From b117db4efaff1b1b4685558189959da468859985 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 28 Apr 2021 19:30:53 +0200
Subject: [PATCH] Restore the CET protection
Resolves: rhbz#1954422
---
 libgcrypt-1.8.5-intel-cet.patch | 34 ++++++++++++++++++++++++++++++++++
 libgcrypt.spec | 8 +++++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 libgcrypt-1.8.5-intel-cet.patch
diff --git a/libgcrypt-1.8.5-intel-cet.patch b/libgcrypt-1.8.5-intel-cet.patch
new file mode 100644
index 0000000..a19d2f1
--- /dev/null
+++ b/libgcrypt-1.8.5-intel-cet.patch
@@ -0,0 +1,34 @@
+From b04c0a86b19856071c29d2a6285f3240c606ee7a Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Tue, 27 Apr 2021 09:08:41 -0700
+Subject: [PATCH] Always include in cipher assembly codes
+
+* cipher/poly1305-s390x.S: Always include .
+
+When Intel CET is enabled, we need to include in assembly codes
+to mark Intel CET support even if it is empty. We should always include
+ in cipher assembly codes so that they will be marked for
+Intel CET support when compiling for x86-64 and i686.
+
+Signed-off-by: H.J. Lu
+---
+ cipher/poly1305-s390x.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cipher/poly1305-s390x.S b/cipher/poly1305-s390x.S
+index 844245f6..28bed560 100644
+--- a/cipher/poly1305-s390x.S
++++ b/cipher/poly1305-s390x.S
+@@ -18,8 +18,8 @@
+ * License along with this program; if not, see .
+ */
+
+-#if defined (__s390x__) && __GNUC__ >= 4 && __ARCH__ >= 9
+ #include
++#if defined (__s390x__) && __GNUC__ >= 4 && __ARCH__ >= 9
+ #if defined(HAVE_GCC_INLINE_ASM_S390X)
+
+ #include "asm-poly1305-s390x.h"
+--
+GitLab
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 730a7db..d1b9ec8 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.9.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: https://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.xz
 # The original libgcrypt sources now contain potentially patented ECC
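Review bot: Only cipher/poly1305-s390x.S is touched by the embedded patch, although its own description states the rule for all cipher assembly files, and nothing on this page shows that the other architecture-guarded .S files were checked. The linker keeps the IBT/SHSTK property on the shared object only when every input object carries the note, so one remaining file whose `#include` sits inside its `#if defined (...)` guard would presumably clear CET for the whole library again. The patch description should say that the remaining files under cipher/ were audited, or name the ones that already include the header unconditionally. The source file continues past the hunk, so the closing `#endif` lines are not visible here.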
@@ -44,6 +44,8 @@ Patch24: libgcrypt-1.8.5-getrandom.patch
 Patch26: libgcrypt-1.8.3-fips-enttest.patch
 # Disable non-approved FIPS hashes in the enforced FIPS mode
 Patch27: libgcrypt-1.8.3-md-fips-enforce.patch
+# Missing Intel CET support in the library (#1954049)
+Patch28: libgcrypt-1.8.5-intel-cet.patch
 # FIPS module is redefined a little bit (implicit by kernel FIPS mode)
 Patch30: libgcrypt-1.8.5-fips-module.patch
@@ -93,6 +95,7 @@ applications using libgcrypt.
 %patch24 -p1 -b .getrandom
 %patch26 -p1 -b .fips-enttest
 %patch27 -p1 -b .fips-enforce
+%patch28 -p1 -b .intel-cet
 %patch30 -p1 -b .fips-module
 cp %{SOURCE4} cipher/
@@ -203,6 +206,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf
 %license COPYING
 %changelog
+* Wed Apr 28 2021 Jakub Jelen - 1.9.3-2
+- Restore the CET protection (#1954049)
+
 * Tue Apr 20 2021 Jakub Jelen - 1.9.3-1
 - New upstream release (#1951325)
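Review bot: The comment above Patch28 cites #1954049 while the commit message resolves rhbz#1954422, and it does not record where the patch comes from. If the two bugs are clones of each other, naming both avoids confusion when the patch is reviewed for removal on the next rebase. The embedded patch header shows upstream commit b04c0a86b19856071c29d2a6285f3240c606ee7a, so the comment could read `# Upstream b04c0a86: keep the CET note on the empty s390x object (#1954049, rhbz#1954422)`.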
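Review bot: The `%patch28` line in %prep is not paired with any check that the built library actually carries the CET marking, so the regression this commit restores from could come back unnoticed. If the spec has a %check section (not visible in these hunks), a guard limited to x86 builds such as `readelf -n <path to built libgcrypt.so> | grep -q 'IBT, SHSTK'` would fail the build as soon as one object loses the note. The `<path …>` part is a placeholder, since the real location depends on the build layout.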