[PATCH libgcrypt] Disable CPU speculation-related misfeatures
Guido Trentalancia
guido at trentalancia.com
Tue May 27 15:46:10 CEST 2025
Here is a list of useful documentation and references...

Informative material: https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

Official CVE classification of the vulnerabilities:
- Speculative Store Bypass (SSB), also known as "Spectre variant 4": CVE-2018-3639 and CVE-2021-0089
- Indirect Branch Speculation, also known as "Spectre variant 2": CVE-2017-5715
- Flush L1D Cache (on context switch out of the task): CVE-2018-3615, CVE-2018-3620, CVE-2018-3646

Vendor classification of the vulnerabilities (Intel only):
- Speculative Store Bypass (SSB), also known as "Spectre variant 4": INTEL-SA-00115 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html) and INTEL-SA-00516 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00516.html)
- Indirect Branch Speculation, also known as "Spectre variant 2": INTEL-SA-00088 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00088.html and https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-target-injection.html)
- Flush L1D Cache (on context switch out of the task): INTEL-SA-00161 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html and https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/l1-terminal-fault.html)

Table of affected processors (Intel only): https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

Vendor classification of the vulnerabilities (AMD): search https://www.amd.com/en/resources/product-security.html

Vendor classification of the vulnerabilities (ARM) with table of affected processors: https://developer.arm.com/documentation/110280/latest/

Additional notes:
- Flush L1D Cache should be disabled by default, although I cannot verify this for all CPU / microcode variants
- booting with the kernel parameter "mitigation=auto" does not necessarily disable all the vulnerabilities!
- in order to fully disable the above-mentioned vulnerabilities at boot time, the following kernel parameters should be used: spec_store_bypass_disable=on spectre_v2=on spectre_v2_user=on
- the proposed patch does not fully disable the above-mentioned vulnerabilities; instead it aims to disable them only for selected patched software (gnupg, libgcrypt and eventually gnutls): this allows keeping execution speed optimizations for software not dealing with security-sensitive data such as cryptographic software

The above information is based on research that I carried out. I hope it helps, although the information provided is not meant to be exhaustive. You are invited to carry out independent additional research if needed...

Regards,
Guido
Regards,
Guido
On Tue, 27/05/2025 at 07.24 +0200, Falko Strenzke wrote:
> Hi Guido,
> is it possible to provide references to publications for the problem
> that you aim to solve?
> Best regards,
> Falko
> On 26.05.25 at 19:11, Guido Trentalancia via Gcrypt-devel wrote:
> > The vulnerabilities being tackled by the patch proposed here are
> > hardware vulnerabilities that exist in the CPU.
> >
> > They were introduced with branch-prediction and other speculative-
> > execution CPU optimizations.
> >
> > Because, once exploited, they materialize in Information Disclosure
> > (data leaks), cryptographic software is the most affected class of
> > software, because cryptographic keys or encrypted data can be leaked.
> >
> > Unfortunately not all of such hardware vulnerabilities can be tackled
> > by a CPU microcode update; some of them need to be tackled in software:
> > this is what this patch aims to do (software-based mitigation of
> > hardware vulnerabilities).
> >
> > An equivalent patch has already been proposed for the gnupg application
> > and another one might be proposed for the gnutls library.
> >
> > In fact, only tackling libgcrypt is not enough, because cryptographic
> > applications such as gnupg also handle the cryptographic keys (e.g.
> > passphrases) and the sensitive data to be encrypted: these are then
> > passed to the libgcrypt cryptographic functions for actual encryption
> > and decryption.
> >
> > The "pros" of this patch are that it avoids the risk of leaking
> > cryptographic keys or decrypted data on CPUs that are affected by those
> > vulnerabilities.
> >
> > The "cons" of this patch are decreased execution speed: this is not
> > normally noticeable to the user.
> >
> > I hope this helps.
> >
> > On Mon, 26/05/2025 at 16.53 +0200, Werner Koch wrote:
> > > On Sun, 25 May 2025 17:25, Guido Trentalancia said:
> > > > Disable CPU speculation-related misfeatures which are in
> > > > fact vulnerabilities causing data leaks:
> > >
> > > Please see my comments on gnupg-devel.
> > >
> > >
> > > Shalom-Salam,
> > >
> > > Werner
> > >
> >
>
> --
> MTG AG
> Dr. Falko Strenzke
> Phone: +49 6151 8000 24
> E-Mail: falko.strenzke at mtg.de
> Web: mtg.de
> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
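The "Additional notes" above contrast the system-wide boot parameters with disabling speculation only for selected programs. On Linux the per-task mechanism for the latter is prctl(PR_SET_SPECULATION_CTRL); the C program below is an added example, not the patch proposed on the list: it opts the calling process out of Speculative Store Bypass and indirect-branch speculation and decodes the state the kernel reports, which also shows when the boot parameters listed above have already mitigated the issue system-wide. The function names spec_state_name, spec_get and spec_force_disable are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>   /* PR_{GET,SET}_SPECULATION_CTRL and PR_SPEC_* (Linux >= 4.17) */

/* Decode a PR_GET_SPECULATION_CTRL result.  Pure, so it is testable without the kernel. */
const char *spec_state_name(long v)
{
    if (v < 0)                     return "unsupported";   /* prctl failed: EINVAL/ENODEV */
    if (v == PR_SPEC_NOT_AFFECTED) return "not-affected";  /* CPU does not have the bug */
    if (!(v & PR_SPEC_PRCTL))      /* no per-task knob: the boot parameter decided */
        return (v & PR_SPEC_DISABLE) ? "mitigated-system-wide" : "unmitigated";
    if (v & PR_SPEC_FORCE_DISABLE) return "force-disabled";
    if (v & PR_SPEC_DISABLE)       return "disabled";
    return "enabled";              /* speculation still on; this task may opt out */
}

/* State of one control (PR_SPEC_STORE_BYPASS / PR_SPEC_INDIRECT_BRANCH) for the
 * calling task; -1 with errno set if the running kernel lacks that control. */
long spec_get(int which)
{
    return prctl(PR_GET_SPECULATION_CTRL, which, 0, 0, 0);
}

/* Opt this task out of one speculation feature; the flag is inherited across
 * fork() and execve().  PR_SPEC_FORCE_DISABLE cannot be undone by the task.
 * Returns 0 on success (or if already mitigated system-wide), else -1 with errno. */
int spec_force_disable(int which)
{
    long cur = spec_get(which);
    if (cur < 0) return -1;
    if (cur == PR_SPEC_NOT_AFFECTED) return 0;
    if (!(cur & PR_SPEC_PRCTL)) {   /* no per-task control: needs the boot parameter */
        if (cur & PR_SPEC_DISABLE) return 0;
        errno = ENOTSUP; return -1;
    }
    return prctl(PR_SET_SPECULATION_CTRL, which, PR_SPEC_FORCE_DISABLE, 0, 0);
}

int main(void)
{
    /* The L1D flush has its own control (PR_SPEC_L1D_FLUSH, Linux 5.15+); not handled here. */
    const int ids[] = { PR_SPEC_STORE_BYPASS, PR_SPEC_INDIRECT_BRANCH };
    const char *names[] = { "spec_store_bypass", "indirect_branch" };
    for (int i = 0; i < 2; i++) {
        printf("%-18s before: %s\n", names[i], spec_state_name(spec_get(ids[i])));
        if (spec_force_disable(ids[i]) != 0)
            printf("%-18s cannot disable: %s\n", names[i], strerror(errno));
        printf("%-18s after:  %s\n", names[i], spec_state_name(spec_get(ids[i])));
    }
    return 0;
}
```

The reported state depends on the booted kernel's spec_store_bypass_disable= and spectre_v2_user= settings: with the "on" values from the notes above the decoder prints "mitigated-system-wide" and the per-task call is a no-op.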