[$] Constant-time instructions and processor optimizations

Of all the attacks on cryptographic code, timing attacks may be among themost insidious. An algorithm that appears to be coded correctly, perhapseven with a formal proof of its correctness, may be undermined byinformation leaked as the result of data-dependent timing differences.Both Arm and Intel have introduced modes that are intended to help defendagainst timing attacks, but the extent to which those modes should be usedin the kernel is still under discussion.