[v9,01/15] eal: introduce new secure memory zero
Commit Message
When memset() is used before a release function such as free,
the compiler is allowed to optimize the memset away under
the as-if rules. This is normally ok, but in certain cases such
as passwords or security keys it is problematic.
Introduce a DPDK wrapper which uses the bzero_explicit function
or SecureZeroMemory on Windows.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Morten Brørup <mb@smartsharesystems.com>
---
lib/eal/common/eal_common_string_fns.c | 14 ++++++++++++++
lib/eal/include/rte_string_fns.h | 18 ++++++++++++++++++
lib/eal/version.map | 3 +++
3 files changed, 35 insertions(+)
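As an added illustration of the dead-store problem the commit message describes (example code, not part of this patch or of DPDK): a portable fallback that forces the wipe through a volatile function pointer, the usual technique on targets that have neither explicit_bzero() nor SecureZeroMemory(), together with a checker a caller can use to confirm the wipe actually happened. The names portable_memzero_explicit, buffer_is_zero and use_key_then_wipe are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical portable fallback (not DPDK code). Calling memset through a
 * volatile function pointer means the compiler cannot prove which function
 * runs, so it cannot treat the zeroing as a dead store and drop it under the
 * as-if rule the way it may with a direct memset() before free()/return. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void portable_memzero_explicit(void *dst, size_t sz)
{
    (void)memset_ptr(dst, 0, sz);
}

/* Returns 1 if every byte of buf is zero, else 0. The read goes through a
 * volatile pointer so the check itself is not folded away either. */
int buffer_is_zero(const void *buf, size_t sz)
{
    const volatile unsigned char *p = buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < sz; i++)
        acc |= p[i];
    return acc == 0;
}

/* Constructed key-handling flow: mix a caller-owned key buffer into a simple
 * checksum, then wipe the key before returning. The caller keeps the buffer,
 * so the wipe is observable (with free() it would not be, which is exactly
 * why a plain memset() there may be elided). */
uint32_t use_key_then_wipe(unsigned char *key, size_t key_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < key_len; i++)
        sum = sum * 31u + key[i];
    portable_memzero_explicit(key, key_len);
    return sum;
}

/* Self-check: returns 1 if the key was consumed and then fully wiped. */
int demo_wipe_check(void)
{
    unsigned char key[16];                 /* constructed sample key */
    for (size_t i = 0; i < sizeof(key); i++)
        key[i] = (unsigned char)(i + 1);
    uint32_t sum = use_key_then_wipe(key, sizeof(key));
    return sum != 0 && buffer_is_zero(key, sizeof(key));
}
```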
Comments
20/02/2025 17:27, Stephen Hemminger:
> --- a/lib/eal/include/rte_string_fns.h
> +++ b/lib/eal/include/rte_string_fns.h
> +__rte_experimental
> +void
> +rte_memzero_explicit(void *dst, size_t sz);
This function is not about strings.
Better to move it to rte_memory.h (even if not ideal).
I'll try to move while merging.
On Wed, 11 Jun 2025 14:34:49 +0200
Thomas Monjalon <thomas@monjalon.net> wrote:
> 20/02/2025 17:27, Stephen Hemminger:
> > --- a/lib/eal/include/rte_string_fns.h
> > +++ b/lib/eal/include/rte_string_fns.h
> > +__rte_experimental
> > +void
> > +rte_memzero_explicit(void *dst, size_t sz);
>
> This function is not about strings.
> Better to move it to rte_memory.h (even if not ideal).
> I'll try to move while merging.
>
>
I chose rte_string_fns.h since regular memset prototype
is in string.h
11/06/2025 16:57, Stephen Hemminger:
> On Wed, 11 Jun 2025 14:34:49 +0200
> Thomas Monjalon <thomas@monjalon.net> wrote:
>
> > 20/02/2025 17:27, Stephen Hemminger:
> > > --- a/lib/eal/include/rte_string_fns.h
> > > +++ b/lib/eal/include/rte_string_fns.h
> > > +__rte_experimental
> > > +void
> > > +rte_memzero_explicit(void *dst, size_t sz);
> >
> > This function is not about strings.
> > Better to move it to rte_memory.h (even if not ideal).
> > I'll try to move while merging.
>
> I chose rte_string_fns.h since regular memset prototype
> is in string.h
I know, and I think the libc choice was strange :)
@@ -10,6 +10,10 @@
#include <rte_string_fns.h>
#include <rte_errno.h>
+#ifdef RTE_EXEC_ENV_WINDOWS
+#include <rte_windows.h>
+#endif
+
/* split string into tokens */
int
rte_strsplit(char *string, int stringlen,
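Review bot: the new include is correctly guarded by RTE_EXEC_ENV_WINDOWS, but nothing in this string-helper file explains why rte_windows.h is now pulled in; a one-line comment on the `+#include <rte_windows.h>` line saying it is needed for SecureZeroMemory() would save the next reader a trip to the bottom of the file.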
@@ -98,3 +102,13 @@ rte_str_to_size(const char *str)
}
return size;
}
+
+void
+rte_memzero_explicit(void *dst, size_t sz)
+{
+#ifdef RTE_EXEC_ENV_WINDOWS
+ SecureZeroMemory(dst, sz);
+#else
+ explicit_bzero(dst, sz);
+#endif
+}
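Review bot: explicit_bzero() is called unconditionally on every non-Windows target, but it is a glibc/BSD extension rather than ISO C, and the commit message refers to it as "bzero_explicit", which does not match the call in this hunk; suggest fixing the commit message and adding a build-time has_function check with a fallback (memset through a volatile function pointer, or memset_s where available) so builds against other C libraries still link. Keeping the body out of line in eal_common_string_fns.c rather than as a static inline in the header is the right call here, since a call into another translation unit is what the compiler cannot see through.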
@@ -149,6 +149,24 @@ rte_str_skip_leading_spaces(const char *src)
return p;
}
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice.
+ *
+ * Fill memory with zero's (e.g. sensitive keys).
+ * Normally using memset() is fine, but in cases where clearing out local data
+ * before going out of scope is required, use rte_memzero_explicit() instead
+ * to prevent the compiler from optimizing away the zeroing operation.
+ *
+ * @param dst
+ * target buffer
+ * @param sz
+ * number of bytes to fill
+ */
+__rte_experimental
+void
+rte_memzero_explicit(void *dst, size_t sz);
+
#ifdef __cplusplus
}
#endif
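Review bot: "zero's" in the doc comment should be "zeros", and since the thread already questions placing a memory primitive in rte_string_fns.h, the header location should be settled before merge rather than moved afterwards. It would also help callers if the comment stated what the guarantee covers: only the bytes of dst are cleared, so copies of the secret the compiler has placed elsewhere (registers, spilled stack slots) are outside its scope.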
@@ -398,6 +398,9 @@ EXPERIMENTAL {
# added in 24.11
rte_bitset_to_str;
rte_lcore_var_alloc;
+
+ # added in 25.03
+ rte_memzero_explicit;
};
INTERNAL {