Re: [RFC/RFT PATCH] crypto: aes/generic - use unaligned loads to eliminate 50% of lookup tables


On Wed, 3 Jul 2019 at 15:25, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote:
> >
> > +config CRYPTO_AES_REDUCED_TABLES
> > +       bool "Use reduced AES table set"
> > +       depends on CRYPTO_AES && HAVE_EFFICIENT_UNALIGNED_ACCESS
> > +       default y
> > +       help
> > +         Use a set of AES lookup tables that is only half the size, but
> > +         uses unaligned accesses to fetch the data. Given that the D-cache
> > +         pressure of table based AES induces timing variances that can
> > +         sometimes be exploited to infer key bits when the plaintext is
> > +         known, this should typically be left enabled.
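Review bot: Exposing this as a user-visible bool with `default y` sits oddly with the help text, which says the option "should typically be left enabled" and whose only real prerequisite is `HAVE_EFFICIENT_UNALIGNED_ACCESS`; keying the table choice directly on that symbol in the code, or making this a non-prompting symbol, would avoid offering a knob that switches off the smaller-footprint variant. The help text also only describes the upside of the reduced table set; it should say what the full-size tables cost (a larger D-cache footprint, per its own argument) so a reader who does disable it understands the trade-off.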
>
> I don't think this option should exist at all, and certainly
> not as a user-visible option.
>

OK, so perhaps we should just use HAVE_EFFICIENT_UNALIGNED_ACCESS in
the code to make the distinction. But I'd like to gain an
understanding of how this affects performance on various
(micro)architectures first. I'll park this until after the summer,
since I won't have time to spend on this myself anyway, and hopefully,
some interested parties will have provided some data points by then.
