

2.8 How to disable hardware features

Libgcrypt makes use of certain hardware features. If the use of a feature is not desired, it may be disabled either by a program or globally using a configuration file. The currently supported features are:

padlock-rng
padlock-aes
padlock-sha
padlock-mmul
intel-cpu
intel-fast-shld
intel-bmi2
intel-ssse3
intel-sse4.1
intel-pclmul
intel-aesni
intel-rdrand
intel-avx
intel-avx2
intel-fast-vpgather
intel-rdtsc
intel-shaext
intel-vaes-vpclmul
arm-neon
arm-aes
arm-sha1
arm-sha2
arm-pmull
ppc-vcrypto
ppc-arch_3_00
ppc-arch_2_07
ppc-arch_3_10
s390x-msa
s390x-msa-4
s390x-msa-8
s390x-msa-9
s390x-vx

To disable a feature for all processes using Libgcrypt 1.6 or newer, create the file /etc/gcrypt/hwf.deny and put each feature not to be used on a single line. Empty lines, white space, and lines prefixed with a hash mark are ignored. The file should be world readable.
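A small linter for the deny file, as an added example that is not part of the Libgcrypt manual or source: it applies the rules stated above (trim white space, skip empty and hash-prefixed lines), reports names that are not on this page's feature list, and checks that the file is world readable. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a hwf.deny file with the rules stated on this page.
# KNOWN_HWF is copied from the feature list above; the Libgcrypt build on a
# given host may know fewer or more names (assumption: this list applies).
KNOWN_HWF="padlock-rng padlock-aes padlock-sha padlock-mmul intel-cpu \
intel-fast-shld intel-bmi2 intel-ssse3 intel-sse4.1 intel-pclmul intel-aesni \
intel-rdrand intel-avx intel-avx2 intel-fast-vpgather intel-rdtsc intel-shaext \
intel-vaes-vpclmul arm-neon arm-aes arm-sha1 arm-sha2 arm-pmull ppc-vcrypto \
ppc-arch_3_00 ppc-arch_2_07 ppc-arch_3_10 s390x-msa s390x-msa-4 s390x-msa-8 \
s390x-msa-9 s390x-vx"

# Print "LINENO NAME" for each effective entry: white space is trimmed,
# empty lines and lines starting with a hash mark are skipped.
hwf_deny_entries() {
  awk '{ sub(/^[ \t\r]+/, ""); sub(/[ \t\r]+$/, "") }
       $0 != "" && $0 !~ /^#/ { print NR, $0 }' "$1"
}

# Report entries that are not exactly one known feature name (typos, two
# names on one line). Exit status is 1 if any entry was reported.
hwf_deny_unknown() {
  hwf_deny_entries "$1" | awk -v known="$KNOWN_HWF" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    { lnr = $1; sub(/^[0-9]+ /, "")
      if (!($0 in ok)) {
        printf "line %d: unknown feature \"%s\"\n", lnr, $0; bad = 1 } }
    END { exit bad }'
}

# Succeed only if "other" has read permission on the file.
hwf_deny_world_readable() {
  [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Constructed sample file (not taken from a real system).
sample=$(mktemp)
printf '%s\n' '# disabled by local policy' '' '  intel-rdrand  ' \
  'intel-aesin' 'intel-avx intel-avx2' > "$sample"
hwf_deny_unknown "$sample" || echo "hwf.deny has entries not on the feature list"
hwf_deny_world_readable "$sample" || echo "hwf.deny is not world readable"
```

On a real system, call the functions with /etc/gcrypt/hwf.deny instead of the sample file.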

To disable a feature specifically for a program, that program must tell Libgcrypt before calling gcry_check_version. Example: (2)

  gcry_control (GCRYCTL_DISABLE_HWF, "intel-rdrand", NULL);

To print the list of active features you may use this command:

  mpicalc --print-config | grep ^hwflist: | tr : '\n' | tail -n +2

Footnotes

(2)

NB. Libgcrypt uses the RDRAND feature only as one source of entropy. A CPU with a broken RDRAND will thus not compromise the random number generator.