1 // Copyright 2018 Developers of the Rand project.
2 //
3 // Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
4 // https://www.apache.org/licenses/LICENSE-2.0> or the MIT license
5 // <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your
6 // option. This file may not be copied, modified, or distributed
7 // except according to those terms.
8 
9 //! Implementation for SGX using RDRAND instruction
10 use crate::Error;
11 use core::mem;
12 
13 cfg_if! {
14     if #[cfg(target_arch = "x86_64")] {
15         use core::arch::x86_64 as arch;
16         use arch::_rdrand64_step as rdrand_step;
17     } else if #[cfg(target_arch = "x86")] {
18         use core::arch::x86 as arch;
19         use arch::_rdrand32_step as rdrand_step;
20     }
21 }
22 
23 // Recommendation from "Intel® Digital Random Number Generator (DRNG) Software
24 // Implementation Guide" - Section 5.2.1 and "Intel® 64 and IA-32 Architectures
25 // Software Developer’s Manual" - Volume 1 - Section 7.3.17.1.
26 const RETRY_LIMIT: usize = 10;
27 const WORD_SIZE: usize = mem::size_of::<usize>();
28 
29 #[target_feature(enable = "rdrand")]
rdrand() -> Result<[u8; WORD_SIZE], Error>30 unsafe fn rdrand() -> Result<[u8; WORD_SIZE], Error> {
31     for _ in 0..RETRY_LIMIT {
32         let mut el = mem::zeroed();
33         if rdrand_step(&mut el) == 1 {
34             // AMD CPUs from families 14h to 16h (pre Ryzen) sometimes fail to
35             // set CF on bogus random data, so we check these values explicitly.
36             // See https://github.com/systemd/systemd/issues/11810#issuecomment-489727505
37             // We perform this check regardless of target to guard against
38             // any implementation that incorrectly fails to set CF.
39             if el != 0 && el != !0 {
40                 return Ok(el.to_ne_bytes());
41             }
42             // Keep looping in case this was a false positive.
43         }
44     }
45     Err(Error::FAILED_RDRAND)
46 }
47 
48 // "rdrand" target feature requires "+rdrnd" flag, see https://github.com/rust-lang/rust/issues/49653.
49 #[cfg(all(target_env = "sgx", not(target_feature = "rdrand")))]
50 compile_error!(
51     "SGX targets require 'rdrand' target feature. Enable by using -C target-feature=+rdrnd."
52 );
53 
54 #[cfg(target_feature = "rdrand")]
is_rdrand_supported() -> bool55 fn is_rdrand_supported() -> bool {
56     true
57 }
58 
59 // TODO use is_x86_feature_detected!("rdrand") when that works in core. See:
60 // https://github.com/rust-lang-nursery/stdsimd/issues/464
61 #[cfg(not(target_feature = "rdrand"))]
is_rdrand_supported() -> bool62 fn is_rdrand_supported() -> bool {
63     use crate::util::LazyBool;
64 
65     // SAFETY: All Rust x86 targets are new enough to have CPUID, and if CPUID
66     // is supported, CPUID leaf 1 is always supported.
67     const FLAG: u32 = 1 << 30;
68     static HAS_RDRAND: LazyBool = LazyBool::new();
69     HAS_RDRAND.unsync_init(|| unsafe { (arch::__cpuid(1).ecx & FLAG) != 0 })
70 }
71 
getrandom_inner(dest: &mut [u8]) -> Result<(), Error>72 pub fn getrandom_inner(dest: &mut [u8]) -> Result<(), Error> {
73     if !is_rdrand_supported() {
74         return Err(Error::NO_RDRAND);
75     }
76 
77     // SAFETY: After this point, rdrand is supported, so calling the rdrand
78     // functions is not undefined behavior.
79     unsafe { rdrand_exact(dest) }
80 }
81 
82 #[target_feature(enable = "rdrand")]
rdrand_exact(dest: &mut [u8]) -> Result<(), Error>83 unsafe fn rdrand_exact(dest: &mut [u8]) -> Result<(), Error> {
84     // We use chunks_exact_mut instead of chunks_mut as it allows almost all
85     // calls to memcpy to be elided by the compiler.
86     let mut chunks = dest.chunks_exact_mut(WORD_SIZE);
87     for chunk in chunks.by_ref() {
88         chunk.copy_from_slice(&rdrand()?);
89     }
90 
91     let tail = chunks.into_remainder();
92     let n = tail.len();
93     if n > 0 {
94         tail.copy_from_slice(&rdrand()?[..n]);
95     }
96     Ok(())
97 }
98