[v3,0/2] crypto: some hardening against AES cache-timing attacks

Message ID	20181018043759.7669-1-ebiggers@kernel.org (mailing list archive)
Headers	show Return-Path: <linux-crypto-owner@kernel.org> From: Eric Biggers <ebiggers@kernel.org> To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>, Paul Crowley <paulcrowley@google.com> Subject: [PATCH v3 0/2] crypto: some hardening against AES cache-timing attacks Date: Wed, 17 Oct 2018 21:37:57 -0700 Message-Id: <20181018043759.7669-1-ebiggers@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk
Series	crypto: some hardening against AES cache-timing attacks \| expand [v3,0/2] crypto: some hardening against AES cache-timing attacks [v3,1/2] crypto: aes_ti - disable interrupts while accessing S-box [v3,2/2] crypto: arm/aes - add some hardening against cache-timing attacks

Message ID

20181018043759.7669-1-ebiggers@kernel.org (mailing list archive)

Headers

From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org,
        Herbert Xu <herbert@gondor.apana.org.au>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Paul Crowley <paulcrowley@google.com>
Subject: [PATCH v3 0/2] crypto: some hardening against AES cache-timing
 attacks
Date: Wed, 17 Oct 2018 21:37:57 -0700
Message-Id: <20181018043759.7669-1-ebiggers@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk

Series

crypto: some hardening against AES cache-timing attacks | expand

Message

Eric Biggers Oct. 18, 2018, 4:37 a.m. UTC

This series makes the "aes-fixed-time" and "aes-arm" implementations of
AES more resistant to cache-timing attacks.

Note that even after these changes, the implementations still aren't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software.  But it's valuable to make such attacks more difficult.

Changed since v2:
- In aes-arm, move the IRQ disable/enable into the assembly file.
- Other aes-arm tweaks.
- Add Kconfig help text.

Thanks to Ard Biesheuvel for the suggestions.

Eric Biggers (2):
  crypto: aes_ti - disable interrupts while accessing S-box
  crypto: arm/aes - add some hardening against cache-timing attacks

 arch/arm/crypto/Kconfig           |  9 +++++
 arch/arm/crypto/aes-cipher-core.S | 62 ++++++++++++++++++++++++++-----
 crypto/Kconfig                    |  3 +-
 crypto/aes_generic.c              |  9 +++--
 crypto/aes_ti.c                   | 18 +++++++++
 5 files changed, 86 insertions(+), 15 deletions(-)

Comments

Herbert Xu Nov. 9, 2018, 9:49 a.m. UTC | #1

On Wed, Oct 17, 2018 at 09:37:57PM -0700, Eric Biggers wrote:
> This series makes the "aes-fixed-time" and "aes-arm" implementations of
> AES more resistant to cache-timing attacks.
> 
> Note that even after these changes, the implementations still aren't
> necessarily guaranteed to be constant-time; see
> https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
> of the many difficulties involved in writing truly constant-time AES
> software.  But it's valuable to make such attacks more difficult.
> 
> Changed since v2:
> - In aes-arm, move the IRQ disable/enable into the assembly file.
> - Other aes-arm tweaks.
> - Add Kconfig help text.
> 
> Thanks to Ard Biesheuvel for the suggestions.
> 
> Eric Biggers (2):
>   crypto: aes_ti - disable interrupts while accessing S-box
>   crypto: arm/aes - add some hardening against cache-timing attacks
> 
>  arch/arm/crypto/Kconfig           |  9 +++++
>  arch/arm/crypto/aes-cipher-core.S | 62 ++++++++++++++++++++++++++-----
>  crypto/Kconfig                    |  3 +-
>  crypto/aes_generic.c              |  9 +++--
>  crypto/aes_ti.c                   | 18 +++++++++
>  5 files changed, 86 insertions(+), 15 deletions(-)

All applied.  Thanks.