https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96662

            Bug ID: 96662
           Summary: s390x uses clc taking variable execution time in
                    crypto code
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: mpolacek at gcc dot gnu.org
  Target Milestone: ---

In this test case:

void bar (void);
void f1 (unsigned short *p) { if (p[0] < p[1]) bar (); }
void f2 (unsigned int *p) { if (p[0] < p[1]) bar (); }
void f3 (unsigned long long *p) { if (p[0] < p[1]) bar (); }
void f4 (unsigned short *p) { if (p[0] != p[1]) bar (); }
void f5 (unsigned int *p) { if (p[0] != p[1]) bar (); }
void f6 (unsigned long long *p) { if (p[0] != p[1]) bar (); }
void f7 (short int *p) { if (p[0] != p[1]) bar (); }
void f8 (int *p) { if (p[0] != p[1]) bar (); }
void f9 (long long *p) { if (p[0] != p[1]) bar (); }

GCC generates clc on s390x.  That is problematical in crypto code, because clc
works like memcmp, which has a variable execution time.  So it is theoretically
possible to gauge some information by measuring how long the operation takes
(for 128 or 255 byte long comparisons).

Other arches supposedly generate instructions that take constant time,
therefore don't suffer from this issue.

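An added example, not part of the bug report or of GCC: a model of the early-exit, memcmp-style behaviour the report attributes to clc, next to branch-free comparisons of the kind crypto code uses in place of `p[0] != p[1]` and `p[0] < p[1]`. All function names are hypothetical and the sample data is constructed; that a given compiler keeps these helpers branch-free and does not emit clc for them is an assumption to confirm in the generated assembly (for example with `gcc -S`).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of an early-exit, memcmp-style compare (hypothetical helper):
   returns how many byte pairs are examined before the result is known.
   The count depends on the data, which is the timing signal. */
size_t early_exit_steps(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* 1 if x != y, else 0. No branch, no early exit. */
uint32_t ct_neq_u32(uint32_t x, uint32_t y)
{
    uint32_t d = x ^ y;
    return (d | (0u - d)) >> 31;
}

/* 1 if x < y (unsigned), else 0: top bit of the borrow out of x - y. */
uint32_t ct_lt_u32(uint32_t x, uint32_t y)
{
    return ((~x & y) | ((~x | y) & (x - y))) >> 31;
}

/* 1 if the buffers differ, else 0. Always reads all n byte pairs. */
uint32_t ct_memneq(const unsigned char *a, const unsigned char *b, size_t n)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint32_t)(a[i] ^ b[i]);
    return ct_neq_u32(acc, 0);
}

int main(void)
{
    /* Constructed sample data: the buffers differ only in the third byte. */
    const unsigned char a[4] = { 1, 2, 3, 4 }, b[4] = { 1, 2, 9, 4 };
    printf("early-exit steps: %zu of 4\n", early_exit_steps(a, b, 4));
    printf("ct_memneq: %u, ct_lt_u32(1,2): %u\n",
           (unsigned)ct_memneq(a, b, 4), (unsigned)ct_lt_u32(1, 2));
    return 0;
}
```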