Implement io::Entropy and refactor random data generation
#108874
Conversation
|
(rustbot has picked a reviewer for you, use r? to override) |
rustbot
added
S-waiting-on-review
|
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
rustbot
added
S-waiting-on-ACP
|
I assume you know that the random number devices have been united in recent Linux kernels and they will not have substantial differences, namely that |
Yes, but polling is (unfortunately) still necessary for compatibility with older versions. The new versions use |
|
Hmm, I don't know if it's actually worth it to ever hit |
I don't want to create security vulnerabilities by not considering the edge cases ( I'll add the version note, that's a good idea. |
| unsafe { | ||
| let mut ret: u64 = 0; | ||
| for _ in 0..10 { | ||
| if crate::arch::x86_64::_rdrand64_step(&mut ret) == 1 { |
There was a problem hiding this comment.
Not a maintainer of sgx but this does not offer high quality entropy. See the "Generating seeds with rdrand" section in https://www.intel.com/content/www/us/en/developer/articles/guide/intel-digital-random-number-generator-drng-software-implementation-guide.html for how to do it (which we probably don't want in std...)
There was a problem hiding this comment.
I... don't quite get that section, unfortunately.
IIUC (please feel free to correct me), RDRAND is like /dev/urandom in that it uses a CSPRNG to generate more random data from a single, truly random seed. Because of the size of the seed, constant reseeding and the strength of the PRNG, the output should not be in any practical way less secure that RDSEED. But that doesn't explain why anyone would use RDSEED...
Edit: Ah, I missed the part about forward and backward prediction resistance... Still, I don't know if it's really, truly necessary here.
I didn't change this, because getrandom uses RDRAND on SGX. Note that it does not consider values 0 or u64::MAX valid because of hardware bugs on AMD devices. Since SGX is Intel-only, I guess it isn't a concern here?
If RDRAND is truly the wrong option here, I guess the alternative is doing what I did for Hermit here and use RDSEED to seed our own PRNG.
There was a problem hiding this comment.
...the DRNG using the RDRAND instruction is useful for generating high-quality keys for cryptographic protocols, and the RSEED instruction is provided for seeding software-based pseudorandom number generators (PRNGs)
I think that sums it up nicely. If someone needs stronger guarantees for a PRNG, they should take a look at what exactly happens in getrandom. The documentation explicitly mentions the randomness comes from rdrand. To me that looks fine, but I'm not a cryptographic. @zugzwang can you pitch in?
Indeed, AMD hardware bugs have no impact on SGX and the values 0 and u64::MAX should not be handled differently.
There was a problem hiding this comment.
Makes sense to me. Intel documentation looks clear, and there is useful discussion on security levels here.
See #104658 where I went through the work of removing use of I would prefer we not undo that improvement. |
|
☔ The latest upstream changes (presumably #109734) made this pull request unmergeable. Please resolve the merge conflicts. |
|
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
|
☔ The latest upstream changes (presumably #111346) made this pull request unmergeable. Please resolve the merge conflicts. |
Dylan-DPC
removed
the
S-waiting-on-review
|
r? libs |
| @@ -164,7 +164,8 @@ pub fn wait(event_mask: u64, mut timeout: u64) -> IoResult<u64> { | |||
| // trusted to ensure accurate timeouts. | |||
| if let Ok(timeout_signed) = i64::try_from(timeout) { | |||
| let tenth = timeout_signed / 10; | |||
| let deviation = (rdrand64() as i64).checked_rem(tenth).unwrap_or(0); | |||
| let rand = rdrand64().unwrap_or_else(|| rtabort!("Failed to obtain random data")); | |||
There was a problem hiding this comment.
Nitpick: There's no need to abort here when rdrand64() returns None. This code is just there to avoid developers from relying on the accuracy of timeouts. Using a default (as in the original code) is fine here.
There's even a small availability issue with the new code. The rdrand instruction can be executed by any userspace program. So an attacker may be able to execute this instruction over and over again until the pool of random values is exhausted. This will cause the enclave to abort here. SGX does not provide any security guarantees related to availability, but this attack may be executed to make enclaves abort even when the attacker would not be able to do so through other means (e.g., they don't have the access rights to stop the process running the enclave). On the other hand, when the enclave needs to do a cryptographic operation, there's no other way than to abort. Hence, it's a bit of a nitpick :)
| @@ -3122,7 +3122,17 @@ impl RandomState { | |||
| // increment one of the seeds on every RandomState creation, giving | |||
| // every corresponding HashMap a different iteration order. | |||
| thread_local!(static KEYS: Cell<(u64, u64)> = { | |||
| Cell::new(sys::hashmap_random_keys()) | |||
| if crate::sys::entropy::INSECURE_HASHMAP { | |||
| Cell::new((1, 2)) | |||
There was a problem hiding this comment.
This is not blocking, but one thing I was thinking of proposing as a path to make RandomState still work without libstd is allowing users to provide their own entropy function, and it would be nice if this were factored in a way that always took that path, rather than hard-coding in an insecure constant for the state.
Since no one is going to rely explicitly on the (1, 2) state for these cases by design, I think it'd be better to just provide a random eight bytes that get sent through the path instead. That way everything goes through the "entropy" path of decoding the bytes, even if the bytes are static.
| /// | ||
| /// Be aware that, because the data is of very high quality, reading high amounts | ||
| /// of data can be very slow, and potentially slow down other processes requiring | ||
| /// random data. Use a pseudo-random number generator if speed is important. |
There was a problem hiding this comment.
Since we do this elsewhere in libstd with other crates, perhaps we could just straight-up recommend the rand crate for this purpose? Especially since this is an org-maintained crate.
There was a problem hiding this comment.
We have been trying to not advertise external crates from std docs. And there are other potential options beside rand even if they're more niche.
| } else { | ||
| let mut v = [0u8; 16]; | ||
| let mut entropy = entropy(); | ||
| entropy.set_insecure(true); |
There was a problem hiding this comment.
Since the purpose is to prevent hash DOS, attacks, wouldn't setting insecure be counter to that? Or am I missing the purpose of this flag?
|
Edit: nevermind, just realised this is waiting on the ACP being merged |
| #[derive(Debug)] | ||
| #[unstable(feature = "io_entropy", issue = "none")] | ||
| pub struct Entropy { | ||
| insecure: bool, |
There was a problem hiding this comment.
This could probably use sys::Entropy directly here (and define a set_insecure method for it)
Implements the ACP rust-lang/libs-team#159.
Because
stdhas special needs (its OK to use less secure random data forHashMapkeys if that means we don't have to block) and theReadAPI diverges fromgetrandom(not the whole buffer must be read, but errors should be immediately returned), I decided not to branch out togetrandom, but to refactor the currentstdimplementation, merging elements fromgetrandomwhere required. In particular:/dev/randomneeds to be polled before reading from/dev/urandomwhen generating secure data/dev/random/, unless it is known that it is identical to/dev/urandomAs a consequence, this PR is rather large, so please let me know if there is anything I can do to simplify the review process.
Checked on all platforms (that currently are not broken), but tested only on macOS (and the Linux CI).
@rustbot label +S-waiting-on-ACP +T-libs-api