-
Notifications
You must be signed in to change notification settings - Fork 710
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document how to port *ring* to a no_std
-only platform
#744
Comments
The other, harder, issue, is how to get the test suite to run on such platforms, because the tests use libstd a lot currently. Some issues are probably, e.g. we could use I suggest we prototype this first by solving it specifically for SGX, which seems to be a |
@briansmith Are you working on this? |
This solution is unlikely to work in general for embedded platforms. AFAIK, for SGX there is only one obvious implementation of a random number generator (namely the This is not the case for eg. embedded ARM targets, which don't have a single random number generator. Instead, vendors often provide a peripheral for random number generation, which could implement For those targets I suggest EDIT: Just noticed that |
That way we can guarantee it is actually secure by ensuring all the implementations are in ring.
In such situations the peripherals are almost definitely implementing a raw, unmixed, entropy source. We should take the output of that and postprocess it with a DRBG. In other words, for |
Thanks, that makes sense!
Nordic employs optional bias correction in their RNGs, so I think this step would not be needed for their devices (provided that the correction is actually turned on, of course - nrf-rs/nrf-hal#85).
That would not be the case if you'd accept external entropy sources though, right? |
Interesting. I don't know if that would be sufficient without reading more about it.
First, let me walk back what I said a bit: In ring we don't guarantee anything. We try to make things as safe as we can given limited resources. Your issue nrf-rs/nrf-hal#85 shows exactly why I've avoided providing a way to swap in an entropy source so far. Perhaps, instead of providing an extension point for entropy sources, we should provide explicit features that enable specific implementations. So, for example, we could have a |
From #813:
Researching this, it seems the libc crate maintainers don't want to port libc to platforms that need the C types defined but which don't have a libc. See rust-lang/libc#1092 for example. The |
So after my attempt in rust-lang/libc#1244 and a later attempt in rust-lang/libc#1285, the conclusion was to keep
To make things easier, we could simply have three (mutually exclusive) Cargo features that determine how
|
Also, @briansmith is there a reason we don't just use
|
Generally ring doesn't depend on third-party crates. We had made an exception for |
ring's doesn't use A bigger problem is that it isn't clear that ring's current API (which is similar to the |
FYI, some issues about this: rust-random/getrandom#4 It's a good question and a tough one: |
I submitted PR #840 as a stepping stone to resolving the libc types issue in the interim until the Rust libs team can agree on a long-term solution. |
See also: rust-embedded/embedded-hal#142 |
One particular kind of |
I hope you'll revisit it even without inclusion into libcore. Otherwise it looks like a duplication of work. Your review will be certainly appreciated and to minimize risks you can pin And it will be easier for embedded projects to simply replace a single |
@newpavlov most of my recent PRs have been to incorporate some of the good things ring has done in There's also the separate issue that switching to getrandom would make ring start compiling on platforms it doesn't support, but I think that's a minor issue as the |
Please take a look at PR #869, which makes libstd an optional dependency even for RSA and the test framework in favor of using |
Regarding the libc dependency, please see PR #39. Basically we just need to write a little |
PR #875 avoids |
PR #879 will remove the |
"In particular, our end-to-end exploit can leak the entire private key of a secure enclave running on a separate CPU core after only a single digital signature operation." - https://www.vusec.net/projects/crosstalk/ |
I'm running headlong into a situation where I need no_std support for ring on x86-64. It looks like there was a flurry of effort on this last year, but progress has plateaued a bit. The most comparable thing to what I'm looking for is the work a coworker, @josephlr, proposed for UEFI (but subsequently abandoned). It sounds to me like there are a few requirements to support no_std on a per-arch basis:
Does this list seem accurate? I mention 2), since I suspect the "easy" answer to writing a fill_impl would be just depending on getrandom across the board. Once getrandom v0.2 shows up, it's actually even somewhat straightfoward to get W.r.t. 3), for uefi/other OS-less environments, things are a bit messy for CI. Most of the ideas I can think of depend on being able to use KVM inside CI, which might be hard if CI is a VM itself (nested virt support is rare). You could skip KVM and just use QEMU, but you'll be forced to emulate which has it's own problems (like the unaligned access emulation issues on arm), and you'll be forced to somehow test ring using a full-blown efi binary (or something similar). The other option for me is to fork ring, but I'm interested in avoiding the proliferation of ring forks, particularly when the changes I'm interested in aren't particularly invasive. |
@briansmith since this issue was opened I notice that this comment popped up:
I'm trying to use I'm also curious about whether supporting the |
@devsnek I mostly agree with the Linux kernel developers on this issue. See the old discussions about Linux. Basically you should have a software CSPRNG in your operating system that is seeded by rdrand and maybe other things. I am hoping that ring will eventually provide this, but right now it doesn't. In the meantime, please provide a syscall like |
@stevenrutherford The last time I looked at We should really "just" implement a CSPRNG that is seeded by |
It seems For the time being, we can add a less-safe-getrandom-rdrand feature that lets us use getrandom as it is for UEFI, as I suggest in my review of PR #1406. And the same for other targets where getrandom uses rdrand. Going forward, I expect ring will provide a "userspace" CSPRNG for use within ring, including the public ring::rand API, specifically to support these targets so we don't have to read RDRAND directly. This is TBD. But the short-term solution outlined above is OK for 0.17. |
[Updated]: Currently the main issue is the need to implement
fill_impl
inring::rand
for each platform.The text was updated successfully, but these errors were encountered: