authorRob Austein <sra@hactrn.net>2017-07-24 11:40:12 -0400
committerRob Austein <sra@hactrn.net>2017-07-24 11:40:12 -0400
commit19f92790c2f9fc7f4e019d7b20663453606f210f (patch)
treed787e42fcb1cf7ed6b06b7ea36bc910bbbb47416
parentc669159880c4b9564b8176c113e3c0778ca55851 (diff)
Split compile-time control of RSA ModExp.
At least for now, the speed tradeoff between software ModExp and our Verilog ModExp core differs significantly between signature and key generation. We don't really know why, but since key generation does not need to be constant time, we split out control over whether to use the software or FPGA implementation, so that we can use the FPGA for signature while using software for key generation. Revisit this if and when we figure out what the bottleneck is, as well as any time that the FPGA core itself changes significantly.
-rw-r--r--Makefile8
-rw-r--r--rsa.c63
2 files changed, 42 insertions, 29 deletions
diff --git a/Makefile b/Makefile
index 866cb2b..ae6888d 100644
--- a/Makefile
+++ b/Makefile
@@ -175,28 +175,28 @@ endif
ifeq "${RPC_MODE}" "none"
OBJ += ${CORE_OBJ}
- CFLAGS += -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE}
+ CFLAGS += -DHAL_RSA_SIGN_USE_MODEXP=${RSA_USE_MODEXP_CORE}
CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=${HASH_ONLY_USE_SOFT_CORES}
CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=${ECDSA_USE_ECDSA256_CORE}
CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=${ECDSA_USE_ECDSA384_CORE}
else ifeq "${RPC_MODE}" "server"
OBJ += ${CORE_OBJ} ${RPC_SERVER_OBJ}
CFLAGS += -DRPC_CLIENT=RPC_CLIENT_LOCAL
- CFLAGS += -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE}
+ CFLAGS += -DHAL_RSA_SIGN_USE_MODEXP=${RSA_USE_MODEXP_CORE}
CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=${HASH_ONLY_USE_SOFT_CORES}
CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=${ECDSA_USE_ECDSA256_CORE}
CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=${ECDSA_USE_ECDSA384_CORE}
else ifeq "${RPC_MODE}" "client-simple"
OBJ += ${RPC_CLIENT_OBJ}
CFLAGS += -DRPC_CLIENT=RPC_CLIENT_REMOTE
- CFLAGS += -DHAL_RSA_USE_MODEXP=0
+ CFLAGS += -DHAL_RSA_SIGN_USE_MODEXP=0
CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1
CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=0
CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=0
else ifeq "${RPC_MODE}" "client-mixed"
OBJ += ${RPC_CLIENT_OBJ}
CFLAGS += -DRPC_CLIENT=RPC_CLIENT_MIXED
- CFLAGS += -DHAL_RSA_USE_MODEXP=0
+ CFLAGS += -DHAL_RSA_SIGN_USE_MODEXP=0
CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1
CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=0
CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=0
diff --git a/rsa.c b/rsa.c
index 6fde683..eeb611c 100644
--- a/rsa.c
+++ b/rsa.c
@@ -78,12 +78,15 @@
#include "asn1_internal.h"
/*
- * Whether to use ModExp core. It works, but at the moment it's so
- * slow that a full test run can take more than an hour.
+ * Whether to use ModExp core. It works, but it's painfully slow.
*/
-#ifndef HAL_RSA_USE_MODEXP
-#define HAL_RSA_USE_MODEXP 1
+#ifndef HAL_RSA_SIGN_USE_MODEXP
+#define HAL_RSA_SIGN_USE_MODEXP 1
+#endif
+
+#ifndef HAL_RSA_KEYGEN_USE_MODEXP
+#define HAL_RSA_KEYGEN_USE_MODEXP 0
#endif
#if defined(RPC_CLIENT) && RPC_CLIENT != RPC_CLIENT_LOCAL
@@ -182,7 +185,7 @@ static hal_error_t unpack_fp(const fp_int * const bn, uint8_t *buffer, const siz
return err;
}
-#if HAL_RSA_USE_MODEXP
+#if HAL_RSA_SIGN_USE_MODEXP
/*
* Unwrap bignums into byte arrays, feed them into hal_modexp(), and
@@ -236,27 +239,13 @@ static hal_error_t modexp(hal_core_t *core,
return err;
}
-/*
- * Wrapper to let us export our modexp function as a replacement for
- * TFM's, to avoid dragging in all of the TFM montgomery code when we
- * use TFM's Miller-Rabin test code.
- *
- * This code is here rather than in a separate module because of the
- * error handling: TFM's error codes aren't really capable of
- * expressing all the things that could go wrong here.
- */
-
-int fp_exptmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
-{
- return modexp(NULL, a, b, c, d) == HAL_OK ? FP_OKAY : FP_VAL;
-}
-
-#else /* HAL_RSA_USE_MODEXP */
+#else /* HAL_RSA_SIGN_USE_MODEXP */
/*
- * Workaround to let us use TFM's software implementation of modular
- * exponentiation when we want to test other things and don't want to
- * wait for the slow FPGA implementation.
+ * Use libtfm's software implementation of modular exponentiation.
+ * Now that the ModExpA7 core performs about as well as the software
+ * implementation, there's probably no need to use this, but we're
+ * still tuning things, so leave the hook here for now.
*/
static hal_error_t modexp(const hal_core_t *core, /* ignored */
@@ -271,7 +260,31 @@ static hal_error_t modexp(const hal_core_t *core, /* ignored */
return err;
}
-#endif /* HAL_RSA_USE_MODEXP */
+#endif /* HAL_RSA_SIGN_USE_MODEXP */
+
+/*
+ * Wrapper to let us export our modexp function as a replacement for
+ * libtfm's when running libtfm's Miller-Rabin test code.
+ *
+ * At the moment, the libtfm software implementation performs
+ * disproportionately better than our core does for the specific case
+ * of Miller-Rabin tests, for reasons we don't really understand.
+ * So there's not much point in enabling this, except as a test to
+ * confirm this behavior.
+ *
+ * This code is here rather than in a separate module because of the
+ * error handling: libtfm's error codes aren't really capable of
+ * expressing all the things that could go wrong here.
+ */
+
+#if HAL_RSA_SIGN_USE_MODEXP && HAL_RSA_KEYGEN_USE_MODEXP
+
+int fp_exptmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
+{
+ return modexp(NULL, a, b, c, d) == HAL_OK ? FP_OKAY : FP_VAL;
+}
+
+#endif /* HAL_RSA_SIGN_USE_MODEXP && HAL_RSA_KEYGEN_USE_MODEXP */
/*
* Create blinding factors. There are various schemes for amortizing
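Review bot: The guard `#if HAL_RSA_SIGN_USE_MODEXP && HAL_RSA_KEYGEN_USE_MODEXP` around fp_exptmod means a build with HAL_RSA_KEYGEN_USE_MODEXP=1 and HAL_RSA_SIGN_USE_MODEXP=0 silently keeps libtfm's own fp_exptmod, so the keygen knob does nothing and nobody is told; an explicit check next to the two defaults in the first rsa.c hunk would catch that: `#if HAL_RSA_KEYGEN_USE_MODEXP && !HAL_RSA_SIGN_USE_MODEXP` / `#error "HAL_RSA_KEYGEN_USE_MODEXP requires HAL_RSA_SIGN_USE_MODEXP"` / `#endif`. Relatedly, the Makefile hunk only ever sets HAL_RSA_SIGN_USE_MODEXP, so the keygen choice can at present be changed only by editing the default in rsa.c or passing CFLAGS by hand; if that is intended for now, the comment above the defaults could say so. That comment ("Whether to use ModExp core") now sits above two macros and could state what each governs, which the hunks do show: HAL_RSA_SIGN_USE_MODEXP selects whether modexp() is the hal_modexp() core wrapper or the libtfm software version, and HAL_RSA_KEYGEN_USE_MODEXP additionally exports that modexp() as fp_exptmod for libtfm's Miller-Rabin code. The preceding modexp() definition starts outside this hunk.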