[v4,2/6] crypto: Use memzero_explicit() for clearing state

Message ID	20201025143119.1054168-3-nivedita@alum.mit.edu
State	Superseded
Headers	show Return-Path: <SRS0=H1lS=EA=vger.kernel.org=linux-crypto-owner@kernel.org> From: Arvind Sankar <nivedita@alum.mit.edu> To: Herbert Xu <herbert@gondor.apana.org.au>, "David S. Miller" <davem@davemloft.net>, "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>, Eric Biggers <ebiggers@kernel.org>, David Laight <David.Laight@aculab.com> Cc: linux-kernel@vger.kernel.org Subject: [PATCH v4 2/6] crypto: Use memzero_explicit() for clearing state Date: Sun, 25 Oct 2020 10:31:15 -0400 Message-Id: <20201025143119.1054168-3-nivedita@alum.mit.edu> In-Reply-To: <20201025143119.1054168-1-nivedita@alum.mit.edu> References: <20201025143119.1054168-1-nivedita@alum.mit.edu> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[v4,1/6] crypto: lib/sha256 - Use memzero_explicit() for clearing state \| expand [v4,1/6] crypto: lib/sha256 - Use memzero_explicit() for clearing state [v4,2/6] crypto: Use memzero_explicit() for clearing state [v4,3/6] crypto: lib/sha256 - Don't clear temporary variables [v4,5/6] crypto: lib/sha256 - Unroll SHA256 loop 8 times intead of 64

Message ID

20201025143119.1054168-3-nivedita@alum.mit.edu

State

Superseded

Headers

From: Arvind Sankar <nivedita@alum.mit.edu>
To: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
	Eric Biggers <ebiggers@kernel.org>,
	David Laight <David.Laight@aculab.com>
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v4 2/6] crypto: Use memzero_explicit() for clearing state
Date: Sun, 25 Oct 2020 10:31:15 -0400
Message-Id: <20201025143119.1054168-3-nivedita@alum.mit.edu>
In-Reply-To: <20201025143119.1054168-1-nivedita@alum.mit.edu>
References: <20201025143119.1054168-1-nivedita@alum.mit.edu>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[v4,1/6] crypto: lib/sha256 - Use memzero_explicit() for clearing state | expand

Commit Message

Arvind Sankar Oct. 25, 2020, 2:31 p.m. UTC

Without the barrier_data() inside memzero_explicit(), the compiler may
optimize away the state-clearing if it can tell that the state is not
used afterwards.

Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
---
 arch/arm64/crypto/ghash-ce-glue.c | 2 +-
 arch/arm64/crypto/poly1305-glue.c | 2 +-
 arch/arm64/crypto/sha3-ce-glue.c  | 2 +-
 arch/x86/crypto/poly1305_glue.c   | 2 +-
 include/crypto/sha1_base.h        | 3 ++-
 include/crypto/sha256_base.h      | 3 ++-
 include/crypto/sha512_base.h      | 3 ++-
 include/crypto/sm3_base.h         | 3 ++-
 8 files changed, 12 insertions(+), 8 deletions(-)

Comments

Ard Biesheuvel Oct. 26, 2020, 7:58 a.m. UTC | #1

On Sun, 25 Oct 2020 at 15:31, Arvind Sankar <nivedita@alum.mit.edu> wrote:
>

> Without the barrier_data() inside memzero_explicit(), the compiler may

> optimize away the state-clearing if it can tell that the state is not

> used afterwards.

>

> Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>


Acked-by: Ard Biesheuvel <ardb@kernel.org>


I agree with Eric that, even though there are cases where it is
unlikely that the compiler could elide an ordinary memset() or struct
assignment (even under LTO), using memzero_explicit() is better in
these cases, as it also clarifies the intent of the operation, and
doesn't result in worse code now that memzero_explicit() is a static
inline around memset() and a barrier.





> ---

>  arch/arm64/crypto/ghash-ce-glue.c | 2 +-

>  arch/arm64/crypto/poly1305-glue.c | 2 +-

>  arch/arm64/crypto/sha3-ce-glue.c  | 2 +-

>  arch/x86/crypto/poly1305_glue.c   | 2 +-

>  include/crypto/sha1_base.h        | 3 ++-

>  include/crypto/sha256_base.h      | 3 ++-

>  include/crypto/sha512_base.h      | 3 ++-

>  include/crypto/sm3_base.h         | 3 ++-

>  8 files changed, 12 insertions(+), 8 deletions(-)

>

> diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c

> index 8536008e3e35..2427e2f3a9a1 100644

> --- a/arch/arm64/crypto/ghash-ce-glue.c

> +++ b/arch/arm64/crypto/ghash-ce-glue.c

> @@ -168,7 +168,7 @@ static int ghash_final(struct shash_desc *desc, u8 *dst)

>         put_unaligned_be64(ctx->digest[1], dst);

>         put_unaligned_be64(ctx->digest[0], dst + 8);

>

> -       *ctx = (struct ghash_desc_ctx){};

> +       memzero_explicit(ctx, sizeof(*ctx));

>         return 0;

>  }

>

> diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c

> index f33ada70c4ed..683de671741a 100644

> --- a/arch/arm64/crypto/poly1305-glue.c

> +++ b/arch/arm64/crypto/poly1305-glue.c

> @@ -177,7 +177,7 @@ void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)

>         }

>

>         poly1305_emit(&dctx->h, dst, dctx->s);

> -       *dctx = (struct poly1305_desc_ctx){};

> +       memzero_explicit(dctx, sizeof(*dctx));

>  }

>  EXPORT_SYMBOL(poly1305_final_arch);

>

> diff --git a/arch/arm64/crypto/sha3-ce-glue.c b/arch/arm64/crypto/sha3-ce-glue.c

> index 9a4bbfc45f40..e5a2936f0886 100644

> --- a/arch/arm64/crypto/sha3-ce-glue.c

> +++ b/arch/arm64/crypto/sha3-ce-glue.c

> @@ -94,7 +94,7 @@ static int sha3_final(struct shash_desc *desc, u8 *out)

>         if (digest_size & 4)

>                 put_unaligned_le32(sctx->st[i], (__le32 *)digest);

>

> -       *sctx = (struct sha3_state){};

> +       memzero_explicit(sctx, sizeof(*sctx));

>         return 0;

>  }

>

> diff --git a/arch/x86/crypto/poly1305_glue.c b/arch/x86/crypto/poly1305_glue.c

> index e508dbd91813..64d09520d279 100644

> --- a/arch/x86/crypto/poly1305_glue.c

> +++ b/arch/x86/crypto/poly1305_glue.c

> @@ -209,7 +209,7 @@ void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)

>         }

>

>         poly1305_simd_emit(&dctx->h, dst, dctx->s);

> -       *dctx = (struct poly1305_desc_ctx){};

> +       memzero_explicit(dctx, sizeof(*dctx));

>  }

>  EXPORT_SYMBOL(poly1305_final_arch);

>

> diff --git a/include/crypto/sha1_base.h b/include/crypto/sha1_base.h

> index 20fd1f7468af..a5d6033efef7 100644

> --- a/include/crypto/sha1_base.h

> +++ b/include/crypto/sha1_base.h

> @@ -12,6 +12,7 @@

>  #include <crypto/sha.h>

>  #include <linux/crypto.h>

>  #include <linux/module.h>

> +#include <linux/string.h>

>

>  #include <asm/unaligned.h>

>

> @@ -101,7 +102,7 @@ static inline int sha1_base_finish(struct shash_desc *desc, u8 *out)

>         for (i = 0; i < SHA1_DIGEST_SIZE / sizeof(__be32); i++)

>                 put_unaligned_be32(sctx->state[i], digest++);

>

> -       *sctx = (struct sha1_state){};

> +       memzero_explicit(sctx, sizeof(*sctx));

>         return 0;

>  }

>

> diff --git a/include/crypto/sha256_base.h b/include/crypto/sha256_base.h

> index 6ded110783ae..93f9fd21cc06 100644

> --- a/include/crypto/sha256_base.h

> +++ b/include/crypto/sha256_base.h

> @@ -12,6 +12,7 @@

>  #include <crypto/sha.h>

>  #include <linux/crypto.h>

>  #include <linux/module.h>

> +#include <linux/string.h>

>

>  #include <asm/unaligned.h>

>

> @@ -105,7 +106,7 @@ static inline int sha256_base_finish(struct shash_desc *desc, u8 *out)

>         for (i = 0; digest_size > 0; i++, digest_size -= sizeof(__be32))

>                 put_unaligned_be32(sctx->state[i], digest++);

>

> -       *sctx = (struct sha256_state){};

> +       memzero_explicit(sctx, sizeof(*sctx));

>         return 0;

>  }

>

> diff --git a/include/crypto/sha512_base.h b/include/crypto/sha512_base.h

> index fb19c77494dc..93ab73baa38e 100644

> --- a/include/crypto/sha512_base.h

> +++ b/include/crypto/sha512_base.h

> @@ -12,6 +12,7 @@

>  #include <crypto/sha.h>

>  #include <linux/crypto.h>

>  #include <linux/module.h>

> +#include <linux/string.h>

>

>  #include <asm/unaligned.h>

>

> @@ -126,7 +127,7 @@ static inline int sha512_base_finish(struct shash_desc *desc, u8 *out)

>         for (i = 0; digest_size > 0; i++, digest_size -= sizeof(__be64))

>                 put_unaligned_be64(sctx->state[i], digest++);

>

> -       *sctx = (struct sha512_state){};

> +       memzero_explicit(sctx, sizeof(*sctx));

>         return 0;

>  }

>

> diff --git a/include/crypto/sm3_base.h b/include/crypto/sm3_base.h

> index 1cbf9aa1fe52..2f3a32ab97bb 100644

> --- a/include/crypto/sm3_base.h

> +++ b/include/crypto/sm3_base.h

> @@ -13,6 +13,7 @@

>  #include <crypto/sm3.h>

>  #include <linux/crypto.h>

>  #include <linux/module.h>

> +#include <linux/string.h>

>  #include <asm/unaligned.h>

>

>  typedef void (sm3_block_fn)(struct sm3_state *sst, u8 const *src, int blocks);

> @@ -104,7 +105,7 @@ static inline int sm3_base_finish(struct shash_desc *desc, u8 *out)

>         for (i = 0; i < SM3_DIGEST_SIZE / sizeof(__be32); i++)

>                 put_unaligned_be32(sctx->state[i], digest++);

>

> -       *sctx = (struct sm3_state){};

> +       memzero_explicit(sctx, sizeof(*sctx));

>         return 0;

>  }

>

> --

> 2.26.2

>

diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c
index 8536008e3e35..2427e2f3a9a1 100644
--- a/arch/arm64/crypto/ghash-ce-glue.c
+++ b/arch/arm64/crypto/ghash-ce-glue.c
@@ -168,7 +168,7 @@  static int ghash_final(struct shash_desc *desc, u8 *dst)
 	put_unaligned_be64(ctx->digest[1], dst);
 	put_unaligned_be64(ctx->digest[0], dst + 8);
 
-	*ctx = (struct ghash_desc_ctx){};
+	memzero_explicit(ctx, sizeof(*ctx));
 	return 0;
 }
 
diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c
index f33ada70c4ed..683de671741a 100644
--- a/arch/arm64/crypto/poly1305-glue.c
+++ b/arch/arm64/crypto/poly1305-glue.c
@@ -177,7 +177,7 @@  void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
 	}
 
 	poly1305_emit(&dctx->h, dst, dctx->s);
-	*dctx = (struct poly1305_desc_ctx){};
+	memzero_explicit(dctx, sizeof(*dctx));
 }
 EXPORT_SYMBOL(poly1305_final_arch);
 
diff --git a/arch/arm64/crypto/sha3-ce-glue.c b/arch/arm64/crypto/sha3-ce-glue.c
index 9a4bbfc45f40..e5a2936f0886 100644
--- a/arch/arm64/crypto/sha3-ce-glue.c
+++ b/arch/arm64/crypto/sha3-ce-glue.c
@@ -94,7 +94,7 @@  static int sha3_final(struct shash_desc *desc, u8 *out)
 	if (digest_size & 4)
 		put_unaligned_le32(sctx->st[i], (__le32 *)digest);
 
-	*sctx = (struct sha3_state){};
+	memzero_explicit(sctx, sizeof(*sctx));
 	return 0;
 }
 
diff --git a/arch/x86/crypto/poly1305_glue.c b/arch/x86/crypto/poly1305_glue.c
index e508dbd91813..64d09520d279 100644
--- a/arch/x86/crypto/poly1305_glue.c
+++ b/arch/x86/crypto/poly1305_glue.c
@@ -209,7 +209,7 @@  void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
 	}
 
 	poly1305_simd_emit(&dctx->h, dst, dctx->s);
-	*dctx = (struct poly1305_desc_ctx){};
+	memzero_explicit(dctx, sizeof(*dctx));
 }
 EXPORT_SYMBOL(poly1305_final_arch);
 
diff --git a/include/crypto/sha1_base.h b/include/crypto/sha1_base.h
index 20fd1f7468af..a5d6033efef7 100644
--- a/include/crypto/sha1_base.h
+++ b/include/crypto/sha1_base.h
@@ -12,6 +12,7 @@ 
 #include <crypto/sha.h>
 #include <linux/crypto.h>
 #include <linux/module.h>
+#include <linux/string.h>
 
 #include <asm/unaligned.h>
 
@@ -101,7 +102,7 @@  static inline int sha1_base_finish(struct shash_desc *desc, u8 *out)
 	for (i = 0; i < SHA1_DIGEST_SIZE / sizeof(__be32); i++)
 		put_unaligned_be32(sctx->state[i], digest++);
 
-	*sctx = (struct sha1_state){};
+	memzero_explicit(sctx, sizeof(*sctx));
 	return 0;
 }
 
diff --git a/include/crypto/sha256_base.h b/include/crypto/sha256_base.h
index 6ded110783ae..93f9fd21cc06 100644
--- a/include/crypto/sha256_base.h
+++ b/include/crypto/sha256_base.h
@@ -12,6 +12,7 @@ 
 #include <crypto/sha.h>
 #include <linux/crypto.h>
 #include <linux/module.h>
+#include <linux/string.h>
 
 #include <asm/unaligned.h>
 
@@ -105,7 +106,7 @@  static inline int sha256_base_finish(struct shash_desc *desc, u8 *out)
 	for (i = 0; digest_size > 0; i++, digest_size -= sizeof(__be32))
 		put_unaligned_be32(sctx->state[i], digest++);
 
-	*sctx = (struct sha256_state){};
+	memzero_explicit(sctx, sizeof(*sctx));
 	return 0;
 }
 
diff --git a/include/crypto/sha512_base.h b/include/crypto/sha512_base.h
index fb19c77494dc..93ab73baa38e 100644
--- a/include/crypto/sha512_base.h
+++ b/include/crypto/sha512_base.h
@@ -12,6 +12,7 @@ 
 #include <crypto/sha.h>
 #include <linux/crypto.h>
 #include <linux/module.h>
+#include <linux/string.h>
 
 #include <asm/unaligned.h>
 
@@ -126,7 +127,7 @@  static inline int sha512_base_finish(struct shash_desc *desc, u8 *out)
 	for (i = 0; digest_size > 0; i++, digest_size -= sizeof(__be64))
 		put_unaligned_be64(sctx->state[i], digest++);
 
-	*sctx = (struct sha512_state){};
+	memzero_explicit(sctx, sizeof(*sctx));
 	return 0;
 }
 
diff --git a/include/crypto/sm3_base.h b/include/crypto/sm3_base.h
index 1cbf9aa1fe52..2f3a32ab97bb 100644
--- a/include/crypto/sm3_base.h
+++ b/include/crypto/sm3_base.h
@@ -13,6 +13,7 @@ 
 #include <crypto/sm3.h>
 #include <linux/crypto.h>
 #include <linux/module.h>
+#include <linux/string.h>
 #include <asm/unaligned.h>
 
 typedef void (sm3_block_fn)(struct sm3_state *sst, u8 const *src, int blocks);
@@ -104,7 +105,7 @@  static inline int sm3_base_finish(struct shash_desc *desc, u8 *out)
 	for (i = 0; i < SM3_DIGEST_SIZE / sizeof(__be32); i++)
 		put_unaligned_be32(sctx->state[i], digest++);
 
-	*sctx = (struct sm3_state){};
+	memzero_explicit(sctx, sizeof(*sctx));
 	return 0;
 }

[v4,2/6] crypto: Use memzero_explicit() for clearing state

Commit Message

Comments

Patch