From collin.funk1 at gmail.com Thu Jul 3 04:51:54 2025 From: collin.funk1 at gmail.com (Collin Funk) Date: Wed, 2 Jul 2025 19:51:54 -0700 Subject: [PATCH gpgme] Remove duplicate character passed to strchr. Message-ID: <5e22d59820d24bbcfb99fbc8f5782ea51284d557.1751511107.git.collin.funk1@gmail.com> * src/keylist.c (parse_sec_field15): Remove duplicate '0' character. Signed-off-by: Collin Funk --- src/keylist.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/keylist.c b/src/keylist.c index c0bf2155..7d4c706a 100644 --- a/src/keylist.c +++ b/src/keylist.c @@ -454,7 +454,7 @@ parse_sec_field15 (gpgme_key_t key, gpgme_subkey_t subkey, char *field) subkey->secret = 0; key->secret = 1; } - else if (strchr ("01234567890ABCDEFabcdef", *field)) + else if (strchr ("0123456789ABCDEFabcdef", *field)) { /* Fields starts with a hex digit; thus it is a serial number. */ key->secret = 1; -- 2.50.0 From wk at gnupg.org Thu Jul 3 09:21:26 2025 From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Jul 2025 09:21:26 +0200 Subject: [PATCH gpgme] Remove duplicate character passed to strchr. In-Reply-To: <5e22d59820d24bbcfb99fbc8f5782ea51284d557.1751511107.git.collin.funk1@gmail.com> (Collin Funk via Gnupg-devel's message of "Wed, 2 Jul 2025 19:51:54 -0700") References: <5e22d59820d24bbcfb99fbc8f5782ea51284d557.1751511107.git.collin.funk1@gmail.com> Message-ID: <87h5zt91u1.fsf@jacob.g10code.de> On Wed, 2 Jul 2025 19:51, Collin Funk said: > * src/keylist.c (parse_sec_field15): Remove duplicate '0' character. Thanks. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein From wk at gnupg.org Thu Jul 3 09:24:32 2025
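Review bot: The dropped '0' in the strchr character set is correct and purely cosmetic, but the branch still depends on how strchr treats the terminator: strchr (s, '\0') returns a pointer to the terminating NUL rather than NULL, so an empty field would satisfy the condition and be classified as a serial number. If parse_sec_field15 can be handed an empty string (nothing above the hunk in this excerpt rules it out), guard the test with `*field &&`, or reject the empty field before reaching this else-if chain.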
From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Jul 2025 09:24:32 +0200 Subject: [PATCH gnupg v2] Disable CPU speculation-related misfeatures In-Reply-To: <1751021219.6405.6.camel@trentalancia.com> (Guido Trentalancia's message of "Fri, 27 Jun 2025 12:46:59 +0200") References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> Message-ID: <87cyah91ov.fsf@jacob.g10code.de> Hi! I and others already explained that the way you propose the patches is not acceptable: - No autoconf macros and possibly tests to decide whether to use the feature. - No proper ChangeLog (see gnupg/doc/HACKING) Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein From collin.funk1 at gmail.com Fri Jul 4 05:34:05 2025 From: collin.funk1 at gmail.com (Collin Funk) Date: Thu, 3 Jul 2025 20:34:05 -0700 Subject: [PATCH gpgme] Fix an uninitialized variable. Message-ID: <5b1f676a4db6395e4919281b77b97e13256fe012.1751600035.git.collin.funk1@gmail.com> * src/engine-gpg.c (gpg_getdirect): Initialize ERR to zero to satisfy the loop condition. -- Fixes-commit: 0a64c7d0c6d0463cf2e06b3a01ef5be4d879bcf0 Signed-off-by: Collin Funk --- src/engine-gpg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/engine-gpg.c b/src/engine-gpg.c index b3399027..c6c5c4e6 100644 --- a/src/engine-gpg.c +++ b/src/engine-gpg.c @@ -4226,7 +4226,7 @@ gpg_getdirect (void *engine, const char *argv[], gpgme_data_t dataout, unsigned int flags) { engine_gpg_t gpg = engine; - gpgme_error_t err; + gpgme_error_t err = 0; int i; if (!engine || !argv || !dataout || flags) -- 2.50.0 From collin.funk1 at gmail.com Fri Jul 4 05:42:43 2025
From: collin.funk1 at gmail.com (Collin Funk) Date: Thu, 03 Jul 2025 20:42:43 -0700 Subject: [PATCH gpgme] Fix an uninitialized variable. In-Reply-To: <5b1f676a4db6395e4919281b77b97e13256fe012.1751600035.git.collin.funk1@gmail.com> References: <5b1f676a4db6395e4919281b77b97e13256fe012.1751600035.git.collin.funk1@gmail.com> Message-ID: <87h5zs7hak.fsf@gmail.com> Collin Funk writes: > * src/engine-gpg.c (gpg_getdirect): Initialize ERR to zero to satisfy > the loop condition. > > -- > > Fixes-commit: 0a64c7d0c6d0463cf2e06b3a01ef5be4d879bcf0 > Signed-off-by: Collin Funk > --- > src/engine-gpg.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/engine-gpg.c b/src/engine-gpg.c > index b3399027..c6c5c4e6 100644 > --- a/src/engine-gpg.c > +++ b/src/engine-gpg.c > @@ -4226,7 +4226,7 @@ gpg_getdirect (void *engine, const char *argv[], > gpgme_data_t dataout, unsigned int flags) > { > engine_gpg_t gpg = engine; > - gpgme_error_t err; > + gpgme_error_t err = 0; > int i; > > if (!engine || !argv || !dataout || flags) Hi Werner, forgot to CC. Looks like this was from that commit a few months ago. The original code: gpgme_error_t err; int i; if (!engine || !argv || !dataout || flags) return gpg_error (GPG_ERR_INV_VALUE); for (i=0; !err && argv[i]; i++) if ((err = add_arg (gpg, argv[i]))) return err; Basically, the first iteration will always read an uninitialized variable. Seems mostly harmless and will probably mostly work, but UB is UB. :) Collin From guido at trentalancia.com Fri Jul 4 16:00:49 2025
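Review bot: Initialising err to 0 does remove the read of an indeterminate value in the loop condition, but the `!err` test it satisfies is dead code: as the loop shown above makes clear, the body returns the moment add_arg fails, so err is always 0 when the condition is re-evaluated. Simplifying the loop to `for (i = 0; argv[i]; i++)` removes the need for the initialiser altogether and states the intent more plainly than an initialiser whose only job is to keep a redundant check happy. The Fixes-commit trailer is welcome; a one-line mention that gpg_getdirect was introduced by that commit would help anyone bisecting later.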
From: guido at trentalancia.com (Guido Trentalancia) Date: Fri, 04 Jul 2025 16:00:49 +0200 Subject: [PATCH gnupg v3] Disable CPU speculation-related misfeatures In-Reply-To: <87cyah91ov.fsf@jacob.g10code.de> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> Message-ID: <1751637649.6137.2.camel@trentalancia.com> I have reformatted the commit log according to the gnupg coding style as in gnupg/doc/HACKING and created a v3 patch which follows. common: Disable CPU speculation-related misfeatures * common/init.c (early_system_init): Disable CPU speculation-related misfeatures which are in fact vulnerabilities causing data leaks: - Speculative Store Bypass - Indirect Branch Speculation - Flush L1D Cache on context switch out of the task For further information see the kernel documentation: Documentation/userspace-api/spec_ctrl.rst Signed-off-by: Guido Trentalancia diff -pru a/common/init.c b/common/init.c --- a/common/init.c 2024-05-15 12:33:38.000000000 +0200 +++ b/common/init.c 2025-06-27 12:35:33.543235132 +0200 @@ -29,6 +29,10 @@ #include +#if defined(__linux__) +# include +#endif + #ifdef HAVE_W32_SYSTEM # if _WIN32_WINNT < 0x0600 # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */ 
@@ -131,6 +135,29 @@ writestring_via_estream (int mode, const void early_system_init (void) { +#if defined(__linux__) + +/* Disable CPU speculation-related misfeatures which are in + * fact vulnerabilities causing data leaks: see the kernel + * documentation: Documentation/userspace-api/spec_ctrl.rst + * + * - Speculative Store Bypass + * - Indirect Branch Speculation + * - Flush L1D Cache on context switch out of the task + */ +#ifdef PR_SPEC_STORE_BYPASS + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_INDIRECT_BRANCH + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_L1D_FLUSH + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#endif /* __linux__ */ } On Thu, 03/07/2025 at 09.24 +0200, Werner Koch wrote: > Hi! > > I and others already explained that the way you propose the patches is > not acceptable: > > - No autoconf macros and possibly tests to decide whether to use the > feature. > > - No proper ChangeLog (see gnupg/doc/HACKING) > > > > Shalom-Salam, > > Werner > From wk at gnupg.org Sat Jul 5 13:06:38 2025
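Review bot: The include hunk selects the header with `#if defined(__linux__)` rather than with a configure result, which is exactly the autoconf point raised upthread: add AC_CHECK_HEADERS([sys/prctl.h]) to configure.ac and include under `#ifdef HAVE_SYS_PRCTL_H`, so that a Linux build whose libc or kernel headers lack the file fails at configure time with a clear message instead of at compile time, and so that the feature is selectable per build rather than hard-wired to the OS name. Also note that the header name after `# include` has been lost in the archived copy of the hunk; make sure it survives in the resubmission.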
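Review bot: All three prctl() calls in the early_system_init hunk discard their return value, so a failure (EINVAL on a kernel without the feature, ENXIO when the mitigation is not controllable per task) is indistinguishable from success; at minimum consult PR_GET_SPECULATION_CTRL first and report a failed PR_SET through log_info so an administrator can tell from the log whether the process actually runs mitigated. Two semantic problems in the same hunk: PR_SPEC_FORCE_DISABLE cannot be undone by the task and the state is inherited across fork and preserved across execve, so every program gnupg spawns (gpg-agent, pinentry, dirmngr, external helpers) runs with store-bypass and indirect-branch speculation disabled and cannot re-enable it, which should be a deliberate, documented decision rather than a side effect of this function; and applying PR_SPEC_FORCE_DISABLE to PR_SPEC_L1D_FLUSH turns the L1D flush off, the opposite of the mitigation the comment block describes (the flush is an opt-in, so enabling it would be PR_SPEC_ENABLE). The comment block is also not indented with the function body, unlike the surrounding code.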
From: wk at gnupg.org (Werner Koch) Date: Sat, 05 Jul 2025 13:06:38 +0200 Subject: [PATCH gpgme] Fix an uninitialized variable. In-Reply-To: <87h5zs7hak.fsf@gmail.com> (Collin Funk via Gnupg-devel's message of "Thu, 03 Jul 2025 20:42:43 -0700") References: <5b1f676a4db6395e4919281b77b97e13256fe012.1751600035.git.collin.funk1@gmail.com> <87h5zs7hak.fsf@gmail.com> Message-ID: <877c0m522p.fsf@jacob.g10code.de> On Thu, 3 Jul 2025 20:42, Collin Funk said: > for (i=0; !err && argv[i]; i++) > Basically, the first iteration will always read an uninitialized > variable. Seems mostly harmless and will probably mostly work, but UB is > UB. :) I would not call that an undefined behaviour but a plain bug. My fault :-( Thanks for reporting. Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein From jussi.kivilinna at iki.fi Sat Jul 5 13:37:19 2025
From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Sat, 5 Jul 2025 14:37:19 +0300 Subject: [PATCH gnupg v3] Disable CPU speculation-related misfeatures In-Reply-To: <1751637649.6137.2.camel@trentalancia.com> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> Message-ID: On 04/07/2025 17:00, Guido Trentalancia via Gnupg-devel wrote: > I have reformatted the commit log according to the gnupg coding style > as in gnupg/doc/HACKING and created a v3 patch which follows. > > common: Disable CPU speculation-related misfeatures > > * common/init.c (early_system_init): Disable CPU > speculation-related misfeatures which are in fact > vulnerabilities causing data leaks: > > - Speculative Store Bypass > - Indirect Branch Speculation > - Flush L1D Cache on context switch out of the task > > For further information see the kernel documentation: > Documentation/userspace-api/spec_ctrl.rst > > Signed-off-by: Guido Trentalancia > > diff -pru a/common/init.c b/common/init.c > --- a/common/init.c 2024-05-15 12:33:38.000000000 +0200 > +++ b/common/init.c 2025-06-27 12:35:33.543235132 +0200 > @@ -29,6 +29,10 @@ > > #include > > +#if defined(__linux__) > +# include > +#endif > + > #ifdef HAVE_W32_SYSTEM > # if _WIN32_WINNT < 0x0600 > # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */ 
> @@ -131,6 +135,29 @@ writestring_via_estream (int mode, const > void > early_system_init (void) > { > +#if defined(__linux__) > + > +/* Disable CPU speculation-related misfeatures which are in > + * fact vulnerabilities causing data leaks: see the kernel > + * documentation: Documentation/userspace-api/spec_ctrl.rst > + * > + * - Speculative Store Bypass > + * - Indirect Branch Speculation > + * - Flush L1D Cache on context switch out of the task > + */ > +#ifdef PR_SPEC_STORE_BYPASS > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#ifdef PR_SPEC_INDIRECT_BRANCH > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#ifdef PR_SPEC_L1D_FLUSH > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif There is additional documentation of PR_SET_L1D_FLUSH at https://docs.kernel.org/admin-guide/hw-vuln/l1d_flush.html There are a few limitations that might be interesting from the gnupg point of view: - "The kernel command line allows to control the L1D flush mitigations at boot time with the option 'l1d_flush='. on | Enables the prctl interface, applications trying to use the prctl() will fail with an error if l1d_flush is not enabled By default the mechanism is disabled." - "NOTE : The opt-in of a task for L1D flushing works only when the task's affinity is limited to cores running in non-SMT mode. If a task which requested L1D flushing is scheduled on a SMT-enabled core the kernel sends a SIGBUS to the task." Is it really a good idea to just blindly enable this like done here? Is crashing on SIGBUS acceptable behavior? I see that there was some heated discussion on this setting on the linux kernel mailing list when there was a first attempt to introduce this to the kernel [1]. Which makes me wonder if changing this setting is a good idea at all.
-Jussi [1] https://lore.kernel.org/lkml/CAHk-=wgXf_wQ9zrJKv2Hy4EpEbLuqty-Cjbs2u00gm7XcYHBfw@mail.gmail.com/ > + > +#endif /* __linux__ */ > } > > > > On Thu, 03/07/2025 at 09.24 +0200, Werner Koch wrote: >> Hi! >> >> I and others already explained that the way you propose the patches is >> not acceptable: >> >> - No autoconf macros and possibly tests to decide whether to use the >> feature. >> >> - No proper ChangeLog (see gnupg/doc/HACKING) >> >> >> >> Shalom-Salam, >> >> Werner >> > > _______________________________________________ > Gnupg-devel mailing list > Gnupg-devel at gnupg.org > https://lists.gnupg.org/mailman/listinfo/gnupg-devel From guido at trentalancia.com Sun Jul 6 17:10:07 2025
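As an added example (not gnupg code and not part of any patch in this thread), here is the non-blind version of the opt-in Jussi is questioning: query PR_GET_SPECULATION_CTRL, act only when the kernel reports per-task control, and keep the result of PR_SET_SPECULATION_CTRL so it can be logged. The PR_* constants are the real ones from linux/prctl.h; spec_decide, spec_apply and the enum names are hypothetical helpers written for this example. The policy in main is constructed for illustration and uses the reversible PR_SPEC_DISABLE; restricting affinity to non-SMT cores before the L1D opt-in, which the kernel documentation requires, is left to the caller.

```c
/* Added example (not gnupg code): query the task's speculation-control
 * state before changing it and keep prctl()'s result, instead of calling
 * PR_SET_SPECULATION_CTRL blindly.  spec_decide, spec_apply and the enum
 * names are hypothetical helpers written for this example. */
#include <errno.h>
#include <stdio.h>

#ifdef __linux__
# include <sys/prctl.h>
#endif

/* Fallbacks for headers that predate the interface; values as in linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
# define PR_GET_SPECULATION_CTRL 52
# define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
# define PR_SPEC_STORE_BYPASS  0
# define PR_SPEC_NOT_AFFECTED  0
# define PR_SPEC_PRCTL         (1UL << 0)
# define PR_SPEC_ENABLE        (1UL << 1)
# define PR_SPEC_DISABLE       (1UL << 2)
# define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
# define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_L1D_FLUSH
# define PR_SPEC_L1D_FLUSH 2
#endif

/* What a PR_GET_SPECULATION_CTRL result means for the caller's intent. */
enum spec_action
  {
    SPEC_NOT_AFFECTED, /* kernel says this CPU is not vulnerable */
    SPEC_NO_PRCTL,     /* no per-task control: unknown feature, global
                          policy, or l1d_flush not enabled at boot */
    SPEC_ALREADY_SET,  /* task already in the wanted state */
    SPEC_APPLY         /* a PR_SET_SPECULATION_CTRL call is needed */
  };

/* STATUS is the raw PR_GET result (-1 on error).  WANT is the control value
 * to be set: PR_SPEC_DISABLE / PR_SPEC_FORCE_DISABLE for the two speculation
 * misfeatures, PR_SPEC_ENABLE to opt in to L1D flushing.  Pure function, so
 * it can be tested on a machine without the feature. */
enum spec_action
spec_decide (long status, unsigned long want)
{
  if (status < 0)
    return SPEC_NO_PRCTL;              /* EINVAL: feature unknown here */
  if (status == PR_SPEC_NOT_AFFECTED)
    return SPEC_NOT_AFFECTED;
  if (!(status & PR_SPEC_PRCTL))
    return SPEC_NO_PRCTL;              /* state fixed by kernel policy */
  if (want == PR_SPEC_ENABLE)
    return (status & PR_SPEC_ENABLE) ? SPEC_ALREADY_SET : SPEC_APPLY;
  return (status & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE))
         ? SPEC_ALREADY_SET : SPEC_APPLY;
}

/* Outcome of one attempt; a caller should log anything but OK and SKIPPED. */
enum spec_result
  { SPEC_OK, SPEC_SKIPPED, SPEC_UNSUPPORTED, SPEC_REFUSED, SPEC_FAILED };

enum spec_result
spec_apply (int feature, unsigned long want)
{
#ifdef __linux__
  long status = prctl (PR_GET_SPECULATION_CTRL, feature, 0, 0, 0);

  switch (spec_decide (status, want))
    {
    case SPEC_NOT_AFFECTED:
    case SPEC_ALREADY_SET: return SPEC_SKIPPED;
    case SPEC_NO_PRCTL:    return SPEC_UNSUPPORTED;
    case SPEC_APPLY:       break;
    }
  if (prctl (PR_SET_SPECULATION_CTRL, feature, want, 0, 0) == 0)
    return SPEC_OK;
  /* prctl(2): EPERM when the kernel refuses (e.g. re-enabling after a
   * PR_SPEC_FORCE_DISABLE), ENXIO when not controllable this way,
   * ERANGE for a bad WANT value. */
  return errno == EPERM ? SPEC_REFUSED : SPEC_FAILED;
#else
  (void)feature; (void)want;
  return SPEC_UNSUPPORTED;
#endif
}

static const char *
spec_result_name (enum spec_result r)
{
  static const char *const names[] =
    { "applied", "skipped", "unsupported", "refused", "failed" };
  return names[r];
}

int
main (void)
{
  /* Constructed demo policy: the reversible PR_SPEC_DISABLE is used so that
   * running the example does not pin the process permanently; a hardened
   * init would use PR_SPEC_FORCE_DISABLE.  Pinning affinity to non-SMT cores
   * before the L1D opt-in (see l1d_flush.rst) is the caller's job. */
  printf ("store bypass:    %s\n",
          spec_result_name (spec_apply (PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE)));
  printf ("indirect branch: %s\n",
          spec_result_name (spec_apply (PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE)));
  printf ("l1d flush:       %s\n",
          spec_result_name (spec_apply (PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE)));
  return 0;
}
```

The PR_SPEC_PRCTL check is what turns the "kernel not booted with l1d_flush=on" case into a clean "unsupported" before any PR_SET is attempted, and it is also what distinguishes "already mitigated by a global kernel policy" from "nothing done". What it cannot see is SMT topology: the SIGBUS case in the kernel documentation can only be avoided by restricting affinity before opting in, which is why an unconditional opt-in in early_system_init is risky.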
From: guido at trentalancia.com (Guido Trentalancia) Date: Sun, 06 Jul 2025 17:10:07 +0200 Subject: [PATCH gnupg v3] Disable CPU speculation-related misfeatures In-Reply-To: References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> Message-ID: <1751814607.10569.5.camel@trentalancia.com> Please note that Level 1 Data Cache flushing is disabled. So, at the moment the corresponding vulnerability CVE-2020-0550 is not being addressed. That specific part can be enabled at a later time with an additional patch, for example through a specific autoconf configure option (say --enable-l1d-cache-flushing or --enable-fix-CVE-2020-0550). Guido On Sat, 05/07/2025 at 14.37 +0300, Jussi Kivilinna wrote: > On 04/07/2025 17:00, Guido Trentalancia via Gnupg-devel wrote: > > I have reformatted the commit log according to the gnupg coding > > style > > as in gnupg/doc/HACKING and created a v3 patch which follows. > > > > common: Disable CPU speculation-related misfeatures > > > > * common/init.c (early_system_init): Disable CPU > > speculation-related misfeatures which are in fact > > vulnerabilities causing data leaks: > > > > - Speculative Store Bypass > > - Indirect Branch Speculation > > - Flush L1D Cache on context switch out of the task > > > > For further information see the kernel documentation: > > Documentation/userspace-api/spec_ctrl.rst > > > > Signed-off-by: Guido Trentalancia > > > > diff -pru a/common/init.c b/common/init.c > > --- a/common/init.c 2024-05-15 12:33:38.000000000 +0200 > > +++ b/common/init.c 2025-06-27 12:35:33.543235132 +0200 > > @@ -29,6 +29,10 @@ > > > > #include > > > > +#if defined(__linux__) > > +# include > > +#endif > > + > > #ifdef HAVE_W32_SYSTEM > > # if _WIN32_WINNT < 0x0600 > > # define _WIN32_WINNT 0x0600 /* Required for > > SetProcessDEPPolicy. */
> > @@ -131,6 +135,29 @@ writestring_via_estream (int mode, const > > void > > early_system_init (void) > > { > > +#if defined(__linux__) > > + > > +/* Disable CPU speculation-related misfeatures which are in > > + * fact vulnerabilities causing data leaks: see the kernel > > + * documentation: Documentation/userspace-api/spec_ctrl.rst > > + * > > + * - Speculative Store Bypass > > + * - Indirect Branch Speculation > > + * - Flush L1D Cache on context switch out of the task > > + */ > > +#ifdef PR_SPEC_STORE_BYPASS > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#ifdef PR_SPEC_L1D_FLUSH > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > There is additional documentation of PR_SET_L1D_FLUSH at > https://docs.kernel.org/admin-guide/hw-vuln/l1d_flush.html > > There are a few limitations that might be interesting from the gnupg point of > view: > - "The kernel command line allows to control the L1D flush > mitigations > at boot time with the option 'l1d_flush='. > on | Enables the prctl interface, applications trying to use > the prctl() > will fail with an error if l1d_flush is not enabled > By default the mechanism is disabled." > - "NOTE : The opt-in of a task for L1D flushing works only when the > task's > affinity is limited to cores running in non-SMT mode. If a task > which > requested L1D flushing is scheduled on a SMT-enabled core the > kernel > sends a SIGBUS to the task." > > Is it really a good idea to just blindly enable this like done > here? Is crashing on SIGBUS acceptable behavior? > > I see that there was some heated discussion on this setting on the linux > kernel mailing list when there was a first attempt to introduce this > to the kernel [1].
Which makes me wonder if changing this setting is a good > idea at all. > > -Jussi > > [1] https://lore.kernel.org/lkml/CAHk-=wgXf_wQ9zrJKv2Hy4EpEbLuqty-Cjb > s2u00gm7XcYHBfw at mail.gmail.com/ > > > + > > +#endif /* __linux__ */ > > } > > > > > > > > On Thu, 03/07/2025 at 09.24 +0200, Werner Koch wrote: > > > Hi! > > > > > > I and others already explained that the way you propose the > > > patches is > > > not acceptable: > > > > > > - No autoconf macros and possibly tests to decide whether to use > > > the > > > feature. > > > > > > - No proper ChangeLog (see gnupg/doc/HACKING) > > > > > > > > > > > > Shalom-Salam, > > > > > > Werner > > > > > From guido at trentalancia.com Sun Jul 6 21:50:52 2025
From: guido at trentalancia.com (Guido Trentalancia) Date: Sun, 06 Jul 2025 21:50:52 +0200 Subject: [PATCH gnupg v4] Disable CPU speculation-related misfeatures In-Reply-To: <1751814607.10569.5.camel@trentalancia.com> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> Message-ID: <1751831452.25372.4.camel@trentalancia.com> The following new v4 version has been created taking into account more recent discussions on the L1 Data Cache vulnerability. It should cater to the needs of most users, while it can also be configured for special cases... common: Disable CPU speculation-related misfeatures * configure.ac: add a new L1D Cache flushing option (--enable-l1d-cache-flushing) to fix CVE-2020-0550 and check for sys/prctl.h * common/init.c (early_system_init): Disable CPU speculation-related misfeatures which are in fact vulnerabilities causing data leaks: - Speculative Store Bypass (always disabled) - Indirect Branch Speculation (always disabled) - Flush L1D Cache on context switch out of the task (use the --enable-l1d-cache-flushing configure option to mitigate the vulnerability) For further information see the kernel documentation: Documentation/userspace-api/spec_ctrl.rst Documentation/admin-guide/hw-vuln/l1d_flush.rst Signed-off-by: Guido Trentalancia diff -pru a/common/init.c b/common/init.c --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 +++ b/common/init.c 2025-07-06 18:24:18.564538076 +0200 @@ -29,6 +29,10 @@ #include +#if defined(__linux__) +# include +#endif + #ifdef HAVE_W32_SYSTEM # if _WIN32_WINNT < 0x0600 # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */ 
@@ -132,6 +136,29 @@ writestring_via_estream (int mode, const void early_system_init (void) { +#if defined(__linux__) + +/* Disable CPU speculation-related misfeatures which are in + * fact vulnerabilities causing data leaks: see the kernel + * documentation: Documentation/userspace-api/spec_ctrl.rst + * + * - Speculative Store Bypass + * - Indirect Branch Speculation + * - Flush L1D Cache on context switch out of the task + */ +#ifdef PR_SPEC_STORE_BYPASS + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_INDIRECT_BRANCH + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0); +#endif + +#endif /* __linux__ */ } diff -pru a/configure.ac b/configure.ac --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 +++ b/configure.ac 2025-07-06 21:34:17.915056552 +0200 @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, AC_MSG_RESULT($selinux_support) +# Fix security vulnerability CVE-2020-0550 by enabling +# Level 1 Data Cache flushing on context switch. +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch]) +AC_ARG_ENABLE(l1d-cache-flushing, + AS_HELP_STRING([--enable-l1d-cache-flushing], + [enable L1D cache flushing]), + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) +AC_MSG_RESULT($l1d_cache_flushing) + + AC_MSG_CHECKING([whether to allocate extra secure memory]) AC_ARG_ENABLE(large-secmem, AS_HELP_STRING([--enable-large-secmem], 
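Review bot: The comment block in the early_system_init hunk is now wrong: it still lists "Flush L1D Cache on context switch out of the task" among the misfeatures being disabled, while the code under ENABLE_L1D_CACHE_FLUSH opts in with PR_SPEC_ENABLE. Update the comment, and spell out there the two consequences Jussi quoted from l1d_flush.rst: the call fails unless the kernel was booted with l1d_flush=on, and an opted-in task scheduled on an SMT sibling is killed with SIGBUS. Neither is handled, because the prctl() return value is still dropped; check it, and query PR_GET_SPECULATION_CTRL for the PR_SPEC_PRCTL bit before opting in, so a build with the option enabled degrades to a logged "not available" instead of silently doing nothing or, worse, crashing later under load.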
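Review bot: In the configure.ac hunk, the AC_MSG_CHECKING text "whether Level 1 Data Cache is flushed on context switch" describes a runtime property that configure does not check; it only records the user's choice. Phrase it like the neighbouring options ("whether to enable L1D cache flushing"), and let the AS_HELP_STRING name the kernel prerequisites (l1d_flush=on at boot, affinity restricted to non-SMT cores), since a user who turns this on without them gets either no effect or a SIGBUS. The comment "# Fix security vulnerability CVE-2020-0550" also overstates what an opt-in flush of one process's L1D achieves; "mitigate", as in the commit message, is the accurate word.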
@@ -1313,13 +1323,23 @@ fi # +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) +# +if test "$l1d_cache_flushing" = yes ; then + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, + [Define to enable Layer 1 Data Cache flushing]) +fi + + +# # Checks for header files. # AC_MSG_NOTICE([checking for header files]) AC_CHECK_HEADERS([unistd.h langinfo.h termio.h locale.h \ pwd.h inttypes.h signal.h sys/select.h sys/time.h \ stdint.h signal.h termios.h \ - ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) + ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h \ + sys/prctl.h]) # On Sun, 06/07/2025 at 17.10 +0200, Guido Trentalancia via Gnupg-devel wrote: > Please note that Level 1 Data Cache flushing is disabled. > > So, at the moment the corresponding vulnerability CVE-2020-0550 is > not > being addressed. > > That specific part can be enabled at a later time with an additional > patch, for example through a specific autoconf configure option (say > -- > enable-l1d-cache-flushing or --enable-fix-CVE-2020-0550). > > Guido > > On Sat, 05/07/2025 at 14.37 +0300, Jussi Kivilinna wrote: > > On 04/07/2025 17:00, Guido Trentalancia via Gnupg-devel wrote: > > > I have reformatted the commit log according to the gnupg coding > > > style > > > as in gnupg/doc/HACKING and created a v3 patch which follows. > > > > > > common: Disable CPU speculation-related misfeatures > > > > > > * common/init.c (early_system_init): Disable CPU > > > speculation-related misfeatures which are in fact > > > vulnerabilities causing data leaks: > > > > > > - Speculative Store Bypass > > > - Indirect Branch Speculation > > > - Flush L1D Cache on context switch out of the task > > > > > > For further information see the kernel documentation: > > > Documentation/userspace-api/spec_ctrl.rst > > > > > > Signed-off-by: Guido Trentalancia > > > > > > diff -pru a/common/init.c b/common/init.c > > > --- a/common/init.c 2024-05-15 12:33:38.000000000 +0200 > > > +++ b/common/init.c 2025-06-27 12:35:33.543235132 +0200 
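Review bot: ENABLE_L1D_CACHE_FLUSH is AC_DEFINEd from $l1d_cache_flushing alone, independent of whether the sys/prctl.h added to AC_CHECK_HEADERS just below was actually found, so --enable-l1d-cache-flushing on a system without the header (or on non-Linux) configures successfully and then compiles to nothing, because init.c additionally guards on PR_SPEC_L1D_FLUSH. Either AC_MSG_ERROR when the option is enabled but the header is missing, or AC_MSG_WARN and reset l1d_cache_flushing=no, so the user learns at configure time that the requested mitigation will not be built. The AC_DEFINE description also says "Layer 1 Data Cache" where the rest of the patch says "Level 1".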
> > > @@ -29,6 +29,10 @@ > > > > > > #include > > > > > > +#if defined(__linux__) > > > +# include > > > +#endif > > > + > > > #ifdef HAVE_W32_SYSTEM > > > # if _WIN32_WINNT < 0x0600 > > > # define _WIN32_WINNT 0x0600 /* Required for > > > SetProcessDEPPolicy. */ 
> > > @@ -131,6 +135,29 @@ writestring_via_estream (int mode, const > > > void > > > early_system_init (void) > > > { > > > +#if defined(__linux__) > > > + > > > +/* Disable CPU speculation-related misfeatures which are in > > > + * fact vulnerabilities causing data leaks: see the kernel > > > + * documentation: Documentation/userspace-api/spec_ctrl.rst > > > + * > > > + * - Speculative Store Bypass > > > + * - Indirect Branch Speculation > > > + * - Flush L1D Cache on context switch out of the task > > > + */ > > > +#ifdef PR_SPEC_STORE_BYPASS > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > +#endif > > > + > > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > +#endif > > > + > > > +#ifdef PR_SPEC_L1D_FLUSH > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > +#endif > > > > There is additional documentation of PR_SET_L1D_FLUSH at > > https://docs.kernel.org/admin-guide/hw-vuln/l1d_flush.html > > > > There are a few limitations that might be interesting from the gnupg point > > of > > view: > > - "The kernel command line allows to control the L1D flush > > mitigations > > at boot time with the option 'l1d_flush='. > > on | Enables the prctl interface, applications trying to use > > the prctl() > > will fail with an error if l1d_flush is not enabled > > By default the mechanism is disabled." > > - "NOTE : The opt-in of a task for L1D flushing works only when > > the > > task's > > affinity is limited to cores running in non-SMT mode. If a > > task > > which > > requested L1D flushing is scheduled on a SMT-enabled core the > > kernel > > sends a SIGBUS to the task." > > > > Is it really a good idea to just blindly enable this like done > > here? Is crashing on SIGBUS acceptable behavior?
> > > > I see that there was some heated discussion on this setting on the > > linux > > kernel mailing list when there was a first attempt to introduce this > > to the kernel [1]. Which makes me wonder if changing this setting is > > a good > > idea at all. > > > > -Jussi > > > > [1] https://lore.kernel.org/lkml/CAHk-=wgXf_wQ9zrJKv2Hy4EpEbLuqty-C > > jb > > s2u00gm7XcYHBfw at mail.gmail.com/ > > > > > + > > > +#endif /* __linux__ */ > > > } > > > > > > > > > > > > On Thu, 03/07/2025 at 09.24 +0200, Werner Koch wrote: > > > > Hi! > > > > > > > > I and others already explained that the way you propose the > > > > patches is > > > > not acceptable: > > > > > > > > - No autoconf macros and possibly tests to decide whether to > > > > use > > > > the > > > > feature. > > > > > > > > - No proper ChangeLog (see gnupg/doc/HACKING) > > > > > > > > > > > > > > > > Shalom-Salam, > > > > > > > > Werner > > > > > > > > > > From guido at trentalancia.com Sun Jul 6 22:03:56 2025
From: guido at trentalancia.com (Guido Trentalancia) Date: Sun, 06 Jul 2025 22:03:56 +0200 Subject: [PATCH gnupg v5] Disable CPU speculation-related misfeatures In-Reply-To: <1751831452.25372.4.camel@trentalancia.com> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> Message-ID: <1751832236.25372.6.camel@trentalancia.com> Same as v4, but avoiding possible build failures on non-linux systems. common: Disable CPU speculation-related misfeatures * configure.ac: add a new L1D Cache flushing option (--enable-l1d-cache-flushing) to fix CVE-2020-0550 and check for sys/prctl.h on Linux systems * common/init.c (early_system_init): Disable CPU speculation-related misfeatures which are in fact vulnerabilities causing data leaks: - Speculative Store Bypass (always disabled) - Indirect Branch Speculation (always disabled) - Flush L1D Cache on context switch out of the task (use the --enable-l1d-cache-flushing configure option to mitigate the vulnerability) For further information see the kernel documentation: Documentation/userspace-api/spec_ctrl.rst Documentation/admin-guide/hw-vuln/l1d_flush.rst Signed-off-by: Guido Trentalancia diff -pru a/common/init.c b/common/init.c --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 +++ b/common/init.c 2025-07-06 18:24:18.564538076 +0200 @@ -29,6 +29,10 @@ #include +#if defined(__linux__) +# include +#endif + #ifdef HAVE_W32_SYSTEM # if _WIN32_WINNT < 0x0600 # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */ 
@@ -132,6 +136,29 @@ writestring_via_estream (int mode, const void early_system_init (void) { +#if defined(__linux__) + +/* Disable CPU speculation-related misfeatures which are in + * fact vulnerabilities causing data leaks: see the kernel + * documentation: Documentation/userspace-api/spec_ctrl.rst + * + * - Speculative Store Bypass + * - Indirect Branch Speculation + * - Flush L1D Cache on context switch out of the task + */ +#ifdef PR_SPEC_STORE_BYPASS + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_INDIRECT_BRANCH + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0); +#endif + +#endif /* __linux__ */ } diff -pru a/configure.ac b/configure.ac --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, AC_MSG_RESULT($selinux_support) +# Fix security vulnerability CVE-2020-0550 by enabling +# Level 1 Data Cache flushing on context switch. +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch]) +AC_ARG_ENABLE(l1d-cache-flushing, + AS_HELP_STRING([--enable-l1d-cache-flushing], + [enable L1D cache flushing]), + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) +AC_MSG_RESULT($l1d_cache_flushing) + + AC_MSG_CHECKING([whether to allocate extra secure memory]) AC_ARG_ENABLE(large-secmem, AS_HELP_STRING([--enable-large-secmem], @@ -1313,6 +1323,15 @@ fi # +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) +# +if test "$l1d_cache_flushing" = yes ; then + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, + [Define to enable Layer 1 Data Cache flushing]) +fi + + +# # Checks for header files. # AC_MSG_NOTICE([checking for header files]) 
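Review bot: In the early_system_init hunk the `#ifdef PR_SPEC_STORE_BYPASS` / `PR_SPEC_INDIRECT_BRANCH` / `PR_SPEC_L1D_FLUSH` guards make the mitigation depend on the headers the binary was built against, not on the kernel it runs on: built against old headers the calls vanish silently, built against new headers and run on an older kernel every prctl() returns -1 with EINVAL, and because the return values are dropped neither case is visible to anyone. If the intent is a guarantee rather than a best effort, consult PR_GET_SPECULATION_CTRL and log the outcome once (log_info) so an administrator can verify from the log that the process runs mitigated. The change also applies to every gnupg program that calls early_system_init, including short-lived tools, so the cost of disabling indirect-branch speculation is paid everywhere; scoping it to the programs that hold secret material would be a smaller change that is easier to justify in the commit message.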
@@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) +# See whether libc supports the prctl() +case "${host}" in + *-*-linux*) + AC_CHECK_HEADERS([sys/prctl.h]) + ;; +esac + # # Checks for typedefs, structures, and compiler characteristics. # On Sun, 06/07/2025 at 21.50 +0200, Guido Trentalancia via Gnupg-devel wrote: > The following new v4 version has been created taking into account > more > recent discussions on the L1 Data Cache vulnerability. It should > cater > to the needs of most users, while it can also be configured for > special > cases... > > common: Disable CPU speculation-related misfeatures > > * configure.ac: add a new L1D Cache flushing option > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > and check for sys/prctl.h > > * common/init.c (early_system_init): Disable CPU > speculation-related misfeatures which are in fact > vulnerabilities causing data leaks: > > - Speculative Store Bypass (always disabled) > - Indirect Branch Speculation (always disabled) > - Flush L1D Cache on context switch out of the > task (use the --enable-l1d-cache-flushing > configure option to mitigate the vulnerability) > > For further information see the kernel documentation: > Documentation/userspace-api/spec_ctrl.rst > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > Signed-off-by: Guido Trentalancia > > diff -pru a/common/init.c b/common/init.c > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > +++ b/common/init.c 2025-07-06 18:24:18.564538076 +0200 > @@ -29,6 +29,10 @@ > > #include > > +#if defined(__linux__) > +# include > +#endif > + > #ifdef HAVE_W32_SYSTEM > # if _WIN32_WINNT < 0x0600 > # define _WIN32_WINNT 0x0600 /* Required for > SetProcessDEPPolicy. */ 
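Review bot: The host-triplet case around AC_CHECK_HEADERS([sys/prctl.h]) is unnecessary and its result is unused: AC_CHECK_HEADERS is harmless on systems without the header (HAVE_SYS_PRCTL_H simply stays undefined), and init.c still selects both the include and the prctl() calls with `#if defined(__linux__)` rather than `#ifdef HAVE_SYS_PRCTL_H`, so the non-Linux build failure this version sets out to avoid is not actually addressed by the check. Drop the case statement, keep the plain check, and switch the guards in init.c to HAVE_SYS_PRCTL_H. The comment "# See whether libc supports the prctl()" should also say "header", since only the header is probed; AC_CHECK_FUNCS([prctl]) would be the function test.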
> @@ -132,6 +136,29 @@ writestring_via_estream (int mode, const > void > early_system_init (void) > { > +#if defined(__linux__) > + > +/* Disable CPU speculation-related misfeatures which are in > + * fact vulnerabilities causing data leaks: see the kernel > + * documentation: Documentation/userspace-api/spec_ctrl.rst > + * > + * - Speculative Store Bypass > + * - Indirect Branch Speculation > + * - Flush L1D Cache on context switch out of the task > + */ > +#ifdef PR_SPEC_STORE_BYPASS > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#ifdef PR_SPEC_INDIRECT_BRANCH > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, > 0, 0); > +#endif > + > +#endif /* __linux__ */ > } > > > diff -pru a/configure.ac b/configure.ac > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > +++ b/configure.ac 2025-07-06 21:34:17.915056552 +0200 > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > AC_MSG_RESULT($selinux_support) > > > +# Fix security vulnerability CVE-2020-0550 by enabling > +# Level 1 Data Cache flushing on context switch. > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > switch]) > +AC_ARG_ENABLE(l1d-cache-flushing, > + AS_HELP_STRING([--enable-l1d-cache-flushing], > + [enable L1D cache flushing]), > + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) > +AC_MSG_RESULT($l1d_cache_flushing) > + > + > AC_MSG_CHECKING([whether to allocate extra secure memory]) > AC_ARG_ENABLE(large-secmem, > AS_HELP_STRING([--enable-large-secmem], 
> @@ -1313,13 +1323,23 @@ fi > > > # > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > +# > +if test "$l1d_cache_flushing" = yes ; then > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > + [Define to enable Layer 1 Data Cache flushing]) > +fi > + > + > +# > # Checks for header files. > # > AC_MSG_NOTICE([checking for header files]) > AC_CHECK_HEADERS([unistd.h langinfo.h termio.h locale.h \ > pwd.h inttypes.h signal.h sys/select.h sys/time.h > \ > stdint.h signal.h termios.h \ > - ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) > + ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h \ > + sys/prctl.h]) > > > # > > On Sun, 06/07/2025 at 17.10 +0200, Guido Trentalancia via > Gnupg-devel wrote: > > Please note that Level 1 Data Cache flushing is disabled. > > > > So, at the moment the corresponding vulnerability CVE-2020-0550 is > > not > > being addressed. > > > > That specific part can be enabled at a later time with an > > additional > > patch, for example through a specific autoconf configure option > > (say > > -- > > enable-l1d-cache-flushing or --enable-fix-CVE-2020-0550). > > > > Guido > > > > On Sat, 05/07/2025 at 14.37 +0300, Jussi Kivilinna wrote: > > > On 04/07/2025 17:00, Guido Trentalancia via Gnupg-devel wrote: > > > > I have reformatted the commit log according to the gnupg coding > > > > style > > > > as in gnupg/doc/HACKING and created a v3 patch which follows. > > > > > > > > common: Disable CPU speculation-related misfeatures > > > > > > > > * common/init.c (early_system_init): Disable CPU > > > > speculation-related misfeatures which are in fact > > > > vulnerabilities causing data leaks: > > > > > > > > - Speculative Store Bypass > > > > - Indirect Branch Speculation > > > > - Flush L1D Cache on context switch out of the task > > > > > > > > For further information see the kernel documentation: > > > > Documentation/userspace-api/spec_ctrl.rst 
> > > > > > > > Signed-off-by: Guido Trentalancia > > > > > > > > diff -pru a/common/init.c b/common/init.c > > > > --- a/common/init.c 2024-05-15 12:33:38.000000000 +0200 > > > > +++ b/common/init.c 2025-06-27 12:35:33.543235132 +0200 > > > > @@ -29,6 +29,10 @@ > > > > > > > > #include > > > > > > > > +#if defined(__linux__) > > > > +# include > > > > +#endif > > > > + > > > > #ifdef HAVE_W32_SYSTEM > > > > # if _WIN32_WINNT < 0x0600 > > > > # define _WIN32_WINNT 0x0600 /* Required for > > > > SetProcessDEPPolicy. */ 
> > > > @@ -131,6 +135,29 @@ writestring_via_estream (int mode, const > > > > void > > > > early_system_init (void) > > > > { > > > > +#if defined(__linux__) > > > > + > > > > +/* Disable CPU speculation-related misfeatures which are in > > > > + * fact vulnerabilities causing data leaks: see the kernel > > > > + * documentation: Documentation/userspace-api/spec_ctrl.rst > > > > + * > > > > + * - Speculative Store Bypass > > > > + * - Indirect Branch Speculation > > > > + * - Flush L1D Cache on context switch out of the task > > > > + */ > > > > +#ifdef PR_SPEC_STORE_BYPASS > > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > > +#endif > > > > + > > > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > > +#endif > > > > + > > > > +#ifdef PR_SPEC_L1D_FLUSH > > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > > +#endif > > > > > > There is additional documentation of PR_SET_L1D_FLUSH at > > > https://docs.kernel.org/admin-guide/hw-vuln/l1d_flush.html > > > > > > There are a few limitations that might be interesting from gnupg > > > point > > > of > > > view: > > > - "The kernel command line allows to control the L1D flush > > > mitigations > > > at boot time with the option 'l1d_flush='. > > > on | Enables the prctl interface, applications trying to > > > use > > > the prctl() > > > will fail with an error if l1d_flush is not enabled > > > By default the mechanism is disabled." > > > - "NOTE : The opt-in of a task for L1D flushing works only when > > > the > > > task's > > > affinity is limited to cores running in non-SMT mode. If a > > > task > > > which > > > requested L1D flushing is scheduled on a SMT-enabled core > > > the > > > kernel > > > sends a SIGBUS to the task." > > > > > > Is it really a good idea to just blindly enable this like done > > > here?
Is crashing on SIGBUS acceptable behavior? > > > > > > I see that there was some heated discussion on this setting in > > > linux > > > kernel mailing list when there was a first attempt to introduce > > > this > > > to kernel [1]. Which makes me wonder if changing this setting is > > > a good > > > idea at all. > > > > > > -Jussi > > > > > > [1] https://lore.kernel.org/lkml/CAHk-=wgXf_wQ9zrJKv2Hy4EpEbLuqty-Cjbs2u00gm7XcYHBfw at mail.gmail.com/ > > > > > > > + > > > > +#endif /* __linux__ */ > > > > } > > > > > > > > > > > > > > > > On Thu, 03/07/2025 at 09.24 +0200, Werner Koch wrote: > > > > > Hi! > > > > > > > > > > I and others already explained that the way you propose the > > > > > patches is > > > > > not acceptable: > > > > > > > > > > - No autoconf macros and possibly tests to decide whether to > > > > > use > > > > > the > > > > > feature. > > > > > > > > > > - No proper ChangeLog (see gnupg/doc/HACKING) > > > > > > > > > > > > > > > > > > > > Shalom-Salam, > > > > > > > > > > Werner > > > > > > > > > > > > > _______________________________________________ > > > > Gnupg-devel mailing list > > > > Gnupg-devel at gnupg.org > > > > https://lists.gnupg.org/mailman/listinfo/gnupg-devel From jcb62281 at gmail.com Mon Jul 7 02:00:25 2025
From: jcb62281 at gmail.com (Jacob Bachmeyer) Date: Sun, 6 Jul 2025 19:00:25 -0500 Subject: [PATCH gnupg v5] Disable CPU speculation-related misfeatures In-Reply-To: <1751832236.25372.6.camel@trentalancia.com> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> <1751832236.25372.6.camel@trentalancia.com> Message-ID: <66c9be4c-0d4e-4ae0-88bb-ef5e34db6c1a@gmail.com> On 7/6/25 15:03, Guido Trentalancia via Gnupg-devel wrote: > [...] > diff -pru a/common/init.c b/common/init.c > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > +++ b/common/init.c 2025-07-06 18:24:18.564538076 +0200 > [...] 
> @@ -132,6 +136,29 @@ writestring_via_estream (int mode, const > void > early_system_init (void) > { > +#if defined(__linux__) > + > +/* Disable CPU speculation-related misfeatures which are in > + * fact vulnerabilities causing data leaks: see the kernel > + * documentation: Documentation/userspace-api/spec_ctrl.rst > + * > + * - Speculative Store Bypass > + * - Indirect Branch Speculation > + * - Flush L1D Cache on context switch out of the task > + */ > +#ifdef PR_SPEC_STORE_BYPASS > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#ifdef PR_SPEC_INDIRECT_BRANCH > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0); My understanding is that this prctl(2) call raises SIGBUS unless the kernel was given a boot option to enable this workaround. If a library is going to do this behind the main program's back, that library *needs* to be prepared to catch a SIGBUS at this point. > +#endif > + > +#endif /* __linux__ */ > } > > > diff -pru a/configure.ac b/configure.ac > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200
> @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > AC_MSG_RESULT($selinux_support) > > > +# Fix security vulnerability CVE-2020-0550 by enabling > +# Level 1 Data Cache flushing on context switch. > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch]) This message is worded very badly: the configure script is *not* checking whether context switches flush L1; it is checking whether the configuration option to *request* that context switches flush L1 has been given. A better way to word this would be "[whether L1 data cache should be flushed on context switch]". > +AC_ARG_ENABLE(l1d-cache-flushing, > + AS_HELP_STRING([--enable-l1d-cache-flushing], > + [enable L1D cache flushing]), > + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) > +AC_MSG_RESULT($l1d_cache_flushing) > + > + > AC_MSG_CHECKING([whether to allocate extra secure memory]) > AC_ARG_ENABLE(large-secmem, > AS_HELP_STRING([--enable-large-secmem], > @@ -1313,6 +1323,15 @@ fi > > > # > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > +# > +if test "$l1d_cache_flushing" = yes ; then > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > + [Define to enable Layer 1 Data Cache flushing]) Again, this *enables* nothing; it causes the program to *request* the L1 cache be flushed on context switch. > +fi > + > + > +# > # Checks for header files. > # > AC_MSG_NOTICE([checking for header files])
> @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) > > > +# See whether libc supports the prctl() > +case "${host}" in > + *-*-linux*) > + AC_CHECK_HEADERS([sys/prctl.h]) > + ;; > +esac > + > # > # Checks for typedefs, structures, and compiler characteristics. > # > [...] Overall, I am still unconvinced of the appropriateness of this patch. As I understand, these leaks only matter in multi-tenant systems, or if Mallory otherwise has access to your machine, in which case you have bigger problems if your private key is on such a system. -- Jacob From wk at gnupg.org Mon Jul 7 18:36:19 2025
From: wk at gnupg.org (Werner Koch) Date: Mon, 07 Jul 2025 18:36:19 +0200 Subject: [PATCH gnupg v4] Disable CPU speculation-related misfeatures In-Reply-To: <1751831452.25372.4.camel@trentalancia.com> (Guido Trentalancia via Gnupg-devel's message of "Sun, 06 Jul 2025 21:50:52 +0200") References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> Message-ID: <875xg42c1o.fsf@jacob.g10code.de> Hi! On Sun, 6 Jul 2025 21:50, Guido Trentalancia said: > common: Disable CPU speculation-related misfeatures I would prefer to keep the subject clear of an opinion. > +#if defined(__linux__) > +# include > +#endif Good. You now provide configure tests. Please also add a general one which checks for this header. > +#if defined(__linux__) And use that here ;-) > AC_CHECK_HEADERS([unistd.h langinfo.h termio.h locale.h \ > pwd.h inttypes.h signal.h sys/select.h sys/time.h \ > stdint.h signal.h termios.h \ > - ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) > + ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h \ > + sys/prctl.h]) Hey, you already got that macro. Thus you can replace the above with #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__) and we are good. The ifdef __linux__ here is so that we cater for OSes which have such a header for different purposes. Using the standard configure test along with an ifdef in the code is a good compromise between readability and regular autoconf style. Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein From guido at trentalancia.com Mon Jul 7 19:17:54 2025
From: guido at trentalancia.com (Guido Trentalancia) Date: Mon, 07 Jul 2025 19:17:54 +0200 Subject: [PATCH gnupg v6] Disable CPU speculation-related misfeatures In-Reply-To: <875xg42c1o.fsf@jacob.g10code.de> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> <875xg42c1o.fsf@jacob.g10code.de> Message-ID: <1751908674.7090.8.camel@trentalancia.com> On Mon, 07/07/2025 at 18.36 +0200, Werner Koch wrote: > Hi! > > On Sun, 6 Jul 2025 21:50, Guido Trentalancia said: > > > common: Disable CPU speculation-related misfeatures > > I would prefer to keep the subject clear of an opinion. It's not an opinion, it's a fact. The wording is taken from the official Linux kernel documentation; however, I agree it's probably too delicate. The correct wording is "security vulnerabilities". > > +#if defined(__linux__) > > +# include > > +#endif > > Good. You now provide configure tests. Please also add a general > one > which checks for this header. A general check for sys/prctl.h is not needed, as that header file is only used in Linux-specific code and it can therefore break things on non-Linux systems. > > +#if defined(__linux__) > > And use that here ;-) > > > AC_CHECK_HEADERS([unistd.h langinfo.h termio.h locale.h \ > > pwd.h inttypes.h signal.h sys/select.h > > sys/time.h \ > > stdint.h signal.h termios.h \ > > - ucred.h sys/ucred.h sys/sysmacros.h > > sys/mkdev.h]) > > + ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h > > \ > > + sys/prctl.h]) > > Hey, you already got that macro. Thus you can replace the above with > > #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__) I can replace that, in reversed order. Please see the v6 patch below, my last attempt at fixing this... > and we are good.
The ifdef __linux__ here is so that we cater for > OSes > which have such a header for different purposes. Using the standard > configure test along with an ifdef in the code is a good compromise > between readability and regular autoconf style. common: Disable CPU speculation-related security vulnerabilities (CVE-2018-3639 aka Spectre variant 4, CVE-2017-5715 and optionally CVE-2020-0550) * configure.ac: add a new L1D Cache flushing option (--enable-l1d-cache-flushing) to fix CVE-2020-0550 and check for sys/prctl.h on Linux systems * common/init.c (early_system_init): Disable CPU speculation-related misfeatures which are in fact vulnerabilities causing data leaks: - Speculative Store Bypass (always disabled) - Indirect Branch Speculation (always disabled) - Flush L1D Cache on context switch out of the task (use the --enable-l1d-cache-flushing configure option to mitigate the vulnerability) For further information see the kernel documentation: Documentation/userspace-api/spec_ctrl.rst Documentation/admin-guide/hw-vuln/l1d_flush.rst Signed-off-by: Guido Trentalancia diff -pru a/common/init.c b/common/init.c --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 @@ -29,6 +29,10 @@ #include +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) +# include +#endif + #ifdef HAVE_W32_SYSTEM # if _WIN32_WINNT < 0x0600 # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */
@@ -132,6 +136,29 @@ writestring_via_estream (int mode, const void early_system_init (void) { +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) + +/* Disable CPU speculation-related security vulnerabilities + * causing data leaks: see the Linux kernel documentation + * Documentation/userspace-api/spec_ctrl.rst + * + * - Speculative Store Bypass + * - Indirect Branch Speculation + * - Flush L1D Cache on context switch out of the task + */ +#ifdef PR_SPEC_STORE_BYPASS + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_INDIRECT_BRANCH + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0); +#endif + +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ } diff -pru a/configure.ac b/configure.ac --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, AC_MSG_RESULT($selinux_support) +# Fix security vulnerability CVE-2020-0550 by enabling +# Level 1 Data Cache flushing on context switch. +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch]) +AC_ARG_ENABLE(l1d-cache-flushing, + AS_HELP_STRING([--enable-l1d-cache-flushing], + [enable L1D cache flushing]), + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) +AC_MSG_RESULT($l1d_cache_flushing) + + AC_MSG_CHECKING([whether to allocate extra secure memory]) AC_ARG_ENABLE(large-secmem, AS_HELP_STRING([--enable-large-secmem], @@ -1313,6 +1323,15 @@ fi # +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) +# +if test "$l1d_cache_flushing" = yes ; then + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, + [Define to enable Layer 1 Data Cache flushing]) +fi + + +# # Checks for header files. # AC_MSG_NOTICE([checking for header files]) 
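Review bot: the configure.ac part of v6 is unchanged from v5 (same +++ timestamp, 2025-07-06 21:56:51) and so still carries the wording Jacob Bachmeyer objected to: the comment "Fix security vulnerability CVE-2020-0550" and the AC_MSG_CHECKING text "whether Level 1 Data Cache is flushed on context switch" describe an effect the option cannot guarantee, since the binary only requests the flush via prctl() and the kernel decides. Suggest "[whether to request L1 data cache flushing on context switch]" for the message and "[Define to request L1D cache flushing on context switch]" for the AC_DEFINE description, which also removes the "Layer 1" / "Level 1" inconsistency between the AC_DEFINE text and the comment two lines above it.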
@@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) +# See whether libc supports the prctl() +case "${host}" in + *-*-linux*) + AC_CHECK_HEADERS([sys/prctl.h]) + ;; +esac + # # Checks for typedefs, structures, and compiler characteristics. # From guido at trentalancia.com Tue Jul 8 13:05:00 2025 
From: guido at trentalancia.com (Guido Trentalancia) Date: Tue, 08 Jul 2025 13:05:00 +0200 Subject: [PATCH gnupg v7] Disable CPU speculation-related misfeatures In-Reply-To: <1751908674.7090.8.camel@trentalancia.com> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> <875xg42c1o.fsf@jacob.g10code.de> <1751908674.7090.8.camel@trentalancia.com> Message-ID: <1751972700.857.4.camel@trentalancia.com> In the following v7 patch I have improved the commit log and source code comments, with a better explanation of how to fix CVE-2020-0550 (L1 Data Cache flush). common: Disable CPU speculative execution security vulnerabilities (CVE-2018-3639 aka Spectre variant 4, CVE-2017-5715 and optionally CVE-2020-0550) * configure.ac: add a new L1D Cache flushing option (--enable-l1d-cache-flushing) to fix CVE-2020-0550 and check for sys/prctl.h on Linux systems * common/init.c (early_system_init): Disable CPU speculative execution security vulnerabilities potentially causing data leaks: - Speculative Store Bypass (always disabled) - Indirect Branch Speculation (always disabled) - Flush L1D Cache on context switch out of the task (use the --enable-l1d-cache-flushing configure option and l1d_flush=on on the boot command line to mitigate the vulnerability) For further information see the kernel documentation: Documentation/userspace-api/spec_ctrl.rst Documentation/admin-guide/hw-vuln/l1d_flush.rst Signed-off-by: Guido Trentalancia diff -pru a/common/init.c b/common/init.c --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200
@@ -29,6 +29,10 @@ #include +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) +# include +#endif + #ifdef HAVE_W32_SYSTEM # if _WIN32_WINNT < 0x0600 # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */ @@ -132,6 +136,32 @@ writestring_via_estream (int mode, const void early_system_init (void) { +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) + +/* Disable CPU speculative execution security vulnerabilities + * causing data leaks: see the Linux kernel documentation + * Documentation/userspace-api/spec_ctrl.rst + * + * - Speculative Store Bypass (CVE-2018-3639, always + * disabled) + * - Indirect Branch Speculation (CVE-2017-5715, always + * disabled) + * - Flush L1D Cache on context switch out of the task (it + * requires the l1d_flush=on kernel boot parameter) + */ +#ifdef PR_SPEC_STORE_BYPASS + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_INDIRECT_BRANCH + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0); +#endif + +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ } diff -pru a/configure.ac b/configure.ac --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 
@@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, AC_MSG_RESULT($selinux_support) +# Fix security vulnerability CVE-2020-0550 by enabling +# Level 1 Data Cache flushing on context switch. +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch]) +AC_ARG_ENABLE(l1d-cache-flushing, + AS_HELP_STRING([--enable-l1d-cache-flushing], + [enable L1D cache flushing]), + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) +AC_MSG_RESULT($l1d_cache_flushing) + + AC_MSG_CHECKING([whether to allocate extra secure memory]) AC_ARG_ENABLE(large-secmem, AS_HELP_STRING([--enable-large-secmem], @@ -1313,6 +1323,15 @@ fi # +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) +# +if test "$l1d_cache_flushing" = yes ; then + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, + [Define to enable Layer 1 Data Cache flushing]) +fi + + +# # Checks for header files. # AC_MSG_NOTICE([checking for header files]) 
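Review bot: the new comment in the early_system_init hunk says the L1D flush "requires the l1d_flush=on kernel boot parameter", but a compile-time option cannot verify a boot parameter, and the only runtime signal, the prctl() return value, is still dropped. A binary built with --enable-l1d-cache-flushing and run on a kernel without that parameter therefore behaves exactly like a build without the option, with nothing telling the user. Either log the prctl() failure with errno so the mismatch is visible, or at least put the boot parameter into the help string "[enable L1D cache flushing]", since that is what a packager reads; a source comment is not where a deployment requirement belongs.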
@@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) +# See whether libc supports the prctl() +case "${host}" in + *-*-linux*) + AC_CHECK_HEADERS([sys/prctl.h]) + ;; +esac + # # Checks for typedefs, structures, and compiler characteristics. # On Mon, 07/07/2025 at 19.17 +0200, Guido Trentalancia via Gnupg-devel wrote: > On Mon, 07/07/2025 at 18.36 +0200, Werner Koch wrote: > > Hi! > > > > On Sun, 6 Jul 2025 21:50, Guido Trentalancia said: > > > > > common: Disable CPU speculation-related misfeatures > > > > I would prefer to keep the subject clear of an opinion. > > It's not an opinion, it's a fact. > > The wording is taken from the official Linux kernel documentation; > however, I agree it's probably too delicate. The correct wording is > "security vulnerabilities". > > > > +#if defined(__linux__) > > > +# include > > > +#endif > > > > Good. You now provide configure tests. Please also add a general > > one > > which checks for this header. > > A general check for sys/prctl.h is not needed, as that header file is > only used in Linux-specific code and it can therefore break things on > non-Linux systems. > > > > +#if defined(__linux__) > > > > And use that here ;-) > > > > > AC_CHECK_HEADERS([unistd.h langinfo.h termio.h locale.h \ > > > pwd.h inttypes.h signal.h sys/select.h > > > sys/time.h \ > > > stdint.h signal.h termios.h \ > > > - ucred.h sys/ucred.h sys/sysmacros.h > > > sys/mkdev.h]) > > > + ucred.h sys/ucred.h sys/sysmacros.h > > > sys/mkdev.h > > > \ > > > + sys/prctl.h]) > > > > Hey, you already got that macro. Thus you can replace the above > > with > > > > #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__) > > I can replace that, in reversed order. Please see the v6 patch below, > my last attempt at fixing this... > > > and we are good. The ifdef __linux__ here is so that we cater for > > OSes > > which have such a header for different purposes.
Using the > > standard > > configure test along with an ifdef in the code is a good compromise > > between readability and regular autoconf style. > > common: Disable CPU speculation-related security > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > CVE-2017-5715 and optionally CVE-2020-0550) > > * configure.ac: add a new L1D Cache flushing option > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > and check for sys/prctl.h on Linux systems > > * common/init.c (early_system_init): Disable CPU > speculation-related misfeatures which are in fact > vulnerabilities causing data leaks: > > - Speculative Store Bypass (always disabled) > - Indirect Branch Speculation (always disabled) > - Flush L1D Cache on context switch out of the > task (use the --enable-l1d-cache-flushing > configure option to mitigate the vulnerability) > > For further information see the kernel documentation: > Documentation/userspace-api/spec_ctrl.rst > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > Signed-off-by: Guido Trentalancia > > diff -pru a/common/init.c b/common/init.c > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 > @@ -29,6 +29,10 @@ > > #include > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > +# include > +#endif > + > #ifdef HAVE_W32_SYSTEM > # if _WIN32_WINNT < 0x0600 > # define _WIN32_WINNT 0x0600 /* Required for > SetProcessDEPPolicy. */
> @@ -132,6 +136,29 @@ writestring_via_estream (int mode, const > void > early_system_init (void) > { > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > + > +/* Disable CPU speculation-related security vulnerabilities > + * causing data leaks: see the Linux kernel documentation > + * Documentation/userspace-api/spec_ctrl.rst > + * > + * - Speculative Store Bypass > + * - Indirect Branch Speculation > + * - Flush L1D Cache on context switch out of the task > + */ > +#ifdef PR_SPEC_STORE_BYPASS > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#ifdef PR_SPEC_INDIRECT_BRANCH > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, > 0, 0); > +#endif > + > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > } > > > diff -pru a/configure.ac b/configure.ac > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > AC_MSG_RESULT($selinux_support) > > > +# Fix security vulnerability CVE-2020-0550 by enabling > +# Level 1 Data Cache flushing on context switch. > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > switch]) > +AC_ARG_ENABLE(l1d-cache-flushing, > + AS_HELP_STRING([--enable-l1d-cache-flushing], > + [enable L1D cache flushing]), > + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) > +AC_MSG_RESULT($l1d_cache_flushing) > + > + > AC_MSG_CHECKING([whether to allocate extra secure memory]) > AC_ARG_ENABLE(large-secmem, > AS_HELP_STRING([--enable-large-secmem], 
> @@ -1313,6 +1323,15 @@ fi > > > # > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > +# > +if test "$l1d_cache_flushing" = yes ; then > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > + [Define to enable Layer 1 Data Cache flushing]) > +fi > + > + > +# > # Checks for header files. > # > AC_MSG_NOTICE([checking for header files]) > @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) > > > +# See whether libc supports the prctl() > +case "${host}" in > + *-*-linux*) > + AC_CHECK_HEADERS([sys/prctl.h]) > + ;; > +esac > + > # > # Checks for typedefs, structures, and compiler characteristics. > # From guido at trentalancia.com Tue Jul 8 16:05:58 2025
From: guido at trentalancia.com (Guido Trentalancia) Date: Tue, 08 Jul 2025 16:05:58 +0200 Subject: [PATCH gnupg v8] Disable CPU speculation-related misfeatures In-Reply-To: <1751972700.857.4.camel@trentalancia.com> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> <875xg42c1o.fsf@jacob.g10code.de> <1751908674.7090.8.camel@trentalancia.com> <1751972700.857.4.camel@trentalancia.com> Message-ID: <1751983558.11004.3.camel@trentalancia.com> I have now further improved the documentation of how to use L1 Data Cache flushing, this should answer the question raised by Jussi Kivilinna regarding the SIGBUS error. A new v8 patch has been created. common: Disable CPU speculative execution security vulnerabilities (CVE-2018-3639 aka Spectre variant 4, CVE-2017-5715 and optionally CVE-2020-0550) * configure.ac: add a new L1D Cache flushing option (--enable-l1d-cache-flushing) to fix CVE-2020-0550 and check for sys/prctl.h on Linux systems * common/init.c (early_system_init): Disable CPU speculative execution security vulnerabilities potentially causing data leaks: - Speculative Store Bypass (always disabled) - Indirect Branch Speculation (always disabled) - Flush L1D Cache on context switch out of the task (use the --enable-l1d-cache-flushing configure option and "nosmt l1d_flush=on" on the boot command line to mitigate the vulnerability) For further information see the kernel documentation: Documentation/userspace-api/spec_ctrl.rst Documentation/admin-guide/hw-vuln/l1d_flush.rst Signed-off-by: Guido Trentalancia diff -pru a/common/init.c b/common/init.c --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 
@@ -29,6 +29,10 @@ #include +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) +# include +#endif + #ifdef HAVE_W32_SYSTEM # if _WIN32_WINNT < 0x0600 # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */ @@ -132,6 +136,32 @@ writestring_via_estream (int mode, const void early_system_init (void) { +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) + +/* Disable CPU speculative execution security vulnerabilities + * causing data leaks: see the Linux kernel documentation + * Documentation/userspace-api/spec_ctrl.rst + * + * - Speculative Store Bypass (CVE-2018-3639, always + * disabled) + * - Indirect Branch Speculation (CVE-2017-5715, always + * disabled) + * - Flush L1D Cache on context switch out of the task (it + * requires the "nosmt l1d_flush=on" kernel boot parameter) + */ +#ifdef PR_SPEC_STORE_BYPASS + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_INDIRECT_BRANCH + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0); +#endif + +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ } diff -pru a/configure.ac b/configure.ac --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 
@@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, AC_MSG_RESULT($selinux_support) +# Fix security vulnerability CVE-2020-0550 by enabling +# Level 1 Data Cache flushing on context switch. +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch]) +AC_ARG_ENABLE(l1d-cache-flushing, + AS_HELP_STRING([--enable-l1d-cache-flushing], + [enable L1D cache flushing]), + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) +AC_MSG_RESULT($l1d_cache_flushing) + + AC_MSG_CHECKING([whether to allocate extra secure memory]) AC_ARG_ENABLE(large-secmem, AS_HELP_STRING([--enable-large-secmem], @@ -1313,6 +1323,15 @@ fi # +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) +# +if test "$l1d_cache_flushing" = yes ; then + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, + [Define to enable Layer 1 Data Cache flushing]) +fi + + +# # Checks for header files. # AC_MSG_NOTICE([checking for header files]) 
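Review bot: in the configure.ac hunk at @@ -1313, ENABLE_L1D_CACHE_FLUSH is defined from the --enable-l1d-cache-flushing answer alone, before the sys/prctl.h check that the following hunk at @@ -1322 adds, and nothing verifies that the host is Linux or that the header exists, so on such a host the option is accepted and the feature silently compiles to nothing under the `#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH)` guard in init.c. Move the AC_DEFINE after the header check and emit AC_MSG_ERROR (or at least AC_MSG_WARN) when l1d_cache_flushing=yes but ac_cv_header_sys_prctl_h is not yes; the AC_DEFINE description also reads "Layer 1 Data Cache" where everything else says "Level 1", and the help string could say that the flush additionally needs the "nosmt l1d_flush=on" boot parameters so the option is not mistaken for a complete fix on its own.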
@@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) +# See whether libc supports the prctl() +case "${host}" in + *-*-linux*) + AC_CHECK_HEADERS([sys/prctl.h]) + ;; +esac + # # Checks for typedefs, structures, and compiler characteristics. # On Tue, 08/07/2025 at 13.05 +0200, Guido Trentalancia via Gnupg-devel wrote: > In the following v7 patch I have improved the commit log and source > code comments, with a better explaination of how to fix CVE-2020-0550 > (L1 Data Cache flush). > > common: Disable CPU speculative execution security > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > CVE-2017-5715 and optionally CVE-2020-0550) > > * configure.ac: add a new L1D Cache flushing option > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > and check for sys/prctl.h on Linux systems > > * common/init.c (early_system_init): Disable CPU > speculative execution security vulnerabilities > potentially causing data leaks: > > - Speculative Store Bypass (always disabled) > - Indirect Branch Speculation (always disabled) > - Flush L1D Cache on context switch out of the > task (use the --enable-l1d-cache-flushing > configure option and l1d_flush=on on the boot > command line to mitigate the vulnerability) > > For further information see the kernel documentation: > Documentation/userspace-api/spec_ctrl.rst > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > Signed-off-by: Guido Trentalancia > > diff -pru a/common/init.c b/common/init.c > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 > @@ -29,6 +29,10 @@ > > #include > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > +# include > +#endif > + > #ifdef HAVE_W32_SYSTEM > # if _WIN32_WINNT < 0x0600 > # define _WIN32_WINNT 0x0600 /* Required for > SetProcessDEPPolicy. */ 
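Review bot: in the init.c hunk at @@ -132 of the v8 patch above, PR_SPEC_FORCE_DISABLE is applied in early_system_init, which every GnuPG program runs, and per spec_ctrl.rst that state cannot be undone and is kept across fork and execve, so every child these programs start (pinentry, an on-demand gpg-agent or dirmngr, helper programs) is force-disabled as well, together with the runtime cost of restricting indirect branch speculation. That should be stated in the commit log and the manual, and PR_SPEC_DISABLE_NOEXEC is the documented alternative when the intent is to protect only the GnuPG process itself. The three prctl() return values are also discarded, so on a kernel without these controls nothing is reported and the process silently runs unmitigated.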
> @@ -132,6 +136,32 @@ writestring_via_estream (int mode, const > void > early_system_init (void) > { > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > + > +/* Disable CPU speculative execution security vulnerabilities > + * causing data leaks: see the Linux kernel documentation > + * Documentation/userspace-api/spec_ctrl.rst > + * > + * - Speculative Store Bypass (CVE-2018-3639, always > + * disabled) > + * - Indirect Branch Speculation (CVE-2017-5715, always > + * disabled) > + * - Flush L1D Cache on context switch out of the task (it > + * requires the l1d_flush=on kernel boot parameter) > + */ > +#ifdef PR_SPEC_STORE_BYPASS > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#ifdef PR_SPEC_INDIRECT_BRANCH > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, > 0, 0); > +#endif > + > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > } > > > diff -pru a/configure.ac b/configure.ac > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > AC_MSG_RESULT($selinux_support) > > > +# Fix security vulnerability CVE-2020-0550 by enabling > +# Level 1 Data Cache flushing on context switch. > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > switch]) > +AC_ARG_ENABLE(l1d-cache-flushing, > + AS_HELP_STRING([--enable-l1d-cache-flushing], > + [enable L1D cache flushing]), > + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) > +AC_MSG_RESULT($l1d_cache_flushing) > + > + > AC_MSG_CHECKING([whether to allocate extra secure memory]) > AC_ARG_ENABLE(large-secmem, > AS_HELP_STRING([--enable-large-secmem], 
> @@ -1313,6 +1323,15 @@ fi > > > # > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > +# > +if test "$l1d_cache_flushing" = yes ; then > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > + [Define to enable Layer 1 Data Cache flushing]) > +fi > + > + > +# > # Checks for header files. > # > AC_MSG_NOTICE([checking for header files]) 
> @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) > > > +# See whether libc supports the prctl() > +case "${host}" in > + *-*-linux*) > + AC_CHECK_HEADERS([sys/prctl.h]) > + ;; > +esac > + > # > # Checks for typedefs, structures, and compiler characteristics. > # > > On Mon, 07/07/2025 at 19.17 +0200, Guido Trentalancia via > Gnupg-devel wrote: > > On Mon, 07/07/2025 alle 18.36 +0200, Werner Koch wrote: > > > Hi! > > > > > > On Sun, 6 Jul 2025 21:50, Guido Trentalancia said: > > > > > > > common: Disable CPU speculation-related misfeatures > > > > > > I would prefer to keep the subject clear of an opinion. > > > > It's not an opinion, it's a fact. > > > > The wording is taken from the official Linux kernel documentation, > > however I agree it's probably too delicate, the correct wording is > > "security vulnerabilities". > > > > > > +#if defined(__linux__) > > > > +# include > > > > +#endif > > > > > > Good. You now provide configure tests. Please also add a > > > general > > > one > > > which checks for this header. > > > > A general check for sys/prctl.h is not needed, as such header file > > is > > only used on Linux-specific code and it can therefore break things > > on > > non-Linux systems. > > > > > > +#if defined(__linux__) > > > > > > And use that here ;-) > > > > > > > AC_CHECK_HEADERS([unistd.h langinfo.h termio.h locale.h \ > > > > pwd.h inttypes.h signal.h sys/select.h > > > > sys/time.h \ > > > > stdint.h signal.h termios.h \ > > > > - ucred.h sys/ucred.h sys/sysmacros.h > > > > sys/mkdev.h]) > > > > + ucred.h sys/ucred.h sys/sysmacros.h > > > > sys/mkdev.h > > > > \ > > > > + sys/prctl.h]) > > > > > > Hey, you already got that macro. Thus you can replace the above > > > with > > > > > > #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__) > > > > I can replace that, in reversed order. Please see the v6 patch > > below, > > my last attempt at fixing this... > > > > > and we are good. 
The ifdef __linux__ here is so that we cater > > > for > > > OSes > > > which have such a header for different purposes. Using the > > > standard > > > configure test along with a ifdef in the code is a good > > > compromise > > > between readibility and regualar autoconf style. > > > > common: Disable CPU speculation-related security > > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > > CVE-2017-5715 and optionally CVE-2020-0550) > > > > * configure.ac: add a new L1D Cache flushing option > > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > > and check for sys/prctl.h on Linux systems > > > > * common/init.c (early_system_init): Disable CPU > > speculation-related misfeatures which are in fact > > vulnerabilities causing data leaks: > > > > - Speculative Store Bypass (always disabled) > > - Indirect Branch Speculation (always disabled) > > - Flush L1D Cache on context switch out of the > > task (use the --enable-l1d-cache-flushing > > configure option to mitigate the vulnerability) > > > > For further information see the kernel documentation: > > Documentation/userspace-api/spec_ctrl.rst > > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > > > Signed-off-by: Guido Trentalancia > > > > diff -pru a/common/init.c b/common/init.c > > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > > +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 > > @@ -29,6 +29,10 @@ > > > > #include > > > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > +# include > > +#endif > > + > > #ifdef HAVE_W32_SYSTEM > > # if _WIN32_WINNT < 0x0600 > > # define _WIN32_WINNT 0x0600 /* Required for > > SetProcessDEPPolicy. */ 
> > @@ -132,6 +136,29 @@ writestring_via_estream (int mode, const > > void > > early_system_init (void) > > { > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > + > > +/* Disable CPU speculation-related security vulnerabilities > > + * causing data leaks: see the Linux kernel documentation > > + * Documentation/userspace-api/spec_ctrl.rst > > + * > > + * - Speculative Store Bypass > > + * - Indirect Branch Speculation > > + * - Flush L1D Cache on context switch out of the task > > + */ > > +#ifdef PR_SPEC_STORE_BYPASS > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > PR_SPEC_ENABLE, > > 0, 0); > > +#endif > > + > > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > > } > > > > > > diff -pru a/configure.ac b/configure.ac > > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 > > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > > AC_MSG_RESULT($selinux_support) > > > > > > +# Fix security vulnerability CVE-2020-0550 by enabling > > +# Level 1 Data Cache flushing on context switch. > > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > > switch]) > > +AC_ARG_ENABLE(l1d-cache-flushing, > > + AS_HELP_STRING([--enable-l1d-cache-flushing], > > + [enable L1D cache flushing]), > > + l1d_cache_flushing=$enableval, > > l1d_cache_flushing=no) > > +AC_MSG_RESULT($l1d_cache_flushing) > > + > > + > > AC_MSG_CHECKING([whether to allocate extra secure memory]) > > AC_ARG_ENABLE(large-secmem, > > AS_HELP_STRING([--enable-large-secmem], 
> > @@ -1313,6 +1323,15 @@ fi > > > > # > > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > > +# > > +if test "$l1d_cache_flushing" = yes ; then > > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > > + [Define to enable Layer 1 Data Cache flushing]) > > +fi > > + > > + > > +# > > # Checks for header files. > > # > > AC_MSG_NOTICE([checking for header files]) > > @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > > ucred.h sys/ucred.h sys/sysmacros.h > > sys/mkdev.h]) > > > > > > +# See whether libc supports the prctl() > > +case "${host}" in > > + *-*-linux*) > > + AC_CHECK_HEADERS([sys/prctl.h]) > > + ;; > > +esac > > + > > # > > # Checks for typedefs, structures, and compiler characteristics. > > # > > > > _______________________________________________ > > Gnupg-devel mailing list > > Gnupg-devel at gnupg.org > > https://lists.gnupg.org/mailman/listinfo/gnupg-devel From guido at trentalancia.com Tue Jul 8 18:26:36 2025
From: guido at trentalancia.com (Guido Trentalancia)
Date: Tue, 08 Jul 2025 18:26:36 +0200
Subject: [PATCH gnupg v9] Disable CPU speculation-related misfeatures
In-Reply-To: <1751983558.11004.3.camel@trentalancia.com>
References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> <875xg42c1o.fsf@jacob.g10code.de> <1751908674.7090.8.camel@trentalancia.com> <1751972700.857.4.camel@trentalancia.com> <1751983558.11004.3.camel@trentalancia.com>
Message-ID: <1751991996.6941.1.camel@trentalancia.com>

Error reporting and handling have been added to create a v9 patch that follows...

common: Disable CPU speculative execution security vulnerabilities (CVE-2018-3639 aka Spectre variant 4, CVE-2017-5715 and optionally CVE-2020-0550)

* configure.ac: add a new L1D Cache flushing option (--enable-l1d-cache-flushing) to fix CVE-2020-0550 and check for sys/prctl.h on Linux systems

* common/init.c (early_system_init): Disable CPU speculative execution security vulnerabilities potentially causing data leaks:

- Speculative Store Bypass (always disabled)
- Indirect Branch Speculation (always disabled)
- Flush L1D Cache on context switch out of the task (use the --enable-l1d-cache-flushing configure option and "nosmt l1d_flush=on" on the boot command line to mitigate the vulnerability)

For further information see the kernel documentation:
Documentation/userspace-api/spec_ctrl.rst
Documentation/admin-guide/hw-vuln/l1d_flush.rst

Signed-off-by: Guido Trentalancia

diff -pru a/common/init.c b/common/init.c
--- a/common/init.c 2025-05-25 15:43:45.871984100 +0200
+++ b/common/init.c 2025-07-08 18:14:12.246994230 +0200
@@ -29,6 +29,14 @@ #include +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) +# include +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) +# include +#endif + #ifdef HAVE_W32_SYSTEM # if _WIN32_WINNT < 0x0600 # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */ @@ -128,10 +136,52 @@ writestring_via_estream (int mode, const } +void sigbus_handler(int signo) +{ + if (signo == SIGBUS) + { + log_info ("Warning: Level 1 Data Cache flushing requires the \"nosmt\" boot parameter.\n"); + } +} + + /* This function should be the first called after main. */ void early_system_init (void) { +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) + +/* Disable CPU speculative execution security vulnerabilities + * causing data leaks: see the Linux kernel documentation + * Documentation/userspace-api/spec_ctrl.rst + * + * - Speculative Store Bypass (CVE-2018-3639, always + * disabled) + * - Indirect Branch Speculation (CVE-2017-5715, always + * disabled) + * - Flush L1D Cache on context switch out of the task (it + * requires the "nosmt l1d_flush=on" kernel boot parameter) + */ +#ifdef PR_SPEC_STORE_BYPASS + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_INDIRECT_BRANCH + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) + if (signal(SIGBUS, sigbus_handler) == SIG_ERR) + { + log_info ("Warning: cannot catch the SIGBUS signal.\n"); + } + if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0) < 0) + { + log_info ("Warning: Level 1 Data Cache flushing requires the \"l1d_flush=on\" boot parameter.\n"); + } +#endif + +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ } diff -pru a/configure.ac b/configure.ac --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 +++ b/configure.ac 2025-07-08 17:31:51.757997407 +0200 
@@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, AC_MSG_RESULT($selinux_support) +# Fix security vulnerability CVE-2020-0550 by enabling +# Level 1 Data Cache flushing on context switch. +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch]) +AC_ARG_ENABLE(l1d-cache-flushing, + AS_HELP_STRING([--enable-l1d-cache-flushing], + [enable L1D cache flushing]), + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) +AC_MSG_RESULT($l1d_cache_flushing) + + AC_MSG_CHECKING([whether to allocate extra secure memory]) AC_ARG_ENABLE(large-secmem, AS_HELP_STRING([--enable-large-secmem], @@ -1313,6 +1323,15 @@ fi # +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) +# +if test "$l1d_cache_flushing" = yes ; then + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, + [Define to enable Layer 1 Data Cache flushing]) +fi + + +# # Checks for header files. # AC_MSG_NOTICE([checking for header files]) 
@@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) +# See whether libc supports the prctl() +case "${host}" in + *-*-linux*) + AC_CHECK_HEADERS([sys/prctl.h]) + ;; +esac + # # Checks for typedefs, structures, and compiler characteristics. # On Tue, 08/07/2025 at 16.05 +0200, Guido Trentalancia via Gnupg-devel wrote: > I have now further improved the documentation of how to use L1 Data > Cache flushing, this should answer the question raised by Jussi > Kivilinna regarding the SIGBUS error. A new v8 patch has been > created. > > common: Disable CPU speculative execution security > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > CVE-2017-5715 and optionally CVE-2020-0550) > > * configure.ac: add a new L1D Cache flushing option > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > and check for sys/prctl.h on Linux systems > > * common/init.c (early_system_init): Disable CPU > speculative execution security vulnerabilities > potentially causing data leaks: > > - Speculative Store Bypass (always disabled) > - Indirect Branch Speculation (always disabled) > - Flush L1D Cache on context switch out of the > task (use the --enable-l1d-cache-flushing > configure option and "nosmt l1d_flush=on" on the > boot command line to mitigate the vulnerability) > > For further information see the kernel documentation: > Documentation/userspace-api/spec_ctrl.rst > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > Signed-off-by: Guido Trentalancia > > diff -pru a/common/init.c b/common/init.c > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 > @@ -29,6 +29,10 @@ > > #include > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > +# include > +#endif > + > #ifdef HAVE_W32_SYSTEM > # if _WIN32_WINNT < 0x0600 > # define _WIN32_WINNT 0x0600 /* Required for > SetProcessDEPPolicy. */ 
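Review bot: in the init.c hunk at @@ -128 of the v9 patch above, sigbus_handler calls log_info from inside a signal handler; log_info writes through GnuPG's estream-based logging, which takes stream locks, so it is not async-signal-safe and can deadlock if SIGBUS arrives while the program is already logging. Set a volatile sig_atomic_t flag (or write(2) a constant string) in the handler and report afterwards. The handler also just returns: for the SIGBUS the kernel raises when the task lands on an SMT sibling (l1d_flush.rst) that leaves the process running in exactly the situation the flush was meant to exclude, and for an ordinary bus error (a fault on a truncated mmap'ed file, say) returning re-executes the faulting instruction endlessly, so the handler must either terminate or tell the two cases apart. Finally, sigbus_handler is defined unconditionally and without static although its header include is under ENABLE_L1D_CACHE_FLUSH; guard it the same way and make it static.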
> @@ -132,6 +136,32 @@ writestring_via_estream (int mode, const > void > early_system_init (void) > { > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > + > +/* Disable CPU speculative execution security vulnerabilities > + * causing data leaks: see the Linux kernel documentation > + * Documentation/userspace-api/spec_ctrl.rst > + * > + * - Speculative Store Bypass (CVE-2018-3639, always > + * disabled) > + * - Indirect Branch Speculation (CVE-2017-5715, always > + * disabled) > + * - Flush L1D Cache on context switch out of the task (it > + * requires the "nosmt l1d_flush=on" kernel boot parameter) > + */ > +#ifdef PR_SPEC_STORE_BYPASS > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#ifdef PR_SPEC_INDIRECT_BRANCH > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, > 0, 0); > +#endif > + > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > } > > > diff -pru a/configure.ac b/configure.ac > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > AC_MSG_RESULT($selinux_support) > > > +# Fix security vulnerability CVE-2020-0550 by enabling > +# Level 1 Data Cache flushing on context switch. > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > switch]) > +AC_ARG_ENABLE(l1d-cache-flushing, > + AS_HELP_STRING([--enable-l1d-cache-flushing], > + [enable L1D cache flushing]), > + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) > +AC_MSG_RESULT($l1d_cache_flushing) > + > + > AC_MSG_CHECKING([whether to allocate extra secure memory]) > AC_ARG_ENABLE(large-secmem, > AS_HELP_STRING([--enable-large-secmem], 
> @@ -1313,6 +1323,15 @@ fi > > > # > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > +# > +if test "$l1d_cache_flushing" = yes ; then > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > + [Define to enable Layer 1 Data Cache flushing]) > +fi > + > + > +# > # Checks for header files. > # > AC_MSG_NOTICE([checking for header files]) > @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) > > > +# See whether libc supports the prctl() > +case "${host}" in > + *-*-linux*) > + AC_CHECK_HEADERS([sys/prctl.h]) > + ;; > +esac > + > # > # Checks for typedefs, structures, and compiler characteristics. > # > > On Tue, 08/07/2025 at 13.05 +0200, Guido Trentalancia via > Gnupg-devel wrote: > > In the following v7 patch I have improved the commit log and source > > code comments, with a better explaination of how to fix CVE-2020- > > 0550 > > (L1 Data Cache flush). > > > > common: Disable CPU speculative execution security > > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > > CVE-2017-5715 and optionally CVE-2020-0550) > > > > * configure.ac: add a new L1D Cache flushing option > > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > > and check for sys/prctl.h on Linux systems > > > > * common/init.c (early_system_init): Disable CPU > > speculative execution security vulnerabilities > > potentially causing data leaks: > > > > - Speculative Store Bypass (always disabled) > > - Indirect Branch Speculation (always disabled) > > - Flush L1D Cache on context switch out of the > > task (use the --enable-l1d-cache-flushing > > configure option and l1d_flush=on on the boot > > command line to mitigate the vulnerability) > > > > For further information see the kernel documentation: > > Documentation/userspace-api/spec_ctrl.rst > > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > > > Signed-off-by: Guido Trentalancia > > > > diff -pru a/common/init.c b/common/init.c 
> > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > > +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 > > @@ -29,6 +29,10 @@ > > > > #include > > > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > +# include > > +#endif > > + > > #ifdef HAVE_W32_SYSTEM > > # if _WIN32_WINNT < 0x0600 > > # define _WIN32_WINNT 0x0600 /* Required for > > SetProcessDEPPolicy. */ > > @@ -132,6 +136,32 @@ writestring_via_estream (int mode, const > > void > > early_system_init (void) > > { > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > + > > +/* Disable CPU speculative execution security vulnerabilities > > + * causing data leaks: see the Linux kernel documentation > > + * Documentation/userspace-api/spec_ctrl.rst > > + * > > + * - Speculative Store Bypass (CVE-2018-3639, always > > + * disabled) > > + * - Indirect Branch Speculation (CVE-2017-5715, always > > + * disabled) > > + * - Flush L1D Cache on context switch out of the task (it > > + * requires the l1d_flush=on kernel boot parameter) > > + */ > > +#ifdef PR_SPEC_STORE_BYPASS > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > PR_SPEC_ENABLE, > > 0, 0); > > +#endif > > + > > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > > } > > > > > > diff -pru a/configure.ac b/configure.ac > > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 
> > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > > AC_MSG_RESULT($selinux_support) > > > > > > +# Fix security vulnerability CVE-2020-0550 by enabling > > +# Level 1 Data Cache flushing on context switch. > > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > > switch]) > > +AC_ARG_ENABLE(l1d-cache-flushing, > > + AS_HELP_STRING([--enable-l1d-cache-flushing], > > + [enable L1D cache flushing]), > > + l1d_cache_flushing=$enableval, > > l1d_cache_flushing=no) > > +AC_MSG_RESULT($l1d_cache_flushing) > > + > > + > > AC_MSG_CHECKING([whether to allocate extra secure memory]) > > AC_ARG_ENABLE(large-secmem, > > AS_HELP_STRING([--enable-large-secmem], > > @@ -1313,6 +1323,15 @@ fi > > > > > > # > > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > > +# > > +if test "$l1d_cache_flushing" = yes ; then > > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > > + [Define to enable Layer 1 Data Cache flushing]) > > +fi > > + > > + > > +# > > # Checks for header files. > > # > > AC_MSG_NOTICE([checking for header files]) 
> > @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > > ucred.h sys/ucred.h sys/sysmacros.h > > sys/mkdev.h]) > > > > > > +# See whether libc supports the prctl() > > +case "${host}" in > > + *-*-linux*) > > + AC_CHECK_HEADERS([sys/prctl.h]) > > + ;; > > +esac > > + > > # > > # Checks for typedefs, structures, and compiler characteristics. > > # > > > > On Mon, 07/07/2025 at 19.17 +0200, Guido Trentalancia via > > Gnupg-devel wrote: > > > On Mon, 07/07/2025 alle 18.36 +0200, Werner Koch wrote: > > > > Hi! > > > > > > > > On Sun, 6 Jul 2025 21:50, Guido Trentalancia said: > > > > > > > > > common: Disable CPU speculation-related misfeatures > > > > > > > > I would prefer to keep the subject clear of an opinion. > > > > > > It's not an opinion, it's a fact. > > > > > > The wording is taken from the official Linux kernel > > > documentation, > > > however I agree it's probably too delicate, the correct wording > > > is > > > "security vulnerabilities". > > > > > > > > +#if defined(__linux__) > > > > > +# include > > > > > +#endif > > > > > > > > Good. You now provide configure tests. Please also add a > > > > general > > > > one > > > > which checks for this header. > > > > > > A general check for sys/prctl.h is not needed, as such header > > > file > > > is > > > only used on Linux-specific code and it can therefore break > > > things > > > on > > > non-Linux systems. > > > > > > > > +#if defined(__linux__) > > > > > > > > And use that here ;-) > > > > > > > > > AC_CHECK_HEADERS([unistd.h langinfo.h termio.h locale.h \ > > > > > pwd.h inttypes.h signal.h sys/select.h > > > > > sys/time.h \ > > > > > stdint.h signal.h termios.h \ > > > > > - ucred.h sys/ucred.h sys/sysmacros.h > > > > > sys/mkdev.h]) > > > > > + ucred.h sys/ucred.h sys/sysmacros.h > > > > > sys/mkdev.h > > > > > \ > > > > > + sys/prctl.h]) > > > > > > > > Hey, you already got that macro. 
Thus you can replace the > > > > above > > > > with > > > > > > > > #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__) > > > > > > I can replace that, in reversed order. Please see the v6 patch > > > below, > > > my last attempt at fixing this... > > > > > > > and we are good. The ifdef __linux__ here is so that we cater > > > > for > > > > OSes > > > > which have such a header for different purposes. Using the > > > > standard > > > > configure test along with a ifdef in the code is a good > > > > compromise > > > > between readibility and regualar autoconf style. > > > > > > common: Disable CPU speculation-related security > > > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > > > CVE-2017-5715 and optionally CVE-2020-0550) > > > > > > * configure.ac: add a new L1D Cache flushing option > > > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > > > and check for sys/prctl.h on Linux systems > > > > > > * common/init.c (early_system_init): Disable CPU > > > speculation-related misfeatures which are in fact > > > vulnerabilities causing data leaks: > > > > > > - Speculative Store Bypass (always disabled) > > > - Indirect Branch Speculation (always disabled) > > > - Flush L1D Cache on context switch out of the > > > task (use the --enable-l1d-cache-flushing > > > configure option to mitigate the vulnerability) > > > > > > For further information see the kernel documentation: > > > Documentation/userspace-api/spec_ctrl.rst > > > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > > > > > Signed-off-by: Guido Trentalancia > > > > > > diff -pru a/common/init.c b/common/init.c > > > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > > > +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 
> > > @@ -29,6 +29,10 @@ > > > > > > #include > > > > > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > > +# include > > > +#endif > > > + > > > #ifdef HAVE_W32_SYSTEM > > > # if _WIN32_WINNT < 0x0600 > > > # define _WIN32_WINNT 0x0600 /* Required for > > > SetProcessDEPPolicy. */ > > > @@ -132,6 +136,29 @@ writestring_via_estream (int mode, const > > > void > > > early_system_init (void) > > > { > > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > > + > > > +/* Disable CPU speculation-related security vulnerabilities > > > + * causing data leaks: see the Linux kernel documentation > > > + * Documentation/userspace-api/spec_ctrl.rst > > > + * > > > + * - Speculative Store Bypass > > > + * - Indirect Branch Speculation > > > + * - Flush L1D Cache on context switch out of the task > > > + */ > > > +#ifdef PR_SPEC_STORE_BYPASS > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > +#endif > > > + > > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > +#endif > > > + > > > +#if defined(ENABLE_L1D_CACHE_FLUSH) && > > > defined(PR_SPEC_L1D_FLUSH) > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > > PR_SPEC_ENABLE, > > > 0, 0); > > > +#endif > > > + > > > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > > > } > > > > > > > > > diff -pru a/configure.ac b/configure.ac > > > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > > > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 
> > > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > > > AC_MSG_RESULT($selinux_support) > > > > > > > > > +# Fix security vulnerability CVE-2020-0550 by enabling > > > +# Level 1 Data Cache flushing on context switch. > > > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on > > > context > > > switch]) > > > +AC_ARG_ENABLE(l1d-cache-flushing, > > > + AS_HELP_STRING([--enable-l1d-cache-flushing], > > > + [enable L1D cache flushing]), > > > + l1d_cache_flushing=$enableval, > > > l1d_cache_flushing=no) > > > +AC_MSG_RESULT($l1d_cache_flushing) > > > + > > > + > > > AC_MSG_CHECKING([whether to allocate extra secure memory]) > > > AC_ARG_ENABLE(large-secmem, > > > AS_HELP_STRING([--enable-large-secmem], > > > @@ -1313,6 +1323,15 @@ fi > > > > > > > > > # > > > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > > > +# > > > +if test "$l1d_cache_flushing" = yes ; then > > > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > > > + [Define to enable Layer 1 Data Cache flushing]) > > > +fi > > > + > > > + > > > +# > > > # Checks for header files. > > > # > > > AC_MSG_NOTICE([checking for header files]) 
> > > @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > > > ucred.h sys/ucred.h sys/sysmacros.h > > > sys/mkdev.h]) > > > > > > > > > +# See whether libc supports the prctl() > > > +case "${host}" in > > > + *-*-linux*) > > > + AC_CHECK_HEADERS([sys/prctl.h]) > > > + ;; > > > +esac > > > + > > > # > > > # Checks for typedefs, structures, and compiler characteristics. > > > # > > > > > > From guido at trentalancia.com Tue Jul 8 21:38:29 2025
From: guido at trentalancia.com (Guido Trentalancia) Date: Tue, 08 Jul 2025 21:38:29 +0200 Subject: [PATCH gnupg v10] Disable CPU speculation-related misfeatures In-Reply-To: <1751991996.6941.1.camel@trentalancia.com> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> <875xg42c1o.fsf@jacob.g10code.de> <1751908674.7090.8.camel@trentalancia.com> <1751972700.857.4.camel@trentalancia.com> <1751983558.11004.3.camel@trentalancia.com> <1751991996.6941.1.camel@trentalancia.com> Message-ID: <1752003509.25437.3.camel@trentalancia.com> The following new v10 patch has been created to fix a missing #ifdef and header file check for the case of L1D cache flushing. common: Disable CPU speculative execution security vulnerabilities (CVE-2018-3639 aka Spectre variant 4, CVE-2017-5715 and optionally CVE-2020-0550) * configure.ac: add a new L1D Cache flushing option (--enable-l1d-cache-flushing) to fix CVE-2020-0550 and check for sys/prctl.h on Linux systems * common/init.c (early_system_init): Disable CPU speculative execution security vulnerabilities potentially causing data leaks: - Speculative Store Bypass (always disabled) - Indirect Branch Speculation (always disabled) - Flush L1D Cache on context switch out of the task (use the --enable-l1d-cache-flushing configure option and "nosmt l1d_flush=on" on the boot command line to mitigate the vulnerability) For further information see the kernel documentation: Documentation/userspace-api/spec_ctrl.rst Documentation/admin-guide/hw-vuln/l1d_flush.rst Signed-off-by: Guido Trentalancia diff -pru a/common/init.c b/common/init.c --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 +++ b/common/init.c 2025-07-08 21:29:23.071406450 +0200 
@@ -29,6 +29,14 @@ #include +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) +# include +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) +# include +#endif + #ifdef HAVE_W32_SYSTEM # if _WIN32_WINNT < 0x0600 # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */ @@ -128,10 +136,54 @@ writestring_via_estream (int mode, const } +#ifdef ENABLE_L1D_CACHE_FLUSH +void sigbus_handler(int signo) +{ + if (signo == SIGBUS) + { + log_info ("Warning: Level 1 Data Cache flushing requires the \"nosmt\" boot parameter.\n"); + } +} +#endif + + /* This function should be the first called after main. */ void early_system_init (void) { +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) + +/* Disable CPU speculative execution security vulnerabilities + * causing data leaks: see the Linux kernel documentation + * Documentation/userspace-api/spec_ctrl.rst + * + * - Speculative Store Bypass (CVE-2018-3639, always + * disabled) + * - Indirect Branch Speculation (CVE-2017-5715, always + * disabled) + * - Flush L1D Cache on context switch out of the task (it + * requires the "nosmt l1d_flush=on" kernel boot parameter) + */ +#ifdef PR_SPEC_STORE_BYPASS + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_INDIRECT_BRANCH + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) + if (signal(SIGBUS, sigbus_handler) == SIG_ERR) + { + log_info ("Warning: cannot catch the SIGBUS signal.\n"); + } + if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0) < 0) + { + log_info ("Warning: Level 1 Data Cache flushing requires the \"l1d_flush=on\" boot parameter.\n"); + } +#endif + +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ } diff -pru a/configure.ac b/configure.ac --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 +++ b/configure.ac 2025-07-08 21:32:32.674405293 +0200 
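Review bot: in the @@ -128,10 +136,54 @@ hunk the SIGBUS handler is installed with signal() and never restored, and it calls log_info(), which is not async-signal-safe; any SIGBUS disposition the program or a linked library set before early_system_init() is silently overwritten for the life of the process, and a log call from signal context can deadlock on estream or allocator locks. Note also what the handler's own warning text concedes: the signal means the task ran with SMT active, and according to the kernel document the comment cites (Documentation/admin-guide/hw-vuln/l1d_flush.rst) it is delivered when the opted-in task is scheduled on an SMT-enabled core, i.e. after prctl() has already returned, so restoring the old handler right after the call would not catch it either. The workable shape is a static handler that only sets a volatile sig_atomic_t flag, installed with sigaction() so the previous struct sigaction is saved, with the flag checked and reported from normal context. Separately, the return values of the two PR_SPEC_FORCE_DISABLE calls are discarded, so a kernel that rejects them leaves the process believing it is hardened; read the state back with prctl (PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0) and warn unless PR_SPEC_FORCE_DISABLE is reported. Style: sigbus_handler should be static (it is defined under ENABLE_L1D_CACHE_FLUSH alone but only used when PR_SPEC_L1D_FLUSH is also defined, so it is otherwise an unused global), the comment block inside the function body sits at column 0, and the prctl()/signal() calls lack the space before the parenthesis used elsewhere in this file (log_info (...)).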
@@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, AC_MSG_RESULT($selinux_support) +# Fix security vulnerability CVE-2020-0550 by enabling +# Level 1 Data Cache flushing on context switch. +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch]) +AC_ARG_ENABLE(l1d-cache-flushing, + AS_HELP_STRING([--enable-l1d-cache-flushing], + [enable L1D cache flushing]), + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) +AC_MSG_RESULT($l1d_cache_flushing) + + AC_MSG_CHECKING([whether to allocate extra secure memory]) AC_ARG_ENABLE(large-secmem, AS_HELP_STRING([--enable-large-secmem], @@ -1313,6 +1323,16 @@ fi # +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) +# +if test "$l1d_cache_flushing" = yes ; then + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, + [Define to enable Layer 1 Data Cache flushing]) + AC_CHECK_HEADERS([signal.h]) +fi + + +# # Checks for header files. # AC_MSG_NOTICE([checking for header files]) 
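Review bot: in the @@ -244,6 +244,16 @@ hunk the AC_MSG_CHECKING text "whether Level 1 Data Cache is flushed on context switch" states a runtime property that configure cannot know; the macro only records whether --enable-l1d-cache-flushing was given, so say "whether to request L1D cache flushing on context switch", and the comment above it should not claim the option fixes CVE-2020-0550, since the request can still be refused at run time (the warnings in init.c exist for exactly that case). In the @@ -1313,6 +1323,16 @@ hunk, AC_CHECK_HEADERS([signal.h]) duplicates the general header list, which already contains signal.h (as quoted by Werner earlier in this thread), and its HAVE_SIGNAL_H result is never consulted because init.c includes the header unconditionally under ENABLE_L1D_CACHE_FLUSH. More important, ENABLE_L1D_CACHE_FLUSH is defined even on non-Linux hosts and even when the installed sys/prctl.h predates PR_SPEC_L1D_FLUSH; because init.c guards on defined(PR_SPEC_L1D_FLUSH), such a build silently drops the feature the user explicitly asked for. Reject or warn for --enable-l1d-cache-flushing outside *-*-linux*, and after the sys/prctl.h check in the following hunk test for the constant, for example with
AC_CHECK_DECLS([PR_SPEC_L1D_FLUSH], [], [AC_MSG_ERROR([--enable-l1d-cache-flushing needs PR_SPEC_L1D_FLUSH])], [[#include <sys/prctl.h>]])
so that configure fails loudly instead of producing a binary without the option.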
@@ -1322,6 +1342,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) +# See whether libc supports the prctl() +case "${host}" in + *-*-linux*) + AC_CHECK_HEADERS([sys/prctl.h]) + ;; +esac + # # Checks for typedefs, structures, and compiler characteristics. # On Tue, 08/07/2025 at 18.26 +0200, Guido Trentalancia via Gnupg-devel wrote: > Error reporting and handling has been added to create a v9 patch that > follows... > > common: Disable CPU speculative execution security > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > CVE-2017-5715 and optionally CVE-2020-0550) > > * configure.ac: add a new L1D Cache flushing option > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > and check for sys/prctl.h on Linux systems > > * common/init.c (early_system_init): Disable CPU > speculative execution security vulnerabilities > potentially causing data leaks: > > - Speculative Store Bypass (always disabled) > - Indirect Branch Speculation (always disabled) > - Flush L1D Cache on context switch out of the > task (use the --enable-l1d-cache-flushing > configure option and "nosmt l1d_flush=on" on the > boot command line to mitigate the vulnerability) > > For further information see the kernel documentation: > Documentation/userspace-api/spec_ctrl.rst > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > Signed-off-by: Guido Trentalancia > > diff -pru a/common/init.c b/common/init.c > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > +++ b/common/init.c 2025-07-08 18:14:12.246994230 +0200 > @@ -29,6 +29,14 @@ > > #include > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > +# include > +#endif > + > +#if defined(ENABLE_L1D_CACHE_FLUSH) > +# include > +#endif > + > #ifdef HAVE_W32_SYSTEM > # if _WIN32_WINNT < 0x0600 > # define _WIN32_WINNT 0x0600 /* Required for > SetProcessDEPPolicy. */ 
> @@ -128,10 +136,52 @@ writestring_via_estream (int mode, const > } > > > +void sigbus_handler(int signo) > +{ > + if (signo == SIGBUS) > + { > + log_info ("Warning: Level 1 Data Cache flushing requires the > \"nosmt\" boot parameter.\n"); > + } > +} > + > + > /* This function should be the first called after main. */ > void > early_system_init (void) > { > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > + > +/* Disable CPU speculative execution security vulnerabilities > + * causing data leaks: see the Linux kernel documentation > + * Documentation/userspace-api/spec_ctrl.rst > + * > + * - Speculative Store Bypass (CVE-2018-3639, always > + * disabled) > + * - Indirect Branch Speculation (CVE-2017-5715, always > + * disabled) > + * - Flush L1D Cache on context switch out of the task (it > + * requires the "nosmt l1d_flush=on" kernel boot parameter) > + */ > +#ifdef PR_SPEC_STORE_BYPASS > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#ifdef PR_SPEC_INDIRECT_BRANCH > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > + if (signal(SIGBUS, sigbus_handler) == SIG_ERR) > + { > + log_info ("Warning: cannot catch the SIGBUS signal.\n"); > + } > + if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > PR_SPEC_ENABLE, 0, 0) < 0) > + { > + log_info ("Warning: Level 1 Data Cache flushing requires the > \"l1d_flush=on\" boot parameter.\n"); > + } > +#endif > + > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > } > > > diff -pru a/configure.ac b/configure.ac > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > +++ b/configure.ac 2025-07-08 17:31:51.757997407 +0200 
> @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > AC_MSG_RESULT($selinux_support) > > > +# Fix security vulnerability CVE-2020-0550 by enabling > +# Level 1 Data Cache flushing on context switch. > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > switch]) > +AC_ARG_ENABLE(l1d-cache-flushing, > + AS_HELP_STRING([--enable-l1d-cache-flushing], > + [enable L1D cache flushing]), > + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) > +AC_MSG_RESULT($l1d_cache_flushing) > + > + > AC_MSG_CHECKING([whether to allocate extra secure memory]) > AC_ARG_ENABLE(large-secmem, > AS_HELP_STRING([--enable-large-secmem], > @@ -1313,6 +1323,15 @@ fi > > > # > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > +# > +if test "$l1d_cache_flushing" = yes ; then > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > + [Define to enable Layer 1 Data Cache flushing]) > +fi > + > + > +# > # Checks for header files. > # > AC_MSG_NOTICE([checking for header files]) 
> @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) > > > +# See whether libc supports the prctl() > +case "${host}" in > + *-*-linux*) > + AC_CHECK_HEADERS([sys/prctl.h]) > + ;; > +esac > + > # > # Checks for typedefs, structures, and compiler characteristics. > # > > On Tue, 08/07/2025 at 16.05 +0200, Guido Trentalancia via > Gnupg-devel wrote: > > I have now further improved the documentation of how to use L1 Data > > Cache flushing, this should answer the question raised by Jussi > > Kivilinna regarding the SIGBUS error. A new v8 patch has been > > created. > > > > common: Disable CPU speculative execution security > > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > > CVE-2017-5715 and optionally CVE-2020-0550) > > > > * configure.ac: add a new L1D Cache flushing option > > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > > and check for sys/prctl.h on Linux systems > > > > * common/init.c (early_system_init): Disable CPU > > speculative execution security vulnerabilities > > potentially causing data leaks: > > > > - Speculative Store Bypass (always disabled) > > - Indirect Branch Speculation (always disabled) > > - Flush L1D Cache on context switch out of the > > task (use the --enable-l1d-cache-flushing > > configure option and "nosmt l1d_flush=on" on the > > boot command line to mitigate the vulnerability) > > > > For further information see the kernel documentation: > > Documentation/userspace-api/spec_ctrl.rst > > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > > > Signed-off-by: Guido Trentalancia > > > > diff -pru a/common/init.c b/common/init.c > > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > > +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 
> > @@ -29,6 +29,10 @@ > > > > #include > > > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > +# include > > +#endif > > + > > #ifdef HAVE_W32_SYSTEM > > # if _WIN32_WINNT < 0x0600 > > # define _WIN32_WINNT 0x0600 /* Required for > > SetProcessDEPPolicy. */ > > @@ -132,6 +136,32 @@ writestring_via_estream (int mode, const > > void > > early_system_init (void) > > { > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > + > > +/* Disable CPU speculative execution security vulnerabilities > > + * causing data leaks: see the Linux kernel documentation > > + * Documentation/userspace-api/spec_ctrl.rst > > + * > > + * - Speculative Store Bypass (CVE-2018-3639, always > > + * disabled) > > + * - Indirect Branch Speculation (CVE-2017-5715, always > > + * disabled) > > + * - Flush L1D Cache on context switch out of the task (it > > + * requires the "nosmt l1d_flush=on" kernel boot parameter) > > + */ > > +#ifdef PR_SPEC_STORE_BYPASS > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > PR_SPEC_ENABLE, > > 0, 0); > > +#endif > > + > > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > > } > > > > > > diff -pru a/configure.ac b/configure.ac > > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 
> > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > > AC_MSG_RESULT($selinux_support) > > > > > > +# Fix security vulnerability CVE-2020-0550 by enabling > > +# Level 1 Data Cache flushing on context switch. > > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > > switch]) > > +AC_ARG_ENABLE(l1d-cache-flushing, > > + AS_HELP_STRING([--enable-l1d-cache-flushing], > > + [enable L1D cache flushing]), > > + l1d_cache_flushing=$enableval, > > l1d_cache_flushing=no) > > +AC_MSG_RESULT($l1d_cache_flushing) > > + > > + > > AC_MSG_CHECKING([whether to allocate extra secure memory]) > > AC_ARG_ENABLE(large-secmem, > > AS_HELP_STRING([--enable-large-secmem], > > @@ -1313,6 +1323,15 @@ fi > > > > > > # > > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > > +# > > +if test "$l1d_cache_flushing" = yes ; then > > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > > + [Define to enable Layer 1 Data Cache flushing]) > > +fi > > + > > + > > +# > > # Checks for header files. > > # > > AC_MSG_NOTICE([checking for header files]) 
> > @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > > ucred.h sys/ucred.h sys/sysmacros.h > > sys/mkdev.h]) > > > > > > +# See whether libc supports the prctl() > > +case "${host}" in > > + *-*-linux*) > > + AC_CHECK_HEADERS([sys/prctl.h]) > > + ;; > > +esac > > + > > # > > # Checks for typedefs, structures, and compiler characteristics. > > # > > > > On Tue, 08/07/2025 at 13.05 +0200, Guido Trentalancia via > > Gnupg-devel wrote: > > > In the following v7 patch I have improved the commit log and > > > source > > > code comments, with a better explanation of how to fix CVE-2020- > > > 0550 > > > (L1 Data Cache flush). > > > > > > common: Disable CPU speculative execution security > > > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > > > CVE-2017-5715 and optionally CVE-2020-0550) > > > > > > * configure.ac: add a new L1D Cache flushing option > > > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > > > and check for sys/prctl.h on Linux systems > > > > > > * common/init.c (early_system_init): Disable CPU > > > speculative execution security vulnerabilities > > > potentially causing data leaks: > > > > > > - Speculative Store Bypass (always disabled) > > > - Indirect Branch Speculation (always disabled) > > > - Flush L1D Cache on context switch out of the > > > task (use the --enable-l1d-cache-flushing > > > configure option and l1d_flush=on on the boot > > > command line to mitigate the vulnerability) > > > > > > For further information see the kernel documentation: > > > Documentation/userspace-api/spec_ctrl.rst > > > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > > > > > Signed-off-by: Guido Trentalancia > > > > > > diff -pru a/common/init.c b/common/init.c > > > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > > > +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200
> > > @@ -29,6 +29,10 @@ > > > > > > #include > > > > > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > > +# include > > > +#endif > > > + > > > #ifdef HAVE_W32_SYSTEM > > > # if _WIN32_WINNT < 0x0600 > > > # define _WIN32_WINNT 0x0600 /* Required for > > > SetProcessDEPPolicy. */ > > > @@ -132,6 +136,32 @@ writestring_via_estream (int mode, const > > > void > > > early_system_init (void) > > > { > > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > > + > > > +/* Disable CPU speculative execution security vulnerabilities > > > + * causing data leaks: see the Linux kernel documentation > > > + * Documentation/userspace-api/spec_ctrl.rst > > > + * > > > + * - Speculative Store Bypass (CVE-2018-3639, always > > > + * disabled) > > > + * - Indirect Branch Speculation (CVE-2017-5715, always > > > + * disabled) > > > + * - Flush L1D Cache on context switch out of the task (it > > > + * requires the l1d_flush=on kernel boot parameter) > > > + */ > > > +#ifdef PR_SPEC_STORE_BYPASS > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > +#endif > > > + > > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > +#endif > > > + > > > +#if defined(ENABLE_L1D_CACHE_FLUSH) && > > > defined(PR_SPEC_L1D_FLUSH) > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > > PR_SPEC_ENABLE, > > > 0, 0); > > > +#endif > > > + > > > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > > > } > > > > > > > > > diff -pru a/configure.ac b/configure.ac > > > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > > > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 
> > > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > > > AC_MSG_RESULT($selinux_support) > > > > > > > > > +# Fix security vulnerability CVE-2020-0550 by enabling > > > +# Level 1 Data Cache flushing on context switch. > > > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on > > > context > > > switch]) > > > +AC_ARG_ENABLE(l1d-cache-flushing, > > > + AS_HELP_STRING([--enable-l1d-cache-flushing], > > > + [enable L1D cache flushing]), > > > + l1d_cache_flushing=$enableval, > > > l1d_cache_flushing=no) > > > +AC_MSG_RESULT($l1d_cache_flushing) > > > + > > > + > > > AC_MSG_CHECKING([whether to allocate extra secure memory]) > > > AC_ARG_ENABLE(large-secmem, > > > AS_HELP_STRING([--enable-large-secmem], > > > @@ -1313,6 +1323,15 @@ fi > > > > > > > > > # > > > +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) > > > +# > > > +if test "$l1d_cache_flushing" = yes ; then > > > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > > > + [Define to enable Layer 1 Data Cache flushing]) > > > +fi > > > + > > > + > > > +# > > > # Checks for header files. > > > # > > > AC_MSG_NOTICE([checking for header files]) 
> > > @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > > > ucred.h sys/ucred.h sys/sysmacros.h > > > sys/mkdev.h]) > > > > > > > > > +# See whether libc supports the prctl() > > > +case "${host}" in > > > + *-*-linux*) > > > + AC_CHECK_HEADERS([sys/prctl.h]) > > > + ;; > > > +esac > > > + > > > # > > > # Checks for typedefs, structures, and compiler characteristics. > > > # > > > > > > On Mon, 07/07/2025 at 19.17 +0200, Guido Trentalancia via > > > Gnupg-devel wrote: > > > > On Mon, 07/07/2025 alle 18.36 +0200, Werner Koch wrote: > > > > > Hi! > > > > > > > > > > On Sun, 6 Jul 2025 21:50, Guido Trentalancia said: > > > > > > > > > > > common: Disable CPU speculation-related misfeatures > > > > > > > > > > I would prefer to keep the subject clear of an opinion. > > > > > > > > It's not an opinion, it's a fact. > > > > > > > > The wording is taken from the official Linux kernel > > > > documentation, > > > > however I agree it's probably too delicate, the correct wording > > > > is > > > > "security vulnerabilities". > > > > > > > > > > +#if defined(__linux__) > > > > > > +# include > > > > > > +#endif > > > > > > > > > > Good. You now provide configure tests. Please also add a > > > > > general > > > > > one > > > > > which checks for this header. > > > > > > > > A general check for sys/prctl.h is not needed, as such header > > > > file > > > > is > > > > only used on Linux-specific code and it can therefore break > > > > things > > > > on > > > > non-Linux systems. 
> > > > > > > > > > +#if defined(__linux__) > > > > > > > > > > And use that here ;-) > > > > > > > > > > > AC_CHECK_HEADERS([unistd.h langinfo.h termio.h locale.h \ > > > > > > pwd.h inttypes.h signal.h sys/select.h > > > > > > sys/time.h \ > > > > > > stdint.h signal.h termios.h \ > > > > > > - ucred.h sys/ucred.h sys/sysmacros.h > > > > > > sys/mkdev.h]) > > > > > > + ucred.h sys/ucred.h sys/sysmacros.h > > > > > > sys/mkdev.h > > > > > > \ > > > > > > + sys/prctl.h]) > > > > > > > > > > Hey, you already got that macro. Thus you can replace the > > > > > above > > > > > with > > > > > > > > > > #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__) > > > > > > > > I can replace that, in reversed order. Please see the v6 patch > > > > below, > > > > my last attempt at fixing this... > > > > > > > > > and we are good. The ifdef __linux__ here is so that we > > > > > cater > > > > > for > > > > > OSes > > > > > which have such a header for different purposes. Using the > > > > > standard > > > > > configure test along with an ifdef in the code is a good > > > > > compromise > > > > > between readability and regular autoconf style.
> > > > > > > > common: Disable CPU speculation-related security > > > > vulnerabilities (CVE-2018-3639 aka Spectre variant 4, > > > > CVE-2017-5715 and optionally CVE-2020-0550) > > > > > > > > * configure.ac: add a new L1D Cache flushing option > > > > (--enable-l1d-cache-flushing) to fix CVE-2020-0550 > > > > and check for sys/prctl.h on Linux systems > > > > > > > > * common/init.c (early_system_init): Disable CPU > > > > speculation-related misfeatures which are in fact > > > > vulnerabilities causing data leaks: > > > > > > > > - Speculative Store Bypass (always disabled) > > > > - Indirect Branch Speculation (always disabled) > > > > - Flush L1D Cache on context switch out of the > > > > task (use the --enable-l1d-cache-flushing > > > > configure option to mitigate the vulnerability) > > > > > > > > For further information see the kernel documentation: > > > > Documentation/userspace-api/spec_ctrl.rst > > > > Documentation/admin-guide/hw-vuln/l1d_flush.rst > > > > > > > > Signed-off-by: Guido Trentalancia > > > > > > > > diff -pru a/common/init.c b/common/init.c > > > > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 > > > > +++ b/common/init.c 2025-07-07 19:02:08.478853360 +0200 > > > > @@ -29,6 +29,10 @@ > > > > > > > > #include > > > > > > > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > > > +# include > > > > +#endif > > > > + > > > > #ifdef HAVE_W32_SYSTEM > > > > # if _WIN32_WINNT < 0x0600 > > > > # define _WIN32_WINNT 0x0600 /* Required for > > > > SetProcessDEPPolicy. */ 
> > > > @@ -132,6 +136,29 @@ writestring_via_estream (int mode, const > > > > void > > > > early_system_init (void) > > > > { > > > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > > > + > > > > +/* Disable CPU speculation-related security vulnerabilities > > > > + * causing data leaks: see the Linux kernel documentation > > > > + * Documentation/userspace-api/spec_ctrl.rst > > > > + * > > > > + * - Speculative Store Bypass > > > > + * - Indirect Branch Speculation > > > > + * - Flush L1D Cache on context switch out of the task > > > > + */ > > > > +#ifdef PR_SPEC_STORE_BYPASS > > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > > +#endif > > > > + > > > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > > > PR_SPEC_FORCE_DISABLE, 0, 0); > > > > +#endif > > > > + > > > > +#if defined(ENABLE_L1D_CACHE_FLUSH) && > > > > defined(PR_SPEC_L1D_FLUSH) > > > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > > > PR_SPEC_ENABLE, > > > > 0, 0); > > > > +#endif > > > > + > > > > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > > > > } > > > > > > > > > > > > diff -pru a/configure.ac b/configure.ac > > > > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > > > > +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200 
> > > > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > > > > AC_MSG_RESULT($selinux_support) > > > > > > > > > > > > +# Fix security vulnerability CVE-2020-0550 by enabling > > > > +# Level 1 Data Cache flushing on context switch. > > > > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on > > > > context > > > > switch]) > > > > +AC_ARG_ENABLE(l1d-cache-flushing, > > > > + AS_HELP_STRING([--enable-l1d-cache-flushing], > > > > + [enable L1D cache flushing]), > > > > + l1d_cache_flushing=$enableval, > > > > l1d_cache_flushing=no) > > > > +AC_MSG_RESULT($l1d_cache_flushing) > > > > + > > > > + > > > > AC_MSG_CHECKING([whether to allocate extra secure memory]) > > > > AC_ARG_ENABLE(large-secmem, > > > > AS_HELP_STRING([--enable-large-secmem], > > > > @@ -1313,6 +1323,15 @@ fi > > > > > > > > > > > > # > > > > +# Level 1 Data Cache flushing on context switch (CVE-2020- > > > > 0550) > > > > +# > > > > +if test "$l1d_cache_flushing" = yes ; then > > > > + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, > > > > + [Define to enable Layer 1 Data Cache flushing]) > > > > +fi > > > > + > > > > + > > > > +# > > > > # Checks for header files. > > > > # > > > > AC_MSG_NOTICE([checking for header files]) 
> > > > @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te > > > > ucred.h sys/ucred.h sys/sysmacros.h > > > > sys/mkdev.h]) > > > > > > > > > > > > +# See whether libc supports the prctl() > > > > +case "${host}" in > > > > + *-*-linux*) > > > > + AC_CHECK_HEADERS([sys/prctl.h]) > > > > + ;; > > > > +esac > > > > + > > > > # > > > > # Checks for typedefs, structures, and compiler > > > > characteristics. > > > > # From jcb62281 at gmail.com Wed Jul 9 03:02:29 2025
From: jcb62281 at gmail.com (Jacob Bachmeyer) Date: Tue, 8 Jul 2025 20:02:29 -0500 Subject: [PATCH gnupg v10] Disable CPU speculation-related misfeatures In-Reply-To: <1752003509.25437.3.camel@trentalancia.com> References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> <875xg42c1o.fsf@jacob.g10code.de> <1751908674.7090.8.camel@trentalancia.com> <1751972700.857.4.camel@trentalancia.com> <1751983558.11004.3.camel@trentalancia.com> <1751991996.6941.1.camel@trentalancia.com> <1752003509.25437.3.camel@trentalancia.com> Message-ID: On 7/8/25 14:38, Guido Trentalancia via Gnupg-devel wrote: > The following new v10 patch has been created to fix a missing #ifdef > and header file check for the case of L1D cache flushing. > [...] Two major issues, further explained inline below: - You are installing the signal handler incorrectly; this will interfere with other possible uses of SIGBUS. - Your message from configure when testing the option to request L1 cache flushes is misleading. Further, none of this actually *fixes* anything; these are *workarounds* for widespread hardware bugs. Also, have you actually tested this on a machine where the request for L1 cache flushes raises SIGBUS? > > diff -pru a/common/init.c b/common/init.c > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200
> +++ b/common/init.c 2025-07-08 21:29:23.071406450 +0200 > [...] > /* This function should be the first called after main. */ > void > early_system_init (void) > { > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > + > +/* Disable CPU speculative execution security vulnerabilities > + * causing data leaks: see the Linux kernel documentation > + * Documentation/userspace-api/spec_ctrl.rst > + * > + * - Speculative Store Bypass (CVE-2018-3639, always > + * disabled) > + * - Indirect Branch Speculation (CVE-2017-5715, always > + * disabled) > + * - Flush L1D Cache on context switch out of the task (it > + * requires the "nosmt l1d_flush=on" kernel boot parameter) > + */ > +#ifdef PR_SPEC_STORE_BYPASS > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#ifdef PR_SPEC_INDIRECT_BRANCH > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); > +#endif > + > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > + if (signal(SIGBUS, sigbus_handler) == SIG_ERR) > + { > + log_info ("Warning: cannot catch the SIGBUS signal.\n"); > + } You cannot use signal() here in a library because you must restore any previous signal handler immediately after the prctl() call. Other code in the program might have its own reasons to catch SIGBUS, and this handler will interfere with that. You must use sigaction() here to obtain the old handler in a form that you can use to restore it after calling prctl(). > + if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0) < 0) > + { > + log_info ("Warning: Level 1 Data Cache flushing requires the \"l1d_flush=on\" boot parameter.\n"); > + } This is where you need to restore the previous state of SIGBUS handling. > +#endif > + > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > } > > > diff -pru a/configure.ac b/configure.ac > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200
> +++ b/configure.ac 2025-07-08 21:32:32.674405293 +0200 > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > AC_MSG_RESULT($selinux_support) > > > +# Fix security vulnerability CVE-2020-0550 by enabling > +# Level 1 Data Cache flushing on context switch. > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch]) This message does not accurately describe what is going on. This should say "whether L1 data cache should be flushed on context switch" because it does *not* test whether the cache is *actually* flushed, but only if the option to *request* flushing the cache is set. > +AC_ARG_ENABLE(l1d-cache-flushing, > + AS_HELP_STRING([--enable-l1d-cache-flushing], > + [enable L1D cache flushing]), > + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) > +AC_MSG_RESULT($l1d_cache_flushing) > + > + > AC_MSG_CHECKING([whether to allocate extra secure memory]) > AC_ARG_ENABLE(large-secmem, > AS_HELP_STRING([--enable-large-secmem], > [...] -- Jacob From guido at trentalancia.com Wed Jul 9 14:20:40 2025
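A worked example of the pattern the review above asks for, added here for readers of the thread; it is not GnuPG code and not part of any posted patch. It force-disables the two always-on mitigations and reads each state back through PR_GET_SPECULATION_CTRL instead of trusting the set call, installs the SIGBUS handler with sigaction() so that the previous disposition is saved and can be restored, keeps the handler itself async-signal-safe (a flag, no logging), and requests the L1D flush with a read-back check. One caveat from the kernel document the patch cites (l1d_flush.rst): the SIGBUS for a task that opted in is delivered when that task is scheduled on an SMT-enabled core, not from inside prctl(), so a process that wants to notice it has to leave the handler in place for as long as the opt-in is active. The function names (harden_spec, install_sigbus_handler, sigbus_roundtrip_ok, request_l1d_flush) are this example's own; the PR_* fallback values are those of linux/prctl.h, supplied only for build hosts whose headers predate them.

```c
/* Added example for this thread, not GnuPG code (Linux only): force-disable
 * the two speculation features, read every state back, and handle SIGBUS for
 * the L1D flush opt-in without clobbering another handler.  Function names are
 * the example's own; the PR_* fallbacks carry the <linux/prctl.h> values. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#ifndef PR_SPEC_L1D_FLUSH   /* headers older than Linux 5.15 lack some of these */
# define PR_GET_SPECULATION_CTRL 52
# define PR_SET_SPECULATION_CTRL 53
# define PR_SPEC_STORE_BYPASS    0
# define PR_SPEC_INDIRECT_BRANCH 1
# define PR_SPEC_L1D_FLUSH       2
# define PR_SPEC_NOT_AFFECTED    0
# define PR_SPEC_PRCTL           (1UL << 0)
# define PR_SPEC_ENABLE          (1UL << 1)
# define PR_SPEC_DISABLE         (1UL << 2)
# define PR_SPEC_FORCE_DISABLE   (1UL << 3)
# define PR_SPEC_DISABLE_NOEXEC  (1UL << 4)
#endif

/* Decode a PR_GET_SPECULATION_CTRL result.  "enabled" means the CPU feature
 * is on, i.e. the mitigation is NOT active for this task. */
const char *spec_state_name (long st)
{
  if (st < 0)                      return "query-failed";
  if (st == PR_SPEC_NOT_AFFECTED)  return "not-affected";
  if (!(st & PR_SPEC_PRCTL))       return "fixed-by-kernel-policy";
  if (st & PR_SPEC_FORCE_DISABLE)  return "force-disabled";
  if (st & PR_SPEC_DISABLE_NOEXEC) return "disabled-until-exec";
  if (st & PR_SPEC_DISABLE)        return "disabled";
  if (st & PR_SPEC_ENABLE)         return "enabled";
  return "unknown";
}

/* Force-disable WHICH (PR_SPEC_STORE_BYPASS or PR_SPEC_INDIRECT_BRANCH) and
 * verify by reading back.  Returns 0 when the mitigation is active or the CPU
 * is not affected, 1 when the kernel gives no per-task control, 2 when the
 * read-back disagrees with the request, -1 on a prctl() error (errno set). */
int harden_spec (int which)
{
  long st = prctl (PR_GET_SPECULATION_CTRL, (unsigned long) which, 0, 0, 0);
  if (st < 0)
    return -1;
  if (st == PR_SPEC_NOT_AFFECTED)
    return 0;
  if (!(st & PR_SPEC_PRCTL))            /* global policy, nothing per task */
    return (st & PR_SPEC_DISABLE) ? 0 : 1;
  if (prctl (PR_SET_SPECULATION_CTRL, (unsigned long) which,
             PR_SPEC_FORCE_DISABLE, 0, 0) < 0)
    return -1;
  st = prctl (PR_GET_SPECULATION_CTRL, (unsigned long) which, 0, 0, 0);
  return st < 0 ? -1 : (st & PR_SPEC_FORCE_DISABLE) ? 0 : 2;
}

static volatile sig_atomic_t l1d_sigbus_seen;
/* Async-signal-safe: set a flag only; report it later from normal context. */
static void l1d_sigbus_handler (int signo) { (void) signo; l1d_sigbus_seen = 1; }

/* Install the handler with sigaction(2), saving the previous disposition in
 * *OLD so the caller can restore it with sigaction (SIGBUS, old, NULL). */
int install_sigbus_handler (struct sigaction *old)
{
  struct sigaction sa;
  memset (&sa, 0, sizeof sa);
  sa.sa_handler = l1d_sigbus_handler;
  sigemptyset (&sa.sa_mask);
  return sigaction (SIGBUS, &sa, old);
}

/* Save/restore round trip: returns 1 when the original disposition is back. */
int sigbus_roundtrip_ok (void)
{
  struct sigaction before, saved, now;
  if (sigaction (SIGBUS, NULL, &before) < 0 || install_sigbus_handler (&saved) < 0)
    return 0;
  if (sigaction (SIGBUS, NULL, &now) < 0 || now.sa_handler != l1d_sigbus_handler)
    return 0;
  if (sigaction (SIGBUS, &saved, NULL) < 0 || sigaction (SIGBUS, NULL, &now) < 0)
    return 0;
  return now.sa_handler == before.sa_handler;
}

/* Opt in to the L1D flush.  Fails unless the kernel booted with l1d_flush=on;
 * the SIGBUS for a task later scheduled on an SMT core arrives asynchronously,
 * so the handler above must stay installed for as long as the opt-in lasts. */
int request_l1d_flush (void)
{
  if (prctl (PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0) < 0)
    return -1;
  long st = prctl (PR_GET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, 0, 0, 0);
  return (st >= 0 && (st & PR_SPEC_ENABLE)) ? 0 : 2;
}

int main (void)
{
  int ssb = harden_spec (PR_SPEC_STORE_BYPASS), ib = harden_spec (PR_SPEC_INDIRECT_BRANCH);
  printf ("ssb %d (%s), ib %d (%s), sigaction round trip %s\n", ssb,
          spec_state_name (prctl (PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0)), ib,
          spec_state_name (prctl (PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0)),
          sigbus_roundtrip_ok () ? "ok" : "FAILED");
  return (ssb < 0 || ib < 0) ? 1 : 0;
}
```

Build with cc -o spec spec.c and run as an unprivileged user: exit status 1 means a prctl() call failed, and the printed state names say whether the kernel honoured the request. The return values 1 and 2 from harden_spec() are the two cases the patch's warnings never distinguish: no per-task control at all, and a request the kernel accepted but does not reflect when read back. request_l1d_flush() is deliberately not called from main(); call it only after install_sigbus_handler() on a host booted with nosmt l1d_flush=on.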
From: guido at trentalancia.com (Guido Trentalancia) Date: Wed, 09 Jul 2025 14:20:40 +0200 Subject: [PATCH gnupg v10] Disable CPU speculation-related misfeatures In-Reply-To: References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> <875xg42c1o.fsf@jacob.g10code.de> <1751908674.7090.8.camel@trentalancia.com> <1751972700.857.4.camel@trentalancia.com> <1751983558.11004.3.camel@trentalancia.com> <1751991996.6941.1.camel@trentalancia.com> <1752003509.25437.3.camel@trentalancia.com> Message-ID: <1752063640.6141.8.camel@trentalancia.com> On Tue, 08/07/2025 at 20.02 -0500, Jacob Bachmeyer wrote: > On 7/8/25 14:38, Guido Trentalancia via Gnupg-devel wrote: > > The following new v10 patch has been created to fix a missing > > #ifdef > > and header file check for the case of L1D cache flushing. > > [...] > > Two major issues, further explained inline below: > - You are installing the signal handler incorrectly; this will > interfere with other possible uses of SIGBUS. > - Your message from configure when testing the option to request > L1 cache flushes is misleading. > Further, none of this actually *fixes* anything; these are > *workarounds* for widespread hardware bugs. They are best practice on fixing the security vulnerabilities mentioned in the patch. They are real "fixes" because they avoid the potential information disclosure, they do not work around anything, they prevent a series of hardware bugs from causing serious damage to data confidentiality. > Also, have you actually tested this on a machine where the request > for L1 cache flushes raises SIGBUS? > > diff -pru a/common/init.c b/common/init.c > > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 
> > +++ b/common/init.c 2025-07-08 21:29:23.071406450 +0200 > > [...] > > /* This function should be the first called after main. */ > > void > > early_system_init (void) > > { > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > + > > +/* Disable CPU speculative execution security vulnerabilities > > + * causing data leaks: see the Linux kernel documentation > > + * Documentation/userspace-api/spec_ctrl.rst > > + * > > + * - Speculative Store Bypass (CVE-2018-3639, always > > + * disabled) > > + * - Indirect Branch Speculation (CVE-2017-5715, always > > + * disabled) > > + * - Flush L1D Cache on context switch out of the task (it > > + * requires the "nosmt l1d_flush=on" kernel boot parameter) > > + */ > > +#ifdef PR_SPEC_STORE_BYPASS > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > > + if (signal(SIGBUS, sigbus_handler) == SIG_ERR) > > + { > > + log_info ("Warning: cannot catch the SIGBUS signal.\n"); > > + } > > You cannot use signal() here in a library because you must restore > any previous signal handler immediately after the prctl() call. > Other code in the program might have its own reasons to catch SIGBUS, > and this handler will interfere with that. You must use sigaction() > here to obtain the old handler in a form that you can use to restore > it after calling prctl(). I have created a new v11 patch which uses sigaction(), as it has some advantages over signal(). > > + if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > PR_SPEC_ENABLE, 0, 0) < 0) > > + { > > + log_info ("Warning: Level 1 Data Cache flushing requires the > > \"l1d_flush=on\" boot parameter.\n"); > > + } > > This is where you need to restore the previous state of SIGBUS > handling. 
> > +#endif > > + > > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > > } > > > > > > diff -pru a/configure.ac b/configure.ac > > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > > +++ b/configure.ac 2025-07-08 21:32:32.674405293 +0200 > > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > > AC_MSG_RESULT($selinux_support) > > > > > > +# Fix security vulnerability CVE-2020-0550 by enabling > > +# Level 1 Data Cache flushing on context switch. > > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > > switch]) > > This message does not accurately describe what is going on. This > should say "whether L1 data cache should be flushed on context > switch" because it does *not* test whether the cache is *actually* > flushed, but only if the option to *request* flushing the cache is > set. The new code tests whether the cache is flushed or not by checking the value returned by prctl(), and when the cache is not flushed it produces a warning message, so the comment above doesn't make any sense. > > +AC_ARG_ENABLE(l1d-cache-flushing, > > + AS_HELP_STRING([--enable-l1d-cache-flushing], > > + [enable L1D cache flushing]), > > + l1d_cache_flushing=$enableval, > > l1d_cache_flushing=no) > > +AC_MSG_RESULT($l1d_cache_flushing) > > + > > + > > AC_MSG_CHECKING([whether to allocate extra secure memory]) > > AC_ARG_ENABLE(large-secmem, > > AS_HELP_STRING([--enable-large-secmem], > > [...] > > -- Jacob The new v11 patch follows in a separate message... Guido From guido at trentalancia.com Wed Jul 9 14:22:48 2025
From: guido at trentalancia.com (Guido Trentalancia) Date: Wed, 09 Jul 2025 14:22:48 +0200 Subject: [PATCH gnupg v11] Disable CPU speculation-related misfeatures In-Reply-To: References: <1748260854.1126.8.camel@trentalancia.com> <87tt57fn0s.fsf@jacob.g10code.de> <1751021219.6405.6.camel@trentalancia.com> <87cyah91ov.fsf@jacob.g10code.de> <1751637649.6137.2.camel@trentalancia.com> <1751814607.10569.5.camel@trentalancia.com> <1751831452.25372.4.camel@trentalancia.com> <875xg42c1o.fsf@jacob.g10code.de> <1751908674.7090.8.camel@trentalancia.com> <1751972700.857.4.camel@trentalancia.com> <1751983558.11004.3.camel@trentalancia.com> <1751991996.6941.1.camel@trentalancia.com> <1752003509.25437.3.camel@trentalancia.com> Message-ID: <1752063768.6141.10.camel@trentalancia.com> A new v11 patch has been created to use sigaction() instead of signal() to deal with the SIGBUS signal. A few other cosmetic changes have been introduced. common: Disable CPU speculative execution security vulnerabilities (CVE-2018-3639 aka Spectre variant 4, CVE-2017-5715 and optionally CVE-2020-0550) * configure.ac: add a new L1D Cache flushing option (--enable-l1d-cache-flushing) to fix CVE-2020-0550 and check for sys/prctl.h on Linux systems * common/init.c (early_system_init): Disable CPU speculative execution security vulnerabilities potentially causing data leaks: - Speculative Store Bypass (always disabled) - Indirect Branch Speculation (always disabled) - Flush L1D Cache on context switch out of the task (use the --enable-l1d-cache-flushing configure option and "nosmt l1d_flush=on" on the boot command line to mitigate the vulnerability) For further information see the kernel documentation: Documentation/userspace-api/spec_ctrl.rst Documentation/admin-guide/hw-vuln/l1d_flush.rst Signed-off-by: Guido Trentalancia diff -pru a/common/init.c b/common/init.c --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200
@@ -29,6 +29,14 @@ #include +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) +# include +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) +# include +#endif + #ifdef HAVE_W32_SYSTEM # if _WIN32_WINNT < 0x0600 # define _WIN32_WINNT 0x0600 /* Required for SetProcessDEPPolicy. */ 
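Review bot: the two new include blocks are guarded by different conditions (the first by `__linux__ && HAVE_SYS_PRCTL_H`, the second by `ENABLE_L1D_CACHE_FLUSH` alone), while the code that needs the second header is compiled in the next hunk only when all of `__linux__`, `HAVE_SYS_PRCTL_H`, `ENABLE_L1D_CACHE_FLUSH` and `PR_SPEC_L1D_FLUSH` are defined. A non-Linux build configured with --enable-l1d-cache-flushing therefore pulls in the header and gets a handler that nothing references. Use one guard for the include, the handler and its caller, or have configure define ENABLE_L1D_CACHE_FLUSH only where sys/prctl.h was found. Note also that configure's `AC_CHECK_HEADERS([signal.h])` produces HAVE_SIGNAL_H, which is not consulted here.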
@@ -128,10 +136,65 @@ writestring_via_estream (int mode, const } +#ifdef ENABLE_L1D_CACHE_FLUSH +void sigbus_handler (int signo) +{ + if (signo == SIGBUS) + { + log_fatal ("Level 1 Data Cache flushing requires the \"nosmt\" boot parameter.\n"); + } + + exit (SIGBUS); +} +#endif + + /* This function should be the first called after main. */ void early_system_init (void) { +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) + +/* Disable CPU speculative execution security vulnerabilities + * causing data leaks: see the Linux kernel documentation + * Documentation/userspace-api/spec_ctrl.rst + * + * - Speculative Store Bypass (CVE-2018-3639, always + * disabled) + * - Indirect Branch Speculation (CVE-2017-5715, always + * disabled) + * - Flush L1D Cache on context switch out of the task (it + * requires the "nosmt l1d_flush=on" kernel boot parameter) + */ +#ifdef PR_SPEC_STORE_BYPASS + prctl (PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#ifdef PR_SPEC_INDIRECT_BRANCH + prctl (PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +#endif + +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) + struct sigaction old_action, new_action; + + new_action.sa_handler = sigbus_handler; + + sigaction (SIGBUS, NULL, &old_action); + if (old_action.sa_handler != SIG_IGN) + { + if (sigaction (SIGBUS, &new_action, NULL) == -1) + { + log_info ("Warning: cannot catch the SIGBUS signal.\n"); + } + } + + if (prctl (PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0) < 0) + { + log_info ("Warning: Level 1 Data Cache flushing requires the \"l1d_flush=on\" boot parameter.\n"); + } +#endif + +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ } diff -pru a/configure.ac b/configure.ac --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 +++ b/configure.ac 2025-07-08 21:32:32.674405293 +0200 
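Review bot: `new_action` is given only `sa_handler`; `sa_mask` and `sa_flags` keep whatever was on the stack, so the handler may run with a random blocked-signal set and random flags such as SA_RESETHAND or SA_NODEFER. Add `memset (&new_action, 0, sizeof new_action); sigemptyset (&new_action.sa_mask);` before the first sigaction() call. Second, the previous disposition is read into `old_action` but never written back: the review asked for the handler to be installed only around the prctl() call and restored right after it, and this hunk leaves `sigbus_handler` installed for the life of the process (and silently replaces any handler other than SIG_IGN that the program had already set). Add `sigaction (SIGBUS, &old_action, NULL);` directly after the `prctl (PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0)` call, whatever it returned. Third, `sigbus_handler` calls log_fatal() and exit() from signal context; neither is async-signal-safe, and the signal number is an odd choice of exit status. A handler that only sets a `volatile sig_atomic_t` flag, with the logging done by early_system_init() after the handler has been uninstalled, avoids both problems. Finally, the return values of the two PR_SPEC_FORCE_DISABLE calls are discarded, so a kernel that rejects them leaves the process unprotected with no diagnostic while the L1D case does warn, and the three messages disagree about the requirement: the comment and the handler say "nosmt" is needed, the warning after prctl() mentions only "l1d_flush=on".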
@@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, AC_MSG_RESULT($selinux_support) +# Fix security vulnerability CVE-2020-0550 by enabling +# Level 1 Data Cache flushing on context switch. +AC_MSG_CHECKING([whether Level 1 Data Cache should be flushed on context switch]) +AC_ARG_ENABLE(l1d-cache-flushing, + AS_HELP_STRING([--enable-l1d-cache-flushing], + [enable L1D cache flushing]), + l1d_cache_flushing=$enableval, l1d_cache_flushing=no) +AC_MSG_RESULT($l1d_cache_flushing) + + AC_MSG_CHECKING([whether to allocate extra secure memory]) AC_ARG_ENABLE(large-secmem, AS_HELP_STRING([--enable-large-secmem], @@ -1313,6 +1323,16 @@ fi # +# Level 1 Data Cache flushing on context switch (CVE-2020-0550) +# +if test "$l1d_cache_flushing" = yes ; then + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1, + [Define to enable Layer 1 Data Cache flushing]) + AC_CHECK_HEADERS([signal.h]) +fi + + +# # Checks for header files. # AC_MSG_NOTICE([checking for header files]) 
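Review bot: in the @@ -1313 hunk ENABLE_L1D_CACHE_FLUSH is defined for every host as soon as the option is given, whereas the sys/prctl.h probe the feature depends on is restricted to `*-*-linux*` in the following hunk, so `--enable-l1d-cache-flushing` on any other platform is accepted silently and does nothing. Either evaluate the option inside the linux case arm, or fail with AC_MSG_ERROR when it is requested and sys/prctl.h is not found. The `AC_CHECK_HEADERS([signal.h])` added here defines HAVE_SIGNAL_H, which common/init.c never tests; use it in the include guard or drop the check. Minor: the AC_DEFINE description says "Layer 1 Data Cache" where the rest of the patch says "Level 1", and the comment at @@ -244 says the option fixes CVE-2020-0550, while the code only requests the flush at run time and warns when the kernel declines; "request" or "enable the mitigation for" describes it more accurately.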
@@ -1322,6 +1342,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h]) +# See whether libc supports the prctl() +case "${host}" in + *-*-linux*) + AC_CHECK_HEADERS([sys/prctl.h]) + ;; +esac + # # Checks for typedefs, structures, and compiler characteristics. # On Tue, 08/07/2025 at 20.02 -0500, Jacob Bachmeyer wrote: > On 7/8/25 14:38, Guido Trentalancia via Gnupg-devel wrote: > > The following new v10 patch has been created to fix a missing > > #ifdef > > and header file check for the case of L1D cache flushing. > > [...] > > Two major issues, further explained inline below: > - You are installing the signal handler incorrectly; this will > interfere with other possible uses of SIGBUS. > - Your message from configure when testing the option to request > L1 cache flushes is misleading. > Further, none of this actually *fixes* anything; these are > *workarounds* for widespread hardware bugs. > Also, have you actually tested this on a machine where the request > for L1 cache flushes raises SIGBUS? > > diff -pru a/common/init.c b/common/init.c > > --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200 
> > +++ b/common/init.c 2025-07-08 21:29:23.071406450 +0200 > > [...] > > /* This function should be the first called after main. */ > > void > > early_system_init (void) > > { > > +#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) > > + > > +/* Disable CPU speculative execution security vulnerabilities > > + * causing data leaks: see the Linux kernel documentation > > + * Documentation/userspace-api/spec_ctrl.rst > > + * > > + * - Speculative Store Bypass (CVE-2018-3639, always > > + * disabled) > > + * - Indirect Branch Speculation (CVE-2017-5715, always > > + * disabled) > > + * - Flush L1D Cache on context switch out of the task (it > > + * requires the "nosmt l1d_flush=on" kernel boot parameter) > > + */ > > +#ifdef PR_SPEC_STORE_BYPASS > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#ifdef PR_SPEC_INDIRECT_BRANCH > > + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, > > PR_SPEC_FORCE_DISABLE, 0, 0); > > +#endif > > + > > +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH) > > + if (signal(SIGBUS, sigbus_handler) == SIG_ERR) > > + { > > + log_info ("Warning: cannot catch the SIGBUS signal.\n"); > > + } > > You cannot use signal() here in a library because you must restore > any previous signal handler immediately after the prctl() call. > Other code in the program might have its own reasons to catch SIGBUS, > and this handler will interfere with that. You must use sigaction() > here to obtain the old handler in a form that you can use to restore > it after calling prctl(). > > + if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, > > PR_SPEC_ENABLE, 0, 0) < 0) > > + { > > + log_info ("Warning: Level 1 Data Cache flushing requires the > > \"l1d_flush=on\" boot parameter.\n"); > > + } > > This is where you need to restore the previous state of SIGBUS > handling. 
> > +#endif > > + > > +#endif /* __linux__ && HAVE_SYS_PRCTL_H */ > > } > > > > > > diff -pru a/configure.ac b/configure.ac > > --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200 > > +++ b/configure.ac 2025-07-08 21:32:32.674405293 +0200 > > @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support, > > AC_MSG_RESULT($selinux_support) > > > > > > +# Fix security vulnerability CVE-2020-0550 by enabling > > +# Level 1 Data Cache flushing on context switch. > > +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context > > switch]) > > This message does not accurately describe what is going on. This > should say "whether L1 data cache should be flushed on context > switch" because it does *not* test whether the cache is *actually* > flushed, but only if the option to *request* flushing the cache is > set. > > +AC_ARG_ENABLE(l1d-cache-flushing, > > + AS_HELP_STRING([--enable-l1d-cache-flushing], > > + [enable L1D cache flushing]), > > + l1d_cache_flushing=$enableval, > > l1d_cache_flushing=no) > > +AC_MSG_RESULT($l1d_cache_flushing) > > + > > + > > AC_MSG_CHECKING([whether to allocate extra secure memory]) > > AC_ARG_ENABLE(large-secmem, > > AS_HELP_STRING([--enable-large-secmem], > > [...] > > -- Jacob
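What the review above asks for, written out as an added example (this is not code from the GnuPG patch or project): a request to PR_SET_SPECULATION_CTRL that installs its SIGBUS handler with sigaction() only for the duration of the prctl() call, restores whatever disposition the program had before, keeps the handler async-signal-safe, and first queries PR_GET_SPECULATION_CTRL so that "CPU not affected" and "kernel-wide policy, no per-task control" are reported separately from a refused request. The function and enum names (request_speculation_ctrl, spec_result), the status strings and the non-Linux stand-in for prctl() are this example's own choices; the PR_* constants are the Linux UAPI values, defined here only for headers that predate them. The thread does not settle whether the SIGBUS tied to l1d_flush arrives during the prctl() call or later, so the one guarantee the example gives is that the caller's SIGBUS handling is back in place when the function returns.

```c
/* Added example, not code from the GnuPG patch or project: a per-task
 * speculation-control request that installs a SIGBUS handler only for the
 * duration of the prctl() and then restores the caller's disposition.
 * request_speculation_ctrl() and spec_result are names chosen here. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#else
/* Stand-in so the example builds elsewhere: acts like a kernel without the interface. */
static int prctl(int op, unsigned long a, unsigned long b, unsigned long c, unsigned long d)
{ (void)op; (void)a; (void)b; (void)c; (void)d; errno = ENOSYS; return -1; }
#endif
/* Linux UAPI values (include/uapi/linux/prctl.h) for headers that predate them. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_NOT_AFFECTED 0
#define PR_SPEC_PRCTL (1UL << 0)
#define PR_SPEC_ENABLE (1UL << 1)
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_L1D_FLUSH
#define PR_SPEC_L1D_FLUSH 2
#endif

enum spec_result {
  SPEC_APPLIED,       /* kernel accepted the request */
  SPEC_UNAVAILABLE,   /* CPU not affected, or this kernel has no such control */
  SPEC_KERNEL_POLICY, /* PR_SPEC_PRCTL clear: boot-time policy, no per-task control */
  SPEC_REFUSED,       /* PR_SET_SPECULATION_CTRL failed; errno is in *err */
  SPEC_SIGBUS         /* SIGBUS arrived while the request was in flight */
};

static volatile sig_atomic_t got_sigbus;

/* Async-signal-safe: only sets a flag.  No logging and no exit() in here. */
static void sigbus_probe_handler(int signo) { (void)signo; got_sigbus = 1; }

static enum spec_result
request_speculation_ctrl(unsigned long which, unsigned long how, int *err)
{
  struct sigaction new_sa, old_sa;
  long state;
  int rc, saved_errno;

  *err = 0;
  /* Query first so "nothing to mitigate" is not reported as a failure. */
  state = prctl(PR_GET_SPECULATION_CTRL, which, 0UL, 0UL, 0UL);
  if (state < 0) { *err = errno; return SPEC_UNAVAILABLE; }
  if (state == PR_SPEC_NOT_AFFECTED) return SPEC_UNAVAILABLE;
  if (!(state & PR_SPEC_PRCTL)) return SPEC_KERNEL_POLICY;

  /* Initialise every field: sa_mask and sa_flags must not be stack garbage. */
  memset(&new_sa, 0, sizeof new_sa);
  sigemptyset(&new_sa.sa_mask);
  new_sa.sa_handler = sigbus_probe_handler;
  if (sigaction(SIGBUS, &new_sa, &old_sa) != 0) { *err = errno; return SPEC_REFUSED; }

  got_sigbus = 0;
  rc = prctl(PR_SET_SPECULATION_CTRL, which, how, 0UL, 0UL);
  saved_errno = errno;
  /* Put the previous disposition back at once, whatever happened, so other
   * code in the process keeps its own SIGBUS handling. */
  sigaction(SIGBUS, &old_sa, NULL);

  if (got_sigbus) return SPEC_SIGBUS;
  if (rc != 0) { *err = saved_errno; return SPEC_REFUSED; }
  return SPEC_APPLIED;
}

static const char *spec_result_name(enum spec_result r)
{
  static const char *const names[] = { "applied", "unavailable", "kernel policy", "refused", "SIGBUS" };
  return names[r];
}

int main(void)
{
  /* The three requests the patch makes, in the same order. */
  static const struct { const char *name; unsigned long which, how; } reqs[] = {
    { "SSB force-disable",   PR_SPEC_STORE_BYPASS,    PR_SPEC_FORCE_DISABLE },
    { "IBS force-disable",   PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE },
    { "L1D flush on switch", PR_SPEC_L1D_FLUSH,       PR_SPEC_ENABLE },
  };
  size_t i;
  for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
    int err;
    enum spec_result r = request_speculation_ctrl(reqs[i].which, reqs[i].how, &err);
    printf("%-20s: %s%s%s\n", reqs[i].name, spec_result_name(r),
           err ? " - " : "", err ? strerror(err) : "");
  }
  return 0;
}
```

Built on Linux it prints one line per request with the kernel's verdict, and whichever verdict that is, the process is left with the SIGBUS disposition it had before; the caller decides whether "refused" or "kernel policy" for the L1D request is worth a warning, which keeps log_info() and any exit path out of signal context.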