diff options
author | Eric Biggers <ebiggers@google.com> | 2018-10-17 21:37:58 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-02-12 19:46:58 +0100 |
commit | 99eed8a29f9fe5126fcf6d673b419bddadae8679 (patch) | |
tree | 8515a60752a56887130e00cc3abf70c2a393e284 /crypto/Kconfig | |
parent | 22ccd257add3feea6eed9690de312bbc6b4b8f8e (diff) |
crypto: aes_ti - disable interrupts while accessing S-box
[ Upstream commit 0a6a40c2a8c184a2fb467efacfb1cd338d719e0b ]
In the "aes-fixed-time" AES implementation, disable interrupts while
accessing the S-box, in order to make cache-timing attacks more
difficult. Previously it was possible for the CPU to be interrupted
while the S-box was loaded into L1 cache, potentially evicting the
cachelines and causing later table lookups to be time-variant.
In tests I did on x86 and ARM, this doesn't affect performance
significantly. Responsiveness is potentially a concern, but interrupts
are only disabled for a single AES block.
Note that even after this change, the implementation still isn't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software. But it's valuable to make such attacks more difficult.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'crypto/Kconfig')
-rw-r--r-- | crypto/Kconfig | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig index 59e32623a7ce..0fb9586766a7 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -1056,7 +1056,8 @@ config CRYPTO_AES_TI 8 for decryption), this implementation only uses just two S-boxes of 256 bytes each, and attempts to eliminate data dependent latencies by prefetching the entire table into the cache at the start of each - block. + block. Interrupts are also disabled to avoid races where cachelines + are evicted when the CPU is interrupted to do something else. config CRYPTO_AES_586 tristate "AES cipher algorithms (i586)" |