crypto/aes.c (used for emulating aes instructions) has a timing side-channel
Host environment
- Operating system: any
- OS/kernel version: any
- Architecture: any
- QEMU flavor: any
- QEMU version: a9cd5bc6
- QEMU command line: n/a
Emulated/Virtualized environment
- Operating system: n/a
- OS/kernel version: n/a
- Architecture: x86 or arm, maybe more...
Description of problem
much of the code in crypto/aes.c accesses memory arrays where the array index is based on the secret data being encrypted/decrypted. because of cpu caches and other things that can delay memory accesses based on their address, this is a timing side-channel, potentially allowing leaking secrets over a network based on timing how long cryptography operations take.
compare to openssl which uses an algorithm where its execution time doesn't depend on the data being processed: https://github.com/openssl/openssl/commit/0051746e03c65f5970d8ca424579d50f58a877e0
I initially reported this as a security issue, but was told that since it's only used by TCG, it isn't a security issue, since TCG isn't considered secure.