This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] explicit_bzero final

From: Zack Weinberg <zackw at panix dot com>
To: Jeff Law <law at redhat dot com>
Cc: Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>, Joseph Myers <joseph at codesourcery dot com>, Adhemerval Zanella <adhemerval dot zanella at linaro dot org>, Wilco Dijkstra <Wilco dot Dijkstra at arm dot com>
Date: Fri, 16 Dec 2016 16:35:31 -0500
Subject: Re: [PATCH] explicit_bzero final
Authentication-results: sourceware.org; auth=none
References: <20161212230622.14045-1-zackw@panix.com> <96232743-345c-5126-e526-9a8aadc4fdb7@redhat.com> <CAKCAbMgRrFKsisTu1wMYtLnc44Zwt5-GPFpt8GPWu2oXv6JN=Q@mail.gmail.com> <2e51eedf-874e-cb81-79a6-0a0c667371db@redhat.com> <CAKCAbMgxfviybrcRtSO-=eEc0YQc-TfwP+fvtKqQsodBTr_isg@mail.gmail.com> <ad37af4c-f3a5-00ec-b7aa-cee930a0f08b@redhat.com> <CAKCAbMgeK23rcGA-uQUjC8ctXTcYcSpYquyO8kwku7Kn0Q=NQQ@mail.gmail.com> <af2c6326-a763-0dd0-a8d5-f818a9678987@redhat.com> <65af2074-e961-9c4a-836a-4a736b49d6e2@panix.com> <6a5179d4-fe8c-a101-380a-88c3ad94684d@redhat.com>

On Fri, Dec 16, 2016 at 1:26 PM, Jeff Law <law@redhat.com> wrote:
> On 12/15/2016 04:21 PM, Zack Weinberg wrote:
>> To be clear, explicit_bzero itself is not going away.  It is already in
>> use in a wide variety of applications, and substitutes (such as the
>> hypothetical __attribute__((sensitive))) will not become widespread
>> quickly enough to avoid adding it to glibc.  I've been working on this
>> patch off and on for _two years_, and I picked it up from someone else
>> who'd given up on the process after roughly that long himself.  I fully
>> intend to commit it in some form tomorrow evening; I consider missing
>> 2.25 unacceptable.
>
> Understood.  And my position is that explicit_bzero is inherently flawed.
> You really need direct compiler support.
>
> So while it's not going away and it's an incremental improvement over
> nothing, it comes with a cost.  Namely that some objects which previously
> weren't addressable become addressable and are now sitting in memory waiting
> to be extracted.

I do agree with both parts of this as well.

>> What I'd hope we could do with compiler-side smarts is _convert_
>> explicit_bzero to __attribute__((sensitive)) or a clobbering assignment
>> or whatever the most convenient compiler-side representation winds up
>> being, so that artifacts of glibc's implementation become irrelevant.
>
> We can likely infer something passed to explicit_bzero is sensitive and
> build a web to capture whatever DECLs potentially feed the explicit_bzero.
> So we convert the fence to the CONSTRUCTOR assignment.  That's fine. Then
> we'd want DSE to eliminate the memset, then recompute addressability.

What I just committed to glibc does not have the inlines, so that
memset won't be kicking around.  It will probably still be necessary
to recompute addressability after lowering the builtin, though.

I wish I could say that I would have time to help with making compiler
support happen, but realistically I don't.

zw

References:
- [PATCH] explicit_bzero final
  - From: Zack Weinberg
- Re: [PATCH] explicit_bzero final
  - From: Florian Weimer
- Re: [PATCH] explicit_bzero final
  - From: Zack Weinberg
- Re: [PATCH] explicit_bzero final
  - From: Jeff Law
- Re: [PATCH] explicit_bzero final
  - From: Zack Weinberg
- Re: [PATCH] explicit_bzero final
  - From: Jeff Law
- Re: [PATCH] explicit_bzero final
  - From: Zack Weinberg
- Re: [PATCH] explicit_bzero final
  - From: Jeff Law
- Re: [PATCH] explicit_bzero final
  - From: Zack Weinberg
- Re: [PATCH] explicit_bzero final
  - From: Jeff Law

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]