Commit 985e4c41 authored by Andy Polyakov's avatar Andy Polyakov
Browse files

Mitigate the hazard of cache-collision timing attack on last round. The 

only chance for T[ed]4 to get evicted in this module is when its cache
"overlaps" with last 128 bits of key schedule.
parent 9598fa87

crypto/aes/asm/aes-sparcv9.pl

+22 −3
Original line number Diff line number Diff line
@@ -6,7 +6,7 @@ 
# forms are granted according to the OpenSSL license.

# ====================================================================

#

# Version 1.0

# Version 1.1

#

# The major reason for undertaken effort was to mitigate the hazard of

# cache-timing attack. This is [currently and initially!] addressed in
@@ -16,6 +16,9 @@ 
# is an initial draft and one should expect more countermeasures to

# be implemented...

#

# Version 1.1 prefetches T[ed]4 in order to mitigate attack on last

# round.

#

# Even though performance was not the primary goal [on the contrary,

# extra shifts "induced" by compressed S-box and longer loop epilogue

# "induced" by scheduling for L2 have negative effect on performance],
@@ -78,7 +81,7 @@ ___ 
$code.=<<___;

.section	".text",#alloc,#execinstr



.align	64

.align	256

AES_Te:

___

&_data_word(
@@ -364,20 +367,28 @@ _sparcv9_AES_encrypt: 
	ld	[$key+28],$t3			!

		srlx	$acc9,8,$acc9

		xor	$acc5,$s1,$s1

	ldx	[$tbl+2048+0],%g0		! prefetch te4

		srlx	$acc10,16,$acc10

		xor	$acc6,$s1,$s1

	ldx	[$tbl+2048+32],%g0		! prefetch te4

		srlx	$acc11,24,$acc11

		xor	$acc7,$s1,$s1

	ldx	[$tbl+2048+64],%g0		! prefetch te4

		srlx	$acc13,8,$acc13

		xor	$acc8,$s2,$s2

	ldx	[$tbl+2048+96],%g0		! prefetch te4

		srlx	$acc14,16,$acc14	!

		xor	$acc9,$s2,$s2

	ldx	[$tbl+2048+128],%g0		! prefetch te4

		srlx	$acc15,24,$acc15

		xor	$acc10,$s2,$s2

	ldx	[$tbl+2048+160],%g0		! prefetch te4

	srl	$s0,21,$acc0

		xor	$acc11,$s2,$s2

	ldx	[$tbl+2048+192],%g0		! prefetch te4

		xor	$acc12,$acc14,$acc14

		xor	$acc13,$s3,$s3

	ldx	[$tbl+2048+224],%g0		! prefetch te4

	srl	$s1,13,$acc1			!

		xor	$acc14,$s3,$s3

		xor	$acc15,$s3,$s3
@@ -616,7 +627,7 @@ AES_encrypt: 
___



$code.=<<___;

.align	64

.align	256

AES_Td:

___

&_data_word(
@@ -902,20 +913,28 @@ _sparcv9_AES_decrypt: 
	ld	[$key+28],$t3			!

		srlx	$acc9,8,$acc9

		xor	$acc5,$s1,$s1

	ldx	[$tbl+2048+0],%g0		! prefetch td4

		srlx	$acc10,16,$acc10

		xor	$acc6,$s1,$s1

	ldx	[$tbl+2048+32],%g0		! prefetch td4

		srlx	$acc11,24,$acc11

		xor	$acc7,$s1,$s1

	ldx	[$tbl+2048+64],%g0		! prefetch td4

		srlx	$acc13,8,$acc13

		xor	$acc8,$s2,$s2

	ldx	[$tbl+2048+96],%g0		! prefetch td4

		srlx	$acc14,16,$acc14	!

		xor	$acc9,$s2,$s2

	ldx	[$tbl+2048+128],%g0		! prefetch td4

		srlx	$acc15,24,$acc15

		xor	$acc10,$s2,$s2

	ldx	[$tbl+2048+160],%g0		! prefetch td4

	srl	$s0,21,$acc0

		xor	$acc11,$s2,$s2

	ldx	[$tbl+2048+192],%g0		! prefetch td4

		xor	$acc12,$acc14,$acc14

		xor	$acc13,$s3,$s3

	ldx	[$tbl+2048+224],%g0		! prefetch td4

	and	$acc0,2040,$acc0		!

		xor	$acc14,$s3,$s3

		xor	$acc15,$s3,$s3