[crypto] add non-blocking rsa_3072_verify function

Previously, only a blocking version of the `rsa_3072_verify` function existed. For the power virus test (see #14814), however, we want the ability to initiate OTBN operations, and then free up the CPU to complete other tasks. This adds a non-blocking version of the `rsa_3072_verify` function to the crypto library to support this use case. Signed-off-by: Timothy Trippel <[email protected]>
lowRISC · Feb 8, 2023 · 12ce221 · 12ce221
1 parent f94a11a
commit 12ce221
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 12 deletions.
diff --git a/sw/device/lib/crypto/impl/rsa_3072/rsa_3072_verify.c b/sw/device/lib/crypto/impl/rsa_3072/rsa_3072_verify.c
@@ -148,17 +148,9 @@ otbn_error_t rsa_3072_compute_constants(const rsa_3072_public_key_t *public_key,
  return kOtbnErrorOk;
 }
 
-// TODO: This implementation waits while OTBN is processing; it should be
-// modified to be non-blocking.
-otbn_error_t rsa_3072_verify(const rsa_3072_int_t *signature,
- const rsa_3072_int_t *message,
- const rsa_3072_public_key_t *public_key,
- const rsa_3072_constants_t *constants,
- hardened_bool_t *result) {
- // Initially set the result to false in case of early returns due to invalid
- // arguments.
- *result = kHardenedBoolFalse;
-
+otbn_error_t rsa_3072_verify_start(const rsa_3072_int_t *signature,
+ const rsa_3072_public_key_t *public_key,
+ const rsa_3072_constants_t *constants) {
  // Only the F4 modulus is supported.
  if (public_key->e != 65537) {
  return kOtbnErrorInvalidArgument;
@@ -195,6 +187,15 @@ otbn_error_t rsa_3072_verify(const rsa_3072_int_t *signature,
  // Start the OTBN routine.
  OTBN_RETURN_IF_ERROR(otbn_execute());
 
+ return kOtbnErrorOk;
+}
+
+otbn_error_t rsa_3072_verify_finalize(const rsa_3072_int_t *message,
+ hardened_bool_t *result) {
+ // Initially set the result to false in case of early returns due to invalid
+ // arguments.
+ *result = kHardenedBoolFalse;
+
  // Spin here waiting for OTBN to complete.
  OTBN_RETURN_IF_ERROR(otbn_busy_wait_for_done());
 
@@ -214,3 +215,21 @@ otbn_error_t rsa_3072_verify(const rsa_3072_int_t *signature,
 
  return kOtbnErrorOk;
 }
+
+otbn_error_t rsa_3072_verify(const rsa_3072_int_t *signature,
+ const rsa_3072_int_t *message,
+ const rsa_3072_public_key_t *public_key,
+ const rsa_3072_constants_t *constants,
+ hardened_bool_t *result) {
+ // Initially set the result to false in case of early returns due to invalid
+ // arguments.
+ *result = kHardenedBoolFalse;
+
+ // Initiate OTBN signature verification.
+ OTBN_RETURN_IF_ERROR(rsa_3072_verify_start(signature, public_key, constants));
+
+ // Wait for OTBN operations to complete and signature to be verified.
+ OTBN_RETURN_IF_ERROR(rsa_3072_verify_finalize(message, result));
+
+ return kOtbnErrorOk;
+}
diff --git a/sw/device/lib/crypto/impl/rsa_3072/rsa_3072_verify.h b/sw/device/lib/crypto/impl/rsa_3072/rsa_3072_verify.h
@@ -109,13 +109,41 @@ status_t rsa_3072_encode_sha256(const uint8_t *msg, size_t msgLen,
  rsa_3072_int_t *result);
 
 /**
- * Verifies an RSA-3072 signature.
+ * Starts an RSA-3072 signature verification; returns immediately.
+ *
+ * The key exponent must be 65537; no other exponents are supported.
+ *
+ * @param signature Signature to be verified.
+ * @param public_key Key to check the signature against.
+ * @param constants Precomputed Montgomery constants for the public_key.
+ * @return Result of the operation (OK or error).
+ */
+otbn_error_t rsa_3072_verify_start(const rsa_3072_int_t *signature,
+ const rsa_3072_public_key_t *public_key,
+ const rsa_3072_constants_t *constants);
+
+/**
+ * Waits for an RSA-3072 signature verification to complete.
+ *
+ * Should be invoked after `rsa_3072_verify_async`. The encoded `message`
+ * parameter should be related to the `signature` parameter passed to the prior
+ * invocation of `rsa_3072_verify_async`.
+ *
+ * @param message Encoded message representative to check the signature against.
+ * @return Result of the operation (OK or error).
+ */
+otbn_error_t rsa_3072_verify_finalize(const rsa_3072_int_t *message,
+ hardened_bool_t *result);
+
+/**
+ * Verifies an RSA-3072 signature; blocks until complete.
  *
  * The key exponent must be 65537; no other exponents are supported.
  *
  * @param signature Signature to be verified.
  * @param message Encoded message representative to check the signature against.
  * @param public_key Key to check the signature against.
+ * @param constants Precomputed Montgomery constants for the public_key.
  * @param result Buffer in which to store output (true iff signature is valid)
  * @return Result of the operation (OK or error).
  */