diff options
| author | Eric Biggers <ebiggers@google.com> | 2018-10-17 21:37:58 -0700 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2018-11-09 17:36:48 +0800 |
| commit | d38d79bff98d8551b374f9783fd13ef8dc44927b (patch) | |
| tree | 813597ddb8bc21ea7d20d630af4bd40c13795e27 /crypto/aes_generic.c | |
| parent | f5dc455f1b0548b15904e18be717c6f85f1c446d (diff) | |
| download | linux-crypto-d38d79bff98d8551b374f9783fd13ef8dc44927b.tar.gz linux-crypto-d38d79bff98d8551b374f9783fd13ef8dc44927b.zip | |
crypto: aes_ti - disable interrupts while accessing S-box
In the "aes-fixed-time" AES implementation, disable interrupts while
accessing the S-box, in order to make cache-timing attacks more
difficult. Previously it was possible for the CPU to be interrupted
while the S-box was loaded into L1 cache, potentially evicting the
cachelines and causing later table lookups to be time-variant.
In tests I did on x86 and ARM, this doesn't affect performance
significantly. Responsiveness is potentially a concern, but interrupts
are only disabled for a single AES block.
Note that even after this change, the implementation still isn't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software. But it's valuable to make such attacks more difficult.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/aes_generic.c')
0 files changed, 0 insertions, 0 deletions