PuTTY wish arm-dit



summary: Arm: set PSTATE.DIT flag to protect constant-time cryptography
class: wish: This is a request for an enhancement.
present-in: 0.82
fixed-in: 98200d1bfec13397cf81b1d5b28a1ab90962dcde (0.83)

DIT, for 'Data-Independent Timing', is a bit you can set in the processor state on sufficiently new Arm CPUs, which promises that a long list of instructions will deliberately avoid varying their timing based on the input register values. Just what you want for keeping your constant-time crypto primitives constant-time.

In version 0.82 and before, PuTTY did not set the DIT flag. So in principle a CPU was free to optimise in a data-dependent way. However, I'm not yet aware of any CPU implementing the Arm architecture which does perform any data-dependent optimisations. So this was a lack of futureproofing, but unless we hear otherwise, not an actual side-channel leak.

The Unix builds of PuTTY now attempt to turn on DIT in the PuTTY process state, if the operating system tells it the feature is available.
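The query-then-enable sequence this paragraph describes, as an added example written here and not PuTTY's own code: it assumes Linux on AArch64 with glibc's getauxval() and the kernel's HWCAP_DIT auxiliary-vector bit, and on any other platform the helpers simply report that DIT is not available.

```c
/* Added example, not PuTTY's code. Linux/AArch64 only: ask the kernel via
 * HWCAP_DIT whether FEAT_DIT exists, then set PSTATE.DIT for the calling
 * thread and read it back. Elsewhere the helpers report "not available". */
#if defined(__aarch64__) && defined(__linux__)
#include <sys/auxv.h>
#include <asm/hwcap.h>
#define HAVE_DIT_PLATFORM 1
#endif
enum dit_status {
    DIT_NOT_AVAILABLE, /* no AArch64 Linux, or kernel reports no FEAT_DIT */
    DIT_SET_FAILED,    /* MSR ran but the bit did not read back as 1 */
    DIT_ENABLED        /* PSTATE.DIT is now 1 for the calling thread */
};

/* Trust only the kernel's HWCAP: MRS/MSR on the DIT register is UNDEFINED
 * (SIGILL) on a CPU without the feature, so never probe by executing it. */
int dit_available(void)
{
#if defined(HAVE_DIT_PLATFORM) && defined(HWCAP_DIT)
    return (getauxval(AT_HWCAP) & HWCAP_DIT) != 0;
#else
    return 0;
#endif
}

/* Current PSTATE.DIT for this thread (bit 24 of the register), -1 if absent.
 * s3_3_c4_c2_5 is DIT's system-register encoding, which the assembler
 * accepts without an armv8.4 -march flag. */
int dit_read(void)
{
    unsigned long v = 0;
    if (!dit_available())
        return -1;
#ifdef HAVE_DIT_PLATFORM
    __asm__ volatile("mrs %0, s3_3_c4_c2_5" : "=r"(v));
#endif
    return (int)((v >> 24) & 1);
}

/* Set PSTATE.DIT = 1; the register form of MSR DIT copies bit 24 of Xt. */
enum dit_status dit_enable(void)
{
    if (!dit_available())
        return DIT_NOT_AVAILABLE;
#ifdef HAVE_DIT_PLATFORM
    unsigned long one = 1UL << 24;
    __asm__ volatile("msr s3_3_c4_c2_5, %0" : : "r"(one));
#endif
    return dit_read() == 1 ? DIT_ENABLED : DIT_SET_FAILED;
}
```

PSTATE.DIT is part of the per-thread processor state, so a multithreaded program should call dit_enable() in each thread that runs the constant-time primitives.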

The Windows on Arm versions of PuTTY still do not, because Windows has no API call to query whether the necessary machine instruction is supported. I [SGT] have heard it rumoured that Windows might unconditionally turn on DIT anyway, in which case this doesn't matter, but at present I have no confirmation of that. Further information welcome, if anyone has any!

(last revision of this bug record was at 2024-12-20 13:20:02 +0000)