This issue is public, so removing restrict label. Set severity to low, since it requires access to perform the side-channel work. Please adjust if I've missed some path that makes this worse.

1.7.8 is in gentoo, so we can probably just upgrade to address this.

Seems potentially feasible to run the side-channel attack from NaCl.

(Whether any part of Chrome OS actually does the relevant operations using gcrypt rather than some other library is another question.)

we disable libgcrypt in most packages.  a cursory check suggests crda (for verification?) & samba (for kerberos auth) are the only ones currently using it.

I've taken a quick look: libgcrypt-1.7.8 depends on >=libgpg-error-1.13. The latter fails to build (even the most recent 1.27-r1 from gentoo) due to its inability to deal with our x86_64-cros-linux-gnu CHOST.

Furthermore, the libgcrypt configure script checks for the libgpg-error version installed in the system, but fails to do so correctly for cross compilation (i.e. invokes the SDK's /usr/bin/gpg-error-config).

Finally, there seems to be some issue with the libgcrypt build not selecting the correct asm implementations for crypto algorithms, leading to link errors.

After hacking around all these, I got a successful x86_64 build at least. Here's the hacked up version of the ebuilds for reference: https://chromium-review.googlesource.com/575134

There's definitely work to be done to fix up the packages to build properly.

I'm going to throw this over the wall to the chromad team who owns samba on Chrome OS. Folks, can you sort out the upgrade soonish?

Sure, I'll take a look after M61 branch.

Re - libgpg-error-1.27-r1 not compiling due to cros CHOST:
I've modified Mattias' hack to make it compile on amd64, x86 and arm. mkheader.c has a hardcoded map for CHOST where we could add cros, but that seems ugly since having everything in the ebuild is easier to read. I'm not sure what the right solution is here.

Re - libgcrypt using /usr/bin/gpg-error-config instead of /build/${BOARD}/usr/bin/gpg-error-config:
I've added
  export GPG_ERROR_CONFIG="${EROOT}/usr/bin/gpg-error-config"
and verified that does the right thing.

Re - libgcrypt not selecting the correct asm implementations:
I've played around with the ebuild and made it compile on all 3 platforms without disabling asm. Not sure what exactly is going on, though. I believe mpi/config.links picks the asm based on platform.

Hey Mike, mind to take a look at the CL? Is this an acceptable solution?

https://chromium-review.googlesource.com/575134

@ljusten, any plans to submit the CL mentioned in #C12?

ljusten@, are you still intending to submit the CL to fix this? 

Mike, could you take a look at the CL, please? Looks like I've linked the wrong one in #12.

https://chromium-review.googlesource.com/c/chromiumos/overlays/portage-stable/+/594728

vapier@ can you please comment on #18?