Introduce ukarch_random and add implementation for arm64 (FEAT_RNG) #434
Conversation
There are some conflicts that should be resolved. Otherwise, the PR looks fine to me.
(force-pushed from 44a1e0b to 5704a19)
@samoilescusebastian thanks for looking into this. I recently put a bit more thinking into it, and just pushed an update with the following changes:
(force-pushed from 5704a19 to 0cec86e)
Green light :)
(force-pushed from 0cec86e to f2a7e6d)
(force-pushed from f2a7e6d to da61670)
Rebased to
I had a quick look and it seems that the changes you mentioned (#434 (comment)) are not part of the current PR 👀
(force-pushed from 674cdbe to 6f534d6)
Rebased to staging
Hi @michpappas,
thanks for submitting the PR! 😃 Looks pretty good. I left some minor feedback.
Provide a macro for the `warn_unused_result` function attribute of GCC. Functions defined with this attribute will issue a compile-time warning when called and the return value is unused. This is useful for preventing bugs, especially in security-critical functions. Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
(force-pushed from 6f534d6 to 8438c96)
@marcrittinghaus thanks for the review, pushed a new revision with all comments addressed.
This commit introduces a minimal set of functions for random number generation implemented in the processor. The API provides functions for initialization of the RNG, and the generation of random numbers with and without reseeding the RNG. Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
FEAT_RNG is introduced as an OPTIONAL feature in Armv8.5-a, and specifies a hardware-based RNG that is implemented as a cryptographically secure Deterministic Random Bit Generator (DRBG), seeded by a TRNG. The RNG can be accessed by the RNDR and RNDRRS registers. RNDR reseeds the DRBG at an IMPLEMENTATION DEFINED rate. The RNDRRS register seeds the DRBG before generating the next random number. This commit adds a new Kconfig option to enable FEAT_RNG and implements the ukarch_random API using RNDR / RNDRRS. Notice that as the entropy generated by a TRNG is limited, the caller must always check the returned value to ensure that a random number was successfully generated. Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
(force-pushed from 8438c96 to b85483b)
@michpappas Thanks for addressing the comments 😃 It looks good now from my perspective. I am going to test it again. @samoilescusebastian Could you also do a second pass and then approve as reviewer if everything works for you?
All good here 🎲
Reviewed-by: Cezar Craciunoiu cezar.craciunoiu@unikraft.io
Yeet! 🥏
Approved-by: Marc Rittinghaus marc.rittinghaus@unikraft.io
✅ Checkpatch passed Beep boop! I ran Unikraft's
Provide a macro for the `warn_unused_result` function attribute of GCC. Functions defined with this attribute will issue a compile-time warning when called and the return value is unused. This is useful for preventing bugs, especially in security-critical functions. Signed-off-by: Michalis Pappas <mpappas@fastmail.fm> Reviewed-by: Cezar Craciunoiu <cezar.craciunoiu@unikraft.io> Approved-by: Marc Rittinghaus <marc.rittinghaus@unikraft.io> Tested-by: Unikraft CI <monkey@unikraft.io> GitHub-Closes: unikraft#434
This commit introduces a minimal set of functions for random number generation implemented in the processor. The API provides functions for initialization of the RNG, and the generation of random numbers with and without reseeding the RNG. Signed-off-by: Michalis Pappas <mpappas@fastmail.fm> Reviewed-by: Cezar Craciunoiu <cezar.craciunoiu@unikraft.io> Approved-by: Marc Rittinghaus <marc.rittinghaus@unikraft.io> Tested-by: Unikraft CI <monkey@unikraft.io> GitHub-Closes: unikraft#434
FEAT_RNG is introduced as an OPTIONAL feature in Armv8.5-a, and specifies a hardware-based RNG that is implemented as a cryptographically secure Deterministic Random Bit Generator (DRBG), seeded by a TRNG. The RNG can be accessed by the RNDR and RNDRRS registers. RNDR reseeds the DRBG at an IMPLEMENTATION DEFINED rate. The RNDRRS register seeds the DRBG before generating the next random number. This commit adds a new Kconfig option to enable FEAT_RNG and implements the ukarch_random API using RNDR / RNDRRS. Notice that as the entropy generated by a TRNG is limited, the caller must always check the returned value to ensure that a random number was successfully generated. Signed-off-by: Michalis Pappas <mpappas@fastmail.fm> Reviewed-by: Cezar Craciunoiu <cezar.craciunoiu@unikraft.io> Approved-by: Marc Rittinghaus <marc.rittinghaus@unikraft.io> Tested-by: Unikraft CI <monkey@unikraft.io> GitHub-Closes: unikraft#434
Prerequisite checklist
- Ran checkpatch.pl on your commit series before opening this PR
Base target
- [arm64, x86_64]
Additional configuration
The ukarch_random API is unconditionally present. Each architecture's support is conditional and can be checked via ukarch_random_avail(). In arm64, availability is controlled by a newly introduced parameter CONFIG_ARM_64_FEAT_RNG.
Description of changes
The ukarch_random API
Processor-supported random number generation can be useful for different purposes on the platform and library level. Some examples include key / seed generation for hardware-based security protections, such as PAuth, MTE in Armv8, or seed generation for the ChaCha20-based PRNG in the ukswrand library.
This PR introduces a minimal API for processor-supported randomness, namely ukarch_random. The API consists of merely three functions, that map closely to the functionality provided by the relevant mechanisms in Armv8 and x86_64:
- ukarch_random_avail() checks whether the feature is implemented by the processor,
- ukarch_random_get_long() returns a random long integer, and
- ukarch_random_long_reseed() returns a random long integer after reseeding the RNG.
Given that the trustworthiness of processor-provided randomness is a controversial topic, higher layers shall ideally use ukarch_random optionally and when possible provide the user with additional options for other sources of randomness, such as drivers to TRNGs or Crypto Engines external to the processor.
Implementation in Armv8
Processor-supported randomness (FEAT_RNG) is introduced as an OPTIONAL extension in Armv8.5-a. The architecture defines the RNG as the output of a Deterministic Random Bit Generator (DRBG) that produces random numbers from a cryptographically secure algorithm, and is seeded by a True Random Number Generator (TRNG). The architecture requires that the DRBG and TRNG conform to a set of standards. Specifically, the DRBG should conform to NIST SP800-90A Rev1, while the TRNG should conform to NIST SP800-90B, NIST SP800-22, FIPS 140-2, BSI AIS-31.
The RNG is exposed to the user through the RNDR and RNDRRS registers. RNDR outputs random numbers, and is re-seeded at an IMPLEMENTATION DEFINED rate. RNDRRS re-seeds the DRBG immediately before generating a new random number.
This PR provides an implementation of the ukarch_random API via the RNDR / RNDRRS registers, along with a new option CONFIG_ARM_64_FEAT_RNG, to enable the feature. As no Armv8 IP provided by Arm implements Armv8.5-A, this can only be tested in QEMU with -machine virt -cpu max or third-party SoCs that implement FEAT_RNG.
Notice: Since the rate at which TRNGs can generate random bits is limited, RNDR and RNDRRS try to return a random number within a "reasonable period of time". When that fails, the PSTATE.NZCV bits are set to 0b0100, and a zero value is returned. Callers must therefore always check the result of the operation, and act as required on failure.
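Added example, not code from the PR or from Unikraft: a caller-side C sketch of the three-function API shape described under "The ukarch_random API" together with the failure handling the notice above demands for RNDR / RNDRRS. Success is decided by the Z flag (NZCV == 0b0100 means the generator could not deliver), never by the returned value being zero, and the availability check reads ID_AA64ISAR0_EL1.RNDR before any RNDR instruction is executed. The register encodings and the ID field are from the Arm architecture; the function names, the retry limit and the simulated backend (used so the retry path can be exercised on a host without FEAT_RNG) are assumptions made for this illustration.

```c
/* Added example, not Unikraft's ukarch_random: check-and-retry around the
 * Armv8.5 FEAT_RNG registers. Hardware backends compile only on aarch64;
 * the simulated backend is a constructed stand-in and is NOT random. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* A backend reads one 64-bit value. It returns 1 on success and 0 when the
 * generator could not deliver in time (hardware then also returns value 0). */
typedef int (*rng_read_fn)(uint64_t *out);

#if defined(__aarch64__)
/* Generic system-register encodings, so no assembler feature flag is needed:
 * RNDR = S3_3_C2_C4_0, RNDRRS = S3_3_C2_C4_1. Both set PSTATE.NZCV; failure
 * is NZCV == 0b0100 (Z set), so "cset ... ne" yields 1 on success, 0 on failure. */
#define DEFINE_RNG_READ(name, sysreg)					\
static int name(uint64_t *out)						\
{									\
	uint64_t v;							\
	int ok;								\
	__asm__ __volatile__("mrs %0, " sysreg "\n\tcset %w1, ne"	\
			     : "=r"(v), "=r"(ok) : : "cc");		\
	*out = v;							\
	return ok;							\
}
DEFINE_RNG_READ(rndr_read, "s3_3_c2_c4_0")   /* reseeded at an IMPLEMENTATION DEFINED rate */
DEFINE_RNG_READ(rndrrs_read, "s3_3_c2_c4_1") /* reseeded before every value */

/* FEAT_RNG is implemented when ID_AA64ISAR0_EL1.RNDR (bits [63:60]) == 0b0001.
 * RNDR is UNDEFINED on a core without it, so this must run first. */
static int feat_rng_avail(void)
{
	uint64_t isar0;

	__asm__("mrs %0, id_aa64isar0_el1" : "=r"(isar0));
	return ((isar0 >> 60) & 0xf) == 1;
}
#endif

/* Constructed stand-in (assumption): fails the first N reads the way a
 * starved TRNG would, then hands out counter values. Exercises the retry path only. */
static unsigned sim_fails_left;
static uint64_t sim_next;

static void sim_reset(unsigned fails)
{
	sim_fails_left = fails;
	sim_next = 0x0123456789abcdefULL; /* constructed start value */
}

static int sim_read(uint64_t *out)
{
	if (sim_fails_left) {
		sim_fails_left--;
		*out = 0; /* mirrors the hardware: zero value on failure */
		return 0;
	}
	*out = sim_next++;
	return 1;
}

/* Bounded retry. Returns 0 and stores the value on success, -EAGAIN if every
 * attempt failed; *out is left untouched on failure so a zero or stale value
 * can never be mistaken for fresh randomness. */
static int rng_get_long(rng_read_fn read, unsigned max_tries, uint64_t *out)
{
	uint64_t v;
	unsigned i;

	for (i = 0; i < max_tries; i++) {
		if (read(&v)) {
			*out = v;
			return 0;
		}
	}
	return -EAGAIN;
}

int main(void)
{
	rng_read_fn read = sim_read;
	uint64_t v;
	int rc;

	sim_reset(2);
#if defined(__aarch64__)
	if (feat_rng_avail())
		read = rndrrs_read; /* reseed before each draw, e.g. for key material */
#endif
	rc = rng_get_long(read, 8, &v);
	if (rc)
		printf("no random number available (rc=%d)\n", rc);
	else
		printf("random long: 0x%016llx\n", (unsigned long long)v);
	return rc ? 1 : 0;
}
```

Two things a practitioner should take from the block: a legitimately random output can be exactly zero, so the only valid success signal is the flag (or the wrapper's return code), and the retry limit must be bounded, since a depleted TRNG can keep failing and an unbounded loop would turn that into a hang in whatever boot path or key-derivation step called it.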