypto/p384_isoncurve.s index 0b9f6d8d0abc7e..f329e0de7dfc63 100644 --- a/sw/otbn/crypto/p384_isoncurve.s +++ b/sw/otbn/crypto/p384_isoncurve.s @@ -131,10 +131,8 @@ p384_isoncurve: * This routine raises a software error and halts operation if the curve point * is invalid. * - * @param[in] x20: dptr_x, pointer to dmem location containing affine - * x-coordinate of input point - * @param[in] x21: dptr_y, pointer to dmem location containing affine - * y-coordinate of input point + * @param[in] dmem[x]: affine x-coordinate of input point in dmem + * @param[in] dmem[y]: affine y-coordinate of input point in dmem * * Flags: Flags have no meaning beyond the scope of this subroutine. * @@ -146,6 +144,12 @@ p384_curve_point_valid: /* Init all-zero register. */ bn.xor w31, w31, w31 + /* set dmem pointer to point x-coordinate */ + la x20, x + + /* set dmem pointer to point y-coordinate */ + la x21, y + /* load domain parameter p (modulus) [w13, w12] = p = dmem[p384_p] */ li x2, 12 @@ -245,6 +249,20 @@ p384_curve_point_valid: .data +/* x-coordinate */ +.globl x +.weak x +.balign 32 +x: + .zero 64 + +/* y-coordinate */ +.globl y +.weak y +.balign 32 +y: + .zero 64 + /* Right side of Weierstrass equation */ .globl rhs .weak rhs diff --git a/sw/otbn/crypto/p384_keygen.s b/sw/otbn/crypto/p384_keygen.s index 5ee2f95bb69338..6bbfad0e313273 100644 --- a/sw/otbn/crypto/p384_keygen.s +++ b/sw/otbn/crypto/p384_keygen.s @@ -151,10 +151,10 @@ p384_random_scalar: * * Flags: Flags have no meaning beyond the scope of this subroutine. * - * @param[in] x20: dptr_d0, pointer to bufffer of 1st private key share d0 - * @param[in] x21: dptr_d1, pointer to bufffer of 2nd private key share d1 + * @param[out] dmem[d0]: 1st private key share d0 + * @param[out] dmem[d1]: 2nd private key share d1 * - * clobbered registers: x2, x3, x20, w4 to w11, w14, w16 to w28 + * clobbered registers: x2, x3, x20, x21, w4 to w11, w14, w16 to w28 * clobbered flag groups: FG0 */ .globl p384_generate_random_key @@ -162,6 +162,12 @@ p384_generate_random_key: /* Init all-zero register. */ bn.xor w31, w31, w31 + /* set dmem pointer to 1st private key share d0 */ + la x20, d0 + + /* set dmem pointer to 1st private key share d1 */ + la x21, d1 + /* Generate a random scalar in two 448-bit shares. [w7,w6] <= d0 [w9,w8] <= d1 */ @@ -185,10 +191,10 @@ p384_generate_random_key: * * Flags: Flags have no meaning beyond the scope of this subroutine. * - * @param[in] x20: dptr_k0, pointer to bufffer of 1st scalar share k0 - * @param[in] x21: dptr_k1, pointer to bufffer of 2nd scalar share k1 + * @param[out] dmem[k0]: 1st scalar share k0 + * @param[out] dmem[k1]: 2nd scalar share k1 * - * clobbered registers: x2, x3, x20, w4 to w11, w14, w16 to w28 + * clobbered registers: x2, x3, x20, x21, w4 to w11, w14, w16 to w28 * clobbered flag groups: FG0 */ .globl p384_generate_k @@ -196,6 +202,12 @@ p384_generate_k: /* Init all-zero register. */ bn.xor w31, w31, w31 + /* set dmem pointer to 1st scalar share k0 */ + la x20, k0 + + /* set dmem pointer to 1st scalar share k1 */ + la x21, k1 + /* Generate a random scalar in two 448-bit shares. [w7,w6] <= k0 [w9,w8] <= k1 */ @@ -213,3 +225,31 @@ p384_generate_k: bn.sid x2++, 32(x21) ret + +.section .data + +.balign 32 + +/* 1st scalar share d0 */ +.globl k0 +.weak k0 +k0: + .zero 64 + +/* 2nd scalar share d1 */ +.globl k1 +.weak k1 +k1: + .zero 64 + +/* 1st private key share d0 */ +.globl d0 +.weak d0 +d0: + .zero 64 + +/* 2nd private key share d1 */ +.globl d1 +.weak d1 +d1: + .zero 64 diff --git a/sw/otbn/crypto/p384_scalar_mult.s b/sw/otbn/crypto/p384_scalar_mult.s index 891215a4ee9c45..ac7b0a5b7c06ee 100644 --- a/sw/otbn/crypto/p384_scalar_mult.s +++ b/sw/otbn/crypto/p384_scalar_mult.s @@ -19,12 +19,10 @@ * Sets up context and calls the internal scalar multiplication routine. * This routine runs in constant time. * - * @param[in] x20: dptr_x, pointer to affine x-coordinate in dmem - * @param[in] x21: dptr_y, pointer to affine y-coordinate in dmem - * @param[in] x17: dptr_k0, pointer to location in dmem containing - * 1st scalar share k0 - * @param[in] x19: dptr_k1, pointer to location in dmem containing - * 2nd scalar share k1 + * @param[in] dmem[x]: affine x-coordinate in dmem + * @param[in] dmem[y]: affine y-coordinate in dmem + * @param[in] dmem[k0]: 1st scalar share k0 in dmem + * @param[in] dmem[k1]: 2nd scalar share k1 in dmem * @param[out] dmem[x]: masked x coordinate of R * @param[out] dmem[y]: corresponding mask * @@ -34,7 +32,7 @@ * Flags: When leaving this subroutine, the M, L and Z flags of FG0 depend on * the computed affine y-coordinate. * - * clobbered registers: x2, x3, x9 to x13, x18 to x21, x26 to x30 + * clobbered registers: x2, x3, x9 to x13, x17 to x21, x26 to x30 * w0 to w30 * clobbered flag groups: FG0 */ @@ -50,6 +48,18 @@ p384_scalar_mult: /* set dmem pointer to scratchpad */ la x30, scratchpad + /* set dmem pointer to point to x-coordinate */ + la x20, x + + /* set dmem pointer to point to y-coordinate */ + la x21, y + + /* set dmem pointer to point to 1st scalar share k0 */ + la x17, k0 + + /* set dmem pointer to point to 2nd scalar share k1 */ + la x19, k1 + /* load domain parameter p (modulus) [w13, w12] = p = dmem[p384_p] */ li x2, 12 @@ -165,6 +175,32 @@ p384_scalar_mult: /* scratchpad memory */ .section .data +.balign 32 + +/* 1st scalar share d0 */ +.globl k0 +.weak k0 +k0: + .zero 64 + +/* 2nd scalar share d1 */ +.globl k1 +.weak k1 +k1: + .zero 64 + +/* x-coordinate */ +.globl x +.weak x +x: + .zero 64 + +/* y-coordinate */ +.globl y +.weak y +y: + .zero 64 + /* 704 bytes of scratchpad memory */ .balign 32 scratchpad: diff --git a/sw/otbn/crypto/p384_sign.s b/sw/otbn/crypto/p384_sign.s index cddd0adcd3ac73..d2c3c84d82ca9d 100644 --- a/sw/otbn/crypto/p384_sign.s +++ b/sw/otbn/crypto/p384_sign.s @@ -22,19 +22,13 @@ * * This routine runs in constant time. * - * @param[in] x17: dptr_k0, pointer to location in dmem containing - * 1st scalar share k0 - * @param[in] x19: dptr_k1, pointer to location in dmem containing - * 2nd scalar share k1 - * @param[in] x6: dptr_msg, pointer to the message to be signed in dmem - * @param[in] x14: dptr_r, pointer to dmem location where s component - * of signature will be placed - * @param[in] x15: dptr_s, pointer to dmem location where r component - * of signature will be placed - * @param[in] x4: dptr_d0, pointer to location in dmem containing - * 1st private key share d0 - * @param[in] x5: dptr_d1, pointer to location in dmem containing - * 2nd private key share d1 + * @param[in] dmem[k0]: 1st scalar share k0 in dmem + * @param[in] dmem[k1]: 2nd scalar share k1 in dmem + * @param[in] dmem[msg]: message to be signed in dmem + * @param[in] dmem[d0]: 1st private key share d0 in dmem + * @param[in] dmem[d1]: 2nd private key share d1 in dmem + * @param[out] dmem[r]: r component of signature + * @param[out] dmem[s]: s component of signature * * Flags: Flags have no meaning beyond the scope of this subroutine. * @@ -59,6 +53,27 @@ p384_sign: /* get dmem pointer of scratchpad */ la x30, scratchpad + /* get dmem pointer of 1st scalar share k0 */ + la x17, k0 + + /* get dmem pointer of 1st scalar share k1 */ + la x19, k1 + + /* get dmem pointer of message */ + la x6, msg + + /* get dmem pointer of r component */ + la x14, r + + /* get dmem pointer of s component */ + la x15, s + + /* get dmem pointer of 1st private key share d0 */ + la x4, d0 + + /* get dmem pointer of 1st private key share d0 */ + la x5, d1 + /* load domain parameter p (modulus) [w13, w12] <= p = dmem[dptr_p] */ li x2, 12 @@ -241,6 +256,50 @@ p384_sign: /* scratchpad memory */ .section .data +.balign 32 + +/* message to be signed */ +.globl msg +.weak msg +msg: + .zero 64 + +/* r component of signature */ +.globl r +.weak r +r: + .zero 64 + +/* s component of signature */ +.globl s +.weak s +s: + .zero 64 + +/* 1st scalar share d0 */ +.globl k0 +.weak k0 +k0: + .zero 64 + +/* 2nd scalar share d1 */ +.globl k1 +.weak k1 +k1: + .zero 64 + +/* 1st private key share d0 */ +.globl d0 +.weak d0 +d0: + .zero 64 + +/* 2nd private key share d1 */ +.globl d1 +.weak d1 +d1: + .zero 64 + /* 704 bytes of scratchpad memory */ .balign 32 .globl scratchpad diff --git a/sw/otbn/crypto/p384_verify.s b/sw/otbn/crypto/p384_verify.s index 1783907ac2a003..80c008407660d3 100644 --- a/sw/otbn/crypto/p384_verify.s +++ b/sw/otbn/crypto/p384_verify.s @@ -95,13 +95,12 @@ store_proj: * host side. The signature is valid if x1 == r. * This routine runs in variable time. * - * @param[in] x6: dptr_r, pointer to r of signature in dmem - * @param[in] x7: dptr_s, pointer to s of signature in dmem - * @param[in] x8: dptr_rnd, pointer to dmem location where the reduced - * affine x1-coordinate will be stored - * @param[in] x9: dptr_msg, pointer to the message to be verified in dmem - * @param[in] x13: dptr_x, pointer to x-coordinate of public key in dmem - * @param[in] x14: dptr_y, pointer to y-coordinate of public key in dmem + * @param[in] dmem[r]: r component of signature in dmem + * @param[in] dmem[s]: s component of signature in dmem + * @param[in] dmem[msg]: message to be verified in dmem + * @param[in] dmem[x]: x-coordinate of public key in dmem + * @param[in] dmem[y]: y-coordinate of public key in dmem + * @param[out] dmem[rnd]: verification result: reduced affine x1-coordinate * * Scratchpad memory layout: * The routine expects at least 896 bytes of scratchpad memory at dmem @@ -125,6 +124,24 @@ p384_verify: /* init all-zero reg */ bn.xor w31, w31, w31 + /* get dmem pointer of r component */ + la x6, r + + /* get dmem pointer of s component */ + la x7, s + + /* get dmem pointer of verification result (x1-coordinate) */ + la x8, rnd + + /* get dmem pointer of message */ + la x9, msg + + /* get dmem pointer of public key x-coordinate */ + la x13, x + + /* get dmem pointer of public key y-coordinate */ + la x14, y + /* load domain parameter n (order of base point) [w13, w12] <= n = dmem[p384_n] */ li x2, 12 @@ -407,6 +424,44 @@ fail: /* scratchpad memory */ .section .data +.balign 32 + +/* message to be signed */ +.globl msg +.weak msg +msg: + .zero 64 + +/* r component of signature */ +.globl r +.weak r +r: + .zero 64 + +/* s component of signature */ +.globl s +.weak s +s: + .zero 64 + +/* public key x-coordinate */ +.globl x +.weak x +x: + .zero 64 + +/* public key y-coordinate */ +.globl y +.weak y +y: + .zero 64 + +/* verification result (x1-coordinate) */ +.globl rnd +.weak rnd +rnd: + .zero 64 + /* Scratchpad memory */ .balign 32 .globl scratchpad diff --git a/sw/otbn/crypto/tests/p384_base_mult_test.s b/sw/otbn/crypto/tests/p384_base_mult_test.s index 7af44b7d41ec6c..2728da1b50490a 100644 --- a/sw/otbn/crypto/tests/p384_base_mult_test.s +++ b/sw/otbn/crypto/tests/p384_base_mult_test.s @@ -15,10 +15,6 @@ .section .text.start p384_base_mult_test: - /* Fill gpp registers with pointers to variables */ - la x17, d0 - la x19, d1 - /* call base point multiplication routine in P-384 lib */ jal x1, p384_base_mult diff --git a/sw/otbn/crypto/tests/p384_curve_point_valid_test.s b/sw/otbn/crypto/tests/p384_curve_point_valid_test.s index 9808061b2d3b1d..c3ac0b820a68eb 100644 --- a/sw/otbn/crypto/tests/p384_curve_point_valid_test.s +++ b/sw/otbn/crypto/tests/p384_curve_point_valid_test.s @@ -15,10 +15,6 @@ p384_curve_point_valid_test: /* Init all-zero register. */ bn.xor w31, w31, w31 - /* Fill gpp registers with pointers to variables */ - la x20, x - la x21, y - jal x1, p384_curve_point_valid ecall diff --git a/sw/otbn/crypto/tests/p384_ecdh_shared_key_test.s b/sw/otbn/crypto/tests/p384_ecdh_shared_key_test.s index 8cbd66808e1e28..9402cda6724689 100644 --- a/sw/otbn/crypto/tests/p384_ecdh_shared_key_test.s +++ b/sw/otbn/crypto/tests/p384_ecdh_shared_key_test.s @@ -24,7 +24,7 @@ p384_ecdh_shared_key_test: bn.xor w31, w31, w31 /* fill gpp registers with pointers to relevant variables */ - la x17, k0 + /*la x17, k0 la x19, k1 la x20, x la x21, y diff --git a/sw/otbn/crypto/tests/p384_ecdsa_sign_test.s b/sw/otbn/crypto/tests/p384_ecdsa_sign_test.s index c0346087b0b677..fe8fee1a15f872 100644 --- a/sw/otbn/crypto/tests/p384_ecdsa_sign_test.s +++ b/sw/otbn/crypto/tests/p384_ecdsa_sign_test.s @@ -14,15 +14,6 @@ .section .text.start p384_ecdsa_sign_test: - /* Fill gpp registers with pointers to variables */ - la x17, k0 - la x19, k1 - la x6, msg - la x14, r - la x15, s - la x4, d0 - la x5, d1 - /* call ECDSA signing subroutine in P-384 lib */ jal x1, p384_sign @@ -42,6 +33,7 @@ p384_ecdsa_sign_test: .data /* 1st scalar share k0 (448-bit) */ +.globl k0 k0: .word 0x5c832a51 .word 0x3eb17c27 @@ -60,6 +52,7 @@ k0: .zero 8 /* 2nd scalar share k1 (448-bit) */ +.globl k1 k1: .word 0xe50b5e8e .word 0x776ad076 @@ -94,6 +87,7 @@ nonce_k: .zero 16 /* 1st private key share d0 (448-bit) */ +.globl d0 d0: .word 0x5c832a51 .word 0x3eb17c27 @@ -112,6 +106,7 @@ d0: .zero 8 /* 2nd private key share d1 (448-bit) */ +.globl d1 d1: .word 0x33eae098 .word 0xd31b18d5 @@ -146,6 +141,7 @@ priv_key_d: .zero 16 /* message */ +.globl msg msg: .word 0x55555555 .word 0x55555555 @@ -162,9 +158,11 @@ msg: .zero 16 /* signature R */ +.globl r r: .zero 64 /* signature S */ +.globl s s: .zero 64 diff --git a/sw/otbn/crypto/tests/p384_ecdsa_verify_test.s b/sw/otbn/crypto/tests/p384_ecdsa_verify_test.s index b127fc5a19556c..fb3b7b4e1ac31f 100644 --- a/sw/otbn/crypto/tests/p384_ecdsa_verify_test.s +++ b/sw/otbn/crypto/tests/p384_ecdsa_verify_test.s @@ -14,14 +14,6 @@ .section .text.start p384_ecdsa_verify_test: - /* Fill gpp registers with pointers to variables */ - la x6, r - la x7, s - la x8, rnd - la x9, msg - la x13, x - la x14, y - /* call ECDSA signature verification subroutine in P-384 lib */ jal x1, p384_verify @@ -37,6 +29,7 @@ p384_ecdsa_verify_test: .data /* message */ +.globl msg msg: .word 0x55555555 .word 0x55555555 @@ -53,6 +46,7 @@ msg: .zero 16 /* signature R */ +.globl r r: .word 0xb68c28d8 .word 0x2b23ce3a @@ -69,6 +63,7 @@ r: .zero 16 /* signature S */ +.globl s s: .word 0x24bc1bf9 .word 0x752042f5 @@ -85,6 +80,7 @@ s: .zero 16 /* public key x-coordinate */ +.globl x x: .word 0x4877f3d1 .word 0x7b829460 @@ -101,6 +97,7 @@ x: .zero 16 /* public key y-coordinate */ +.globl y y: .word 0xc181f90f .word 0xc31ef079 @@ -117,5 +114,6 @@ y: .zero 16 /* signature verification result x_res (rnd) */ +.globl rnd rnd: .zero 64 diff --git a/sw/otbn/crypto/tests/p384_isoncurve_test.s b/sw/otbn/crypto/tests/p384_isoncurve_test.s index 2b754276f4a9ab..40a93fc369f362 100644 --- a/sw/otbn/crypto/tests/p384_isoncurve_test.s +++ b/sw/otbn/crypto/tests/p384_isoncurve_test.s @@ -20,7 +20,7 @@ p384_oncurve_test: bn.lid x2++, 0(x3) bn.lid x2++, 32(x3) - /* Fill gpp registers with pointers to variables */ + /* Fill gpr registers with pointers to variables */ la x20, x la x21, y la x22, rhs diff --git a/sw/otbn/crypto/tests/p384_keygen_test.s b/sw/otbn/crypto/tests/p384_keygen_test.s index 452ee6d90c8e50..b93ac17c790179 100644 --- a/sw/otbn/crypto/tests/p384_keygen_test.s +++ b/sw/otbn/crypto/tests/p384_keygen_test.s @@ -25,13 +25,9 @@ p384_keygen_test: bn.xor w31, w31, w31 /* generate 4 random 448-bit values and write them to d0, d1 */ - la x20, d0 - la x21, d1 jal x1, p384_generate_random_key /* generate 4 random 448-bit values and write them to k0, k1 */ - la x20, k0 - la x21, k1 jal x1, p384_generate_k /* load generated values into WDRs for range/distinctiveness check */ diff --git a/sw/otbn/crypto/tests/p384_scalar_mult_test.s b/sw/otbn/crypto/tests/p384_scalar_mult_test.s index f9a2054541be63..2a6819dc7ad070 100644 --- a/sw/otbn/crypto/tests/p384_scalar_mult_test.s +++ b/sw/otbn/crypto/tests/p384_scalar_mult_test.s @@ -20,18 +20,6 @@ p384_scalar_mult_test: /* Init all-zero register. */ bn.xor w31, w31, w31 - /* set dmem pointer to point to x-coordinate */ - la x20, x - - /* set dmem pointer to point to y-coordinate */ - la x21, y - - /* set dmem pointer to point to 1st scalar share k0 */ - la x17, k0 - - /* set dmem pointer to point to 2nd scalar share k1 */ - la x19, k1 - /* call scalar point multiplication routine in P-384 lib */ jal x1, p384_scalar_mult @@ -70,6 +58,7 @@ p384_scalar_mult_test: .balign 32 /* point 1 x-cooridante p1_x */ +.globl x x: .word 0x1a11808b .word 0x02e3d5a9 @@ -86,6 +75,7 @@ x: .zero 16 /* point 1 y-cooridante p1_y*/ +.globl y y: .word 0xa9f8b96e .word 0x82f268be @@ -102,6 +92,7 @@ y: .zero 16 /* 1st scalar share k0 (448-bit) */ +.globl k0 k0: .word 0x5c832a51 .word 0x3eb17c27 @@ -120,6 +111,7 @@ k0: .zero 8 /* 2nd scalar share k1 (448-bit) */ +.globl k1 k1: .word 0x33eae098 .word 0xd31b18d5