Intel's "DOITM" Security Feature Not Intended For Always-On Use, Linux Patches To Be Revised
Last week I wrote about Linux developers evaluating a new "DOITM" security mitigation for the latest Intel CPUs. While the cost of engaging the Data Operand Independent Timing Mode (DOITM) functionality is minimal for now, following internal Intel engineering discussions it looks like the Linux kernel patches will need to be re-worked, since this functionality is not intended to be always enabled.
As summed up in last week's testing article, recent and future Intel processors aren't guaranteed to be "constant time" with respect to their data operands unless a special model specific register flag is set. This caused concerns, particularly around the Linux cryptography code, that there is no longer a guarantee of constant time and that instruction execution time can vary depending upon the data being operated on. Constant time execution is necessary to avoid possible side channel attacks. But enabling the new Intel flag to ensure constant time comes with admitted performance implications.
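To make concrete what "constant time with respect to data operands" means for the cryptography code the article mentions, here is an added example (not code from the article, the Linux kernel, or Intel) contrasting an early-exit byte comparison, whose running time depends on where the first differing byte sits, with a constant-time comparison that touches every byte and only uses XOR/OR/shift/subtract operations. The point the article makes is that even the second form relies on the hardware executing those instructions with data-independent latency, which is the guarantee DOITM provides. The function names and the instrumentation counter are hypothetical; the 16-byte sample tags are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Instrumentation only (hypothetical): number of byte positions the last
 * comparison actually examined, so the data dependence is visible without
 * a timer. */
static size_t g_examined = 0;

size_t last_examined(void)
{
    return g_examined;
}

/* Early-exit comparison: returns as soon as a mismatch is found, so the
 * amount of work (and the time taken) depends on the data being compared. */
int naive_memeq(const unsigned char *a, const unsigned char *b, size_t n)
{
    g_examined = 0;
    for (size_t i = 0; i < n; i++) {
        g_examined++;
        if (a[i] != b[i])
            return 0;              /* leaves early: position of mismatch leaks */
    }
    return 1;
}

/* Constant-time comparison: always examines all n bytes and never branches
 * on data. Correctness of the "constant time" claim still assumes XOR, OR,
 * subtraction and shifts have data-independent latency on the CPU, which is
 * exactly the guarantee the article's DOITM flag is about. */
int ct_memeq(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    g_examined = 0;
    for (size_t i = 0; i < n; i++) {
        g_examined++;
        diff |= a[i] ^ b[i];       /* accumulate differences, no early exit */
    }
    /* Map diff (0 = equal, nonzero = differ) to 1/0 without a branch:
     * (diff - 1) >> 8 has its low bit set only when diff == 0. */
    return (int)((((unsigned int)diff - 1u) >> 8) & 1u);
}

int main(void)
{
    /* Constructed sample: a 16-byte MAC tag and two candidates that differ at
     * the first and at the last byte respectively. */
    unsigned char tag[16] = "0123456789abcdef";
    unsigned char first_bad[16], last_bad[16];
    memcpy(first_bad, tag, 16);
    memcpy(last_bad, tag, 16);
    first_bad[0] ^= 0x01;
    last_bad[15] ^= 0x01;

    naive_memeq(tag, first_bad, 16);
    printf("naive, mismatch at byte 0:  examined %zu bytes\n", last_examined());
    naive_memeq(tag, last_bad, 16);
    printf("naive, mismatch at byte 15: examined %zu bytes\n", last_examined());
    ct_memeq(tag, first_bad, 16);
    printf("ct,    mismatch at byte 0:  examined %zu bytes\n", last_examined());
    ct_memeq(tag, last_bad, 16);
    printf("ct,    mismatch at byte 15: examined %zu bytes\n", last_examined());
    return 0;
}
```

Running it shows the early-exit version examining 1 byte versus 16 depending on the input, while the constant-time version always examines 16; that software-level property is what kernel crypto code already relies on, and the DOITM discussion is about whether the hardware honours it for the instructions involved.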
The performance implications with current generation processors didn't end up being all that significant, but Intel documentation indicates that could increase in the future. The Linux handling in its current form is about always having the Data Operand Independent Timing Mode enabled. But now Intel is warning against such a move.