> FWIW, newer Intel and AMD chips have instructions for implementing GCM in hardware.
As far as I understand Langley's article, GCM is only one part of the problem. Is the other part of the problem also resolved by those machine instructions?
If it is, would that mean that as long as your SW runs on "newer" machines and actually uses those instructions for AES, you're safe and protected against known side-channel attacks in software?
Also, as far as I understood, OpenSSL is *still* doing table lookups but has reduced the table sizes so as not to cause that much cache churn. Would that have made the attack harder or impossible? Harder by several orders of magnitude or by several factors?
And what about the current typical SW stack? If I do a "cat /proc/memory | grep AES", how many of the typical processes running there actually use safe AES implementations? Does the kernel?