dm-integrity: fix non-constant-time tag verification - Linux

diff options

author	Jo Van Bulck <jo.vanbulck@kuleuven.be>	2025-03-28 16:04:47 +0100
committer	Mikulas Patocka <mpatocka@redhat.com>	2025-03-28 18:25:42 +0100
commit	8bde1033f9cfc1c08628255cc434c6cf39c9d9ba (patch)
tree	5d7ec614255dec32435b1762f59f4aaa91e014f4 /lib/crypto/mpi/mpiutil.c
parent	5c5d0d7050286e14a6ca18b8d77fc7a34f701206 (diff)
download	linux-8bde1033f9cfc1c08628255cc434c6cf39c9d9ba.tar.gz linux-8bde1033f9cfc1c08628255cc434c6cf39c9d9ba.tar.bz2 linux-8bde1033f9cfc1c08628255cc434c6cf39c9d9ba.zip

dm-integrity: fix non-constant-time tag verification

When using dm-integrity in standalone mode with a keyed hmac algorithm, integrity tags are calculated and verified internally. Using plain memcmp to compare the stored and computed tags may leak the position of the first byte mismatch through side-channel analysis, allowing to brute-force expected tags in linear time (e.g., by counting single-stepping interrupts in confidential virtual machine environments). Co-developed-by: Luca Wilke <work@luca-wilke.com> Signed-off-by: Luca Wilke <work@luca-wilke.com> Signed-off-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be> Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Cc: stable@vger.kernel.org

Diffstat (limited to 'lib/crypto/mpi/mpiutil.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: