x86/tboot: actually wipe contexts

Especially with our use of __builtin_memset() to implement memset() the
compiler is free to eliminate instances when it can prove that the
affected object is dead. Introduce a small helper function accompanying
the memset() with a construct forcing the compiler to retain the
clearing of (stack) memory.

Fixes: c021c95498d9 ("x86: Replace our own specialised versions of memset and memcpy with")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/xen/arch/x86/tboot.c b/xen/arch/x86/tboot.c
index 68bee222ddf41fedd8fc976d26554847c1acda47..90f6e805a9fb3792e9c8a0e763569202a6feffa3 100644 (file)
--- a/xen/arch/x86/tboot.c
+++ b/xen/arch/x86/tboot.c
@@ -179,6 +179,17 @@ static void update_iommu_mac(vmac_ctx_t *ctx, uint64_t pt_maddr, int level)
 #define is_page_in_use(page) \
     (page_state_is(page, inuse) || page_state_is(page, offlining))
 
+/* Wipe ctx to ensure key is not left in memory. */
+static void wipe_ctx(vmac_ctx_t *ctx)
+{
+    memset(ctx, 0, sizeof(*ctx));
+    /*
+     * Make sure the compiler won't optimize out the memset(), for the local
+     * variable (at the call sites) going out of scope right afterwards.
+     */
+    asm volatile ( "" :: "m" (*ctx) );
+}
+
 static void tboot_gen_domain_integrity(const uint8_t key[TB_KEY_SIZE],
                                        vmac_t *mac)
 {
@@ -216,8 +227,7 @@ static void tboot_gen_domain_integrity(const uint8_t key[TB_KEY_SIZE],
 
     *mac = vmac(NULL, 0, nonce, NULL, &ctx);
 
-    /* wipe ctx to ensure key is not left in memory */
-    memset(&ctx, 0, sizeof(ctx));
+    wipe_ctx(&ctx);
 }
 
 static void tboot_gen_xenheap_integrity(const uint8_t key[TB_KEY_SIZE],
@@ -247,8 +257,7 @@ static void tboot_gen_xenheap_integrity(const uint8_t key[TB_KEY_SIZE],
     }
     *mac = vmac(NULL, 0, nonce, NULL, &ctx);
 
-    /* wipe ctx to ensure key is not left in memory */
-    memset(&ctx, 0, sizeof(ctx));
+    wipe_ctx(&ctx);
 }
 
 static void tboot_gen_frametable_integrity(const uint8_t key[TB_KEY_SIZE],
@@ -276,8 +285,7 @@ static void tboot_gen_frametable_integrity(const uint8_t key[TB_KEY_SIZE],
 
     *mac = vmac(NULL, 0, nonce, NULL, &ctx);
 
-    /* wipe ctx to ensure key is not left in memory */
-    memset(&ctx, 0, sizeof(ctx));
+    wipe_ctx(&ctx);
 }
 
 void tboot_shutdown(uint32_t shutdown_type)