diff options
author | Peter Maydell <peter.maydell@linaro.org> | 2019-05-23 12:57:17 +0100 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2019-05-23 12:57:17 +0100 |
commit | d418238dca7b4e0b124135827ead3076233052b1 (patch) | |
tree | 5869c8301e18962d3ddb4e927e152220c21ce33f | |
parent | c4600d5d417ea13e0f1cc047b227a2b5b0e694f5 (diff) | |
parent | 369fd5ca66810b2ddb16e23a497eabe59385eceb (diff) | |
download | qemu-d418238dca7b4e0b124135827ead3076233052b1.zip qemu-d418238dca7b4e0b124135827ead3076233052b1.tar.gz qemu-d418238dca7b4e0b124135827ead3076233052b1.tar.bz2 |
Merge remote-tracking branch 'remotes/rth/tags/pull-rng-20190522' into staging
Introduce qemu_guest_getrandom.
Use qemu_guest_getrandom in aspeed, nrf51, bcm2835, exynos4210 rng devices.
Use qemu_guest_getrandom in target/ppc darn instruction.
Support ARMv8.5-RNG extension.
Support x86 RDRAND extension.
Acked-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Laurent Vivier <laurent@vivier.eu>
# gpg: Signature made Wed 22 May 2019 19:36:43 BST
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F
* remotes/rth/tags/pull-rng-20190522: (25 commits)
target/i386: Implement CPUID_EXT_RDRAND
target/ppc: Use qemu_guest_getrandom for DARN
target/ppc: Use gen_io_start/end around DARN
target/arm: Implement ARMv8.5-RNG
target/arm: Put all PAC keys into a structure
hw/misc/exynos4210_rng: Use qemu_guest_getrandom
hw/misc/bcm2835_rng: Use qemu_guest_getrandom_nofail
hw/misc/nrf51_rng: Use qemu_guest_getrandom_nofail
aspeed/scu: Use qemu_guest_getrandom_nofail
linux-user: Remove srand call
linux-user/aarch64: Use qemu_guest_getrandom for PAUTH keys
linux-user: Use qemu_guest_getrandom_nofail for AT_RANDOM
linux-user: Call qcrypto_init if not using -seed
linux-user: Initialize pseudo-random seeds for all guest cpus
cpus: Initialize pseudo-random seeds for all guest cpus
util: Add qemu_guest_getrandom and associated routines
ui/vnc: Use gcrypto_random_bytes for start_auth_vnc
ui/vnc: Split out authentication_failed
crypto: Change the qcrypto_random_bytes buffer type to void*
crypto: Use getrandom for qcrypto_random_bytes
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
36 files changed, 610 insertions, 256 deletions
@@ -413,7 +413,7 @@ dummy := $(call unnest-vars,, \ block-obj-y \ block-obj-m \ crypto-obj-y \ - crypto-aes-obj-y \ + crypto-user-obj-y \ qom-obj-y \ io-obj-y \ common-obj-y \ @@ -487,7 +487,7 @@ subdir-slirp: .git-submodule-status $(call quiet-command,$(MAKE) -C $(SRC_PATH)/slirp BUILD_DIR="$(BUILD_DIR)/slirp" CC="$(CC)" AR="$(AR)" LD="$(LD)" RANLIB="$(RANLIB)" CFLAGS="$(QEMU_CFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)") $(SUBDIR_RULES): libqemuutil.a $(common-obj-y) \ - $(qom-obj-y) $(crypto-aes-obj-$(CONFIG_USER_ONLY)) + $(qom-obj-y) $(crypto-user-obj-$(CONFIG_USER_ONLY)) ROMSUBDIR_RULES=$(patsubst %,romsubdir-%, $(ROMS)) # Only keep -O and -g cflags diff --git a/Makefile.objs b/Makefile.objs index 485f962..d749141 100644 --- a/Makefile.objs +++ b/Makefile.objs @@ -25,7 +25,7 @@ block-obj-m = block/ # crypto-obj-y is code used by both qemu system emulation and qemu-img crypto-obj-y = crypto/ -crypto-aes-obj-y = crypto/ +crypto-user-obj-y = crypto/ ####################################################################### # qom-obj-y is code used by both qemu system emulation and qemu-img diff --git a/Makefile.target b/Makefile.target index fdbe7c8..4ef4ce5 100644 --- a/Makefile.target +++ b/Makefile.target @@ -180,7 +180,7 @@ dummy := $(call unnest-vars,.., \ block-obj-m \ chardev-obj-y \ crypto-obj-y \ - crypto-aes-obj-y \ + crypto-user-obj-y \ qom-obj-y \ io-obj-y \ common-obj-y \ @@ -189,7 +189,7 @@ all-obj-y += $(common-obj-y) all-obj-y += $(qom-obj-y) all-obj-$(CONFIG_SOFTMMU) += $(authz-obj-y) all-obj-$(CONFIG_SOFTMMU) += $(block-obj-y) $(chardev-obj-y) -all-obj-$(CONFIG_USER_ONLY) += $(crypto-aes-obj-y) +all-obj-$(CONFIG_USER_ONLY) += $(crypto-user-obj-y) all-obj-$(CONFIG_SOFTMMU) += $(crypto-obj-y) all-obj-$(CONFIG_SOFTMMU) += $(io-obj-y) @@ -2784,17 +2784,23 @@ fi # GNUTLS probe if test "$gnutls" != "no"; then + pass="no" if $pkg_config --exists "gnutls >= 3.1.18"; then gnutls_cflags=$($pkg_config --cflags gnutls) gnutls_libs=$($pkg_config --libs gnutls) - libs_softmmu="$gnutls_libs $libs_softmmu" - libs_tools="$gnutls_libs $libs_tools" - QEMU_CFLAGS="$QEMU_CFLAGS $gnutls_cflags" - gnutls="yes" - elif test "$gnutls" = "yes"; then + # Packaging for the static libraries is not always correct. + # At least ubuntu 18.04 ships only shared libraries. + write_c_skeleton + if compile_prog "" "$gnutls_libs" ; then + LIBS="$gnutls_libs $LIBS" + QEMU_CFLAGS="$QEMU_CFLAGS $gnutls_cflags" + pass="yes" + fi + fi + if test "$pass" = "no" && test "$gnutls" = "yes"; then feature_not_found "gnutls" "Install gnutls devel >= 3.1.18" else - gnutls="no" + gnutls="$pass" fi fi @@ -2849,43 +2855,52 @@ has_libgcrypt() { if test "$nettle" != "no"; then + pass="no" if $pkg_config --exists "nettle >= 2.7.1"; then nettle_cflags=$($pkg_config --cflags nettle) nettle_libs=$($pkg_config --libs nettle) nettle_version=$($pkg_config --modversion nettle) - libs_softmmu="$nettle_libs $libs_softmmu" - libs_tools="$nettle_libs $libs_tools" - QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags" - nettle="yes" - - if test -z "$gcrypt"; then - gcrypt="no" + # Link test to make sure the given libraries work (e.g for static). + write_c_skeleton + if compile_prog "" "$nettle_libs" ; then + LIBS="$nettle_libs $LIBS" + QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags" + if test -z "$gcrypt"; then + gcrypt="no" + fi + pass="yes" fi + fi + if test "$pass" = "no" && test "$nettle" = "yes"; then + feature_not_found "nettle" "Install nettle devel >= 2.7.1" else - if test "$nettle" = "yes"; then - feature_not_found "nettle" "Install nettle devel >= 2.7.1" - else - nettle="no" - fi + nettle="$pass" fi fi if test "$gcrypt" != "no"; then + pass="no" if has_libgcrypt; then gcrypt_cflags=$(libgcrypt-config --cflags) gcrypt_libs=$(libgcrypt-config --libs) - # Debian has remove -lgpg-error from libgcrypt-config + # Debian has removed -lgpg-error from libgcrypt-config # as it "spreads unnecessary dependencies" which in # turn breaks static builds... if test "$static" = "yes" then gcrypt_libs="$gcrypt_libs -lgpg-error" fi - libs_softmmu="$gcrypt_libs $libs_softmmu" - libs_tools="$gcrypt_libs $libs_tools" - QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags" - gcrypt="yes" + # Link test to make sure the given libraries work (e.g for static). + write_c_skeleton + if compile_prog "" "$gcrypt_libs" ; then + LIBS="$gcrypt_libs $LIBS" + QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags" + pass="yes" + fi + fi + if test "$pass" = "yes"; then + gcrypt="yes" cat > $TMPC << EOF #include <gcrypt.h> int main(void) { @@ -2898,12 +2913,10 @@ EOF if compile_prog "$gcrypt_cflags" "$gcrypt_libs" ; then gcrypt_hmac=yes fi + elif test "$gcrypt" = "yes"; then + feature_not_found "gcrypt" "Install gcrypt devel >= 1.5.0" else - if test "$gcrypt" = "yes"; then - feature_not_found "gcrypt" "Install gcrypt devel >= 1.5.0" - else - gcrypt="no" - fi + gcrypt="no" fi fi @@ -5803,6 +5816,20 @@ if compile_prog "" "" ; then fi ########################################## +# check for getrandom() + +have_getrandom=no +cat > $TMPC << EOF +#include <sys/random.h> +int main(void) { + return getrandom(0, 0, GRND_NONBLOCK); +} +EOF +if compile_prog "" "" ; then + have_getrandom=yes +fi + +########################################## # checks for sanitizers have_asan=no @@ -7191,7 +7218,9 @@ fi if test "$have_utmpx" = "yes" ; then echo "HAVE_UTMPX=y" >> $config_host_mak fi - +if test "$have_getrandom" = "yes" ; then + echo "CONFIG_GETRANDOM=y" >> $config_host_mak +fi if test "$ivshmem" = "yes" ; then echo "CONFIG_IVSHMEM=y" >> $config_host_mak fi @@ -50,6 +50,7 @@ #include "qemu/option.h" #include "qemu/bitmap.h" #include "qemu/seqlock.h" +#include "qemu/guest-random.h" #include "tcg.h" #include "hw/nmi.h" #include "sysemu/replay.h" @@ -1276,6 +1277,7 @@ static void *qemu_kvm_cpu_thread_fn(void *arg) /* signal CPU creation */ cpu->created = true; qemu_cond_signal(&qemu_cpu_cond); + qemu_guest_random_seed_thread_part2(cpu->random_seed); do { if (cpu_can_run(cpu)) { @@ -1319,6 +1321,7 @@ static void *qemu_dummy_cpu_thread_fn(void *arg) /* signal CPU creation */ cpu->created = true; qemu_cond_signal(&qemu_cpu_cond); + qemu_guest_random_seed_thread_part2(cpu->random_seed); do { qemu_mutex_unlock_iothread(); @@ -1478,6 +1481,7 @@ static void *qemu_tcg_rr_cpu_thread_fn(void *arg) cpu->created = true; cpu->can_do_io = 1; qemu_cond_signal(&qemu_cpu_cond); + qemu_guest_random_seed_thread_part2(cpu->random_seed); /* wait for initial kick-off after machine start */ while (first_cpu->stopped) { @@ -1592,6 +1596,7 @@ static void *qemu_hax_cpu_thread_fn(void *arg) hax_init_vcpu(cpu); qemu_cond_signal(&qemu_cpu_cond); + qemu_guest_random_seed_thread_part2(cpu->random_seed); do { if (cpu_can_run(cpu)) { @@ -1631,6 +1636,7 @@ static void *qemu_hvf_cpu_thread_fn(void *arg) /* signal CPU creation */ cpu->created = true; qemu_cond_signal(&qemu_cpu_cond); + qemu_guest_random_seed_thread_part2(cpu->random_seed); do { if (cpu_can_run(cpu)) { @@ -1671,6 +1677,7 @@ static void *qemu_whpx_cpu_thread_fn(void *arg) /* signal CPU creation */ cpu->created = true; qemu_cond_signal(&qemu_cpu_cond); + qemu_guest_random_seed_thread_part2(cpu->random_seed); do { if (cpu_can_run(cpu)) { @@ -1724,6 +1731,7 @@ static void *qemu_tcg_cpu_thread_fn(void *arg) cpu->can_do_io = 1; current_cpu = cpu; qemu_cond_signal(&qemu_cpu_cond); + qemu_guest_random_seed_thread_part2(cpu->random_seed); /* process any pending work */ cpu->exit_request = 1; @@ -2071,6 +2079,7 @@ void qemu_init_vcpu(CPUState *cpu) cpu->nr_cores = smp_cores; cpu->nr_threads = smp_threads; cpu->stopped = true; + cpu->random_seed = qemu_guest_random_seed_thread_part1(); if (!cpu->as) { /* If the target cpu hasn't set up any address spaces itself, diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs index 256c9ac..7fe2fa9 100644 --- a/crypto/Makefile.objs +++ b/crypto/Makefile.objs @@ -19,9 +19,10 @@ crypto-obj-y += tlscredspsk.o crypto-obj-y += tlscredsx509.o crypto-obj-y += tlssession.o crypto-obj-y += secret.o -crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o -crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o -crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o +crypto-rng-obj-$(CONFIG_GCRYPT) += random-gcrypt.o +crypto-rng-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o +crypto-rng-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o +crypto-obj-y += $(crypto-rng-obj-y) crypto-obj-y += pbkdf.o crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o @@ -35,7 +36,7 @@ crypto-obj-y += block.o crypto-obj-y += block-qcow.o crypto-obj-y += block-luks.o -# Let the userspace emulators avoid linking gnutls/etc -crypto-aes-obj-y = aes.o +# Let the userspace emulators avoid linking stuff they won't use. +crypto-user-obj-y = aes.o $(crypto-rng-obj-y) init.o stub-obj-y += pbkdf-stub.o diff --git a/crypto/random-gcrypt.c b/crypto/random-gcrypt.c index 9f1c9ee..7aea4ac 100644 --- a/crypto/random-gcrypt.c +++ b/crypto/random-gcrypt.c @@ -24,7 +24,7 @@ #include <gcrypt.h> -int qcrypto_random_bytes(uint8_t *buf, +int qcrypto_random_bytes(void *buf, size_t buflen, Error **errp G_GNUC_UNUSED) { diff --git a/crypto/random-gnutls.c b/crypto/random-gnutls.c index 445fd6a..ed6c9ca 100644 --- a/crypto/random-gnutls.c +++ b/crypto/random-gnutls.c @@ -26,7 +26,7 @@ #include <gnutls/gnutls.h> #include <gnutls/crypto.h> -int qcrypto_random_bytes(uint8_t *buf, +int qcrypto_random_bytes(void *buf, size_t buflen, Error **errp) { diff --git a/crypto/random-platform.c b/crypto/random-platform.c index 7541b4c..6662410 100644 --- a/crypto/random-platform.c +++ b/crypto/random-platform.c @@ -27,68 +27,88 @@ #include <wincrypt.h> static HCRYPTPROV hCryptProv; #else -static int fd; /* a file handle to either /dev/urandom or /dev/random */ +# ifdef CONFIG_GETRANDOM +# include <sys/random.h> +# endif +/* This is -1 for getrandom(), or a file handle for /dev/{u,}random. */ +static int fd; #endif int qcrypto_random_init(Error **errp) { -#ifndef _WIN32 - /* TBD perhaps also add support for BSD getentropy / Linux - * getrandom syscalls directly */ - fd = open("/dev/urandom", O_RDONLY); - if (fd == -1 && errno == ENOENT) { - fd = open("/dev/random", O_RDONLY); - } - - if (fd < 0) { - error_setg(errp, "No /dev/urandom or /dev/random found"); - return -1; - } -#else +#ifdef _WIN32 if (!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_SILENT | CRYPT_VERIFYCONTEXT)) { error_setg_win32(errp, GetLastError(), "Unable to create cryptographic provider"); return -1; } +#else +# ifdef CONFIG_GETRANDOM + if (getrandom(NULL, 0, 0) == 0) { + /* Use getrandom() */ + fd = -1; + return 0; + } + /* Fall through to /dev/urandom case. */ +# endif + fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC); + if (fd == -1 && errno == ENOENT) { + fd = open("/dev/random", O_RDONLY | O_CLOEXEC); + } + if (fd < 0) { + error_setg_errno(errp, errno, "No /dev/urandom or /dev/random"); + return -1; + } #endif - return 0; } -int qcrypto_random_bytes(uint8_t *buf G_GNUC_UNUSED, - size_t buflen G_GNUC_UNUSED, +int qcrypto_random_bytes(void *buf, + size_t buflen, Error **errp) { -#ifndef _WIN32 - int ret = -1; - int got; - - while (buflen > 0) { - got = read(fd, buf, buflen); - if (got < 0) { - error_setg_errno(errp, errno, - "Unable to read random bytes"); - goto cleanup; - } else if (!got) { - error_setg(errp, - "Unexpected EOF reading random bytes"); - goto cleanup; - } - buflen -= got; - buf += got; - } - - ret = 0; - cleanup: - return ret; -#else +#ifdef _WIN32 if (!CryptGenRandom(hCryptProv, buflen, buf)) { error_setg_win32(errp, GetLastError(), "Unable to read random bytes"); return -1; } - - return 0; +#else +# ifdef CONFIG_GETRANDOM + if (likely(fd < 0)) { + while (1) { + ssize_t got = getrandom(buf, buflen, 0); + if (likely(got == buflen)) { + return 0; + } + if (got >= 0) { + buflen -= got; + buf += got; + } else if (errno != EINTR) { + error_setg_errno(errp, errno, "getrandom"); + return -1; + } + } + } + /* Fall through to /dev/urandom case. */ +# endif + while (1) { + ssize_t got = read(fd, buf, buflen); + if (likely(got == buflen)) { + return 0; + } + if (got > 0) { + buflen -= got; + buf += got; + } else if (got == 0) { + error_setg(errp, "Unexpected EOF reading random bytes"); + return -1; + } else if (errno != EINTR) { + error_setg_errno(errp, errno, "Unable to read random bytes"); + return -1; + } + } #endif + return 0; } diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c index c8217740..ab1e18e 100644 --- a/hw/misc/aspeed_scu.c +++ b/hw/misc/aspeed_scu.c @@ -16,7 +16,7 @@ #include "qapi/visitor.h" #include "qemu/bitops.h" #include "qemu/log.h" -#include "crypto/random.h" +#include "qemu/guest-random.h" #include "trace.h" #define TO_REG(offset) ((offset) >> 2) @@ -157,14 +157,8 @@ static const uint32_t ast2500_a1_resets[ASPEED_SCU_NR_REGS] = { static uint32_t aspeed_scu_get_random(void) { - Error *err = NULL; uint32_t num; - - if (qcrypto_random_bytes((uint8_t *)&num, sizeof(num), &err)) { - error_report_err(err); - exit(1); - } - + qemu_guest_getrandom_nofail(&num, sizeof(num)); return num; } diff --git a/hw/misc/bcm2835_rng.c b/hw/misc/bcm2835_rng.c index 4d62143..fe59c86 100644 --- a/hw/misc/bcm2835_rng.c +++ b/hw/misc/bcm2835_rng.c @@ -9,30 +9,26 @@ #include "qemu/osdep.h" #include "qemu/log.h" -#include "qapi/error.h" -#include "crypto/random.h" +#include "qemu/guest-random.h" #include "hw/misc/bcm2835_rng.h" static uint32_t get_random_bytes(void) { uint32_t res; - Error *err = NULL; - - if (qcrypto_random_bytes((uint8_t *)&res, sizeof(res), &err) < 0) { - /* On failure we don't want to return the guest a non-random - * value in case they're really using it for cryptographic - * purposes, so the best we can do is die here. - * This shouldn't happen unless something's broken. - * In theory we could implement this device's full FIFO - * and interrupt semantics and then just stop filling the - * FIFO. That's a lot of work, though, so we assume any - * errors are systematic problems and trust that if we didn't - * fail as the guest inited then we won't fail later on - * mid-run. - */ - error_report_err(err); - exit(1); - } + + /* + * On failure we don't want to return the guest a non-random + * value in case they're really using it for cryptographic + * purposes, so the best we can do is die here. + * This shouldn't happen unless something's broken. + * In theory we could implement this device's full FIFO + * and interrupt semantics and then just stop filling the + * FIFO. That's a lot of work, though, so we assume any + * errors are systematic problems and trust that if we didn't + * fail as the guest inited then we won't fail later on + * mid-run. + */ + qemu_guest_getrandom_nofail(&res, sizeof(res)); return res; } diff --git a/hw/misc/exynos4210_rng.c b/hw/misc/exynos4210_rng.c index 4ecbebd..0e70ffb 100644 --- a/hw/misc/exynos4210_rng.c +++ b/hw/misc/exynos4210_rng.c @@ -18,10 +18,10 @@ */ #include "qemu/osdep.h" -#include "crypto/random.h" #include "hw/sysbus.h" #include "qapi/error.h" #include "qemu/log.h" +#include "qemu/guest-random.h" #define DEBUG_EXYNOS_RNG 0 @@ -109,7 +109,6 @@ static void exynos4210_rng_set_seed(Exynos4210RngState *s, unsigned int i, static void exynos4210_rng_run_engine(Exynos4210RngState *s) { Error *err = NULL; - int ret; /* Seed set? */ if ((s->reg_status & EXYNOS4210_RNG_STATUS_SEED_SETTING_DONE) == 0) { @@ -127,13 +126,11 @@ static void exynos4210_rng_run_engine(Exynos4210RngState *s) } /* Get randoms */ - ret = qcrypto_random_bytes((uint8_t *)s->randr_value, - sizeof(s->randr_value), &err); - if (!ret) { + if (qemu_guest_getrandom(s->randr_value, sizeof(s->randr_value), &err)) { + error_report_err(err); + } else { /* Notify that PRNG is ready */ s->reg_status |= EXYNOS4210_RNG_STATUS_PRNG_DONE; - } else { - error_report_err(err); } out: diff --git a/hw/misc/nrf51_rng.c b/hw/misc/nrf51_rng.c index d188f04..3400e90 100644 --- a/hw/misc/nrf51_rng.c +++ b/hw/misc/nrf51_rng.c @@ -14,7 +14,7 @@ #include "qapi/error.h" #include "hw/arm/nrf51.h" #include "hw/misc/nrf51_rng.h" -#include "crypto/random.h" +#include "qemu/guest-random.h" static void update_irq(NRF51RNGState *s) { @@ -145,7 +145,7 @@ static void nrf51_rng_timer_expire(void *opaque) { NRF51RNGState *s = NRF51_RNG(opaque); - qcrypto_random_bytes(&s->value, 1, &error_abort); + qemu_guest_getrandom_nofail(&s->value, 1); s->event_valrdy = 1; qemu_set_irq(s->eep_valrdy, 1); diff --git a/include/crypto/random.h b/include/crypto/random.h index 8764ca0..fde5929 100644 --- a/include/crypto/random.h +++ b/include/crypto/random.h @@ -34,7 +34,7 @@ * * Returns 0 on success, -1 on error */ -int qcrypto_random_bytes(uint8_t *buf, +int qcrypto_random_bytes(void *buf, size_t buflen, Error **errp); diff --git a/include/qemu/guest-random.h b/include/qemu/guest-random.h new file mode 100644 index 0000000..09ff9c2 --- /dev/null +++ b/include/qemu/guest-random.h @@ -0,0 +1,68 @@ +/* + * QEMU guest-visible random functions + * + * Copyright 2019 Linaro, Ltd. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + */ + +#ifndef QEMU_GUEST_RANDOM_H +#define QEMU_GUEST_RANDOM_H + +/** + * qemu_guest_random_seed_main(const char *optarg, Error **errp) + * @optarg: a non-NULL pointer to a C string + * @errp: an error indicator + * + * The @optarg value is that which accompanies the -seed argument. + * This forces qemu_guest_getrandom into deterministic mode. + * + * Returns 0 on success, < 0 on failure while setting *errp. + */ +int qemu_guest_random_seed_main(const char *optarg, Error **errp); + +/** + * qemu_guest_random_seed_thread_part1(void) + * + * If qemu_getrandom is in deterministic mode, returns an + * independent seed for the new thread. Otherwise returns 0. + */ +uint64_t qemu_guest_random_seed_thread_part1(void); + +/** + * qemu_guest_random_seed_thread_part2(uint64_t seed) + * @seed: a value for the new thread. + * + * If qemu_guest_getrandom is in deterministic mode, this stores an + * independent seed for the new thread. Otherwise a no-op. + */ +void qemu_guest_random_seed_thread_part2(uint64_t seed); + +/** + * qemu_guest_getrandom(void *buf, size_t len, Error **errp) + * @buf: a buffer of bytes to be written + * @len: the number of bytes in @buf + * @errp: an error indicator + * + * Fills len bytes in buf with random data. This should only be used + * for data presented to the guest. Host-side crypto services should + * use qcrypto_random_bytes. + * + * Returns 0 on success, < 0 on failure while setting *errp. + */ +int qemu_guest_getrandom(void *buf, size_t len, Error **errp); + +/** + * qemu_guest_getrandom_nofail(void *buf, size_t len) + * @buf: a buffer of bytes to be written + * @len: the number of bytes in @buf + * + * Like qemu_guest_getrandom, but will assert for failure. + * Use this when there is no reasonable recovery. + */ +void qemu_guest_getrandom_nofail(void *buf, size_t len); + +#endif /* QEMU_GUEST_RANDOM_H */ diff --git a/include/qom/cpu.h b/include/qom/cpu.h index 32983f2..98e12d9 100644 --- a/include/qom/cpu.h +++ b/include/qom/cpu.h @@ -375,6 +375,7 @@ struct CPUState { int singlestep_enabled; int64_t icount_budget; int64_t icount_extra; + uint64_t random_seed; sigjmp_buf jmp_env; QemuMutex work_mutex; diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c index d75fd9d..2f2f63e 100644 --- a/linux-user/aarch64/cpu_loop.c +++ b/linux-user/aarch64/cpu_loop.c @@ -20,6 +20,7 @@ #include "qemu/osdep.h" #include "qemu.h" #include "cpu_loop-common.h" +#include "qemu/guest-random.h" #define get_user_code_u32(x, gaddr, env) \ ({ abi_long __r = get_user_u32((x), (gaddr)); \ @@ -147,24 +148,6 @@ void cpu_loop(CPUARMState *env) } } -static uint64_t arm_rand64(void) -{ - int shift = 64 - clz64(RAND_MAX); - int i, n = 64 / shift + (64 % shift != 0); - uint64_t ret = 0; - - for (i = 0; i < n; i++) { - ret = (ret << shift) | rand(); - } - return ret; -} - -void arm_init_pauth_key(ARMPACKey *key) -{ - key->lo = arm_rand64(); - key->hi = arm_rand64(); -} - void target_cpu_copy_regs(CPUArchState *env, struct target_pt_regs *regs) { ARMCPU *cpu = arm_env_get_cpu(env); @@ -192,11 +175,7 @@ void target_cpu_copy_regs(CPUArchState *env, struct target_pt_regs *regs) #endif if (cpu_isar_feature(aa64_pauth, cpu)) { - arm_init_pauth_key(&env->apia_key); - arm_init_pauth_key(&env->apib_key); - arm_init_pauth_key(&env->apda_key); - arm_init_pauth_key(&env->apdb_key); - arm_init_pauth_key(&env->apga_key); + qemu_guest_getrandom_nofail(&env->keys, sizeof(env->keys)); } ts->stack_base = info->start_stack; diff --git a/linux-user/aarch64/target_syscall.h b/linux-user/aarch64/target_syscall.h index b595e5d..995e475 100644 --- a/linux-user/aarch64/target_syscall.h +++ b/linux-user/aarch64/target_syscall.h @@ -29,6 +29,4 @@ struct target_pt_regs { # define TARGET_PR_PAC_APDBKEY (1 << 3) # define TARGET_PR_PAC_APGAKEY (1 << 4) -void arm_init_pauth_key(ARMPACKey *key); - #endif /* AARCH64_TARGET_SYSCALL_H */ diff --git a/linux-user/elfload.c b/linux-user/elfload.c index ef42e02..1e06b90 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -7,6 +7,7 @@ #include "qemu.h" #include "disas/disas.h" #include "qemu/path.h" +#include "qemu/guest-random.h" #ifdef _ARCH_PPC64 #undef ARCH_DLINFO @@ -1883,12 +1884,9 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, } /* - * Generate 16 random bytes for userspace PRNG seeding (not - * cryptically secure but it's not the aim of QEMU). + * Generate 16 random bytes for userspace PRNG seeding. */ - for (i = 0; i < 16; i++) { - k_rand_bytes[i] = rand(); - } + qemu_guest_getrandom_nofail(k_rand_bytes, sizeof(k_rand_bytes)); if (STACK_GROWS_DOWN) { sp -= 16; u_rand_bytes = sp; diff --git a/linux-user/main.c b/linux-user/main.c index 3d22303..689bcf4 100644 --- a/linux-user/main.c +++ b/linux-user/main.c @@ -34,10 +34,12 @@ #include "tcg.h" #include "qemu/timer.h" #include "qemu/envlist.h" +#include "qemu/guest-random.h" #include "elf.h" #include "trace/control.h" #include "target_elf.h" #include "cpu_loop-common.h" +#include "crypto/init.h" char *exec_path; @@ -48,6 +50,7 @@ static int gdbstub_port; static envlist_t *envlist; static const char *cpu_model; static const char *cpu_type; +static const char *seed_optarg; unsigned long mmap_min_addr; unsigned long guest_base; int have_guest_base; @@ -290,15 +293,9 @@ static void handle_arg_pagesize(const char *arg) } } -static void handle_arg_randseed(const char *arg) +static void handle_arg_seed(const char *arg) { - unsigned long long seed; - - if (parse_uint_full(arg, &seed, 0) != 0 || seed > UINT_MAX) { - fprintf(stderr, "Invalid seed number: %s\n", arg); - exit(EXIT_FAILURE); - } - srand(seed); + seed_optarg = arg; } static void handle_arg_gdb(const char *arg) @@ -433,7 +430,7 @@ static const struct qemu_argument arg_table[] = { "", "run in singlestep mode"}, {"strace", "QEMU_STRACE", false, handle_arg_strace, "", "log system calls"}, - {"seed", "QEMU_RAND_SEED", true, handle_arg_randseed, + {"seed", "QEMU_RAND_SEED", true, handle_arg_seed, "", "Seed for pseudo-random number generator"}, {"trace", "QEMU_TRACE", true, handle_arg_trace, "", "[[enable=]<pattern>][,events=<file>][,file=<file>]"}, @@ -626,8 +623,6 @@ int main(int argc, char **argv, char **envp) cpu_model = NULL; - srand(time(NULL)); - qemu_add_opts(&qemu_trace_opts); optind = parse_args(argc, argv); @@ -689,8 +684,20 @@ int main(int argc, char **argv, char **envp) do_strace = 1; } - if (getenv("QEMU_RAND_SEED")) { - handle_arg_randseed(getenv("QEMU_RAND_SEED")); + if (seed_optarg == NULL) { + seed_optarg = getenv("QEMU_RAND_SEED"); + } + { + Error *err = NULL; + if (seed_optarg != NULL) { + qemu_guest_random_seed_main(seed_optarg, &err); + } else { + qcrypto_init(&err); + } + if (err) { + error_reportf_err(err, "cannot initialize crypto: "); + exit(1); + } } target_environ = envlist_to_environ(envlist, NULL); diff --git a/linux-user/syscall.c b/linux-user/syscall.c index efa3ec2..3de792a 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -107,6 +107,8 @@ #include "uname.h" #include "qemu.h" +#include "qemu/guest-random.h" +#include "qapi/error.h" #include "fd-trans.h" #ifndef CLONE_IO @@ -5482,6 +5484,7 @@ static void *clone_func(void *arg) put_user_u32(info->tid, info->child_tidptr); if (info->parent_tidptr) put_user_u32(info->tid, info->parent_tidptr); + qemu_guest_random_seed_thread_part2(cpu->random_seed); /* Enable signals. */ sigprocmask(SIG_SETMASK, &info->sigmask, NULL); /* Signal to the parent that we're ready. */ @@ -5568,6 +5571,7 @@ static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp, initializing, so temporarily block all signals. */ sigfillset(&sigmask); sigprocmask(SIG_BLOCK, &sigmask, &info.sigmask); + cpu->random_seed = qemu_guest_random_seed_thread_part1(); /* If this is our first additional thread, we need to ensure we * generate code for parallel execution and flush old translations. @@ -9762,25 +9766,45 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1, int all = (TARGET_PR_PAC_APIAKEY | TARGET_PR_PAC_APIBKEY | TARGET_PR_PAC_APDAKEY | TARGET_PR_PAC_APDBKEY | TARGET_PR_PAC_APGAKEY); + int ret = 0; + Error *err = NULL; + if (arg2 == 0) { arg2 = all; } else if (arg2 & ~all) { return -TARGET_EINVAL; } if (arg2 & TARGET_PR_PAC_APIAKEY) { - arm_init_pauth_key(&env->apia_key); + ret |= qemu_guest_getrandom(&env->keys.apia, + sizeof(ARMPACKey), &err); } if (arg2 & TARGET_PR_PAC_APIBKEY) { - arm_init_pauth_key(&env->apib_key); + ret |= qemu_guest_getrandom(&env->keys.apib, + sizeof(ARMPACKey), &err); } if (arg2 & TARGET_PR_PAC_APDAKEY) { - arm_init_pauth_key(&env->apda_key); + ret |= qemu_guest_getrandom(&env->keys.apda, + sizeof(ARMPACKey), &err); } if (arg2 & TARGET_PR_PAC_APDBKEY) { - arm_init_pauth_key(&env->apdb_key); + ret |= qemu_guest_getrandom(&env->keys.apdb, + sizeof(ARMPACKey), &err); } if (arg2 & TARGET_PR_PAC_APGAKEY) { - arm_init_pauth_key(&env->apga_key); + ret |= qemu_guest_getrandom(&env->keys.apga, + sizeof(ARMPACKey), &err); + } + if (ret != 0) { + /* + * Some unknown failure in the crypto. The best + * we can do is log it and fail the syscall. + * The real syscall cannot fail this way. + */ + qemu_log_mask(LOG_UNIMP, + "PR_PAC_RESET_KEYS: Crypto failure: %s", + error_get_pretty(err)); + error_free(err); + return -TARGET_EIO; } return 0; } diff --git a/qemu-options.hx b/qemu-options.hx index 5daa5a8..7ae3373 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -3641,6 +3641,16 @@ the 0x200 sized block starting at 0xffffffc000080000 and another 0x1000 sized block starting at 0xffffffc00005f000. ETEXI +DEF("seed", HAS_ARG, QEMU_OPTION_seed, \ + "-seed number seed the pseudo-random number generator\n", + QEMU_ARCH_ALL) +STEXI +@item -seed @var{number} +@findex -seed +Force the guest to use a deterministic pseudo-random number generator, seeded +with @var{number}. This does not affect crypto routines within the host. +ETEXI + DEF("L", HAS_ARG, QEMU_OPTION_L, \ "-L path set the directory for the BIOS, VGA BIOS and keymaps\n", QEMU_ARCH_ALL) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 733b840..c342076 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -636,11 +636,13 @@ typedef struct CPUARMState { } iwmmxt; #ifdef TARGET_AARCH64 - ARMPACKey apia_key; - ARMPACKey apib_key; - ARMPACKey apda_key; - ARMPACKey apdb_key; - ARMPACKey apga_key; + struct { + ARMPACKey apia; + ARMPACKey apib; + ARMPACKey apda; + ARMPACKey apdb; + ARMPACKey apga; + } keys; #endif #if defined(CONFIG_USER_ONLY) @@ -3519,6 +3521,11 @@ static inline bool isar_feature_aa64_condm_5(const ARMISARegisters *id) return FIELD_EX64(id->id_aa64isar0, ID_AA64ISAR0, TS) >= 2; } +static inline bool isar_feature_aa64_rndr(const ARMISARegisters *id) +{ + return FIELD_EX64(id->id_aa64isar0, ID_AA64ISAR0, RNDR) != 0; +} + static inline bool isar_feature_aa64_jscvt(const ARMISARegisters *id) { return FIELD_EX64(id->id_aa64isar1, ID_AA64ISAR1, JSCVT) != 0; diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c index 228906f..835f73c 100644 --- a/target/arm/cpu64.c +++ b/target/arm/cpu64.c @@ -310,6 +310,7 @@ static void aarch64_max_initfn(Object *obj) t = FIELD_DP64(t, ID_AA64ISAR0, DP, 1); t = FIELD_DP64(t, ID_AA64ISAR0, FHM, 1); t = FIELD_DP64(t, ID_AA64ISAR0, TS, 2); /* v8.5-CondM */ + t = FIELD_DP64(t, ID_AA64ISAR0, RNDR, 1); cpu->isar.id_aa64isar0 = t; t = cpu->isar.id_aa64isar1; diff --git a/target/arm/helper.c b/target/arm/helper.c index e2d5c8e..acd23c5 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -22,6 +22,8 @@ #include "fpu/softfloat.h" #include "qemu/range.h" #include "qapi/qapi-commands-target.h" +#include "qapi/error.h" +#include "qemu/guest-random.h" #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */ @@ -5707,43 +5709,82 @@ static const ARMCPRegInfo pauth_reginfo[] = { { .name = "APDAKEYLO_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 0, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apda_key.lo) }, + .fieldoffset = offsetof(CPUARMState, keys.apda.lo) }, { .name = "APDAKEYHI_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 1, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apda_key.hi) }, + .fieldoffset = offsetof(CPUARMState, keys.apda.hi) }, { .name = "APDBKEYLO_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 2, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apdb_key.lo) }, + .fieldoffset = offsetof(CPUARMState, keys.apdb.lo) }, { .name = "APDBKEYHI_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 2, .opc2 = 3, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apdb_key.hi) }, + .fieldoffset = offsetof(CPUARMState, keys.apdb.hi) }, { .name = "APGAKEYLO_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 3, .opc2 = 0, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apga_key.lo) }, + .fieldoffset = offsetof(CPUARMState, keys.apga.lo) }, { .name = "APGAKEYHI_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 3, .opc2 = 1, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apga_key.hi) }, + .fieldoffset = offsetof(CPUARMState, keys.apga.hi) }, { .name = "APIAKEYLO_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 0, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apia_key.lo) }, + .fieldoffset = offsetof(CPUARMState, keys.apia.lo) }, { .name = "APIAKEYHI_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 1, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apia_key.hi) }, + .fieldoffset = offsetof(CPUARMState, keys.apia.hi) }, { .name = "APIBKEYLO_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 2, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apib_key.lo) }, + .fieldoffset = offsetof(CPUARMState, keys.apib.lo) }, { .name = "APIBKEYHI_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 3, .access = PL1_RW, .accessfn = access_pauth, - .fieldoffset = offsetof(CPUARMState, apib_key.hi) }, + .fieldoffset = offsetof(CPUARMState, keys.apib.hi) }, + REGINFO_SENTINEL +}; + +static uint64_t rndr_readfn(CPUARMState *env, const ARMCPRegInfo *ri) +{ + Error *err = NULL; + uint64_t ret; + + /* Success sets NZCV = 0000. */ + env->NF = env->CF = env->VF = 0, env->ZF = 1; + + if (qemu_guest_getrandom(&ret, sizeof(ret), &err) < 0) { + /* + * ??? Failed, for unknown reasons in the crypto subsystem. + * The best we can do is log the reason and return the + * timed-out indication to the guest. There is no reason + * we know to expect this failure to be transitory, so the + * guest may well hang retrying the operation. + */ + qemu_log_mask(LOG_UNIMP, "%s: Crypto failure: %s", + ri->name, error_get_pretty(err)); + error_free(err); + + env->ZF = 0; /* NZCF = 0100 */ + return 0; + } + return ret; +} + +/* We do not support re-seeding, so the two registers operate the same. */ +static const ARMCPRegInfo rndr_reginfo[] = { + { .name = "RNDR", .state = ARM_CP_STATE_AA64, + .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END | ARM_CP_IO, + .opc0 = 3, .opc1 = 3, .crn = 2, .crm = 4, .opc2 = 0, + .access = PL0_R, .readfn = rndr_readfn }, + { .name = "RNDRRS", .state = ARM_CP_STATE_AA64, + .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END | ARM_CP_IO, + .opc0 = 3, .opc1 = 3, .crn = 2, .crm = 4, .opc2 = 1, + .access = PL0_R, .readfn = rndr_readfn }, REGINFO_SENTINEL }; #endif @@ -6690,6 +6731,9 @@ void register_cp_regs_for_features(ARMCPU *cpu) if (cpu_isar_feature(aa64_pauth, cpu)) { define_arm_cp_regs(cpu, pauth_reginfo); } + if (cpu_isar_feature(aa64_rndr, cpu)) { + define_arm_cp_regs(cpu, rndr_reginfo); + } #endif /* diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c index d750f96..7f30ae7 100644 --- a/target/arm/pauth_helper.c +++ b/target/arm/pauth_helper.c @@ -403,7 +403,7 @@ uint64_t HELPER(pacia)(CPUARMState *env, uint64_t x, uint64_t y) return x; } pauth_check_trap(env, el, GETPC()); - return pauth_addpac(env, x, y, &env->apia_key, false); + return pauth_addpac(env, x, y, &env->keys.apia, false); } uint64_t HELPER(pacib)(CPUARMState *env, uint64_t x, uint64_t y) @@ -413,7 +413,7 @@ uint64_t HELPER(pacib)(CPUARMState *env, uint64_t x, uint64_t y) return x; } pauth_check_trap(env, el, GETPC()); - return pauth_addpac(env, x, y, &env->apib_key, false); + return pauth_addpac(env, x, y, &env->keys.apib, false); } uint64_t HELPER(pacda)(CPUARMState *env, uint64_t x, uint64_t y) @@ -423,7 +423,7 @@ uint64_t HELPER(pacda)(CPUARMState *env, uint64_t x, uint64_t y) return x; } pauth_check_trap(env, el, GETPC()); - return pauth_addpac(env, x, y, &env->apda_key, true); + return pauth_addpac(env, x, y, &env->keys.apda, true); } uint64_t HELPER(pacdb)(CPUARMState *env, uint64_t x, uint64_t y) @@ -433,7 +433,7 @@ uint64_t HELPER(pacdb)(CPUARMState *env, uint64_t x, uint64_t y) return x; } pauth_check_trap(env, el, GETPC()); - return pauth_addpac(env, x, y, &env->apdb_key, true); + return pauth_addpac(env, x, y, &env->keys.apdb, true); } uint64_t HELPER(pacga)(CPUARMState *env, uint64_t x, uint64_t y) @@ -441,7 +441,7 @@ uint64_t HELPER(pacga)(CPUARMState *env, uint64_t x, uint64_t y) uint64_t pac; pauth_check_trap(env, arm_current_el(env), GETPC()); - pac = pauth_computepac(x, y, env->apga_key); + pac = pauth_computepac(x, y, env->keys.apga); return pac & 0xffffffff00000000ull; } @@ -453,7 +453,7 @@ uint64_t HELPER(autia)(CPUARMState *env, uint64_t x, uint64_t y) return x; } pauth_check_trap(env, el, GETPC()); - return pauth_auth(env, x, y, &env->apia_key, false, 0); + return pauth_auth(env, x, y, &env->keys.apia, false, 0); } uint64_t HELPER(autib)(CPUARMState *env, uint64_t x, uint64_t y) @@ -463,7 +463,7 @@ uint64_t HELPER(autib)(CPUARMState *env, uint64_t x, uint64_t y) return x; } pauth_check_trap(env, el, GETPC()); - return pauth_auth(env, x, y, &env->apib_key, false, 1); + return pauth_auth(env, x, y, &env->keys.apib, false, 1); } uint64_t HELPER(autda)(CPUARMState *env, uint64_t x, uint64_t y) @@ -473,7 +473,7 @@ uint64_t HELPER(autda)(CPUARMState *env, uint64_t x, uint64_t y) return x; } pauth_check_trap(env, el, GETPC()); - return pauth_auth(env, x, y, &env->apda_key, true, 0); + return pauth_auth(env, x, y, &env->keys.apda, true, 0); } uint64_t HELPER(autdb)(CPUARMState *env, uint64_t x, uint64_t y) @@ -483,7 +483,7 @@ uint64_t HELPER(autdb)(CPUARMState *env, uint64_t x, uint64_t y) return x; } pauth_check_trap(env, el, GETPC()); - return pauth_auth(env, x, y, &env->apdb_key, true, 1); + return pauth_auth(env, x, y, &env->keys.apdb, true, 1); } uint64_t HELPER(xpaci)(CPUARMState *env, uint64_t a) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 2f151da..536d7d1 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -730,13 +730,14 @@ static void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1, CPUID_EXT_MONITOR | CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | \ CPUID_EXT_SSE41 | CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | \ CPUID_EXT_XSAVE | /* CPUID_EXT_OSXSAVE is dynamic */ \ - CPUID_EXT_MOVBE | CPUID_EXT_AES | CPUID_EXT_HYPERVISOR) + CPUID_EXT_MOVBE | CPUID_EXT_AES | CPUID_EXT_HYPERVISOR | \ + CPUID_EXT_RDRAND) /* missing: CPUID_EXT_DTES64, CPUID_EXT_DSCPL, CPUID_EXT_VMX, CPUID_EXT_SMX, CPUID_EXT_EST, CPUID_EXT_TM2, CPUID_EXT_CID, CPUID_EXT_FMA, CPUID_EXT_XTPR, CPUID_EXT_PDCM, CPUID_EXT_PCID, CPUID_EXT_DCA, CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_AVX, - CPUID_EXT_F16C, CPUID_EXT_RDRAND */ + CPUID_EXT_F16C */ #ifdef TARGET_X86_64 #define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM) diff --git a/target/i386/helper.h b/target/i386/helper.h index 6fb8fb9..8f9e190 100644 --- a/target/i386/helper.h +++ b/target/i386/helper.h @@ -226,3 +226,5 @@ DEF_HELPER_3(rcrl, tl, env, tl, tl) DEF_HELPER_3(rclq, tl, env, tl, tl) DEF_HELPER_3(rcrq, tl, env, tl, tl) #endif + +DEF_HELPER_1(rdrand, tl, env) diff --git a/target/i386/int_helper.c b/target/i386/int_helper.c index 4dc5c65..334469c 100644 --- a/target/i386/int_helper.c +++ b/target/i386/int_helper.c @@ -22,6 +22,8 @@ #include "exec/exec-all.h" #include "qemu/host-utils.h" #include "exec/helper-proto.h" +#include "qapi/error.h" +#include "qemu/guest-random.h" //#define DEBUG_MULDIV @@ -470,3 +472,22 @@ void helper_cr4_testbit(CPUX86State *env, uint32_t bit) raise_exception_ra(env, EXCP06_ILLOP, GETPC()); } } + +target_ulong HELPER(rdrand)(CPUX86State *env) +{ + Error *err = NULL; + target_ulong ret; + + if (qemu_guest_getrandom(&ret, sizeof(ret), &err) < 0) { + qemu_log_mask(LOG_UNIMP, "rdrand: Crypto failure: %s", + error_get_pretty(err)); + error_free(err); + /* Failure clears CF and all other flags, and returns 0. */ + env->cc_src = 0; + return 0; + } + + /* Success sets CF and clears all others. */ + env->cc_src = CC_C; + return ret; +} diff --git a/target/i386/translate.c b/target/i386/translate.c index 77d6b73..03150a8 100644 --- a/target/i386/translate.c +++ b/target/i386/translate.c @@ -5332,31 +5332,63 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) case 0x1c7: /* cmpxchg8b */ modrm = x86_ldub_code(env, s); mod = (modrm >> 6) & 3; - if ((mod == 3) || ((modrm & 0x38) != 0x8)) - goto illegal_op; -#ifdef TARGET_X86_64 - if (dflag == MO_64) { - if (!(s->cpuid_ext_features & CPUID_EXT_CX16)) + switch ((modrm >> 3) & 7) { + case 1: /* CMPXCHG8, CMPXCHG16 */ + if (mod == 3) { goto illegal_op; - gen_lea_modrm(env, s, modrm); - if ((s->prefix & PREFIX_LOCK) && (tb_cflags(s->base.tb) & CF_PARALLEL)) { - gen_helper_cmpxchg16b(cpu_env, s->A0); - } else { - gen_helper_cmpxchg16b_unlocked(cpu_env, s->A0); } - } else +#ifdef TARGET_X86_64 + if (dflag == MO_64) { + if (!(s->cpuid_ext_features & CPUID_EXT_CX16)) { + goto illegal_op; + } + gen_lea_modrm(env, s, modrm); + if ((s->prefix & PREFIX_LOCK) && + (tb_cflags(s->base.tb) & CF_PARALLEL)) { + gen_helper_cmpxchg16b(cpu_env, s->A0); + } else { + gen_helper_cmpxchg16b_unlocked(cpu_env, s->A0); + } + set_cc_op(s, CC_OP_EFLAGS); + break; + } #endif - { - if (!(s->cpuid_features & CPUID_CX8)) + if (!(s->cpuid_features & CPUID_CX8)) { goto illegal_op; + } gen_lea_modrm(env, s, modrm); - if ((s->prefix & PREFIX_LOCK) && (tb_cflags(s->base.tb) & CF_PARALLEL)) { + if ((s->prefix & PREFIX_LOCK) && + (tb_cflags(s->base.tb) & CF_PARALLEL)) { gen_helper_cmpxchg8b(cpu_env, s->A0); } else { gen_helper_cmpxchg8b_unlocked(cpu_env, s->A0); } + set_cc_op(s, CC_OP_EFLAGS); + break; + + case 7: /* RDSEED */ + case 6: /* RDRAND */ + if (mod != 3 || + (s->prefix & (PREFIX_LOCK | PREFIX_REPZ | PREFIX_REPNZ)) || + !(s->cpuid_ext_features & CPUID_EXT_RDRAND)) { + goto illegal_op; + } + if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) { + gen_io_start(); + } + gen_helper_rdrand(s->T0, cpu_env); + rm = (modrm & 7) | REX_B(s); + gen_op_mov_reg_v(s, dflag, rm, s->T0); + set_cc_op(s, CC_OP_EFLAGS); + if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) { + gen_io_end(); + gen_jmp(s, s->pc - s->cs_base); + } + break; + + default: + goto illegal_op; } - set_cc_op(s, CC_OP_EFLAGS); break; /**************************/ diff --git a/target/ppc/int_helper.c b/target/ppc/int_helper.c index f6a088a..9af779a 100644 --- a/target/ppc/int_helper.c +++ b/target/ppc/int_helper.c @@ -23,6 +23,8 @@ #include "exec/helper-proto.h" #include "crypto/aes.h" #include "fpu/softfloat.h" +#include "qapi/error.h" +#include "qemu/guest-random.h" #include "helper_regs.h" /*****************************************************************************/ @@ -158,24 +160,37 @@ uint32_t helper_cmpeqb(target_ulong ra, target_ulong rb) #undef hasvalue /* - * Return invalid random number. - * - * FIXME: Add rng backend or other mechanism to get cryptographically suitable - * random number + * Return a random number. */ -target_ulong helper_darn32(void) +uint64_t helper_darn32(void) { - return -1; + Error *err = NULL; + uint32_t ret; + + if (qemu_guest_getrandom(&ret, sizeof(ret), &err) < 0) { + qemu_log_mask(LOG_UNIMP, "darn: Crypto failure: %s", + error_get_pretty(err)); + error_free(err); + return -1; + } + + return ret; } -target_ulong helper_darn64(void) +uint64_t helper_darn64(void) { - return -1; -} + Error *err = NULL; + uint64_t ret; -#endif + if (qemu_guest_getrandom(&ret, sizeof(ret), &err) < 0) { + qemu_log_mask(LOG_UNIMP, "darn: Crypto failure: %s", + error_get_pretty(err)); + error_free(err); + return -1; + } -#if defined(TARGET_PPC64) + return ret; +} uint64_t helper_bpermd(uint64_t rs, uint64_t rb) { diff --git a/target/ppc/translate.c b/target/ppc/translate.c index b5217f6..4a5de28 100644 --- a/target/ppc/translate.c +++ b/target/ppc/translate.c @@ -1847,13 +1847,22 @@ static void gen_darn(DisasContext *ctx) { int l = L(ctx->opcode); - if (l == 0) { - gen_helper_darn32(cpu_gpr[rD(ctx->opcode)]); - } else if (l <= 2) { - /* Return 64-bit random for both CRN and RRN */ - gen_helper_darn64(cpu_gpr[rD(ctx->opcode)]); - } else { + if (l > 2) { tcg_gen_movi_i64(cpu_gpr[rD(ctx->opcode)], -1); + } else { + if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) { + gen_io_start(); + } + if (l == 0) { + gen_helper_darn32(cpu_gpr[rD(ctx->opcode)]); + } else { + /* Return 64-bit random for both CRN and RRN */ + gen_helper_darn64(cpu_gpr[rD(ctx->opcode)]); + } + if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) { + gen_io_end(); + gen_stop_exception(ctx); + } } } #endif @@ -43,6 +43,7 @@ #include "crypto/hash.h" #include "crypto/tlscredsanon.h" #include "crypto/tlscredsx509.h" +#include "crypto/random.h" #include "qom/object_interfaces.h" #include "qemu/cutils.h" #include "io/dns-resolver.h" @@ -2535,14 +2536,16 @@ void start_client_init(VncState *vs) vnc_read_when(vs, protocol_client_init, 1); } -static void make_challenge(VncState *vs) +static void authentication_failed(VncState *vs) { - int i; - - srand(time(NULL)+getpid()+getpid()*987654+rand()); - - for (i = 0 ; i < sizeof(vs->challenge) ; i++) - vs->challenge[i] = (int) (256.0*rand()/(RAND_MAX+1.0)); + vnc_write_u32(vs, 1); /* Reject auth */ + if (vs->minor >= 8) { + static const char err[] = "Authentication failed"; + vnc_write_u32(vs, sizeof(err)); + vnc_write(vs, err, sizeof(err)); + } + vnc_flush(vs); + vnc_client_error(vs); } static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len) @@ -2609,21 +2612,23 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len) return 0; reject: - vnc_write_u32(vs, 1); /* Reject auth */ - if (vs->minor >= 8) { - static const char err[] = "Authentication failed"; - vnc_write_u32(vs, sizeof(err)); - vnc_write(vs, err, sizeof(err)); - } - vnc_flush(vs); - vnc_client_error(vs); + authentication_failed(vs); qcrypto_cipher_free(cipher); return 0; } void start_auth_vnc(VncState *vs) { - make_challenge(vs); + Error *err = NULL; + + if (qcrypto_random_bytes(vs->challenge, sizeof(vs->challenge), &err)) { + trace_vnc_auth_fail(vs, vs->auth, "cannot get random bytes", + error_get_pretty(err)); + error_free(err); + authentication_failed(vs); + return; + } + /* Send client a 'random' challenge */ vnc_write(vs, vs->challenge, sizeof(vs->challenge)); vnc_flush(vs); @@ -2638,13 +2643,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len) * must pick the one we sent. Verify this */ if (data[0] != vs->auth) { /* Reject auth */ trace_vnc_auth_reject(vs, vs->auth, (int)data[0]); - vnc_write_u32(vs, 1); - if (vs->minor >= 8) { - static const char err[] = "Authentication failed"; - vnc_write_u32(vs, sizeof(err)); - vnc_write(vs, err, sizeof(err)); - } - vnc_client_error(vs); + authentication_failed(vs); } else { /* Accept requested auth */ trace_vnc_auth_start(vs, vs->auth); switch (vs->auth) { @@ -2673,13 +2672,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len) default: /* Should not be possible, but just in case */ trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", ""); - vnc_write_u8(vs, 1); - if (vs->minor >= 8) { - static const char err[] = "Authentication failed"; - vnc_write_u32(vs, sizeof(err)); - vnc_write(vs, err, sizeof(err)); - } - vnc_client_error(vs); + authentication_failed(vs); } } return 0; diff --git a/util/Makefile.objs b/util/Makefile.objs index 9206878..c27a923 100644 --- a/util/Makefile.objs +++ b/util/Makefile.objs @@ -54,5 +54,6 @@ util-obj-y += iova-tree.o util-obj-$(CONFIG_INOTIFY1) += filemonitor-inotify.o util-obj-$(CONFIG_LINUX) += vfio-helpers.o util-obj-$(CONFIG_OPENGL) += drm.o +util-obj-y += guest-random.o stub-obj-y += filemonitor-stub.o diff --git a/util/guest-random.c b/util/guest-random.c new file mode 100644 index 0000000..e8124a3 --- /dev/null +++ b/util/guest-random.c @@ -0,0 +1,93 @@ +/* + * QEMU guest-visible random functions + * + * Copyright 2019 Linaro, Ltd. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + */ + +#include "qemu/osdep.h" +#include "qemu-common.h" +#include "qemu/cutils.h" +#include "qapi/error.h" +#include "qemu/guest-random.h" +#include "crypto/random.h" + + +static __thread GRand *thread_rand; +static bool deterministic; + + +static int glib_random_bytes(void *buf, size_t len) +{ + GRand *rand = thread_rand; + size_t i; + uint32_t x; + + if (unlikely(rand == NULL)) { + /* Thread not initialized for a cpu, or main w/o -seed. */ + thread_rand = rand = g_rand_new(); + } + + for (i = 0; i + 4 <= len; i += 4) { + x = g_rand_int(rand); + __builtin_memcpy(buf + i, &x, 4); + } + if (i < len) { + x = g_rand_int(rand); + __builtin_memcpy(buf + i, &x, i - len); + } + return 0; +} + +int qemu_guest_getrandom(void *buf, size_t len, Error **errp) +{ + if (unlikely(deterministic)) { + /* Deterministic implementation using Glib's Mersenne Twister. */ + return glib_random_bytes(buf, len); + } else { + /* Non-deterministic implementation using crypto routines. */ + return qcrypto_random_bytes(buf, len, errp); + } +} + +void qemu_guest_getrandom_nofail(void *buf, size_t len) +{ + qemu_guest_getrandom(buf, len, &error_fatal); +} + +uint64_t qemu_guest_random_seed_thread_part1(void) +{ + if (deterministic) { + uint64_t ret; + glib_random_bytes(&ret, sizeof(ret)); + return ret; + } + return 0; +} + +void qemu_guest_random_seed_thread_part2(uint64_t seed) +{ + g_assert(thread_rand == NULL); + if (deterministic) { + thread_rand = + g_rand_new_with_seed_array((const guint32 *)&seed, + sizeof(seed) / sizeof(guint32)); + } +} + +int qemu_guest_random_seed_main(const char *optarg, Error **errp) +{ + unsigned long long seed; + if (parse_uint_full(optarg, &seed, 0)) { + error_setg(errp, "Invalid seed number: %s", optarg); + return -1; + } else { + deterministic = true; + qemu_guest_random_seed_thread_part2(seed); + return 0; + } +} @@ -128,6 +128,7 @@ int main(int argc, char **argv) #include "qapi/qapi-commands-ui.h" #include "qapi/qmp/qerror.h" #include "sysemu/iothread.h" +#include "qemu/guest-random.h" #define MAX_VIRTIO_CONSOLES 1 @@ -3349,6 +3350,9 @@ int main(int argc, char **argv, char **envp) case QEMU_OPTION_DFILTER: qemu_set_dfilter_ranges(optarg, &error_fatal); break; + case QEMU_OPTION_seed: + qemu_guest_random_seed_main(optarg, &error_fatal); + break; case QEMU_OPTION_s: add_device_config(DEV_GDB, "tcp::" DEFAULT_GDBSTUB_PORT); break; |