firmware/2lib/2modpow_neon.c

*8617a60dSAndroid Build Coastguard Worker/* Copyright 2024 The ChromiumOS Authors
*8617a60dSAndroid Build Coastguard Worker * Use of this source code is governed by a BSD-style license that can be
*8617a60dSAndroid Build Coastguard Worker * found in the LICENSE file.
*8617a60dSAndroid Build Coastguard Worker */
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker#include "2common.h"
*8617a60dSAndroid Build Coastguard Worker#include "2rsa.h"
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker/**
*8617a60dSAndroid Build Coastguard Worker * Montgomery c[] = d[] - e[] if d[] > e[], c[] = d[] - e[] + n[] otherwise.
*8617a60dSAndroid Build Coastguard Worker * Uses "Subtract with Carry" and "Add with Carry" instructions to optimize BigNum
*8617a60dSAndroid Build Coastguard Worker * arithmetic. e[] will be overwritten with intermediate results.
*8617a60dSAndroid Build Coastguard Worker */
*8617a60dSAndroid Build Coastguard Workerstatic void sub_mod(uint32_t *c, uint32_t *ed, const uint32_t *n, const uint32_t arrsize)
*8617a60dSAndroid Build Coastguard Worker{
*8617a60dSAndroid Build Coastguard Worker	uint32_t borrow, tmp1, tmp2, i;
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	/* e[] = d[] - e[] */
*8617a60dSAndroid Build Coastguard Worker	uint32_t size_clobber = arrsize;
*8617a60dSAndroid Build Coastguard Worker	uint32_t *ed_clobber = ed;
*8617a60dSAndroid Build Coastguard Worker	asm (
*8617a60dSAndroid Build Coastguard Worker		"subs	wzr, wzr, wzr\n\t"	/* init carry flag for subtraction */
*8617a60dSAndroid Build Coastguard Worker		"1:\n\t"
*8617a60dSAndroid Build Coastguard Worker		"ldp	%w[e], %w[d], [%[ed_ptr]]\n\t"
*8617a60dSAndroid Build Coastguard Worker		"sbcs	%w[e], %w[d], %w[e]\n\t"
*8617a60dSAndroid Build Coastguard Worker		"str	%w[e], [%[ed_ptr]], #8\n\t"
*8617a60dSAndroid Build Coastguard Worker		"sub	%w[size], %w[size], #1\n\t"
*8617a60dSAndroid Build Coastguard Worker		"cbnz	%w[size], 1b\n\t"
*8617a60dSAndroid Build Coastguard Worker		"cset	%w[e], cc\n\t"		/* "borrow" = carry flag is 0 (cleared) */
*8617a60dSAndroid Build Coastguard Worker		: [e] "=r" (borrow),
*8617a60dSAndroid Build Coastguard Worker		  [d] "=r" (tmp1),
*8617a60dSAndroid Build Coastguard Worker		  [size] "+r" (size_clobber),
*8617a60dSAndroid Build Coastguard Worker		  [ed_ptr] "+r" (ed_clobber)
*8617a60dSAndroid Build Coastguard Worker		:: "cc", "memory"
*8617a60dSAndroid Build Coastguard Worker	);
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	if (borrow) {
*8617a60dSAndroid Build Coastguard Worker		/* e[] = e[] + n[] */
*8617a60dSAndroid Build Coastguard Worker		size_clobber = arrsize;
*8617a60dSAndroid Build Coastguard Worker		ed_clobber = ed;
*8617a60dSAndroid Build Coastguard Worker		asm volatile (
*8617a60dSAndroid Build Coastguard Worker			"adds	wzr, wzr, wzr\n\t"	/* init carry flag for addition */
*8617a60dSAndroid Build Coastguard Worker			"1:\n\t"
*8617a60dSAndroid Build Coastguard Worker			"ldr	%w[e], [%[ed_ptr]]\n\t"
*8617a60dSAndroid Build Coastguard Worker			"ldr	%w[n], [%[n_ptr]], #4\n\t"
*8617a60dSAndroid Build Coastguard Worker			"adcs	%w[e], %w[e], %w[n]\n\t"
*8617a60dSAndroid Build Coastguard Worker			"str	%w[e], [%[ed_ptr]], #8\n\t"
*8617a60dSAndroid Build Coastguard Worker			"sub	%w[size], %w[size], #1\n\t"
*8617a60dSAndroid Build Coastguard Worker			"cbnz	%w[size], 1b\n\t"
*8617a60dSAndroid Build Coastguard Worker			: [e] "=r" (tmp1),
*8617a60dSAndroid Build Coastguard Worker			  [n] "=r" (tmp2),
*8617a60dSAndroid Build Coastguard Worker			  [size] "+r" (size_clobber),
*8617a60dSAndroid Build Coastguard Worker			  [ed_ptr] "+r" (ed_clobber),
*8617a60dSAndroid Build Coastguard Worker			  [n_ptr] "+r" (n)
*8617a60dSAndroid Build Coastguard Worker			:: "cc", "memory"
*8617a60dSAndroid Build Coastguard Worker		);
*8617a60dSAndroid Build Coastguard Worker	}
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	/* c[] = e[] */
*8617a60dSAndroid Build Coastguard Worker	for (i = 0; i < arrsize; i++)
*8617a60dSAndroid Build Coastguard Worker		c[i] = ed[i * 2];
*8617a60dSAndroid Build Coastguard Worker}
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker/**
*8617a60dSAndroid Build Coastguard Worker * Montgomery c[] = a[] * b[] / R % mod	(`ed` is a local scratch buffer)
*8617a60dSAndroid Build Coastguard Worker *
*8617a60dSAndroid Build Coastguard Worker * Algorithm according to https://eprint.iacr.org/2013/519.pdf and
*8617a60dSAndroid Build Coastguard Worker * https://chromium-review.googlesource.com/5055251.
*8617a60dSAndroid Build Coastguard Worker */
*8617a60dSAndroid Build Coastguard Workerstatic void mont_mult(uint32_t *c,
*8617a60dSAndroid Build Coastguard Worker		      const uint32_t *a,
*8617a60dSAndroid Build Coastguard Worker		      const uint32_t *b,
*8617a60dSAndroid Build Coastguard Worker		      const uint32_t *n,
*8617a60dSAndroid Build Coastguard Worker		      uint32_t *ed,
*8617a60dSAndroid Build Coastguard Worker		      const uint32_t mu,
*8617a60dSAndroid Build Coastguard Worker		      const uint32_t arrsize)
*8617a60dSAndroid Build Coastguard Worker{
*8617a60dSAndroid Build Coastguard Worker	const uint32_t mub0 = mu * b[0];
*8617a60dSAndroid Build Coastguard Worker	uint32_t i;
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	memset(ed, 0, arrsize * sizeof(uint32_t) * 2);
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	for (i = 0; i < arrsize; i++) {
*8617a60dSAndroid Build Coastguard Worker		const uint32_t c0 = ed[1] - ed[0];
*8617a60dSAndroid Build Coastguard Worker		const uint32_t muc0 = mu * c0;
*8617a60dSAndroid Build Coastguard Worker		const uint32_t a_i = a[i];
*8617a60dSAndroid Build Coastguard Worker		const uint32_t q = muc0 + mub0 * a_i;
*8617a60dSAndroid Build Coastguard Worker		const uint32_t *n_clobber = n;
*8617a60dSAndroid Build Coastguard Worker		const uint32_t *b_clobber = b;
*8617a60dSAndroid Build Coastguard Worker		void *ed_clobber = ed;
*8617a60dSAndroid Build Coastguard Worker		uint32_t size_clobber = arrsize - 1;
*8617a60dSAndroid Build Coastguard Worker		asm volatile (
*8617a60dSAndroid Build Coastguard Worker			/* v4.2d = always contains [0, 0] (for idempotent Add High Narrow) */
*8617a60dSAndroid Build Coastguard Worker			"movi	v4.2d, #0\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* v3.2s = "mul" = [q, a[i]] */
*8617a60dSAndroid Build Coastguard Worker			"fmov	s3, %w[q]\n\t"
*8617a60dSAndroid Build Coastguard Worker			"mov	v3.s[1], %w[a_i]\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* v1.2s = "bmod" = [n[0], b[0]] */
*8617a60dSAndroid Build Coastguard Worker			"ldr	s1, [%[n]], #4\n\t"
*8617a60dSAndroid Build Coastguard Worker			"ld1	{v1.s}[1], [%[b]], #4\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* v2.2s = [e, d] */
*8617a60dSAndroid Build Coastguard Worker			"ldr	d2, [%[ed]]\n\t"
*8617a60dSAndroid Build Coastguard Worker			"uxtl	v2.2d, v2.2s\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* v2.2d = "p01" = ed + bmod * mul */
*8617a60dSAndroid Build Coastguard Worker			"umlal	v2.2d, v1.2s, v3.2s\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* v2.2d = "t01" = MSB-half(p01) */
*8617a60dSAndroid Build Coastguard Worker			"addhn	v2.2s, v2.2d, v4.2d\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* for (j = 1; j < arrsize - 1; j++) */
*8617a60dSAndroid Build Coastguard Worker			"1:"
*8617a60dSAndroid Build Coastguard Worker			/* v0.2d = zero-extend(ed + t01) */
*8617a60dSAndroid Build Coastguard Worker			"ldr	d0, [%[ed], #8]\n\t"
*8617a60dSAndroid Build Coastguard Worker			"uaddl	v0.2d, v0.2s, v2.2s\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* v1.2s = "bmod" = [n[j], b[j]] */
*8617a60dSAndroid Build Coastguard Worker			"ldr	s1, [%[n]], #4\n\t"
*8617a60dSAndroid Build Coastguard Worker			"ld1	{v1.s}[1], [%[b]], #4\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* v0.2d = "p01" = ed[j] + t01 + bmod * mul */
*8617a60dSAndroid Build Coastguard Worker			"umlal	v0.2d, v1.2s, v3.2s\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* v2.2s = "t01" = MSB-half(p01) */
*8617a60dSAndroid Build Coastguard Worker			"addhn	v2.2s, v0.2d, v4.2d\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* store ed[j - 1] = LSB-half(p01) */
*8617a60dSAndroid Build Coastguard Worker			"xtn	v0.2s, v0.2d\n\t"
*8617a60dSAndroid Build Coastguard Worker			"str	d0, [%[ed]], #8\n\t"
*8617a60dSAndroid Build Coastguard Worker			"subs	%w[size], %w[size], #1\n\t"
*8617a60dSAndroid Build Coastguard Worker			"b.hi	1b\n\t"
*8617a60dSAndroid Build Coastguard Worker			/* store ed[arrsize - 1] = final t01 */
*8617a60dSAndroid Build Coastguard Worker			"str	d2, [%[ed]]\n\t"
*8617a60dSAndroid Build Coastguard Worker			: [ed] "+r" (ed_clobber),
*8617a60dSAndroid Build Coastguard Worker			  [n] "+r" (n_clobber),
*8617a60dSAndroid Build Coastguard Worker			  [b] "+r" (b_clobber),
*8617a60dSAndroid Build Coastguard Worker			  [size] "+r" (size_clobber)
*8617a60dSAndroid Build Coastguard Worker			: [q] "r" (q),
*8617a60dSAndroid Build Coastguard Worker			  [a_i] "r" (a_i)
*8617a60dSAndroid Build Coastguard Worker			: "v0", "v1","v2", "v3", "v4", "cc", "memory"
*8617a60dSAndroid Build Coastguard Worker		);
*8617a60dSAndroid Build Coastguard Worker	}
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	sub_mod(c, ed, n, arrsize);
*8617a60dSAndroid Build Coastguard Worker}
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Workerstatic void swap_bignumber_endianness(const void *in, void *out, size_t size_bytes)
*8617a60dSAndroid Build Coastguard Worker{
*8617a60dSAndroid Build Coastguard Worker	const void *in_end = in + size_bytes;
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	/* REV64 can only swap within each 8-byte half of the 16-byte register, so use a
*8617a60dSAndroid Build Coastguard Worker	   transposed STP to do the final swap of the two halves afterwards. */
*8617a60dSAndroid Build Coastguard Worker	asm volatile (
*8617a60dSAndroid Build Coastguard Worker		"1:\n\t"
*8617a60dSAndroid Build Coastguard Worker		"ldr	q0, [%[in], #-16]!\n\t"
*8617a60dSAndroid Build Coastguard Worker		"rev64	v0.16b, v0.16b\n\t"
*8617a60dSAndroid Build Coastguard Worker		"mov	d1, v0.d[1]\n\t"
*8617a60dSAndroid Build Coastguard Worker		"stp	d1, d0, [%[out]], #16\n\t"
*8617a60dSAndroid Build Coastguard Worker		"subs	%[size], %[size], #16\n\t"
*8617a60dSAndroid Build Coastguard Worker		"b.hi	1b\n\t"
*8617a60dSAndroid Build Coastguard Worker		: [in] "+r" (in_end),
*8617a60dSAndroid Build Coastguard Worker		  [out] "+r" (out),
*8617a60dSAndroid Build Coastguard Worker		  [size] "+r" (size_bytes)
*8617a60dSAndroid Build Coastguard Worker		:: "v0", "v1", "cc", "memory"
*8617a60dSAndroid Build Coastguard Worker	);
*8617a60dSAndroid Build Coastguard Worker}
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Workervb2_error_t vb2ex_hwcrypto_modexp(const struct vb2_public_key *key,
*8617a60dSAndroid Build Coastguard Worker				  uint8_t *inout, void *workbuf,
*8617a60dSAndroid Build Coastguard Worker				  size_t workbuf_size, int exp)
*8617a60dSAndroid Build Coastguard Worker{
*8617a60dSAndroid Build Coastguard Worker	const uint32_t mu = -key->n0inv;
*8617a60dSAndroid Build Coastguard Worker	const uint32_t *n = key->n;
*8617a60dSAndroid Build Coastguard Worker	const uint32_t arrsize = key->arrsize;
*8617a60dSAndroid Build Coastguard Worker	uint32_t *a = workbuf;
*8617a60dSAndroid Build Coastguard Worker	uint32_t *aR = (void *)inout;	/* Re-use location. */
*8617a60dSAndroid Build Coastguard Worker	uint32_t *aaR = a + arrsize;
*8617a60dSAndroid Build Coastguard Worker	uint32_t *aaa = aaR;	/* Re-use location. */
*8617a60dSAndroid Build Coastguard Worker	uint32_t *ed = aaR + arrsize;	/* 8-byte align guaranteed by VB2_WORKBUF_ALIGN */
*8617a60dSAndroid Build Coastguard Worker	uint32_t i;
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	if (exp != 65537 || arrsize % 16 != 0 ||
*8617a60dSAndroid Build Coastguard Worker	    (void *)&ed[arrsize * 2] - workbuf > workbuf_size)
*8617a60dSAndroid Build Coastguard Worker		return VB2_ERROR_EX_HWCRYPTO_UNSUPPORTED;
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	/* Convert from big endian byte array to little endian word array. */
*8617a60dSAndroid Build Coastguard Worker	swap_bignumber_endianness(inout, a, arrsize * sizeof(uint32_t));
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	mont_mult(aR, a, key->rr, n, ed, mu, arrsize);	/* aR = a * RR / R mod M   */
*8617a60dSAndroid Build Coastguard Worker	for (i = 0; i < 16; i += 2) {
*8617a60dSAndroid Build Coastguard Worker		mont_mult(aaR, aR, aR, n, ed, mu, arrsize);	/* aaR = aR * aR / R mod M */
*8617a60dSAndroid Build Coastguard Worker		mont_mult(aR, aaR, aaR, n, ed, mu, arrsize);	/* aR = aaR * aaR / R mod M */
*8617a60dSAndroid Build Coastguard Worker	}
*8617a60dSAndroid Build Coastguard Worker	mont_mult(aaa, aR, a, n, ed, mu, arrsize);	/* aaa = aR * a / R mod M */
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	/* Convert back to bigendian byte array */
*8617a60dSAndroid Build Coastguard Worker	swap_bignumber_endianness(aaa, inout, arrsize * sizeof(uint32_t));
*8617a60dSAndroid Build Coastguard Worker
*8617a60dSAndroid Build Coastguard Worker	return VB2_SUCCESS;
*8617a60dSAndroid Build Coastguard Worker}