nrf_security: CRACEN: Update to use PK_SET_COMMAND function

Update the following functionality to use PK_SET_COMMAND
instead of aquiring and releasing each use of CRACEN.
ECDSA, ED25519, ED448, IKG and the RSA keygen
This to eliminate a possible race condition and possibly
save power.

Signed-off-by: Dag Erik Gjørvad <[email protected]>

Author: degjorva

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/coprime_check.c

@@ -40,77 +40,47 @@
 #include "coprime_check.h"
 
 /* Perform modular inversion of a, using b as the modulo. */
-static int modular_inversion_start(struct cracen_coprimecheck *coprimecheck)
+static int modular_inversion_run(sx_pk_req *req, struct cracen_coprimecheck *coprimecheck)
 {
-	int sx_status;
-	struct sx_pk_acq_req pkreq;
 	struct sx_pk_inops_mod_single_op_cmd inputs;
 	size_t bsz = coprimecheck->bsz;
 	size_t asz = coprimecheck->asz;
 	int sizes[] = {bsz, asz};
 
 	/* b is odd, we can use command SX_PK_CMD_ODD_MOD_INV */
-	pkreq = sx_pk_acquire_req(SX_PK_CMD_ODD_MOD_INV);
-	if (pkreq.status) {
-		return pkreq.status;
-	}
+	sx_pk_set_cmd(req, SX_PK_CMD_ODD_MOD_INV);
 
-	pkreq.status = sx_pk_list_gfp_inslots(pkreq.req, sizes, (struct sx_pk_slot *)&inputs);
-	if (pkreq.status) {
-		return pkreq.status;
+	int status = sx_pk_list_gfp_inslots(req, sizes, (struct sx_pk_slot *)&inputs);
+
+	if (status != SX_OK) {
+		return status;
 	}
 
 	sx_wrpkmem(inputs.n.addr, coprimecheck->b, bsz);
 	sx_wrpkmem(inputs.b.addr, coprimecheck->a, asz);
 
-	sx_pk_run(pkreq.req);
+	sx_pk_run(req);
 
-	sx_status = sx_pk_wait(pkreq.req);
-	return sx_status;
-}
-
-static int modular_reduction_finish(uint8_t *workmem, struct sx_pk_acq_req *pkreq,
-				    struct cracen_coprimecheck *coprimecheck)
-{
-	const uint8_t **outputs = sx_pk_get_output_ops(pkreq->req);
-	int opsz = sx_pk_get_opsize(pkreq->req);
-	size_t bsz = coprimecheck->bsz;
-
-	/* copy to workmem the result of the modular reduction, to be found
-	 * at the end of the device memory slots
-	 */
-	sx_rdpkmem(workmem, outputs[0] + opsz - bsz, bsz);
-
-	sx_pk_release_req(pkreq->req);
-
-	/* update the task's parameters related to a */
-	coprimecheck->a = workmem;
-	coprimecheck->asz = bsz;
-
-	return modular_inversion_start(coprimecheck);
+	return sx_pk_wait(req);
 }
 
 /* Perform modular reduction of a, using b as the modulo. */
-static int modular_reduction_start(uint8_t *workmem, struct cracen_coprimecheck *coprimecheck)
+static int modular_reduction_run(sx_pk_req *req, uint8_t *workmem,
+				 struct cracen_coprimecheck *coprimecheck)
 {
-	int sx_status;
-	struct sx_pk_acq_req pkreq;
 	struct sx_pk_inops_mod_single_op_cmd inputs;
 	size_t bsz = coprimecheck->bsz;
 	size_t asz = coprimecheck->asz;
 
-	/* b is odd, we can use command SX_PK_CMD_ODD_MOD_REDUCE */
-	pkreq = sx_pk_acquire_req(SX_PK_CMD_ODD_MOD_REDUCE);
-	if (pkreq.status) {
-		return pkreq.status;
-	}
+	sx_pk_set_cmd(req, SX_PK_CMD_ODD_MOD_REDUCE);
 
 	/* give the largest size for both inputs, in this case it is asz */
 	int sizes[] = {asz, asz};
 
-	sx_status = sx_pk_list_gfp_inslots(pkreq.req, sizes, (struct sx_pk_slot *)&inputs);
-	if (sx_status) {
-		return sx_status;
+	int status = sx_pk_list_gfp_inslots(req, sizes, (struct sx_pk_slot *)&inputs);
+
+	if (status != SX_OK) {
+		return status;
 	}
 
 	/* Copy modulo and operand to the device memory slots. Note that the
@@ -120,19 +90,32 @@ static int modular_reduction_start(uint8_t *workmem, struct cracen_coprimecheck
 	sx_wrpkmem(inputs.n.addr + asz - bsz, coprimecheck->b, bsz);
 	sx_wrpkmem(inputs.b.addr, coprimecheck->a, asz);
 
-	sx_pk_run(pkreq.req);
-	sx_status = sx_pk_wait(pkreq.req);
-	if (sx_status != SX_OK) {
-		sx_pk_release_req(pkreq.req);
-		return sx_status;
+	sx_pk_run(req);
+	status = sx_pk_wait(req);
+	if (status != SX_OK) {
+		return status;
 	}
-	return modular_reduction_finish(workmem, &pkreq, coprimecheck);
+
+	/* Read the result of the modular reduction */
+	const uint8_t **outputs = sx_pk_get_output_ops(req);
+	int opsz = sx_pk_get_opsize(req);
+
+	/* copy to workmem the result of the modular reduction, to be found
+	 * at the end of the device memory slots
+	 */
+	sx_rdpkmem(workmem, outputs[0] + opsz - bsz, bsz);
+
+	/* update the task's parameters related to a */
+	coprimecheck->a = workmem;
+	coprimecheck->asz = bsz;
+
+	return SX_OK;
 }
 
-int cracen_coprime_check(uint8_t *workmem, size_t workmemsz, const uint8_t *a, size_t asz,
-			 const uint8_t *b, size_t bsz)
+int coprime_check_run(sx_pk_req *req, uint8_t *workmem, size_t workmemsz, const uint8_t *a,
+		      size_t asz, const uint8_t *b, size_t bsz)
 {
-	int sx_status;
+	int status;
 	int a_is_odd;
 	int b_is_odd;
 	size_t minworkmemsz;
@@ -184,9 +167,31 @@ int cracen_coprime_check(uint8_t *workmem, size_t workmemsz, const uint8_t *a, s
 	coprimecheck.bsz = bsz;
 
 	if (asz > bsz) {
-		sx_status = modular_reduction_start(workmem, &coprimecheck);
-	} else {
-		sx_status = modular_inversion_start(&coprimecheck);
+		/* First do modular reduction, then inversion */
+		status = modular_reduction_run(req, workmem, &coprimecheck);
+		if (status != SX_OK) {
+			return status;
+		}
 	}
-	return sx_status;
+
+	return modular_inversion_run(req, &coprimecheck);
+}
+
+int cracen_coprime_check(uint8_t *workmem, size_t workmemsz, const uint8_t *a, size_t asz,
+			 const uint8_t *b, size_t bsz)
+{
+	struct sx_pk_acq_req pkreq;
+	int status;
+
+	pkreq = sx_pk_acquire_req(SX_PK_CMD_ODD_MOD_INV);
+	if (pkreq.status) {
+		sx_pk_release_req(pkreq.req);
+		return pkreq.status;
+	}
+
+	status = coprime_check_run(pkreq.req, workmem, workmemsz, a, asz, b, bsz);
+
+	sx_pk_release_req(pkreq.req);
+
+	return status;
 }

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/coprime_check.h

@@ -8,6 +8,7 @@
 #define COPRIME_CHECK_HEADER_FILE
 
 #include <stdint.h>
+#include <silexpk/core.h>
 
 /** Function to check if two integer numbers are coprime.
  * @param[in] a            Unsigned integer stored as a big endian byte array.
@@ -31,4 +32,10 @@
 int cracen_coprime_check(uint8_t *workmem, size_t workmemsz, const uint8_t *a, size_t asz,
 			 const uint8_t *b, size_t bsz);
 
+/** Same as cracen_coprime_check, but uses an already-acquired request.
+ * This allows chaining multiple CRACEN operations without releasing between them.
+ */
+int coprime_check_run(sx_pk_req *req, uint8_t *workmem, size_t workmemsz, const uint8_t *a,
+		      size_t asz, const uint8_t *b, size_t bsz);
+
 #endif

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ecc.c

@@ -25,19 +25,27 @@ int ecc_genpubkey(const uint8_t *priv_key, uint8_t *pub_key, const struct sx_pk_
 	struct sx_pk_acq_req pkreq;
 	struct sx_pk_inops_ecp_mult inputs;
 	int opsz;
-	int status = SX_ERR_NOT_INVERTIBLE;
+	int status = SX_ERR_CORRUPTION_DETECTED;
 	int attempts = 0;
 
 	opsz = sx_pk_curve_opsize(curve);
 
-	while (status == SX_ERR_NOT_INVERTIBLE) {
-		pkreq = sx_pk_acquire_req(SX_PK_CMD_ECC_PTMUL);
-		if (pkreq.status) {
-			return pkreq.status;
+	/* Acquire CRACEN once for all retry attempts */
+	pkreq = sx_pk_acquire_req(SX_PK_CMD_ECC_PTMUL);
+	if (pkreq.status) {
+		sx_pk_release_req(pkreq.req);
+		return pkreq.status;
+	}
+
+	do {
+		if (attempts > 0) {
+			sx_pk_set_cmd(pkreq.req, SX_PK_CMD_ECC_PTMUL);
 		}
+
 		pkreq.status =
 			sx_pk_list_ecc_inslots(pkreq.req, curve, 0, (struct sx_pk_slot *)&inputs);
 		if (pkreq.status) {
+			sx_pk_release_req(pkreq.req);
 			return pkreq.status;
 		}
 
@@ -48,22 +56,20 @@ int ecc_genpubkey(const uint8_t *priv_key, uint8_t *pub_key, const struct sx_pk_
 		sx_pk_run(pkreq.req);
 
 		status = sx_pk_wait(pkreq.req);
-		if (status != SX_OK) {
-			return status;
-		}
-		outputs = (const uint8_t **)sx_pk_get_output_ops(pkreq.req);
 
 		/* When countermeasures are used, the operation may fail with error code
 		 * SX_ERR_NOT_INVERTIBLE. In this case we can try again.
 		 */
 		if (status == SX_ERR_NOT_INVERTIBLE) {
-			sx_pk_release_req(pkreq.req);
 			if (++attempts == MAX_ECC_ATTEMPTS) {
-				status = SX_ERR_TOO_MANY_ATTEMPTS;
+				sx_pk_release_req(pkreq.req);
+				return SX_ERR_TOO_MANY_ATTEMPTS;
 			}
 		}
-	}
+	} while (status == SX_ERR_NOT_INVERTIBLE);
+
 	if (status == SX_OK) {
+		outputs = (const uint8_t **)sx_pk_get_output_ops(pkreq.req);
 		sx_rdpkmem(pub_key, outputs[0], opsz);
 		sx_rdpkmem(pub_key + opsz, outputs[1], opsz);
 	}

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ecdsa.c

@@ -170,26 +170,22 @@ static void ecdsa_read_sig(struct cracen_signature *sig, const uint8_t *r, const
 	sx_rdpkmem(sig->s, s, opsz);
 }
 
-static int ecdsa_run_generate_sign(struct sx_pk_acq_req *pkreq,
-				   const struct cracen_ecc_priv_key *privkey,
-				   const struct sx_pk_ecurve *curve, const uint8_t *workmem,
-				   size_t digestsz, size_t opsz,
-				   struct sx_pk_inops_ecdsa_generate *inputs)
+static int ecdsa_run_generate_sign(sx_pk_req *req,
+				    const struct cracen_ecc_priv_key *privkey,
+				    const struct sx_pk_ecurve *curve, const uint8_t *workmem,
+				    size_t digestsz, size_t opsz,
+				    struct sx_pk_inops_ecdsa_generate *inputs)
 {
-	*pkreq = sx_pk_acquire_req(SX_PK_CMD_ECDSA_GEN);
-	if (pkreq->status) {
-		return pkreq->status;
-	}
+	int status = sx_pk_list_ecc_inslots(req, curve, 0, (struct sx_pk_slot *)inputs);
 
-	pkreq->status = sx_pk_list_ecc_inslots(pkreq->req, curve, 0, (struct sx_pk_slot *)inputs);
-	if (pkreq->status) {
-		return pkreq->status;
+	if (status) {
+		return status;
 	}
 
 	ecdsa_write_sk(privkey, inputs->d.addr, opsz);
 	sx_wrpkmem(inputs->k.addr, workmem + digestsz, opsz);
 	digest2op(workmem, digestsz, inputs->h.addr, opsz);
-	sx_pk_run(pkreq->req);
+	sx_pk_run(req);
 
 	return SX_OK;
 }
@@ -234,32 +230,44 @@ int cracen_ecdsa_sign_digest(const struct cracen_ecc_priv_key *privkey,
 	internal_signature.r = signature;
 	internal_signature.s = signature + opsz;
 
+	pkreq = sx_pk_acquire_req(SX_PK_CMD_ECDSA_GEN);
+	if (pkreq.status) {
+		sx_pk_release_req(pkreq.req);
+		return pkreq.status;
+	}
+
 	for (int i = 0; i <= MAX_ECDSA_ATTEMPTS; i++) {
 		status = cracen_get_rnd_in_range(curve_n, opsz, workmem + digest_length);
 		if (status != SX_OK) {
+			sx_pk_release_req(pkreq.req);
 			return status;
 		}
-		status = ecdsa_run_generate_sign(&pkreq, privkey, curve, workmem, digest_length,
-						 opsz, &inputs);
 
-		if (status != SX_OK) {
-			return status;
+		if (i > 0) {
+			sx_pk_set_cmd(pkreq.req, SX_PK_CMD_ECDSA_GEN);
 		}
-		status = sx_pk_wait(pkreq.req);
+
+		status = ecdsa_run_generate_sign(pkreq.req, privkey, curve, workmem,
+						 digest_length, opsz, &inputs);
 		if (status != SX_OK) {
 			sx_pk_release_req(pkreq.req);
+			return status;
 		}
 
+		status = sx_pk_wait(pkreq.req);
+
 		/* SX_ERR_NOT_INVERTIBLE may be due to silexpk countermeasures. */
 		if ((status == SX_ERR_INVALID_SIGNATURE) || (status == SX_ERR_NOT_INVERTIBLE)) {
-			sx_pk_release_req(pkreq.req);
 			if (i == MAX_ECDSA_ATTEMPTS) {
+				sx_pk_release_req(pkreq.req);
 				return SX_ERR_TOO_MANY_ATTEMPTS;
 			}
+			/* Continue loop to retry */
 		} else {
 			break;
 		}
 	}
+
 	if (status != SX_OK) {
 		sx_pk_release_req(pkreq.req);
 		return status;
@@ -439,6 +447,12 @@ int cracen_ecdsa_sign_digest_deterministic(const struct cracen_ecc_priv_key *pri
 	internal_signature.s = signature + opsz;
 	memcpy(workmem, digest, digestsz);
 
+	pkreq = sx_pk_acquire_req(SX_PK_CMD_ECDSA_GEN);
+	if (pkreq.status) {
+		sx_pk_release_req(pkreq.req);
+		return pkreq.status;
+	}
+
 	do {
 		hmac_op.deterministic_retries = 0;
 		hmac_op.step = 0;
@@ -451,20 +465,19 @@ int cracen_ecdsa_sign_digest_deterministic(const struct cracen_ecc_priv_key *pri
 								   blocksz, workmem, &hmac_op,
 								   privkey);
 			if (status != SX_OK && status != SX_ERR_HW_PROCESSING) {
+				sx_pk_release_req(pkreq.req);
 				return status;
 			}
 		}
-		status = ecdsa_run_generate_sign(&pkreq, privkey, curve, workmem, digestsz, opsz,
-						 &inputs);
 
+		status = ecdsa_run_generate_sign(pkreq.req, privkey, curve, workmem, digestsz,
+						 opsz, &inputs);
 		if (status != SX_OK) {
+			sx_pk_release_req(pkreq.req);
 			return status;
 		}
-		status = sx_pk_wait(pkreq.req);
 
-		if (status != SX_OK) {
-			sx_pk_release_req(pkreq.req);
-		}
+		status = sx_pk_wait(pkreq.req);
 
 	} while (--hmac_op.attempts &&
 		 (status == SX_ERR_INVALID_SIGNATURE || status == SX_ERR_NOT_INVERTIBLE));