rsa: Optimization of multiplications for Cortex-M0

We multiply 2 32-bit numbers (and not 64-bit numbers), and then add
another 32-bit number, which makes it possible to optimize the
assembly and save a few instructions.

With -O3, 3072-bit exponent, lower verification time from 122 ms to
104 ms on STM32F072 @48Mhz.

Optimized mac function from Dmitry Grinberg <dmitrygr@google.com>.

BRANCH=poppy
BUG=b:35647963
BUG=b:77608104
TEST=On staff, flash, verification successful
TEST=make test-rsa, make test-rsa3
TEST=Flash test-utils and test-rsa to hammer => pass

Change-Id: I584c54c631a3f59f691849a279b308e8d4b4b22d
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/449024
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>

3 files changed, 49 insertions, 1 deletions

diff --git a/core/cortex-m0/build.mk b/core/cortex-m0/build.mk
index 6a0f44b367..2023bd9607 100644
--- a/core/cortex-m0/build.mk
+++ b/core/cortex-m0/build.mk
@@ -18,7 +18,7 @@ CFLAGS_CPU+=-flto
 LDFLAGS_EXTRA+=-flto
 endif
 
-core-y=cpu.o init.o thumb_case.o div.o lmul.o ldivmod.o uldivmod.o
+core-y=cpu.o init.o thumb_case.o div.o lmul.o ldivmod.o mula.o uldivmod.o
 core-$(CONFIG_COMMON_PANIC_OUTPUT)+=panic.o
 core-$(CONFIG_COMMON_RUNTIME)+=switch.o task.o
 
diff --git a/core/cortex-m0/config_core.h b/core/cortex-m0/config_core.h
index 389ed8edec..19a22bc333 100644
--- a/core/cortex-m0/config_core.h
+++ b/core/cortex-m0/config_core.h
@@ -15,4 +15,6 @@
 #define CONFIG_SOFTWARE_CTZ
 #define CONFIG_SOFTWARE_PANIC
 
+#define CONFIG_ASSEMBLY_MULA32
+
 #endif /* __CROS_EC_CONFIG_CORE_H */
diff --git a/core/cortex-m0/mula.S b/core/cortex-m0/mula.S
new file mode 100644
index 0000000000..fc0a6f3ee0
--- /dev/null
+++ b/core/cortex-m0/mula.S
@@ -0,0 +1,46 @@
+/* Copyright 2018 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * Cortex-M0 multiply-accumulate functions
+ */
+
+	.syntax unified
+	.text
+	.thumb
+
+@ uint64_t mula32(uint32_t a, uint32_t b, uint32_t c)
+@
+@ Multiply a (r0) and b (r1), add c (r2) and return the product in r1:r0
+@
+	.thumb_func
+	.section .text.mula32
+	.global mula32
+mula32:
+
+	push	{r4, r5}
+	uxth	r4, r0		/* r4 = a.lo16 */
+	uxth	r5, r1		/* r5 = b.lo16 */
+	uxth	r3, r2		/* r3 = c.lo16 */
+	muls	r4, r5		/* r4 = a.lo16 * b.lo16 */
+	adds	r4, r3		/* r4 = a.lo16 * b.lo16 + c.lo16 == r.lo32 */
+	lsrs	r3, r0, 16	/* r3 = a.hi16 */
+	lsrs	r2, r2, 16	/* r2 = c.hi16 */
+	muls	r5, r3		/* r5 = a.hi16 * b.lo16 */
+	adds	r5, r2		/* r5 = a.hi16 * b.lo16 + c.hi16 == r.mid32.1 */
+	uxth	r2, r0		/* r2 = a.lo16 */
+	lsrs	r1, r1, 16	/* r1 = b.hi16 */
+	muls	r2, r1		/* r2 = a.lo16 * b.hi16 == r.mid32.2 */
+	muls	r1, r3		/* r1 = b.hi16 * a.hi16 == r.hi32 */
+	movs	r3, 0		/* r3 = 0 */
+	adds	r5, r2		/* r5 = (r.mid32.1 + r.mid32.2).lo32 == r.mid.lo32 */
+	adcs	r3, r3		/* r3 = (r.mid32.1 + r.mid32.2).hi32 == r.mid.hi32 */
+	lsls	r0, r5, 16	/* r0 = r.mid.lo32.lo16 << 16 == r.mid.inpos.lo32 */
+	lsrs	r5, r5, 16	/* r5 = r.mid.lo32.hi16 >> 16 */
+	lsls	r3, r3, 16	/* r3 = r.mid.hi.lo16 << 16 */
+	adds	r3, r5		/* r3 = r5 + r3 = r.mid.inpos.hi32 */
+	adds	r0, r4		/* r0 = r.lo32 */
+	adcs	r1, r3		/* r1 = r.hi32 */
+	pop	{r4, r5}
+	bx	lr
+