Re: [PATCH 5.4 regression fix] x86/boot: Provide memzero_explicit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Oct 07, 2019 at 03:00:51PM +0200, Hans de Goede wrote:
> Hi Stephan,
> 
> On 07-10-2019 11:34, Stephan Mueller wrote:
> > Am Montag, 7. Oktober 2019, 11:06:04 CEST schrieb Hans de Goede:
> > 
> > Hi Hans,
> > 
> >> Hi Stephan,
> >>
> >> On 07-10-2019 10:59, Stephan Mueller wrote:
> >>> Am Montag, 7. Oktober 2019, 10:55:01 CEST schrieb Hans de Goede:
> >>>
> >>> Hi Hans,
> >>>
> >>>> The purgatory code now uses the shared lib/crypto/sha256.c sha256
> >>>> implementation. This needs memzero_explicit, implement this.
> >>>>
> >>>> Reported-by: Arvind Sankar <nivedita@xxxxxxxxxxxx>
> >>>> Fixes: 906a4bb97f5d ("crypto: sha256 - Use get/put_unaligned_be32 to get
> >>>> input, memzero_explicit") Signed-off-by: Hans de Goede
> >>>> <hdegoede@xxxxxxxxxx>
> >>>> ---
> >>>>
> >>>>    arch/x86/boot/compressed/string.c | 5 +++++
> >>>>    1 file changed, 5 insertions(+)
> >>>>
> >>>> diff --git a/arch/x86/boot/compressed/string.c
> >>>> b/arch/x86/boot/compressed/string.c index 81fc1eaa3229..511332e279fe
> >>>> 100644
> >>>> --- a/arch/x86/boot/compressed/string.c
> >>>> +++ b/arch/x86/boot/compressed/string.c
> >>>> @@ -50,6 +50,11 @@ void *memset(void *s, int c, size_t n)
> >>>>
> >>>>    	return s;
> >>>>    
> >>>>    }
> >>>>
> >>>> +void memzero_explicit(void *s, size_t count)
> >>>> +{
> >>>> +	memset(s, 0, count);
> >>>
> >>> May I ask how it is guaranteed that this memset is not optimized out by
> >>> the
> >>> compiler, e.g. for stack variables?
> >>
> >> The function and the caller live in different compile units, so unless
> >> LTO is used this cannot happen.
> > 
> > Agreed in this case.
> > 
> > I would just be worried that this memzero_explicit implementation is assumed
> > to be protected against optimization when used elsewhere since other
> > implementations of memzero_explicit are provided with the goal to be protected
> > against optimizations.
> >>
> >> Also note that the previous purgatory private (vs shared) sha256
> >> implementation had:
> >>
> >>           /* Zeroize sensitive information. */
> >>           memset(sctx, 0, sizeof(*sctx));
> >>
> >> In the place where the new shared 256 code uses memzero_explicit() and the
> >> new shared sha256 code is the only user of the
> >> arch/x86/boot/compressed/string.c memzero_explicit() implementation.
> >>
> >> With that all said I'm open to suggestions for improving this.
> > 
> > What speaks against the common memzero_explicit implementation?
> 
> Nothing, but the purgatory is a standalone binary which runs between
> 2 kernels when doing kexec so it cannot use the function from lib/string.c
> since it is not linked against the lib/string.o object.
> 
> > If you cannot
> > use it, what about adding a barrier in the memzero_explicit implementation? Or
> > what about adding some compiler magic as attached to this email?
> 
> Since the purgatory code is running in a somewhat limited environment,
> with not all standard headers / macros available I was afraid that the
> barrier_data() from the lib/string.c implementation would not work, so
> I left it out. In hindsight I should have really given it a try first as
> it seems to compile fine and there are no missing symbols in
> arch/x86/purgatory/purgatory.ro when using it.
> 
> So I will send out a new version with the barrier_data() added making
> the arch/x86/boot/compressed/string.c implementation identical to the
> lib/string.c one.
> 
> Regards,
> 
> Hans
> 

I think we also need a fix for at least s390 right? That also has sha256
verification and would presumably have the same issue with undefined
memzero_explicit? powerpc does not seem to do sha256 verification
afaict.



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux