[PATCH gnupg v5] Disable CPU speculation-related misfeatures
Jacob Bachmeyer
jcb62281 at gmail.com
Mon Jul 7 02:00:25 CEST 2025
On 7/6/25 15:03, Guido Trentalancia via Gnupg-devel wrote:
> [...]
> diff -pru a/common/init.c b/common/init.c
> --- a/common/init.c 2025-05-25 15:43:45.871984100 +0200
> +++ b/common/init.c 2025-07-06 18:24:18.564538076 +0200
> [...]
> @@ -132,6 +136,29 @@ writestring_via_estream (int mode, const
> void
> early_system_init (void)
> {
> +#if defined(__linux__)
> +
> +/* Disable CPU speculation-related misfeatures which are in
> + * fact vulnerabilities causing data leaks: see the kernel
> + * documentation: Documentation/userspace-api/spec_ctrl.rst
> + *
> + * - Speculative Store Bypass
> + * - Indirect Branch Speculation
> + * - Flush L1D Cache on context switch out of the task
> + */
> +#ifdef PR_SPEC_STORE_BYPASS
> + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
> +#endif
> +
> +#ifdef PR_SPEC_INDIRECT_BRANCH
> + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
> +#endif
> +
> +#if defined(ENABLE_L1D_CACHE_FLUSH) && defined(PR_SPEC_L1D_FLUSH)
> + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);
My understanding is that this prctl(2) call raises SIGBUS unless the
kernel was given a boot option to enable this workaround. If a library
is going to do this behind the main program's back, that library *needs*
to be prepared to catch a SIGBUS at this point.
> +#endif
> +
> +#endif /* __linux__ */
> }
>
>
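Review bot: all three prctl() calls discard their return value, so a kernel that refuses or lacks a control (EINVAL, ENODEV or ENXIO per the spec_ctrl.rst this comment cites) leaves the process silently unmitigated; check each result and at least log a failure at debug level, e.g. `if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0) != 0) /* log it */`. Note also that PR_SPEC_FORCE_DISABLE cannot be undone by the task and, per the same document, is inherited across fork and execve, so it applies to every helper spawned from this process; either document that in the commit message or use the reversible PR_SPEC_DISABLE where that is not intended.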
> diff -pru a/configure.ac b/configure.ac
> --- a/configure.ac 2025-07-06 18:01:54.128546282 +0200
> +++ b/configure.ac 2025-07-06 21:56:51.219048292 +0200
> @@ -244,6 +244,16 @@ AC_ARG_ENABLE(selinux-support,
> AC_MSG_RESULT($selinux_support)
>
>
> +# Fix security vulnerability CVE-2020-0550 by enabling
> +# Level 1 Data Cache flushing on context switch.
> +AC_MSG_CHECKING([whether Level 1 Data Cache is flushed on context switch])
This message is worded very badly: the configure script is *not*
checking whether context switches flush L1; it is checking whether the
configuration option to *request* that context switches flush L1 has
been given.
A better way to word this would be "[whether L1 data cache should be
flushed on context switch]".
> +AC_ARG_ENABLE(l1d-cache-flushing,
> + AS_HELP_STRING([--enable-l1d-cache-flushing],
> + [enable L1D cache flushing]),
> + l1d_cache_flushing=$enableval, l1d_cache_flushing=no)
> +AC_MSG_RESULT($l1d_cache_flushing)
> +
> +
> AC_MSG_CHECKING([whether to allocate extra secure memory])
> AC_ARG_ENABLE(large-secmem,
> AS_HELP_STRING([--enable-large-secmem],
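Review bot: the help string `[enable L1D cache flushing]` has the same wording problem as the AC_MSG_CHECKING text: the option only makes the binary request the flush, and the kernel honours that only when it has been configured to; say so, e.g. `[request L1D cache flushing on context switch (needs kernel support)]`. Defaulting `l1d_cache_flushing` to `no` is the right choice given that dependency.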
> @@ -1313,6 +1323,15 @@ fi
>
>
> #
> +# Level 1 Data Cache flushing on context switch (CVE-2020-0550)
> +#
> +if test "$l1d_cache_flushing" = yes ; then
> + AC_DEFINE(ENABLE_L1D_CACHE_FLUSH,1,
> + [Define to enable Layer 1 Data Cache flushing])
Again, this *enables* nothing; it causes the program to *request* the L1
cache be flushed on context switch.
> +fi
> +
> +
> +#
> # Checks for header files.
> #
> AC_MSG_NOTICE([checking for header files])
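Review bot: the AC_DEFINE description says `Layer 1 Data Cache` while every other new line says `Level 1`; use `Level 1` (or simply `L1D`) consistently, and, in line with the help text, phrase it as a request, e.g. `[Define to request L1D cache flushing on context switch]`.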
> @@ -1322,6 +1341,13 @@ AC_CHECK_HEADERS([unistd.h langinfo.h te
> ucred.h sys/ucred.h sys/sysmacros.h sys/mkdev.h])
>
>
> +# See whether libc supports the prctl()
> +case "${host}" in
> + *-*-linux*)
> + AC_CHECK_HEADERS([sys/prctl.h])
> + ;;
> +esac
> +
> #
> # Checks for typedefs, structures, and compiler characteristics.
> #
>
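Review bot: `AC_CHECK_HEADERS([sys/prctl.h])` defines HAVE_SYS_PRCTL_H, but nothing in the posted hunks uses it; the init.c block is guarded only by `__linux__` and the PR_SPEC_* macros. Unless the include of `<sys/prctl.h>` in common/init.c (not shown) is wrapped in `#ifdef HAVE_SYS_PRCTL_H`, the result of this check is dead; either guard the include with it or drop the check.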
[...]
Overall, I am still unconvinced of the appropriateness of this patch.
As I understand, these leaks only matter in multi-tenant systems, or if
Mallory otherwise has access to your machine, in which case you have
bigger problems if your private key is on such a system.
-- Jacob
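Checking what the kernel actually answers before relying on these controls, as an added example written for this discussion and not part of the submitted patch or of GnuPG; it assumes a Linux kernel with PR_GET/PR_SET_SPECULATION_CTRL, and the fallback constants are the values from linux/prctl.h.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
/* Fallbacks for older headers; the values are those in linux/prctl.h. */
#ifndef PR_SPEC_L1D_FLUSH
#define PR_SPEC_L1D_FLUSH 2
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC 16
#endif
enum spec_state { SPEC_QUERY_FAILED, SPEC_NOT_AFFECTED, SPEC_FORCED,
                  SPEC_MITIGATED, SPEC_VULNERABLE, SPEC_UNCONTROLLABLE };

/* Decode what prctl(PR_GET_SPECULATION_CTRL, which, 0, 0, 0) returned. */
enum spec_state decode_spec(long ret)
{
    if (ret < 0)                     return SPEC_QUERY_FAILED;  /* errno is set */
    if (ret == PR_SPEC_NOT_AFFECTED) return SPEC_NOT_AFFECTED;
    if (ret & PR_SPEC_FORCE_DISABLE) return SPEC_FORCED;        /* irreversible */
    if (ret & (PR_SPEC_DISABLE | PR_SPEC_DISABLE_NOEXEC)) return SPEC_MITIGATED;
    if (ret & PR_SPEC_PRCTL)         return SPEC_VULNERABLE;    /* task may ask */
    return SPEC_UNCONTROLLABLE;  /* speculation on, fixed by kernel-wide policy */
}

/* Request a mitigation; return 0 or the errno the kernel answered with
 * (EINVAL/ENODEV: control not implemented, ENXIO: not possible on this boot,
 * e.g. missing l1d_flush=on, EPERM: enabling again after a FORCE_DISABLE). */
int request_mitigation(unsigned long which, unsigned long mode)
{
    return prctl(PR_SET_SPECULATION_CTRL, which, mode, 0, 0) == 0 ? 0 : errno;
}

int main(void)
{
    const char *names[] = { "store-bypass", "indirect-branch", "l1d-flush" };
    unsigned long which[] = { PR_SPEC_STORE_BYPASS, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_L1D_FLUSH };
    for (int i = 0; i < 3; i++) {
        long raw = prctl(PR_GET_SPECULATION_CTRL, which[i], 0, 0, 0);
        enum spec_state st = decode_spec(raw);
        printf("%-16s raw=%ld state=%d\n", names[i], raw, (int) st);
        /* Only ask when the kernel lets this task decide, and use the
         * reversible PR_SPEC_DISABLE rather than PR_SPEC_FORCE_DISABLE. */
        if (st == SPEC_VULNERABLE) {
            int err = request_mitigation(which[i], PR_SPEC_DISABLE);
            printf("  request: %s\n", err ? strerror(err) : "applied");
        }
    }
    return 0;
}
```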