This is the mail archive of the
mailing list for the GCC project.
Re: [musl] Compiler support for erasure of sensitive data
- From: Rich Felker <dalias at libc dot org>
- To: Zack Weinberg <zackw at panix dot com>
- Cc: gcc at gcc dot gnu dot org, GNU C Library <libc-alpha at sourceware dot org>, musl at lists dot openwall dot com
- Date: Wed, 9 Sep 2015 13:13:38 -0400
- Subject: Re: [musl] Compiler support for erasure of sensitive data
- Authentication-results: sourceware.org; auth=none
- References: <55F05FF1 dot 3000405 at panix dot com> <20150909164228 dot GD17773 at brightrain dot aerifal dot cx> <CAKCAbMjpOAzS-vHfy27BxHikUeaRziZ1hhmWLX_F2Gt9ajgE7g at mail dot gmail dot com>
On Wed, Sep 09, 2015 at 12:47:10PM -0400, Zack Weinberg wrote:
> On Wed, Sep 9, 2015 at 12:42 PM, Rich Felker <firstname.lastname@example.org> wrote:
> > You're making this harder than it needs to be. The "m" constraint is
> > the wrong thing to use here. Simply use:
> > __asm__(""::"r"(ptr):"memory");
> Please review my earlier conversation with Adhemerval on exactly this point.
My understanding is that you consider this a "big hammer". Does that
really matter if the intent is that it only be used in isolated,
sensitive contexts? Are you just unhappy with the performance cost, or
concerned that the clobber will cause more spilling of sensitive data?
I'm doubtful that this would happen because a "memory" clobber does
not affect all data cached in registers, only data which is
potentially reachable by the asm.
In any case, I think the intent of my reply was unclear. I did not
mean to detract from the idea of compiler support for handling of
sensitive data, just to point out that the hack with the "m"
constraint is wrong and easily fixed. It still may be possible to get
much better results via other means.