
Introduce ukarch_random and add implementation for arm64 (FEAT_RNG) #434


michpappas
Member

Prerequisite checklist

  • Read the contribution guidelines regarding submitting new changes to the project;
  • Tested your changes against relevant architectures and platforms;
  • Ran the checkpatch.pl on your commit series before opening this PR;
  • Updated relevant documentation.

Base target

  • Architecture(s): [arm64, x86_64]
  • Platform(s): [N/A]
  • Application(s): [N/A]

Additional configuration

The ukarch_random API is unconditionally present. Each architecture's support is conditional and can be checked via ukarch_random_avail().

In arm64, availability is controlled by a newly introduced parameter CONFIG_ARM_64_FEAT_RNG.

Description of changes

The ukarch_random API

Processor-supported random number generation can be useful for different purposes on the platform and library level. Some examples include key / seed generation for hardware-based security protections, such as PAuth, MTE in Armv8, or seed generation for the ChaCha20-based PRNG in the ukswrand library.

This PR introduces a minimal API for processor-supported randomness, namely ukarch_random. The API consists of merely three functions that map closely to the functionality provided by the relevant mechanisms in Armv8 and x86_64: ukarch_random_avail() checks whether the feature is implemented by the processor, ukarch_random_get_long() returns a random long integer, and ukarch_random_long_reseed() returns a random long integer after reseeding the RNG.

Given that the trustworthiness of processor-provided randomness is a controversial topic, higher layers shall ideally use ukarch_random optionally and when possible provide the user with additional options for other sources of randomness, such as drivers to TRNGs or Crypto Engines external to the processor.

Implementation in Armv8

Processor-supported randomness (FEAT_RNG) is introduced as an OPTIONAL extension in Armv8.5-a. The architecture defines the RNG as the output of a Deterministic Random Bit Generator (DRBG) that produces random numbers from a cryptographically secure algorithm, and is seeded by a True Random Number Generator (TRNG). The architecture requires that the DRBG and TRNG conform to a set of standards. Specifically the DRBG should conform to NIST SP800-90A Rev1, while TRNG should conform to NIST SP800-90B, NIST SP800-22, FIPS 140-2, BSI AIS-31.

The RNG is exposed to the user through the RNDR and RNDRRS registers. RNDR outputs random numbers, and is re-seeded at an IMPLEMENTATION DEFINED rate. RNDRRS re-seeds the DRBG immediately before generating a new random number.

This PR provides an implementation of the ukarch_random API via the RNDR / RNDRRS registers, along with a new option CONFIG_ARM_64_FEAT_RNG, to enable the feature. As no Armv8 IP provided by Arm implements Armv8.5-A, this can only be tested in QEMU with -machine virt -cpu max or on third-party SoCs that implement FEAT_RNG.

Notice: Since the rate at which TRNGs can generate random bits is limited, RNDR and RNDRRS try to return a random number within a "reasonable period of time". When that fails, the PSTATE.NZCV bits are set to 0b0100, and a zero value is returned. Callers must therefore always check the result of the operation, and act as required on failure.

@michpappas michpappas changed the title Introduce ukarch_random and implementation for arm64 (FEAT_RNG) Introduce ukarch_random and add implementation for arm64 (FEAT_RNG) Mar 26, 2022
@razvand razvand added this to the v0.10.0 (Phoebe) milestone Mar 28, 2022
@razvand razvand added kind/enhancement New feature or request area/lib Internal Unikraft Microlibrary arch/arm64 labels Mar 28, 2022

@samoilescusebastian samoilescusebastian left a comment


There are some conflicts that should be resolved. Otherwise, the PR looks fine to me.

@michpappas michpappas force-pushed the arm64_introduce_ukarch_random_and_FEAT_RNG branch from 44a1e0b to 5704a19 Compare April 23, 2022 10:12
@michpappas michpappas requested a review from a team April 23, 2022 10:12
@michpappas
Member Author

michpappas commented Apr 23, 2022

@samoilescusebastian thanks for looking into this. I recently put a bit more thinking into it, and just pushed an update with the following changes:

  • Rebased to staging.
  • Added the __check_result macro (see the relevant commit). This is useful for catching bugs, but we should make sure it's not abused, to avoid a similar problem Linux folks had before. I propose that we only use it in security-critical functions. CC: @marcrittinghaus, @skuenzer.
  • Replaced ukarch_random_avail() with ukarch_random_init(). This allows more generic initialization, and the implementation can be reduced to a simple check of availability if no further initialization is needed.
  • Renamed functions to use fixed sizes instead of generic types, i.e. ukarch_random_get_long() now becomes ukarch_random_u64(). I also added ukarch_random_u32(). Macros for generic types can be provided in the platform layer (not part of this PR - we need to put a bit more thinking into it).
  • Added CONFIG_UKARCH_RANDOM and stubs when not available. This will also be useful later at the platform layer.
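Added example (not Unikraft's code) of the caller-side discipline the PR description and the comment above ask for: a result-checked read of RNDR that tests PSTATE.Z, an availability check, and a warn_unused_result wrapper in the spirit of __check_result. The names hw_rand_avail, hw_rand_u64 and hw_rand_fill are hypothetical, and the non-arm64 branch is a constructed stand-in so the retry logic can be exercised on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Same intent as the PR's __check_result: warn if a caller drops the result. */
#define must_check __attribute__((warn_unused_result))
#if defined(__aarch64__)
/* FEAT_RNG is implemented when ID_AA64ISAR0_EL1.RNDR (bits 63:60) != 0;
 * Linux emulates this EL0 read, so it is safe on any arm64 kernel. */
static int hw_rand_avail(void)
{
	uint64_t isar0;
	__asm__ volatile("mrs %0, id_aa64isar0_el1" : "=r"(isar0));
	return (isar0 >> 60) != 0;
}
/* RNDR is system register S3_3_C2_C4_0 (encoded name, no +rng flag needed).
 * On failure the CPU sets PSTATE.Z and yields zero; cset maps Z to ok == 0. */
static must_check int hw_rand_u64(uint64_t *out)
{
	uint64_t v; int ok;
	__asm__ volatile("mrs %0, s3_3_c2_c4_0\n\tcset %w1, ne"
			 : "=r"(v), "=r"(ok) : : "cc");
	*out = ok ? v : 0;
	return ok ? 0 : -1;
}
#else
/* Constructed stand-in for non-arm64 builds: the first call mimics the
 * transient failure (zero, error); later calls return a counter-derived value. */
static int hw_rand_avail(void) { return 1; }
static must_check int hw_rand_u64(uint64_t *out)
{
	static unsigned calls;
	if (calls++ == 0) { *out = 0; return -1; }
	*out = 0x9e3779b97f4a7c15ULL * calls;
	return 0;
}
#endif
/* Fill buf with len bytes, retrying each 64-bit read at most max_retry times.
 * Returns 0 on success, -1 if FEAT_RNG is absent or the RNG kept failing. */
static must_check int hw_rand_fill(uint8_t *buf, size_t len, unsigned max_retry)
{
	if (!hw_rand_avail()) return -1;
	while (len) {
		uint64_t v; unsigned tries = 0;
		while (hw_rand_u64(&v) != 0)
			if (++tries > max_retry) return -1;
		size_t n = len < sizeof(v) ? len : sizeof(v);
		memcpy(buf, &v, n); buf += n; len -= n;
	}
	return 0;
}
```

A bounded retry is deliberate: a caller that spins forever on a starved TRNG turns a transient failure into a hang, so the error must propagate to whoever requested the key or seed.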

@unikraft-bot unikraft-bot added arch/arm area/arch Unikraft Architecture area/include Part of include/uk labels Apr 23, 2022
@michpappas michpappas force-pushed the arm64_introduce_ukarch_random_and_FEAT_RNG branch from 5704a19 to 0cec86e Compare April 23, 2022 11:19
@samoilescusebastian

samoilescusebastian commented May 28, 2022

Green light :)
However, it looks like the concourse-ci/app-helloworld-staging/arm-linuxu/build test has failed, but I don't have access to the details.

@michpappas michpappas force-pushed the arm64_introduce_ukarch_random_and_FEAT_RNG branch from 0cec86e to f2a7e6d Compare July 24, 2022 08:01
@michpappas michpappas requested review from a team as code owners July 24, 2022 08:01
@michpappas michpappas force-pushed the arm64_introduce_ukarch_random_and_FEAT_RNG branch from f2a7e6d to da61670 Compare July 24, 2022 08:03
@michpappas
Member Author

Rebased to staging

@razvand razvand removed request for a team August 10, 2022 21:02
@marcrittinghaus
Member

@michpappas

I had a quick look and it seems that the changes you mentioned (#434 (comment)) are not part of the current PR 👀

@razvand razvand removed request for a team August 16, 2022 15:56
@michpappas michpappas force-pushed the arm64_introduce_ukarch_random_and_FEAT_RNG branch from 674cdbe to 6f534d6 Compare September 12, 2022 09:44
@michpappas
Member Author

Rebased to staging

@razvand razvand mentioned this pull request Oct 7, 2022
Member

@marcrittinghaus marcrittinghaus left a comment


Hi @michpappas,

thanks for submitting the PR! 😃 Looks pretty good. I left some minor feedback.

Review threads (all resolved):

  • arch/arm/arm64/Config.uk (outdated)
  • arch/arm/arm64/include/uk/asm/random.h (outdated)
  • include/uk/arch/random.h (outdated)
  • arch/Config.uk (outdated)
  • include/uk/arch/random.h (outdated)
  • include/uk/arch/random.h (outdated)
  • include/uk/arch/random.h (outdated)
  • include/uk/arch/random.h (outdated)
  • include/uk/arch/random.h
  • include/uk/essentials.h (outdated)

Provide a macro for the `warn_unused_result` function attribute of GCC.
Functions defined with this attribute will issue a compile-time warning
when called and the return value is unused.

This is useful for preventing bugs, especially in security-critical
functions.

Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
@michpappas michpappas force-pushed the arm64_introduce_ukarch_random_and_FEAT_RNG branch from 6f534d6 to 8438c96 Compare November 5, 2022 13:54
@michpappas
Member Author

@marcrittinghaus thanks for the review, pushed a new revision with all comments addressed.

This commit introduces a minimal set of functions for random number
generation implemented in the processor. The API provides functions
for initialization of the RNG, and the generation of random numbers
with and without reseeding the RNG.

Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
FEAT_RNG is introduced as an OPTIONAL feature in Armv8.5-a, and specifies
a hardware-based RNG that is implemented as a cryptographically secure
Deterministic Random Bit Generator (DRBG), seeded by a TRNG.

The RNG can be accessed via the RNDR and RNDRRS registers. RNDR reseeds the
DRBG at an IMPLEMENTATION DEFINED rate; RNDRRS reseeds the DRBG before
generating the next random number.

This commit adds a new Kconfig option to enable FEAT_RNG and implements
the ukarch_random API using RNDR / RNDRRS.

Notice that as the entropy generated by a TRNG is limited, the caller
must always check the returned value to ensure that a random number was
successfully generated.

Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
@michpappas michpappas force-pushed the arm64_introduce_ukarch_random_and_FEAT_RNG branch from 8438c96 to b85483b Compare November 6, 2022 21:07
@marcrittinghaus
Member

@michpappas Thanks for addressing the comments 😃 It looks good now from my perspective. I am going to test it again.

@samoilescusebastian Could you also do a second pass and then approve as reviewer if everything works for you?

@craciunoiuc craciunoiuc self-requested a review November 8, 2022 10:50
Member

@craciunoiuc craciunoiuc left a comment


All good here 🎲

Reviewed-by: Cezar Craciunoiu cezar.craciunoiu@unikraft.io

Member

@marcrittinghaus marcrittinghaus left a comment


Yeet! 🥏

Approved-by: Marc Rittinghaus marc.rittinghaus@unikraft.io

@unikraft-bot
Member

Checkpatch passed

Beep boop! I ran Unikraft's checkpatch.pl support script on your pull request and it all looks good!

SHA commit checkpatch
29fb5e6 include/essentials: Provide __check_result macro
9e85919 include/uk/arch: Introduce ukarch_random functions
b85483b arch/arm64: Add processor-generated randomness (FEAT_RNG)

unikraft-bot pushed a commit that referenced this pull request Nov 15, 2022
unikraft-bot pushed a commit that referenced this pull request Nov 15, 2022
@unikraft-bot unikraft-bot added the ci/merged Merged by CI label Nov 15, 2022
@michpappas michpappas deleted the arm64_introduce_ukarch_random_and_FEAT_RNG branch November 16, 2022 07:48
@nderjung nderjung added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Nov 18, 2022
razvand pushed a commit to unikraft-upb/unikraft that referenced this pull request Nov 23, 2022
razvand pushed a commit to unikraft-upb/unikraft that referenced this pull request Nov 23, 2022
razvand pushed a commit to unikraft-upb/unikraft that referenced this pull request Nov 23, 2022