From: Peter Zijlstra <peterz@infradead.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: x86@kernel.org, linux-arm-kernel@lists.infradead.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
Adam Langley <agl@google.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Ard Biesheuvel <ardb@kernel.org>
Subject: Re: Should Linux set the new constant-time mode CPU flags?
Date: Fri, 26 Aug 2022 09:23:33 +0200 [thread overview]
Message-ID: <Ywh09ZXBZFA3R0W6@worktop.programming.kicks-ass.net> (raw)
In-Reply-To: <YwgCrqutxmX0W72r@gmail.com>
On Thu, Aug 25, 2022 at 11:15:58PM +0000, Eric Biggers wrote:
> Hi,
>
> Intel and ARM recently published documentation that says that no instructions
> are guaranteed to be constant-time with respect to their data operands, unless a
> "data independent timing" flag in the IA32_UARCH_MISC_CTL register (Intel) or
> DIT register (arm64) is set:
>
> * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html
> * https://developer.arm.com/documentation/ddi0595/2021-06/AArch64-Registers/DIT--Data-Independent-Timing
>
> This is a major problem for crypto code, which needs to be constant-time,
> especially with respect to keys. And since this is a CPU issue, it affects all
> code running on the CPU. While neither company is treating this as a security
> disclosure, to me this looks exactly like a CPU vulnerability.
>
> For Intel, given that the mitigation is to set an MSR flag, it seems that the
> kernel will need to do that -- similar to the MSR flags that enable mitigations
> for speculative execution vulnerabilities.
>
> For arm64, it's not clear to me whether the DIT flag is privileged or not. If
> privileged, I expect it would need to be set by the kernel just like the Intel
> flag. If unprivileged, I expect there will still be work to do in the kernel,
> as the flag will need to be set when running any crypto code in the kernel.
>
> I'm wondering if people are aware of this issue, and whether anyone has any
> thoughts on whether/where the kernel should be setting these new CPU flags.
> There don't appear to have been any prior discussions about this. (Thanks to
> Adam Langley, who maintains BoringSSL, for bringing this to my attention.)
Whichever way around I think you want OS support to make it a per-task
property instead of a per CPU one.
Also, *sigh* yet another MSR to touch :/
next prev parent reply other threads:[~2022-08-26 7:23 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-25 23:15 Should Linux set the new constant-time mode CPU flags? Eric Biggers
2022-08-26 7:23 ` Peter Zijlstra [this message]
2022-08-26 8:45 ` Arnd Bergmann
2022-09-15 17:18 ` Catalin Marinas
2022-08-26 15:40 ` Jeffrey Walton
2022-08-29 16:39 ` Jason A. Donenfeld
2022-08-29 18:08 ` Eric Biggers
2022-08-29 19:09 ` Jason A. Donenfeld
2022-08-29 19:05 ` Jason A. Donenfeld
2022-08-30 14:25 ` Dave Hansen
2022-09-01 11:00 ` Peter Zijlstra
2022-10-25 5:06 ` Eric Biggers
2022-09-15 17:52 ` Catalin Marinas
2022-10-26 17:01 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Ywh09ZXBZFA3R0W6@worktop.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=Jason@zx2c4.com \
--cc=agl@google.com \
--cc=ardb@kernel.org \
--cc=ebiggers@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).