[PATCH gnupg] Disable CPU speculation-related misfeatures
Guido Trentalancia
guido at trentalancia.com
Mon May 26 14:00:54 CEST 2025
Disable CPU speculation-related misfeatures, which are in
fact vulnerabilities that cause data leaks:
- Speculative Store Bypass
- Indirect Branch Speculation
- Flush L1D Cache on context switch out of the task
For further information see the kernel documentation:
Documentation/userspace-api/spec_ctrl.rst
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
---
g10/gpg.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
--- a/g10/gpg.c 2025-05-25 15:40:33.552985274 +0200
+++ b/g10/gpg.c 2025-05-25 15:39:08.580843301 +0200
@@ -27,6 +27,9 @@
#include <string.h>
#include <ctype.h>
#include <unistd.h>
+#if defined(__linux__)
+# include <sys/prctl.h>
+#endif
#ifdef HAVE_STAT
#include <sys/stat.h> /* for stat() */
#endif
@@ -2419,6 +2420,29 @@ main (int argc, char **argv)
static const char *homedirvalue;
static const char *changeuser;
+#if defined(__linux__)
+
+/* Disable CPU speculation-related misfeatures which are in
+ * fact vulnerabilities causing data leaks: see the kernel
+ * documentation: Documentation/userspace-api/spec_ctrl.rst
+ *
+ * - Speculative Store Bypass
+ * - Indirect Branch Speculation
+ * - Flush L1D Cache on context switch out of the task
+ */
+#ifdef PR_SPEC_STORE_BYPASS
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#ifdef PR_SPEC_INDIRECT_BRANCH
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#ifdef PR_SPEC_L1D_FLUSH
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#endif /* __linux__ */
#ifdef __riscos__
opt.lock_once = 1;
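Review bot: The three prctl(2) calls at L42, L46 and L50 discard their return value, so when the kernel refuses a control — ENXIO when the mitigation cannot be controlled on this system, EINVAL/ERANGE for a value the feature does not accept — gpg simply continues without the hardening and nothing is logged; I believe the L1D-flush control only accepts PR_SPEC_ENABLE/PR_SPEC_DISABLE and rejects PR_SPEC_FORCE_DISABLE with ERANGE, which would make the L50 call a silent no-op (worth verifying against the cited spec_ctrl.rst). I would route all three through a small static helper that checks the result and reports anything other than ENXIO via log_info, which also removes the triplicated call and lets gpg.c's GNU call style (`main (int argc, char **argv)` in the hunk header has the space before the parenthesis, the new lines do not) be applied in one place. PR_SPEC_FORCE_DISABLE cannot be undone and the kernel documentation describes the per-task speculation state as inherited across fork and execve, so any process gpg starts (e.g. a gpg-agent launched on demand) runs with the same forced settings — the comment at L33 should state that this is intended. errno.h is not visible in the hunk; the helper below assumes gpg.c already includes it.

```c
#if defined(__linux__)
/* Force-disable one CPU speculation feature for this task (and, by
 * inheritance, for every process it later forks or execs).  ENXIO only
 * means the kernel offers no control for it on this system and is not
 * reported; any other failure is logged so a missing mitigation is
 * visible rather than silently assumed.  */
static void
disable_speculation (unsigned long feature, const char *name)
{
  if (prctl (PR_SET_SPECULATION_CTRL, feature, PR_SPEC_FORCE_DISABLE, 0, 0)
      && errno != ENXIO)
    log_info ("prctl (PR_SET_SPECULATION_CTRL, %s) failed: %s\n",
              name, strerror (errno));
}
#endif /* __linux__ */

/* … unchanged: start of main(), static declarations … */
#if defined(__linux__)
# ifdef PR_SPEC_STORE_BYPASS
  disable_speculation (PR_SPEC_STORE_BYPASS, "PR_SPEC_STORE_BYPASS");
# endif
# ifdef PR_SPEC_INDIRECT_BRANCH
  disable_speculation (PR_SPEC_INDIRECT_BRANCH, "PR_SPEC_INDIRECT_BRANCH");
# endif
# ifdef PR_SPEC_L1D_FLUSH
  disable_speculation (PR_SPEC_L1D_FLUSH, "PR_SPEC_L1D_FLUSH");
# endif
#endif /* __linux__ */
```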