diff --git a/Cargo.lock b/Cargo.lock index 593fa9119..871034147 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1193,16 +1193,23 @@ dependencies = [ name = "drv-lpc55-rng" version = "0.1.0" dependencies = [ + "anyhow", + "build-util", "cfg-if", "drv-lpc55-syscon-api", "drv-rng-api", + "hubpack", "idol", "idol-runtime", + "lib-dice", "lib-lpc55-rng", "num-traits", "rand_chacha", "rand_core", + "ringbuf", + "serde", "sha3", + "stage0-handoff", "userlib", "zerocopy 0.6.6", "zeroize", diff --git a/app/lpc55xpresso/app.toml b/app/lpc55xpresso/app.toml index 633df6198..880860371 100644 --- a/app/lpc55xpresso/app.toml +++ b/app/lpc55xpresso/app.toml @@ -115,8 +115,9 @@ name = "drv-lpc55-rng" priority = 3 uses = ["rng", "pmc"] start = true -stacksize = 2600 +stacksize = 3000 task-slots = ["syscon_driver"] +extern-regions = ["dice_rng"] [tasks.pong] name = "task-pong" diff --git a/app/rot-carrier/app.toml b/app/rot-carrier/app.toml index 54ff7aa7f..d08df5eba 100644 --- a/app/rot-carrier/app.toml +++ b/app/rot-carrier/app.toml @@ -101,8 +101,9 @@ name = "drv-lpc55-rng" priority = 5 uses = ["rng", "pmc"] start = true -stacksize = 2600 +stacksize = 3000 task-slots = ["syscon_driver"] +extern-regions = ["dice_rng"] [tasks.sprot] name = "drv-lpc55-sprot-server" diff --git a/chips/lpc55/memory.toml b/chips/lpc55/memory.toml index 47be0adc4..1d8573a24 100644 --- a/chips/lpc55/memory.toml +++ b/chips/lpc55/memory.toml @@ -156,3 +156,19 @@ size = 0x800 read = true write = true execute = false + +[[dice_rng]] +name = "a" +address =0x40101a00 +size = 0x100 +read = true +write = true +execute = false + +[[dice_rng]] +name = "b" +address =0x40101a00 +size = 0x100 +read = true +write = true +execute = false diff --git a/drv/lpc55-rng/Cargo.toml b/drv/lpc55-rng/Cargo.toml index f8eb2858b..8f02b69b7 100644 --- a/drv/lpc55-rng/Cargo.toml +++ b/drv/lpc55-rng/Cargo.toml @@ -5,21 +5,29 @@ edition = "2021" [dependencies] cfg-if = { workspace = true } +hubpack.workspace = true idol-runtime = { workspace = true } num-traits = { workspace = true } rand_chacha = { workspace = true } rand_core = { workspace = true } +serde.workspace = true sha3.workspace = true zerocopy = { workspace = true } zeroize.workspace = true drv-lpc55-syscon-api = { path = "../lpc55-syscon-api" } drv-rng-api = { path = "../rng-api" } +lib-dice.path = "../../lib/dice" lib-lpc55-rng.path = "../../lib/lpc55-rng" +ringbuf.path = "../../lib/ringbuf" +stage0-handoff.path = "../../lib/stage0-handoff" userlib = { path = "../../sys/userlib", features = ["panic-messages"] } [build-dependencies] -idol = { workspace = true } +anyhow.workspace = true +build-util.path = "../../build/util" +idol.workspace = true +serde.workspace = true [features] no-ipc-counters = ["idol/no-counters"] diff --git a/drv/lpc55-rng/build.rs b/drv/lpc55-rng/build.rs index 4f53fdc48..41de164f7 100644 --- a/drv/lpc55-rng/build.rs +++ b/drv/lpc55-rng/build.rs @@ -2,15 +2,50 @@ // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at https://mozilla.org/MPL/2.0/. -fn main() -> Result<(), Box> { +use anyhow::{anyhow, Context, Result}; +use idol::{server::ServerStyle, CounterSettings}; +use std::{fs::File, io::Write}; + +mod config { + include!("src/config.rs"); +} + +use config::DataRegion; + +const CFG_SRC: &str = "rng-config.rs"; + +fn main() -> Result<()> { idol::Generator::new() - .with_counters( - idol::CounterSettings::default().with_server_counters(false), - ) + .with_counters(CounterSettings::default().with_server_counters(false)) .build_server_support( "../../idl/rng.idol", "server_stub.rs", - idol::server::ServerStyle::InOrder, - )?; + ServerStyle::InOrder, + ) + .map_err(|e| anyhow!(e))?; + + let out_dir = build_util::out_dir(); + let dest_path = out_dir.join(CFG_SRC); + let mut out = + File::create(dest_path).context(format!("creating {}", CFG_SRC))?; + + let data_regions = build_util::task_extern_regions::()?; + if data_regions.is_empty() { + return Err(anyhow!("no data regions found")); + } + + let region = data_regions + .get("dice_rng") + .ok_or_else(|| anyhow!("dice_rng data region not found"))?; + writeln!( + out, + r##"use crate::config::DataRegion; +pub const RNG_DATA: DataRegion = DataRegion {{ + address: {:#x}, + size: {:#x}, +}};"##, + region.address, region.size + )?; + Ok(()) } diff --git a/drv/lpc55-rng/src/config.rs b/drv/lpc55-rng/src/config.rs new file mode 100644 index 000000000..7ef321f94 --- /dev/null +++ b/drv/lpc55-rng/src/config.rs @@ -0,0 +1,12 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at https://mozilla.org/MPL/2.0/. + +use serde::Deserialize; + +#[derive(Deserialize, Default, Debug)] +#[serde(rename_all = "kebab-case")] +pub struct DataRegion { + pub address: u32, + pub size: u32, +} diff --git a/drv/lpc55-rng/src/main.rs b/drv/lpc55-rng/src/main.rs index 828082e87..23bf22882 100644 --- a/drv/lpc55-rng/src/main.rs +++ b/drv/lpc55-rng/src/main.rs @@ -9,23 +9,48 @@ #![no_std] #![no_main] -use core::{cmp, usize}; +mod config; + +use config::DataRegion; +use core::{cmp, slice, usize}; use drv_lpc55_syscon_api::Syscon; use drv_rng_api::RngError; +use hubpack::SerializedSize; use idol_runtime::{ClientError, NotificationHandler, RequestError}; +use lib_dice::{RngData, RngSeed, SeedBuf}; use lib_lpc55_rng::Lpc55Rng; use rand_chacha::ChaCha20Rng; use rand_core::{impls, Error, RngCore, SeedableRng}; +use ringbuf::{ringbuf, ringbuf_entry}; +use serde::Deserialize; use sha3::{ digest::crypto_common::{generic_array::GenericArray, OutputSizeUser}, digest::FixedOutputReset, Digest, Sha3_256, }; +use stage0_handoff::{HandoffData, HandoffDataLoadError}; use userlib::*; use zeroize::Zeroizing; +// This file is generated by the crate build.rs. It contains instances of +// config::DataRegion structs describing regions of memory configured & +// exposed to this task by the hubris build. +mod build { + include!(concat!(env!("OUT_DIR"), "/rng-config.rs")); +} + +use build::RNG_DATA; + task_slot!(SYSCON, syscon_driver); +#[derive(Copy, Clone, PartialEq)] +enum Trace { + HandoffError(HandoffDataLoadError), + None, +} + +ringbuf!(Trace, 16, Trace::None); + // low-budget rand::rngs::adapter::ReseedingRng w/o fork stuff struct ReseedingRng { inner: T, @@ -42,19 +67,35 @@ where H: FixedOutputReset + Default + Digest, [u8; 32]: From::OutputSize>>, { - fn new(mut reseeder: R, threshold: usize) -> Result { + fn new( + seed: RngSeed, + mut reseeder: R, + threshold: usize, + ) -> Result { let threshold = if threshold == 0 { usize::MAX } else { threshold }; + let mut mixer = H::default(); + // mix platform unique seed drived by measured boot + Digest::update(&mut mixer, seed.as_bytes()); + + // w/ 32 bytes from HRNG + let mut buf = Zeroizing::new(T::Seed::default()); + reseeder.try_fill_bytes(buf.as_mut())?; + Digest::update(&mut mixer, buf.as_ref()); + + // create initial instance of the SeedableRng from the seed + let inner = T::from_seed(mixer.finalize_fixed_reset().into()); + Ok(ReseedingRng { - inner: T::from_rng(&mut reseeder)?, + inner, reseeder, threshold, bytes_until_reseed: threshold, - mixer: H::default(), + mixer, }) } } @@ -116,8 +157,14 @@ where struct Lpc55RngServer(ReseedingRng); impl Lpc55RngServer { - fn new(reseeder: Lpc55Rng, threshold: usize) -> Result { - Ok(Lpc55RngServer(ReseedingRng::new(reseeder, threshold)?)) + fn new( + seed: RngSeed, + reseeder: Lpc55Rng, + threshold: usize, + ) -> Result { + Ok(Lpc55RngServer(ReseedingRng::new( + seed, reseeder, threshold, + )?)) } } @@ -156,12 +203,41 @@ impl NotificationHandler for Lpc55RngServer { } } +/// Load a type implementing HandoffData (and others) from a config::DataRegion. +/// Errors will be reported in the ringbuf and will return in None. +fn load_data_from_region< + T: for<'a> Deserialize<'a> + HandoffData + SerializedSize, +>( + region: &DataRegion, +) -> Option { + // Safety: This memory is setup by code executed before hubris and + // exposed using the kernel `extern-regions` mechanism. The safety of + // this code is an extension of our trust in the hubris kernel / build. + let data = unsafe { + slice::from_raw_parts(region.address as *mut u8, region.size as usize) + }; + + // this can be replaced w/ .ok() if we get rid of the ringbuf entry + match T::load_from_addr(data) { + Ok(d) => Some(d), + Err(e) => { + ringbuf_entry!(Trace::HandoffError(e)); + None + } + } +} + #[export_name = "main"] fn main() -> ! { + let seed = { + load_data_from_region::(&RNG_DATA) + .unwrap_lite() + .seed + }; let rng = Lpc55Rng::new(&Syscon::from(SYSCON.get_task_id())); let threshold = 0x100000; // 1 MiB - let mut rng = Lpc55RngServer::new(rng, threshold) + let mut rng = Lpc55RngServer::new(seed, rng, threshold) .expect("Failed to create Lpc55RngServer"); let mut buffer = [0u8; idl::INCOMING_SIZE];