[Bug 269219] cryptographic operations are not constant time anymore for armv8.4+ and amd64/icelake
Date: Sun, 29 Jan 2023 07:15:20 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269219

--- Comment #1 from Michael Paepcke <bugs.fbsd@paepcke.de> ---

Hi,

not sure where to track this; this might require an architecture decision, not only a simple patch.

Summary: Since the introduction of the armv8.4 ISA (and all following) and the x86/icelake ISA (impacts: skylake, cannonlake, kabylake, ...), many base instructions (used by openssl, openssh, libcrypt, ossl in base/kernel/userland/ports), including AES-NI (WTH?), are not guaranteed constant time anymore.

* https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html
* https://developer.arm.com/documentation/ddi0595/2021-06/AArch64-Registers/DIT--Data-Independent-Timing

It is possible to ensure constant time execution again via setting a CPU specific register. I might be wrong, but as far as I can see, we do not even have the infrastructure yet to address this (here)?

* https://cgit.freebsd.org/src/tree/sys/x86/include/specialreg.h

The Linux team seems to tend to disable these features by default (my personal favorite) as the solution and allow re-enabling them via a build-time optimization switch. (Discussion about runtime sysctl/syscall/procfs still ongoing.)

* https://lore.kernel.org/lkml/YxCQzZqLZ49gLlrH@hirez.programming.kicks-ass.net/

Is someone already working on this? Ideas? Personal preferences?

Thank you!
Michael

--
You are receiving this mail because:
You are the assignee for the bug.
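The "set a CPU specific register" approach the comment refers to, shown for the AArch64 DIT side as an added example that is not part of the bug report or of FreeBSD's code. It assumes a FreeBSD/arm64 user program can query the feature via elf_aux_info(AT_HWCAP) with HWCAP_DIT from <machine/elf.h>, and that the kernel preserves PSTATE.DIT across context switches (the missing infrastructure the comment asks about); on x86 the Intel DOITM control is an MSR, so the example simply reports it as unsupported, and every function and struct name is the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#if defined(__aarch64__) && defined(__FreeBSD__)
#include <sys/auxv.h>     /* elf_aux_info(), AT_HWCAP */
#include <machine/elf.h>  /* HWCAP_DIT: assumed to be defined here */
#endif
#define DIT_BIT (1ULL << 24) /* PSTATE.DIT is bit 24 of the DIT special register */

/* 1 if the kernel advertises FEAT_DIT to user space, else 0 (always 0 on x86). */
int dit_supported(void) {
#if defined(__aarch64__) && defined(__FreeBSD__)
    unsigned long hwcap = 0;
    return elf_aux_info(AT_HWCAP, &hwcap, sizeof hwcap) == 0 && (hwcap & HWCAP_DIT) != 0;
#else
    return 0;
#endif
}
/* Raw DIT access via the encoded name s3_3_c4_c2_5 (no .arch armv8.4 needed).
 * Only use after dit_supported() returned 1: MRS/MSR DIT traps without FEAT_DIT. */
static uint64_t dit_read(void) {
    uint64_t v = 0;
#if defined(__aarch64__)
    __asm__ volatile("mrs %0, s3_3_c4_c2_5" : "=r"(v));
#endif
    return v;
}
static void dit_write(uint64_t v) {
#if defined(__aarch64__)
    __asm__ volatile("msr s3_3_c4_c2_5, %0" : : "r"(v));
#endif
    (void)v;
}
/* Run fn(arg) with DIT set, then restore the caller's DIT state. *active reports
 * whether DIT was really in force for the call. Returns fn's result. */
int run_with_dit(int (*fn)(const void *), const void *arg, int *active) {
    int on = dit_supported();
    uint64_t saved = on ? dit_read() : 0;
    if (on) dit_write(saved | DIT_BIT);
    int r = fn(arg);
    if (on) dit_write(saved);
    if (active) *active = on;
    return r;
}
/* Sample payload: branch-free buffer compare, 1 = equal, 0 = different. */
struct cmp_args { const uint8_t *a, *b; size_t n; };
int ct_equal_cb(const void *p) {
    const struct cmp_args *c = p;
    uint8_t acc = 0;
    for (size_t i = 0; i < c->n; i++) acc |= c->a[i] ^ c->b[i];
    return acc == 0;
}
```

Even with DIT set, the code inside the scope must still be written branch-free on secret data; DIT only makes the listed instructions' latency data-independent, it does not fix secret-dependent control flow or memory access.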