mirror of
https://github.com/golang/go.git
synced 2025-12-08 06:10:04 +00:00
Implement secret.Do.

- When secret.Do returns:
  - Clear stack that is used by the argument function.
  - Clear all the registers that might contain secrets.
- On stack growth in secret mode, clear the old stack.
- When objects are allocated in secret mode, mark them and then zero the marked objects immediately when they are freed.
- If the argument function panics, raise that panic as if it originated from secret.Do. This removes anything about the secret function from tracebacks.

For now, this is only implemented on linux for arm64 and amd64.

This is a rebased version of Keith Randall's initial implementation at CL 600635. I have added arm64 support, signal handling, preemption handling and dealt with vDSOs spilling into system stacks.

Fixes #21865

Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
Co-authored-by: Keith Randall <khr@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/704615
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
20 lines
898 B
Markdown
### New secret package

<!-- https://go.dev/issue/21865 --->

The new [secret](/pkg/runtime/secret) package is available as an experiment.
It provides a facility for securely erasing temporaries used in
code that manipulates secret information, typically cryptographic in nature.
Users can access it by passing `GOEXPERIMENT=runtimesecret` at build time.

<!-- if we land any code that uses runtimesecret for forward secrecy
like crypto/tls, mention them here too -->

The secret.Do function runs its function argument and then erases all
temporary storage (registers, stack, new heap allocations) used by
that function argument. Heap storage is not erased until that storage
is deemed unreachable by the garbage collector, which might take some
time after secret.Do completes.

This package is intended to make it easier to ensure [forward
secrecy](https://en.wikipedia.org/wiki/Forward_secrecy).