Crypto: P256-M: Allow options for deeper configurability
* The compiler can generate a constant time implementation
of u32_muladd64 on Armv8.1-M targets. Hence
make sure that MUL64_IS_CONSTANT_TIME is set.
* Add an option MULADD64_IGNORE_ASM that allows bypassing
the automatic selection of the assembly implementation in p256-m.c,
so that the compiler can generate a UMLAL-based u32_muladd64
whose timing is data-independent when DIT is available (Armv8.1-M).
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: Iad60489b2c383a6566678dd024678a1b23a2ead2
diff --git a/lib/ext/mbedcrypto/0007-P256M-Add-option-to-force-not-use-of-asm.patch b/lib/ext/mbedcrypto/0007-P256M-Add-option-to-force-not-use-of-asm.patch
new file mode 100644
index 0000000..645542a
--- /dev/null
+++ b/lib/ext/mbedcrypto/0007-P256M-Add-option-to-force-not-use-of-asm.patch
@@ -0,0 +1,30 @@
+From c9f25ec14a33c06242e41edce1b65454936bdc92 Mon Sep 17 00:00:00 2001
+From: Antonio de Angelis <Antonio.deAngelis@arm.com>
+Date: Wed, 9 Oct 2024 13:36:42 +0100
+Subject: [PATCH 7/7] P256M: Add option to force not use of asm
+
+Add an option to let the compiler generate the assembly
+code for u32_muladd64(), especially for MinSizeRel and
+Release builds.
+
+Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
+---
+ 3rdparty/p256-m/p256-m/p256-m.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/3rdparty/p256-m/p256-m/p256-m.c b/3rdparty/p256-m/p256-m/p256-m.c
+index 42c35b5bf..558a8bc95 100644
+--- a/3rdparty/p256-m/p256-m/p256-m.c
++++ b/3rdparty/p256-m/p256-m/p256-m.c
+@@ -197,7 +197,7 @@ static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t);
+ * v7-M architectures. __ARM_ARCH_PROFILE is not defined for v6 and earlier.
+ * Thumb and 32-bit assembly is supported; aarch64 is not supported.
+ */
+-#if defined(__GNUC__) &&\
++#if !defined(MULADD64_IGNORE_ASM) && defined(__GNUC__) &&\
+ defined(__ARM_ARCH) && __ARM_ARCH >= 6 && defined(__ARM_ARCH_PROFILE) && \
+ ( __ARM_ARCH_PROFILE == 77 || __ARM_ARCH_PROFILE == 65 ) /* 'M' or 'A' */ && \
+ !defined(__aarch64__)
+--
+2.34.1
+
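Review bot: The comment block just above the modified `#if` (the lines ending `aarch64 is not supported.`) still describes only the architecture conditions, so a reader of p256-m.c gets no hint why the assembly may be skipped or what the integrator takes responsibility for when it is; add a line such as ` * Define MULADD64_IGNORE_ASM to skip the assembly and let the compiler generate u32_muladd64(); the integrator must then define MUL64_IS_CONSTANT_TIME only if the generated code really is constant-time on the target.`. Bypassing the assembly removes p256-m's vetted path, so the timing behaviour then depends entirely on the compiler's output and, on Armv8.1-M, presumably on DIT actually being enabled at runtime, which nothing in this patch does — worth stating in the same comment. The remainder of the `#if` condition and the code it guards continue outside the hunk.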
diff --git a/secure_fw/partitions/crypto/CMakeLists.txt b/secure_fw/partitions/crypto/CMakeLists.txt
index 565810b..38545fb 100644
--- a/secure_fw/partitions/crypto/CMakeLists.txt
+++ b/secure_fw/partitions/crypto/CMakeLists.txt
@@ -5,6 +5,12 @@
#
#-------------------------------------------------------------------------------
+set(is_v8.1m "$<STREQUAL:${TFM_SYSTEM_ARCHITECTURE},armv8.1-m.main>")
+set(is_v8m_base "$<STREQUAL:${TFM_SYSTEM_ARCHITECTURE},armv8-m.base>")
+set(is_v8m_main "$<STREQUAL:${TFM_SYSTEM_ARCHITECTURE},armv8-m.main>")
+set(is_v8.0m "$<OR:${is_v8m_main},${is_v8m_base}>")
+set(is_v8.xm "$<OR:${is_v8.1m},${is_v8.0m}>")
+
############################### PSA CRYPTO CONFIG ##############################
# Make sure these are available even if the TFM_PARTITION_CRYPTO is not defined
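Review bot: The five generator-expression variables added here (`is_v8.1m` through `is_v8.xm`) are not consumed by any generator expression in this commit — as far as the diff shows, `is_v8.1m` is only mentioned inside a comment in the later hunk and `is_v8.0m`/`is_v8.xm` are never referenced at all. If they are not used elsewhere in this CMakeLists.txt, either drop them or put them to use where the p256-m defines are added, e.g. `$<${is_v8.1m}:MULADD64_IGNORE_ASM>`, so the architecture distinction the comment talks about is actually enforced. Note that `$<STREQUAL:...>` with an empty `TFM_SYSTEM_ARCHITECTURE` silently evaluates to 0 rather than failing, so a misconfigured build would take the non-8.1-M path without any diagnostic.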
@@ -206,6 +212,11 @@
PRIVATE
MBEDTLS_PSA_P256M_DRIVER_ENABLED
MBEDTLS_PSA_CRYPTO_SPM
+ # Code is branchless but UMLAL might take a variable amount of cycles
+ # depedening on inputs if ${is_v8.1m} is false. We don't aim to protect
+ # against side channel so this is a acknowledged behaviour
+ MUL64_IS_CONSTANT_TIME
+ MULADD64_IGNORE_ASM
)
# The crypto_spe.h to be passed to p256m is here
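Review bot: `MUL64_IS_CONSTANT_TIME` is added unconditionally while the comment directly above it states that the UMLAL-based u32_muladd64 may take a variable number of cycles whenever `${is_v8.1m}` is false; in p256-m that macro is the integrator's assertion that the compiler-generated multiply-add is constant-time, so for armv8-m.main/armv8-m.base builds the assertion appears to be false, and since `MULADD64_IGNORE_ASM` is also set everywhere those targets lose the assembly path that was selected before this change. If side-channel resistance is genuinely out of scope for this partition, state that where the build profile is chosen rather than in a comment next to a macro whose name claims the opposite; otherwise gate the bypass, e.g. `$<${is_v8.1m}:MULADD64_IGNORE_ASM>`, so non-8.1-M builds keep the assembly. Fix the typo `depedening` → `depending` in the same comment. The `target_compile_definitions()` call this hunk edits starts before the hunk.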