From 7f356eaae0f123decc2619f1ef789b0dc2587451 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 21 Nov 2024 04:37:28 +0000
Subject: [PATCH 1/3] Build: Never use -flto for verify.c
verify.c contains various functions which must not be inlined because compilers are tempted to compile them into code that's not constant time and thereby leaks something about the secret data being processed. If `-flto` is used as a compile-time flag, verify.c is likely to be inlined. This commit modifies the Makefile to force `-fno-lto` for verify.c, overwriting `-flto` if present. This in particular affects our CI benchmarks, which do compile with `-flto`.
Signed-off-by: Hanno Becker
---
 mk/schemes.mk | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/mk/schemes.mk b/mk/schemes.mk
index 6a4e7fec8..c74dd6c1d 100644
--- a/mk/schemes.mk
+++ b/mk/schemes.mk
@@ -13,6 +13,11 @@ MLKEM512_DIR = $(BUILD_DIR)/mlkem512
 MLKEM768_DIR = $(BUILD_DIR)/mlkem768
 MLKEM1024_DIR = $(BUILD_DIR)/mlkem1024
+# Even when link-time optimization is used for the rest of the code,
+# make sure not to use it for verify.c: Those are functions which, when
+# inlined, can be subject to compiler-induced variable-time code.
+%/verify.c.o: CPPFLAGS += -fno-lto
+
 $(MLKEM512_DIR)/bin/%: CPPFLAGS += -DMLKEM_K=2
 $(ALL_TESTS:%=$(MLKEM512_DIR)/bin/%512):$(MLKEM512_DIR)/bin/%512: $(MLKEM512_DIR)/test/%.c.o $(call MAKE_OBJS,$(MLKEM512_DIR), $(SOURCES))
From 27e932e45aab9f20b4ba18f23fa69e303e9f842f Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 21 Nov 2024 04:51:23 +0000
Subject: [PATCH 2/3] Readme: Add note that verify.c must not be compiled using LTO
Signed-off-by: Hanno Becker
---
 README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/README.md b/README.md
index e828b83c3..0c73cd09d 100644
--- a/README.md
+++ b/README.md
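Review bot: The `-fno-lto` added on `%/verify.c.o: CPPFLAGS += -fno-lto` only cancels `-flto` if it comes later on the compile command line; GCC and clang generally honour the last of `-flto`/`-fno-lto` they see, so the outcome depends on the order in which the object recipe (not in this hunk) expands `$(CPPFLAGS)` relative to whichever variable CI uses to pass `-flto`. If `-flto` arrives via `CFLAGS` and the recipe expands `$(CFLAGS)` after `$(CPPFLAGS)`, `verify.c.o` is still built with LTO and the property the commit message relies on fails silently. Consider appending the flag to the variable that actually carries `-flto`, or adding a CI check that the recorded compile line for `verify.c.o` (e.g. from `make -n` output) contains `-fno-lto` after any `-flto`, so the guarantee is verified rather than assumed. A comment recording the assumption, such as `# assumes $(CPPFLAGS) is expanded after the variable carrying -flto in the object rule`, would keep the intent visible if the recipe is reordered later.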
@@ -21,6 +21,19 @@ to be readable and micro-optimization deferred to automated tooling such as
 implementations for which the C-code is verified to be free of undefined behaviour, and where all assembly is functionally verified.
+### Intended use
+
+**mlkem-native** is currently intended to be used as a code package, where source files of **mlkem-native**
+are imported into a consuming project's source tree and built using that project's build system. The build system
+provided in this repository is for experimental and development purposes only.
+
+#### Secure Compilation
+
+**mlkem-native** includes functions that are susceptible to compiler-induced variable-time code when inlined into
+their call-sites. Those functions are contained in [`mlkem/verify.c`](mlkem/verify.c). To ensure secure compilation, you
+MUST NOT enable link time optimization (LTO) for `mlkem/verify.c`. To the best of our knowledge, it is safe to compile
+the rest of the source tree with LTO.
+
+### Current state **mlkem-native** is work in progress. **WE DO NOT CURRENTLY RECOMMEND RELYING ON THIS LIBRARY IN A PRODUCTION
From 2c97077e00c2fa6920f36e1481159f980b3e744a Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 21 Nov 2024 05:05:11 +0000
Subject: [PATCH 3/3] Add warning about use of LTO in verify.c
Signed-off-by: Hanno Becker
---
 mlkem/verify.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/mlkem/verify.c b/mlkem/verify.c
index b6b51fddb..b66ca429f 100644
--- a/mlkem/verify.c
+++ b/mlkem/verify.c
@@ -3,6 +3,17 @@
 #include
 #include
+//
+// WARNING:
+//
+// The functions in this compilation unit may be susceptible to
+// compiler-induced variable-time code when inlined into their call-sites.
+// The purpose of having a separate compilation here is to prevent
+// such potentially insecure inlining.
+//
+// You MUST NOT compile this file using link time optimization.
+//
 int verify(const uint8_t *a, const uint8_t *b, const size_t len) {
 uint8_t r = 0;
 uint64_t u;
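Review bot: The new warning in `mlkem/verify.c` states the requirement but not the flags it refers to, so a consumer integrating this file into another build system has nothing concrete to look for; consider extending the last paragraph with `// (e.g. -flto or -flto=thin on GCC/clang, or the equivalent IPO setting in other build systems)`. It would also help to say that the in-repo build enforces this through the `-fno-lto` override for `verify.c.o` in `mk/schemes.mk`, so readers know which build rule a consuming project must replicate, and that separate compilation only prevents cross-unit inlining — if any of these functions call each other, the optimizer can still inline within this file. As a measure independent of build flags, marking the functions with the compiler's noinline attribute could be considered, though that is a code change beyond this comment-only hunk and would need its own constant-time review. The `verify` function whose signature closes the hunk continues beyond it.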