Stefan Sperling wrote:
> I also have some machines which are affected by this, and I am
> not sure what to do about it. I cannot judge the advantages of
> either AES implementation.

There's very little advantage to a constant-time implementation for disk
encryption. The threat model doesn't really include such side channels.

But I don't know how much burden it will be to maintain two implementations,
with the various defines like CRYPTO_AES_XTS and
CRYPTO_AES_XTS_FASTER_BUT_MAYBE_A_LITTLE_UNSAFE and deciding where to use
each.

Although, truth be told, XTS is only useful for disk encryption. It shouldn't
be used for network traffic. So we could just always make software XTS use
the original rijndael code. But this is Mike's fun zone.

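To make the XTS point in the message above concrete, here is an added example (not code from this thread, from OpenBSD, or from either AES implementation under discussion). It implements XTS-AES-128 over a small pure-Python AES-128 whose S-box is a plain table lookup, i.e. exactly the kind of data-dependent memory access a constant-time implementation avoids. It assumes a sector that is a whole number of 16-byte blocks (no ciphertext stealing), uses the sector number as the IEEE 1619 little-endian tweak, and the 32-byte key in the demo is constructed for illustration only.

```python
"""XTS-AES-128 over a toy table-based AES (added example, not production code)."""


def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Derive the AES S-box: GF(2^8) inverse followed by the affine map.

    SubBytes below indexes this table with secret bytes; that memory access
    pattern is what a cache-timing side channel observes, which is why a
    constant-time AES avoids table lookups keyed on secret data.
    """
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                 # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _shift_rows(s):
    # State is column-major (index r + 4c); row r rotates left by r.
    return [s[(i % 4) + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
    return out


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block with AES-128 (encryption direction only)."""
    rk = _expand_key(key)
    s = [a ^ b for a, b in zip(block, rk[0])]
    for r in range(1, 10):
        s = _mix_columns(_shift_rows([SBOX[b] for b in s]))
        s = [a ^ b for a, b in zip(s, rk[r])]
    s = _shift_rows([SBOX[b] for b in s])
    return bytes(a ^ b for a, b in zip(s, rk[10]))


def _mul_alpha(t):
    """Multiply the 128-bit tweak by x in GF(2^128), little-endian (IEEE 1619)."""
    out = bytearray(16)
    carry = 0
    for i in range(16):
        out[i] = ((t[i] << 1) | carry) & 0xFF
        carry = t[i] >> 7
    if carry:
        out[0] ^= 0x87
    return bytes(out)


def xts_encrypt_sector(key, sector, plaintext):
    """XTS-AES-128 over one data unit; key = key1 || key2 (32 bytes).

    Assumption: the sector is block-aligned (no ciphertext stealing). The
    tweak is the sector number, so no IV is stored and the ciphertext is
    exactly as long as the plaintext, which is what a disk sector requires.
    """
    if len(key) != 32 or len(plaintext) % 16:
        raise ValueError("need a 32-byte key and a block-aligned sector")
    key1, key2 = key[:16], key[16:]
    t = aes128_encrypt_block(key2, sector.to_bytes(16, "little"))
    out = bytearray()
    for i in range(0, len(plaintext), 16):
        pp = bytes(a ^ b for a, b in zip(plaintext[i:i + 16], t))
        out += bytes(a ^ b for a, b in zip(aes128_encrypt_block(key1, pp), t))
        t = _mul_alpha(t)
    return bytes(out)


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed demo key only
    data = b"same content in two sectors".ljust(32, b"\0")
    c0, c1 = xts_encrypt_sector(key, 0, data), xts_encrypt_sector(key, 1, data)
    # Same data at different sectors differs; rewriting a sector with the
    # same data repeats the ciphertext (XTS is deterministic per sector), and
    # there is no authentication tag: fine for a disk, not for the network.
    print(c0 != c1, c0 == xts_encrypt_sector(key, 0, data), len(c0) == len(data))
```

The length-preserving, unauthenticated, per-sector-deterministic behaviour shown at the end is the property that makes XTS a fit for disk encryption and a poor choice for network traffic, where a mode with nonces and authentication is wanted.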