1 // Copyright 2018 Developers of the Rand project.
2 //
3 // Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
4 // https://www.apache.org/licenses/LICENSE-2.0> or the MIT license
5 // <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your
6 // option. This file may not be copied, modified, or distributed
7 // except according to those terms.
8
9 //! Implementation for SGX using RDRAND instruction
10 use crate::Error;
11 use core::mem;
12
13 cfg_if! {
14 if #[cfg(target_arch = "x86_64")] {
15 use core::arch::x86_64 as arch;
16 use arch::_rdrand64_step as rdrand_step;
17 } else if #[cfg(target_arch = "x86")] {
18 use core::arch::x86 as arch;
19 use arch::_rdrand32_step as rdrand_step;
20 }
21 }
22
23 // Recommendation from "Intel® Digital Random Number Generator (DRNG) Software
24 // Implementation Guide" - Section 5.2.1 and "Intel® 64 and IA-32 Architectures
25 // Software Developer’s Manual" - Volume 1 - Section 7.3.17.1.
26 const RETRY_LIMIT: usize = 10;
27 const WORD_SIZE: usize = mem::size_of::<usize>();
28
29 #[target_feature(enable = "rdrand")]
rdrand() -> Result<[u8; WORD_SIZE], Error>30 unsafe fn rdrand() -> Result<[u8; WORD_SIZE], Error> {
31 for _ in 0..RETRY_LIMIT {
32 let mut el = mem::zeroed();
33 if rdrand_step(&mut el) == 1 {
34 // AMD CPUs from families 14h to 16h (pre Ryzen) sometimes fail to
35 // set CF on bogus random data, so we check these values explicitly.
36 // See https://github.com/systemd/systemd/issues/11810#issuecomment-489727505
37 // We perform this check regardless of target to guard against
38 // any implementation that incorrectly fails to set CF.
39 if el != 0 && el != !0 {
40 return Ok(el.to_ne_bytes());
41 }
42 // Keep looping in case this was a false positive.
43 }
44 }
45 Err(Error::FAILED_RDRAND)
46 }
47
48 // "rdrand" target feature requires "+rdrnd" flag, see https://github.com/rust-lang/rust/issues/49653.
49 #[cfg(all(target_env = "sgx", not(target_feature = "rdrand")))]
50 compile_error!(
51 "SGX targets require 'rdrand' target feature. Enable by using -C target-feature=+rdrnd."
52 );
53
54 #[cfg(target_feature = "rdrand")]
is_rdrand_supported() -> bool55 fn is_rdrand_supported() -> bool {
56 true
57 }
58
59 // TODO use is_x86_feature_detected!("rdrand") when that works in core. See:
60 // https://github.com/rust-lang-nursery/stdsimd/issues/464
61 #[cfg(not(target_feature = "rdrand"))]
is_rdrand_supported() -> bool62 fn is_rdrand_supported() -> bool {
63 use crate::util::LazyBool;
64
65 // SAFETY: All Rust x86 targets are new enough to have CPUID, and if CPUID
66 // is supported, CPUID leaf 1 is always supported.
67 const FLAG: u32 = 1 << 30;
68 static HAS_RDRAND: LazyBool = LazyBool::new();
69 HAS_RDRAND.unsync_init(|| unsafe { (arch::__cpuid(1).ecx & FLAG) != 0 })
70 }
71
getrandom_inner(dest: &mut [u8]) -> Result<(), Error>72 pub fn getrandom_inner(dest: &mut [u8]) -> Result<(), Error> {
73 if !is_rdrand_supported() {
74 return Err(Error::NO_RDRAND);
75 }
76
77 // SAFETY: After this point, rdrand is supported, so calling the rdrand
78 // functions is not undefined behavior.
79 unsafe { rdrand_exact(dest) }
80 }
81
82 #[target_feature(enable = "rdrand")]
rdrand_exact(dest: &mut [u8]) -> Result<(), Error>83 unsafe fn rdrand_exact(dest: &mut [u8]) -> Result<(), Error> {
84 // We use chunks_exact_mut instead of chunks_mut as it allows almost all
85 // calls to memcpy to be elided by the compiler.
86 let mut chunks = dest.chunks_exact_mut(WORD_SIZE);
87 for chunk in chunks.by_ref() {
88 chunk.copy_from_slice(&rdrand()?);
89 }
90
91 let tail = chunks.into_remainder();
92 let n = tail.len();
93 if n > 0 {
94 tail.copy_from_slice(&rdrand()?[..n]);
95 }
96 Ok(())
97 }
98