crypto: aes_ti - disable interrupts while accessing S-box
Eric Biggers authored
[ Upstream commit 0a6a40c2 ]

In the "aes-fixed-time" AES implementation, disable interrupts while
accessing the S-box, in order to make cache-timing attacks more
difficult.  Previously it was possible for the CPU to be interrupted
while the S-box was loaded into L1 cache, potentially evicting the
cachelines and causing later table lookups to be time-variant.

In tests I did on x86 and ARM, this doesn't affect performance
significantly.  Responsiveness is potentially a concern, but interrupts
are only disabled for a single AES block.

Note that even after this change, the implementation still isn't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software.  But it's valuable to make such attacks more difficult.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by...
99eed8a2
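The pattern the commit describes, as an added user-space model (this is not the kernel's aes_ti.c and not Eric Biggers' code): the whole 256-byte S-box is pulled into cache with data-independent reads, and those reads plus every secret-dependent lookup for one block happen inside a single critical section, so no interrupt can land between the cache warm-up and the lookups. The S-box is generated from the GF(2^8) inverse and affine map rather than copied from the kernel table. Assumptions: a 64-byte cache line, and that `crit_enter`/`crit_exit` stand in for `local_irq_save`/`local_irq_restore`, which only exist in kernel context; here they are no-ops so the file runs in user space.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CACHELINE 64   /* assumed L1 line size: the 256-byte S-box spans 4 lines */

static uint8_t sbox[256];

/* GF(2^8) multiply with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1)
            p ^= a;
        uint8_t carry = a & 0x80;
        a <<= 1;
        if (carry)
            a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse as a^254 (0 maps to 0); init-time only, not fixed-time */
static uint8_t gf_inv(uint8_t a)
{
    uint8_t r = 1;
    for (int i = 0; i < 254; i++)
        r = gf_mul(r, a);
    return r;
}

static uint8_t rotl8(uint8_t x, int n)
{
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* Build the AES S-box: affine transform of the field inverse, plus 0x63 */
void sbox_init(void)
{
    for (int i = 0; i < 256; i++) {
        uint8_t v = gf_inv((uint8_t)i);
        sbox[i] = v ^ rotl8(v, 1) ^ rotl8(v, 2) ^ rotl8(v, 3) ^ rotl8(v, 4) ^ 0x63;
    }
}

/* Critical-section hooks. In the kernel these would be local_irq_save(flags)
 * and local_irq_restore(flags); in this user-space model they are no-ops
 * (assumption: nothing here runs in kernel context). */
typedef unsigned long irqflags_t;
static inline void crit_enter(irqflags_t *flags) { *flags = 0; }
static inline void crit_exit(irqflags_t *flags) { (void)flags; }

/* Touch every cache line of the table with reads whose addresses do not
 * depend on any secret, so the whole S-box sits in L1 before the first
 * data-dependent index is used. volatile keeps the loads from being dropped. */
static uint8_t sbox_prefetch(void)
{
    uint8_t acc = 0;
    for (size_t off = 0; off < sizeof(sbox); off += CACHELINE)
        acc ^= *(volatile const uint8_t *)&sbox[off];
    return acc;
}

/* SubBytes over one 16-byte block. Prefetch and all 16 lookups share one
 * critical section, matching the commit's "interrupts are only disabled for a
 * single AES block". The other AES round steps are omitted here. */
void sub_bytes_fixed_time(uint8_t state[16])
{
    irqflags_t flags;
    crit_enter(&flags);
    (void)sbox_prefetch();
    for (int i = 0; i < 16; i++)
        state[i] = sbox[state[i]];
    crit_exit(&flags);
}

/* Single-byte lookup routed through the block path, for checking results */
uint8_t sbox_lookup(uint8_t x)
{
    uint8_t state[16] = {0};
    state[0] = x;
    sub_bytes_fixed_time(state);
    return state[0];
}

int main(void)
{
    sbox_init();
    /* constructed sample block: plaintext-independent test bytes */
    uint8_t blk[16] = {0x00, 0x01, 0x53, 0xff, 0x10, 0x20, 0x30, 0x40,
                       0x50, 0x60, 0x70, 0x80, 0x90, 0xa0, 0xb0, 0xc0};
    sub_bytes_fixed_time(blk);
    for (int i = 0; i < 16; i++)
        printf("%02x%c", blk[i], i == 15 ? '\n' : ' ');
    return 0;
}
```

Even with the critical section, this is only a mitigation: cache-bank conflicts, hardware prefetchers and SMT siblings sharing L1 can still make lookups time-variant, which is the point of the cited paper.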
Name Last commit Last update
asymmetric_keys Replace magic for trusting the secondary keyring with #define
async_tx async_pq: Remove VLA usage
842.c crypto: acomp - add support for 842 via scomp
Kconfig crypto: aes_ti - disable interrupts while accessing S-box
Makefile crypto: speck - remove Speck
ablkcipher.c crypto: ablkcipher - fix crash flushing dcache in error path
acompress.c crypto: acomp - allow registration of multiple acomps
aead.c crypto: aead - prevent using AEADs without setting key
aegis.h crypto: aegis/generic - fix for big endian systems
aegis128.c crypto: aead - remove useless setting of type flags
aegis128l.c crypto: aead - remove useless setting of type flags
aegis256.c crypto: aead - remove useless setting of type flags
aes_generic.c crypto: aes-generic - drop alignment requirement
aes_ti.c crypto: aes_ti - disable interrupts while accessing S-box
af_alg.c Revert "net: simplify sock_poll_wait"
ahash.c crypto: ahash - Fix early termination in hash walk
akcipher.c crypto: Replaced gcc specific attributes with macros from compiler.h
algapi.c crypto: api - laying defines and checks for statically allocated buffers
algboss.c crypto: algboss - remove redundant setting of len to zero
algif_aead.c Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
algif_hash.c net: remove sock_no_poll
algif_rng.c net: remove sock_no_poll
algif_skcipher.c Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
ansi_cprng.c crypto: ansi_cprng - Convert to new rng interface
anubis.c crypto: prefix module autoloading with "crypto-"
api.c evm: Don't deadlock if a crypto algorithm is unavailable
arc4.c crypto: prefix module autoloading with "crypto-"
authenc.c crypto: authenc - fix parsing key with misaligned rta_len
authencesn.c crypto: authencesn - Avoid twice completion call in decrypt path
blkcipher.c crypto: blkcipher - fix crash flushing dcache in error path
blowfish_common.c crypto: blowfish - split generic and common c code
blowfish_generic.c crypto: add missing crypto module aliases
camellia_generic.c crypto: replace FSF address with web source in license notices
cast5_generic.c crypto: replace FSF address with web source in license notices
cast6_generic.c crypto: replace FSF address with web source in license notices
cast_common.c crypto: make tables used from assembler __visible
cbc.c crypto: do not free algorithm before using
ccm.c crypto: ccm - preserve the IV buffer
cfb.c crypto: cfb - fix decryption
chacha20_generic.c crypto: chacha20 - Fix keystream alignment for chacha20_block()
chacha20poly1305.c crypto: chacha20poly1305 - validate the digest size
cipher.c crypto: remove several VLAs
cmac.c crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic
compress.c crypto: api - Remove no-op exit_ops code
crc32_generic.c crypto: crc32-generic - remove __crc32_le()
crc32c_generic.c crypto: crc32c-generic - remove cra_alignmask
crct10dif_common.c crypto: crct10dif - Add fallback for broken initrds
crct10dif_generic.c crypto: squash lines for simple wrapper functions
cryptd.c crypto: hash - annotate algorithms taking optional key
crypto_engine.c crypto: engine - Permit to enqueue all async requests
crypto_null.c
crypto_user.c
crypto_wq.c
ctr.c
cts.c
deflate.c
des_generic.c
dh.c
dh_helper.c
drbg.c
ecb.c
ecc.c
ecc.h
ecc_curve_defs.h
ecdh.c
ecdh_helper.c
echainiv.c
fcrypt.c
fips.c
gcm.c
gf128mul.c
ghash-generic.c
hash_info.c
hmac.c
internal.h
jitterentropy-kcapi.c
jitterentropy.c
keywrap.c
khazad.c
kpp.c
lrw.c
lz4.c
lz4hc.c
lzo.c
mcryptd.c
md4.c
md5.c
memneq.c
michael_mic.c
morus1280.c
morus640.c
pcbc.c
pcrypt.c
poly1305_generic.c
proc.c
ripemd.h
rmd128.c
rmd160.c
rmd256.c
rmd320.c