From 8e7edf9c6b4e7f391307872c65070a802798bde6 Mon Sep 17 00:00:00 2001
From: Jade Philipoom
Date: Wed, 11 Dec 2024 09:58:15 +0100
Subject: [PATCH] [crypto] Harden RSA modexp subroutine.

Add some SCA hardening measures to the modexp subroutine that selects either the squared or squared-and-multiplied result in square-and-multiply-always modular exponentiation. Although the rest of the code is not hardened, the hardening for RSA will likely preserve this subroutine, so hardening it is still useful.

Signed-off-by: Jade Philipoom
(cherry picked from commit 8c638309857e08ef5b4002d91315d4971f1f0872)
---
 sw/otbn/crypto/modexp.s | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/sw/otbn/crypto/modexp.s b/sw/otbn/crypto/modexp.s
index fec8b142fca2a..9bec6829b1e71 100644
--- a/sw/otbn/crypto/modexp.s
+++ b/sw/otbn/crypto/modexp.s
@@ -28,23 +28,29 @@
  * @param[in] x11: pointer to temp reg, must be set to 2
  *
  * clobbered registers: x8, x21, w0, w2
- * clobbered Flag Groups: none
+ * clobbered Flag Groups: FG1
  */
 sel_sqr_or_sqrmul:
   /* iterate over all limbs */
-  loop x30, 4
+  loop x30, 8
     /* load limb from dmem */
     bn.lid x9, 0(x21)
     /* load limb from regfile buffer */
     bn.movr x11, x8++
-    /* conditional select: w0 = FG0.C?w[x8+i]:dmem[x21+i] */
-    bn.sel w0, w2, w3, C
+    /* randomize dmem with value from URND (one extra dummy call to clear) */
+    bn.addi w31, w31, 0, FG1 /* dummy */
+    bn.wsrr w0, URND
+    bn.sid x0, 0(x21)
-    /* store selected limb to dmem */
+    /* select a limb and store to dmem */
+    bn.sel w0, w2, w3, FG0.C
     bn.sid x0, 0(x21++)
+  /* dummy call to clear */
+  bn.addi w31, w31, 0, FG1
+
   ret
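Review bot: The body size in `loop x30, 8` does not match the seven instructions the hunk shows between the loop and the trailing dummy (bn.lid, bn.movr, bn.addi, bn.wsrr, bn.sid, bn.sel, bn.sid), so as far as this hunk shows the post-loop `bn.addi w31, w31, 0, FG1` is executed as the eighth instruction of every iteration rather than once after the loop. That is functionally harmless for w31, but the "dummy call to clear" comment and the loop extent then disagree; either change the count to `loop x30, 7` or move the comment so it states that the trailing bn.addi is deliberately the last instruction of the loop body. Since the hunk's whitespace was collapsed, the intended indentation of that bn.addi cannot be confirmed here, so verify the count against the full file. The routine now also reads URND, which is worth stating in the function header alongside the x11 parameter, as that header begins above the hunk.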