From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7718CC433F5 for ; Mon, 13 Sep 2021 18:07:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 501D460F23 for ; Mon, 13 Sep 2021 18:07:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346356AbhIMSIn (ORCPT ); Mon, 13 Sep 2021 14:08:43 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:60230 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235056AbhIMSIn (ORCPT ); Mon, 13 Sep 2021 14:08:43 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id ECCAF72C8B1; Mon, 13 Sep 2021 21:07:25 +0300 (MSK) Received: from altlinux.org (sole.flsd.net [185.75.180.6]) by imap.altlinux.org (Postfix) with ESMTPSA id A82754A46EF; Mon, 13 Sep 2021 21:07:25 +0300 (MSK) Date: Mon, 13 Sep 2021 21:07:25 +0300 From: Vitaly Chikunov To: Mimi Zohar Cc: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org, Bruno Meneguele , Stefan Berger Subject: Re: [PATCH ima-evm-utils v4] evmctl: Use secure heap for private keys and passwords Message-ID: <20210913180725.d4rngs22tqkgos77@altlinux.org> References: <20210904105054.3388329-1-vt@altlinux.org> <413f31067da8a63ecd76228e86505a9f4e5599f8.camel@linux.ibm.com> <20210910181307.dmpx5463c3t2etax@altlinux.org> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Mimi, On Mon, Sep 13, 2021 at 01:51:58PM -0400, Mimi Zohar wrote: > > > Assuming we aren't guaranteed that the heap size is allocated, should > > > we check (e.g. OPENSSL_secure_actual_size())? > > > > We guaranteed that secure heap is allocated by return value of > > CRYPTO_secure_malloc_init. > > > > OPENSSL_secure_actual_size tell if OPENSSL_secure_malloc is actually > > provided bigger memory fragment than we requested (to reduce > > fragmentation). Why care about it? > > We wouldn't care, assuming we're guaranteed the heap size requested was > allocated and not the minimum heap size. Hm, wondering what would be > the purpose of the minimum heap size ... Perhaps, just to control heap fragmentation. > > > > + if (!CRYPTO_secure_malloc_init(8192, 64)) > > > > + log_err("CRYPTO_secure_malloc_init() failed\n"); > > > > > > Either change the test to "!= 1" or also log "and 2 if successful but > > > the heap could not be protected by memory mapping." > > > > Why should we care about implementation details of successful > > allocation? If they don't think it's secure heap they should not return > > success. And they say about its return value "and 2 if successful but", > > so it's successful. > > If you're correct, then there is no reason ever for returning 2. > Without documentation or digging into OpenSSL, this makes no sense to > me. Perhaps "secure heap" has some kernel dependency, requires HW, or > something else entirely. Not that there is much we could or would do, > but simply ignoring it just seems wrong. I looked at CRYPTO_secure_malloc_init and it seems they return 2 if mlock/madvise is failed. I think it's major enough to report it, so I will add it. Thanks,