From: Waiman Long <longman@redhat.com>
To: Joe Perches <joe@perches.com>, David Howells <dhowells@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-mm@kvack.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH] mm: Add kvfree_sensitive() for freeing sensitive data objects
Date: Mon, 6 Apr 2020 13:58:54 -0400 [thread overview]
Message-ID: <19cbf3b1-2c3f-dd0f-a5c6-69ca3f77dd68@redhat.com> (raw)
In-Reply-To: <d509771b7e08fff0d18654b746e413e93ed62fe8.camel@perches.com>
On 4/6/20 12:10 PM, Joe Perches wrote:
> On Mon, 2020-04-06 at 17:00 +0100, David Howells wrote:
>> Joe Perches <joe@perches.com> wrote:
>>
>>>> This patch introduces a new kvfree_sensitive() for freeing those
>>>> sensitive data objects allocated by kvmalloc(). The relevnat places
>>>> where kvfree_sensitive() can be used are modified to use it.
>>> Why isn't this called kvzfree like the existing kzfree?
>> To quote Linus:
>>
>> We have a function for clearing sensitive information: it's called
>> "memclear_explicit()", and it's about forced (explicit) clearing even
>> if the data might look dead afterwards.
>>
>> The other problem with that function is the name: "__kvzfree()" is not
>> a useful name for this function. We use the "__" format for internal
>> low-level helpers, and it generally means that it does *less* than the
>> full function. This does more, not less, and "__" is not following any
>> sane naming model.
>>
>> So the name should probably be something like "kvfree_sensitive()" or
>> similar. Or maybe it could go even further, and talk about _why_ it's
>> sensitive, and call it "kvfree_cleartext()" or something like that.
>>
>> Because the clearing is really not what even matters. It might choose
>> other patterns to overwrite things with, but it might do other things
>> too, like putting special barriers for data leakage (or flags to tell
>> return-to-user-mode to do so).
>>
>> And yes, kzfree() isn't a good name either, and had that same
>> memset(), but at least it doesn't do the dual-underscore mistake.
>>
>> Including some kzfree()/crypto people explicitly - I hope we can get
>> away from this incorrect and actively wrong pattern of thinking that
>> "sensitive data should be memset(), and then we should add a random
>> 'z' in the name somewhere to 'document' that".
> Thanks.
>
> While I agree with Linus about the __ prefix,
> the z is pretty common and symmetric to all
> the <foo>zalloc uses.
>
> And if _sensitive is actually used, it'd be
> good to do a s/kzfree/kfree_sensitive/ one day
> sooner than later.
>
>
I have actually been thinking about that. I saw a couple of cases in the
crypto code where a memzero_explicit() is followed by kfree(). Those can
be replaced by kfree_sensitive.
Cheers,
Longman
next prev parent reply other threads:[~2020-04-06 17:59 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-06 2:37 Waiman Long
2020-04-06 4:20 ` David Rientjes
2020-04-06 14:36 ` Waiman Long
2020-04-06 14:39 ` Matthew Wilcox
2020-04-06 7:44 ` David Howells
2020-04-06 23:20 ` David Rientjes
2020-04-06 14:32 ` David Howells
2020-04-06 14:40 ` Waiman Long
2020-04-06 15:45 ` Joe Perches
2020-04-06 16:00 ` David Howells
2020-04-06 16:10 ` Joe Perches
2020-04-06 16:41 ` Linus Torvalds
2020-04-06 16:42 ` Joe Perches
2020-04-06 17:11 ` Linus Torvalds
2020-04-06 17:20 ` Joe Perches
2020-04-06 17:26 ` Matthew Wilcox
2020-04-06 17:33 ` Linus Torvalds
2020-04-06 17:46 ` Joe Perches
2020-04-06 17:58 ` Waiman Long [this message]
2020-04-06 18:06 ` Linus Torvalds
2020-04-06 18:46 ` Joe Perches
2020-04-06 16:26 ` David Howells
2020-04-06 16:38 ` Joe Perches
2020-04-06 17:10 ` Joe Perches
2020-04-06 17:24 ` Matthew Wilcox
2020-04-06 17:26 ` Linus Torvalds
2020-04-06 17:51 ` David Howells
2020-04-06 17:58 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=19cbf3b1-2c3f-dd0f-a5c6-69ca3f77dd68@redhat.com \
--to=longman@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jmorris@namei.org \
--cc=joe@perches.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox