crypto: aes_ti - disable interrupts while accessing S-box
Eric Biggers authored
[ Upstream commit 0a6a40c2 ]

In the "aes-fixed-time" AES implementation, disable interrupts while
accessing the S-box, in order to make cache-timing attacks more
difficult.  Previously it was possible for the CPU to be interrupted
while the S-box was loaded into L1 cache, potentially evicting the
cachelines and causing later table lookups to be time-variant.

In tests I did on x86 and ARM, this doesn't affect performance
significantly.  Responsiveness is potentially a concern, but interrupts
are only disabled for a single AES block.

Note that even after this change, the implementation still isn't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software.  But it's valuable to make such attacks more difficult.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by...
99eed8a2
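The pattern the commit message describes, as an added user-space illustration that is not the kernel's aes_ti.c: pull every cache line of the lookup table into L1 with data-independent loads, then do the data-dependent lookups for one block while interrupts are masked, so nothing can run in between and evict the table. The table here is a constructed byte permutation standing in for the AES S-box, the IRQ_OFF/IRQ_ON macros are no-op stand-ins for local_irq_save()/local_irq_restore() (which only exist in the kernel), the 64-byte line size is an assumption, and warming the table through volatile loads is this example's own simplification rather than the kernel's technique.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE 256
#define CACHE_LINE 64   /* assumed L1 line size; decides how many lines get touched */

/*
 * Stand-ins for the kernel's local_irq_save()/local_irq_restore().  In this
 * user-space demo they are no-ops; in the kernel they would mask interrupts
 * so that nothing runs between warming the table and the lookups below.
 */
#define IRQ_OFF(flags) ((void)(flags))
#define IRQ_ON(flags)  ((void)(flags))

/* Constructed byte permutation standing in for the AES S-box: 5 is odd, so
 * x -> 5*x + 0x63 (mod 256) is a bijection on bytes.  64-byte alignment keeps
 * the 256-byte table on exactly four cache lines. */
static uint8_t demo_sbox[TABLE_SIZE] __attribute__((aligned(CACHE_LINE)));
static int demo_sbox_ready;

static void demo_sbox_init(void)
{
    if (demo_sbox_ready)
        return;
    for (int i = 0; i < TABLE_SIZE; i++)
        demo_sbox[i] = (uint8_t)(5 * i + 0x63);
    demo_sbox_ready = 1;
}

/* Touch one byte in every cache line of the table through a volatile pointer,
 * so the compiler cannot drop the loads.  Afterwards the whole table is in L1
 * regardless of which entries the following lookups will hit. */
static void warm_table(const uint8_t *table)
{
    const volatile uint8_t *vt = table;
    uint8_t sink = 0;

    for (size_t off = 0; off < TABLE_SIZE; off += CACHE_LINE)
        sink ^= vt[off];
    (void)sink;
}

/* Substitute all 16 bytes of one block.  Interrupts are held off from the
 * warm-up through the last lookup, so an interrupt handler cannot evict the
 * table in between and make lookup latency depend on the input bytes. */
void demo_substitute_block(uint8_t out[16], const uint8_t in[16])
{
    unsigned long flags = 0;

    demo_sbox_init();
    IRQ_OFF(flags);
    warm_table(demo_sbox);
    for (int i = 0; i < 16; i++)
        out[i] = demo_sbox[in[i]];
    IRQ_ON(flags);
}

/* Single-entry lookup, used to check results. */
uint8_t demo_sbox_value(uint8_t x)
{
    demo_sbox_init();
    return demo_sbox[x];
}

/* Returns 1 if the table is a permutation of 0..255 (every output hit once). */
int demo_sbox_is_bijection(void)
{
    uint8_t seen[TABLE_SIZE] = {0};

    demo_sbox_init();
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (seen[demo_sbox[i]])
            return 0;
        seen[demo_sbox[i]] = 1;
    }
    return 1;
}

int main(void)
{
    uint8_t in[16], out[16];

    for (int i = 0; i < 16; i++)        /* constructed sample block */
        in[i] = (uint8_t)(i * 17);
    demo_substitute_block(out, in);
    printf("bijection: %d\n", demo_sbox_is_bijection());
    for (int i = 0; i < 16; i++)
        printf("%02x -> %02x\n", in[i], out[i]);
    return 0;
}
```

Note that warming the table does not by itself make the lookups constant-time: the commit message's point is that the warm state must survive until the last lookup, which is what masking interrupts for the duration of one block protects, and even then the caveats in the cited paper (other cores, prefetchers, eviction by the code's own data) still apply.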
Name Last commit Last update
asymmetric_keys Replace magic for trusting the secondary keyring with #define
async_tx async_pq: Remove VLA usage
842.c crypto: acomp - add support for 842 via scomp
Kconfig crypto: aes_ti - disable interrupts while accessing S-box
Makefile crypto: speck - remove Speck
ablkcipher.c crypto: ablkcipher - fix crash flushing dcache in error path
acompress.c crypto: acomp - allow registration of multiple acomps
aead.c crypto: aead - prevent using AEADs without setting key
aegis.h crypto: aegis/generic - fix for big endian systems
aegis128.c crypto: aead - remove useless setting of type flags
aegis128l.c crypto: aead - remove useless setting of type flags
aegis256.c crypto: aead - remove useless setting of type flags
aes_generic.c crypto: aes-generic - drop alignment requirement
aes_ti.c crypto: aes_ti - disable interrupts while accessing S-box
af_alg.c Revert "net: simplify sock_poll_wait"
ahash.c crypto: ahash - Fix early termination in hash walk
akcipher.c crypto: Replaced gcc specific attributes with macros from compiler.h
algapi.c crypto: api - laying defines and checks for statically allocated buffers
algboss.c crypto: algboss - remove redundant setting of len to zero
algif_aead.c Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
algif_hash.c net: remove sock_no_poll
algif_rng.c net: remove sock_no_poll
algif_skcipher.c Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
ansi_cprng.c crypto: ansi_cprng - Convert to new rng interface
anubis.c crypto: prefix module autoloading with "crypto-"
api.c evm: Don't deadlock if a crypto algorithm is unavailable
arc4.c crypto: prefix module autoloading with "crypto-"
authenc.c crypto: authenc - fix parsing key with misaligned rta_len
authencesn.c crypto: authencesn - Avoid twice completion call in decrypt path
blkcipher.c crypto: blkcipher - fix crash flushing dcache in error path
blowfish_common.c crypto: blowfish - split generic and common c code
blowfish_generic.c crypto: add missing crypto module aliases
camellia_generic.c crypto: replace FSF address with web source in license notices
cast5_generic.c crypto: replace FSF address with web source in license notices
cast6_generic.c crypto: replace FSF address with web source in license notices
cast_common.c crypto: make tables used from assembler __visible
cbc.c crypto: do not free algorithm before using
ccm.c crypto: ccm - preserve the IV buffer
cfb.c crypto: cfb - fix decryption
chacha20_generic.c crypto: chacha20 - Fix keystream alignment for chacha20_block()
chacha20poly1305.c crypto: chacha20poly1305 - validate the digest size
cipher.c crypto: remove several VLAs
cmac.c crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic
compress.c crypto: api - Remove no-op exit_ops code
crc32_generic.c crypto: crc32-generic - remove __crc32_le()
crc32c_generic.c crypto: crc32c-generic - remove cra_alignmask
crct10dif_common.c crypto: crct10dif - Add fallback for broken initrds
crct10dif_generic.c crypto: squash lines for simple wrapper functions
cryptd.c crypto: hash - annotate algorithms taking optional key
crypto_engine.c crypto: engine - Permit to enqueue all async requests
crypto_null.c crypto: shash - remove useless setting of type flags
crypto_user.c crypto: user - fix leaking uninitialized memory to userspace
crypto_wq.c crypto: crypto_wq - Fix late crypto work queue initialization
ctr.c crypto: remove several VLAs
cts.c crypto: remove several VLAs
deflate.c crypto: scomp - add support for deflate rfc1950 (zlib)
des_generic.c crypto: add missing crypto module aliases
dh.c crypto: dh - fix memory leak
dh_helper.c crypto: dh - make crypto_dh_encode_key() make robust
drbg.c crypto: drbg - in-place cipher operation for CTR
ecb.c crypto: include crypto- module prefix in template
ecc.c crypto: ecc - regularize scalar for scalar multiplication
ecc.h crypto: ecc - Actually remove stack VLA usage
ecc_curve_defs.h crypto: ecdh - fix typo of P-192 b value
ecdh.c crypto: ecc - Actually remove stack VLA usage
ecdh_helper.c crypto: ecdh - return unsigned value for crypto_ecdh_key_len()
echainiv.c crypto: echainiv - Remove unused alg/spawn variable
fcrypt.c crypto: prefix module autoloading with "crypto-"
fips.c crypto: fips - Move fips_enabled sysctl into fips.c
gcm.c crypto: null - Get rid of crypto_{get,put}_default_null_skcipher2()
gf128mul.c crypto: gf128mul - remove incorrect comment
ghash-generic.c crypto: shash - remove useless setting of type flags
hash_info.c keys, trusted: select hash algorithm for TPM2 chips
hmac.c crypto: hmac - require that the underlying hash algorithm is unkeyed
internal.h crypto: api - Make crypto_alg_lookup static
jitterentropy-kcapi.c
jitterentropy.c
keywrap.c
khazad.c
kpp.c
lrw.c
lz4.c
lz4hc.c
lzo.c
mcryptd.c
md4.c
md5.c
memneq.c
michael_mic.c
morus1280.c
morus640.c
pcbc.c
pcrypt.c
poly1305_generic.c
proc.c
ripemd.h
rmd128.c
rmd160.c
rmd256.c
rmd320.c