On Mon, Feb 01, 2021 at 02:38:52PM +0100, Peter Krempa wrote:
> Most callers are way better off using memset directly; additionally, a few
> places didn't even use it to clear sensitive data in the first place,
> since the name probably sounded like the right thing to use.

Although virDispose did indeed use memset(), I don't think we should be replacing it with use of memset(). This is well known to be subject to compiler optimization eliminating the call entirely. We shouldn't have used it in virDispose in the first place; instead we need to call the platform specific "safe" method for erasing data. Instead we ought to have been using explicit_bzero or memset_s(), or memset_explicitly, or $whatever.

At least with virDispose we would only have one place to fix this problem, but with this series eliminating it, the callers that need the secure erase are no longer distinct/visible from general memset usage.

I think we ought to have a 'virSecureErase' function, that we can back with the appropriate platform specific call.

If you don't want to get so deeply involved in that, I'd be fine if this series took a minimalist approach and only introduced

  #define virSecureErase(ptr, len) memset(ptr, 0, len)

and then used virSecureErase instead of memset(). That would at least make sure we're no worse than today and callers remain easily identifiable. Actually checking for the platform specific secure erase functions and wiring them up could be a separate patch series at a later time.

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
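A sketch of the virSecureErase() helper proposed in the message above, backed by a platform-specific call when the build system detects one and by a portable fallback otherwise. This is an added example, not libvirt's code: the function name comes from the e-mail, while the HAVE_EXPLICIT_BZERO / HAVE_MEMSET_S configure macros, vir_memset_ptr, count_nonzero and use_secret_then_erase are assumptions made for the illustration. The fallback avoids the dead-store elimination the message warns about by calling memset through a volatile function pointer, so the compiler cannot prove what is being called and cannot drop the stores to a buffer that is about to go out of scope.

```c
/*
 * Added example of a virSecureErase() helper; not libvirt's own code.
 * Assumption: the build system defines HAVE_EXPLICIT_BZERO or
 * HAVE_MEMSET_S when it detects those functions. With neither defined
 * the portable fallback below is used, so this file compiles anywhere.
 */
#if defined(HAVE_MEMSET_S)
# define __STDC_WANT_LIB_EXT1__ 1   /* must precede <string.h> for memset_s */
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Portable fallback (assumed name): a call through a const volatile
 * function pointer cannot be resolved at compile time, so the optimizer
 * cannot treat the zeroing as a dead store and remove it, which is the
 * failure mode of a plain memset() on a dying stack buffer.
 */
static void *(*const volatile vir_memset_ptr)(void *, int, size_t) = memset;

void
virSecureErase(void *ptr, size_t len)
{
    if (!ptr || len == 0)
        return;
#if defined(HAVE_EXPLICIT_BZERO)
    explicit_bzero(ptr, len);          /* glibc >= 2.25, *BSD */
#elif defined(HAVE_MEMSET_S)
    memset_s(ptr, len, 0, len);        /* C11 Annex K */
#else
    vir_memset_ptr(ptr, 0, len);
# if defined(__GNUC__)
    /* Tell the optimizer the memory was touched so the stores stay. */
    __asm__ __volatile__("" : : "r"(ptr) : "memory");
# endif
#endif
}

/* Count bytes that are still non-zero; reads through volatile so the
 * check itself cannot be folded away. Assumed helper for the demo. */
size_t
count_nonzero(const void *p, size_t len)
{
    const volatile unsigned char *b = p;
    size_t i, count = 0;

    for (i = 0; i < len; i++) {
        if (b[i] != 0)
            count++;
    }
    return count;
}

/*
 * Assumed caller: copies a secret into a stack buffer, "uses" it, erases
 * it, and reports how many non-zero bytes survive the erase. Returns -1
 * if the secret does not fit, 0 otherwise.
 */
int
use_secret_then_erase(const char *secret, size_t *nonzero_after)
{
    char buf[64];
    size_t n = strlen(secret);

    if (n >= sizeof(buf))
        return -1;
    memcpy(buf, secret, n + 1);
    /* ... the secret would be used here ... */
    virSecureErase(buf, sizeof(buf));
    *nonzero_after = count_nonzero(buf, sizeof(buf));
    return 0;
}

int
main(void)
{
    size_t left = 0;

    if (use_secret_then_erase("hunter2", &left) == 0)
        printf("non-zero bytes left after virSecureErase: %zu\n", left);
    return 0;
}
```

Callers then become visible with a grep for virSecureErase, which is the point of the message: the minimalist `#define virSecureErase(ptr, len) memset(ptr, 0, len)` keeps that visibility but still inherits memset's dead-store problem, whereas the version above can be swapped to the platform call by a configure check without touching any caller.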