[libvirt PATCH 0/3] Actually do secure erase with explicit_bzero

If we're going to have a virSecureErase function, we might as well make it do secure erasure with currently available explicit_bzero in FreeBSD/Linux. While we're here, we should use it from the RPC code. The remaining hole in the RPC code is xdr_free which does not securely erase buffers. That's not easily fixed without dropping the RPC impl in favour of a custom one.

Daniel P. Berrangé (3):
  util: implement secure erase with explicit_bzero
  rpc: fix buffer offset updates after decoding payload
  rpc: securely erase the message buffers

 meson.build               | 1 +
 src/rpc/virnetmessage.c   | 4 +++-
 src/util/virsecureerase.c | 6 ++++++
 3 files changed, 10 insertions(+), 1 deletion(-)

-- 
2.38.1
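The cover letter's point is that a plain memset before a free can be dropped by the compiler as a dead store, which is why the series switches to explicit_bzero. The following is an added, self-contained C example written for this page; it is not libvirt's code. It shows the same shape as the patched virSecureErase (explicit_bzero where it is known to exist, otherwise a fallback the compiler cannot elide) and a clear-payload routine that mirrors the erase-before-free ordering of the third patch. All demo_* names and the demo_msg struct are hypothetical stand-ins, and the platform detection approximates what libvirt's meson check (WITH_EXPLICIT_BZERO) decides at build time.

```c
/* Added example, not libvirt code. demo_* names are hypothetical. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Use explicit_bzero where we know it exists: FreeBSD, and glibc >= 2.25.
 * libvirt makes this decision in meson (WITH_EXPLICIT_BZERO); here it is
 * approximated with libc/compiler macros (__GLIBC__ is visible once
 * <string.h> has been included). Other libcs take the fallback path. */
#if defined(__FreeBSD__) || \
    (defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25)))
# define DEMO_WITH_EXPLICIT_BZERO 1
/* Explicit prototype so the example also builds under strict -std=c99,
 * where <string.h> may not expose the declaration. */
void explicit_bzero(void *s, size_t n);
#endif

/* Zero SIZE bytes at PTR in a way that survives dead-store elimination. */
void demo_secure_erase(void *ptr, size_t size)
{
    if (!ptr || size == 0)
        return;
#ifdef DEMO_WITH_EXPLICIT_BZERO
    explicit_bzero(ptr, size);
#else
    /* Fallback: stores through a volatile pointer are observable side
     * effects, so the compiler must emit them even if PTR is freed next.
     * A bare memset(ptr, 0, size) here could legally be optimised away. */
    volatile unsigned char *p = ptr;
    while (size--)
        *p++ = 0;
#endif
}

/* Return 1 if every byte in PTR[0..SIZE) is zero, else 0. */
int demo_buffer_is_zero(const void *ptr, size_t size)
{
    const unsigned char *p = ptr;
    size_t i;
    for (i = 0; i < size; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Minimal stand-in for the virNetMessage fields the patches touch. */
typedef struct {
    unsigned char *buffer;   /* allocated payload memory */
    size_t bufferOffset;     /* how much of the buffer has been read/written */
    size_t bufferLength;     /* allocated size of buffer */
} demo_msg;

/* Same ordering as the patched virNetMessageClearPayload: erase the whole
 * allocation while its size is still known, then reset the counters and
 * free. Returns the number of bytes erased. */
size_t demo_msg_clear_payload(demo_msg *msg)
{
    size_t erased = msg->buffer ? msg->bufferLength : 0;
    demo_secure_erase(msg->buffer, msg->bufferLength);
    msg->bufferOffset = 0;
    msg->bufferLength = 0;
    free(msg->buffer);
    msg->buffer = NULL;
    return erased;
}

/* Fill a fresh SIZE-byte buffer with constructed "secret" bytes, erase it,
 * and report whether it reads back as all zeros (1) or not (0). */
int demo_erase_and_verify(size_t size)
{
    unsigned char *buf;
    int ok;
    if (size == 0)
        return 1;                 /* nothing to erase, nothing to leak */
    buf = malloc(size);
    if (!buf)
        return 0;
    memset(buf, 0xA5, size);      /* constructed sensitive payload */
    demo_secure_erase(buf, size);
    ok = demo_buffer_is_zero(buf, size);
    free(buf);
    return ok;
}

int main(void)
{
    demo_msg msg;
    msg.bufferLength = 128;
    msg.bufferOffset = 0;
    msg.buffer = malloc(msg.bufferLength);
    if (!msg.buffer)
        return 1;
    memset(msg.buffer, 0x5A, msg.bufferLength);   /* constructed payload */
    printf("erase+verify(64): %d\n", demo_erase_and_verify(64));
    printf("cleared %zu bytes\n", demo_msg_clear_payload(&msg));
    return 0;
}
```

The volatile byte loop is the portable fallback; on GCC/Clang a memset followed by a `__asm__ __volatile__("" : : "r"(ptr) : "memory")` barrier is an equally common choice. Either way the property to test is the one the cover letter cares about: the bytes are zero after the call regardless of what the caller does with the pointer afterwards.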

This is available on at least FreeBSD and GLibc >= 2.25. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- meson.build | 1 + src/util/virsecureerase.c | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/meson.build b/meson.build index f9834a36c2..553d4328d0 100644 --- a/meson.build +++ b/meson.build @@ -537,6 +537,7 @@ libvirt_export_dynamic = cc.first_supported_link_argument([ functions = [ 'elf_aux_info', + 'explicit_bzero', 'fallocate', 'getauxval', 'getegid', diff --git a/src/util/virsecureerase.c b/src/util/virsecureerase.c index ead12803da..00542da99d 100644 --- a/src/util/virsecureerase.c +++ b/src/util/virsecureerase.c @@ -19,6 +19,8 @@ #include <config.h> +#include <string.h> + #include "virsecureerase.h" /** @@ -40,7 +42,11 @@ virSecureErase(void *ptr, if (!ptr || size == 0) return; +#ifdef WITH_EXPLICIT_BZERO + explicit_bzero(ptr, size); +#else memset(ptr, 0, size); +#endif } /** -- 2.38.1
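Review bot: the `memset(ptr, 0, size);` left in the `#else` branch of the virSecureErase hunk still has the weakness this series sets out to remove: when the caller frees or discards `ptr` right after the call, the compiler may treat the memset as a dead store and drop it, so builds without WITH_EXPLICIT_BZERO get no real erasure. Suggest either a volatile byte loop or a compiler barrier after the memset (for example `__asm__ __volatile__("" : : "r"(ptr) : "memory")` on GCC/Clang) in the fallback, or at minimum a note in the function's doc comment that erasure is only guaranteed when explicit_bzero is available.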

The buffer length refers to the allocated buffer memory size, while the offset refers to how much of the buffer we have read/written. After reading the message payload we must thus update the latter. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/rpc/virnetmessage.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rpc/virnetmessage.c b/src/rpc/virnetmessage.c index ceba1a5a8e..438c75b049 100644 --- a/src/rpc/virnetmessage.c +++ b/src/rpc/virnetmessage.c @@ -423,7 +423,7 @@ int virNetMessageDecodePayload(virNetMessage *msg, } /* Get the length stored in buffer. */ - msg->bufferLength += xdr_getpos(&xdr); + msg->bufferOffset += xdr_getpos(&xdr); xdr_destroy(&xdr); return 0; -- 2.38.1
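Review bot: the switch from `bufferLength` to `bufferOffset` matches the description, but nothing in the hunk makes the invariant between the two fields explicit; since the commit message defines bufferLength as the allocated size, a cheap check that `msg->bufferOffset <= msg->bufferLength` after the update (failing the decode rather than continuing) would document the relationship and catch any future regression. As a standalone bug fix that does not depend on the secure-erase work, this patch could also be applied on its own ahead of the rest of the series.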

While only a couple of the message types include sensitive data, the overhead of calling secure erase is not noticeable enough to worry about making the erasure selective per type. Thus it is simplest to unconditionally securely erase the buffer. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/rpc/virnetmessage.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/rpc/virnetmessage.c b/src/rpc/virnetmessage.c index 438c75b049..c9698fb263 100644 --- a/src/rpc/virnetmessage.c +++ b/src/rpc/virnetmessage.c @@ -28,6 +28,7 @@ #include "virlog.h" #include "virfile.h" #include "virutil.h" +#include "virsecureerase.h" #define VIR_FROM_THIS VIR_FROM_RPC @@ -65,6 +66,7 @@ virNetMessageClearPayload(virNetMessage *msg) { virNetMessageClearFDs(msg); + virSecureErase(msg->buffer, msg->bufferLength); msg->bufferOffset = 0; msg->bufferLength = 0; VIR_FREE(msg->buffer); -- 2.38.1
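Review bot: the `virSecureErase(msg->buffer, msg->bufferLength);` call is correctly placed before bufferLength is zeroed and before VIR_FREE, so the full allocation size is still known at that point. Two things worth confirming in the commit message or a comment: that virNetMessageClearPayload is the only path on which msg->buffer is released (any other free, or a reallocation that grows the buffer, would leave an unerased copy behind), and that bufferLength here really is the allocated size rather than the bytes in use, since the previous patch's description distinguishes the two. A one-line comment above the call stating that every message type is erased on purpose, as the commit message explains, would spare a future reader from trying to make it selective.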

On a Monday in 2022, Daniel P. Berrangé wrote:
If we're going to have a virSecureErase function, we might as well make it do secure erasure with currently available explicit_bzero in FreeBSD/Linux.
While we're here, we should use it from the RPC code.
The remaining hole in the RPC code is xdr_free which does not securely erase buffers. That's not easily fixed without dropping the RPC impl in favour of a custom one.
Daniel P. Berrangé (3):
  util: implement secure erase with explicit_bzero
  rpc: fix buffer offset updates after decoding payload
  rpc: securely erase the message buffers
Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano