[PATCH gnupg v2] Disable CPU speculation-related misfeatures

Guido Trentalancia guido at trentalancia.com
Fri Jun 27 12:46:59 CEST 2025


Disable CPU speculation-related misfeatures which are in
fact vulnerabilities causing data leaks:

 - Speculative Store Bypass
 - Indirect Branch Speculation
 - Flush L1D Cache on context switch out of the task

For further information see the kernel documentation:
Documentation/userspace-api/spec_ctrl.rst

Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
--- 
 common/init.c |   27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff -pru a/common/init.c b/common/init.c
--- a/common/init.c	2024-05-15 12:33:38.000000000 +0200
+++ b/common/init.c	2025-06-27 12:35:33.543235132 +0200
@@ -29,6 +29,10 @@
 
 #include <config.h>
 
+#if defined(__linux__)
+# include <sys/prctl.h>
+#endif
+
 #ifdef HAVE_W32_SYSTEM
 # if _WIN32_WINNT < 0x0600
 #   define _WIN32_WINNT 0x0600  /* Required for SetProcessDEPPolicy.  */
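Review bot: the `#if defined(__linux__)` guard around `#include <sys/prctl.h>` is the kind of bare OS check the maintainer's reply below asks to avoid; a configure-time check for the header and for the `PR_SET_SPECULATION_CTRL` / `PR_SPEC_*` declarations, exported as a dedicated `HAVE_...` macro, would make the dependency explicit and keep `common/init.c` free of platform conditionals. Note also that the `PR_SPEC_*` constants come from the kernel headers pulled in by `<sys/prctl.h>`, so which of the three calls in the second hunk actually compiles depends on the build host's kernel headers rather than on the target system; a configure test would surface that rather than letting the `#ifdef` guards drop calls silently.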
@@ -131,6 +135,29 @@ writestring_via_estream (int mode, const
 void
 early_system_init (void)
 {
+#if defined(__linux__)
+
+/* Disable CPU speculation-related misfeatures which are in
+ * fact vulnerabilities causing data leaks: see the kernel
+ * documentation: Documentation/userspace-api/spec_ctrl.rst
+ *
+ * - Speculative Store Bypass
+ * - Indirect Branch Speculation
+ * - Flush L1D Cache on context switch out of the task
+ */
+#ifdef PR_SPEC_STORE_BYPASS
+  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#ifdef PR_SPEC_INDIRECT_BRANCH
+  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#ifdef PR_SPEC_L1D_FLUSH
+  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#endif /* __linux__ */
 }
 
 
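Review bot: the `PR_SPEC_L1D_FLUSH` call looks inverted relative to the other two: according to the spec_ctrl.rst document the patch itself cites, for this option the L1D flush is the mitigation, so it is switched on with `PR_SPEC_ENABLE` (and only when the kernel was booted with the flush mitigation available), whereas `PR_SPEC_FORCE_DISABLE` is not accepted for it, so the third `prctl()` cannot have the effect described in the comment. The return value of all three `prctl()` calls is also discarded; since `PR_SET_SPECULATION_CTRL` fails when a mitigation is unavailable or already locked (for example by a seccomp filter), it would be worth at least logging the failing option so the hardening cannot silently become a no-op, e.g. `if (prctl (PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0)) log_info ("...")`. Minor style point: the comment block and `#ifdef`s inside `early_system_init` sit at column 0 while the function body is indented, and `prctl(` should be `prctl (` per the surrounding GNU style.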

On Mon, 26/05/2025 at 16.46 +0200, Werner Koch wrote:
> Hi!
> 
> On Mon, 26 May 2025 14:00, Guido Trentalancia said:
> > Disable CPU speculation-related misfeatures which are in
> > fact vulnerabilities causing data leaks:
> 
> If that is a misfeature it needs to be fixed at the place where it was
> introduced and not just in a single binary.  If this code is really
> needed it would first of all be useful in Libgcrypt, only then you
> should put it into gnupg/common/init.c:early_system_init.
> 
> Specific Linux code is in general not a good idea; if that is required,
> please write a proper configure test for this feature and use a
> dedicated macro.  A more detailed explanation of the pros and cons
> would also be appreciated.
> 
> 
> 
> Shalom-Salam,
> 
>    Werner
> 
