Date: Sun, 29 Jan 2023 07:15:20 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 269219] cryptographic operations are not constant time anymore for armv8.4+ and amd64/icelake Message-ID: <bug-269219-227-j3xxWki7mk@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-269219-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | previous in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269219 --- Comment #1 from Michael Paepcke <bugs.fbsd@paepcke.de> --- Hi, not sure where to track this, this might require some architecture decision, not only a simple patch. Summary: Since introduction of the armv8.4 ISA (and all following) and x86/icelake ISA (impacts: skylake,cannonlake,cabbylake, ...) many base instructions (used by openssl,openssh,libcrypt,ossl in base/kernel/userland/ports) including AES-NI (WTH?) are not guaranteed constant time anymore. * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html * https://developer.arm.com/documentation/ddi0595/2021-06/AArch64-Registers/DIT--Data-Independent-Timing It is possible to ensure constant time execution again via setting CPU specific register. I might be wrong but as fare as I can see, we do not even have the infrastructure yet, to address this (here)? * https://cgit.freebsd.org/src/tree/sys/x86/include/specialreg.h The Linux Team seems tend to disable this features by default (my personal favorite) as solution and allow to re-enable it via build-time-optimization switch. (Discussion about runtime sysctl/syscall/procfs still ongoing) * https://lore.kernel.org/lkml/YxCQzZqLZ49gLlrH@hirez.programming.kicks-ass.net/ Is someone already working in this. Ideas? Personal Preferences? Thank you! Michael -- You are receiving this mail because: You are the assignee for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-269219-227-j3xxWki7mk>