
[PATCH 5/5] x86/tboot: actually wipe contexts


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 6 Dec 2022 14:57:15 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8P+ZvvlWseJQ7rCEbvxjpP5fORRzmdqcqG4aQ2OAwuE=; b=JUEirW6I2jC3S9g3jYj7Ou9pNPy8R1U6MlSmy5RnWYbG+U9+Z0k9cQFgXeXwl0NAYSjFBj0f16g0RVS/1NEb0jWrBl34bgIoEaZV+2L8FCIyFFl+9nGiM+e4N4uCnicGs4II7yVGDaKVqkGIfz1KMkNOrnN7u6gJ/GFcnGVGMzypZVch3QZrPtdxOK/5aZ38V6uojyZ+hcBkaxuwj3kKS1t3VXLtVt3qrpvCF82t3+HbDqP8UgA4Z9Hyd5I9/doJh3kGv+IofgKDqOgADnSo90I4aoxudYD0GizbripIZPBUi/LcRdbMSPJjX7+mm/Zhb4K16KwU2VIvma1dHJyZyA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=D/pyHkZZIu4T3K+8/r8ATdkXsupm0H9aEMV2ikEKf3wTXcRzbIVLQsGmTJ+mnwUnF65cDePIkQSmn0ZWQ/sCFpCr1si2dSB2Q2rbA3qnD3ZPDTo4uPd57yoOD1NHqScEizEG21xlYQCzAg/4pQ7BK1za6ZjN5XVspRMjNTLWsyBFNs4HFKD+2nLh00rIbFxbOw03WlIICQzUGGEX7yNg9FrJnTxTwZ8SyRDA5d4aK93+IBDoTwWoiKj68GrjJjijpWdjGmm2/XfXAcMyZ3F7E/fMmZIq84oTMHP3X3hP3YV2Ka2l2RD6HkBM6/tFVUQDZ/5ZwDVOw+TXxkpPZiYsFw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Lukasz Hawrylko <lukasz@xxxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Mateusz Mówka <mateusz.mowka@xxxxxxxxx>
  • Delivery-date: Tue, 06 Dec 2022 13:57:22 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Especially with our use of __builtin_memset() to implement memset(), the
compiler is free to eliminate instances of it when it can prove that the
affected object is dead. Introduce a small helper function accompanying
the memset() with a construct forcing the compiler to retain the
clearing of (stack) memory.

Fixes: c021c95498d9 ("x86: Replace our own specialised versions of memset and 
memcpy with")
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
The Fixes: tag names the commit which broke the wrong assumption made by
6deab1ae316b ("txt: perform per-domain (and frametable and xenheap) MAC
on entry into").

--- a/xen/arch/x86/tboot.c
+++ b/xen/arch/x86/tboot.c
@@ -179,6 +179,17 @@ static void update_iommu_mac(vmac_ctx_t
 #define is_page_in_use(page) \
     (page_state_is(page, inuse) || page_state_is(page, offlining))
 
+/* Wipe ctx to ensure key is not left in memory. */
+static void wipe_ctx(vmac_ctx_t *ctx)
+{
+    memset(ctx, 0, sizeof(*ctx));
+    /*
+     * Make sure the compiler won't optimize out the memset(), for the local
+     * variable (at the call sites) going out of scope right afterwards.
+     */
+    asm volatile ( "" :: "m" (*ctx) );
+}
+
 static void tboot_gen_domain_integrity(const uint8_t key[TB_KEY_SIZE],
                                        vmac_t *mac)
 {
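Review bot: The comment above the `asm volatile` in wipe_ctx would benefit from saying why an `"m"` input operand is used instead of a bare `"memory"` clobber: the operand makes the statement a consumer of `*ctx`'s contents, so the stores done by the preceding memset() cannot be treated as dead even though the object is a local whose address does not otherwise escape, which a clobber alone does not guarantee. Suggested wording for the second sentence of that comment: `The "m" input operand makes this asm a reader of *ctx, so the preceding stores must be materialized even for a local that is about to die.` It is also worth recording in the function comment that this wipes only the ctx object itself; any copies of the key schedule the compiler may have placed in registers or spill slots of vmac() and its callees are outside its reach. The body of tboot_gen_domain_integrity that follows the opening brace continues outside this hunk.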
@@ -216,8 +227,7 @@ static void tboot_gen_domain_integrity(c
 
     *mac = vmac(NULL, 0, nonce, NULL, &ctx);
 
-    /* wipe ctx to ensure key is not left in memory */
-    memset(&ctx, 0, sizeof(ctx));
+    wipe_ctx(&ctx);
 }
 
 /*
@@ -278,8 +288,7 @@ static void tboot_gen_xenheap_integrity(
     }
     *mac = vmac(NULL, 0, nonce, NULL, &ctx);
 
-    /* wipe ctx to ensure key is not left in memory */
-    memset(&ctx, 0, sizeof(ctx));
+    wipe_ctx(&ctx);
 }
 
 static void tboot_gen_frametable_integrity(const uint8_t key[TB_KEY_SIZE],
@@ -307,8 +316,7 @@ static void tboot_gen_frametable_integri
 
     *mac = vmac(NULL, 0, nonce, NULL, &ctx);
 
-    /* wipe ctx to ensure key is not left in memory */
-    memset(&ctx, 0, sizeof(ctx));
+    wipe_ctx(&ctx);
 }
 
 void tboot_shutdown(uint32_t shutdown_type)




 

