Date: Sun, 10 Feb 2008 21:47:38 +0100
From: Robert Millan
To: The development of GRUB 2 <grub-devel@gnu.org>
Subject: [PATCH] erase variable data on user unset
Message-ID: <20080210204738.GA4916@thorin>
In-Reply-To: <47AF57DF.1000306@isaac.cedarswampstudios.org>

On Sun, Feb 10, 2008 at 03:00:31PM -0500, Isaac Dupree wrote:
> Robert Millan wrote:
> >On Sun, Feb 10, 2008 at 01:00:50PM -0500, Isaac Dupree wrote:
> >>anyway if a hash is used that takes (by design) around one second on the
> >>machine (e.g. sha256 repeated thousands? millions? of times), then I
> >>suppose the time taken to erase the memory used by GRUB would be trivial
> >>in comparison, assuming (rightly or wrongly) a good implementation...
> >
> >The problem is not time, it's just to find the right way to do it.
>
> yeah.
> probably involves thinking about GRUB's allocation and
> deallocation mechanisms, which I don't know anything about and don't
> have time to investigate :-/

This should address your concern.

As to why I propose to put this in unset command rather than kernel, since
GRUB itself doesn't have any mechanisms where a variable would contain
sensible information, I think it's better to protect user variables only.

-- 
Robert Millan

I know my rights; I want my phone call!
What use is a phone call… if you are unable to speak? (as seen on /.)

Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="unset.diff"

2008-02-10  Robert Millan

	* normal/command.c (unset_command): Erase the contents of the variable
	we're about to unset, before actually unsetting it.

diff -x configure -x config.h.in -x CVS -x '*~' -x '*.mk' -urp ../grub2/normal/command.c ./normal/command.c --- ../grub2/normal/command.c 2007-07-22 01:32:29.000000000 +0200 +++ ./normal/command.c 2008-02-10 21:42:44.000000000 +0100 @@ -274,10 +274,19 @@ static grub_err_t unset_command (struct grub_arg_list *state __attribute__ ((unused)), int argc, char **args) { + char *value; + if (argc < 1) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no environment variable specified"); + value = grub_env_get (args[0]); + + /* Users may store sensitive information in their variables (e.g. passwords), so erase its content here when they choose to unset them. */ + if (value) + grub_memset (value, 0, grub_strlen (value)); + grub_env_unset (args[0]); return 0; }
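Review bot: the grub_memset in the unset_command hunk scrubs only the buffer that grub_env_get returns, so the erase is complete only if that pointer is the environment's own stored string and not a copy or the output of a read hook; the comment above `if (value)` should state that assumption, or the call should be checked against what grub_env_get actually returns before the patch relies on it. Nothing in this hunk covers the other way a value is discarded, namely a later `set` of the same variable replacing the old value through a path this patch does not touch, so either the ChangeLog entry should say that only an explicit unset is covered, or the zeroing belongs next to the free in the kernel's env code where both paths meet.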