1-block SSE2 variant of poly1305 stores variables s1..s4 containing key material on the stack. This commit adds missing zeroing of the stack memory. Benchmarks show negligible performance hit (tested on i7-3770). Signed-off-by: Tommi Hirvola <tommi@xxxxxxxxxx> --- Similarly, poly1305_blocks() in crypto/poly1305_generic.c stores s1..s4 as well as r0..r4 to local variables which may be stored in the stack by the compiler. Fixing that is less trivial and left for another patch. Tests were run with poly1305_simd_blocks() patched to call only 1-block SSE2 poly1305 function. --- arch/x86/crypto/poly1305-sse2-x86_64.S | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/crypto/poly1305-sse2-x86_64.S b/arch/x86/crypto/poly1305-sse2-x86_64.S index c88c670cb5fc..e6add74d78a5 100644 --- a/arch/x86/crypto/poly1305-sse2-x86_64.S +++ b/arch/x86/crypto/poly1305-sse2-x86_64.S @@ -272,6 +272,10 @@ ENTRY(poly1305_block_sse2) dec %rcx jnz .Ldoblock + # Zeroing of key material + mov %rcx,0x00(%rsp) + mov %rcx,0x08(%rsp) + add $0x10,%rsp pop %r12 pop %rbx -- 2.20.1
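Review bot: The two added stores, `mov %rcx,0x00(%rsp)` and `mov %rcx,0x08(%rsp)`, only zero memory because %rcx is zero on the fall-through from `dec %rcx` / `jnz .Ldoblock`, and nothing in the hunk states that dependency. Extend the comment to say that %rcx is zero at this point and that the 0x10 bytes cleared are the s1..s4 slots released by the following `add $0x10,%rsp`. Otherwise a later change to the loop counter or to the stack frame size could turn this into a store of non-zero data, or leave part of the key material on the stack, without anyone noticing.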