crypto: arm/aes - add some hardening against cache-timing attacks
authorEric Biggers <ebiggers@google.com>
Thu, 18 Oct 2018 04:37:59 +0000 (21:37 -0700)
committerHerbert Xu <herbert@gondor.apana.org.au>
Fri, 9 Nov 2018 09:36:48 +0000 (17:36 +0800)
commit913a3aa07d16e5b302f408d497a4b829910de247
tree88e4aadf88930378116f3dd311f076fb6a78276d
parent0a6a40c2a8c184a2fb467efacfb1cd338d719e0b
crypto: arm/aes - add some hardening against cache-timing attacks

Make the ARM scalar AES implementation closer to constant-time by
disabling interrupts and prefetching the tables into L1 cache.  This is
feasible because due to ARM's "free" rotations, the main tables are only
1024 bytes instead of the usual 4096 used by most AES implementations.

On ARM Cortex-A7, the speed loss is only about 5%.  The resulting code
is still over twice as fast as aes_ti.c.  Responsiveness is potentially
a concern, but interrupts are only disabled for a single AES block.

Note that even after these changes, the implementation still isn't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software.  But it's valuable to make such attacks more difficult.

Much of this patch is based on patches suggested by Ard Biesheuvel.

Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
arch/arm/crypto/Kconfig
arch/arm/crypto/aes-cipher-core.S
crypto/aes_generic.c