diff --git a/libgcrypt-1.11.0-cf-protection.patch b/libgcrypt-1.11.0-cf-protection.patch
new file mode 100644
index 0000000..e7ead95
--- /dev/null
+++ b/libgcrypt-1.11.0-cf-protection.patch
@@ -0,0 +1,191 @@
+From de3a04203b33c2248400392b535d2ab133bcd752 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna
+Date: Sat, 27 Jul 2024 08:16:56 +0300
+Subject: [PATCH] Do not build rijndael-vaes-avx2-i386 on x86-64
+
+* configure.ac: Enable building i386 "rijndael-vaes" only
+on i?86 host instead of x86 MPI arch ("i?86 + x86-64").
+--
+
+Signed-off-by: Jussi Kivilinna
+---
+ configure.ac | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d3dffb4b..1e182552 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3025,6 +3025,11 @@ if test "$found" = "1" ; then
+ AC_DEFINE(USE_AES, 1, [Defined if this module should be included])
+
+ case "${host}" in
++ i?86-*-*)
++ # Build with the VAES/AVX2 implementation
++ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
++ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
++ ;;
+ x86_64-*-*)
+ # Build with the assembly implementation
+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-amd64.lo"
+@@ -3089,10 +3094,6 @@ if test "$found" = "1" ; then
+
+ # Build with the Padlock implementation
+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-padlock.lo"
+-
+- # Build with the VAES/AVX2 implementation
+- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
+- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
+ ;;
+ esac
+ fi
+--
+2.43.0
+
+
+From 9178af96038acd295d02a4c405c19435dce92ad8 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna
+Date: Fri, 26 Jul 2024 10:59:12 +0300
+Subject: [PATCH 1/2] Add CET support for x86-64 assembly
+
+* cipher/asm-common-amd64.h (ENDBRANCH): New.
+(CFI_STARTPROC): Add ENDBRANCH.
+[__CET__] (note.gnu.property): Add CET property section.
+--
+
+Signed-off-by: Jussi Kivilinna
+---
+ cipher/asm-common-amd64.h | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/asm-common-amd64.h b/cipher/asm-common-amd64.h
+index 3fa065e8..465ef62b 100644
+--- a/cipher/asm-common-amd64.h
++++ b/cipher/asm-common-amd64.h
+@@ -76,9 +76,15 @@
+ # endif
+ #endif
+
++#ifdef __CET__
++#define ENDBRANCH endbr64
++#else
++#define ENDBRANCH /*_*/
++#endif
++
+ #ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
+ /* CFI directives to emit DWARF stack unwinding information. */
+-# define CFI_STARTPROC() .cfi_startproc
++# define CFI_STARTPROC() .cfi_startproc; ENDBRANCH
+ # define CFI_ENDPROC() .cfi_endproc
+ # define CFI_REMEMBER_STATE() .cfi_remember_state
+ # define CFI_RESTORE_STATE() .cfi_restore_state
+@@ -146,7 +152,7 @@
+ DW_SLEB128_28BIT(rsp_offs)
+
+ #else
+-# define CFI_STARTPROC()
++# define CFI_STARTPROC() ENDBRANCH
+ # define CFI_ENDPROC()
+ # define CFI_REMEMBER_STATE()
+ # define CFI_RESTORE_STATE()
+@@ -214,4 +220,24 @@
+ vpopcntb xmm16, xmm16; /* Supported only by newer AVX512 CPUs. */ \
+ vpxord ymm16, ymm16, ymm16;
+
++#ifdef __CET__
++/* Generate CET property for all assembly files including this header. */
++ELF(.section .note.gnu.property,"a")
++ELF(.align 8)
++ELF(.long 1f - 0f)
++ELF(.long 4f - 1f)
++ELF(.long 5)
++ELF(0:)
++ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
++ELF(1:)
++ELF(.align 8)
++ELF(.long 0xc0000002)
++ELF(.long 3f - 2f)
++ELF(2:)
++ELF(.long 0x3)
++ELF(3:)
++ELF(.align 8)
++ELF(4:)
++#endif
++
+ #endif /* GCRY_ASM_COMMON_AMD64_H */
+--
+2.43.0
+
+From e7c81e64b1a81455ce72c54607ce6ab35c24f407 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna
+Date: Fri, 26 Jul 2024 11:09:37 +0300
+Subject: [PATCH 2/2] Add CET support for i386 assembly
+
+* cipher/asm-common-i386.h (ENDBRANCH): New.
+(CFI_STARTPROC): Add ENDBRANCH.
+[__CET__] (note.gnu.property): Add CET property section.
+--
+
+Signed-off-by: Jussi Kivilinna
+---
+ cipher/asm-common-i386.h | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/asm-common-i386.h b/cipher/asm-common-i386.h
+index d746ebc4..346a8ff2 100644
+--- a/cipher/asm-common-i386.h
++++ b/cipher/asm-common-i386.h
+@@ -59,9 +59,15 @@
+ movl name##@GOT(%reg), %reg;
+ #endif
+
++#ifdef __CET__
++#define ENDBRANCH endbr32
++#else
++#define ENDBRANCH /*_*/
++#endif
++
+ #ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
+ /* CFI directives to emit DWARF stack unwinding information. */
+-# define CFI_STARTPROC() .cfi_startproc
++# define CFI_STARTPROC() .cfi_startproc; ENDBRANCH
+ # define CFI_ENDPROC() .cfi_endproc
+ # define CFI_REMEMBER_STATE() .cfi_remember_state
+ # define CFI_RESTORE_STATE() .cfi_restore_state
+@@ -121,7 +127,7 @@
+ DW_SLEB128_28BIT(esp_offs)
+
+ #else
+-# define CFI_STARTPROC()
++# define CFI_STARTPROC() ENDBRANCH
+ # define CFI_ENDPROC()
+ # define CFI_REMEMBER_STATE()
+ # define CFI_RESTORE_STATE()
+@@ -158,4 +164,24 @@
+ vpopcntb xmm7, xmm7; /* Supported only by newer AVX512 CPUs. */ \
+ vpxord ymm7, ymm7, ymm7;
+
++#ifdef __CET__
++/* Generate CET property for all assembly files including this header. */
++ELF(.section .note.gnu.property,"a")
++ELF(.align 4)
++ELF(.long 1f - 0f)
++ELF(.long 4f - 1f)
++ELF(.long 5)
++ELF(0:)
++ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
++ELF(1:)
++ELF(.align 4)
++ELF(.long 0xc0000002)
++ELF(.long 3f - 2f)
++ELF(2:)
++ELF(.long 0x3)
++ELF(3:)
++ELF(.align 4)
++ELF(4:)
++#endif
++
+ #endif /* GCRY_ASM_COMMON_AMD64_H */
+--
+2.43.0
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 8710f9b..64c9917 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
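Review bot: The `.note.gnu.property` block added at the end of cipher/asm-common-amd64.h (and repeated in cipher/asm-common-i386.h) hard-codes the feature word as `ELF(.long 0x3)`, so every object including the header is marked both IBT- and SHSTK-compatible whenever `__CET__` is defined, regardless of which `-fcf-protection` level was requested. Deriving the bits from the compiler macro, `ELF(.long (__CET__ & 3))`, would keep the note in step with the build flags. The IBT claim is also wider than what the patch visibly guarantees: `ENDBRANCH` is emitted only through `CFI_STARTPROC()`, so any indirect-branch target in the assembly sources that does not use that macro would fault under IBT enforcement (the .S files are not part of this diff, so this is unverified). A comment above the note stating that requirement would help, and running `readelf -n` on the built library confirms the property survived linking, since one object without the note clears it for the whole DSO.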
@@ -26,6 +26,8 @@ Patch1: libgcrypt-1.10.1-annobin.patch Patch2: libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch # https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/20 Patch3: libgcrypt-1.11.0-covscan.patch +# https://dev.gnupg.org/T7220 +Patch4: libgcrypt-1.11.0-cf-protection.patch %global gcrylibdir %{_libdir} %global gcrysoname libgcrypt.so.20 @@ -62,6 +64,7 @@ applications using libgcrypt. %patch 1 -p1 %patch 2 -p1 %patch 3 -p1 +%patch 4 -p1 %build # should be all algorithms except SM3 and SM4, aria