lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0612010815510.3695@woody.osdl.org>
Date:	Fri, 1 Dec 2006 08:20:15 -0800 (PST)
From:	Linus Torvalds <torvalds@...l.org>
To:	Arjan van de Ven <arjan@...radead.org>
cc:	Ben Collins <ben.collins@...ntu.com>, Pavel Machek <pavel@....cz>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/4] [x86] Add command line option to enable/disable
 hyper-threading.



On Fri, 1 Dec 2006, Arjan van de Ven wrote:
> 
> I would suggest you drop the patch; openssl has been long fixed, and it
> was only a theoretical attack in the first place...
> I'm not saying the attack isn't something that should be addressed.. but
> it is, and disabling hyperthreading is not the right fix.

I concur. A lot of these "timing attacks" may be slightly easier on HT 
CPU's than other CPU's, but they are still pretty damn theoretical (the 
more recent branch predictor one is even more so, since it apparently 
requires access to the branch predictor state itself, which you need 
CPL0 to get - and once you have CPL0, why the hell bother with the branch 
predictors at all, since you might as well just read the state directly 
from the process..)

People are a hell of a lot better at worrying about unrealistic attacks 
that they don't understand and thus sound scary, than about worrying about 
the simple things ("You mean my password shouldn't be my pets name, taped 
to my monitor? Really? And I wasn't supposed to give it out just because 
that nice man gave me chocolate?")

So I think people have blown those SSL timing attacks _way_ out of 
proportion, just because it sounds technical and cool. 

Besides, most of the time you can disable HT in the BIOS, which is better 
anyway if you don't want it.

		Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ