[PATCH] crypto: aes_ti - disable interrupts while accessing sbox

2018-10-03 Thread Eric Biggers
From: Eric Biggers

The generic constant-time AES implementation is supposed to preload the AES S-box into the CPU's L1 data cache. But an interrupt handler can run on the CPU and muck with the cache. Worse, on preemptible kernels the process can even be preempted and moved to a different CPU.

Re: [PATCH] crypto: arm64/aes - fix handling sub-block CTS-CBC inputs

2018-10-03 Thread Ard Biesheuvel
On 3 October 2018 at 07:22, Eric Biggers wrote:
> From: Eric Biggers
>
> In the new arm64 CTS-CBC implementation, return an error code rather
> than crashing on inputs shorter than AES_BLOCK_SIZE bytes. Also set
> cra_blocksize to AES_BLOCK_SIZE (like is done in the cts template) to
> indicate