erix/lib-constant-time
1
0
Fork 0
generated from erix/meta
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Minimal no_std constant-time primitives for EriX security-critical code paths.
9 commits 1 branch 0 tags 67 KiB
  • Rust 100%
Find a file
Exact
Erik Inkinen c4a51b47e2
All checks were successful
CI / security (push) Successful in 1m27s
Details
CI / minimal-versions (push) Successful in 10s
Details
CI / test (push) Successful in 4s
Details
lib-constant-time: drop unstable rustfmt options for stable toolchains
2026-03-23 10:19:53 +02:00
.github Refactor milestone terminology to "Component Milestone Tracking" across templates and documentation for consistency 2026-03-05 11:54:20 +02:00
src Add initial implementation of constant-time primitives and Cargo configuration 2026-02-26 16:21:03 +02:00
.editorconfig Initial commit 2026-02-26 15:15:34 +01:00
.gitignore Initial commit 2026-02-26 15:15:34 +01:00
ARCHITECTURE.md Initialize lib-constant-time 2026-02-26 16:18:58 +02:00
Cargo.toml Add initial implementation of constant-time primitives and Cargo configuration 2026-02-26 16:21:03 +02:00
CODE_OF_CONDUCT.md Initial commit 2026-02-26 15:15:34 +01:00
CONTRIBUTING.md Refactor milestone terminology to "Component Milestone Tracking" across templates and documentation for consistency 2026-03-05 11:54:20 +02:00
LICENSE Initial commit 2026-02-26 15:15:34 +01:00
README.md Refactor milestone terminology to "Component Milestone Tracking" across templates and documentation for consistency 2026-03-05 11:54:20 +02:00
ROADMAP.md Update README and ROADMAP with current implementation status and core primitive details 2026-02-28 04:53:25 +02:00
rustfmt.toml lib-constant-time: drop unstable rustfmt options for stable toolchains 2026-03-23 10:19:53 +02:00
SECURITY.md docs: align security policy phase numbering 2026-03-11 05:28:12 +02:00

README.md

lib-constant-time

Minimal no_std constant-time primitives for EriX security-critical code paths.

This crate exists to provide small, auditable building blocks for byte-level operations where timing behavior must not depend on secret data.

UEFI + x86_64 are current primary targets, but this crate is explicitly portable and architecture-neutral.

Scope

This crate provides:

  • constant-time equality for fixed and variable byte slices
  • constant-time zero checks
  • constant-time conditional selection/masking helpers

This crate does not provide:

  • hashing algorithms
  • signature algorithms
  • key storage or secure element integration
  • random number generation

Why this crate exists

EriX verification paths (boot image verification, signature checks, hash comparison) need a shared implementation for constant-time byte operations.

Keeping these primitives in a dedicated crate improves:

  • auditability (small API, focused code)
  • reuse (lib-bootimg, future lib-ed25519, future kernel-side verifiers)
  • consistency (single behavior across components)

Design constraints

  • #![no_std]
  • zero external dependencies
  • no dynamic allocation required
  • deterministic behavior and explicit error handling
  • minimal unsafe (ideally none)

Security notes

"Constant-time" here means branch/data-flow behavior should not depend on secret values for supported operations.

This does not eliminate all side channels (cache hierarchy, power, platform noise), but removes common variable-time bugs in straightforward comparisons.

Intended consumers

  • lib-bootimg (manifest/section hash comparisons)
  • future lib-ed25519 (verification helpers)
  • bootloader and kernel-side validation code

Status

Implemented baseline.

Core constant-time primitives are implemented with unit coverage. Remaining work focuses on hardening-oriented review and expanded downstream integration checks.

See ARCHITECTURE.md and ROADMAP.md.