Clarify that the Lucky 13 fix is quite general
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/ChangeLog.d/local-lucky13.txt b/ChangeLog.d/local-lucky13.txt
index 5a3eed0..adf493a 100644
--- a/ChangeLog.d/local-lucky13.txt
+++ b/ChangeLog.d/local-lucky13.txt
@@ -1,9 +1,11 @@
Security
- * Fix a local timing side channel vulnerability in (D)TLS record decryption
- when using a CBC ciphersuites without the Encrypt-then-Mac extension. In
- those circumstances, a local attacker able to observe the state of the
- cache could use well-chosen functions to measure the exact computation
- time of the HMAC, and follow up with the usual range of Lucky 13 attacks,
- including plaintext recovery and key recovery. Found and reported by Tuba
- Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
+ * In (D)TLS record decryption, when using a CBC ciphersuites without the
+ Encrypt-then-Mac extension, use constant code flow memory access patterns
+ to extract and check the MAC. This is an improvement to the existing
+ countermeasure against Lucky 13 attacks. The previous countermeasure was
+ effective against network-based attackers, but less so against local
+ attackers. The new countermeasure defends against local attackers, even
+ if they have access to fine-grained measurements. In particular, this
+ fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz,
+ Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
(University of Florida) and Dave Tian (Purdue University).