The vulnerabilities being tackled by this proposed patch are hardware vulnerabilities that exist in the CPU.
They were introduced with branch-prediction and other speculative- execution CPU optimizations. Because once exploited they materialize in Information Disclosure (data leaks), cryptographic software is the most affected class of software, because cryptographic keys or encrypted data can be leaked. Unfortunately not all of such hardware vulnerabilities can be tackled by a microcode update, some of them need to be tackled in software: this is what this patch aims to do (software-based mitigation of hardware vulnerabilities). An equivalent patch has been already proposed for libgcrypt and another one might be proposed for gnutls. Only tackling libgcrypt is not enough, because cryptographic applications such as gnupg also deal with the cryptographic keys (e.g. passphrases), which are then passed to the libgcrypt cryptographic functions for actual encryption and decryption. The "pros" of this patch are that it avoids the risk of leaking cryptographic keys or encrypted data on CPUs that are affected by those vulnerabilities. The "cons" of this patch are decreased execution speed: this is not normally noticeable to the user. I hope this helps. On Mon, 26/05/2025 at 16.46 +0200, Werner Koch wrote: > Hi! > > On Mon, 26 May 2025 14:00, Guido Trentalancia said: > > Disable CPU speculation-related misfeatures which are in > > fact vulnerabilities causing data leaks: > > If that is a misfeature it needs to be fixed at the pläce where it > was > introduced and not just in a single binary. If this code is really > needed it would first of all be useful in Libgcrypt only then then > you > should put it into gnupg/common/init.c:early_system_init. > > Specific Linux code is in general not a good idea, if that is > required, > please write a proper configure test for this feature and use a > dedicated macro. A more detailed explanation of the pro and cons > would > also be appreciated. > > > > Shalom-Salam, > > Werner > _______________________________________________ Gnupg-devel mailing list Gnupg-devel@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-devel
