Re: [PATCH v4 1/6] crypto: lib/sha256 - Use memzero_explicit() for clearing state

From: Ard Biesheuvel
Date: Mon Oct 26 2020 - 03:59:24 EST


On Sun, 25 Oct 2020 at 15:31, Arvind Sankar <nivedita@xxxxxxxxxxxx> wrote:
>
> Without the barrier_data() inside memzero_explicit(), the compiler may
> optimize away the state-clearing if it can tell that the state is not
> used afterwards. At least in lib/crypto/sha256.c:__sha256_final(), the
> function can get inlined into sha256(), in which case the memset is
> optimized away.
>
> Signed-off-by: Arvind Sankar <nivedita@xxxxxxxxxxxx>
> Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>

Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx>

> ---
> lib/crypto/sha256.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
> index 2321f6cb322f..d43bc39ab05e 100644
> --- a/lib/crypto/sha256.c
> +++ b/lib/crypto/sha256.c
> @@ -265,7 +265,7 @@ static void __sha256_final(struct sha256_state *sctx, u8 *out, int digest_words)
> put_unaligned_be32(sctx->state[i], &dst[i]);
>
> /* Zeroize sensitive information. */
> - memset(sctx, 0, sizeof(*sctx));
> + memzero_explicit(sctx, sizeof(*sctx));
> }
>
> void sha256_final(struct sha256_state *sctx, u8 *out)
> --
> 2.26.2
>