[PATCH 2/3] crypto: X25519 core functions for ppc64le
Andy Polyakov
appro at cryptogams.org
Wed May 15 18:29:56 AEST 2024
Hi,
> +static void cswap(fe51 p, fe51 q, unsigned int bit)
> +{
> + u64 t, i;
> + u64 c = 0 - (u64) bit;
> +
> + for (i = 0; i < 5; ++i) {
> + t = c & (p[i] ^ q[i]);
> + p[i] ^= t;
> + q[i] ^= t;
> + }
> +}
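Review bot: the mask in `u64 c = 0 - (u64) bit;` is all-ones or all-zeros only when `bit` is exactly 0 or 1; any other value (2, say) yields a partial mask and the loop then swaps only some bits of each limb. Either state the 0/1 precondition in a comment above the function or normalise the input with `u64 c = 0 - (u64)(bit & 1);`. The function also carries no comment saying it must stay branch-free, which is worth recording for a constant-time primitive, since nothing in the visible code prevents a compiler from rewriting the XOR-mask pattern as a conditional.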
The "c" in cswap stands for "constant-time," and the problem is that
contemporary compilers have exhibited the ability to produce
non-constant-time machine code as a result of compilation of the above
kind of technique. The outcome is platform-specific and ironically some
PPC code generators were observed to generate "most"
non-constant-time code. "Most" in the sense that execution time variations
would be easiest to catch. One way to work around the problem, at
least for the time being, is to add 'asm volatile("" : "+r"(c))' after
you calculate 'c'. But there is no guarantee that the next compiler
version won't see through it, hence the permanent solution is to do it
in assembly. I can put together something...
Cheers.
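The following is an added example, not code from the patch or from the message above, showing the masked-XOR conditional swap with the empty `asm volatile` barrier the reply suggests as an interim workaround, plus a self-check. Names such as `cswap_ct`, `cswap_selftest` and `raw_mask` are assumed for illustration; the `fe51` typedef (five 64-bit limbs) mirrors the patch's parameter type, and the limb values are constructed. The `bit & 1` normalisation is an addition here, so that an out-of-range `bit` produces no partial swap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t u64;
typedef u64 fe51[5];   /* five limbs, matching the fe51 type used in the patch */

/* Constant-time conditional swap (assumed name cswap_ct).
 * The "& 1" guarantees that c is either all-ones or all-zeros even if a
 * caller passes a value other than 0 or 1. The empty asm statement is the
 * workaround from the reply: it hides the origin of c from the optimiser
 * so it has no basis for rewriting the XOR-mask pattern as a branch.
 * As the reply notes, this is not a guarantee; assembly is the durable fix. */
static void cswap_ct(fe51 p, fe51 q, unsigned int bit)
{
    u64 c = 0 - (u64)(bit & 1);
#if defined(__GNUC__)
    __asm__ __volatile__("" : "+r"(c));
#endif
    for (int i = 0; i < 5; ++i) {
        u64 t = c & (p[i] ^ q[i]);
        p[i] ^= t;
        q[i] ^= t;
    }
}

/* Raw mask as computed in the patch, without normalisation, so the effect
 * of an out-of-range bit can be inspected: 0 - 2 = 0xFFFF...FFFE. */
u64 raw_mask(unsigned int bit)
{
    return 0 - (u64)bit;
}

/* Self-check on constructed limb values. Returns 1 when cswap_ct leaves
 * both operands untouched for bit==0, swaps them for bit==1, and treats
 * bit==2 as "no swap" instead of performing a partial swap. */
int cswap_selftest(void)
{
    const fe51 a0 = {1, 2, 3, 4, 5};                       /* constructed */
    const fe51 b0 = {0x7ffffffffffffULL, 9, 8, 7, 6};      /* constructed */
    fe51 a, b;

    memcpy(a, a0, sizeof a);
    memcpy(b, b0, sizeof b);

    cswap_ct(a, b, 0);                       /* bit 0: no change */
    if (memcmp(a, a0, sizeof a) || memcmp(b, b0, sizeof b))
        return 0;

    cswap_ct(a, b, 1);                       /* bit 1: full swap */
    if (memcmp(a, b0, sizeof a) || memcmp(b, a0, sizeof b))
        return 0;

    cswap_ct(a, b, 2);                       /* out of range: masked to 0 */
    if (memcmp(a, b0, sizeof a) || memcmp(b, a0, sizeof b))
        return 0;

    return 1;
}

int main(void)
{
    int ok = cswap_selftest();
    printf("cswap self-test: %s\n", ok ? "ok" : "FAIL");
    printf("unnormalised mask for bit=2: 0x%016llx\n",
           (unsigned long long)raw_mask(2));
    return ok ? 0 : 1;
}
```

The self-test only checks functional behaviour; it cannot tell whether the compiler emitted a branch. For that, the generated assembly for `cswap_ct` has to be inspected on each target and compiler version, which is exactly why the reply prefers an assembly implementation.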
More information about the Linuxppc-dev mailing list