crypto: aes_ti - disable interrupts while accessing S-box - openslx/kernel-qcow2-linux.git

diff options

author	Eric Biggers	2018-10-18 06:37:58 +0200
committer	Herbert Xu	2018-11-09 10:36:48 +0100
commit	0a6a40c2a8c184a2fb467efacfb1cd338d719e0b (patch)
tree	83c30f4e2775779925bd03c9d3f5f5f4f06887ae /crypto/aes_generic.c
parent	crypto: user - Zeroize whole structure given to user space (diff)
download	kernel-qcow2-linux-0a6a40c2a8c184a2fb467efacfb1cd338d719e0b.tar.gz kernel-qcow2-linux-0a6a40c2a8c184a2fb467efacfb1cd338d719e0b.tar.xz kernel-qcow2-linux-0a6a40c2a8c184a2fb467efacfb1cd338d719e0b.zip

crypto: aes_ti - disable interrupts while accessing S-box

In the "aes-fixed-time" AES implementation, disable interrupts while accessing the S-box, in order to make cache-timing attacks more difficult. Previously it was possible for the CPU to be interrupted while the S-box was loaded into L1 cache, potentially evicting the cachelines and causing later table lookups to be time-variant. In tests I did on x86 and ARM, this doesn't affect performance significantly. Responsiveness is potentially a concern, but interrupts are only disabled for a single AES block. Note that even after this change, the implementation still isn't necessarily guaranteed to be constant-time; see https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion of the many difficulties involved in writing truly constant-time AES software. But it's valuable to make such attacks more difficult. Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Diffstat (limited to 'crypto/aes_generic.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: