* Peter Zijlstra <pet...@infradead.org> wrote:
> On Wed, Oct 02, 2013 at 01:23:16PM +0200, Peter Zijlstra wrote:
>
> > So the only thing I can come up with is something like the below;
> > supposedly the sha hash mixing a boot time random seed and the mm
> > pointer is enough to avoid it being a data leak.
>
> That is, right until it becomes feasible to run 2^64 SHA1 computations.
> I've actually no idea how hard that is given todays GPU assisted
> efforts.
Well, here are the possible cryptanalytic attacks I can think of:
- differential, because here you don't just have access to the hash
value but you can essentially feed highly correlated plaintext to the
hash at will, by starting/stopping threads, knowing their typical mm
pointer differences, etc.
I.e. less than 2^64, potentially a lot less.
- then there are timing attacks, and someone having access to a PMU
context and who can trigger this SHA1 computation arbitrarily in task
local context can run very accurate and low noise timing attacks...
I don't think the kernel's sha_transform() is hardened against timing
attacks, it's performance optimized so it has variable execution time
highly dependent on plaintext input - which leaks information about the
plaintext.
But then again, how realistic is an attack? All that effort just to
recover the raw kernel data pointer value of a struct mm? Dunno whether we
should worry about it.
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
