
#1023 Deal with side-channels in stm8 port

None
open
nobody
None
5
2026-06-07
2026-06-04
No

Now that work on [feature-requests:#1006] has started, we should also look into the stm8-specific aspects. We then need fixes or documentation. A first view shows:

  • Side channels are created in trunk in codegen for addition, subtraction, the division hardware bug workaround, for right shifts (data from left operand leaked). These will be fixed in the nosidechannel branch today.
  • There are side-channels in codegen for division / modulo, shifts (right operand), comparisons, shifts (data from right operand leaked), rotations, signed casts, reads from signed bit-fields.
  • There are side channels in support routines.
  • Peephole optimizer rules do not introduce side-channels.

Related

Feature Requests: #1006
Feature Requests: #1007

Discussion

  • Philipp Klaus Krause

    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,4 +1,4 @@
    -Now that work on [feature-requests:1006] has started, we should also look into the stm8-specific aspects. We then need fixes or documentation. A first view shows:
    +Now that work on [feature-requests:#1006] has started, we should also look into the stm8-specific aspects. We then need fixes or documentation. A first view shows:
    
    
     * Side channels are created in trunk in codegen for addition, subtraction, the division hardware bug woraround, for right shifts (data from left operand leaked). These will be fixed in the nosidechannel branch today.
     * There are side-channels in codegen for division / modulo, shifts (right operand), comparisons, shifts (data from right operand leaked), rotations, signed casts.
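
    Review bot: the second bullet lists shifts twice, as "shifts (right operand)" and "shifts (data from right operand leaked)", which reads as two separate findings for what the wording suggests is one leak; merge them into a single entry. While the description is being edited, "woraround" in the first bullet should be "workaround".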
    
    • Group: -->
     

    Related

    Feature Requests: #1006

  • Philipp Klaus Krause

    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -3,3 +3,4 @@
    
     * Side channels are created in trunk in codegen for addition, subtraction, the division hardware bug woraround, for right shifts (data from left operand leaked). These will be fixed in the nosidechannel branch today.
     * There are side-channels in codegen for division / modulo, shifts (right operand), comparisons, shifts (data from right operand leaked), rotations, signed casts.
     * There are side channels in support routines.
    +* Peephole optimizer rules haven't been checked yet.
    
     
  • Philipp Klaus Krause

    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -3,4 +3,4 @@
    
     * Side channels are created in trunk in codegen for addition, subtraction, the division hardware bug woraround, for right shifts (data from left operand leaked). These will be fixed in the nosidechannel branch today.
     * There are side-channels in codegen for division / modulo, shifts (right operand), comparisons, shifts (data from right operand leaked), rotations, signed casts.
     * There are side channels in support routines.
    -* Peephole optimizer rules haven't been checked yet.
    +* Peephole optimizer rules do not introduce side-channels.
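
    Review bot: the replacement bullet "Peephole optimizer rules do not introduce side-channels" gives no indication of what was checked, so the claim cannot be re-verified once rules are added or changed. Suggest noting the scope of the review (which rule set, at which revision) next to the statement.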
    
     
  • Philipp Klaus Krause

    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,6 +1,6 @@
     Now that work on [feature-requests:#1006] has started, we should also look into the stm8-specific aspects. We then need fixes or documentation. A first view shows:
    
    
     * Side channels are created in trunk in codegen for addition, subtraction, the division hardware bug woraround, for right shifts (data from left operand leaked). These will be fixed in the nosidechannel branch today.
    -* There are side-channels in codegen for division / modulo, shifts (right operand), comparisons, shifts (data from right operand leaked), rotations, signed casts.
    +* There are side-channels in codegen for division / modulo, shifts (right operand), comparisons, shifts (data from right operand leaked), rotations, signed casts. reads from signed bit-fields.
     * There are side channels in support routines.
     * Peephole optimizer rules do not introduce side-channels.
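
    Review bot: in the added line, "signed casts. reads from signed bit-fields." ends the list with a full stop and then starts a lowercase fragment, so the bit-field reads look detached from the list of affected codegen cases. Use a comma: "signed casts, reads from signed bit-fields."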
    
     

    Related

    Feature Requests: #1006

  • Philipp Klaus Krause

    By now, the low-hanging fruit has been dealt with in the nosidechannels branch. Some cases were easy to fix, some turned out to not exist after all (a conditional branch followed by a single-cycle instruction followed by the target label - looks like a timing side-channel at first sight due to the conditional jump, but on closer analysis the conditional jump takes 2 cycles when branching, 1 when not, so the total execution time of this construct is always two cycles).

    Remaining:

    • Division and modulo - would be complex to make constant-time, so just documenting it in the manual would be the way to go; also, cryptographers are used to these often not being constant time, so cryptographic code is likely not using those.
    • Shifts leaking right operand - same.
    • Floating point operations - same.
    • Comparisons - somewhat complex to make constant-time, but should be doable. Will require a few days of work on code generation, I guess.
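
The cycle-count argument in the comment above (branch taken: 2 cycles, not taken: 1 cycle plus the single-cycle instruction) can be checked mechanically. The following is an added example, not part of the original post and not SDCC code: the mini instruction list, the function names and the counter-example are constructed for illustration, and the model only sums per-instruction cycle counts over forward branches, as the comment does.

```python
from typing import List, Set, Tuple

# Cycle costs of a conditional branch, as stated in the comment above.
BRANCH_TAKEN = 2
BRANCH_NOT_TAKEN = 1

# Constructed mini-IR (an assumption of this example, not SDCC's own):
#   ("op", cycles)        straight-line instruction with a fixed cost
#   ("branch", "label")   conditional forward branch to a label
#   ("label", "name")     branch target, costs nothing
Insn = Tuple[str, object]

def path_cycle_counts(code: List[Insn]) -> Set[int]:
    """Return every total cycle count reachable through `code`.

    Each conditional branch is explored both taken and not taken, so a
    result with more than one element means the execution time depends
    on the branch conditions.
    """
    labels = {arg: i for i, (kind, arg) in enumerate(code) if kind == "label"}
    totals: Set[int] = set()
    work = [(0, 0)]  # (index of next instruction, cycles so far)
    while work:
        pc, cycles = work.pop()
        if pc == len(code):
            totals.add(cycles)
            continue
        kind, arg = code[pc]
        if kind == "op":
            work.append((pc + 1, cycles + arg))
        elif kind == "label":
            work.append((pc + 1, cycles))
        elif kind == "branch":
            target = labels[arg]
            if target <= pc:
                raise ValueError("only forward branches are modelled")
            work.append((target, cycles + BRANCH_TAKEN))
            work.append((pc + 1, cycles + BRANCH_NOT_TAKEN))
        else:
            raise ValueError(f"unknown instruction kind: {kind}")
    return totals

def is_constant_time(code: List[Insn]) -> bool:
    return len(path_cycle_counts(code)) == 1

# The construct from the comment: branch over one single-cycle instruction.
BALANCED = [("branch", "skip"), ("op", 1), ("label", "skip")]
# Constructed counter-example: the skipped instruction costs two cycles.
UNBALANCED = [("branch", "skip"), ("op", 2), ("label", "skip")]
```

With these inputs the balanced construct yields a single total of two cycles on both paths, while the counter-example yields two different totals and is flagged as leaking.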
     
