On 05/04/16 21:03, Jeffrey Walton wrote:
> On Wed, May 4, 2016 at 11:50 PM, Theodore Ts'o <tytso@xxxxxxx> wrote:
>> ...
>> But instead of arguing over what works and doesn't, let's just create
>> the test set and just try it on a wide range of compilers and
>> architectures, hmmm?
>
> What are the requirements? Here's a short list:
>
>  * No undefined behavior
>    - important because the compiler writers use the C standard
>  * Compiles to native "rotate IMMEDIATE" if the rotate amount is a
>    "constant expression" and the machine provides it
>    - translates to a native rotate instruction if available
>    - "rotate IMM" can be 3 times faster than "rotate REG"
>    - do any architectures *not* provide a rotate?
>  * Compiles to native "rotate REGISTER" if the rotate is variable and
>    the machine provides it
>    - do any architectures *not* provide a rotate?
>  * Constant time
>    - important to high-integrity code
>    - Non-security code paths probably don't care
>
> Maybe the first thing to do is provide different rotates for the
> constant-time requirement when it's in effect?

The disagreement here is the priority between these points. In my very
strong opinion, "no undefined behavior" per the C standard is way less
important than the others; what matters is what gcc and the other
compilers we care about do. The kernel relies on various versions of
C-standard-undefined behavior *all over the place*; for one thing
sizeof(void *) == sizeof(size_t) == sizeof(unsigned long)!! but they are
well-defined in the subcontext we care about.
(And no, not all architectures provide a rotate instruction.)
-hpa
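
The "no undefined behavior" requirement from the list above, as an added example that is not code from this thread or from the kernel: a 32-bit rotate whose shift counts never reach the type width, next to the common form that shifts by 32 when the count is 0. All function names are hypothetical; whether either form compiles to a native rotate depends on the compiler and target and has to be checked in the generated assembly, which is the test the thread proposes.

```c
#include <stdint.h>

/* Both shift counts stay in [0, 31] for every n, so no shift by the
 * full type width (undefined in C) can occur. -n is unsigned negation. */
static inline uint32_t rol32_masked(uint32_t x, unsigned int n)
{
    n &= 31;
    return (x << n) | (x >> (-n & 31));
}

static inline uint32_t ror32_masked(uint32_t x, unsigned int n)
{
    n &= 31;
    return (x >> n) | (x << (-n & 31));
}

/* Common form, shown for comparison: with n == 0 the right shift is by
 * 32, which is undefined. Only valid for n in 1..31. */
static inline uint32_t rol32_naive(uint32_t x, unsigned int n)
{
    return (x << n) | (x >> (32 - n));
}

/* Reference rotate, one bit per step, using only shifts by 1 and 31. */
static uint32_t rol32_ref(uint32_t x, unsigned int n)
{
    for (n &= 31; n; n--)
        x = (x << 1) | (x >> 31);
    return x;
}

/* Compare the forms over constructed sample values and counts 0..63.
 * Returns the number of mismatches (0 means all agree). */
static unsigned int rotate_selftest(void)
{
    static const uint32_t samples[] = {
        0u, 1u, 0x80000000u, 0xdeadbeefu, 0xffffffffu
    };
    unsigned int bad = 0, i, n;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        for (n = 0; n < 64; n++) {
            uint32_t want = rol32_ref(samples[i], n);
            bad += rol32_masked(samples[i], n) != want;
            bad += ror32_masked(want, n) != samples[i];
            if (n & 31)   /* never call the naive form with count 0 */
                bad += rol32_naive(samples[i], n & 31) != want;
        }
    }
    return bad;
}

int main(void) { return rotate_selftest() != 0; }
```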