commit | 85df256c4a6733c2989b707c9b641bd5ae050c03 | |
---|---|---|
author | Sungbae Yoo <sungbaey@nvidia.com> | Thu Nov 21 14:21:29 2024 +0000 |
committer | Jerome Forissier <jerome@forissier.org> | Mon Nov 25 09:21:51 2024 +0100 |
tree | 0fcb330240ceb3fd81666301cc7a5ccc21924a6c | |
parent | 1e9c6f15ef0fde509e188c1b54c56f5a307fd168 | |

libmbedtls: add CFG_CORE_UNSAFE_MODEXP and CFG_TA_MEBDTLS_UNSAFE_MODEXP

Modular exponentiation in MBed TLS v3.6.2 comes in two flavors: an 'unsafe' one, mbedtls_mpi_exp_mod_unsafe(), and a 'safe' one called mbedtls_mpi_exp_mod(). Here safe/unsafe refers to resistance against timing attacks (the safe variant is constant-time and usually much slower). The reason for having the two variants is that the fastest may be used with public keys while the slowest should be used with private keys.

This commit introduces CFG_CORE_UNSAFE_MODEXP for TEE core and CFG_TA_MEBDTLS_UNSAFE_MODEXP for the MBedTLS library for TAs. Those configurations switch mbedtls_mpi_exp_mod() to the unsafe variant for better performance.

This commit adds CFG_CORE_UNSAFE_MODEXP=y to QEMUv7 tests as well because the problem with the safe variant which is now the default is that it introduces a large performance regression in "time xtest 4011" which makes the QEMUv7 tests in particular impractical:

| | QEMUv8 | QEMUv7 |
|---|---|---|
| 3.4.0 (OP-TEE 4.2.0) | 0m 0.85s | 0m 14.29s |
| 3.6.2 w/o this commit | 0m 21.83s | 8m 3.04s |
| 3.6.2 w/ this commit | 0m 0.93s | 0m 14.34s |

Prior to v3.6.0, MBed TLS had no constant time implementation.

Link: https://optee.readthedocs.io/en/latest/building/devices/qemu.html#qemu-v7 [1]
Link: https://github.com/Mbed-TLS/mbedtls/commit/1ba40585f9446372f69f19693c20f593283930af
Signed-off-by: Sungbae Yoo <sungbaey@nvidia.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
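
The safe/unsafe distinction described in the commit message, as an added illustration that is not code from this commit or from Mbed TLS: a variable-time square-and-multiply beside a fixed-schedule variant, with a counter showing how the work done depends on the exponent in one and not in the other. The function names, the toy 32-bit operands and the counter are assumptions made for the example; the `%` operator is itself not guaranteed constant-time, so only the operation schedule is modelled here.

```c
#include <stdint.h>

/* Added illustration only: toy 32-bit operands, not Mbed TLS bignum code. */
static unsigned mul_count; /* number of modular multiplications performed */

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m)
{
    mul_count++;
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Variable-time: loop length and multiplies depend on the exponent's bits. */
uint32_t modexp_unsafe(uint32_t base, uint32_t exp, uint32_t m)
{
    uint32_t r = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1)
            r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Fixed schedule: always 32 rounds, always multiply, branch-free select. */
uint32_t modexp_fixed(uint32_t base, uint32_t exp, uint32_t m)
{
    uint32_t r = 1 % m;
    base %= m;
    for (int i = 0; i < 32; i++) {
        uint32_t t = mulmod(r, base, m);
        uint32_t mask = (uint32_t)0 - ((exp >> i) & 1); /* all-ones if bit set */
        r = (t & mask) | (r & ~mask);
        base = mulmod(base, base, m);
    }
    return r;
}

/* Multiplications used by fn for a given exponent (constructed base/modulus). */
unsigned count_muls(uint32_t (*fn)(uint32_t, uint32_t, uint32_t), uint32_t exp)
{
    mul_count = 0;
    (void)fn(7, exp, 1000003u);
    return mul_count;
}
```

With a public exponent the exponent-dependent operation count reveals nothing secret, which is why the faster variant is acceptable for public-key operations; with a private exponent that same dependence is the timing side channel the safe variant removes.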

This git contains source code for the secure side implementation of the OP-TEE project.
All official OP-TEE documentation has moved to http://optee.readthedocs.io.