libgcrypt: fix CVE-2019-12904

In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-12904 Patches from: https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705 https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 (From OE-Core rev: 757f2d50d7cd194e5f734a24e68d8f0da98b38f8) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 37e390ff05b6a4509019db358ed496731d80cc51) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2019-10-15 15:42:12 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-29 09:08:18 +0000
commit: 149ad2c3e23dee4b36c60dff2b5aee6aee6a892c (patch)
tree: 081bcabde2bb7bfbf49afaa2850d8f0f8513ed87 /meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch
parent: 6b86b7fd577fca9a7705d5a8dafaab6551225d5b (diff)
download: poky-149ad2c3e23dee4b36c60dff2b5aee6aee6a892c.tar.gz
1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch
new file mode 100644
index 0000000000..4df96f0011
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch
@@ -0,0 +1,90 @@
+From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Sat, 27 Apr 2019 19:33:28 +0300
+Subject: [PATCH 1/3] Prefetch GCM look-up tables
+* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables)
+(prefetch_tables): New.
+(ghash_internal): Call prefetch_tables.
+--
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Upstream-Status: Backport
+[https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705]
+CVE: CVE-2019-12904
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ cipher/cipher-gcm.c | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c
+index c19f09f..11f119a 100644
+--- a/cipher/cipher-gcm.c
+++ b/cipher/cipher-gcm.c
+@@ -118,6 +118,34 @@ static const u16 gcmR[256] = {
+   0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
+ };
+ 
+static inline
+void prefetch_table(const void *tab, size_t len)
+{
+  const volatile byte *vtab = tab;
+  size_t i;
+
+  for (i = 0; i < len; i += 8 * 32)
+    {
+      (void)vtab[i + 0 * 32];
+      (void)vtab[i + 1 * 32];
+      (void)vtab[i + 2 * 32];
+      (void)vtab[i + 3 * 32];
+      (void)vtab[i + 4 * 32];
+      (void)vtab[i + 5 * 32];
+      (void)vtab[i + 6 * 32];
+      (void)vtab[i + 7 * 32];
+    }
+
+  (void)vtab[len - 1];
+}
+
+static inline void
+do_prefetch_tables (const void *gcmM, size_t gcmM_size)
+{
+  prefetch_table(gcmM, gcmM_size);
+  prefetch_table(gcmR, sizeof(gcmR));
+}
+
+ #ifdef GCM_TABLES_USE_U64
+ static void
+ bshift (u64 * b0, u64 * b1)
+@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM)
+ #define fillM(c) \
+   do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table)
+ #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table)
+#define prefetch_tables(c) \
+  do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table))
+ 
+ #else
+ 
+@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf)
+ 
+ #define fillM(c) do { } while (0)
+ #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf)
+#define prefetch_tables(c) do {} while (0)
+ 
+ #endif /* !GCM_USE_TABLES */
+ 
+@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf,
+   const unsigned int blocksize = GCRY_GCM_BLOCK_LEN;
+   unsigned int burn = 0;
+ 
+  prefetch_tables (c);
+
+   while (nblocks)
+     {
+       burn = GHASH (c, result, buf);
+-- 
+2.7.4
author	Yi Zhao <yi.zhao@windriver.com>	2019-10-15 15:42:12 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-29 09:08:18 +0000
commit	149ad2c3e23dee4b36c60dff2b5aee6aee6a892c (patch)
tree	081bcabde2bb7bfbf49afaa2850d8f0f8513ed87 /meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch
parent	6b86b7fd577fca9a7705d5a8dafaab6551225d5b (diff)
download	poky-149ad2c3e23dee4b36c60dff2b5aee6aee6a892c.tar.gz

diff --git a/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch new file mode 100644 index 0000000000..4df96f0011 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch
@@ -0,0 +1,90 @@
	1	From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001
	2	From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
	3	Date: Sat, 27 Apr 2019 19:33:28 +0300
	4	Subject: [PATCH 1/3] Prefetch GCM look-up tables
	5
	6	* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables)
	7	(prefetch_tables): New.
	8	(ghash_internal): Call prefetch_tables.
	9	--
	10
	11	Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
	12
	13	Upstream-Status: Backport
	14	[https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705]
	15
	16	CVE: CVE-2019-12904
	17
	18	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	19	---
	20	cipher/cipher-gcm.c \| 33 +++++++++++++++++++++++++++++++++
	21	1 file changed, 33 insertions(+)
	22
	23	diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c
	24	index c19f09f..11f119a 100644
	25	--- a/cipher/cipher-gcm.c
	26	+++ b/cipher/cipher-gcm.c
	27	@@ -118,6 +118,34 @@ static const u16 gcmR[256] = {
	28	0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
	29	};
	30
	31	+static inline
	32	+void prefetch_table(const void *tab, size_t len)
	33	+{
	34	+ const volatile byte *vtab = tab;
	35	+ size_t i;
	36	+
	37	+ for (i = 0; i < len; i += 8 * 32)
	38	+ {
	39	+ (void)vtab[i + 0 * 32];
	40	+ (void)vtab[i + 1 * 32];
	41	+ (void)vtab[i + 2 * 32];
	42	+ (void)vtab[i + 3 * 32];
	43	+ (void)vtab[i + 4 * 32];
	44	+ (void)vtab[i + 5 * 32];
	45	+ (void)vtab[i + 6 * 32];
	46	+ (void)vtab[i + 7 * 32];
	47	+ }
	48	+
	49	+ (void)vtab[len - 1];
	50	+}
	51	+
	52	+static inline void
	53	+do_prefetch_tables (const void *gcmM, size_t gcmM_size)
	54	+{
	55	+ prefetch_table(gcmM, gcmM_size);
	56	+ prefetch_table(gcmR, sizeof(gcmR));
	57	+}
	58	+
	59	#ifdef GCM_TABLES_USE_U64
	60	static void
	61	bshift (u64 * b0, u64 * b1)
	62	@@ -365,6 +393,8 @@ do_ghash (unsigned char result, const unsigned char buf, const u32 *gcmM)
	63	#define fillM(c) \
	64	do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table)
	65	#define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table)
	66	+#define prefetch_tables(c) \
	67	+ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table))
	68
	69	#else
	70
	71	@@ -430,6 +460,7 @@ do_ghash (unsigned char hsub, unsigned char result, const unsigned char *buf)
	72
	73	#define fillM(c) do { } while (0)
	74	#define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf)
	75	+#define prefetch_tables(c) do {} while (0)
	76
	77	#endif /* !GCM_USE_TABLES */
	78
	79	@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte result, const byte buf,
	80	const unsigned int blocksize = GCRY_GCM_BLOCK_LEN;
	81	unsigned int burn = 0;
	82
	83	+ prefetch_tables (c);
	84	+
	85	while (nblocks)
	86	{
	87	burn = GHASH (c, result, buf);
	88	--
	89	2.7.4
	90