author | Louis Collard <louiscollard@chromium.org> | 2019-05-02 16:51:43 +0800 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-07-31 09:04:51 +0000 |
commit | dfad1da08151579ef7692e1f860c1cfb480ea24e (patch) | |
tree | d452dbf159170a8b261c33037cfc726a39c01768 | |
parent | bef4cc466bdca22eb2140c100f9704060c028315 (diff) | |
download | chrome-ec-dfad1da08151579ef7692e1f860c1cfb480ea24e.tar.gz |
g: Force word writes for k during ECDSA sign
Functions that take p256_int* parameters may
use byte writes when writing to those parameters.
When writing to DMEM_ecc, we must use word writes;
this change ensures that happens.
BUG=b:131807777
TEST=build and flash to soraka locally,
ensure k is populated successfully
BRANCH=none
Change-Id: I49462b10aa1203fe875417e9526f06b2efc068fb
Signed-off-by: Louis Collard <louiscollard@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1592990
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
-rw-r--r-- | chip/g/dcrypto/dcrypto_p256.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/chip/g/dcrypto/dcrypto_p256.c b/chip/g/dcrypto/dcrypto_p256.c index 04b029aacf..7a0f653589 100644 --- a/chip/g/dcrypto/dcrypto_p256.c +++ b/chip/g/dcrypto/dcrypto_p256.c @@ -800,6 +800,13 @@ int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key, int i, result; struct DMEM_ecc *pEcc = (struct DMEM_ecc *) GREG32_ADDR(CRYPTO, DMEM_DUMMY); + /* + * We can't allow other functions to write directly into DMEM_ecc, + * as p256_int is a packed struct so those functions may perform + * byte (as opposed to word) writes (in case the ptr operand is + * unaligned), which are not compatible with the peripheral. + */ + p256_int rnd, k; dcrypto_init_and_lock(); dcrypto_ecc_init(); @@ -807,14 +814,16 @@ int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key, /* Pick uniform 0 < k < R */ do { - hmac_drbg_generate_p256(drbg, &pEcc->rnd); - } while (p256_cmp(&SECP256r1_nMin2, &pEcc->rnd) < 0); + hmac_drbg_generate_p256(drbg, &rnd); + } while (p256_cmp(&SECP256r1_nMin2, &rnd) < 0); drbg_exit(drbg); - p256_add_d(&pEcc->rnd, 1, &pEcc->k); + p256_add_d(&rnd, 1, &k); + + cp8w(&pEcc->k, &k); for (i = 0; i < 8; ++i) - pEcc->rnd.a[i] = rand(); + rnd.a[i] = k.a[i] = pEcc->rnd.a[i] = rand(); cp8w(&pEcc->msg, message); cp8w(&pEcc->d, key); |
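Review bot: The scrub at the end of the second hunk, `rnd.a[i] = k.a[i] = pEcc->rnd.a[i] = rand();`, still writes the peripheral copy through a direct member access on the packed `p256_int`, which is the same kind of store the commit message says the compiler may lower to byte writes; whether it actually does depends on the alignment the compiler can assume for `struct DMEM_ecc`, whose definition is not in the hunk. Routing the scrub through the same word-copy path already used for `k` would remove the doubt: `for (i = 0; i < 8; ++i) rnd.a[i] = k.a[i] = rand();` followed by `cp8w(&pEcc->rnd, &rnd);` (assuming cp8w takes the destination first, as the `cp8w(&pEcc->k, &k)` call above suggests). Separately, `rnd` and `k` are now stack locals holding the ECDSA nonce, and if nothing reads them after the loop (the rest of the function is outside the hunk) the compiler is free to drop those scrubbing stores as dead; writing them through a `volatile uint32_t *`, or the tree's explicit-zeroization helper if one exists, keeps the stores. dcrypto_p256_ecdsa_sign begins before and continues past this hunk.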