Hi Guido,

is it possible to provide references to publications for the problem that you aim to solve?

Best regards,
Falko

On 26.05.25 at 19:11, Guido Trentalancia via Gcrypt-devel wrote:
The vulnerabilities being tackled by the patch proposed here are hardware vulnerabilities that exist in the CPU. They were introduced with branch-prediction and other speculative-execution CPU optimizations.

Because, once exploited, they materialize in Information Disclosure (data leaks), cryptographic software is the most affected class of software, because cryptographic keys or encrypted data can be leaked.

Unfortunately not all of such hardware vulnerabilities can be tackled by a CPU microcode update, some of them need to be tackled in software: this is what this patch aims to do (software-based mitigation of hardware vulnerabilities).

An equivalent patch has been already proposed for the gnupg application and another one might be proposed for the gnutls library. In fact, only tackling libgcrypt is not enough, because cryptographic applications such as gnupg also handle the cryptographic keys (e.g. passphrases) and the sensitive data to be encrypted: these are then passed to the libgcrypt cryptographic functions for actual encryption and decryption.

The "pros" of this patch are that it avoids the risk of leaking cryptographic keys or decrypted data on CPUs that are affected by those vulnerabilities.

The "cons" of this patch are decreased execution speed: this is not normally noticeable to the user.

I hope this helps.

On Mon, 26/05/2025 at 16.53 +0200, Werner Koch wrote:

On Sun, 25 May 2025 17:25, Guido Trentalancia said:

Disable CPU speculation-related misfeatures which are in fact vulnerabilities causing data leaks:

Please see my comments on gnupg-devel.

Shalom-Salam,

Werner

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
--
Dr. Falko Strenzke
MTG AG