Re: There must be a simpler fix...
Your fix is changing the target of the attack from application space (i.e. browser or ssh session keys) to the kernel - deduce the code encryption keys at the kernel via a timing attack and you're back to the original issue.