-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Cargo feature for CPU randomness #133
Conversation
0af7a91
to
ec8e610
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good rationale for using a separate cpurand-getrandom
crate, though maybe it should be called getrandom-cpu
?
The code looks reasonable. The tests — I think you removed min-dependency-version tests?
6804374
to
849fd19
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On x86, s390, some ARM chips, and some PowerPC chips, CPUs support instructions to get randomness
AFAIK ARM does not have a dedicated CPU instruction for retrieving random numbers and instead dedicated peripherals are used, so you can't rely on target triplet here. I also couldn't find PowerPC instruction (although it was a shallow search). I think it may be worth to introduce getrandom-rdrand
crate instead and work on other targets in separate crates.
1ffcd5c
to
fe87d8b
Compare
@dhardy, good idea. I switched the crates to be named
Fixed. I also cleaned up the Travis scripts in general, let me know what you think.
@newpavlov I updated the OP to document the instructions on ARM, Power, and s390. At lot of these are very new, but were essentially introduced to be the counterparts of Intel's RDRAND. Particularly in the case of ARM and Power, these CPU instructions were introduced to avoid needing separate drivers for each board (i.e. the current state of affairs on ARM/Power). Given these instructions, do you think it makes sense to have a |
@josephlr So we have two use-cases (see my other message). Ideally we should separate "use a custom CPU-based |
I'm not sure that we should care about this use-case? Is there a significant set of users? As you say, the
Exposing this directly for testing / niche purposes seems acceptable to me (even though it is of limited utility). It is a small API extension with no extra code, and I don't think there's any reason we'd need to make a breaking change here (without also breaking the main |
We may support wider range of targets with such crate, plus it would allow us to fix bug faster (e.g.
For testing it should be enough to use module-level tests, no need for exposing this function publicly. I am not sure why you brought breaking changes into this discussion. The approach, which I've drafted, will not introduce any breaking changes. As for keeping RDRAND code for SGX targets, I think it may be worth to remove it from |
From the OP:
It may still be desirable to make these targets work by default. Note that libs should definitely not be importing a crate like |
b7e1d50
to
da467f8
Compare
Signed-off-by: Joe Richey <[email protected]>
We will use a more generic "cpu" mechanism to support these. Signed-off-by: Joe Richey <[email protected]>
@newpavlov @dhardy I implemented my plan from #84 (comment), I rewrote the commit history, and the tests are now passing. PTAL, each of the 5 commits is mostly self contained (be sure to keep the history when merging). The only remaining question is: What do we do for SGX targets? Right now, they are marked as explicitly supported, as RDRAND is how Intel implements |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do we do for SGX targets?
I guess we can leave it as-is, or if the cpu
feature will be removed (see my comment below), then it can be lumped together with other x86-64 targets without issues.
UPD: Essentially we have to decide if our support of SGX via RDRAND is on the same level as for targets with OS or not, i.e. should we give users an ability to overwrite it or not. I am fine with both options.
If we have the CPU feature off by default, we should still have the SGX targets build by default, as the fortanix sgx taget is Tier 2 with full 'std' support. So I think having SGX be "fully suported" is fine. |
This allows freestanding targets to use getrandom. Signed-off-by: Joe Richey <[email protected]>
- Cleanup .travis.yml - Loops over std/no_std targets - Remove deprecated/useless keys - No more `cd`, we just use `--package`. - Improve tests - Main `getrandom` tests are now unit test modules instead of integration tests, making the code cleaner. - The custom RNG crates now use this common module as part of their integration tests. - No more weird test-only features needed to get the crate to build. Signed-off-by: Joe Richey <[email protected]>
This allows us to verify the RDRAND implementation on Linux. Signed-off-by: Joe Richey <[email protected]>
Closes #84
cpu
Cargo featureMany CPU architectures support instructions to get randomness:
x86
/x86_64
have the well-known RDRAND/RDSEEDThis PR adds a
cpu
Cargo feature, which calls those instructions if there is not a supported implementation. Right now we only supportx86_64
. Thiscpu
feature is on by default (as there's no real reason to disable it, other than wanting to make sure all buildable targets have a concrete implementations). This feature takes lower priority thancustom
implementations. This is necessary to have specific RNG implementations on unsupported platforms.We can now drop explicit support for targets where we used RDRAND simply because we didn't know what else to use. This includes:
x86_64-unknown-hermit
x86_64-unknown-l4re-uclibc
x86_64-unknown-uefi
As the
cpu
feature is on by default, these targets will keep working by default, but they can now be overridden bycustom
implementations.We continue to explicitly support all SGX targets. This means that
custom
implementations cannot, override the RDRAND implementation. Intel makes it very clear you have to use RDRAND to get randomness on SGX. The other targets don't have this mandate. For example, UEFI could get it's randomness form either RDRAND or EFI_RNG_PROTOCOL.Testing improvements
I also took some time to fix the test structure. Now, there is a
test_common
module, which various test files import. This still allows for us to write tests once, but removes the need for hacky Cargo features. I then cleaned up some of the testing in.travis.yml
. I also removed duplicate tests for minimum dependency versions.We also now test the CPU-based RNG implementation on all x86 targets. This makes it possible to directly test on Linux, instead of needing a custom target.