4:32 a.m.
If we're going to have a virSecureErase function, we
might as well make it do secure erasure with currently
available explicit_bzero in FreeBSD/Linux.
While we're here, we should use it from the RPC code.
The remaining hole in the RPC code is xdr_free which
does not securely erase buffers. That's not easily
fixed without dropping the RPC impl in favour of a
custom one.
Daniel P. Berrangé (3):
util: implement secure erase with explicit_bzero
rpc: fix buffer offset updates after decoding payload
rpc: securely erase the message buffers
meson.build | 1 +
src/rpc/virnetmessage.c | 4 +++-
src/util/virsecureerase.c | 6 ++++++
3 files changed, 10 insertions(+), 1 deletion(-)
--
2.38.1
4:32 a.m.
New subject: [libvirt PATCH 1/3] util: implement secure erase with explicit_bzero
This is available on at least FreeBSD and GLibc >= 2.25.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
meson.build | 1 +
src/util/virsecureerase.c | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/meson.build b/meson.build
index f9834a36c2..553d4328d0 100644
--- a/meson.build
+++ b/meson.build
@@ -537,6 +537,7 @@ libvirt_export_dynamic = cc.first_supported_link_argument([
functions = [
'elf_aux_info',
+ 'explicit_bzero',
'fallocate',
'getauxval',
'getegid',
diff --git a/src/util/virsecureerase.c b/src/util/virsecureerase.c
index ead12803da..00542da99d 100644
--- a/src/util/virsecureerase.c
+++ b/src/util/virsecureerase.c
@@ -19,6 +19,8 @@
#include <config.h>
+#include <string.h>
+
#include "virsecureerase.h"
/**
@@ -40,7 +42,11 @@ virSecureErase(void *ptr,
if (!ptr || size == 0)
return;
+#ifdef WITH_EXPLICIT_BZERO
+ explicit_bzero(ptr, size);
+#else
memset(ptr, 0, size);
+#endif
}
/**
--
2.38.1
4:32 a.m.
New subject: [libvirt PATCH 2/3] rpc: fix buffer offset updates after decoding payload
The buffer length refers to the allocated buffer memory size,
while the offset refers to have much of the buffer we have
read/written. After reading the message payload we must thus
update the latter.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/rpc/virnetmessage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rpc/virnetmessage.c b/src/rpc/virnetmessage.c
index ceba1a5a8e..438c75b049 100644
--- a/src/rpc/virnetmessage.c
+++ b/src/rpc/virnetmessage.c
@@ -423,7 +423,7 @@ int virNetMessageDecodePayload(virNetMessage *msg,
}
/* Get the length stored in buffer. */
- msg->bufferLength += xdr_getpos(&xdr);
+ msg->bufferOffset += xdr_getpos(&xdr);
xdr_destroy(&xdr);
return 0;
--
2.38.1
4:32 a.m.
New subject: [libvirt PATCH 3/3] rpc: securely erase the message buffers
While only a couple of the message types include sensitive data,
the overhead of calling secure erase is not noticable enough
to worry about making the erasure selective per type. Thus it is
simplest to unconditionally securely erase the buffer.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/rpc/virnetmessage.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/rpc/virnetmessage.c b/src/rpc/virnetmessage.c
index 438c75b049..c9698fb263 100644
--- a/src/rpc/virnetmessage.c
+++ b/src/rpc/virnetmessage.c
@@ -28,6 +28,7 @@
#include "virlog.h"
#include "virfile.h"
#include "virutil.h"
+#include "virsecureerase.h"
#define VIR_FROM_THIS VIR_FROM_RPC
@@ -65,6 +66,7 @@ virNetMessageClearPayload(virNetMessage *msg)
{
virNetMessageClearFDs(msg);
+ virSecureErase(msg->buffer, msg->bufferLength);
msg->bufferOffset = 0;
msg->bufferLength = 0;
VIR_FREE(msg->buffer);
--
2.38.1
5:47 a.m.
On a Monday in 2022, Daniel P. Berrangé wrote:
If we're going to have a virSecureErase function, we
might as well make it do secure erasure with currently
available explicit_bzero in FreeBSD/Linux.
While we're here, we should use it from the RPC code.
The remaining hole in the RPC code is xdr_free which
does not securely erase buffers. That's not easily
fixed without dropping the RPC impl in favour of a
custom one.
Daniel P. Berrangé (3):
util: implement secure erase with explicit_bzero
rpc: fix buffer offset updates after decoding payload
rpc: securely erase the message buffers
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano
710
days inactive
710
days old
4 comments
2 participants
participants (2)
-
Daniel P. Berrangé -
Ján Tomko