blob: 2077d039ea05c568c090648f37334e6f2dfc03e3 [file] [log] [blame]
/* Copyright lowRISC contributors. */
/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
/* SPDX-License-Identifier: Apache-2.0 */
/**
* Wrapper specifically for SCA/formal analysis of p256 keygen.
*
* Normally, the key generation routines called here would be used with key
* manager seeds only. This wrapper uses software-provided seeds for analysis
* purposes and should not be used for production code.
*/
.section .text.start
start:
/* Read mode, then tail-call either p256_gen_secret_key or p256_gen_keypair */
la x2, mode
lw x2, 0(x2)
li x3, 1
beq x2, x3, p256_gen_secret_key
li x3, 2
beq x2, x3, p256_gen_keypair
/* Invalid mode; fail. */
unimp
p256_gen_secret_key:
/* Init all-zero register. */
bn.xor w31, w31, w31
/* Load shares of seed from DMEM.
[w21,w20] <= dmem[seed0]
[w23,w33] <= dmem[seed1] */
li x2, 20
la x3, seed0
bn.lid x2, 0(x3++)
li x2, 21
bn.lid x2++, 0(x3)
la x3, seed1
bn.lid x2, 0(x3++)
li x2, 23
bn.lid x2, 0(x3)
/* Generate the derived secret key.
[w21,w20] <= d0
[w23,w33] <= d1 */
jal x1, p256_key_from_seed
/* Write the results to DMEM.
dmem[d0] <= [w21, w20]
dmem[d1] <= [w23, w22] */
li x2, 20
la x3, d0
bn.sid x2, 0(x3++)
li x2, 21
bn.sid x2++, 0(x3)
la x3, d1
bn.sid x2, 0(x3++)
li x2, 23
bn.sid x2, 0(x3)
ecall
p256_gen_keypair:
/* First, generate the masked secret key d and write to DMEM.
dmem[d0] <= d0
dmem[d1] <= d1 */
jal x1, p256_gen_secret_key
/* Generate the public key Q = d*G.
dmem[x] <= Q.x
dmem[y] <= Q.y */
jal x1, p256_base_mult
ecall
/**
* Note: Technically this could be a .bss section, but it is convenient for
* software to have zeroes already set on the high bits of the seeds.
*/
.data
/* Mode (1 = private key only, 2 = keypair) */
.balign 4
.globl mode
mode:
.word 0x00000001
/* First share of seed (320 bits). */
.balign 32
.globl seed0
seed0:
.word 0x2335f23f
.word 0x3c174a16
.word 0x128c1339
.word 0xc48e8981
.word 0x7843d9a2
.word 0xbb6a0205
.word 0x446984cc
.word 0xa210c4be
.word 0xd7c77320
.word 0x2bac5b0b
.word 0x00000000
.word 0x00000000
.word 0x00000000
.word 0x00000000
.word 0x00000000
.word 0x00000000
/* Second share of seed (320 bits). */
.balign 32
.globl seed1
seed1:
.word 0x225596d6
.word 0x2df4bec0
.word 0xbeb67c9e
.word 0x6f2f939a
.word 0xf7d1a873
.word 0x99dd9f5a
.word 0x551f77d1
.word 0x17bcfeef
.word 0x4e67f1f7
.word 0x63e2e86d
.word 0x00000000
.word 0x00000000
.word 0x00000000
.word 0x00000000
.word 0x00000000
.word 0x00000000
/* First share of output key (320 bits). */
.balign 32
.globl d0
d0:
.zero 64
/* Second share of output key (320 bits). */
.balign 32
.globl d1
d1:
.zero 64
/* x-coordinate of output public key (256 bits). */
.balign 32
.globl x
x:
.zero 32
/* y-coordinate of output public key (256 bits). */
.balign 32
.globl y
y:
.zero 32