linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Colm MacCárthaigh" <colm@allcosts.net>
To: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 0/2] mm,fork,security: introduce MADV_WIPEONFORK
Date: Mon, 7 Aug 2017 18:02:23 +0200	[thread overview]
Message-ID: <CAAF6GDfmBK_dOneBz=0p8MgjaM=fpGfRzkpqGqDf3y9kipZ0EQ@mail.gmail.com> (raw)
In-Reply-To: <CAAF6GDcNoDUaDSxV6N12A_bOzo8phRUX5b8-OBteuN0AmeCv0g@mail.gmail.com>

[ Resent as text/plain, after sacrificing an offering to the RFC822 gods]

On Mon, Aug 7, 2017 at 3:46 PM, Michal Hocko <mhocko@kernel.org> wrote:
>
>
> > > The use case is libraries that store or cache information, and
> > > want to know that they need to regenerate it in the child process
> > > after fork.
>
> How do they know that they need to regenerate if they do not get SEGV?
> Are they going to assume that a read of zeros is a "must init again"?
> Isn't
> that too fragile? Or do they play other tricks like parse /proc/self/smaps
> and read in the flag?

Hi from a user space crypto maintainer :) Here's how we do exactly this it
in s2n:

https://github.com/awslabs/s2n/blob/master/utils/s2n_random.c , lines 62 - 91

and here's how LibreSSL does it:

https://github.com/libressl-portable/openbsd/blob/57dcd4329d83bff3dd67a293d5c4a53b795c587e/src/lib/libc/crypt/arc4random.h
(lines 37 on)
https://github.com/libressl-portable/openbsd/blob/57dcd4329d83bff3dd67a293d5c4a53b795c587e/src/lib/libc/crypt/arc4random.c
(Line 110)

OpenSSL and libc are in the process of adding similar DRBGs and would use a
WIPEONFORK. BoringSSL's maintainers are also interested as it adds
robustness.  I also recall it being a topic of discussion at the High
Assurance Cryptography Symposium (HACS) where many crypto maintainers meet
and several more maintainers there indicated it would be nice to have.

Right now on Linux we all either use pthread_atfork() to zero the memory on
fork, or getpid() and getppid() guards. The former can be evaded by direct
syscall() and other tricks (which things like Language VMs are prone to
doing), and the latter check is probabilistic as pids can repeat, though if
you use both getpid() and getppid() - which is slow! - the probability of
both PIDs colliding is very low indeed.

The result at the moment on Linux there's no bulletproof way to detect a
fork and erase a key or DRBG state. It would really be nice to be able to
match what we can do with MAP_INHERIT_ZERO and minherit() on BSD.  madvise()
does seem like the established idiom for behavior like this on Linux.  I
don't imagine it will be hard to use in practice, we can fall back to
existing behavior if the flag isn't accepted.


-- 
Colm

  parent reply	other threads:[~2017-08-07 16:02 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-06 14:04 [PATCH v2 0/2] mm,fork,security: introduce MADV_WIPEONFORK riel
2017-08-06 14:04 ` [PATCH 1/2] x86,mpx: make mpx depend on x86-64 to free up VMA flag riel
2017-08-06 14:04 ` [PATCH 2/2] mm,fork: introduce MADV_WIPEONFORK riel
2017-08-10 15:23   ` Michal Hocko
2017-08-11 15:23     ` Rik van Riel
2017-08-11 16:36       ` Mike Kravetz
2017-08-11 16:59         ` Rik van Riel
2017-08-11 17:07           ` Mike Kravetz
2017-08-07 13:22 ` [PATCH v2 0/2] mm,fork,security: " Michal Hocko
2017-08-07 13:46   ` Michal Hocko
2017-08-07 14:19     ` Florian Weimer
2017-08-10 13:06       ` Michal Hocko
2017-08-07 14:59     ` Rik van Riel
2017-08-09  9:59       ` Kirill A. Shutemov
2017-08-09 12:31         ` Rik van Riel
2017-08-09 12:42         ` Florian Weimer
2017-08-10 13:05       ` Michal Hocko
2017-08-10 13:23         ` Colm MacCárthaigh
2017-08-10 15:36           ` Michal Hocko
     [not found]             ` <CAAF6GDeno6RpHf1KORVSxUL7M-CQfbWFFdyKK8LAWd_6PcJ55Q@mail.gmail.com>
2017-08-10 17:01               ` Michal Hocko
2017-08-10 22:09                 ` Colm MacCárthaigh
2017-08-11 14:06                   ` Michal Hocko
2017-08-11 14:11                     ` Florian Weimer
2017-08-11 14:24                       ` Michal Hocko
2017-08-11 15:24                         ` Florian Weimer
2017-08-11 15:31                           ` Michal Hocko
     [not found]     ` <CAAF6GDcNoDUaDSxV6N12A_bOzo8phRUX5b8-OBteuN0AmeCv0g@mail.gmail.com>
2017-08-07 16:02       ` Colm MacCárthaigh [this message]
2017-08-10 13:21       ` Michal Hocko
2017-08-10 14:11         ` Michal Hocko
2017-08-07 18:23 ` Mike Kravetz
2017-08-08  9:58   ` Florian Weimer
2017-08-08 13:15     ` Rik van Riel
2017-08-08 15:19       ` Mike Kravetz
2017-08-08 15:22         ` Florian Weimer
2017-08-08 15:46         ` Rik van Riel
2017-08-08 16:48           ` Colm MacCárthaigh
2017-08-08 16:52           ` Matthew Wilcox
2017-08-08 18:45             ` Rik van Riel
2017-08-10 15:31               ` Michal Hocko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAAF6GDfmBK_dOneBz=0p8MgjaM=fpGfRzkpqGqDf3y9kipZ0EQ@mail.gmail.com' \
    --to=colm@allcosts.net \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).