1 // SPDX-License-Identifier: GPL-2.0+
19 #include <u-boot/rsa.h>
20 #include <u-boot/rsa-mod-exp.h>
31  * subtract_modulus() - subtract modulus from the given value
33  * @key:	Key containing modulus to subtract
36 static void subtract_modulus(const struct rsa_public_key *key, uint32_t num[])  in subtract_modulus()  argument
41 	for (i = 0; i < key->len; i++) {  in subtract_modulus()
42 		acc += (uint64_t)num[i] - key->modulus[i];  in subtract_modulus()
49  * greater_equal_modulus() - check if a value is >= modulus
51  * @key:	Key containing modulus to check
55 static int greater_equal_modulus(const struct rsa_public_key *key,  in greater_equal_modulus()  argument
60 	for (i = (int)key->len - 1; i >= 0; i--) {  in greater_equal_modulus()
61 		if (num[i] < key->modulus[i])  in greater_equal_modulus()
63 		if (num[i] > key->modulus[i])  in greater_equal_modulus()
71  * montgomery_mul_add_step() - Perform montgomery multiply-add step
75  * @key:	RSA key
80 static void montgomery_mul_add_step(const struct rsa_public_key *key,  in montgomery_mul_add_step()  argument
88 	d0 = (uint32_t)acc_a * key->n0inv;  in montgomery_mul_add_step()
89 	acc_b = (uint64_t)d0 * key->modulus[0] + (uint32_t)acc_a;  in montgomery_mul_add_step()
90 	for (i = 1; i < key->len; i++) {  in montgomery_mul_add_step()
92 		acc_b = (acc_b >> 32) + (uint64_t)d0 * key->modulus[i] +  in montgomery_mul_add_step()
94 		result[i - 1] = (uint32_t)acc_b;  in montgomery_mul_add_step()
99 	result[i - 1] = (uint32_t)acc_a;  in montgomery_mul_add_step()
102 		subtract_modulus(key, result);  in montgomery_mul_add_step()
106  * montgomery_mul() - Perform montgomery mutitply
110  * @key:	RSA key
115 static void montgomery_mul(const struct rsa_public_key *key,  in montgomery_mul()  argument
120 	for (i = 0; i < key->len; ++i)  in montgomery_mul()
122 	for (i = 0; i < key->len; ++i)  in montgomery_mul()
123 		montgomery_mul_add_step(key, result, a[i], b);  in montgomery_mul()
127  * num_pub_exponent_bits() - Number of bits in the public exponent
129  * @key:	RSA key
132 static int num_public_exponent_bits(const struct rsa_public_key *key,  in num_public_exponent_bits()  argument
139 	exponent = key->exponent;  in num_public_exponent_bits()
153 	return -EINVAL;  in num_public_exponent_bits()
157  * is_public_exponent_bit_set() - Check if a bit in the public exponent is set
159  * @key:	RSA key
162 static int is_public_exponent_bit_set(const struct rsa_public_key *key,  in is_public_exponent_bit_set()  argument
165 	return key->exponent & (1ULL << pos);  in is_public_exponent_bit_set()
169  * pow_mod() - in-place public exponentiation
171  * @key:	RSA key
172  * @inout:	Big-endian word array containing value and result
174 static int pow_mod(const struct rsa_public_key *key, uint32_t *inout)  in pow_mod()  argument
180 	/* Sanity check for stack size - key->len is in 32-bit words */  in pow_mod()
181 	if (key->len > RSA_MAX_KEY_BITS / 32) {  in pow_mod()
182 		debug("RSA key words %u exceeds maximum %d\n", key->len,  in pow_mod()
184 		return -EINVAL;  in pow_mod()
187 	uint32_t val[key->len], acc[key->len], tmp[key->len];  in pow_mod()
188 	uint32_t a_scaled[key->len];  in pow_mod()
189 	result = tmp;  /* Re-use location. */  in pow_mod()
192 	for (i = 0, ptr = inout + key->len - 1; i < key->len; i++, ptr--)  in pow_mod()
195 	if (0 != num_public_exponent_bits(key, &k))  in pow_mod()
196 		return -EINVAL;  in pow_mod()
201 		return -EINVAL;  in pow_mod()
204 	if (!is_public_exponent_bit_set(key, 0)) {  in pow_mod()
206 		return -EINVAL;  in pow_mod()
209 	/* the bit at e[k-1] is 1 by definition, so start with: C := M */  in pow_mod()
210 	montgomery_mul(key, acc, val, key->rr); /* acc = a * RR / R mod n */  in pow_mod()
212 	memcpy(a_scaled, acc, key->len * sizeof(a_scaled[0]));  in pow_mod()
214 	for (j = k - 2; j > 0; --j) {  in pow_mod()
215 		montgomery_mul(key, tmp, acc, acc); /* tmp = acc^2 / R mod n */  in pow_mod()
217 		if (is_public_exponent_bit_set(key, j)) {  in pow_mod()
219 			montgomery_mul(key, acc, tmp, a_scaled);  in pow_mod()
222 			memcpy(acc, tmp, key->len * sizeof(acc[0]));  in pow_mod()
227 	montgomery_mul(key, tmp, acc, acc); /* tmp = acc^2 / R mod n */  in pow_mod()
228 	montgomery_mul(key, acc, tmp, val); /* acc = tmp * a / R mod M */  in pow_mod()
229 	memcpy(result, acc, key->len * sizeof(result[0]));  in pow_mod()
232 	if (greater_equal_modulus(key, result))  in pow_mod()
233 		subtract_modulus(key, result);  in pow_mod()
236 	for (i = key->len - 1, ptr = inout; (int)i >= 0; i--, ptr++)  in pow_mod()
246 		dst[i] = fdt32_to_cpu(src[len - 1 - i]);  in rsa_convert_big_endian()
252 	struct rsa_public_key key;  in rsa_mod_exp_sw()  local
257 		return -EBADF;  in rsa_mod_exp_sw()
259 	key.n0inv = prop->n0inv;  in rsa_mod_exp_sw()
260 	key.len = prop->num_bits;  in rsa_mod_exp_sw()
262 	if (!prop->public_exponent)  in rsa_mod_exp_sw()
263 		key.exponent = RSA_DEFAULT_PUBEXP;  in rsa_mod_exp_sw()
265 		key.exponent =  in rsa_mod_exp_sw()
266 			fdt64_to_cpu(*((uint64_t *)(prop->public_exponent)));  in rsa_mod_exp_sw()
268 	if (!key.len || !prop->modulus || !prop->rr) {  in rsa_mod_exp_sw()
269 		debug("%s: Missing RSA key info", __func__);  in rsa_mod_exp_sw()
270 		return -EFAULT;  in rsa_mod_exp_sw()
274 	if (key.len > RSA_MAX_KEY_BITS || key.len < RSA_MIN_KEY_BITS) {  in rsa_mod_exp_sw()
275 		debug("RSA key bits %u outside allowed range %d..%d\n",  in rsa_mod_exp_sw()
276 		      key.len, RSA_MIN_KEY_BITS, RSA_MAX_KEY_BITS);  in rsa_mod_exp_sw()
277 		return -EFAULT;  in rsa_mod_exp_sw()
279 	key.len /= sizeof(uint32_t) * 8;  in rsa_mod_exp_sw()
280 	uint32_t key1[key.len], key2[key.len];  in rsa_mod_exp_sw()
282 	key.modulus = key1;  in rsa_mod_exp_sw()
283 	key.rr = key2;  in rsa_mod_exp_sw()
284 	rsa_convert_big_endian(key.modulus, (uint32_t *)prop->modulus, key.len);  in rsa_mod_exp_sw()
285 	rsa_convert_big_endian(key.rr, (uint32_t *)prop->rr, key.len);  in rsa_mod_exp_sw()
286 	if (!key.modulus || !key.rr) {  in rsa_mod_exp_sw()
288 		return -ENOMEM;  in rsa_mod_exp_sw()
295 	ret = pow_mod(&key, buf);  in rsa_mod_exp_sw()
306  * zynq_pow_mod - in-place public exponentiation
308  * @keyptr:	RSA key
309  * @inout:	Big-endian word array containing value and result
320 	struct rsa_public_key *key;  in zynq_pow_mod()  local
323 	key = (struct rsa_public_key *)keyptr;  in zynq_pow_mod()
325 	/* Sanity check for stack size - key->len is in 32-bit words */  in zynq_pow_mod()
326 	if (key->len > RSA_MAX_KEY_BITS / 32) {  in zynq_pow_mod()
327 		debug("RSA key words %u exceeds maximum %d\n", key->len,  in zynq_pow_mod()
329 		return -EINVAL;  in zynq_pow_mod()
332 	result = tmp;  /* Re-use location. */  in zynq_pow_mod()
334 	for (i = 0, ptr = inout; i < key->len; i++, ptr++)  in zynq_pow_mod()
337 	montgomery_mul(key, acc, val, key->rr);  /* axx = a * RR / R mod M */  in zynq_pow_mod()
339 		montgomery_mul(key, tmp, acc, acc); /* tmp = acc^2 / R mod M */  in zynq_pow_mod()
340 		montgomery_mul(key, acc, tmp, tmp); /* acc = tmp^2 / R mod M */  in zynq_pow_mod()
342 	montgomery_mul(key, result, acc, val);  /* result = XX * a / R mod M */  in zynq_pow_mod()
345 	if (greater_equal_modulus(key, result))  in zynq_pow_mod()
346 		subtract_modulus(key, result);  in zynq_pow_mod()
348 	for (i = 0, ptr = inout; i < key->len; i++, ptr++)  in zynq_pow_mod()