On 2/22/21 7:15 PM, Daniel P. Berrangé wrote: > On Fri, Feb 19, 2021 at 03:09:43PM +0100, Philippe Mathieu-Daudé wrote: >> On 2/19/21 12:07 PM, Max Reitz wrote: >>> On 13.02.21 22:54, Fam Zheng wrote: >>>> On 2021-02-11 15:26, Philippe Mathieu-Daudé wrote: >>>>> The null-co driver doesn't zeroize buffer in its default config, >>>>> because it is designed for testing and tests want to run fast. >>>>> However this confuses security researchers (access to uninit >>>>> buffers). >>>> >>>> I'm a little surprised. >>>> >>>> Is changing default the only way to fix this? I'm not opposed to >>>> changing the default but I'm not convinced this is the easiest way. >>>> block/nvme.c also doesn't touch the memory, but defers to the device >>>> DMA, why doesn't that confuse the security checker? >> >> Generally speaking, there is a balance between security and performance. >> We try to provide both, but when we can't, my understanding is security >> is more important. >> >> Customers expect a secure product. If they prefer performance and >> at the price of security, it is also possible by enabling an option >> that is not the default. >> >> I'm not sure why you mention block/nvme here. I have the understanding >> the null-co driver is only useful for testing. Are there production >> cases where null-co is used? > > Do we have any real world figures for the performance of null-co > with & without zero'ing ? Before worrying about a tradeoff of > security vs performance, it'd be good to know if there is actually > a real world performance problem in the first place. Personally I'd > go for zero'ing by defualt unless the performance hit was really > bad.
I simply wanted to help the security team by removing the amount of reports using the null-co driver. This is probably easier to resolve with one documentation line. As I am not understanding where this thread is heading, I am taking a step back with this topic. Please disregard this series. Regards, Phil.