Please Consider Increasing SECMEM_BUFFER_SIZE To 1048576

Andreas Stieger astieger at suse.com
Fri Oct 13 15:00:00 CEST 2017


Hello,


On 10/13/2017 06:44 AM, Matthew Summers wrote:
> This is following up on an issue that started around in the 2.1.17
> days, and I have been carrying a small patch addressing this for my
> team since we figured it out. This is all documented in an earlier set
> of threads to this ML.
>
> Would you consider increasing SECMEM_BUFFER_SIZE to 1048576 in the
> case where the configure option `large_secmem` = yes, please?
>
> The patch itself is a super trivial in both configure and/or
> configure.ac <http://configure.ac>.
>

You haven't explicitly referenced the rationale for this. Is this about
RSA keys in excession of 4096 bits?

I would like to point out that this creates an issue on systems with the
max locked memory size (ulimit -l) is limited to 64k:
gpg: Warning: using insecure memory!
mlock(0x7f5814308000, 262144) = -1 ENOMEM (Cannot allocate memory)
Thus exposing private key material to being swapped out to permanent
storage. I am not sure if a mere warning is sufficient here.

Andreas

-- 
Andreas Stieger <astieger at suse.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: </pipermail/gnupg-devel/attachments/20171013/32497c67/attachment.sig>


More information about the Gnupg-devel mailing list