Data-dependent instruction execution time on ARM and Intel CPUs

Eric Biggers, one of the developers of the Adiantum cipher and of the fscrypt subsystem in the Linux kernel, has proposed a patch set that blocks security problems arising from a feature of Intel processors: they do not guarantee that an instruction takes the same time regardless of the data it processes. In Intel processors the problem appears starting with the Ice Lake family. A similar problem is observed in ARM processors.

The author of the patches regards the dependence of instruction timing on the processed data as a vulnerability in the processors, because with this behavior the security of cryptographic operations performed on the system cannot be guaranteed. Many implementations of cryptographic algorithms are designed on the assumption that the data does not affect instruction execution time; violating this assumption can enable side-channel attacks that recover the data by analyzing how long it took to process.

Potentially, data-dependent timing could also be used to mount attacks on the kernel from user space. According to Eric Biggers, constant execution time is not guaranteed by default even for instructions performing addition and XOR, nor for the specialized AES-NI instructions (this information is not confirmed by tests; according to other sources, a one-cycle delay appears when the bits are computed).
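The two paragraphs above describe why constant-time code matters and which assumption it rests on. The following C example, added here and not taken from the article or from the patch set, contrasts an early-exit comparison of a secret tag with a constant-time one. Instead of measuring cycles, it counts loop iterations as a stand-in for execution time, which makes the leak visible offline. The sample tag and the helper names (`SECRET_TAG`, `leaky_equal`, `ct_equal`, `*_steps_for_prefix`) are constructed for this illustration. The point to notice is the comment on `ct_equal`: even this "correct" code is only constant-time if XOR, OR and shift themselves take data-independent time, which is exactly the guarantee the article says is no longer the default and which the DIT/DOITM modes restore.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 8

/* Constructed sample secret for the demo (not real key material). */
static const uint8_t SECRET_TAG[TAG_LEN] = {
    0x2a, 0x9f, 0x11, 0xd3, 0x7c, 0x40, 0xe8, 0x55
};

/* Early-exit comparison. The loop stops at the first mismatch, so the
 * number of iterations (and the time) reveals how many leading bytes of the
 * guess were correct. Kept only to contrast with ct_equal(). */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Constant-time comparison. Always visits all n bytes and folds the
 * differences together with XOR/OR; no data-dependent branch or memory
 * access. Its timing is independent of the data ONLY if XOR, OR, subtract
 * and shift take the same number of cycles for every operand value, which
 * is the hardware property the article says is not guaranteed by default
 * and which the DIT (ARM) / DOITM (Intel) modes reinstate. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    /* Branch-free map: diff == 0 -> 1, any non-zero diff -> 0.
     * (uint32_t)0 - 1 wraps to 0xFFFFFFFF whose top bit is 1;
     * for diff in 1..255, diff - 1 has a clear top bit. */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Build a guess that shares `prefix` leading bytes with SECRET_TAG and is
 * wrong from that byte on (every remaining byte is inverted). */
static void make_guess(uint8_t out[TAG_LEN], size_t prefix)
{
    size_t i;
    for (i = 0; i < TAG_LEN; i++)
        out[i] = (i < prefix) ? SECRET_TAG[i] : (uint8_t)(SECRET_TAG[i] ^ 0xFF);
}

/* Iterations spent by each comparison for a guess with a given correct
 * prefix length; the leaky version scales with the prefix, the constant-time
 * version is always TAG_LEN. */
size_t leaky_steps_for_prefix(size_t prefix)
{
    uint8_t guess[TAG_LEN];
    size_t steps;
    make_guess(guess, prefix);
    leaky_equal(SECRET_TAG, guess, TAG_LEN, &steps);
    return steps;
}

size_t ct_steps_for_prefix(size_t prefix)
{
    uint8_t guess[TAG_LEN];
    size_t steps;
    make_guess(guess, prefix);
    ct_equal(SECRET_TAG, guess, TAG_LEN, &steps);
    return steps;
}

/* Result of the constant-time compare for a guess with the given prefix. */
int ct_result_for_prefix(size_t prefix)
{
    uint8_t guess[TAG_LEN];
    size_t steps;
    make_guess(guess, prefix);
    return ct_equal(SECRET_TAG, guess, TAG_LEN, &steps);
}

int main(void)
{
    size_t p;
    printf("prefix  leaky_steps  ct_steps\n");
    for (p = 0; p <= TAG_LEN; p++)
        printf("%6zu  %11zu  %8zu\n", p,
               leaky_steps_for_prefix(p), ct_steps_for_prefix(p));
    return 0;
}
```

Reading the table, the leaky compare takes one more step for every correct leading byte, so a verifier that accepts or rejects after such a compare turns a brute-force search over the whole tag into a byte-by-byte search. The constant-time compare removes that variation at the algorithm level; the processor modes discussed in the article exist because the instructions it relies on were no longer guaranteed to cooperate.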

To disable this behavior, Intel and ARM have introduced new flags: the PSTATE bit DIT (Data Independent Timing) for ARM CPUs and the MSR bit DOITM (Data Operand Independent Timing Mode) for Intel CPUs, which restore the old behavior with constant execution time. Intel and ARM recommend enabling the protection only where needed, for especially important code, but in practice important computations can be found in any part of the kernel and of user space, so permanently enabling the DOITM and DIT modes for the entire kernel is being considered.

For ARM processors, patches changing the behavior for the kernel have been accepted into the Linux 6.2 kernel branch, but these patches are considered insufficient, since they cover only kernel code and do not change the behavior for user space. For Intel processors, enabling the protection is still at the review stage.