[sw/rom] Remove generic otbn modexp subroutine.
Leave only modexp_65537 to save on flash space.
Signed-off-by: Miguel Osorio <miguelosorio@google.com>
diff --git a/sw/device/silicon_creator/otbn/modexp.s b/sw/device/silicon_creator/otbn/modexp.s
index eaff5e9..37f926c 100644
--- a/sw/device/silicon_creator/otbn/modexp.s
+++ b/sw/device/silicon_creator/otbn/modexp.s
@@ -772,178 +772,6 @@
ret
-
-/**
- * Conditionally overwrite bigint in dmem
- *
- * Depending on state of FG0.C overwrites a bigint in dmem with one from
- * a buffer in the wide reg file.
- *
- * Flags: Does not set any flags, does not use flags except FG0.C
- *
- * @param[in] x21: dptr, pointer to first limb of bigint in dmem
- * @param[in] x8: rptr, pointer to first limb of bigint in regfile buffer
- * @param[in] FG.C: selection condition, overwrite dmem when FG0.C==1
- * @param[in] x30: number of limbs
- * @param[in] x9: pointer to temp reg, must be set to 3
- * @param[in] x11: pointer to temp reg, must be set to 2
- *
- * clobbered registers: x8, x21, w0, w2
- * clobbered Flag Groups: none
- */
-sel_sqr_or_sqrmul:
- /* iterate over all limbs */
- loop x30, 6
-
- /* load limb from dmem */
- bn.lid x9, 0(x21)
-
- /* store limb to dmem */
- bn.sid x11, 0(x21)
-
- /* load limb from regfile buffer */
- bn.movr x11, x8++
- bn.mov w0, w2
-
- /* conditional select: w2 = FG0.C?w[x8+i]:dmem[x21+i] */
- bn.sel w2, w0, w3, C
-
- /* store selected limb to dmem */
- bn.sid x11, 0(x21++)
-
- ret
-
-
-/**
- * Constant-time bigint modular exponentiation
- *
- * Returns: C = modexp(A,E) = A^E mod M
- *
- * This implements the square and multiply algorithm, i.e. for each bit of the
- * exponent both the squared only and the squared with multiply results are
- * computed but one result is discarded.
- * Computation is carried out in the Montgomery domain, by using the montmul
- * primitive.
- * The squared Montgomery modulus RR and the Montgomery constant m0' have to
- * be precomputed and provided at the appropriate locations in dmem.
- *
- * Flags: The states of both FG0 and FG1 depend on intermediate values and are
- * not usable after return.
- *
- * The base bignum A is expected in the input buffer, the exponent E in the
- * exp buffer, the result C is written to the output buffer.
- * Note, that the content of both, the input buffer and the exp buffer is
- * modified during execution.
- *
- * @param[in] dmem[2] dptr_rr: pointer to RR in dmem
- * @param[in] dmem[4] N: Number of limbs per bignum
- * @param[in] dmem[8] dptr_m0d: pointer to m0' in dmem
- * @param[in] dmem[12] dptr_rr: pointer to RR in dmem
- * @param[in] dmem[16] dptr_m: pointer to first limb of modulus in dmem
- * @param[in] dmem[20] dptr_in: pointer to input/base buffer
- * @param[in] dmem[20] dptr_exp: pointer to exp buffer
- * @param[in] dmem[28] dptr_out: pointer to output/result buffer
- *
- * clobbered registers: x3 to x13, x16 to x31
- * w0 to w3, w24 to w30
- * w4 to w[4+N-1]
- * clobbered Flag Groups: FG0, FG1
- */
-modexp:
- /* prepare pointers to temp regs */
- li x8, 4
- li x9, 3
- li x10, 4
- li x11, 2
-
- /* load pointer to modulus */
- lw x16, 16(x0)
-
- /* load pointer to m0' */
- lw x17, 8(x0)
-
- /* load number of limbs */
- lw x30, 4(x0)
- addi x31, x30, -1
-
- /* convert to montgomery domain montmul(A,RR)
- in = montmul(A,RR) montmul(A,RR) = C*R mod M */
- lw x19, 20(x0)
- lw x20, 12(x0)
- lw x21, 20(x0)
- jal x1, montmul
- /* Store result in dmem starting at dmem[dptr_c] */
- loop x30, 2
- bn.sid x8, 0(x21++)
- addi x8, x8, 1
-
- /* zeroize w2 and reset flags */
- bn.sub w2, w2, w2
-
- /* initialize the output buffer with -M */
- lw x16, 16(x0)
- lw x21, 28(x0)
- loop x30, 3
- /* load limb from modulus */
- bn.lid x11, 0(x16++)
-
- /* subtract limb from 0 */
- bn.subb w2, w31, w2
-
- /* store limb in dmem */
- bn.sid x11, 0(x21++)
-
- /* reload pointer to modulus */
- lw x16, 16(x0)
-
- /* compute bit length of current bigint size */
- slli x24, x30, 8
-
- /* iterate over all bits of bigint */
- loop x24, 20
- /* square: out = montmul(out,out) */
- lw x19, 28(x0)
- lw x20, 28(x0)
- lw x21, 28(x0)
- jal x1, montmul
- /* Store result in dmem starting at dmem[dptr_c] */
- loop x30, 2
- bn.sid x8, 0(x21++)
- addi x8, x8, 1
-
- /* multiply: out = montmul(in,out) */
- lw x19, 20(x0)
- lw x20, 28(x0)
- lw x21, 28(x0)
- jal x1, montmul
-
- /* w2 <= w2 << 1 */
- bn.add w2, w2, w2
-
- /* the loop performs a 1-bit left shift of the exponent. Last MSB moves
- to FG0.C, such that it can be used for selection */
- lw x20, 24(x0)
- loop x30, 3
- bn.lid x11, 0(x20)
- /* w2 <= w2 << 1 */
- bn.addc w2, w2, w2
- bn.sid x11, 0(x20++)
-
- /* select squared or squared+multiplied result */
- lw x21, 28(x0)
- jal x1, sel_sqr_or_sqrmul
-
- nop
-
- /* convert back from montgomery domain */
- /* out = montmul(out,1) = out/R mod M */
- lw x19, 28(x0)
- lw x21, 28(x0)
- jal x1, montmul_mul1
-
- ret
-
-
/**
* Bigint modular exponentiation with fixed exponent of 65537
*
diff --git a/sw/device/silicon_creator/otbn/rsa.s b/sw/device/silicon_creator/otbn/rsa.s
index e1205fd..294fcfd 100644
--- a/sw/device/silicon_creator/otbn/rsa.s
+++ b/sw/device/silicon_creator/otbn/rsa.s
@@ -12,9 +12,6 @@
li x3, 1
beq x2, x3, rsa_encrypt
- li x3, 2
- beq x2, x3, rsa_decrypt
-
/* Mode is neither 1 (= encrypt) nor 2 (= decrypt). Fail. */
unimp
@@ -27,14 +24,6 @@
jal x1, modexp_65537
ecall
-/**
- * RSA decryption
- */
-rsa_decrypt:
- jal x1, modload
- jal x1, modexp
- ecall
-
.data
/*
