summaryrefslogtreecommitdiffstats
path: root/lib/crypto
diff options
context:
space:
mode:
authorArd Biesheuvel <ard.biesheuvel@linaro.org>2019-07-02 21:41:21 +0200
committerHerbert Xu <herbert@gondor.apana.org.au>2019-07-26 06:52:04 +0200
commitb158fcbba857c71ffb05ab254aff3b32b5e3cfc3 (patch)
treefea1d1c172b2c41018f1ec8dee23b9da3352c984 /lib/crypto
parentcrypto: aes - rename local routines to prevent future clashes (diff)
downloadlinux-b158fcbba857c71ffb05ab254aff3b32b5e3cfc3.tar.xz
linux-b158fcbba857c71ffb05ab254aff3b32b5e3cfc3.zip
crypto: aes/fixed-time - align key schedule with other implementations
The fixed time AES code mangles the key schedule so that xoring the first round key with values at fixed offsets across the Sbox produces the correct value. This primes the D-cache with the entire Sbox before any data dependent lookups are done, making it more difficult to infer key bits from timing variances when the plaintext is known. The downside of this approach is that it renders the key schedule incompatible with other implementations of AES in the kernel, which makes it cumbersome to use this implementation as a fallback for SIMD based AES in contexts where this is not allowed. So let's tweak the fixed Sbox indexes so that they add up to zero under the xor operation. While at it, increase the granularity to 16 bytes so we cover the entire Sbox even on systems with 16 byte cachelines. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'lib/crypto')
0 files changed, 0 insertions, 0 deletions