5.x/doxygen/include_2ccf_2crypto_2entropy_8h_source.html

// Copyright (c) Microsoft Corporation. All rights reserved.

// Licensed under the Apache 2.0 License.

#pragma once


#include "ccf/pal/hardware_info.h"


#include <cassert>

#include <cstdint>

#include <cstring>

#include <memory>

#include <stdexcept>

#include <utility>

#include <vector>


// Adapted from:

// https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide


#define DRNG_NO_SUPPORT 0x0

#define DRNG_HAS_RDRAND 0x1

#define DRNG_HAS_RDSEED 0x2


// `It is recommended that applications attempt 10 retries in a tight loop in

// the unlikely event that the RDRAND instruction does not return a random

// number. This number is based on a binomial probability argument: given

// the design margins of the DRNG, the odds of ten failures in a row are

// astronomically small and would in fact be an indication of a larger CPU

// issue.`

#define RDRAND_RETRIES 10


namespace ccf::crypto

{

  using rng_func_t = int (*)(void* ctx, unsigned char* output, size_t len);


  class Entropy

  {

  public:

    Entropy() = default;

    virtual ~Entropy() = default;


    virtual std::vector<uint8_t> random(size_t len) = 0;


    virtual void random(unsigned char* data, size_t len) = 0;


    virtual uint64_t random64() = 0;

  };


  class IntelDRNG : public Entropy

  {

  private:

    static int get_drng_support()

    {

      thread_local int drng_features = -1;


      /* So we don't call cpuid multiple times for the same information */

      if (drng_features == -1)

      {

        drng_features = DRNG_NO_SUPPORT;


        if (ccf::pal::is_intel_cpu())

        {

          ccf::pal::CpuidInfo info;


          ccf::pal::cpuid(&info, 1, 0);


          if ((info.ecx & 0x40000000) == 0x40000000)

            drng_features |= DRNG_HAS_RDRAND;


          cpuid(&info, 7, 0);


          if ((info.ebx & 0x40000) == 0x40000)

            drng_features |= DRNG_HAS_RDSEED;

        }

      }


      return drng_features;

    }


    static bool rdrand16_step(uint16_t* rand)

    {

      unsigned char ok;

      // @ccc allows placing a constraint on the carry flag ('@cc c') without

      // having to write to a separate register, see

      // https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html for more details.

      asm volatile("rdrand %0" : "=r"(*rand), "=@ccc"(ok));

      return ok;

    }


    static bool rdrand32_step(uint32_t* rand)

    {

      unsigned char ok;

      asm volatile("rdrand %0" : "=r"(*rand), "=@ccc"(ok));

      return ok;

    }


    static bool rdrand64_step(uint64_t* rand)

    {

      unsigned char ok;

      asm volatile("rdrand %0" : "=r"(*rand), "=@ccc"(ok));

      return ok;

    }


    static int rdrand16_retry(unsigned int retries, uint16_t* rand)

    {

      unsigned int count = 0;


      while (count <= retries)

      {

        if (rdrand16_step(rand))

          return 1;

        ++count;

      }


      return 0;

    }


    static int rdrand32_retry(unsigned int retries, uint32_t* rand)

    {

      unsigned int count = 0;


      while (count <= retries)

      {

        if (rdrand32_step(rand))

          return 1;


        ++count;

      }


      return 0;

    }


    static int rdrand64_retry(unsigned int retries, uint64_t* rand)

    {

      unsigned int count = 0;


      while (count <= retries)

      {

        if (rdrand64_step(rand))

          return 1;


        ++count;

      }


      return 0;

    }


    static unsigned int rdrand_get_bytes(unsigned int n, unsigned char* dest)

    {

      unsigned char *headstart, *tailstart = nullptr;

      uint64_t* blockstart;

      unsigned int count, ltail, lhead, lblock;

      uint64_t i, temprand;


      /* Get the address of the first 64-bit aligned block in the

       * destination buffer. */

      headstart = dest;

      if (((uint64_t)headstart % (uint64_t)8) == 0)

      {

        blockstart = (uint64_t*)headstart;

        lblock = n;

        lhead = 0;

      }

      else

      {

        blockstart =

          (uint64_t*)(((uint64_t)headstart & ~(uint64_t)7) + (uint64_t)8);

        lhead = (unsigned int)((uint64_t)blockstart - (uint64_t)headstart);

        lblock =

          ((n - lhead) & ~(unsigned int)7); // cwinter: this bit is/as buggy in

                                            // the Intel examples.

      }


      /* Compute the number of 64-bit blocks and the remaining number

       * of bytes (the tail) */

      ltail = n - lblock - lhead;

      count = lblock / 8; /* The number 64-bit rands needed */


      assert(lhead < 8);

      assert(lblock <= n);

      assert(ltail < 8);


      if (ltail)

        tailstart = (unsigned char*)((uint64_t)blockstart + (uint64_t)lblock);


      /* Populate the starting, mis-aligned section (the head) */

      if (lhead)

      {

        if (!rdrand64_retry(RDRAND_RETRIES, &temprand))

          return 0;

        memcpy(headstart, &temprand, lhead);

      }


      /* Populate the central, aligned block */

      for (i = 0; i < count; ++i, ++blockstart)

      {

        if (!rdrand64_retry(RDRAND_RETRIES, blockstart))

          return i * 8 + lhead;

      }


      /* Populate the tail */

      if (ltail)

      {

        if (!rdrand64_retry(RDRAND_RETRIES, &temprand))

          return count * 8 + lhead;

        memcpy(tailstart, &temprand, ltail);

      }


      return n;

    }


    // The following three functions should be used to generate

    // randomness that will be used as seed for another RNG

    static bool rdseed16_step(uint16_t* seed)

    {

      unsigned char ok;

      asm volatile("rdseed %0" : "=r"(*seed), "=@ccc"(ok));

      return ok;

    }


    static bool rdseed32_step(uint32_t* seed)

    {

      unsigned char ok;

      asm volatile("rdseed %0" : "=r"(*seed), "=@ccc"(ok));

      return ok;

    }


    static bool rdseed64_step(uint64_t* seed)

    {

      unsigned char ok;

      asm volatile("rdseed %0" : "=r"(*seed), "=@ccc"(ok));

      return ok;

    }


  public:


    IntelDRNG()

    {

      if (!is_drng_supported())

        throw std::logic_error("No support for RDRAND / RDSEED on this CPU.");

    }


    std::vector<uint8_t> random(size_t len) override

    {

      std::vector<uint8_t> buf(len);


      if (rdrand_get_bytes(buf.size(), buf.data()) < buf.size())

        throw std::logic_error("Couldn't create random data");


      return buf;

    }


    uint64_t random64() override

    {

      uint64_t rnd;

      uint64_t len = sizeof(uint64_t);


      if (rdrand_get_bytes(len, reinterpret_cast<unsigned char*>(&rnd)) < len)

      {

        throw std::logic_error("Couldn't create random data");

      }


      return rnd;

    }


    void random(unsigned char* data, size_t len) override

    {

      if (rdrand_get_bytes(len, data) < len)

        throw std::logic_error("Couldn't create random data");

    }


    static int rng(void*, unsigned char* output, size_t len)

    {

      if (rdrand_get_bytes(len, output) < len)

        throw std::logic_error("Couldn't create random data");

      return 0;

    }


    static bool is_drng_supported()

    {

      return (get_drng_support() & (DRNG_HAS_RDRAND | DRNG_HAS_RDSEED)) ==

        (DRNG_HAS_RDRAND | DRNG_HAS_RDSEED);

    }


  };


  static bool use_drng = IntelDRNG::is_drng_supported();

  using EntropyPtr = std::shared_ptr<Entropy>;

  static EntropyPtr intel_drng_ptr;


  EntropyPtr get_entropy();

}

ccf::crypto::Entropy
Definition entropy.h:35

ccf::crypto::Entropy::Entropy
Entropy()=default

ccf::crypto::Entropy::random
virtual void random(unsigned char *data, size_t len)=0

ccf::crypto::Entropy::random
virtual std::vector< uint8_t > random(size_t len)=0

ccf::crypto::Entropy::~Entropy
virtual ~Entropy()=default

ccf::crypto::Entropy::random64
virtual uint64_t random64()=0

ccf::crypto::IntelDRNG
Definition entropy.h:56

ccf::crypto::IntelDRNG::is_drng_supported
static bool is_drng_supported()
Definition entropy.h:295

ccf::crypto::IntelDRNG::IntelDRNG
IntelDRNG()
Definition entropy.h:242

ccf::crypto::IntelDRNG::random64
uint64_t random64() override
Definition entropy.h:265

ccf::crypto::IntelDRNG::rng
static int rng(void *, unsigned char *output, size_t len)
Definition entropy.h:288

ccf::crypto::IntelDRNG::random
void random(unsigned char *data, size_t len) override
Definition entropy.h:282

ccf::crypto::IntelDRNG::random
std::vector< uint8_t > random(size_t len) override
Definition entropy.h:252

hardware_info.h

DRNG_HAS_RDRAND
#define DRNG_HAS_RDRAND
Definition entropy.h:19

DRNG_HAS_RDSEED
#define DRNG_HAS_RDSEED
Definition entropy.h:20

DRNG_NO_SUPPORT
#define DRNG_NO_SUPPORT
Definition entropy.h:18

RDRAND_RETRIES
#define RDRAND_RETRIES
Definition entropy.h:28

ccf::crypto
Definition base64.h:9

ccf::crypto::rng_func_t
int(*)(void *ctx, unsigned char *output, size_t len) rng_func_t
Definition entropy.h:32

ccf::crypto::get_entropy
EntropyPtr get_entropy()
Definition entropy.cpp:10

ccf::crypto::EntropyPtr
std::shared_ptr< Entropy > EntropyPtr
Definition entropy.h:303

ccf::pal::CpuidInfo
Definition hardware_info.h:12

ccf::pal::CpuidInfo::ecx
uint64_t ecx
Definition hardware_info.h:15

ccf::pal::CpuidInfo::ebx
uint64_t ebx
Definition hardware_info.h:14