From: Rich Felker
Newsgroups: gmane.linux.lib.musl.general,gmane.comp.gcc.devel,gmane.comp.lib.glibc.alpha
Subject: Re: Compiler support for erasure of sensitive data
Date: Wed, 9 Sep 2015 13:13:38 -0400
Message-ID: <20150909171337.GH17773@brightrain.aerifal.cx>
References: <55F05FF1.3000405@panix.com> <20150909164228.GD17773@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
Cc: gcc@gcc.gnu.org, GNU C Library, musl@lists.openwall.com
To: Zack Weinberg

On Wed, Sep 09, 2015 at 12:47:10PM -0400, Zack Weinberg wrote:
> On Wed, Sep 9, 2015 at 12:42 PM, Rich Felker wrote:
> > You're making this harder than it needs to be. The "m" constraint is
> > the wrong thing to use here. Simply use:
> >
> >         __asm__(""::"r"(ptr):"memory");
>
> Please review my earlier conversation with Adhemerval on exactly this point.

My understanding is that you consider this a "big hammer". Does that
really matter if the intent is that it only be used in isolated,
sensitive contexts? Are you just unhappy with the performance cost, or
concerned that the clobber will cause more spilling of sensitive data?
I'm doubtful that this would happen because a "memory" clobber does
not affect all data cached in registers, only data which is
potentially reachable by the asm.

In any case, I think the intent of my reply was unclear. I did not
mean to detract from the idea of compiler support for handling of
sensitive data, just to point out that the hack with the "m"
constraint is wrong and easily fixed. It still may be possible to get
much better results via other means.

Rich
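
The barrier quoted in the message above, placed after a memset of a stack buffer, as an added example that is not code from this thread or from musl, GCC or glibc. The names erase_sensitive, all_zero and tag_with_key, the FNV-style mixing and the sample key are constructed for illustration, and a GCC-compatible compiler is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: zero a buffer and keep the compiler from dropping the store. */
static void erase_sensitive(void *ptr, size_t len)
{
    memset(ptr, 0, len);
    /* Barrier from the message: ptr is handed to an empty asm and memory is
     * declared clobbered, so the compiler must assume the asm may read the
     * buffer and cannot discard the memset as a dead store. An asm with no
     * output operands is implicitly volatile in GCC, so it is not deleted. */
    __asm__("" : : "r"(ptr) : "memory");
}

/* Returns 1 when every byte of buf is zero. */
static int all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Constructed stand-in for key-dependent work: expands the key into a stack
 * scratch buffer, folds the message into a tag, then erases the scratch. */
uint32_t tag_with_key(const unsigned char *key, size_t keylen,
                      const unsigned char *msg, size_t msglen)
{
    unsigned char scratch[64];
    uint32_t tag = 2166136261u;          /* FNV-1a offset basis */

    if (keylen == 0)
        return 0;                        /* nothing sensitive was written */
    for (size_t i = 0; i < sizeof scratch; i++)
        scratch[i] = key[i % keylen] ^ (unsigned char)i;
    for (size_t i = 0; i < msglen; i++) {
        tag ^= (uint32_t)(msg[i] ^ scratch[i % sizeof scratch]);
        tag *= 16777619u;                /* FNV prime */
    }
    /* scratch is never read again, so a bare memset here would be a dead store. */
    erase_sensitive(scratch, sizeof scratch);
    return tag;
}

int main(void)
{
    static const unsigned char key[] = "constructed-key";   /* constructed sample */
    static const unsigned char msg[] = "hello";
    printf("%08x\n", (unsigned)tag_with_key(key, sizeof key - 1, msg, sizeof msg - 1));
    return 0;
}
```

Comparing the optimized assembly (for example with -O2 -S) with and without the __asm__ line shows whether the stores to scratch survive.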