From: Denis Efremov <efremov@linux.com>
To: "Van Leeuwen, Pascal" <pvanleeuwen@rambus.com>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>
Cc: Corentin Labbe <clabbe.montjoie@gmail.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 1/4] crypto: inside-secure - use kfree_sensitive()
Date: Fri, 4 Sep 2020 11:55:26 +0300 [thread overview]
Message-ID: <8ac5cb88-7df5-1060-2fac-510541fca48b@linux.com> (raw)
In-Reply-To: <CY4PR0401MB3652FFD58D9ED14F4805FC99C32F0@CY4PR0401MB3652.namprd04.prod.outlook.com>
Hi,
On 9/2/20 4:10 PM, Van Leeuwen, Pascal wrote:
>> -----Original Message-----
>> From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> On Behalf Of Denis Efremov
>> Sent: Thursday, August 27, 2020 8:44 AM
>> To: linux-crypto@vger.kernel.org
>> Cc: Denis Efremov <efremov@linux.com>; Corentin Labbe <clabbe.montjoie@gmail.com>; Herbert Xu
>> <herbert@gondor.apana.org.au>; linux-kernel@vger.kernel.org
>> Subject: [PATCH v2 1/4] crypto: inside-secure - use kfree_sensitive()
>>
>> <<< External Email >>>
>> Use kfree_sensitive() instead of open-coding it.
>>
>> Signed-off-by: Denis Efremov <efremov@linux.com>
>> ---
>> drivers/crypto/inside-secure/safexcel_hash.c | 3 +--
>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/drivers/crypto/inside-secure/safexcel_hash.c b/drivers/crypto/inside-secure/safexcel_hash.c
>> index 16a467969d8e..5ffdc1cd5847 100644
>> --- a/drivers/crypto/inside-secure/safexcel_hash.c
>> +++ b/drivers/crypto/inside-secure/safexcel_hash.c
>> @@ -1082,8 +1082,7 @@ static int safexcel_hmac_init_pad(struct ahash_request *areq,
>> }
>>
>> /* Avoid leaking */
>> -memzero_explicit(keydup, keylen);
>> -kfree(keydup);
>> +kfree_sensitive(keydup);
>>
> I'm not sure here ... I verified it does not break the driver (not a big surprise), but ...
>
> memzero_explicit guarantees that it will not get optimized away and the keydata _always_
> gets overwritten. Does kfree_sensitive also come with such a guarantee? I could not find a
> hard statement on that in its documentation. Although the "sensitive" part surely suggests
> it.
kfree_sensitive() uses memzero_explicit() internally.
> Additionally, this remark is made in the documentation for kfree_sensitive: "this function
> zeroes the whole allocated buffer which can be a good deal bigger than the requested buffer
> size passed to kmalloc(). So be careful when using this function in performance sensitive
> code"
>
> While the memzero_explicit does not zeroize anything beyond keylen.
> Which is all you really need here, so why would you want to zeroize potentially a lot more?
> In any case the two are not fully equivalent.
There are a number of predefined allocation sizes (power of 2) for faster alloc,
i.e. https://elixir.bootlin.com/linux/latest/source/include/linux/slab.h#L349
and it looks like that keys we free in this patches are in bounds of these sizes.
As far as I understand, if a key is not a power of 2 len, the buffer will be zeroed to the closest
power of 2 size. For small sizes like these, performance difference should be unnoticeable because
of cache lines and how arch-optimized memzero() works. Key freeing doesn't look like a frequent event.
Thanks,
Denis
next prev parent reply other threads:[~2020-09-04 8:55 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-27 6:43 [PATCH v2 0/4] crypto: use kfree_sensitive() Denis Efremov
2020-08-27 6:43 ` [PATCH v2 1/4] crypto: inside-secure - " Denis Efremov
2020-08-27 14:52 ` Corentin Labbe
2020-09-02 9:02 ` Antoine Tenart
2020-09-02 13:10 ` Van Leeuwen, Pascal
2020-09-04 8:55 ` Denis Efremov [this message]
2020-09-04 9:44 ` Van Leeuwen, Pascal
2020-08-27 6:44 ` [PATCH v2 2/4] crypto: amlogic " Denis Efremov
2020-08-27 14:50 ` Corentin Labbe
2020-08-27 6:44 ` [PATCH v2 3/4] crypto: sun8i-ce " Denis Efremov
2020-08-27 14:40 ` Corentin Labbe
2020-08-27 6:44 ` [PATCH v2 4/4] crypto: sun8i-ss " Denis Efremov
2020-08-27 14:41 ` Corentin Labbe
2020-09-04 8:28 ` [PATCH v2 0/4] crypto: " Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8ac5cb88-7df5-1060-2fac-510541fca48b@linux.com \
--to=efremov@linux.com \
--cc=clabbe.montjoie@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pvanleeuwen@rambus.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox