On 7/6/25 15:03, Guido Trentalancia via Gnupg-devel wrote:
[...]
diff -pru a/common/init.c b/common/init.c
--- a/common/init.c 2025-05-25 15:43:45.871984100 +0200
+++ b/common/init.c 2025-07-06 18:24:18.564538076 +0200
[...]
@@ -132,6 +136,29 @@ writestring_via_estream (int mode, const
void
early_system_init (void)
{
+#if defined(__linux__)
+
+/* Disable CPU speculation-related misfeatures which are in
+ * fact vulnerabilities causing data leaks: see the kernel
+ * documentation: Documentation/userspace-api/spec_ctrl.rst
+ *
+ * - Speculative Store Bypass
+ * - Indirect Branch Speculation
+ * - Flush L1D Cache on context switch out of the task
+ */
+#ifdef PR_SPEC_STORE_BYPASS
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE,
0, 0);
+#endif
+
+#ifdef PR_SPEC_INDIRECT_BRANCH
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH)
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);
My understanding is that this prctl(2) call raises SIGBUS unless the
kernel was given a boot option to enable this workaround. If a library
is going to do this behind the main program's back, that library *needs*
to be prepared to catch a SIGBUS at this point.
+#endif
+
+#endif /* __linux__ */
}
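Review bot: the return value of each of the three prctl(2) calls in this hunk is discarded, so a running kernel that rejects the request leaves the process silently unprotected with nothing in the log; the `#ifdef PR_SPEC_*` guards only establish that the macros exist at compile time, not that the kernel honours them. Check each call and report the errno on failure, e.g. `if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0) < 0)`. Separately, those guards do anything only if `<sys/prctl.h>` is included (under HAVE_SYS_PRCTL_H) earlier in the file; that include is not in the visible part of the patch, and without it all three blocks compile to nothing without any warning.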
diff -pru a/configure.ac b/configure.ac
--- a/configure.ac 2025-07-06 18:01:54.128546282 +0200
+++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200
@@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support,
AC_MSG_RESULT($selinux_support)
+# Fix security vulnerability CVE-2020-0550 by enabling
+# Level 1 Data Cache flushing on context switch.
+AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch])
This message is worded very badly: the configure script is *not*
checking whether context switches flush L1; it is checking whether the
configuration option to *request* that context switches flush L1 has
been given.
A better way to word this would be "[whether L1 data cache should be
flushed on context switch]".
+AC_ARG_ENABLE(l1d-cache-flushing,
+ AS_HELP_STRING([--enable-l1d-cache-flushing],
+ [enable L1D cache flushing]),
+ l1d_cache_flushing=$enableval, l1d_cache_flushing=no)
+AC_MSG_RESULT($l1d_cache_flushing)
+
+
AC_MSG_CHECKING([whether to allocate extra secure memory])
AC_ARG_ENABLE(large-secmem,
AS_HELP_STRING([--enable-large-secmem],
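Review bot: the comment `# Fix security vulnerability CVE-2020-0550 by enabling` overstates what this option does: it makes the program ask the kernel for an L1D flush on context switch, and whether that request is honoured is outside configure's control. Word the comment and the help string `[enable L1D cache flushing]` as requesting the flush rather than fixing or enabling anything, and say in the help string that the request is Linux-only, which matches the `#if defined(__linux__)` guard in init.c; users reading `./configure --help` otherwise get no hint that the option is a no-op elsewhere.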
@@ -1313,6 +1323,15 @@ fi
#
+# Level 1 Data Cache flushing on context switch (CVE-2020-0550)
+#
+if test "$l1d_cache_flushing" = yes ; then
+ AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1,
+ [Define to enable Layer 1 Data Cache flushing])
Again, this *enables* nothing; it causes the program to *request* the L1
cache be flushed on context switch.
+fi
+
+
+#
# Checks for header files.
#
AC_MSG_NOTICE([checking for header files])
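Review bot: the AC_DEFINE description `[Define to enable Layer 1 Data Cache flushing]` says "Layer 1" while the comment two lines above says "Level 1 Data Cache"; it is the level-1 cache, so make the description consistent, and, as with the configure message, phrase it as requesting the flush on context switch rather than enabling it.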
@@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te
ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h])
+# See whether libc supports the prctl()
+case "${host}" in
+ *-*-linux*)
+ AC_CHECK_HEADERS([sys/prctl.h])
+ ;;
+esac
+
#
# Checks for typedefs, structures, and compiler characteristics.
#
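Review bot: `AC_CHECK_HEADERS([sys/prctl.h])` defines HAVE_SYS_PRCTL_H, but nothing in the visible init.c hunk tests that symbol: the new code is gated only on `__linux__` and on the PR_SPEC_* macros. Either the `#include <sys/prctl.h>` (not shown in the patch) must be wrapped in `#ifdef HAVE_SYS_PRCTL_H`, or this check is dead. The comment `# See whether libc supports the prctl()` is also slightly off: the header being present says nothing about whether PR_SPEC_STORE_BYPASS and friends are defined by the installed kernel headers, which is what the `#ifdef` guards in init.c actually depend on, so say the check is for the header only.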
[...]
Overall, I am still unconvinced of the appropriateness of this patch.
As I understand, these leaks only matter in multi-tenant systems, or if
Mallory otherwise has access to your machine, in which case you have
bigger problems if your private key is on such a system.
-- Jacob
_______________________________________________
Gnupg-devel mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-devel