[Qemu-devel] [PATCH v2 01/13] introduce g_autowipe

From: Maxim Levitsky
Subject: [Qemu-devel] [PATCH v2 01/13] introduce g_autowipe
Date: Mon, 26 Aug 2019 16:50:51 +0300
Marking a pointer with g_autowipe will
not only free it at the scope exit, but also
erase the data it points to just prior to freeing it.
This is a first attempt to implement this feature,
as suggested by Daniel and Nir.
The things that need to be verified prior to merging this are:
1. Can we just always use memset_s (defined in C++)
or some alternative?
2. Is it portable enough for us to use malloc_usable_size
to get the size of the malloced pointer in the autofree callback?
This function is available in glibc (but there is no wrapper in glib).
Thanks to Daniel for the g_autowipe and to Nir for the
information about the fact that plain memset is usually
optimized away.
Suggested-by: Daniel P. Berrangé <address@hidden>
Suggested-by: Nir Soffer <address@hidden>
Signed-off-by: Maxim Levitsky <address@hidden>
---
include/autowipe.h | 52 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 include/autowipe.h
diff --git a/include/autowipe.h b/include/autowipe.h
new file mode 100644
index 0000000000..1ed4eaf3ba
--- /dev/null
+++ b/include/autowipe.h
@@ -0,0 +1,52 @@
+/*
+ * g_autowipe implementation for crypto secret wiping
+ *
+ * Copyright (c) 2019 Red Hat, Inc.
+ * Copyright (c) 2019 Maxim Levitsky
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#include <stddef.h>
+#include <malloc.h>
+#include <glib.h>
+
+
+/*
+ * based on
+ *
https://www.cryptologie.net/article/419/zeroing-memory-compiler-optimizations-and-memset_s/
+ */
+
+static inline void memerase(void *pointer, size_t size)
+{
+#ifdef __STDC_LIB_EXT1__
+ memset_s(pointer, size, 0, size);
+#else
+ /*volatile used to force compiler to not optimize the code away*/
+ volatile unsigned char *p = pointer;
+ while (size--) {
+ *p++ = 0;
+ }
+#endif
+}
+
+static void g_autoptr_cleanup_generic_wipe_gfree(void *p)
+{
+ void **pp = (void **)p;
+ size_t size = malloc_usable_size(*pp);
+ memerase(*pp, size);
+ g_free(*pp);
+}
+
+#define g_autowipe _GLIB_CLEANUP(g_autoptr_cleanup_generic_wipe_gfree)
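Review bot: the `#ifdef __STDC_LIB_EXT1__` branch of memerase() cannot compile as written, because memset_s() is declared in <string.h> (and only when `__STDC_WANT_LIB_EXT1__` is defined before that include), yet the header includes only <stddef.h>, <malloc.h> and <glib.h>; either add `#define __STDC_WANT_LIB_EXT1__ 1` followed by `#include <string.h>` above the other includes, or drop the branch and keep the volatile loop as the single implementation. Smaller points: the header has no include guard, so a second inclusion redefines the two static functions; `g_autoptr_cleanup_generic_wipe_gfree` should be `static inline` like glib's own cleanup helpers to avoid -Wunused-function noise in translation units that never use g_autowipe; and the callback silently assumes `*pp` came from the system malloc, which is what makes malloc_usable_size() valid and is worth a comment (note that it reports the whole usable block, so the wipe also covers the allocator's slack past the requested size, which is harmless, and that for a NULL pointer glibc returns 0 and g_free(NULL) is a no-op, so that case is safe but deserves an explicit check or comment). A short comment on the macro itself saying it is only for g_malloc()-ed memory would help callers.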
--
2.17.2
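The patch relies on GLib's `_GLIB_CLEANUP`, which expands to the GCC/clang `__attribute__((cleanup))`, and on glibc's malloc_usable_size() to learn how many bytes to wipe. The following is an added example, not code from the patch or from QEMU, that shows the same wipe-on-scope-exit idea in plain C without GLib: the secret carries its own length (the `SecretBuf` type, `autowipe_secret` macro and `bytes_wiped_total` counter are this example's own inventions), so it needs no allocator-specific size query, and the volatile store loop is the same portable fallback the patch uses. The counter exists only so a caller can confirm that the cleanup really ran when the scope was left, which is otherwise hard to observe once the memory has been freed.

```c
/* Added example: scope-exit wiping of a secret buffer with an explicit length,
 * using the GCC/clang cleanup attribute. Not part of the QEMU patch; it stores
 * the length itself instead of asking the allocator via malloc_usable_size(). */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Secret buffer that remembers its own length so the wipe needs no allocator help. */
typedef struct {
    uint8_t *data;
    size_t len;
} SecretBuf;

/* Running count of bytes wiped, so a caller (or test) can confirm that the
 * cleanup actually ran after the scope was left. (Example-only bookkeeping.) */
static size_t bytes_wiped_total = 0;

/* Zero memory in a way the optimizer must not drop: every store goes through a
 * volatile pointer, so each write is an observable side effect and cannot be
 * removed as a dead store the way a trailing plain memset() can. */
static void memerase(void *pointer, size_t size)
{
    volatile uint8_t *p = pointer;
    while (size--) {
        *p++ = 0;
    }
}

/* Allocate 'len' bytes of secret storage; returns 0 on success, -1 on failure. */
static int secret_alloc(SecretBuf *s, size_t len)
{
    s->data = malloc(len);
    s->len = s->data ? len : 0;
    return s->data ? 0 : -1;
}

/* Cleanup callback: wipe, then free. Safe on a never-allocated (NULL) buffer. */
static void secret_cleanup(SecretBuf *s)
{
    if (s->data) {
        memerase(s->data, s->len);
        bytes_wiped_total += s->len;
        free(s->data);
        s->data = NULL;
        s->len = 0;
    }
}

/* Declare a SecretBuf local that is wiped and freed when its scope exits. */
#define autowipe_secret __attribute__((cleanup(secret_cleanup)))

/* Whether buf[0..len) is entirely zero; used to verify memerase(). */
static int all_zero(const uint8_t *buf, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Fill a stack buffer with a constructed pattern, erase it in place, and
 * report whether it is all zero afterwards (1 = wiped, 0 = not). */
static int erase_stack_buffer_is_zero(void)
{
    uint8_t key[32];
    memset(key, 0xAB, sizeof(key));  /* constructed stand-in for key material */
    memerase(key, sizeof(key));
    return all_zero(key, sizeof(key));
}

/* Handle a secret of 'len' bytes inside an inner scope; returns how many bytes
 * the cleanup wiped when that scope was left (0 if allocation failed). */
static size_t handle_secret_of_size(size_t len)
{
    size_t before = bytes_wiped_total;
    {
        autowipe_secret SecretBuf key = { NULL, 0 };
        if (secret_alloc(&key, len) != 0) {
            return 0;
        }
        memset(key.data, 0x5A, key.len);  /* constructed stand-in for key material */
        /* ... the secret would be used here ... */
    } /* key.data is wiped and freed at this brace, on every exit path */
    return bytes_wiped_total - before;
}

int main(void)
{
    return (erase_stack_buffer_is_zero() && handle_secret_of_size(64) == 64) ? 0 : 1;
}
```

The explicit-length design sidesteps the portability question raised in the commit message: it works with any allocator and never over- or under-estimates the region to wipe, at the cost of one extra field. The volatile loop is the portable fallback; where the platform provides a guaranteed-not-elided primitive (memset_s, explicit_bzero) it can replace the loop body.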
- [Qemu-devel] [PATCH v2 00/13] RFC crypto/luks: preparation for encryption key managment, Maxim Levitsky, 2019/08/26
- [Qemu-devel] [PATCH v2 01/13] introduce g_autowipe, Maxim Levitsky <=
- [Qemu-devel] [PATCH v2 02/13] block-crypto: misc refactoring, Maxim Levitsky, 2019/08/26
- [Qemu-devel] [PATCH v2 03/13] qcrypto-luks: rename some fields in QCryptoBlockLUKSHeader, Maxim Levitsky, 2019/08/26
- [Qemu-devel] [PATCH v2 04/13] qcrypto-luks: don't overwrite cipher_mode in header, Maxim Levitsky, 2019/08/26
- [Qemu-devel] [PATCH v2 05/13] qcrypto-luks: simplify masterkey and masterkey length, Maxim Levitsky, 2019/08/26
- [Qemu-devel] [PATCH v2 06/13] qcrypto-block: pass keyslot index rather that pointer to the keyslot, Maxim Levitsky, 2019/08/26
- [Qemu-devel] [PATCH v2 07/13] qcrypto-luks: use the parsed encryption settings in QCryptoBlockLUKS, Maxim Levitsky, 2019/08/26
- [Qemu-devel] [PATCH v2 08/13] qcrypto-luks: extract store and load header, Maxim Levitsky, 2019/08/26