[PATCH libgcrypt] Disable CPU speculation-related misfeatures
Guido Trentalancia
guido at trentalancia.com
Mon Jun 23 20:22:53 CEST 2025
All parts of the cryptographic code can change the process through
prctl(), in order to avoid the information disclosure vulnerabilities.
The best way to achieve protection is obviously by calling prctl()
during the cryptographic application startup and this is precisely what
the gnupg patch does:
https://lists.gnupg.org/pipermail/gnupg-devel/2025-May/035904.html
However it is not possible to foresee all the other applications using
libgcrypt, so another preventive patch has been submitted so that
prctl() is also called by the cryptographic library and this is what
the libgcrypt patch does:
https://lists.gnupg.org/pipermail/gcrypt-devel/2025-May/005856.html
By applying the companion libgcrypt patch we offer some kind of
protection to applications other than gnupg, even though the level of
protection is not the same as if prctl() was called at application
startup.
Please note that calling prctl() twice in gnupg and then in libgcrypt
has no side-effects.
The fact that other cryptographic libraries such as openssl do not do
the same only means that they are vulnerable to those cryptographic
information disclosure vulnerabilities.
Regards,
Guido
On Mon, 23/06/2025 at 19.58 +0200, Werner Koch wrote:
> On Mon, 23 Jun 2025 13:57, Guido Trentalancia said:
> > It does not change the property of the system, it only changes the
>
> Sorry, with "system" I meant the process with its main application and
> all other libraries. Libgcrypt is a library usually linked at runtime
> and thus it would be surprising if it changes such process
> properties.
>
>
> Salam-Shalom,
>
> Werner
>
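
The startup-time prctl() call discussed in this message, as an added example that is not code from the gnupg or libgcrypt patches. The message does not say which speculation features the patches touch; this sketch assumes store bypass and indirect branch speculation, and `harden_speculation()` and `classify()` are hypothetical names.

```c
/* Added example: opt the calling task out of speculation features via prctl(). */
#include <stdio.h>
#include <sys/prctl.h>

#ifndef PR_SPEC_INDIRECT_BRANCH   /* fallback for older kernel headers */
#define PR_SPEC_INDIRECT_BRANCH 1
#endif

enum spec_state { SPEC_UNSUPPORTED, SPEC_NOT_AFFECTED, SPEC_MITIGATED, SPEC_STILL_ENABLED };

/* Map a PR_GET_SPECULATION_CTRL return value to a coarse state. */
static enum spec_state classify(int r)
{
    if (r < 0)
        return SPEC_UNSUPPORTED;          /* kernel or CPU has no such control */
    if (r == PR_SPEC_NOT_AFFECTED)
        return SPEC_NOT_AFFECTED;
    if (r & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE))
        return SPEC_MITIGATED;
    return SPEC_STILL_ENABLED;            /* enabled, possibly not per-task controllable */
}

/* Hypothetical helper: disable one feature for the calling task and report
 * the resulting state. Safe to call repeatedly (application, then library). */
enum spec_state harden_speculation(unsigned long feature)
{
    int cur = prctl(PR_GET_SPECULATION_CTRL, feature, 0UL, 0UL, 0UL);

    /* Only attempt the change when the kernel allows per-task control. */
    if (cur > 0 && (cur & PR_SPEC_PRCTL) &&
        !(cur & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)))
        (void) prctl(PR_SET_SPECULATION_CTRL, feature, PR_SPEC_DISABLE, 0UL, 0UL);

    return classify(prctl(PR_GET_SPECULATION_CTRL, feature, 0UL, 0UL, 0UL));
}

int main(void)
{
    static const char *names[] = { "unsupported", "not affected", "mitigated", "still enabled" };

    /* The setting is per task and inherited by children, so do this
     * before creating threads or forking workers. */
    printf("store bypass:    %s\n", names[harden_speculation(PR_SPEC_STORE_BYPASS)]);
    printf("indirect branch: %s\n", names[harden_speculation(PR_SPEC_INDIRECT_BRANCH)]);
    return 0;
}
```

A result of "still enabled" means the kernel did not accept a per-task change, for example because the mitigation mode is fixed system-wide by boot parameters.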