git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
crypto: aes_ti - disable interrupts while accessing S-box
author    Eric Biggers <ebiggers@google.com>
          Thu, 18 Oct 2018 04:37:58 +0000 (21:37 -0700)
committer Kleber Sacilotto de Souza <kleber.souza@canonical.com>
          Wed, 14 Aug 2019 09:18:49 +0000 (11:18 +0200)
commit    a87f24c456587e5be71b237869c1ce1323cbbcc1
tree      2c8737268ac9af1b84481120b1c3ef61381d4154
parent    b31d2d6a59d1ec7dc8a1dadbdfb8f05a01616bf0
crypto: aes_ti - disable interrupts while accessing S-box

BugLink: https://bugs.launchpad.net/bugs/1837664
[ Upstream commit 0a6a40c2a8c184a2fb467efacfb1cd338d719e0b ]

In the "aes-fixed-time" AES implementation, disable interrupts while
accessing the S-box, in order to make cache-timing attacks more
difficult.  Previously it was possible for the CPU to be interrupted
while the S-box was loaded into L1 cache, potentially evicting the
cachelines and causing later table lookups to be time-variant.

In tests I did on x86 and ARM, this doesn't affect performance
significantly.  Responsiveness is potentially a concern, but interrupts
are only disabled for a single AES block.

Note that even after this change, the implementation still isn't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software.  But it's valuable to make such attacks more difficult.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
crypto/Kconfig
crypto/aes_ti.c
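The commit message above describes why the access pattern of AES S-box lookups matters: a table lookup whose address is a secret byte touches a cache line that depends on that secret, and whether the line is still in L1 when the lookup happens shows up in timing. The following is an added, user-space illustration written for this page; it is not the kernel's crypto/aes_ti.c and none of the function names (aes_sbox_init, sbox_lookup_plain, sbox_prefetch, sbox_lookup_ct, sbox_selftest) exist in the kernel. It generates the standard AES S-box, shows the plain secret-addressed lookup, a data-independent prefetch pass in the spirit of "keep the whole table in L1 before the secret-dependent reads", and, as a contrast, the scan-everything constant-address lookup that avoids the cache question entirely at a large cost in loads. User space has no equivalent of local_irq_save(), which is exactly the gap the commit closes in the kernel: the prefetch alone leaves a window in which an interrupt can evict the table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not kernel code): the AES S-box, generated at start-up from
 * the GF(2^8) inverse and the affine map instead of being pasted as a literal. */
static uint8_t aes_sbox_tbl[256];

static uint8_t rotl8(uint8_t x, unsigned s)
{
	return (uint8_t)((x << s) | (x >> (8 - s)));
}

void aes_sbox_init(void)
{
	uint8_t p = 1, q = 1;

	do {
		/* p = p * 3 in GF(2^8); 3 generates the group, so p visits every non-zero byte */
		p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));
		/* q = q / 3, so q stays equal to p^-1 */
		q ^= (uint8_t)(q << 1);
		q ^= (uint8_t)(q << 2);
		q ^= (uint8_t)(q << 4);
		q ^= (q & 0x80) ? 0x09 : 0;
		/* affine transform of the inverse, then the 0x63 constant */
		aes_sbox_tbl[p] = (uint8_t)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^
					    rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
	} while (p != 1);
	aes_sbox_tbl[0] = 0x63; /* zero has no inverse; affine map of 0 */
}

/* Plain lookup: the load address is the secret byte, so which cache line is
 * touched, and whether it hits in L1, is visible to a timing observer. This
 * is the access pattern the commit protects by keeping the table resident. */
uint8_t sbox_lookup_plain(uint8_t x)
{
	return aes_sbox_tbl[x];
}

/* Data-independent prefetch: read one byte of every 32-byte chunk with
 * volatile loads so the compiler keeps them. Mirrors the idea of pulling the
 * whole table into L1 before any secret-dependent lookup; in user space
 * there is no local_irq_save(), so an interrupt can still evict it later. */
size_t sbox_prefetch(void)
{
	volatile const uint8_t *t = aes_sbox_tbl;
	size_t touched = 0;

	for (size_t off = 0; off < sizeof(aes_sbox_tbl); off += 32) {
		(void)t[off];
		touched++;
	}
	return touched; /* 8 chunks for a 256-byte table */
}

/* Constant-address alternative: read all 256 entries and select with a mask,
 * so the memory trace does not depend on x at all. Costs 256 loads per byte,
 * which is why table implementations prefer the cache-residency approach. */
uint8_t sbox_lookup_ct(uint8_t x)
{
	uint8_t out = 0;

	for (unsigned i = 0; i < 256; i++) {
		uint32_t d = (uint32_t)(i ^ x);
		/* (d - 1) >> 8 has its low byte set only when d == 0 */
		uint8_t mask = (uint8_t)(((d - 1u) >> 8) & 0xffu);
		out |= (uint8_t)(aes_sbox_tbl[i] & mask);
	}
	return out;
}

/* Both paths must agree on every input, and the table must be the real
 * FIPS-197 S-box (spot-checked against a few well-known entries). */
int sbox_selftest(void)
{
	aes_sbox_init();
	if (sbox_lookup_plain(0x00) != 0x63 || sbox_lookup_plain(0x01) != 0x7c ||
	    sbox_lookup_plain(0x53) != 0xed || sbox_lookup_plain(0xff) != 0x16)
		return 0;
	for (unsigned i = 0; i < 256; i++)
		if (sbox_lookup_ct((uint8_t)i) != sbox_lookup_plain((uint8_t)i))
			return 0;
	return 1;
}

int main(void)
{
	printf("selftest %s, prefetch touched %zu chunks\n",
	       sbox_selftest() ? "ok" : "FAILED", sbox_prefetch());
	return 0;
}
```

The two lookup functions return identical values; what differs is the sequence of addresses the CPU sees. sbox_lookup_ct never lets the secret choose an address, while sbox_lookup_plain relies on the table already being in L1, which is only a sound assumption if nothing can run in between and evict it. That is the race the kernel change removes by holding interrupts off for the duration of one block.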