Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Optimize size of ed25519 #4146

Merged
merged 4 commits into from
Sep 26, 2024
Merged

Optimize size of ed25519 #4146

merged 4 commits into from
Sep 26, 2024

Conversation

onvej-sl
Copy link
Contributor

@onvej-sl onvej-sl commented Sep 1, 2024

This is a continuation of #4107.

@onvej-sl
Copy link
Contributor Author

onvej-sl commented Sep 1, 2024

Saved space 24.5 KB.

Before After
publickey 4.1 ms 11 ms
sign 8.3 ms 23 ms
verify 11 ms 11 ms

@onvej-sl onvej-sl marked this pull request as ready for review September 1, 2024 19:31
@onvej-sl onvej-sl force-pushed the onvej-sl/optimize-size-ed25519 branch from 675df44 to b534a72 Compare September 12, 2024 12:53
@onvej-sl
Copy link
Contributor Author

onvej-sl commented Sep 13, 2024
edited
Loading

The test CK_TIMEOUT_MULTIPLIER=20 valgrind -q --error-exitcode=1 ./crypto/tests/test_check_noasan is failing. It returns a lot of errors that look like this:

==27372== Use of uninitialised value of size 8
==27372==    at 0x472C01: curve25519_mul (curve25519-donna-32bit.c:167)
==27372==    by 0x477193: ge25519_pnielsadd_p1p1 (ed25519-donna-impl-base.c:112)
==27372==    by 0x478FDA: ge25519_scalarmult (ed25519-donna-impl-base.c:480)
==27372==    by 0x47A098: ed25519_publickey_ext (ed25519.c:216)
==27372==    by 0x47A098: ed25519_publickey (ed25519.c:49)
==27372==    by 0x415C76: test_ed25519_fn (test_check.c:7817)
==27372==    by 0x485A27A: srunner_run_tagged (in /nix/store/hag8z773k2l4l42kdbbqmhp1qb4pfk8h-check-0.15.2/lib/libcheck.so.0.0.0)
==27372==    by 0x40121B: main (test_check.c:11828)

I experimentally found out that these errors disappear if I remove the following lines:

The macro MARK_SECRET_DATA(addr, len) is defined as VALGRIND_MAKE_MEM_UNDEFINED(addr, len). This should be a trick how to make valgrind test that the code is constant time (see this blogpost). I don't quiet understand how it works.

It seems to me that this is a false positive.

@onvej-sl
Copy link
Contributor Author

Together with Andrew we discovered this is caused by memory access dependent on secret key:

@github-actions GitHub Actions
Copy link

core UI changes device test click test persistence test
T2T1 Model T test(screens) main(screens) test(screens) main(screens) test(screens) main(screens)
T3B1 Safe 3 test(screens) main(screens) test(screens) main(screens) 2724
T3T1 test(screens) main(screens) test(screens) main(screens) test(screens) main(screens)
All main(screens)

@onvej-sl onvej-sl force-pushed the onvej-sl/optimize-size-ed25519 branch from cf9362d to c54213c Compare September 25, 2024 18:26
@matejcik
Copy link
Contributor

gotta say, pretty cool that we have setup which caught this

@onvej-sl onvej-sl merged commit 3b49e54 into main Sep 26, 2024
86 checks passed
@onvej-sl onvej-sl deleted the onvej-sl/optimize-size-ed25519 branch September 26, 2024 12:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkozlik andrewkozlik andrewkozlik approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Firmware
Status: Approved
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@onvej-sl @matejcik @andrewkozlik