Of all the attacks on cryptographic code, timing attacks may be among the
most insidious. An algorithm that appears to be coded correctly, perhaps
even with a formal proof of its correctness, may be undermined by
information leaked as the result of data-dependent timing differences.
Both Arm and Intel have introduced modes that are intended to help defend
against timing attacks, but the extent to which those modes should be used
in the kernel is still under discussion.