From: uazo <uazo@users.noreply.github.com>
Date: Fri, 24 Mar 2023 07:50:59 +0000
Subject: Warning message for unsupported hardware aes

In boringssl the lack of support for native aes instructions in the cpu
leads to a change in the order of the encryption methods in the
tls1.3 stack and thus to an additional fingerprint bit.
The use of software aes is discouraged due to possible side channel
attacks, so it is better to warn the user of the presence of an
unsupported device.
you can remove the message by going to chrome://flags/#no-hw-aes-warning
---
 base/base_switches.cc                                  |  2 ++
 base/base_switches.h                                   |  1 +
 chrome/BUILD.gn                                        |  3 +++
 chrome/app/chrome_main_delegate.cc                     | 10 ++++++++++
 chrome/app/generated_resources.grd                     |  4 ++++
 chrome/browser/about_flags.cc                          |  4 ++++
 chrome/browser/flag_descriptions.cc                    |  4 ++++
 chrome/browser/flag_descriptions.h                     |  3 +++
 chrome/browser/ui/startup/bad_flags_prompt.cc          |  9 +++++++++
 .../browser/renderer_host/render_process_host_impl.cc  |  1 +
 content/public/common/content_features.cc              |  5 +++++
 content/public/common/content_features.h               |  1 +
 12 files changed, 47 insertions(+)

diff --git a/base/base_switches.cc b/base/base_switches.cc
--- a/base/base_switches.cc
+++ b/base/base_switches.cc
@@ -189,6 +189,8 @@ extern const char kEnableCrashpad[] = "enable-crashpad";
 
 const char kDesktopModeViewportMetaEnabled[] = "dm-viewport-meta-enabled";
 
+const char kNoAESHardware[] = "no-aes-hardware";
+
 #if BUILDFLAG(IS_CHROMEOS)
 // Override the default scheduling boosting value for urgent tasks.
 // This can be adjusted if a specific chromeos device shows better perf/power
diff --git a/base/base_switches.h b/base/base_switches.h
--- a/base/base_switches.h
+++ b/base/base_switches.h
@@ -34,6 +34,7 @@ extern const char kTraceToFileName[];
 extern const char kV[];
 extern const char kVModule[];
 extern const char kWaitForDebugger[];
+extern const char kNoAESHardware[];
 
 #if BUILDFLAG(IS_WIN)
 extern const char kDisableHighResTimer[];
diff --git a/chrome/BUILD.gn b/chrome/BUILD.gn
--- a/chrome/BUILD.gn
+++ b/chrome/BUILD.gn
@@ -447,6 +447,7 @@ if (is_win) {
       "//components/policy:generated",
       "//content/public/app",
       "//crypto",
+      "//third_party/boringssl",
       "//headless:headless_non_renderer",
       "//headless:headless_shell_browser_lib",
       "//net:net_resources",
@@ -1705,6 +1706,8 @@ if (is_android) {
       "//chrome/common/profiler",
       "//chrome/gpu",
       "//chrome/renderer",
+      "//crypto",
+      "//third_party/boringssl",
       "//components/minidump_uploader",
       "//components/safe_browsing:buildflags",
       "//components/safe_browsing/android:safe_browsing_api_handler",
diff --git a/chrome/app/chrome_main_delegate.cc b/chrome/app/chrome_main_delegate.cc
--- a/chrome/app/chrome_main_delegate.cc
+++ b/chrome/app/chrome_main_delegate.cc
@@ -105,6 +105,9 @@
 #include "ui/base/resource/resource_bundle.h"
 #include "ui/base/resource/scoped_startup_resource_bundle.h"
 #include "ui/base/ui_base_switches.h"
+#include "base/base_switches.h"
+#include "crypto/openssl_util.h"
+#include "third_party/boringssl/src/include/openssl/ssl.h"
 
 #if BUILDFLAG(IS_WIN)
 #include <malloc.h>
@@ -1133,6 +1136,13 @@ absl::optional<int> ChromeMainDelegate::BasicStartupComplete() {
     return chrome::RESULT_CODE_INVALID_SANDBOX_STATE;
 #endif
 
+if (!command_line.HasSwitch(switches::kProcessType)) {
+  crypto::EnsureOpenSSLInit();
+  if (EVP_has_aes_hardware() == 0) {
+    base::CommandLine::ForCurrentProcess()->AppendSwitch(switches::kNoAESHardware);
+  }
+}
+
 #if BUILDFLAG(IS_MAC)
   // Give the browser process a longer treadmill, since crashes
   // there have more impact.
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -7051,6 +7051,10 @@ Keep your key file in a safe place. You will need it to create new versions of y
         You are using an unsupported feature flag: <ph name="BAD_FLAG">$1<ex>SignedHTTPExchange</ex></ph>. Stability and security will suffer.
       </message>
 
+      <message name="IDS_UNSUPPORTED_AES_HARDWARE" desc="Message shown when an unsupported hardware">
+        Your device does not support hardware aes, so it is easier to track you at the network level.
+      </message>
+
       <!-- Bad Environment Variables Infobar-->
       <message name="IDS_BAD_ENVIRONMENT_VARIABLES_WARNING_MESSAGE" desc="Message shown when an unsupported environment variable is used [Keep it short so it fits in the infobar.]">
         You are using an unsupported environment variable: <ph name="BAD_VAR">$1<ex>SSLKEYLOGFILE</ex></ph>. Stability and security will suffer.
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -8412,6 +8412,10 @@ const FeatureEntry kFeatureEntries[] = {
      flag_descriptions::kViewportSegmentsDescription, kOsAll,
      FEATURE_VALUE_TYPE(features::kViewportSegments)},
 
+    {"no-hw-aes-warning", flag_descriptions::kNoAESHardwareMessageName,
+     flag_descriptions::kNoAESHardwareMessageDescription, kOsDesktop | kOsAndroid,
+     FEATURE_VALUE_TYPE(features::kNoAESHardwareMessage)},
+
 #if BUILDFLAG(IS_CHROMEOS_ASH)
     {"device-force-scheduled-reboot",
      flag_descriptions::kDeviceForceScheduledRebootName,
diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
--- a/chrome/browser/flag_descriptions.cc
+++ b/chrome/browser/flag_descriptions.cc
@@ -897,6 +897,10 @@ const char kViewportSegmentsDescription[] =
     "Enable the viewport segment API, giving information about the logical "
     "segments of the device (dual screen and foldable devices)";
 
+const char kNoAESHardwareMessageName[] = "Enable no aes warning message";
+const char kNoAESHardwareMessageDescription[] =
+    "Displays a warning message if the device does not have aes support in the hardware";
+
 const char kDiscountConsentV2Name[] = "Discount Consent V2";
 const char kDiscountConsentV2Description[] = "Enables Discount Consent V2";
 
diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
--- a/chrome/browser/flag_descriptions.h
+++ b/chrome/browser/flag_descriptions.h
@@ -644,6 +644,9 @@ extern const char kDeviceForceScheduledRebootDescription[];
 extern const char kDevicePostureName[];
 extern const char kDevicePostureDescription[];
 
+extern const char kNoAESHardwareMessageName[];
+extern const char kNoAESHardwareMessageDescription[];
+
 extern const char kEnableTLS13EarlyDataName[];
 extern const char kEnableTLS13EarlyDataDescription[];
 
diff --git a/chrome/browser/ui/startup/bad_flags_prompt.cc b/chrome/browser/ui/startup/bad_flags_prompt.cc
--- a/chrome/browser/ui/startup/bad_flags_prompt.cc
+++ b/chrome/browser/ui/startup/bad_flags_prompt.cc
@@ -239,6 +239,15 @@ void ShowBadFlagsPrompt(content::WebContents* web_contents) {
       return;
     }
   }
+
+  if (base::FeatureList::IsEnabled(features::kNoAESHardwareMessage) &&
+        base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kNoAESHardware)) {
+    CreateSimpleAlertInfoBar(
+        infobars::ContentInfoBarManager::FromWebContents(web_contents),
+        infobars::InfoBarDelegate::BAD_FLAGS_INFOBAR_DELEGATE, nullptr,
+        l10n_util::GetStringUTF16(IDS_UNSUPPORTED_AES_HARDWARE),
+        /*auto_expire=*/false, /*should_animate=*/false);
+  }
 }
 
 void ShowBadFlagsInfoBar(content::WebContents* web_contents,
diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -3489,6 +3489,7 @@ void RenderProcessHostImpl::PropagateBrowserCommandLineToRenderer(
     switches::kLacrosUseChromeosProtectedAv1,
 #endif
     switches::kDesktopModeViewportMetaEnabled,
+    switches::kNoAESHardware,
   };
   renderer_cmd->CopySwitchesFrom(browser_cmd, kSwitchNames);
 
diff --git a/content/public/common/content_features.cc b/content/public/common/content_features.cc
--- a/content/public/common/content_features.cc
+++ b/content/public/common/content_features.cc
@@ -600,6 +600,11 @@ BASE_FEATURE(kNoStatePrefetchHoldback,
              "NoStatePrefetchHoldback",
              base::FEATURE_DISABLED_BY_DEFAULT);
 
+// Show a warning message to user if aes hardware is not found
+BASE_FEATURE(kNoAESHardwareMessage,
+             "NoAESHardwareMessage",
+             base::FEATURE_ENABLED_BY_DEFAULT);
+
 // Controls the Origin-Agent-Cluster header. Tracking bug
 // https://crbug.com/1042415; flag removal bug (for when this is fully launched)
 // https://crbug.com/1148057.
diff --git a/content/public/common/content_features.h b/content/public/common/content_features.h
--- a/content/public/common/content_features.h
+++ b/content/public/common/content_features.h
@@ -155,6 +155,7 @@ CONTENT_EXPORT BASE_DECLARE_FEATURE(kNetworkServiceInProcess);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kNotificationContentImage);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kNotificationTriggers);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kNoStatePrefetchHoldback);
+CONTENT_EXPORT BASE_DECLARE_FEATURE(kNoAESHardwareMessage);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kOriginIsolationHeader);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kOverscrollHistoryNavigation);
 CONTENT_EXPORT BASE_DECLARE_FEATURE(kOverscrollHistoryNavigationSetting);
--
2.25.1