authorLouis Collard <louiscollard@chromium.org>2019-05-02 16:51:43 +0800
committerCommit Bot <commit-bot@chromium.org>2019-07-31 09:04:51 +0000
commitdfad1da08151579ef7692e1f860c1cfb480ea24e (patch)
treed452dbf159170a8b261c33037cfc726a39c01768
parentbef4cc466bdca22eb2140c100f9704060c028315 (diff)
g: Force word writes for k during ECDSA sign
Functions that take p256_int* parameters may use byte writes when writing to those parameters. When writing to DMEM_ecc, we must use word writes; this change ensures that happens. BUG=b:131807777 TEST=build and flash to soraka locally, ensure k is populated successfully BRANCH=none Change-Id: I49462b10aa1203fe875417e9526f06b2efc068fb Signed-off-by: Louis Collard <louiscollard@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1592990 Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org>
-rw-r--r--chip/g/dcrypto/dcrypto_p256.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/chip/g/dcrypto/dcrypto_p256.c b/chip/g/dcrypto/dcrypto_p256.c
index 04b029aacf..7a0f653589 100644
--- a/chip/g/dcrypto/dcrypto_p256.c
+++ b/chip/g/dcrypto/dcrypto_p256.c
@@ -800,6 +800,13 @@ int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key,
int i, result;
struct DMEM_ecc *pEcc =
(struct DMEM_ecc *) GREG32_ADDR(CRYPTO, DMEM_DUMMY);
+ /*
+ * We can't allow other functions to write directly into DMEM_ecc,
+ * as p256_int is a packed struct so those functions may perform
+ * byte (as opposed to word) writes (in case the ptr operand is
+ * unaligned), which are not compatible with the peripheral.
+ */
+ p256_int rnd, k;
dcrypto_init_and_lock();
dcrypto_ecc_init();
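Review bot: The new comment above `p256_int rnd, k;` says what callees must not do, but it does not say what these locals hold or which path is allowed for getting values into DMEM_ecc. Since they stage the ECDSA nonce, I would extend the comment with something like `* rnd and k stage the per-signature nonce in RAM; copy into DMEM_ecc only with cp8w(), and overwrite both before returning.` That keeps the word-write rule and the secrecy requirement together for the next person who adds a p256_int helper call here. The body of dcrypto_p256_ecdsa_sign starts and ends outside this hunk.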
@@ -807,14 +814,16 @@ int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key,
/* Pick uniform 0 < k < R */
do {
- hmac_drbg_generate_p256(drbg, &pEcc->rnd);
- } while (p256_cmp(&SECP256r1_nMin2, &pEcc->rnd) < 0);
+ hmac_drbg_generate_p256(drbg, &rnd);
+ } while (p256_cmp(&SECP256r1_nMin2, &rnd) < 0);
drbg_exit(drbg);
- p256_add_d(&pEcc->rnd, 1, &pEcc->k);
+ p256_add_d(&rnd, 1, &k);
+
+ cp8w(&pEcc->k, &k);
for (i = 0; i < 8; ++i)
- pEcc->rnd.a[i] = rand();
+ rnd.a[i] = k.a[i] = pEcc->rnd.a[i] = rand();
cp8w(&pEcc->msg, message);
cp8w(&pEcc->d, key);
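Review bot: The stack copies of the nonce are overwritten in `rnd.a[i] = k.a[i] = pEcc->rnd.a[i] = rand();` with ordinary stores, so if neither `rnd` nor `k` is read again the compiler may remove those stores as dead and leave k on the stack. Before this change the nonce lived only in DMEM_ecc; an exposed ECDSA nonce discloses the private key, so the wipe should be one the optimizer cannot elide. I would keep `pEcc->rnd.a[i] = rand();` as the loop body and clear `rnd` and `k` afterwards through a volatile-qualified pointer or the project's non-optimizable memset helper, with a comment such as `/* Wipe RAM copies of the nonce; must not be optimized out. */`. The rest of the function is outside the hunk, so whether the locals are read later cannot be confirmed from here.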