From: Segher Boessenkool <segher@kernel.crashing.org>
To: Andy Polyakov <appro@cryptogams.org>
Cc: Danny Tsen <dtsen@linux.ibm.com>,
linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au,
dtsen@us.ibm.com, nayna@linux.ibm.com,
linux-kernel@vger.kernel.org, ltcgcw@linux.vnet.ibm.com,
leitao@debian.org, linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH 2/3] crypto: X25519 core functions for ppc64le
Date: Thu, 16 May 2024 14:28:06 -0500 [thread overview]
Message-ID: <20240516192806.GM19790@gate.crashing.org> (raw)
In-Reply-To: <847f2e4f-ace1-415d-b129-ed2751429eec@cryptogams.org>
On Wed, May 15, 2024 at 10:29:56AM +0200, Andy Polyakov wrote:
> >+static void cswap(fe51 p, fe51 q, unsigned int bit)
>
> The "c" in cswap stands for "constant-time," and the problem is that
> contemporary compilers have exhibited the ability to produce
> non-constant-time machine code as result of compilation of the above
> kind of technique.
This can happen with *any* compiler, on *any* platform. In general,
you have to write machine code if you want to be sure what machine code
will eventually be executed.
> The outcome is platform-specific and ironically some
> of PPC code generators were observed to generate "most"
> non-constant-time code. "Most" in sense that execution time variations
> would be most easy to catch. One way to work around the problem, at
> least for the time being, is to add 'asm volatile("" : "+r"(c))' after
> you calculate 'c'. But there is no guarantee that the next compiler
> version won't see through it, hence the permanent solution is to do it
> in assembly. I can put together something...
Such tricks can help ameliorate the problem, sure. But it is not a
solution ever.
Segher
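For reference, the masking form of cswap that the quoted exchange is about, with the `asm volatile("" : "+r"(c))` barrier inserted where the quoted reply suggests. This is an added illustration, not code from the patch under review or from either poster, and the fe51 layout (five 64-bit limbs) is an assumption, since the patch itself is not reproduced on this page.

```c
#include <stdint.h>
#include <string.h>

/* Assumed field-element layout: five 64-bit limbs, as the "fe51" name
 * suggests. The patch's real definition is not shown on this page. */
typedef uint64_t fe51[5];

/* Branch-free conditional swap. The secret-dependent value is the mask
 * (the 'c' of the quoted workaround), and it is passed through an empty
 * asm statement so the optimiser can no longer prove it is 0 or all-ones
 * and rewrite the XOR sequence as a branch or conditional move on the
 * secret bit. Per the reply above, this narrows the problem; it does not
 * guarantee the machine code the compiler finally emits. */
static void cswap(fe51 p, fe51 q, unsigned int bit)
{
    uint64_t mask = 0 - (uint64_t)(bit & 1);   /* 0 or 0xFFFF...FFFF */
    __asm__ __volatile__("" : "+r"(mask));     /* opaque to the optimiser */
    for (int i = 0; i < 5; i++) {
        uint64_t t = mask & (p[i] ^ q[i]);
        p[i] ^= t;
        q[i] ^= t;
    }
}

/* Check helper (hypothetical): swap two constructed sample elements and
 * report 1 if they were exchanged, 0 if left untouched, -1 on corruption. */
int cswap_swapped(unsigned int bit)
{
    fe51 p = {1, 2, 3, 4, 5}, q = {10, 20, 30, 40, 50};  /* constructed */
    fe51 p0, q0;
    memcpy(p0, p, sizeof p);
    memcpy(q0, q, sizeof q);
    cswap(p, q, bit);
    if (memcmp(p, q0, sizeof p) == 0 && memcmp(q, p0, sizeof q) == 0)
        return 1;
    if (memcmp(p, p0, sizeof p) == 0 && memcmp(q, q0, sizeof q) == 0)
        return 0;
    return -1;
}
```

Inspecting the generated assembly (for example with objdump) is still required to confirm no branch on the mask survived, which is exactly the point the reply makes.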