[PATCH libgcrypt] Disable CPU speculation-related misfeatures

Guido Trentalancia guido at trentalancia.com
Sun May 25 17:25:56 CEST 2025


Disable CPU speculation-related misfeatures which are in
fact vulnerabilities causing data leaks:

 - Speculative Store Bypass
 - Indirect Branch Speculation
 - Flush L1D Cache on context switch out of the task

For further information see the kernel documentation:
Documentation/userspace-api/spec_ctrl.rst

Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
---
 src/global.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/src/global.c	2024-04-26 14:08:12.000000000 +0200
+++ b/src/global.c	2025-05-25 16:03:24.718598884 +0200
@@ -33,6 +33,7 @@
 #ifdef HAVE_SYSLOG
 # include <syslog.h>
 #endif /*HAVE_SYSLOG*/
+#include <sys/prctl.h>
 
 #include "g10lib.h"
 #include "gcrypt-testapi.h"
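Review bot: `#include <sys/prctl.h>` is added unconditionally, but the surrounding includes are guarded (`HAVE_SYSLOG`) because this file is built on non-Linux targets where that header does not exist and the build would break. Wrap it the same way, e.g. `#ifdef __linux__` / `#include <sys/prctl.h>` / `#endif`, or better a configure-generated guard (an `AC_CHECK_HEADERS` result such as `HAVE_SYS_PRCTL_H`, if the build system is extended for it); the `PR_SPEC_*` `#ifdef`s in the second hunk then still compile out cleanly where the header is absent.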
@@ -95,6 +96,26 @@ global_init (void)
     return;
   _gcry_global_any_init_done = 1;
 
+/* Disable CPU speculation-related misfeatures which are in
+ * fact vulnerabilities causing data leaks: see the kernel
+ * documentation: Documentation/userspace-api/spec_ctrl.rst
+ *
+ * - Speculative Store Bypass
+ * - Indirect Branch Speculation
+ * - Flush L1D Cache on context switch out of the task
+ */
+#ifdef PR_SPEC_STORE_BYPASS
+  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#ifdef PR_SPEC_INDIRECT_BRANCH
+  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#ifdef PR_SPEC_L1D_FLUSH
+  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
   /* Tell the random module that we have seen an init call.  */
   _gcry_set_preferred_rng_type (0);
 
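Review bot: The third call inverts the L1D mitigation: for `PR_SPEC_L1D_FLUSH` the kernel's control is an opt-in, so `PR_SPEC_ENABLE` turns the flush on and `PR_SPEC_DISABLE` turns it off, and as far as I recall `PR_SPEC_FORCE_DISABLE` is rejected (-ERANGE) for this misfeature, so the line would either fail or, with `PR_SPEC_DISABLE`, switch the protection off; the intent stated in the comment needs `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);`. All three return values are discarded, so a kernel that lacks the control (EINVAL), has the mitigation compiled off (EPERM) or does not support the CPU (ENXIO) leaves the process silently unprotected; at minimum capture the result and report it through the file's existing logging so the caller can tell. Note also that `PR_SPEC_FORCE_DISABLE` is irreversible for the lifetime of the process and is inherited by children, so a library imposing it on every host application (with the performance cost of SSBD/STIBP) is a policy decision better exposed as an opt-in to `global_init` rather than hard-wired; the comment block should also be indented to the function body like the `/* Tell the random module ... */` comment below it. `global_init` begins and ends outside this hunk.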


