On Wed, May 17, 2017 at 12:42 -0400, Ted Unangst wrote:
> Stefan Sperling wrote:
> > I also have some machines which are affected by this, and I am
> > not sure what to do about it. I cannot judge the advantages of
> > either AES implementation.
> 
> There's very little advantage to a constant time implementation for disk
> encryption. The threat model doesn't really include such side channels.
>

This is simply not true if you have local users on the same box.
http://www.cs.tau.ac.il/~tromer/papers/cache.pdf

> But I don't know how much burden it will be to maintain two implementations,
> with the various defines like CRYPTO_AES_XTS and
> CRYPTO_AES_XTS_FASTER_BUT_MAYBE_A_LITTLE_UNSAFE and deciding where to use
> each.
>

I can switch AES-XTS back to T-tables at any time but there's no way
to distinguish between what implementation to use at a given moment.

> Although, truth be told, XTS is only useful for disk encryption. It shouldn't
> be used for network traffic. So we could just always make software XTS use
> the original rijndael code. But this is mike's fun zone.

Again, if you don't have local users or you trust them to not attack
you, you can use any implementation.
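As an added illustration of the distinction being argued over above (not code from this thread, from OpenBSD, or from the paper linked), the block below builds the AES S-box and looks it up two ways: the table-driven way, where the memory address touched depends on the secret byte (the same pattern the T-table implementations use, just with four 1 KB tables instead of one 256-byte one), and a constant-time way that touches every entry and selects the wanted one with an arithmetic mask, so the access pattern is independent of the data. Function names, the self-test and the lazy table initialisation are this example's own choices; the GF(2^8) arithmetic and the 0x63 affine constant are the ones FIPS-197 defines.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x1b). */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1)
            p ^= a;
        uint8_t hi = a & 0x80;
        a <<= 1;
        if (hi)
            a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse as a^254 (a^255 == 1 for a != 0); maps 0 to 0 as AES requires. */
static uint8_t gf_inv(uint8_t a)
{
    uint8_t r = 1;
    for (int i = 0; i < 254; i++)
        r = gf_mul(r, a);
    return r;
}

static uint8_t aes_sbox[256];
static int sbox_ready = 0;

/* S-box = affine transform of the field inverse: b ^ rotl(b,1..4) ^ 0x63. */
static void build_sbox(void)
{
    if (sbox_ready)
        return;
    for (int x = 0; x < 256; x++) {
        uint8_t b = gf_inv((uint8_t)x);
        uint8_t s = b;
        for (int i = 1; i <= 4; i++)
            s ^= (uint8_t)((b << i) | (b >> (8 - i)));
        aes_sbox[x] = s ^ 0x63;
    }
    sbox_ready = 1;
}

/* Table-driven lookup: which cache line is loaded depends on x.
 * A process sharing the cache can observe that, which is the side channel
 * discussed in the thread. */
uint8_t sbox_lookup_table(uint8_t x)
{
    build_sbox();
    return aes_sbox[x];
}

/* Constant-time lookup: read all 256 entries regardless of x and keep the
 * one whose index matches, using a mask computed without a branch.
 * (Production code is typically bitsliced instead, which avoids tables
 * entirely; an optimising compiler can also undo this pattern, so it is
 * an illustration of the idea, not a drop-in replacement.) */
uint8_t sbox_lookup_ct(uint8_t x)
{
    build_sbox();
    uint8_t r = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t d = i ^ (uint32_t)x;          /* 0 only when i == x */
        uint8_t m = (uint8_t)(0u - ((d - 1u) >> 31)); /* 0xff if d == 0, else 0x00 */
        r |= aes_sbox[i] & m;
    }
    return r;
}

/* Both lookups must agree on every input; returns 1 on success, 0 otherwise. */
int sbox_lookups_agree(void)
{
    for (int x = 0; x < 256; x++)
        if (sbox_lookup_table((uint8_t)x) != sbox_lookup_ct((uint8_t)x))
            return 0;
    return 1;
}

int main(void)
{
    printf("S(0x00)=0x%02x S(0x53)=0x%02x agree=%d\n",
           sbox_lookup_ct(0x00), sbox_lookup_ct(0x53), sbox_lookups_agree());
    return sbox_lookups_agree() ? 0 : 1;
}
```

The point of the comparison is the one made above: both functions return the same bytes, so the choice between them is invisible to the disk-encryption user, and only matters once someone else is scheduled on the same cache.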
