CVE-2021-24117

An attacker with system-level (administrator) access to the same physical machine can exploit the Intel SGX side channel by single-stepping the enclave or observing cache-timing variations during PEM file decoding [ref_id=1]. The base64 decoder's table lookup (`decode_table[input[N] as usize]`) leaks the secret key bytes through memory access patterns. This is a controlled-channel attack where the attacker monitors which cache lines are accessed, thereby recovering the RSA private key being decoded [CWE-203].

The vulnerability resides in the base64 decoding logic of the `rust-base64` crate used by Apache Teaclave Rust SGX SDK. The `decode_chunk` function directly indexes into a `decode_table` with the input byte (`decode_table[input[N] as usize]`), which creates a cache-timing side channel because the memory access pattern depends on the secret byte value. The patch introduces a `decode_aligned` function (gated behind `slow_but_safe` feature) that replaces the direct table lookup with a constant-time alternative.

The patch introduces a new `decode_aligned` function (enabled via the `slow_but_safe` feature flag) that performs the table lookup in constant time [ref_id=1]. Instead of directly indexing `decode_table[input[N] as usize]`, it computes two candidate indices (`b64ch % 64` and `b64ch % 64 + 64`) and uses a mask to select the correct result without branching on secret data. This eliminates the cache-timing side channel by ensuring the same memory locations are accessed regardless of the input byte value.