aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile73
-rw-r--r--ecdsa.c141
-rw-r--r--hal.h6
-rw-r--r--verilog_constants.h30
4 files changed, 234 insertions, 16 deletions
diff --git a/Makefile b/Makefile
index c0a136b..c360c6a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2016, NORDUnet A/S
+# Copyright (c) 2015-2017, NORDUnet A/S
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
@@ -41,24 +41,28 @@ LIB = libhal.a
# Error checking on known control options, some of which allow the user entirely too much rope.
-USAGE := "usage: ${MAKE} [IO_BUS=eim|i2c|fmc] [RPC_MODE=none|server|client-simple|client-mixed] [KS=mmap|flash] [RPC_TRANSPORT=none|loopback|serial|daemon] [MODEXP_CORE=no|yes]"
+USAGE := "usage: ${MAKE} [IO_BUS=eim|i2c|fmc] [RPC_MODE=none|server|client-simple|client-mixed] [KS=mmap|flash] [RPC_TRANSPORT=none|loopback|serial|daemon] [MODEXP_CORE=no|yes] [HASH_CORES=no|yes] [ECDSA_CORES=no|yes]"
IO_BUS ?= none
KS ?= flash
RPC_MODE ?= none
RPC_TRANSPORT ?= none
MODEXP_CORE ?= no
+HASH_CORES ?= no
+ECDSA_CORES ?= yes
ifeq (,$(and \
$(filter none eim i2c fmc ,${IO_BUS}),\
$(filter none server client-simple client-mixed ,${RPC_MODE}),\
$(filter mmap flash ,${KS}),\
$(filter none loopback serial daemon ,${RPC_TRANSPORT}),\
- $(filter no yes ,${MODEXP_CORE})))
+ $(filter no yes ,${MODEXP_CORE}),\
+ $(filter no yes ,${HASH_CORES}),\
+ $(filter no yes ,${ECDSA_CORES})))
$(error ${USAGE})
endif
-$(info Building libhal with configuration IO_BUS=${IO_BUS} RPC_MODE=${RPC_MODE} KS=${KS} RPC_TRANSPORT=${RPC_TRANSPORT} MODEXP_CORE=${MODEXP_CORE})
+$(info Building libhal with configuration IO_BUS=${IO_BUS} RPC_MODE=${RPC_MODE} KS=${KS} RPC_TRANSPORT=${RPC_TRANSPORT} MODEXP_CORE=${MODEXP_CORE} HASH_CORES=${HASH_CORES} ECDSA_CORES=${ECDSA_CORES})
# Whether the RSA code should use the ModExp | ModExpS6 | ModExpA7 core.
@@ -68,6 +72,24 @@ else
RSA_USE_MODEXP_CORE := 0
endif
+# Whether the hash code should use the SHA-1 / SHA-256 / SHA-512 cores.
+
+ifeq "${HASH_CORES}" "yes"
+ HASH_ONLY_USE_SOFT_CORES := 0
+else
+ HASH_ONLY_USE_SOFT_CORES := 1
+endif
+
+# Whether the ECDSA code should use the ECDSA256 and ECDSA384 cores.
+
+ifeq "${ECDSA_CORES}" "yes"
+ ECDSA_USE_ECDSA256_CORE := 1
+ ECDSA_USE_ECDSA384_CORE := 1
+else
+ ECDSA_USE_ECDSA256_CORE := 0
+ ECDSA_USE_ECDSA384_CORE := 0
+endif
+
# Object files to build, initialized with ones we always want.
# There's a balance here between skipping files we don't strictly
# need and reducing the number of unnecessary conditionals in this
@@ -169,15 +191,30 @@ endif
ifeq "${RPC_MODE}" "none"
OBJ += ${CORE_OBJ}
CFLAGS += -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE}
+ CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=${HASH_ONLY_USE_SOFT_CORES}
+ CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=${ECDSA_USE_ECDSA256_CORE}
+ CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=${ECDSA_USE_ECDSA384_CORE}
else ifeq "${RPC_MODE}" "server"
OBJ += ${CORE_OBJ} ${RPC_SERVER_OBJ}
- CFLAGS += -DRPC_CLIENT=RPC_CLIENT_LOCAL -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE}
+ CFLAGS += -DRPC_CLIENT=RPC_CLIENT_LOCAL
+ CFLAGS += -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE}
+ CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=${HASH_ONLY_USE_SOFT_CORES}
+ CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=${ECDSA_USE_ECDSA256_CORE}
+ CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=${ECDSA_USE_ECDSA384_CORE}
else ifeq "${RPC_MODE}" "client-simple"
OBJ += ${RPC_CLIENT_OBJ}
- CFLAGS += -DRPC_CLIENT=RPC_CLIENT_REMOTE -DHAL_RSA_USE_MODEXP=0 -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1
+ CFLAGS += -DRPC_CLIENT=RPC_CLIENT_REMOTE
+ CFLAGS += -DHAL_RSA_USE_MODEXP=0
+ CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1
+ CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=0
+ CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=0
else ifeq "${RPC_MODE}" "client-mixed"
OBJ += ${RPC_CLIENT_OBJ}
- CFLAGS += -DRPC_CLIENT=RPC_CLIENT_MIXED -DHAL_RSA_USE_MODEXP=0 -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1
+ CFLAGS += -DRPC_CLIENT=RPC_CLIENT_MIXED
+ CFLAGS += -DHAL_RSA_USE_MODEXP=0
+ CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1
+ CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=0
+ CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=0
endif
ifndef CRYPTECH_ROOT
@@ -206,12 +243,19 @@ CFLAGS += -I${LIBTFM_BLD}
CFLAGS += -DHAL_ENABLE_SOFTWARE_HASH_CORES=1
-export CFLAGS
+# We used to "export CFLAGS" here, but for some reason that causes GNU
+# make to duplicate its value, sometimes with conflicting settings.
+# Weird, but this is complicated enough already, so we just pass
+# CFLAGS explicitly in the small number of cases where we run a
+# sub-make, below.
+
+#export CFLAGS
+
export RPC_MODE
all: ${LIB}
- cd tests; ${MAKE} $@
- cd utils; ${MAKE} $@
+ ${MAKE} -C tests $@ CFLAGS='${CFLAGS}'
+ ${MAKE} -C utils $@ CFLAGS='${CFLAGS}'
client:
${MAKE} RPC_MODE=client-simple RPC_TRANSPORT=daemon
@@ -247,13 +291,12 @@ last_gasp_pin_internal.h:
./utils/last_gasp_default_pin >$@
test: all
- export RPC_MODE
- cd tests; ${MAKE} -k $@
+ ${MAKE} -C tests -k $@ CFLAGS='${CFLAGS}'
clean:
- rm -f *.o ${LIB} cryptech_rpcd
- cd tests; ${MAKE} $@
- cd utils; ${MAKE} $@
+ rm -f *.o ${LIB}
+ ${MAKE} -C tests $@ CFLAGS='${CFLAGS}'
+ ${MAKE} -C utils $@ CFLAGS='${CFLAGS}'
distclean: clean
rm -f TAGS
diff --git a/ecdsa.c b/ecdsa.c
index 04e67b8..16d2b27 100644
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -89,6 +89,18 @@
#endif
/*
+ * Whether to use the Verilog point multipliers.
+ */
+
+#ifndef HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER
+#define HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER 1
+#endif
+
+#ifndef HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER
+#define HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER 1
+#endif
+
+/*
* Whether we want debug output.
*/
@@ -124,6 +136,7 @@ typedef struct {
fp_digit rho; /* Montgomery reduction value */
const uint8_t *oid; /* OBJECT IDENTIFIER */
size_t oid_len; /* Length of OBJECT IDENTIFIER */
+ hal_curve_name_t curve; /* Curve name */
} ecdsa_curve_t;
/*
@@ -206,6 +219,7 @@ static const ecdsa_curve_t * const get_curve(const hal_curve_name_t curve)
fp_montgomery_calc_normalization(curve_p256.mu, curve_p256.q);
curve_p256.oid = p256_oid;
curve_p256.oid_len = sizeof(p256_oid);
+ curve_p256.curve = HAL_CURVE_P256;
fp_read_unsigned_bin(curve_p384.q, unconst_uint8_t(p384_q), sizeof(p384_q));
fp_read_unsigned_bin(curve_p384.b, unconst_uint8_t(p384_b), sizeof(p384_b));
@@ -218,6 +232,7 @@ static const ecdsa_curve_t * const get_curve(const hal_curve_name_t curve)
fp_montgomery_calc_normalization(curve_p384.mu, curve_p384.q);
curve_p384.oid = p384_oid;
curve_p384.oid_len = sizeof(p384_oid);
+ curve_p384.curve = HAL_CURVE_P384;
fp_read_unsigned_bin(curve_p521.q, unconst_uint8_t(p521_q), sizeof(p521_q));
fp_read_unsigned_bin(curve_p521.b, unconst_uint8_t(p521_b), sizeof(p521_b));
@@ -230,6 +245,7 @@ static const ecdsa_curve_t * const get_curve(const hal_curve_name_t curve)
fp_montgomery_calc_normalization(curve_p521.mu, curve_p521.q);
curve_p521.oid = p521_oid;
curve_p521.oid_len = sizeof(p521_oid);
+ curve_p521.curve = HAL_CURVE_P521;
initialized = 1;
}
@@ -749,6 +765,113 @@ static inline hal_error_t get_random(void *buffer, const size_t length)
#endif /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */
/*
+ * Use experimental Verilog base point multiplier cores to calculate
+ * public key given a private key. point_pick_random() has already
+ * selected a suitable private key for us, we just need to calculate
+ * the corresponding public key.
+ */
+
+#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER || HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER
+
+typedef struct {
+ size_t bytes;
+ const char *name;
+ hal_addr_t k_addr;
+ hal_addr_t x_addr;
+ hal_addr_t y_addr;
+} verilog_ecdsa_driver_t;
+
+static hal_error_t verilog_point_pick_random(const verilog_ecdsa_driver_t * const driver,
+ fp_int *k,
+ ec_point_t *P)
+{
+ assert(k != NULL && P != NULL);
+
+ const size_t len = fp_unsigned_bin_size(k);
+ uint8_t b[driver->bytes];
+ const uint8_t zero[4] = {0, 0, 0, 0};
+ hal_core_t *core = NULL;
+ hal_error_t err;
+
+ if (len > sizeof(b))
+ return HAL_ERROR_RESULT_TOO_LONG;
+
+ if ((err = hal_core_alloc(driver->name, &core)) != HAL_OK)
+ goto fail;
+
+#define check(_x_) do { if ((err = (_x_)) != HAL_OK) goto fail; } while (0)
+
+ memset(b, 0, sizeof(b));
+ fp_to_unsigned_bin(k, b + sizeof(b) - len);
+
+ for (int i = 0; i < sizeof(b); i += 4)
+ check(hal_io_write(core, driver->k_addr + i/4, &b[sizeof(b) - 4 - i], 4));
+
+ check(hal_io_write(core, ADDR_CTRL, zero, sizeof(zero)));
+ check(hal_io_next(core));
+ check(hal_io_wait_valid(core));
+
+ for (int i = 0; i < sizeof(b); i += 4)
+ check(hal_io_read(core, driver->x_addr + i/4, &b[sizeof(b) - 4 - i], 4));
+ fp_read_unsigned_bin(P->x, b, sizeof(b));
+
+ for (int i = 0; i < sizeof(b); i += 4)
+ check(hal_io_read(core, driver->y_addr + i/4, &b[sizeof(b) - 4 - i], 4));
+ fp_read_unsigned_bin(P->y, b, sizeof(b));
+
+ fp_set(P->z, 1);
+
+#undef check
+
+ err = HAL_OK;
+
+ fail:
+ hal_core_free(core);
+ memset(b, 0, sizeof(b));
+ return err;
+}
+
+#endif
+
+static inline hal_error_t verilog_p256_point_pick_random(fp_int *k, ec_point_t *P)
+{
+#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER
+
+ static const verilog_ecdsa_driver_t p256_driver = {
+ .name = ECDSA256_NAME,
+ .bytes = ECDSA256_OPERAND_BITS / 8,
+ .k_addr = ECDSA256_ADDR_K,
+ .x_addr = ECDSA256_ADDR_X,
+ .y_addr = ECDSA256_ADDR_Y
+ };
+
+ return verilog_point_pick_random(&p256_driver, k, P);
+
+#endif
+
+ return HAL_ERROR_CORE_NOT_FOUND;
+}
+
+static inline hal_error_t verilog_p384_point_pick_random(fp_int *k, ec_point_t *P)
+{
+#if HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER
+
+ static const verilog_ecdsa_driver_t p384_driver = {
+ .name = ECDSA384_NAME,
+ .bytes = ECDSA384_OPERAND_BITS / 8,
+ .k_addr = ECDSA384_ADDR_K,
+ .x_addr = ECDSA384_ADDR_X,
+ .y_addr = ECDSA384_ADDR_Y
+ };
+
+ return verilog_point_pick_random(&p384_driver, k, P);
+
+#endif
+
+ return HAL_ERROR_CORE_NOT_FOUND;
+}
+
+/*
* Pick a random point on the curve, return random scalar and
* resulting point.
*/
@@ -792,6 +915,24 @@ static hal_error_t point_pick_random(const ecdsa_curve_t * const curve,
memset(k_buf, 0, sizeof(k_buf));
+#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER || HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER
+ switch (curve->curve) {
+
+ case HAL_CURVE_P256:
+ if ((err = verilog_p256_point_pick_random(k, P)) != HAL_ERROR_CORE_NOT_FOUND)
+ return err;
+ break;
+
+ case HAL_CURVE_P384:
+ if ((err = verilog_p384_point_pick_random(k, P)) != HAL_ERROR_CORE_NOT_FOUND)
+ return err;
+ break;
+
+ default:
+ break;
+ }
+#endif
+
/*
* Calculate P = kG and return.
*/
diff --git a/hal.h b/hal.h
index 72b1d58..29b4dab 100644
--- a/hal.h
+++ b/hal.h
@@ -103,6 +103,12 @@
#define MKMIF_NAME "mkmif "
#define MKMIF_VERSION "0.10"
+#define ECDSA256_NAME "ecdsa256"
+#define ECDSA256_VERSION "0.11"
+
+#define ECDSA384_NAME "ecdsa384"
+#define ECDSA384_VERSION "0.11"
+
/*
* C API error codes. Defined in this form so we can keep the tokens
* and error strings together. See errorstrings.c.
diff --git a/verilog_constants.h b/verilog_constants.h
index f0ae070..c9bb566 100644
--- a/verilog_constants.h
+++ b/verilog_constants.h
@@ -8,7 +8,7 @@
* hand-edited.
*
* Authors: Joachim Strombergson, Paul Selkirk, Rob Austein
- * Copyright (c) 2015-2016, NORDUnet A/S All rights reserved.
+ * Copyright (c) 2015-2017, NORDUnet A/S All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -241,6 +241,34 @@
#define MODEXPA7_ADDR_RESULT (MODEXPA7_ADDR_OPERANDS + 3 * MODEXPA7_OPERAND_WORDS)
/*
+ * ECDSA P-256 point multiplier core. ECDSA256_OPERAND_BITS is size
+ * in bits of the (only) supported operand size (256 bits, imagine that).
+ *
+ * (Not sure which category EC Point Mulitiplier will end up in, but
+ * let's pretend it's "math".)
+ */
+
+#define ECDSA256_OPERAND_BITS (256)
+#define ECDSA256_ADDR_REGISTERS (0x00)
+#define ECDSA256_ADDR_K (0x20)
+#define ECDSA256_ADDR_X (0x28)
+#define ECDSA256_ADDR_Y (0x30)
+
+/*
+ * ECDSA P-384 point multiplier core. ECDSA384_OPERAND_BITS is size
+ * in bits of the (only) supported operand size (384 bits, imagine that).
+ *
+ * (Not sure which category EC Point Mulitiplier will end up in, but
+ * let's pretend it's "math".)
+ */
+
+#define ECDSA384_OPERAND_BITS (384)
+#define ECDSA384_ADDR_REGISTERS (0x00)
+#define ECDSA384_ADDR_K (0x40)
+#define ECDSA384_ADDR_X (0x50)
+#define ECDSA384_ADDR_Y (0x60)
+
+/*
* Utility cores.
*/