Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add functions to create random numbers #64

Merged
merged 2 commits into from
Sep 21, 2020
Merged

Conversation

stlankes
Copy link
Contributor

rand creates pseudo-random numbers, while secure_rand32/64 produce cryptographicly secure random numbers

@stlankes stlankes changed the title add function to create random numbers add functions to create random numbers Sep 12, 2020
@stlankes stlankes requested a review from jbreitbart September 12, 2020 23:33
Comment on lines +449 to +463
/// Create a cryptographicly secure 32bit random number with the support of
/// the underlying hardware. If the required hardware isn't available,
/// the function returns `None`.
#[inline(always)]
pub unsafe fn secure_rand32() -> Option<u32> {
sys_secure_rand32()
}

/// Create a cryptographicly secure 64bit random number with the support of
/// the underlying hardware. If the required hardware isn't available,
/// the function returns `None`.
#[inline(always)]
pub unsafe fn secure_rand64() -> Option<u64> {
sys_secure_rand64()
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason these functions are unsafe? Will asking for random number ever invoke UB?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will answer the question in the comment below.

Comment on lines +15 to +18
extern "Rust" {
fn sys_secure_rand64() -> Option<u64>;
fn sys_secure_rand32() -> Option<u32>;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So having extern "Rust" here means that the version of rustc used to compile hermit-abi must be exactly the same version used to compile the kernel (rusty-hermit/libhermit-rs). Is this a problem? (I don't know much about HermitCore).

If it is, you could just have a returned value of 0 represent failure (I realize this is technically a valid random number, but it's extremely unlikely that it gets returned). Alternatively, you could take a *mut u64 as input and return 0/-ENOSYS on success/failure.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In principle, the unikernel is completely written in Rust. Technical it could be possible that the Rust standard library call directly the Rust function of the unikernel. However, the unikernel depends on too many crates. The Rust community will not permit that rustc depends on all these crates. The workaround is a small system interface hermit-abi, which provides a similar interface like the crate libc. The unikernel itself will be provided as common static library. To guarantee that the unikernel and the application are build by the same compiler, we provide the crate hermit-sys. This crate builds the unikernel and link the library to the application. This is the reason that we suggest to add following line to Cargo.toml:

[target.'cfg(target_os = "hermit")'.dependencies]
hermit-sys = "0.1.*"

Unfortunately, every jump into a static library is unsafe because the compiler is not able to check the function. But we are able to use "real" Rust functions and to use Option as return value.

@stlankes
Copy link
Contributor Author

bors ping

@bors
Copy link
Contributor

bors bot commented Sep 14, 2020

pong

@stlankes
Copy link
Contributor Author

bors try

bors bot added a commit that referenced this pull request Sep 20, 2020
@bors
Copy link
Contributor

bors bot commented Sep 20, 2020

try

Build failed:

@stlankes
Copy link
Contributor Author

bors r+

@bors
Copy link
Contributor

bors bot commented Sep 21, 2020

Merge conflict.

rand creates pseudo-random numbers, while secure_rand32/64 produce
cryptographicly secure random numbers
@stlankes
Copy link
Contributor Author

bors r+

@stlankes
Copy link
Contributor Author

I assume that @josephlr like the patch an accept it

@bors
Copy link
Contributor

bors bot commented Sep 21, 2020

@sjmackenzie
Copy link

Does this patch actually generate random numbers?

@stlankes
Copy link
Contributor Author

It should generate random numbers. The function calls implicitly generate_random_number64, which uses Intel's rdrand instruction to generate random numbers. See also _rdrand32_step.

@sjmackenzie
Copy link

okay great I have getrandom working on x86_unknown_hermit. Thanks for the pointer, although is there a solution for aarch64?

@stlankes
Copy link
Contributor Author

Currently not, but we are working on it.

@sjmackenzie
Copy link

Okay so my patch to getrandom will only support x86_64-unknown-hermit.

Thanks for your assistance!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants