* [zeus][PATCH] libgcrypt: fix CVE-2019-13627 @ 2019-10-18 19:32 Trevor Gamblin 2019-10-19 15:09 ` akuster808 0 siblings, 1 reply; 5+ messages in thread From: Trevor Gamblin @ 2019-10-18 19:32 UTC (permalink / raw) To: openembedded-core Note that there are two patch files added for this fix. Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> --- ...cdsa-Fix-use-of-nonce-use-larger-one.patch | 126 ++++++++++++++++++ ...Add-mitigation-against-timing-attack.patch | 68 ++++++++++ .../libgcrypt/libgcrypt_1.8.4.bb | 2 + 3 files changed, 196 insertions(+) create mode 100644 meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch create mode 100644 meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch diff --git a/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch new file mode 100644 index 0000000000..fdc3873ba1 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch @@ -0,0 +1,126 @@ +From 7c2943309d14407b51c8166c4dcecb56a3628567 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Thu, 8 Aug 2019 17:42:02 +0900 +Subject: [PATCH] dsa,ecdsa: Fix use of nonce, use larger one. + +* cipher/dsa-common.c (_gcry_dsa_modify_k): New. +* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New. +* cipher/dsa.c (sign): Use _gcry_dsa_modify_k. +* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise. +* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise. + +CVE-id: CVE-2019-13627 +GnuPG-bug-id: 4626 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- + cipher/dsa-common.c | 24 ++++++++++++++++++++++++ + cipher/dsa.c | 2 ++ + cipher/ecc-ecdsa.c | 10 +--------- + cipher/ecc-gost.c | 2 ++ + cipher/pubkey-internal.h | 1 + + 5 files changed, 30 insertions(+), 9 deletions(-) + +Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d1] +This backport is one of two upstream patches addressing CVE-2019-13627. + +CVE: CVE-2019-13627 + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> + +diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c +index 8c0a6843..fe49248d 100644 +--- a/cipher/dsa-common.c ++++ b/cipher/dsa-common.c +@@ -29,6 +29,30 @@ + #include "pubkey-internal.h" + + ++/* ++ * Modify K, so that computation time difference can be small, ++ * by making K large enough. ++ * ++ * Originally, (EC)DSA computation requires k where 0 < k < q. Here, ++ * we add q (the order), to keep k in a range: q < k < 2*q (or, ++ * addming more q, to keep k in a range: 2*q < k < 3*q), so that ++ * timing difference of the EC multiply (or exponentiation) operation ++ * can be small. The result of (EC)DSA computation is same. ++ */ ++void ++_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits) ++{ ++ gcry_mpi_t k1 = mpi_new (qbits+2); ++ ++ mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB); ++ k->nlimbs = k->alloced; ++ mpi_add (k, k, q); ++ mpi_add (k1, k, q); ++ mpi_set_cond (k, k1, !mpi_test_bit (k, qbits)); ++ ++ mpi_free (k1); ++} ++ + /* + * Generate a random secret exponent K less than Q. + * Note that ECDSA uses this code also to generate D. +diff --git a/cipher/dsa.c b/cipher/dsa.c +index 22d8d782..24a53528 100644 +--- a/cipher/dsa.c ++++ b/cipher/dsa.c +@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey, + k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM); + } + ++ _gcry_dsa_modify_k (k, skey->q, qbits); ++ + /* r = (a^k mod p) mod q */ + mpi_powm( r, skey->g, k, skey->p ); + mpi_fdiv_r( r, r, skey->q ); +diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c +index 84a1cf84..97966c3a 100644 +--- a/cipher/ecc-ecdsa.c ++++ b/cipher/ecc-ecdsa.c +@@ -114,15 +114,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey, + else + k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); + +- /* Originally, ECDSA computation requires k where 0 < k < n. +- * Here, we add n (the order of curve), to keep k in a +- * range: n < k < 2*n, or, addming more n, keep k in a range: +- * 2*n < k < 3*n, so that timing difference of the EC +- * multiply operation can be small. The result is same. +- */ +- mpi_add (k, k, skey->E.n); +- if (!mpi_test_bit (k, qbits)) +- mpi_add (k, k, skey->E.n); ++ _gcry_dsa_modify_k (k, skey->E.n, qbits); + + _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); + if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) +diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c +index a34fa084..0362a6c7 100644 +--- a/cipher/ecc-gost.c ++++ b/cipher/ecc-gost.c +@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey, + mpi_free (k); + k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); + ++ _gcry_dsa_modify_k (k, skey->E.n, qbits); ++ + _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); + if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) + { +diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h +index b8167c77..d31e26f3 100644 +--- a/cipher/pubkey-internal.h ++++ b/cipher/pubkey-internal.h +@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded, + + + /*-- dsa-common.c --*/ ++void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits); + gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level); + gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k, + gcry_mpi_t dsa_q, gcry_mpi_t dsa_x, +-- +2.23.0 + diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch new file mode 100644 index 0000000000..66402d6187 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch @@ -0,0 +1,68 @@ +From b9577f7c89b4327edc09f2231bc8b31521102c79 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Wed, 17 Jul 2019 12:44:50 +0900 +Subject: [PATCH] ecc: Add mitigation against timing attack. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K. +* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger. + +CVE-id: CVE-2019-13627 +GnuPG-bug-id: 4626 +Co-authored-by: Ján Jančár <johny@neuromancer.sk> +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- + cipher/ecc-ecdsa.c | 10 ++++++++++ + mpi/ec.c | 6 +++++- + 2 files changed, 15 insertions(+), 1 deletion(-) + +Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b] +This backport is one of two upstream patches addressing CVE-2019-13627. + +CVE: CVE-2019-13627 + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> + +diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c +index 140e8c09..84a1cf84 100644 +--- a/cipher/ecc-ecdsa.c ++++ b/cipher/ecc-ecdsa.c +@@ -114,6 +114,16 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey, + else + k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); + ++ /* Originally, ECDSA computation requires k where 0 < k < n. ++ * Here, we add n (the order of curve), to keep k in a ++ * range: n < k < 2*n, or, addming more n, keep k in a range: ++ * 2*n < k < 3*n, so that timing difference of the EC ++ * multiply operation can be small. The result is same. ++ */ ++ mpi_add (k, k, skey->E.n); ++ if (!mpi_test_bit (k, qbits)) ++ mpi_add (k, k, skey->E.n); ++ + _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); + if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) + { +diff --git a/mpi/ec.c b/mpi/ec.c +index 97afbfed..ed936d74 100644 +--- a/mpi/ec.c ++++ b/mpi/ec.c +@@ -1509,7 +1509,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result, + unsigned int nbits; + int j; + +- nbits = mpi_get_nbits (scalar); ++ if (mpi_cmp (scalar, ctx->p) >= 0) ++ nbits = mpi_get_nbits (scalar); ++ else ++ nbits = mpi_get_nbits (ctx->p); ++ + if (ctx->model == MPI_EC_WEIERSTRASS) + { + mpi_set_ui (result->x, 1); +-- +2.23.0 + diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb index fda68a2938..9d649e49a3 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb @@ -21,6 +21,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ file://0003-tests-bench-slope.c-workaround-ICE-failure-on-mips-w.patch \ file://0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \ file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \ + file://0001-ecc-Add-mitigation-against-timing-attack.patch \ + file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \ " SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573" SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227" -- 2.23.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [zeus][PATCH] libgcrypt: fix CVE-2019-13627 2019-10-18 19:32 [zeus][PATCH] libgcrypt: fix CVE-2019-13627 Trevor Gamblin @ 2019-10-19 15:09 ` akuster808 2019-10-23 16:24 ` [zeus][PATCH] Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus Trevor Gamblin 2019-10-23 16:26 ` [zeus][PATCH v2] libgcrypt: fix CVE-2019-12904 Trevor Gamblin 0 siblings, 2 replies; 5+ messages in thread From: akuster808 @ 2019-10-19 15:09 UTC (permalink / raw) To: Trevor Gamblin, openembedded-core On 10/18/19 12:32 PM, Trevor Gamblin wrote: > Note that there are two patch files added for this fix. Queued up while we sort out the maintainer. https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/zeus-nmut > > Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> > --- > ...cdsa-Fix-use-of-nonce-use-larger-one.patch | 126 ++++++++++++++++++ > ...Add-mitigation-against-timing-attack.patch | 68 ++++++++++ > .../libgcrypt/libgcrypt_1.8.4.bb | 2 + > 3 files changed, 196 insertions(+) > create mode 100644 meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch > create mode 100644 meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch > > diff --git a/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch > new file mode 100644 > index 0000000000..fdc3873ba1 > --- /dev/null > +++ b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch > @@ -0,0 +1,126 @@ > +From 7c2943309d14407b51c8166c4dcecb56a3628567 Mon Sep 17 00:00:00 2001 > +From: NIIBE Yutaka <gniibe@fsij.org> > +Date: Thu, 8 Aug 2019 17:42:02 +0900 > +Subject: [PATCH] dsa,ecdsa: Fix use of nonce, use larger one. > + > +* cipher/dsa-common.c (_gcry_dsa_modify_k): New. > +* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New. > +* cipher/dsa.c (sign): Use _gcry_dsa_modify_k. > +* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise. > +* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise. > + > +CVE-id: CVE-2019-13627 > +GnuPG-bug-id: 4626 > +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> > +--- > + cipher/dsa-common.c | 24 ++++++++++++++++++++++++ > + cipher/dsa.c | 2 ++ > + cipher/ecc-ecdsa.c | 10 +--------- > + cipher/ecc-gost.c | 2 ++ > + cipher/pubkey-internal.h | 1 + > + 5 files changed, 30 insertions(+), 9 deletions(-) > + > +Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d1] > +This backport is one of two upstream patches addressing CVE-2019-13627. > + > +CVE: CVE-2019-13627 > + > +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> > + > +diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c > +index 8c0a6843..fe49248d 100644 > +--- a/cipher/dsa-common.c > ++++ b/cipher/dsa-common.c > +@@ -29,6 +29,30 @@ > + #include "pubkey-internal.h" > + > + > ++/* > ++ * Modify K, so that computation time difference can be small, > ++ * by making K large enough. > ++ * > ++ * Originally, (EC)DSA computation requires k where 0 < k < q. Here, > ++ * we add q (the order), to keep k in a range: q < k < 2*q (or, > ++ * addming more q, to keep k in a range: 2*q < k < 3*q), so that > ++ * timing difference of the EC multiply (or exponentiation) operation > ++ * can be small. The result of (EC)DSA computation is same. > ++ */ > ++void > ++_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits) > ++{ > ++ gcry_mpi_t k1 = mpi_new (qbits+2); > ++ > ++ mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB); > ++ k->nlimbs = k->alloced; > ++ mpi_add (k, k, q); > ++ mpi_add (k1, k, q); > ++ mpi_set_cond (k, k1, !mpi_test_bit (k, qbits)); > ++ > ++ mpi_free (k1); > ++} > ++ > + /* > + * Generate a random secret exponent K less than Q. > + * Note that ECDSA uses this code also to generate D. > +diff --git a/cipher/dsa.c b/cipher/dsa.c > +index 22d8d782..24a53528 100644 > +--- a/cipher/dsa.c > ++++ b/cipher/dsa.c > +@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey, > + k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM); > + } > + > ++ _gcry_dsa_modify_k (k, skey->q, qbits); > ++ > + /* r = (a^k mod p) mod q */ > + mpi_powm( r, skey->g, k, skey->p ); > + mpi_fdiv_r( r, r, skey->q ); > +diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c > +index 84a1cf84..97966c3a 100644 > +--- a/cipher/ecc-ecdsa.c > ++++ b/cipher/ecc-ecdsa.c > +@@ -114,15 +114,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey, > + else > + k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); > + > +- /* Originally, ECDSA computation requires k where 0 < k < n. > +- * Here, we add n (the order of curve), to keep k in a > +- * range: n < k < 2*n, or, addming more n, keep k in a range: > +- * 2*n < k < 3*n, so that timing difference of the EC > +- * multiply operation can be small. The result is same. > +- */ > +- mpi_add (k, k, skey->E.n); > +- if (!mpi_test_bit (k, qbits)) > +- mpi_add (k, k, skey->E.n); > ++ _gcry_dsa_modify_k (k, skey->E.n, qbits); > + > + _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); > + if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) > +diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c > +index a34fa084..0362a6c7 100644 > +--- a/cipher/ecc-gost.c > ++++ b/cipher/ecc-gost.c > +@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey, > + mpi_free (k); > + k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); > + > ++ _gcry_dsa_modify_k (k, skey->E.n, qbits); > ++ > + _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); > + if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) > + { > +diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h > +index b8167c77..d31e26f3 100644 > +--- a/cipher/pubkey-internal.h > ++++ b/cipher/pubkey-internal.h > +@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded, > + > + > + /*-- dsa-common.c --*/ > ++void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits); > + gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level); > + gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k, > + gcry_mpi_t dsa_q, gcry_mpi_t dsa_x, > +-- > +2.23.0 > + > diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch > new file mode 100644 > index 0000000000..66402d6187 > --- /dev/null > +++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch > @@ -0,0 +1,68 @@ > +From b9577f7c89b4327edc09f2231bc8b31521102c79 Mon Sep 17 00:00:00 2001 > +From: NIIBE Yutaka <gniibe@fsij.org> > +Date: Wed, 17 Jul 2019 12:44:50 +0900 > +Subject: [PATCH] ecc: Add mitigation against timing attack. > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K. > +* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger. > + > +CVE-id: CVE-2019-13627 > +GnuPG-bug-id: 4626 > +Co-authored-by: Ján Jančár <johny@neuromancer.sk> > +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> > +--- > + cipher/ecc-ecdsa.c | 10 ++++++++++ > + mpi/ec.c | 6 +++++- > + 2 files changed, 15 insertions(+), 1 deletion(-) > + > +Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b] > +This backport is one of two upstream patches addressing CVE-2019-13627. > + > +CVE: CVE-2019-13627 > + > +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> > + > +diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c > +index 140e8c09..84a1cf84 100644 > +--- a/cipher/ecc-ecdsa.c > ++++ b/cipher/ecc-ecdsa.c > +@@ -114,6 +114,16 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey, > + else > + k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); > + > ++ /* Originally, ECDSA computation requires k where 0 < k < n. > ++ * Here, we add n (the order of curve), to keep k in a > ++ * range: n < k < 2*n, or, addming more n, keep k in a range: > ++ * 2*n < k < 3*n, so that timing difference of the EC > ++ * multiply operation can be small. The result is same. > ++ */ > ++ mpi_add (k, k, skey->E.n); > ++ if (!mpi_test_bit (k, qbits)) > ++ mpi_add (k, k, skey->E.n); > ++ > + _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); > + if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) > + { > +diff --git a/mpi/ec.c b/mpi/ec.c > +index 97afbfed..ed936d74 100644 > +--- a/mpi/ec.c > ++++ b/mpi/ec.c > +@@ -1509,7 +1509,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result, > + unsigned int nbits; > + int j; > + > +- nbits = mpi_get_nbits (scalar); > ++ if (mpi_cmp (scalar, ctx->p) >= 0) > ++ nbits = mpi_get_nbits (scalar); > ++ else > ++ nbits = mpi_get_nbits (ctx->p); > ++ > + if (ctx->model == MPI_EC_WEIERSTRASS) > + { > + mpi_set_ui (result->x, 1); > +-- > +2.23.0 > + > diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb > index fda68a2938..9d649e49a3 100644 > --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb > +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb > @@ -21,6 +21,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ > file://0003-tests-bench-slope.c-workaround-ICE-failure-on-mips-w.patch \ > file://0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \ > file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \ > + file://0001-ecc-Add-mitigation-against-timing-attack.patch \ > + file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \ > " > SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573" > SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227" ^ permalink raw reply [flat|nested] 5+ messages in thread
* [zeus][PATCH] Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus. 2019-10-19 15:09 ` akuster808 @ 2019-10-23 16:24 ` Trevor Gamblin 2019-10-23 16:26 ` Trevor Gamblin 2019-10-23 16:26 ` [zeus][PATCH v2] libgcrypt: fix CVE-2019-12904 Trevor Gamblin 1 sibling, 1 reply; 5+ messages in thread From: Trevor Gamblin @ 2019-10-23 16:24 UTC (permalink / raw) To: openembedded-core From: Yi Zhao <yi.zhao@windriver.com> libgcrypt: fix CVE-2019-12904 In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-12904 Patches from: https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705 https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> --- .../0001-Prefetch-GCM-look-up-tables.patch | 90 +++++ ...-tables-to-.data-section-and-unshare.patch | 332 ++++++++++++++++++ ...-table-to-.data-section-and-unshare-.patch | 178 ++++++++++ .../libgcrypt/libgcrypt_1.8.4.bb | 3 + 4 files changed, 603 insertions(+) create mode 100644 meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch create mode 100644 meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch create mode 100644 meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch diff --git a/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch new file mode 100644 index 0000000000..4df96f0011 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch @@ -0,0 +1,90 @@ +From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> +Date: Sat, 27 Apr 2019 19:33:28 +0300 +Subject: [PATCH 1/3] Prefetch GCM look-up tables + +* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables) +(prefetch_tables): New. +(ghash_internal): Call prefetch_tables. +-- + +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> + +Upstream-Status: Backport +[https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705] + +CVE: CVE-2019-12904 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + cipher/cipher-gcm.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +index c19f09f..11f119a 100644 +--- a/cipher/cipher-gcm.c ++++ b/cipher/cipher-gcm.c +@@ -118,6 +118,34 @@ static const u16 gcmR[256] = { + 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, + }; + ++static inline ++void prefetch_table(const void *tab, size_t len) ++{ ++ const volatile byte *vtab = tab; ++ size_t i; ++ ++ for (i = 0; i < len; i += 8 * 32) ++ { ++ (void)vtab[i + 0 * 32]; ++ (void)vtab[i + 1 * 32]; ++ (void)vtab[i + 2 * 32]; ++ (void)vtab[i + 3 * 32]; ++ (void)vtab[i + 4 * 32]; ++ (void)vtab[i + 5 * 32]; ++ (void)vtab[i + 6 * 32]; ++ (void)vtab[i + 7 * 32]; ++ } ++ ++ (void)vtab[len - 1]; ++} ++ ++static inline void ++do_prefetch_tables (const void *gcmM, size_t gcmM_size) ++{ ++ prefetch_table(gcmM, gcmM_size); ++ prefetch_table(gcmR, sizeof(gcmR)); ++} ++ + #ifdef GCM_TABLES_USE_U64 + static void + bshift (u64 * b0, u64 * b1) +@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM) + #define fillM(c) \ + do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table) + #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table) ++#define prefetch_tables(c) \ ++ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table)) + + #else + +@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf) + + #define fillM(c) do { } while (0) + #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf) ++#define prefetch_tables(c) do {} while (0) + + #endif /* !GCM_USE_TABLES */ + +@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf, + const unsigned int blocksize = GCRY_GCM_BLOCK_LEN; + unsigned int burn = 0; + ++ prefetch_tables (c); ++ + while (nblocks) + { + burn = GHASH (c, result, buf); +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch new file mode 100644 index 0000000000..c82c5b5c8a --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch @@ -0,0 +1,332 @@ +From 119348dd9aa52ab229afb5e2d3342d2b76fe81bf Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> +Date: Fri, 31 May 2019 17:18:09 +0300 +Subject: [PATCH 2/3] AES: move look-up tables to .data section and unshare between + processes + +* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New. +* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure. +(enc_tables): New structure for encryption table with counters before +and after. +(encT): New macro. +(dec_tables): Add counters before and after encryption table; Move +from .rodata to .data section. +(do_encrypt): Change 'encT' to 'enc_tables.T'. +(do_decrypt): Change '&dec_tables' to 'dec_tables.T'. +* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input +with length not multiple of 256. +(prefetch_enc, prefetch_dec): Modify pre- and post-table counters +to unshare look-up table pages between processes. +-- + +GnuPG-bug-id: 4541 +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> + +Upstream-Status: Backport +[https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762] + +CVE: CVE-2019-12904 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + cipher/rijndael-internal.h | 4 +- + cipher/rijndael-tables.h | 155 +++++++++++++++++++++++++-------------------- + cipher/rijndael.c | 35 ++++++++-- + 3 files changed, 118 insertions(+), 76 deletions(-) + +diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h +index 160fb8c..a62d4b7 100644 +--- a/cipher/rijndael-internal.h ++++ b/cipher/rijndael-internal.h +@@ -29,11 +29,13 @@ + #define BLOCKSIZE (128/8) + + +-/* Helper macro to force alignment to 16 bytes. */ ++/* Helper macro to force alignment to 16 or 64 bytes. */ + #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED + # define ATTR_ALIGNED_16 __attribute__ ((aligned (16))) ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) + #else + # define ATTR_ALIGNED_16 ++# define ATTR_ALIGNED_64 + #endif + + +diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h +index 8359470..b54d959 100644 +--- a/cipher/rijndael-tables.h ++++ b/cipher/rijndael-tables.h +@@ -21,80 +21,98 @@ + /* To keep the actual implementation at a readable size we use this + include file to define the tables. */ + +-static const u32 encT[256] = ++static struct ++{ ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; ++ u32 T[256]; ++ volatile u32 counter_tail; ++} enc_tables ATTR_ALIGNED_64 = + { +- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, +- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, +- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, +- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, +- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, +- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, +- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, +- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, +- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, +- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, +- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, +- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, +- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, +- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, +- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, +- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, +- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, +- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, +- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, +- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, +- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, +- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, +- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, +- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, +- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, +- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, +- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, +- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, +- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, +- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, +- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, +- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, +- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, +- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, +- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, +- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, +- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, +- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, +- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, +- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, +- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, +- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, +- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, +- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, +- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, +- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, +- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, +- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, +- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, +- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, +- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, +- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, +- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, +- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, +- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, +- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, +- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, +- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, +- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, +- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, +- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, +- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, +- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, +- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c ++ 0, ++ { 0, }, ++ { ++ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, ++ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, ++ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, ++ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, ++ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, ++ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, ++ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, ++ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, ++ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, ++ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, ++ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, ++ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, ++ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, ++ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, ++ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, ++ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, ++ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, ++ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, ++ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, ++ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, ++ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, ++ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, ++ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, ++ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, ++ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, ++ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, ++ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, ++ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, ++ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, ++ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, ++ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, ++ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, ++ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, ++ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, ++ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, ++ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, ++ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, ++ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, ++ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, ++ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, ++ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, ++ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, ++ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, ++ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, ++ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, ++ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, ++ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, ++ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, ++ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, ++ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, ++ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, ++ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, ++ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, ++ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, ++ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, ++ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, ++ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, ++ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, ++ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, ++ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, ++ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, ++ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, ++ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, ++ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c ++ }, ++ 0 + }; + +-static const struct ++#define encT enc_tables.T ++ ++static struct + { ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; + u32 T[256]; + byte inv_sbox[256]; +-} dec_tables = ++ volatile u32 counter_tail; ++} dec_tables ATTR_ALIGNED_64 = + { ++ 0, ++ { 0, }, + { + 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, + 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, +@@ -194,7 +212,8 @@ static const struct + 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, + 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, + 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d +- } ++ }, ++ 0 + }; + + #define decT dec_tables.T +diff --git a/cipher/rijndael.c b/cipher/rijndael.c +index 8637195..d0edab2 100644 +--- a/cipher/rijndael.c ++++ b/cipher/rijndael.c +@@ -227,11 +227,11 @@ static const char *selftest(void); + + \f + /* Prefetching for encryption/decryption tables. */ +-static void prefetch_table(const volatile byte *tab, size_t len) ++static inline void prefetch_table(const volatile byte *tab, size_t len) + { + size_t i; + +- for (i = 0; i < len; i += 8 * 32) ++ for (i = 0; len - i >= 8 * 32; i += 8 * 32) + { + (void)tab[i + 0 * 32]; + (void)tab[i + 1 * 32]; +@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len) + (void)tab[i + 6 * 32]; + (void)tab[i + 7 * 32]; + } ++ for (; i < len; i += 32) ++ { ++ (void)tab[i]; ++ } + + (void)tab[len - 1]; + } + + static void prefetch_enc(void) + { +- prefetch_table((const void *)encT, sizeof(encT)); ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages ++ * of look-up table are shared between processes. Modifying counters also ++ * causes checksums for pages to change and hint same-page merging algorithm ++ * that these pages are frequently changing. */ ++ enc_tables.counter_head++; ++ enc_tables.counter_tail++; ++ ++ /* Prefetch look-up tables to cache. */ ++ prefetch_table((const void *)&enc_tables, sizeof(enc_tables)); + } + + static void prefetch_dec(void) + { ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages ++ * of look-up table are shared between processes. Modifying counters also ++ * causes checksums for pages to change and hint same-page merging algorithm ++ * that these pages are frequently changing. */ ++ dec_tables.counter_head++; ++ dec_tables.counter_tail++; ++ ++ /* Prefetch look-up tables to cache. */ + prefetch_table((const void *)&dec_tables, sizeof(dec_tables)); + } + +@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx, + #ifdef USE_AMD64_ASM + # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS + return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, +- encT); ++ enc_tables.T); + # else + /* Call SystemV ABI function without storing non-volatile XMM registers, + * as target function does not use vector instruction sets. */ +@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx, + return ret; + # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ + #elif defined(USE_ARM_ASM) +- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT); ++ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, ++ enc_tables.T); + #else + return do_encrypt_fn (ctx, bx, ax); + #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/ +@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, + #ifdef USE_AMD64_ASM + # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS + return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, +- &dec_tables); ++ dec_tables.T); + # else + /* Call SystemV ABI function without storing non-volatile XMM registers, + * as target function does not use vector instruction sets. */ +@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, + # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ + #elif defined(USE_ARM_ASM) + return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, +- &dec_tables); ++ dec_tables.T); + #else + return do_decrypt_fn (ctx, bx, ax); + #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/ +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch b/meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch new file mode 100644 index 0000000000..b580b7b13c --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch @@ -0,0 +1,178 @@ +From a4c561aab1014c3630bc88faf6f5246fee16b020 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> +Date: Fri, 31 May 2019 17:27:25 +0300 +Subject: [PATCH 3/3] GCM: move look-up table to .data section and unshare + between processes + +* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New. +(gcmR): Move to 'gcm_table' structure. +(gcm_table): New structure for look-up table with counters before and +after. +(gcmR): New macro. +(prefetch_table): Handle input with length not multiple of 256. +(do_prefetch_tables): Modify pre- and post-table counters to unshare +look-up table pages between processes. +-- + +GnuPG-bug-id: 4541 +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> + +Upstream-Status: Backport +[https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020] + +CVE: CVE-2019-12904 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + cipher/cipher-gcm.c | 106 ++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 70 insertions(+), 36 deletions(-) + +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +index 11f119a..194e2ec 100644 +--- a/cipher/cipher-gcm.c ++++ b/cipher/cipher-gcm.c +@@ -30,6 +30,14 @@ + #include "./cipher-internal.h" + + ++/* Helper macro to force alignment to 16 or 64 bytes. */ ++#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) ++#else ++# define ATTR_ALIGNED_64 ++#endif ++ ++ + #ifdef GCM_USE_INTEL_PCLMUL + extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c); + +@@ -83,40 +91,54 @@ ghash_armv7_neon (gcry_cipher_hd_t c, byte *result, const byte *buf, + + + #ifdef GCM_USE_TABLES +-static const u16 gcmR[256] = { +- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, +- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, +- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, +- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, +- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, +- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, +- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, +- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, +- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, +- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, +- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, +- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, +- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, +- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, +- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, +- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, +- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, +- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, +- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, +- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, +- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, +- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, +- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, +- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, +- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, +- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, +- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, +- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, +- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, +- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, +- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, +- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, +-}; ++static struct ++{ ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; ++ u16 R[256]; ++ volatile u32 counter_tail; ++} gcm_table ATTR_ALIGNED_64 = ++ { ++ 0, ++ { 0, }, ++ { ++ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, ++ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, ++ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, ++ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, ++ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, ++ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, ++ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, ++ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, ++ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, ++ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, ++ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, ++ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, ++ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, ++ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, ++ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, ++ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, ++ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, ++ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, ++ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, ++ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, ++ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, ++ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, ++ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, ++ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, ++ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, ++ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, ++ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, ++ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, ++ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, ++ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, ++ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, ++ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, ++ }, ++ 0 ++ }; ++ ++#define gcmR gcm_table.R + + static inline + void prefetch_table(const void *tab, size_t len) +@@ -124,7 +146,7 @@ void prefetch_table(const void *tab, size_t len) + const volatile byte *vtab = tab; + size_t i; + +- for (i = 0; i < len; i += 8 * 32) ++ for (i = 0; len - i >= 8 * 32; i += 8 * 32) + { + (void)vtab[i + 0 * 32]; + (void)vtab[i + 1 * 32]; +@@ -135,6 +157,10 @@ void prefetch_table(const void *tab, size_t len) + (void)vtab[i + 6 * 32]; + (void)vtab[i + 7 * 32]; + } ++ for (; i < len; i += 32) ++ { ++ (void)vtab[i]; ++ } + + (void)vtab[len - 1]; + } +@@ -142,8 +168,16 @@ void prefetch_table(const void *tab, size_t len) + static inline void + do_prefetch_tables (const void *gcmM, size_t gcmM_size) + { ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages ++ * of look-up table are shared between processes. Modifying counters also ++ * causes checksums for pages to change and hint same-page merging algorithm ++ * that these pages are frequently changing. */ ++ gcm_table.counter_head++; ++ gcm_table.counter_tail++; ++ ++ /* Prefetch look-up tables to cache. */ + prefetch_table(gcmM, gcmM_size); +- prefetch_table(gcmR, sizeof(gcmR)); ++ prefetch_table(&gcm_table, sizeof(gcm_table)); + } + + #ifdef GCM_TABLES_USE_U64 +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb index 9d649e49a3..6635fb0b4f 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb @@ -23,6 +23,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \ file://0001-ecc-Add-mitigation-against-timing-attack.patch \ file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \ + file://0001-Prefetch-GCM-look-up-tables.patch \ + file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ + file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ " SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573" SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227" -- 2.23.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [zeus][PATCH] Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus. 2019-10-23 16:24 ` [zeus][PATCH] Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus Trevor Gamblin @ 2019-10-23 16:26 ` Trevor Gamblin 0 siblings, 0 replies; 5+ messages in thread From: Trevor Gamblin @ 2019-10-23 16:26 UTC (permalink / raw) To: openembedded-core On 10/23/19 12:24 PM, Trevor Gamblin wrote: > From: Yi Zhao <yi.zhao@windriver.com> > > libgcrypt: fix CVE-2019-12904 > > In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a > flush-and-reload side-channel attack because physical addresses are > available to other processes. (The C implementation is used on platforms > where an assembly-language implementation is unavailable.) > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2019-12904 > > Patches from: > https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705 > https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 > https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 > > Signed-off-by: Yi Zhao <yi.zhao@windriver.com> > Signed-off-by: Ross Burton <ross.burton@intel.com> > Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> > --- > .../0001-Prefetch-GCM-look-up-tables.patch | 90 +++++ > ...-tables-to-.data-section-and-unshare.patch | 332 ++++++++++++++++++ > ...-table-to-.data-section-and-unshare-.patch | 178 ++++++++++ > .../libgcrypt/libgcrypt_1.8.4.bb | 3 + > 4 files changed, 603 insertions(+) > create mode 100644 meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch > create mode 100644 meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch > create mode 100644 meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch > > diff --git a/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch > new file mode 100644 > index 0000000000..4df96f0011 > --- /dev/null > +++ b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch > @@ -0,0 +1,90 @@ > +From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001 > +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> > +Date: Sat, 27 Apr 2019 19:33:28 +0300 > +Subject: [PATCH 1/3] Prefetch GCM look-up tables > + > +* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables) > +(prefetch_tables): New. > +(ghash_internal): Call prefetch_tables. > +-- > + > +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> > + > +Upstream-Status: Backport > +[https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705] > + > +CVE: CVE-2019-12904 > + > +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> > +--- > + cipher/cipher-gcm.c | 33 +++++++++++++++++++++++++++++++++ > + 1 file changed, 33 insertions(+) > + > +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c > +index c19f09f..11f119a 100644 > +--- a/cipher/cipher-gcm.c > ++++ b/cipher/cipher-gcm.c > +@@ -118,6 +118,34 @@ static const u16 gcmR[256] = { > + 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, > + }; > + > ++static inline > ++void prefetch_table(const void *tab, size_t len) > ++{ > ++ const volatile byte *vtab = tab; > ++ size_t i; > ++ > ++ for (i = 0; i < len; i += 8 * 32) > ++ { > ++ (void)vtab[i + 0 * 32]; > ++ (void)vtab[i + 1 * 32]; > ++ (void)vtab[i + 2 * 32]; > ++ (void)vtab[i + 3 * 32]; > ++ (void)vtab[i + 4 * 32]; > ++ (void)vtab[i + 5 * 32]; > ++ (void)vtab[i + 6 * 32]; > ++ (void)vtab[i + 7 * 32]; > ++ } > ++ > ++ (void)vtab[len - 1]; > ++} > ++ > ++static inline void > ++do_prefetch_tables (const void *gcmM, size_t gcmM_size) > ++{ > ++ prefetch_table(gcmM, gcmM_size); > ++ prefetch_table(gcmR, sizeof(gcmR)); > ++} > ++ > + #ifdef GCM_TABLES_USE_U64 > + static void > + bshift (u64 * b0, u64 * b1) > +@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM) > + #define fillM(c) \ > + do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table) > + #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table) > ++#define prefetch_tables(c) \ > ++ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table)) > + > + #else > + > +@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf) > + > + #define fillM(c) do { } while (0) > + #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf) > ++#define prefetch_tables(c) do {} while (0) > + > + #endif /* !GCM_USE_TABLES */ > + > +@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf, > + const unsigned int blocksize = GCRY_GCM_BLOCK_LEN; > + unsigned int burn = 0; > + > ++ prefetch_tables (c); > ++ > + while (nblocks) > + { > + burn = GHASH (c, result, buf); > +-- > +2.7.4 > + > diff --git a/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch > new file mode 100644 > index 0000000000..c82c5b5c8a > --- /dev/null > +++ b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch > @@ -0,0 +1,332 @@ > +From 119348dd9aa52ab229afb5e2d3342d2b76fe81bf Mon Sep 17 00:00:00 2001 > +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> > +Date: Fri, 31 May 2019 17:18:09 +0300 > +Subject: [PATCH 2/3] AES: move look-up tables to .data section and unshare between > + processes > + > +* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New. > +* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure. > +(enc_tables): New structure for encryption table with counters before > +and after. > +(encT): New macro. > +(dec_tables): Add counters before and after encryption table; Move > +from .rodata to .data section. > +(do_encrypt): Change 'encT' to 'enc_tables.T'. > +(do_decrypt): Change '&dec_tables' to 'dec_tables.T'. > +* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input > +with length not multiple of 256. > +(prefetch_enc, prefetch_dec): Modify pre- and post-table counters > +to unshare look-up table pages between processes. > +-- > + > +GnuPG-bug-id: 4541 > +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> > + > +Upstream-Status: Backport > +[https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762] > + > +CVE: CVE-2019-12904 > + > +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> > +--- > + cipher/rijndael-internal.h | 4 +- > + cipher/rijndael-tables.h | 155 +++++++++++++++++++++++++-------------------- > + cipher/rijndael.c | 35 ++++++++-- > + 3 files changed, 118 insertions(+), 76 deletions(-) > + > +diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h > +index 160fb8c..a62d4b7 100644 > +--- a/cipher/rijndael-internal.h > ++++ b/cipher/rijndael-internal.h > +@@ -29,11 +29,13 @@ > + #define BLOCKSIZE (128/8) > + > + > +-/* Helper macro to force alignment to 16 bytes. */ > ++/* Helper macro to force alignment to 16 or 64 bytes. */ > + #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED > + # define ATTR_ALIGNED_16 __attribute__ ((aligned (16))) > ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) > + #else > + # define ATTR_ALIGNED_16 > ++# define ATTR_ALIGNED_64 > + #endif > + > + > +diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h > +index 8359470..b54d959 100644 > +--- a/cipher/rijndael-tables.h > ++++ b/cipher/rijndael-tables.h > +@@ -21,80 +21,98 @@ > + /* To keep the actual implementation at a readable size we use this > + include file to define the tables. */ > + > +-static const u32 encT[256] = > ++static struct > ++{ > ++ volatile u32 counter_head; > ++ u32 cacheline_align[64 / 4 - 1]; > ++ u32 T[256]; > ++ volatile u32 counter_tail; > ++} enc_tables ATTR_ALIGNED_64 = > + { > +- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, > +- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, > +- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, > +- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, > +- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, > +- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, > +- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, > +- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, > +- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, > +- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, > +- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, > +- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, > +- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, > +- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, > +- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, > +- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, > +- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, > +- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, > +- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, > +- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, > +- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, > +- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, > +- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, > +- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, > +- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, > +- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, > +- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, > +- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, > +- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, > +- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, > +- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, > +- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, > +- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, > +- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, > +- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, > +- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, > +- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, > +- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, > +- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, > +- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, > +- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, > +- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, > +- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, > +- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, > +- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, > +- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, > +- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, > +- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, > +- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, > +- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, > +- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, > +- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, > +- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, > +- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, > +- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, > +- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, > +- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, > +- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, > +- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, > +- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, > +- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, > +- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, > +- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, > +- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c > ++ 0, > ++ { 0, }, > ++ { > ++ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, > ++ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, > ++ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, > ++ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, > ++ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, > ++ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, > ++ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, > ++ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, > ++ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, > ++ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, > ++ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, > ++ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, > ++ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, > ++ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, > ++ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, > ++ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, > ++ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, > ++ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, > ++ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, > ++ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, > ++ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, > ++ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, > ++ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, > ++ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, > ++ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, > ++ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, > ++ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, > ++ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, > ++ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, > ++ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, > ++ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, > ++ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, > ++ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, > ++ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, > ++ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, > ++ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, > ++ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, > ++ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, > ++ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, > ++ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, > ++ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, > ++ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, > ++ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, > ++ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, > ++ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, > ++ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, > ++ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, > ++ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, > ++ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, > ++ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, > ++ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, > ++ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, > ++ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, > ++ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, > ++ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, > ++ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, > ++ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, > ++ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, > ++ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, > ++ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, > ++ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, > ++ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, > ++ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, > ++ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c > ++ }, > ++ 0 > + }; > + > +-static const struct > ++#define encT enc_tables.T > ++ > ++static struct > + { > ++ volatile u32 counter_head; > ++ u32 cacheline_align[64 / 4 - 1]; > + u32 T[256]; > + byte inv_sbox[256]; > +-} dec_tables = > ++ volatile u32 counter_tail; > ++} dec_tables ATTR_ALIGNED_64 = > + { > ++ 0, > ++ { 0, }, > + { > + 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, > + 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, > +@@ -194,7 +212,8 @@ static const struct > + 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, > + 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, > + 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d > +- } > ++ }, > ++ 0 > + }; > + > + #define decT dec_tables.T > +diff --git a/cipher/rijndael.c b/cipher/rijndael.c > +index 8637195..d0edab2 100644 > +--- a/cipher/rijndael.c > ++++ b/cipher/rijndael.c > +@@ -227,11 +227,11 @@ static const char *selftest(void); > + > + \f > + /* Prefetching for encryption/decryption tables. */ > +-static void prefetch_table(const volatile byte *tab, size_t len) > ++static inline void prefetch_table(const volatile byte *tab, size_t len) > + { > + size_t i; > + > +- for (i = 0; i < len; i += 8 * 32) > ++ for (i = 0; len - i >= 8 * 32; i += 8 * 32) > + { > + (void)tab[i + 0 * 32]; > + (void)tab[i + 1 * 32]; > +@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len) > + (void)tab[i + 6 * 32]; > + (void)tab[i + 7 * 32]; > + } > ++ for (; i < len; i += 32) > ++ { > ++ (void)tab[i]; > ++ } > + > + (void)tab[len - 1]; > + } > + > + static void prefetch_enc(void) > + { > +- prefetch_table((const void *)encT, sizeof(encT)); > ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages > ++ * of look-up table are shared between processes. Modifying counters also > ++ * causes checksums for pages to change and hint same-page merging algorithm > ++ * that these pages are frequently changing. */ > ++ enc_tables.counter_head++; > ++ enc_tables.counter_tail++; > ++ > ++ /* Prefetch look-up tables to cache. */ > ++ prefetch_table((const void *)&enc_tables, sizeof(enc_tables)); > + } > + > + static void prefetch_dec(void) > + { > ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages > ++ * of look-up table are shared between processes. Modifying counters also > ++ * causes checksums for pages to change and hint same-page merging algorithm > ++ * that these pages are frequently changing. */ > ++ dec_tables.counter_head++; > ++ dec_tables.counter_tail++; > ++ > ++ /* Prefetch look-up tables to cache. */ > + prefetch_table((const void *)&dec_tables, sizeof(dec_tables)); > + } > + > +@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx, > + #ifdef USE_AMD64_ASM > + # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS > + return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, > +- encT); > ++ enc_tables.T); > + # else > + /* Call SystemV ABI function without storing non-volatile XMM registers, > + * as target function does not use vector instruction sets. */ > +@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx, > + return ret; > + # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ > + #elif defined(USE_ARM_ASM) > +- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT); > ++ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, > ++ enc_tables.T); > + #else > + return do_encrypt_fn (ctx, bx, ax); > + #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/ > +@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, > + #ifdef USE_AMD64_ASM > + # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS > + return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, > +- &dec_tables); > ++ dec_tables.T); > + # else > + /* Call SystemV ABI function without storing non-volatile XMM registers, > + * as target function does not use vector instruction sets. */ > +@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, > + # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ > + #elif defined(USE_ARM_ASM) > + return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, > +- &dec_tables); > ++ dec_tables.T); > + #else > + return do_decrypt_fn (ctx, bx, ax); > + #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/ > +-- > +2.7.4 > + > diff --git a/meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch b/meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch > new file mode 100644 > index 0000000000..b580b7b13c > --- /dev/null > +++ b/meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch > @@ -0,0 +1,178 @@ > +From a4c561aab1014c3630bc88faf6f5246fee16b020 Mon Sep 17 00:00:00 2001 > +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> > +Date: Fri, 31 May 2019 17:27:25 +0300 > +Subject: [PATCH 3/3] GCM: move look-up table to .data section and unshare > + between processes > + > +* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New. > +(gcmR): Move to 'gcm_table' structure. > +(gcm_table): New structure for look-up table with counters before and > +after. > +(gcmR): New macro. > +(prefetch_table): Handle input with length not multiple of 256. > +(do_prefetch_tables): Modify pre- and post-table counters to unshare > +look-up table pages between processes. > +-- > + > +GnuPG-bug-id: 4541 > +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> > + > +Upstream-Status: Backport > +[https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020] > + > +CVE: CVE-2019-12904 > + > +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> > +--- > + cipher/cipher-gcm.c | 106 ++++++++++++++++++++++++++++++++++------------------ > + 1 file changed, 70 insertions(+), 36 deletions(-) > + > +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c > +index 11f119a..194e2ec 100644 > +--- a/cipher/cipher-gcm.c > ++++ b/cipher/cipher-gcm.c > +@@ -30,6 +30,14 @@ > + #include "./cipher-internal.h" > + > + > ++/* Helper macro to force alignment to 16 or 64 bytes. */ > ++#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED > ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) > ++#else > ++# define ATTR_ALIGNED_64 > ++#endif > ++ > ++ > + #ifdef GCM_USE_INTEL_PCLMUL > + extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c); > + > +@@ -83,40 +91,54 @@ ghash_armv7_neon (gcry_cipher_hd_t c, byte *result, const byte *buf, > + > + > + #ifdef GCM_USE_TABLES > +-static const u16 gcmR[256] = { > +- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, > +- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, > +- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, > +- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, > +- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, > +- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, > +- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, > +- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, > +- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, > +- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, > +- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, > +- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, > +- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, > +- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, > +- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, > +- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, > +- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, > +- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, > +- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, > +- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, > +- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, > +- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, > +- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, > +- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, > +- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, > +- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, > +- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, > +- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, > +- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, > +- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, > +- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, > +- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, > +-}; > ++static struct > ++{ > ++ volatile u32 counter_head; > ++ u32 cacheline_align[64 / 4 - 1]; > ++ u16 R[256]; > ++ volatile u32 counter_tail; > ++} gcm_table ATTR_ALIGNED_64 = > ++ { > ++ 0, > ++ { 0, }, > ++ { > ++ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, > ++ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, > ++ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, > ++ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, > ++ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, > ++ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, > ++ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, > ++ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, > ++ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, > ++ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, > ++ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, > ++ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, > ++ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, > ++ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, > ++ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, > ++ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, > ++ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, > ++ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, > ++ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, > ++ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, > ++ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, > ++ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, > ++ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, > ++ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, > ++ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, > ++ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, > ++ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, > ++ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, > ++ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, > ++ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, > ++ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, > ++ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, > ++ }, > ++ 0 > ++ }; > ++ > ++#define gcmR gcm_table.R > + > + static inline > + void prefetch_table(const void *tab, size_t len) > +@@ -124,7 +146,7 @@ void prefetch_table(const void *tab, size_t len) > + const volatile byte *vtab = tab; > + size_t i; > + > +- for (i = 0; i < len; i += 8 * 32) > ++ for (i = 0; len - i >= 8 * 32; i += 8 * 32) > + { > + (void)vtab[i + 0 * 32]; > + (void)vtab[i + 1 * 32]; > +@@ -135,6 +157,10 @@ void prefetch_table(const void *tab, size_t len) > + (void)vtab[i + 6 * 32]; > + (void)vtab[i + 7 * 32]; > + } > ++ for (; i < len; i += 32) > ++ { > ++ (void)vtab[i]; > ++ } > + > + (void)vtab[len - 1]; > + } > +@@ -142,8 +168,16 @@ void prefetch_table(const void *tab, size_t len) > + static inline void > + do_prefetch_tables (const void *gcmM, size_t gcmM_size) > + { > ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages > ++ * of look-up table are shared between processes. Modifying counters also > ++ * causes checksums for pages to change and hint same-page merging algorithm > ++ * that these pages are frequently changing. */ > ++ gcm_table.counter_head++; > ++ gcm_table.counter_tail++; > ++ > ++ /* Prefetch look-up tables to cache. */ > + prefetch_table(gcmM, gcmM_size); > +- prefetch_table(gcmR, sizeof(gcmR)); > ++ prefetch_table(&gcm_table, sizeof(gcm_table)); > + } > + > + #ifdef GCM_TABLES_USE_U64 > +-- > +2.7.4 > + > diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb > index 9d649e49a3..6635fb0b4f 100644 > --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb > +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb > @@ -23,6 +23,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ > file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \ > file://0001-ecc-Add-mitigation-against-timing-attack.patch \ > file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \ > + file://0001-Prefetch-GCM-look-up-tables.patch \ > + file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ > + file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ > " > SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573" > SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227" Oops. v2 incoming ^ permalink raw reply [flat|nested] 5+ messages in thread
* [zeus][PATCH v2] libgcrypt: fix CVE-2019-12904 2019-10-19 15:09 ` akuster808 2019-10-23 16:24 ` [zeus][PATCH] Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus Trevor Gamblin @ 2019-10-23 16:26 ` Trevor Gamblin 1 sibling, 0 replies; 5+ messages in thread From: Trevor Gamblin @ 2019-10-23 16:26 UTC (permalink / raw) To: openembedded-core From: Yi Zhao <yi.zhao@windriver.com> Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus. In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-12904 Patches from: https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705 https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> --- .../0001-Prefetch-GCM-look-up-tables.patch | 90 +++++ ...-tables-to-.data-section-and-unshare.patch | 332 ++++++++++++++++++ ...-table-to-.data-section-and-unshare-.patch | 178 ++++++++++ .../libgcrypt/libgcrypt_1.8.4.bb | 3 + 4 files changed, 603 insertions(+) create mode 100644 meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch create mode 100644 meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch create mode 100644 meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch diff --git a/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch new file mode 100644 index 0000000000..4df96f0011 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch @@ -0,0 +1,90 @@ +From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> +Date: Sat, 27 Apr 2019 19:33:28 +0300 +Subject: [PATCH 1/3] Prefetch GCM look-up tables + +* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables) +(prefetch_tables): New. +(ghash_internal): Call prefetch_tables. +-- + +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> + +Upstream-Status: Backport +[https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705] + +CVE: CVE-2019-12904 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + cipher/cipher-gcm.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +index c19f09f..11f119a 100644 +--- a/cipher/cipher-gcm.c ++++ b/cipher/cipher-gcm.c +@@ -118,6 +118,34 @@ static const u16 gcmR[256] = { + 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, + }; + ++static inline ++void prefetch_table(const void *tab, size_t len) ++{ ++ const volatile byte *vtab = tab; ++ size_t i; ++ ++ for (i = 0; i < len; i += 8 * 32) ++ { ++ (void)vtab[i + 0 * 32]; ++ (void)vtab[i + 1 * 32]; ++ (void)vtab[i + 2 * 32]; ++ (void)vtab[i + 3 * 32]; ++ (void)vtab[i + 4 * 32]; ++ (void)vtab[i + 5 * 32]; ++ (void)vtab[i + 6 * 32]; ++ (void)vtab[i + 7 * 32]; ++ } ++ ++ (void)vtab[len - 1]; ++} ++ ++static inline void ++do_prefetch_tables (const void *gcmM, size_t gcmM_size) ++{ ++ prefetch_table(gcmM, gcmM_size); ++ prefetch_table(gcmR, sizeof(gcmR)); ++} ++ + #ifdef GCM_TABLES_USE_U64 + static void + bshift (u64 * b0, u64 * b1) +@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM) + #define fillM(c) \ + do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table) + #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table) ++#define prefetch_tables(c) \ ++ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table)) + + #else + +@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf) + + #define fillM(c) do { } while (0) + #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf) ++#define prefetch_tables(c) do {} while (0) + + #endif /* !GCM_USE_TABLES */ + +@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf, + const unsigned int blocksize = GCRY_GCM_BLOCK_LEN; + unsigned int burn = 0; + ++ prefetch_tables (c); ++ + while (nblocks) + { + burn = GHASH (c, result, buf); +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch new file mode 100644 index 0000000000..c82c5b5c8a --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch @@ -0,0 +1,332 @@ +From 119348dd9aa52ab229afb5e2d3342d2b76fe81bf Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> +Date: Fri, 31 May 2019 17:18:09 +0300 +Subject: [PATCH 2/3] AES: move look-up tables to .data section and unshare between + processes + +* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New. +* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure. +(enc_tables): New structure for encryption table with counters before +and after. +(encT): New macro. +(dec_tables): Add counters before and after encryption table; Move +from .rodata to .data section. +(do_encrypt): Change 'encT' to 'enc_tables.T'. +(do_decrypt): Change '&dec_tables' to 'dec_tables.T'. +* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input +with length not multiple of 256. +(prefetch_enc, prefetch_dec): Modify pre- and post-table counters +to unshare look-up table pages between processes. +-- + +GnuPG-bug-id: 4541 +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> + +Upstream-Status: Backport +[https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762] + +CVE: CVE-2019-12904 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + cipher/rijndael-internal.h | 4 +- + cipher/rijndael-tables.h | 155 +++++++++++++++++++++++++-------------------- + cipher/rijndael.c | 35 ++++++++-- + 3 files changed, 118 insertions(+), 76 deletions(-) + +diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h +index 160fb8c..a62d4b7 100644 +--- a/cipher/rijndael-internal.h ++++ b/cipher/rijndael-internal.h +@@ -29,11 +29,13 @@ + #define BLOCKSIZE (128/8) + + +-/* Helper macro to force alignment to 16 bytes. */ ++/* Helper macro to force alignment to 16 or 64 bytes. */ + #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED + # define ATTR_ALIGNED_16 __attribute__ ((aligned (16))) ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) + #else + # define ATTR_ALIGNED_16 ++# define ATTR_ALIGNED_64 + #endif + + +diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h +index 8359470..b54d959 100644 +--- a/cipher/rijndael-tables.h ++++ b/cipher/rijndael-tables.h +@@ -21,80 +21,98 @@ + /* To keep the actual implementation at a readable size we use this + include file to define the tables. */ + +-static const u32 encT[256] = ++static struct ++{ ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; ++ u32 T[256]; ++ volatile u32 counter_tail; ++} enc_tables ATTR_ALIGNED_64 = + { +- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, +- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, +- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, +- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, +- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, +- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, +- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, +- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, +- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, +- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, +- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, +- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, +- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, +- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, +- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, +- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, +- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, +- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, +- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, +- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, +- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, +- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, +- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, +- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, +- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, +- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, +- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, +- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, +- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, +- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, +- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, +- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, +- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, +- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, +- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, +- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, +- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, +- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, +- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, +- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, +- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, +- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, +- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, +- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, +- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, +- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, +- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, +- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, +- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, +- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, +- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, +- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, +- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, +- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, +- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, +- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, +- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, +- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, +- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, +- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, +- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, +- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, +- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, +- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c ++ 0, ++ { 0, }, ++ { ++ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, ++ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, ++ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, ++ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, ++ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, ++ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, ++ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, ++ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, ++ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, ++ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, ++ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, ++ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, ++ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, ++ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, ++ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, ++ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, ++ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, ++ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, ++ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, ++ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, ++ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, ++ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, ++ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, ++ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, ++ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, ++ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, ++ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, ++ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, ++ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, ++ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, ++ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, ++ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, ++ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, ++ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, ++ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, ++ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, ++ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, ++ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, ++ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, ++ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, ++ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, ++ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, ++ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, ++ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, ++ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, ++ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, ++ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, ++ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, ++ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, ++ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, ++ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, ++ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, ++ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, ++ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, ++ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, ++ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, ++ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, ++ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, ++ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, ++ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, ++ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, ++ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, ++ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, ++ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c ++ }, ++ 0 + }; + +-static const struct ++#define encT enc_tables.T ++ ++static struct + { ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; + u32 T[256]; + byte inv_sbox[256]; +-} dec_tables = ++ volatile u32 counter_tail; ++} dec_tables ATTR_ALIGNED_64 = + { ++ 0, ++ { 0, }, + { + 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, + 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, +@@ -194,7 +212,8 @@ static const struct + 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, + 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, + 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d +- } ++ }, ++ 0 + }; + + #define decT dec_tables.T +diff --git a/cipher/rijndael.c b/cipher/rijndael.c +index 8637195..d0edab2 100644 +--- a/cipher/rijndael.c ++++ b/cipher/rijndael.c +@@ -227,11 +227,11 @@ static const char *selftest(void); + + \f + /* Prefetching for encryption/decryption tables. */ +-static void prefetch_table(const volatile byte *tab, size_t len) ++static inline void prefetch_table(const volatile byte *tab, size_t len) + { + size_t i; + +- for (i = 0; i < len; i += 8 * 32) ++ for (i = 0; len - i >= 8 * 32; i += 8 * 32) + { + (void)tab[i + 0 * 32]; + (void)tab[i + 1 * 32]; +@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len) + (void)tab[i + 6 * 32]; + (void)tab[i + 7 * 32]; + } ++ for (; i < len; i += 32) ++ { ++ (void)tab[i]; ++ } + + (void)tab[len - 1]; + } + + static void prefetch_enc(void) + { +- prefetch_table((const void *)encT, sizeof(encT)); ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages ++ * of look-up table are shared between processes. Modifying counters also ++ * causes checksums for pages to change and hint same-page merging algorithm ++ * that these pages are frequently changing. */ ++ enc_tables.counter_head++; ++ enc_tables.counter_tail++; ++ ++ /* Prefetch look-up tables to cache. */ ++ prefetch_table((const void *)&enc_tables, sizeof(enc_tables)); + } + + static void prefetch_dec(void) + { ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages ++ * of look-up table are shared between processes. Modifying counters also ++ * causes checksums for pages to change and hint same-page merging algorithm ++ * that these pages are frequently changing. */ ++ dec_tables.counter_head++; ++ dec_tables.counter_tail++; ++ ++ /* Prefetch look-up tables to cache. */ + prefetch_table((const void *)&dec_tables, sizeof(dec_tables)); + } + +@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx, + #ifdef USE_AMD64_ASM + # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS + return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, +- encT); ++ enc_tables.T); + # else + /* Call SystemV ABI function without storing non-volatile XMM registers, + * as target function does not use vector instruction sets. */ +@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx, + return ret; + # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ + #elif defined(USE_ARM_ASM) +- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT); ++ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, ++ enc_tables.T); + #else + return do_encrypt_fn (ctx, bx, ax); + #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/ +@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, + #ifdef USE_AMD64_ASM + # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS + return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, +- &dec_tables); ++ dec_tables.T); + # else + /* Call SystemV ABI function without storing non-volatile XMM registers, + * as target function does not use vector instruction sets. */ +@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, + # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ + #elif defined(USE_ARM_ASM) + return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, +- &dec_tables); ++ dec_tables.T); + #else + return do_decrypt_fn (ctx, bx, ax); + #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/ +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch b/meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch new file mode 100644 index 0000000000..b580b7b13c --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch @@ -0,0 +1,178 @@ +From a4c561aab1014c3630bc88faf6f5246fee16b020 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> +Date: Fri, 31 May 2019 17:27:25 +0300 +Subject: [PATCH 3/3] GCM: move look-up table to .data section and unshare + between processes + +* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New. +(gcmR): Move to 'gcm_table' structure. +(gcm_table): New structure for look-up table with counters before and +after. +(gcmR): New macro. +(prefetch_table): Handle input with length not multiple of 256. +(do_prefetch_tables): Modify pre- and post-table counters to unshare +look-up table pages between processes. +-- + +GnuPG-bug-id: 4541 +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> + +Upstream-Status: Backport +[https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020] + +CVE: CVE-2019-12904 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + cipher/cipher-gcm.c | 106 ++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 70 insertions(+), 36 deletions(-) + +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +index 11f119a..194e2ec 100644 +--- a/cipher/cipher-gcm.c ++++ b/cipher/cipher-gcm.c +@@ -30,6 +30,14 @@ + #include "./cipher-internal.h" + + ++/* Helper macro to force alignment to 16 or 64 bytes. */ ++#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) ++#else ++# define ATTR_ALIGNED_64 ++#endif ++ ++ + #ifdef GCM_USE_INTEL_PCLMUL + extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c); + +@@ -83,40 +91,54 @@ ghash_armv7_neon (gcry_cipher_hd_t c, byte *result, const byte *buf, + + + #ifdef GCM_USE_TABLES +-static const u16 gcmR[256] = { +- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, +- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, +- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, +- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, +- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, +- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, +- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, +- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, +- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, +- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, +- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, +- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, +- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, +- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, +- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, +- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, +- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, +- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, +- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, +- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, +- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, +- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, +- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, +- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, +- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, +- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, +- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, +- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, +- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, +- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, +- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, +- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, +-}; ++static struct ++{ ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; ++ u16 R[256]; ++ volatile u32 counter_tail; ++} gcm_table ATTR_ALIGNED_64 = ++ { ++ 0, ++ { 0, }, ++ { ++ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, ++ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, ++ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, ++ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, ++ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, ++ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, ++ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, ++ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, ++ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, ++ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, ++ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, ++ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, ++ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, ++ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, ++ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, ++ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, ++ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, ++ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, ++ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, ++ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, ++ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, ++ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, ++ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, ++ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, ++ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, ++ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, ++ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, ++ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, ++ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, ++ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, ++ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, ++ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, ++ }, ++ 0 ++ }; ++ ++#define gcmR gcm_table.R + + static inline + void prefetch_table(const void *tab, size_t len) +@@ -124,7 +146,7 @@ void prefetch_table(const void *tab, size_t len) + const volatile byte *vtab = tab; + size_t i; + +- for (i = 0; i < len; i += 8 * 32) ++ for (i = 0; len - i >= 8 * 32; i += 8 * 32) + { + (void)vtab[i + 0 * 32]; + (void)vtab[i + 1 * 32]; +@@ -135,6 +157,10 @@ void prefetch_table(const void *tab, size_t len) + (void)vtab[i + 6 * 32]; + (void)vtab[i + 7 * 32]; + } ++ for (; i < len; i += 32) ++ { ++ (void)vtab[i]; ++ } + + (void)vtab[len - 1]; + } +@@ -142,8 +168,16 @@ void prefetch_table(const void *tab, size_t len) + static inline void + do_prefetch_tables (const void *gcmM, size_t gcmM_size) + { ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages ++ * of look-up table are shared between processes. Modifying counters also ++ * causes checksums for pages to change and hint same-page merging algorithm ++ * that these pages are frequently changing. */ ++ gcm_table.counter_head++; ++ gcm_table.counter_tail++; ++ ++ /* Prefetch look-up tables to cache. */ + prefetch_table(gcmM, gcmM_size); +- prefetch_table(gcmR, sizeof(gcmR)); ++ prefetch_table(&gcm_table, sizeof(gcm_table)); + } + + #ifdef GCM_TABLES_USE_U64 +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb index 9d649e49a3..6635fb0b4f 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb @@ -23,6 +23,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \ file://0001-ecc-Add-mitigation-against-timing-attack.patch \ file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \ + file://0001-Prefetch-GCM-look-up-tables.patch \ + file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ + file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ " SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573" SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227" -- 2.23.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-10-23 16:26 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-10-18 19:32 [zeus][PATCH] libgcrypt: fix CVE-2019-13627 Trevor Gamblin 2019-10-19 15:09 ` akuster808 2019-10-23 16:24 ` [zeus][PATCH] Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus Trevor Gamblin 2019-10-23 16:26 ` Trevor Gamblin 2019-10-23 16:26 ` [zeus][PATCH v2] libgcrypt: fix CVE-2019-12904 Trevor Gamblin
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.