On Fri, 19 Apr 2024, Zack Weinberg wrote:
> On Fri, Apr 19, 2024, at 4:15 PM, Mikulas Patocka wrote:
> > On Fri, 19 Apr 2024, Zack Weinberg wrote:
> >> ... the copy
> >> of round_keys in the vector registers *won't* get erased -- the exact
> >> problem being discussed in this thread.
> >
> > On the SYSV ABI, all the vector registers are volatile, so you can erase
> > them in explicit_bzero.
> >
> > On Windows 64-bit ABI, it is more problematic, because some of the vector
> > registers must be preserved.
>
> Oh, huh. Yes, that would work.
I've just realized that this wouldn't work - if the function
explicit_bzero is lazily resolved, the dynamic linker would spill the
vector registers to the stack prior to calling explicit_bzero.
> Call-preserved registers are not a
> problem, because any function that puts secret data in a call-preserved
> register in the first place, must erase it again (by restoring the old
> value) before returning. Therefore, if we made explicit_bzero wipe *all*
> the call-clobbered registers before returning, my example function would
> be safe.
>
> There's still a place secrets could leak to and not get erased, though:
> register spill slots on the stack. Only the compiler could plug this
> leak. Long term, I think what we want is something like
> __attribute__((sensitive)), which can only be applied to variables with
> automatic storage duration, and which means "erase all copies of this
> variable's value, wherever they wound up, at the end of its lifetime."
> Note that such variables must not be put in call-preserved registers in
> non-leaf functions, because then they might get spilled to the stack by
> a callee, which has no way of knowing that it's just leaked a secret.
> And I suppose we might also want to worry about signal frames. Nobody
> said this was gonna be easy ;-)
>
> zw
Yes.
Another problem is varargs - if there is at least one floating point
argument, the compiler will store 8 XMM registers on the stack regardless
of whether they are used or not.
In the past it didn't do it (it made indirect jump based on the value in
the %AL register to save only the used registers), but someone probably
found out that indirect jumps are expensive and that storing all 8
registers is faster.
Mikulas
