[PATCH v2] arm64: Enable data independent timing (DIT) in the kernel
Eric Biggers
ebiggers at kernel.org
Mon Nov 7 12:38:42 PST 2022
On Mon, Nov 07, 2022 at 06:24:00PM +0100, Ard Biesheuvel wrote:
[...]
>
> Currently, we have no idea whether or not running privileged code with
> DIT disabled on a CPU that implements support for it may result in a
> side channel that exposes privileged data to unprivileged user space
> processes, so let's be cautious and just enable DIT while running in the
> kernel if supported by all CPUs.
[...]
>
> - tweak the commit log so that it doesn't read as if we are fixing an
> actual vulnerability
I think the above undersells this a bit, as crypto code often relies on
instructions being constant-time to prevent leakage of secrets outside the
system itself. For example, consider WireGuard, which includes network
attackers in its threat model. So it's not just about attacks from userspace
processes on the same system.
The patch itself looks good to me though -- thanks!
- Eric
More information about the linux-arm-kernel
mailing list