From: Ard Biesheuvel <ardb@kernel.org>
To: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
	Eric Biggers <ebiggers@kernel.org>,
	David Laight <David.Laight@aculab.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v4 2/6] crypto: Use memzero_explicit() for clearing state
Date: Mon, 26 Oct 2020 08:58:27 +0100	[thread overview]
Message-ID: <CAMj1kXEqJFaQkdv04wE2JHKxU7SH+W8KR9tYrBzbghRp0Zg_-g@mail.gmail.com> (raw)
In-Reply-To: <20201025143119.1054168-3-nivedita@alum.mit.edu>

On Sun, 25 Oct 2020 at 15:31, Arvind Sankar <nivedita@alum.mit.edu> wrote:
>
> Without the barrier_data() inside memzero_explicit(), the compiler may
> optimize away the state-clearing if it can tell that the state is not
> used afterwards.
>
> Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>

Acked-by: Ard Biesheuvel <ardb@kernel.org>

I agree with Eric that, even though there are cases where it is
unlikely that the compiler could elide an ordinary memset() or struct
assignment (even under LTO), using memzero_explicit() is better in
these cases, as it also clarifies the intent of the operation, and
doesn't result in worse code now that memzero_explicit() is a static
inline around memset() and a barrier.





> ---
>  arch/arm64/crypto/ghash-ce-glue.c | 2 +-
>  arch/arm64/crypto/poly1305-glue.c | 2 +-
>  arch/arm64/crypto/sha3-ce-glue.c  | 2 +-
>  arch/x86/crypto/poly1305_glue.c   | 2 +-
>  include/crypto/sha1_base.h        | 3 ++-
>  include/crypto/sha256_base.h      | 3 ++-
>  include/crypto/sha512_base.h      | 3 ++-
>  include/crypto/sm3_base.h         | 3 ++-
>  8 files changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c
> index 8536008e3e35..2427e2f3a9a1 100644
> --- a/arch/arm64/crypto/ghash-ce-glue.c
> +++ b/arch/arm64/crypto/ghash-ce-glue.c
> @@ -168,7 +168,7 @@ static int ghash_final(struct shash_desc *desc, u8 *dst)
>         put_unaligned_be64(ctx->digest[1], dst);
>         put_unaligned_be64(ctx->digest[0], dst + 8);
>
> -       *ctx = (struct ghash_desc_ctx){};
> +       memzero_explicit(ctx, sizeof(*ctx));
>         return 0;
>  }
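Review bot: The memzero_explicit() call that replaces the struct assignment in ghash_final() relies on `<linux/string.h>` arriving transitively, whereas the header hunks in this same patch add `#include <linux/string.h>` explicitly for exactly this symbol; unless ghash-ce-glue.c already includes it (its include list is not visible here), the .c side should get the same explicit `#include <linux/string.h>` so the declaration does not depend on include order. The same observation applies to the poly1305 and sha3 glue hunks below, which also switch to memzero_explicit() without touching their include lists. The body of ghash_final() begins before this hunk.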
>
> diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c
> index f33ada70c4ed..683de671741a 100644
> --- a/arch/arm64/crypto/poly1305-glue.c
> +++ b/arch/arm64/crypto/poly1305-glue.c
> @@ -177,7 +177,7 @@ void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
>         }
>
>         poly1305_emit(&dctx->h, dst, dctx->s);
> -       *dctx = (struct poly1305_desc_ctx){};
> +       memzero_explicit(dctx, sizeof(*dctx));
>  }
>  EXPORT_SYMBOL(poly1305_final_arch);
>
> diff --git a/arch/arm64/crypto/sha3-ce-glue.c b/arch/arm64/crypto/sha3-ce-glue.c
> index 9a4bbfc45f40..e5a2936f0886 100644
> --- a/arch/arm64/crypto/sha3-ce-glue.c
> +++ b/arch/arm64/crypto/sha3-ce-glue.c
> @@ -94,7 +94,7 @@ static int sha3_final(struct shash_desc *desc, u8 *out)
>         if (digest_size & 4)
>                 put_unaligned_le32(sctx->st[i], (__le32 *)digest);
>
> -       *sctx = (struct sha3_state){};
> +       memzero_explicit(sctx, sizeof(*sctx));
>         return 0;
>  }
>
> diff --git a/arch/x86/crypto/poly1305_glue.c b/arch/x86/crypto/poly1305_glue.c
> index e508dbd91813..64d09520d279 100644
> --- a/arch/x86/crypto/poly1305_glue.c
> +++ b/arch/x86/crypto/poly1305_glue.c
> @@ -209,7 +209,7 @@ void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
>         }
>
>         poly1305_simd_emit(&dctx->h, dst, dctx->s);
> -       *dctx = (struct poly1305_desc_ctx){};
> +       memzero_explicit(dctx, sizeof(*dctx));
>  }
>  EXPORT_SYMBOL(poly1305_final_arch);
>
> diff --git a/include/crypto/sha1_base.h b/include/crypto/sha1_base.h
> index 20fd1f7468af..a5d6033efef7 100644
> --- a/include/crypto/sha1_base.h
> +++ b/include/crypto/sha1_base.h
> @@ -12,6 +12,7 @@
>  #include <crypto/sha.h>
>  #include <linux/crypto.h>
>  #include <linux/module.h>
> +#include <linux/string.h>
>
>  #include <asm/unaligned.h>
>
> @@ -101,7 +102,7 @@ static inline int sha1_base_finish(struct shash_desc *desc, u8 *out)
>         for (i = 0; i < SHA1_DIGEST_SIZE / sizeof(__be32); i++)
>                 put_unaligned_be32(sctx->state[i], digest++);
>
> -       *sctx = (struct sha1_state){};
> +       memzero_explicit(sctx, sizeof(*sctx));
>         return 0;
>  }
>
> diff --git a/include/crypto/sha256_base.h b/include/crypto/sha256_base.h
> index 6ded110783ae..93f9fd21cc06 100644
> --- a/include/crypto/sha256_base.h
> +++ b/include/crypto/sha256_base.h
> @@ -12,6 +12,7 @@
>  #include <crypto/sha.h>
>  #include <linux/crypto.h>
>  #include <linux/module.h>
> +#include <linux/string.h>
>
>  #include <asm/unaligned.h>
>
> @@ -105,7 +106,7 @@ static inline int sha256_base_finish(struct shash_desc *desc, u8 *out)
>         for (i = 0; digest_size > 0; i++, digest_size -= sizeof(__be32))
>                 put_unaligned_be32(sctx->state[i], digest++);
>
> -       *sctx = (struct sha256_state){};
> +       memzero_explicit(sctx, sizeof(*sctx));
>         return 0;
>  }
>
> diff --git a/include/crypto/sha512_base.h b/include/crypto/sha512_base.h
> index fb19c77494dc..93ab73baa38e 100644
> --- a/include/crypto/sha512_base.h
> +++ b/include/crypto/sha512_base.h
> @@ -12,6 +12,7 @@
>  #include <crypto/sha.h>
>  #include <linux/crypto.h>
>  #include <linux/module.h>
> +#include <linux/string.h>
>
>  #include <asm/unaligned.h>
>
> @@ -126,7 +127,7 @@ static inline int sha512_base_finish(struct shash_desc *desc, u8 *out)
>         for (i = 0; digest_size > 0; i++, digest_size -= sizeof(__be64))
>                 put_unaligned_be64(sctx->state[i], digest++);
>
> -       *sctx = (struct sha512_state){};
> +       memzero_explicit(sctx, sizeof(*sctx));
>         return 0;
>  }
>
> diff --git a/include/crypto/sm3_base.h b/include/crypto/sm3_base.h
> index 1cbf9aa1fe52..2f3a32ab97bb 100644
> --- a/include/crypto/sm3_base.h
> +++ b/include/crypto/sm3_base.h
> @@ -13,6 +13,7 @@
>  #include <crypto/sm3.h>
>  #include <linux/crypto.h>
>  #include <linux/module.h>
> +#include <linux/string.h>
>  #include <asm/unaligned.h>
>
>  typedef void (sm3_block_fn)(struct sm3_state *sst, u8 const *src, int blocks);
> @@ -104,7 +105,7 @@ static inline int sm3_base_finish(struct shash_desc *desc, u8 *out)
>         for (i = 0; i < SM3_DIGEST_SIZE / sizeof(__be32); i++)
>                 put_unaligned_be32(sctx->state[i], digest++);
>
> -       *sctx = (struct sm3_state){};
> +       memzero_explicit(sctx, sizeof(*sctx));
>         return 0;
>  }
>
> --
> 2.26.2
>

2020-10-25 14:31 [PATCH v4 0/6] crypto: lib/sha256 - cleanup/optimization Arvind Sankar
2020-10-25 14:31 ` [PATCH v4 1/6] crypto: lib/sha256 - Use memzero_explicit() for clearing state Arvind Sankar
2020-10-26  7:59   ` Ard Biesheuvel
2020-10-25 14:31 ` [PATCH v4 2/6] crypto: " Arvind Sankar
2020-10-26  7:58   ` Ard Biesheuvel [this message]
2020-10-25 14:31 ` [PATCH v4 3/6] crypto: lib/sha256 - Don't clear temporary variables Arvind Sankar
2020-10-26  7:59   ` Ard Biesheuvel
2020-10-25 14:31 ` [PATCH v4 4/6] crypto: lib/sha256 - Clear W[] in sha256_update() instead of sha256_transform() Arvind Sankar
2020-10-26  8:00   ` Ard Biesheuvel
2020-10-25 14:31 ` [PATCH v4 5/6] crypto: lib/sha256 - Unroll SHA256 loop 8 times intead of 64 Arvind Sankar
2020-10-26  8:00   ` Ard Biesheuvel
2020-10-25 14:31 ` [PATCH v4 6/6] crypto: lib/sha256 - Unroll LOAD and BLEND loops Arvind Sankar
2020-10-25 18:51   ` David Laight
2020-10-25 20:18     ` Arvind Sankar
2020-10-25 23:23       ` David Laight
2020-10-25 23:53         ` Arvind Sankar
2020-10-26 10:06           ` David Laight
2020-10-26  8:02   ` Ard Biesheuvel
2020-10-30  6:53 ` [PATCH v4 0/6] crypto: lib/sha256 - cleanup/optimization Herbert Xu
