NetBSD Problem Report #57427
From www@netbsd.org Mon May 22 14:19:34 2023
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 48FE51A923A
for <gnats-bugs@gnats.NetBSD.org>; Mon, 22 May 2023 14:19:34 +0000 (UTC)
Message-Id: <20230522141903.0AFD91A9241@mollari.NetBSD.org>
Date: Mon, 22 May 2023 14:19:03 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: mvxpsec(4) is vulnerable to cache-timing attacks on table-based AES key schedule
X-Send-Pr-Version: www-1.0
>Number: 57427
>Category: kern
>Synopsis: mvxpsec(4) is vulnerable to cache-timing attacks on table-based AES key schedule
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon May 22 14:20:01 +0000 2023
>Originator: Taylor R Campbell
>Release: current
>Organization:
The NetAES Foundatoin
>Environment:
>Description:
The mv_aes_enckey and mv_aes_deckey functions compute the AES key schedule using a table-driven S-box computation, which is vulnerable to cache-timing side channel attacks.
These functions should be changed to call br_aes_ct_keysched_stdenc and br_aes_ct_keysched_stddec instead.
This requires testing to verify that mv_aes_enckey/deckey are actually computing the standard AES key schedule; if they actually do a variant key schedule, well, someone has to write some bitsliced or vector-permuted code or something to compute the variant.
>How-To-Repeat:
code inspection
>Fix:
Yes, please!
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2023
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.