net: atlantic: macsec: clear encryption keys from the stack

author Antoine Tenart <atenart@kernel.org>

Tue, 8 Nov 2022 15:34:59 +0000 (16:34 +0100)

committer Paolo Abeni <pabeni@redhat.com>

Thu, 10 Nov 2022 10:58:52 +0000 (11:58 +0100)
author Antoine Tenart <atenart@kernel.org>
Tue, 8 Nov 2022 15:34:59 +0000 (16:34 +0100)
committer Paolo Abeni <pabeni@redhat.com>
Thu, 10 Nov 2022 10:58:52 +0000 (11:58 +0100)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c b/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c

index a018081..7eb5851 100644 (file)
--- a/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
@@ -570,6 +570,7 @@ static int aq_update_txsa(struct aq_nic_s *nic, const unsigned int sc_idx,
  
         ret = aq_mss_set_egress_sakey_record(hw, &key_rec, sa_idx);
  
+       memzero_explicit(&key_rec, sizeof(key_rec));
         return ret;
  }
  
@@ -899,6 +900,7 @@ static int aq_update_rxsa(struct aq_nic_s *nic, const unsigned int sc_idx,
  
         ret = aq_mss_set_ingress_sakey_record(hw, &sa_key_record, sa_idx);
  
+       memzero_explicit(&sa_key_record, sizeof(sa_key_record));
         return ret;
  }
  
diff --git a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c

index 36c7cf0..4319249 100644 (file)
--- a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
+++ b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
@@ -757,6 +757,7 @@ set_ingress_sakey_record(struct aq_hw_s *hw,
                          u16 table_index)
  {
         u16 packed_record[18];
+       int ret;
  
         if (table_index >= NUMROWS_INGRESSSAKEYRECORD)
                 return -EINVAL;
@@ -789,9 +790,12 @@ set_ingress_sakey_record(struct aq_hw_s *hw,
  
         packed_record[16] = rec->key_len & 0x3;
  
-       return set_raw_ingress_record(hw, packed_record, 18, 2,
-                                     ROWOFFSET_INGRESSSAKEYRECORD +
-                                             table_index);
+       ret = set_raw_ingress_record(hw, packed_record, 18, 2,
+                                    ROWOFFSET_INGRESSSAKEYRECORD +
+                                    table_index);
+
+       memzero_explicit(packed_record, sizeof(packed_record));
+       return ret;
  }
  
  int aq_mss_set_ingress_sakey_record(struct aq_hw_s *hw,
@@ -1739,14 +1743,14 @@ static int set_egress_sakey_record(struct aq_hw_s *hw,
         ret = set_raw_egress_record(hw, packed_record, 8, 2,
                                     ROWOFFSET_EGRESSSAKEYRECORD + table_index);
         if (unlikely(ret))
-               return ret;
+               goto clear_key;
         ret = set_raw_egress_record(hw, packed_record + 8, 8, 2,
                                     ROWOFFSET_EGRESSSAKEYRECORD + table_index -
                                             32);
-       if (unlikely(ret))
-               return ret;
  
-       return 0;
+clear_key:
+       memzero_explicit(packed_record, sizeof(packed_record));
+       return ret;
  }
  
  int aq_mss_set_egress_sakey_record(struct aq_hw_s *hw,
author	Antoine Tenart <atenart@kernel.org>
	Tue, 8 Nov 2022 15:34:59 +0000 (16:34 +0100)
committer	Paolo Abeni <pabeni@redhat.com>
	Thu, 10 Nov 2022 10:58:52 +0000 (11:58 +0100)
drivers/net/ethernet/aquantia/atlantic/aq_macsec.c		patch \| blob \| history
drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c		patch \| blob \| history