blob: b1283a8cd307b9b535e2e7485f9adbb275b7739c [file] [log] [blame]
/* Copyright lowRISC contributors. */
/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
/* SPDX-License-Identifier: Apache-2.0 */
.section .text.start
/**
* Standalone embeddable wrapper for 3072 bit RSA signature verification.
*
* Computes msg = (sig^65537) mod M, where
* sig is the signature
* M is the public key modulus
*
* Uses the OTBN RSA 3072-bit only modular exponentiation implementation to
* obtain the message (digest) from an input signature. Assumes that the
* Montgomery constant m0_inv is provided, but computes the RR constant on the
* fly.
*
* The only exponent supported is e=65537.
*
* @param[in] dmem[in_mod]: Modulus of the RSA public key
* @param[in] dmem[in_buf]: Signature to check against
* @param[in] dmem[m0inv]: Montgomery constant (-(M^-1)) mod 2^256
* @param[out] dmem[out_buf]: Recovered message digest
*/
run_rsa_verify_3072:
/* Compute R^2 (same for both exponents): dmem[rr] <= R^2 */
jal x1, compute_rr
/* Set pointers to buffers for modexp. */
la x24, out_buf
la x16, in_mod
la x23, in_buf
la x26, rr
la x17, m0inv
/* run modular exponentiation */
jal x1, modexp_var_3072_f4
ecall
.bss
/* Modulus of RSA-3072 key */
.globl in_mod
.balign 32
in_mod:
.zero 384
/* Montgomery constant m0' */
.globl m0inv
.balign 32
m0inv:
.zero 32
/* Squared Mongomery Radix RR = (2^3072)^2 mod N */
.globl rr
.balign 32
rr:
.zero 384
/* signature */
.globl in_buf
.balign 32
in_buf:
.zero 384
/* Output buffer. */
.globl out_buf
.balign 32
out_buf:
.zero 384