On Fri, Aug 01, 2025 at 07:36:02AM -0400, James Bottomley wrote: > On Thu, 2025-07-31 at 20:02 -0700, Eric Biggers wrote: > > On Thu, Jul 31, 2025 at 10:28:49PM -0400, James Bottomley wrote: > > > On Thu, 2025-07-31 at 14:52 -0700, Eric Biggers wrote: > > > > To prevent timing attacks, HMAC value comparison needs to be > > > > constant time. Replace the memcmp() with the correct function, > > > > crypto_memneq(). > > > > > > Um, OK, I'm all for more security but how could there possibly be a > > > timing attack in the hmac final comparison code? All it's doing is > > > seeing if the HMAC the TPM returns matches the calculated one. > > > Beyond this calculation, there's nothing secret about the HMAC key. > > > > I'm not sure I understand your question. Timing attacks on MAC > > validation are a well-known issue that can allow a valid MAC to be > > guessed without knowing the key. Whether it's practical in this > > particular case for some architecture+compiler+kconfig combination is > > another question, but there's no reason not to use the constant-time > > comparison function that solves this problem. > > > > Is your claim that in this case the key is public, so the MAC really > > just serves as a checksum (and thus the wrong primitive is being > > used)? > > The keys used for TPM HMAC calculations are all derived from a shared > secret and updating parameters making them one time ones which are > never reused, so there's no benefit to an attacker working out after > the fact what the key was.
MAC timing attacks forge MACs; they don't leak the key. It's true that such attacks don't work with one-time keys. But here it's not necessarily a one-time key. E.g., tpm2_get_random() sets a key, then authenticates multiple messages using that key. I guses I'm struggling to understand the point of your comments. Even if in a follow-up message you're finally able to present a correct argument for why memcmp() is okay, it's clearly subtle enough that we should just use crypto_memneq() anyway, just like everywhere else in the kernel that validates MACs. If you're worried about performance, you shouldn't be: it's a negligible difference that is far outweighed by all the optimizations I've been making to lib/crypto/. - Eric
