1
2
3
4
5
6
7#ifndef USE_HOSTCC
8#include <common.h>
9#include <fdtdec.h>
10#include <asm/types.h>
11#include <asm/byteorder.h>
12#include <asm/errno.h>
13#include <asm/types.h>
14#include <asm/unaligned.h>
15#else
16#include "fdt_host.h"
17#include "mkimage.h"
18#include <fdt_support.h>
19#endif
20#include <u-boot/rsa.h>
21#include <u-boot/rsa-mod-exp.h>
22
23#define UINT64_MULT32(v, multby) (((uint64_t)(v)) * ((uint32_t)(multby)))
24
25#define get_unaligned_be32(a) fdt32_to_cpu(*(uint32_t *)a)
26#define put_unaligned_be32(a, b) (*(uint32_t *)(b) = cpu_to_fdt32(a))
27
28
29#define RSA_DEFAULT_PUBEXP 65537
30
31
32
33
34
35
36
37static void subtract_modulus(const struct rsa_public_key *key, uint32_t num[])
38{
39 int64_t acc = 0;
40 uint i;
41
42 for (i = 0; i < key->len; i++) {
43 acc += (uint64_t)num[i] - key->modulus[i];
44 num[i] = (uint32_t)acc;
45 acc >>= 32;
46 }
47}
48
49
50
51
52
53
54
55
56static int greater_equal_modulus(const struct rsa_public_key *key,
57 uint32_t num[])
58{
59 int i;
60
61 for (i = (int)key->len - 1; i >= 0; i--) {
62 if (num[i] < key->modulus[i])
63 return 0;
64 if (num[i] > key->modulus[i])
65 return 1;
66 }
67
68 return 1;
69}
70
71
72
73
74
75
76
77
78
79
80
81static void montgomery_mul_add_step(const struct rsa_public_key *key,
82 uint32_t result[], const uint32_t a, const uint32_t b[])
83{
84 uint64_t acc_a, acc_b;
85 uint32_t d0;
86 uint i;
87
88 acc_a = (uint64_t)a * b[0] + result[0];
89 d0 = (uint32_t)acc_a * key->n0inv;
90 acc_b = (uint64_t)d0 * key->modulus[0] + (uint32_t)acc_a;
91 for (i = 1; i < key->len; i++) {
92 acc_a = (acc_a >> 32) + (uint64_t)a * b[i] + result[i];
93 acc_b = (acc_b >> 32) + (uint64_t)d0 * key->modulus[i] +
94 (uint32_t)acc_a;
95 result[i - 1] = (uint32_t)acc_b;
96 }
97
98 acc_a = (acc_a >> 32) + (acc_b >> 32);
99
100 result[i - 1] = (uint32_t)acc_a;
101
102 if (acc_a >> 32)
103 subtract_modulus(key, result);
104}
105
106
107
108
109
110
111
112
113
114
115
116static void montgomery_mul(const struct rsa_public_key *key,
117 uint32_t result[], uint32_t a[], const uint32_t b[])
118{
119 uint i;
120
121 for (i = 0; i < key->len; ++i)
122 result[i] = 0;
123 for (i = 0; i < key->len; ++i)
124 montgomery_mul_add_step(key, result, a[i], b);
125}
126
127
128
129
130
131
132
133static int num_public_exponent_bits(const struct rsa_public_key *key,
134 int *num_bits)
135{
136 uint64_t exponent;
137 int exponent_bits;
138 const uint max_bits = (sizeof(exponent) * 8);
139
140 exponent = key->exponent;
141 exponent_bits = 0;
142
143 if (!exponent) {
144 *num_bits = exponent_bits;
145 return 0;
146 }
147
148 for (exponent_bits = 1; exponent_bits < max_bits + 1; ++exponent_bits)
149 if (!(exponent >>= 1)) {
150 *num_bits = exponent_bits;
151 return 0;
152 }
153
154 return -EINVAL;
155}
156
157
158
159
160
161
162
163static int is_public_exponent_bit_set(const struct rsa_public_key *key,
164 int pos)
165{
166 return key->exponent & (1ULL << pos);
167}
168
169
170
171
172
173
174
175static int pow_mod(const struct rsa_public_key *key, uint32_t *inout)
176{
177 uint32_t *result, *ptr;
178 uint i;
179 int j, k;
180
181
182 if (key->len > RSA_MAX_KEY_BITS / 32) {
183 debug("RSA key words %u exceeds maximum %d\n", key->len,
184 RSA_MAX_KEY_BITS / 32);
185 return -EINVAL;
186 }
187
188 uint32_t val[key->len], acc[key->len], tmp[key->len];
189 uint32_t a_scaled[key->len];
190 result = tmp;
191
192
193 for (i = 0, ptr = inout + key->len - 1; i < key->len; i++, ptr--)
194 val[i] = get_unaligned_be32(ptr);
195
196 if (0 != num_public_exponent_bits(key, &k))
197 return -EINVAL;
198
199 if (k < 2) {
200 debug("Public exponent is too short (%d bits, minimum 2)\n",
201 k);
202 return -EINVAL;
203 }
204
205 if (!is_public_exponent_bit_set(key, 0)) {
206 debug("LSB of RSA public exponent must be set.\n");
207 return -EINVAL;
208 }
209
210
211 montgomery_mul(key, acc, val, key->rr);
212
213 memcpy(a_scaled, acc, key->len * sizeof(a_scaled[0]));
214
215 for (j = k - 2; j > 0; --j) {
216 montgomery_mul(key, tmp, acc, acc);
217
218 if (is_public_exponent_bit_set(key, j)) {
219
220 montgomery_mul(key, acc, tmp, a_scaled);
221 } else {
222
223 memcpy(acc, tmp, key->len * sizeof(acc[0]));
224 }
225 }
226
227
228 montgomery_mul(key, tmp, acc, acc);
229 montgomery_mul(key, acc, tmp, val);
230 memcpy(result, acc, key->len * sizeof(result[0]));
231
232
233 if (greater_equal_modulus(key, result))
234 subtract_modulus(key, result);
235
236
237 for (i = key->len - 1, ptr = inout; (int)i >= 0; i--, ptr++)
238 put_unaligned_be32(result[i], ptr);
239 return 0;
240}
241
242static void rsa_convert_big_endian(uint32_t *dst, const uint32_t *src, int len)
243{
244 int i;
245
246 for (i = 0; i < len; i++)
247 dst[i] = fdt32_to_cpu(src[len - 1 - i]);
248}
249
250int rsa_mod_exp_sw(const uint8_t *sig, uint32_t sig_len,
251 struct key_prop *prop, uint8_t *out)
252{
253 struct rsa_public_key key;
254 int ret;
255
256 if (!prop) {
257 debug("%s: Skipping invalid prop", __func__);
258 return -EBADF;
259 }
260 key.n0inv = prop->n0inv;
261 key.len = prop->num_bits;
262
263 if (!prop->public_exponent)
264 key.exponent = RSA_DEFAULT_PUBEXP;
265 else
266 key.exponent =
267 fdt64_to_cpu(*((uint64_t *)(prop->public_exponent)));
268
269 if (!key.len || !prop->modulus || !prop->rr) {
270 debug("%s: Missing RSA key info", __func__);
271 return -EFAULT;
272 }
273
274
275 if (key.len > RSA_MAX_KEY_BITS || key.len < RSA_MIN_KEY_BITS) {
276 debug("RSA key bits %u outside allowed range %d..%d\n",
277 key.len, RSA_MIN_KEY_BITS, RSA_MAX_KEY_BITS);
278 return -EFAULT;
279 }
280 key.len /= sizeof(uint32_t) * 8;
281 uint32_t key1[key.len], key2[key.len];
282
283 key.modulus = key1;
284 key.rr = key2;
285 rsa_convert_big_endian(key.modulus, (uint32_t *)prop->modulus, key.len);
286 rsa_convert_big_endian(key.rr, (uint32_t *)prop->rr, key.len);
287 if (!key.modulus || !key.rr) {
288 debug("%s: Out of memory", __func__);
289 return -ENOMEM;
290 }
291
292 uint32_t buf[sig_len / sizeof(uint32_t)];
293
294 memcpy(buf, sig, sig_len);
295
296 ret = pow_mod(&key, buf);
297 if (ret)
298 return ret;
299
300 memcpy(out, buf, sig_len);
301
302 return 0;
303}
304
305
306
307
308
309
310
311int zynq_pow_mod(uint32_t *keyptr, uint32_t *inout)
312{
313 uint32_t *result, *ptr;
314 uint i;
315 struct rsa_public_key *key;
316
317 key = (struct rsa_public_key *)keyptr;
318
319
320 if (key->len > RSA_MAX_KEY_BITS / 32) {
321 debug("RSA key words %u exceeds maximum %d\n", key->len,
322 RSA_MAX_KEY_BITS / 32);
323 return -EINVAL;
324 }
325
326 uint32_t val[key->len], acc[key->len], tmp[key->len];
327 result = tmp;
328
329 for (i = 0, ptr = inout; i < key->len; i++, ptr++)
330 val[i] = *(ptr);
331
332 montgomery_mul(key, acc, val, key->rr);
333 for (i = 0; i < 16; i += 2) {
334 montgomery_mul(key, tmp, acc, acc);
335 montgomery_mul(key, acc, tmp, tmp);
336 }
337 montgomery_mul(key, result, acc, val);
338
339
340 if (greater_equal_modulus(key, result))
341 subtract_modulus(key, result);
342
343 for (i = 0, ptr = inout; i < key->len; i++, ptr++)
344 *ptr = result[i];
345
346 return 0;
347}
348