Disable CPU speculation-related misfeatures which are in fact vulnerabilities causing data leaks:
- Speculative Store Bypass
- Indirect Branch Speculation
- Flush L1D Cache on context switch out of the task
For further information see the kernel documentation: Documentation/userspace-api/spec_ctrl.rst
Signed-off-by: Guido Trentalancia <gu...@trentalancia.com>
---
 g10/gpg.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
--- a/g10/gpg.c 2025-05-25 15:40:33.552985274 +0200
+++ b/g10/gpg.c 2025-05-25 15:39:08.580843301 +0200
@@ -27,6 +27,9 @@
 #include <string.h>
 #include <ctype.h>
 #include <unistd.h>
+#if defined(__linux__)
+# include <sys/prctl.h>
+#endif
 #ifdef HAVE_STAT
 #include <sys/stat.h> /* for stat() */
 #endif
@@ -2419,6 +2420,29 @@ main (int argc, char **argv)
 static const char *homedirvalue;
 static const char *changeuser;
+#if defined(__linux__)
+
+/* Disable CPU speculation-related misfeatures which are in
+ * fact vulnerabilities causing data leaks: see the kernel
+ * documentation: Documentation/userspace-api/spec_ctrl.rst
+ *
+ * - Speculative Store Bypass
+ * - Indirect Branch Speculation
+ * - Flush L1D Cache on context switch out of the task
+ */
+#ifdef PR_SPEC_STORE_BYPASS
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#ifdef PR_SPEC_INDIRECT_BRANCH
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#ifdef PR_SPEC_L1D_FLUSH
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_FORCE_DISABLE, 0, 0);
+#endif
+
+#endif /* __linux__ */
 #ifdef __riscos__
 opt.lock_once = 1;
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
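Review bot: The third call in the second hunk, `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_FORCE_DISABLE, 0, 0);`, most likely does not do what the surrounding comment says: as far as the kernel's l1d_flush documentation goes, that control only takes PR_SPEC_ENABLE (turn the flush on) or PR_SPEC_DISABLE (turn it off), so FORCE_DISABLE should be rejected with ERANGE, and even a plain DISABLE would switch the mitigation off rather than on; the intended line appears to be `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);`. None of the three return values are checked, so a kernel that lacks a control, was booted with the corresponding mitigation off, or rejects the argument fails silently; capturing `int rc = prctl(...)` and reporting a non-zero result at verbose/debug log level would make the hardening observable rather than assumed. A short comment that PR_SPEC_FORCE_DISABLE is inherited across fork/exec and cannot be undone would also help, since every helper gpg spawns will then run with the same settings and their performance cost, and the calls happen before option parsing so there is no way to opt out. main() begins and ends outside the hunk.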