Dependence of instruction execution time on data on ARM and Intel CPUs

Eric Biggers, one of the developers of the Adiantum cipher and maintainer of the Linux kernel's fscrypt subsystem, has proposed a set of patches to address security issues arising from a feature of Intel processors that does not guarantee constant instruction execution time across different input data. The issue has been present in Intel processors since the Ice Lake family. A similar issue has also been observed in ARM processors.

The author of the patches regards the dependence of instruction execution time on the data being processed as a processor vulnerability, since such behavior cannot guarantee the security of cryptographic operations performed in the system. Many implementations of cryptographic algorithms rely on the assumption that data does not affect instruction execution time, and violating that assumption can enable side-channel attacks that recover data by analyzing processing time.

Potentially, the dependence of execution time on data can also be used to mount attacks that determine kernel data from user space. According to Eric Biggers, constant execution time is not guaranteed by default even for instructions that perform addition and XOR, or for the specialized AES-NI instructions (this information is not confirmed by tests; according to other reports, there is a one-cycle delay for vector multiplication and bit counting).

To disable this behavior, Intel and ARM have proposed new flags: the DIT (Data Independent Timing) PSTATE bit for ARM CPUs and the DOITM (Data Operand Independent Timing Mode) MSR bit for Intel CPUs, which restore the old behavior with constant execution time. Intel and ARM recommend turning on the protection as needed for critical code, but in practice important computations can occur anywhere in the kernel and user space, so permanently enabling DOITM and DIT modes for the entire kernel is being considered.

For ARM processors, patches that change kernel behavior have already been accepted into the Linux 6.2 kernel branch, but these patches are considered insufficient because they only affect kernel code and do not change user-space behavior. For Intel processors, enabling the protection is currently under review. The performance impact of the patch has not yet been measured, but according to Intel documentation, enabling DOITM mode reduces performance (for example, by disabling certain optimizations, such as data-dependent prefetching), and the performance penalty may increase in future processor models.
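
A check for whether these modes are available and switched on, as an added example that is not from the article or the kernel patches. The MSR addresses and bit positions are taken from Intel's DOITM guidance and the `dit` feature name from the arm64 hwcap list in the kernel documentation, not from this page; the sample cpuinfo text and MSR values are constructed.

```python
import os
import struct

# Constants from Intel's DOITM guidance (assumption: not stated in the article).
MSR_IA32_ARCH_CAPABILITIES = 0x10A
ARCH_CAP_DOITM = 1 << 12          # CPU enumerates support for DOITM
MSR_IA32_UARCH_MISC_CTL = 0x1B01
UARCH_MISC_CTL_DOITM = 1 << 0     # DOITM is currently switched on


def read_msr(cpu, msr):
    """Read a 64-bit MSR via the Linux msr driver (needs root and 'modprobe msr')."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def doitm_status(arch_caps, uarch_misc_ctl):
    """Classify the DOITM state of one CPU from two raw MSR values."""
    if not arch_caps & ARCH_CAP_DOITM:
        return "not-enumerated"   # the mode is not offered by this CPU
    return "enabled" if uarch_misc_ctl & UARCH_MISC_CTL_DOITM else "disabled"


def cpus_without_dit(cpuinfo_text):
    """Return arm64 CPU numbers whose Features line lacks the 'dit' hwcap.

    The hwcap only says the CPU implements DIT; PSTATE.DIT itself is
    per-thread state and is not visible in /proc/cpuinfo.
    """
    missing, cpu = [], None
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "processor":
            cpu = int(value)
        elif key == "Features" and "dit" not in value.split():
            missing.append(cpu)
    return missing


# Constructed sample: a two-core system where CPU 1 does not implement DIT.
SAMPLE_CPUINFO = """\
processor\t: 0
Features\t: fp asimd aes sha2 crc32 atomics dit
processor\t: 1
Features\t: fp asimd aes sha2 crc32 atomics
"""

if __name__ == "__main__":
    print("CPUs without DIT:", cpus_without_dit(SAMPLE_CPUINFO))
    # Constructed MSR values: DOITM enumerated (bit 12) but not switched on.
    print("DOITM:", doitm_status(1 << 12, 0))
```

On a real Intel host, pass `read_msr(n, MSR_IA32_ARCH_CAPABILITIES)` and `read_msr(n, MSR_IA32_UARCH_MISC_CTL)` for each CPU `n`, reading the second MSR only when the first enumerates DOITM.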

Source: opennet.ru
