Extend (& deprecate) lib_random #4
Conversation
…simple implementation that will produce random if the attacker does not have physical access to the chip
…uld probably be removed and replaced with ordinary EXPLORER-200.
deprecated random_create_generator_from_hw_seed() making it's build conditional (add 'RANDOM_ENABLE_HW_SEED=1' to the Makefile)
Make random_prng_server(...,client interface random_pool ?rpi,...) optinal
There was a problem hiding this comment.
Hi @robert-lytton, apologies for the delay in giving feedback on this pull request. I like the way the implementation is layered from bit to pool to prng, and have added a few questions and comments against particular parts of the source.
We have a few concrete use cases for this library as both a RNG and an entropy source now, and it looks like a common feature of them both is to have access to C functions with a prototype similar to the standard C int rand(void) function. I think that we should be able to provide that via a simple wrapper to the pool and prng APIs of this library, do you see any problem with that?
I will need to confirm that we will not need a CSPRNG for this, but I think not. Can the the values from the bit and pool APIs be considered cryptographically secure?
Did you have an implementation in mind for a CSPRNG? Would it have a very similar API to the PRNG added here?
Are the functions in random.h provided an a very low compute/fast PRNG alternative to random_prng.h?
Cheers,
Sam
| #include <stdint.h> | ||
| #include <stddef.h> | ||
|
|
||
| #ifndef REFERENCE_PARAM |
There was a problem hiding this comment.
Is there a reason for defining REFERENCE_PARAM here (and in random.h) rather than using the macro from xccompat.h?
There was a problem hiding this comment.
no,
xccompat.h should be included
There was a problem hiding this comment.
random.h has now been removed - use clib alternatives.
lib_random/src/random_bit.xc
Outdated
| timer tmr; | ||
| tmr :> last_time; | ||
| STORE32(last_time, &per_tile_last_time); | ||
| setps(0x60B, 2); |
There was a problem hiding this comment.
We could replace the magic numbers in the calls to getps() and setps() with the defines in xs2a_registers.h if this library is to support only XS2. Unfortunately the XS1 ring oscillator defines in xs1l_registers.h have a slightly different prefix, otherwise we could just include xs1_registers.h and have it work for both architectures...
There was a problem hiding this comment.
the decision/roadmap/work to fix target headers has been on hold since Mr Fyles blocked it.
The single character fix is somewhere in bugzilla...
| tmr :> time; | ||
| // If the timer wraps, we will miss the opportunity - tough! | ||
| // N.B. unsigned wrapping has defined behaviour. | ||
| if (time - last_time > TIME_FOR_ONE_BIT) { |
There was a problem hiding this comment.
Why do we delay reading the ring oscillator after it is stopped?
There was a problem hiding this comment.
Ask henk,
I assume if we don't, the probability field is skewed.
No, apart from extra code. |
The PRNG is revealing 32bits out of either 57, 88 or 113 bits, the other bits remain hidden (unless the user connects a debugger). It is up to the user to decide: I believe this is best left as an explicit implementation detail. |
This is deprecated backward comparability. |
Ensure CI system treats it as an xCORE application, and attempts a build.
Add Jenkins pipeline
fix magic numbers
Simple wrapper? It would be nice if the XC language allowed collections of select-case statements to be built up and dynamically dispatched opaquely. Until that day arrives, I am not sure of the best way to mix C and XC, along with adding the necessary top level knitting, especially in an easy to use library. |
Starting the lib_random server as a task in xC is not an issue. However, we'll need C compatible API to access the client side, which we can use to set defines when building 3rd party libraries. These 3rd party libraries are configured as follows. Kernel config: #define configRAND32() ulRand()IP stack config: #define ipconfigRAND32() ulRand()PKCS11 config: /* Random number generation */
/* C_SeedRandom mixes additional seed material into the token's
* random number generator. */
CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSeed, /* the seed material */
CK_ULONG ulSeedLen /* length of seed material */
);
#endif
/* C_GenerateRandom generates random data. */
CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR RandomData, /* receives the random data */
CK_ULONG ulRandomLen /* # of bytes to generate */
);
#endifTLS library config: #define MBEDTLS_ENTROPY_HARDWARE_ALT
int mbedtls_hardware_poll(void * data, unsigned char * output, size_t len, size_t * olen) {
...
}The following mbedTLS documentation looks useful: |
|
Erm.... |
This looks like an adapter is needed into a particular 3rd party library. I'll write suitable code and you can decide if it lives in the libraries 'examples', the libraries API or alongside the client (mbed) code. |
These could use the stdlib.h rand() function. |
|
p.s. here is the 'good enough' prng behind rand().... good enough for Donald good enough for me: |
|
I've taken a 'quick' look at the cryptsoft API: This is generating random numbers for you, I believe. |
|
The TLS library looks like it need hooks into the entropy. |
|
Please do comment if I am incorrect regarding how these components work, or if the application architecture needs additional components that require something else. |
Understood, thank you. I've created https://github.com/xmos/amazon_freertos_experiment/issues/29 to track this. |
If we use |
I have not looked at the implementation, but yes, that looks like one way of doing it. It should be noted that random_pool.h could be used to gather the bits, but it seems too heavy weight an API (and it is written in XC). Thus implementing a really simple pooling function seems sensible in this case. |
|
N.B. If they are running on the same core, they will need to share the bits co-operatively to prevent starvation or a race condition - the library is not logical-core safe by design! The random_bit_claim() is there to make this sharing safe. |
|
I found this documentation on how to port mbed TLS. So I agree, we can start off using the random_bit API for this too (and hopefully find that it performs well enough polling for a byte of entropy at a time in |
|
I think all of the abov means that in actual fact this pull request is almost ready to merge? |
Looking into this further, I'm not sure if I'm missing something. I thought this was specifying an API, but not providing an implementation? |
| interface random_prng prngi; | ||
| par { | ||
| [[distribute]] | ||
| random_prng_server(prngi, null, prng57, null); |
There was a problem hiding this comment.
@robert-lytton should the third argument passed be prng rather than prng57, or have I misunderstood?
|
|
||
| /** Method that returns a pseudo-random number. | ||
| * | ||
| * ====== WARNING ==================================================== |
There was a problem hiding this comment.
@robert-lytton does this warning still hold true?
I'm trying to ensure I have correctly understood which applications this PRNG can be safely used for, but I'm struggling to reconcile the warning in the source with the comments in this review:
I will need to confirm that we will not need a CSPRNG for this
The PRNG is revealing 32bits out of either 57, 88 or 113 bits, the other bits remain hidden (unless the user connects a debugger).
It is up to the user to decide:
how many hidden bits are required;
how much entropy the seeds must start with;
how often entropy needs to be injected into the state;
I believe this is best left as an explicit implementation detail.
Work to date - please review it is what we want.
(history should be squashed)