2.8 How to disable hardware features

Libgcrypt makes use of certain hardware features. If the use of a feature is not desired, it may be disabled either by a program or globally using a configuration file. The currently supported features are

padlock-rng

padlock-aes

padlock-sha

padlock-mmul

intel-cpu

intel-fast-shld

intel-bmi2

intel-ssse3

intel-sse4.1

intel-pclmul

intel-aesni

intel-rdrand

intel-avx

intel-avx2

intel-fast-vpgather

intel-rdtsc

intel-shaext

intel-vaes-vpclmul

arm-neon

arm-aes

arm-sha1

arm-sha2

arm-pmull

ppc-vcrypto

ppc-arch_3_00

ppc-arch_2_07

ppc-arch_3_10

s390x-msa

s390x-msa-4

s390x-msa-8

s390x-msa-9

s390x-vx

To disable a feature for all processes using Libgcrypt 1.6 or newer, create the file /etc/gcrypt/hwf.deny and put each feature not to be used on a single line. Empty lines, white space, and lines prefixed with a hash mark are ignored. The file should be world readable.

To disable a feature specifically for a program, that program must tell it Libgcrypt before before calling gcry_check_version. Example:²

  gcry_control (GCRYCTL_DISABLE_HWF, "intel-rdrand", NULL);

To print the list of active features you may use this command:

  mpicalc --print-config | grep ^hwflist: | tr : '\n' | tail -n +2