Add support for RNDR/RNDRRS for AArch64 on Linux #26839

pull john-moffett wants to merge 1 commits into bitcoin:master from john-moffett:2023_01_RNDRSupportLinux changing 1 files +73 −0
  1. john-moffett commented at 8:20 pm on January 6, 2023: contributor

    This checks whether the ARMv8.5-A optional TRNG extensions RNDR and RNDRRS are available and, if they are, uses them for random entropy purposes.

    They are nearly functionally identical to the x86 RDRAND/RDSEED extensions and are used in a similar manner.

    Currently, there appears to be only one actual hardware implementation – the Amazon Graviton 3. (See the rnd column in the link.) However, future hardware implementations may become available.

    It’s not possible to directly query for the capability in userspace, but the Linux kernel added support for querying the extension via getauxval in version 5.6 (in 2020), so this is limited to Linux-only for now.

    Reviewers may want to launch any of the c7g instances from AWS to test the Graviton 3 hardware. Alternatively, QEMU emulates these opcodes for aarch64 with CPU setting max.

    Output from Graviton 3 hardware:

    ubuntu@ip:~/bitcoin$ src/bitcoind -regtest
    2023-01-06T20:01:48Z Bitcoin Core version v24.99.0-3670266ce89a (release build)
    2023-01-06T20:01:48Z Using the 'arm_shani(1way,2way)' SHA256 implementation
    2023-01-06T20:01:48Z Using RNDR and RNDRRS as additional entropy sources
    2023-01-06T20:01:48Z Default data directory /home/ubuntu/.bitcoin
    

    Graviton 2 (doesn’t support extensions):

    ubuntu@ip:~/bitcoin$ src/bitcoind -regtest
    2023-01-06T20:05:04Z Bitcoin Core version v24.99.0-3670266ce89a (release build)
    2023-01-06T20:05:04Z Using the 'arm_shani(1way,2way)' SHA256 implementation
    2023-01-06T20:05:04Z Default data directory /home/ubuntu/.bitcoin
    

    This partially closes #26796. As noted in that issue, OpenSSL added support for these extensions a little over a year ago.

  2. DrahtBot commented at 8:20 pm on January 6, 2023: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage

    For detailed information about the code coverage, see the test coverage report.

    Reviews

    See the guideline for information on the review process.

    Type         Reviewers
    ACK          laanwj, achow101
    Concept ACK  fanquake, sipa, kristapsk

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  3. john-moffett force-pushed on Jan 6, 2023
  4. fanquake commented at 10:07 am on January 9, 2023: member
    Concept ACK
  5. sipa commented at 3:38 pm on January 9, 2023: member
    Concept ACK
  6. achow101 requested review from laanwj on Apr 25, 2023
  7. achow101 requested review from sipa on Apr 25, 2023
  8. in src/random.cpp:207 in c38f168edc outdated
    202+ *
    203+ * Must only be called when RNDR is supported.
    204+ */
    205+static uint64_t GetRNDR() noexcept
    206+{
    207+#ifdef __aarch64__
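
    Review bot: The precondition on line 203 ("Must only be called when RNDR is supported") exists only as a comment, and nothing in the visible lines of GetRNDR() enforces it. Reading RNDR on a core without the extension traps as an undefined instruction, so consider asserting the support flag at the top of the function, or documenting that every call site must sit behind the g_rndr_supported check.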
    


    laanwj commented at 8:27 am on April 27, 2023:
    nit: this whole block is in a #ifdef __aarch64__ section so it’s not necessary to re-check here
  9. in src/random.cpp:213 in c38f168edc outdated
    209+    uint64_t r1;
    210+    do {
    211+        // https://developer.arm.com/documentation/ddi0601/2022-12/AArch64-Registers/RNDR--Random-Number
    212+        __asm__ volatile("mrs %0, s3_3_c2_c4_0; cset %w1, ne;"
    213+                         : "=r"(r1), "=r"(ok)::"cc");
    214+        if (ok) break;
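
    Review bot: On lines 212-213 the register is named only by its raw encoding s3_3_c2_c4_0, and the success test relies on the flag convention (cset %w1, ne yields 1 when Z is clear). The URL on line 211 identifies the register, but a short comment stating that this is RNDR and that Z set means failure would let a reader verify the break on line 214 without opening the spec.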
    


    laanwj commented at 8:38 am on April 27, 2023:
    this seems correct: according to the spec “If the instruction cannot return a genuine random number in a reasonable period of time, PSTATE.NZCV is set to 0b0100 and the data value returned is 0.”, so the Z flag is set on failure. The ok flag is set to 1 (with instruction cset) when condition ne holds, which means Z==0 conditions.

    luke-jr commented at 6:17 pm on June 22, 2023:
    But what if it’s never ok? Maybe we should have a timeout?

    laanwj commented at 4:48 am on June 24, 2023:
    That means the chip, or at least this feature, is broken, and should be disabled at the kernel errata level. No need for us to handle that in user space.
  10. in src/random.cpp:229 in c38f168edc outdated
    224+ *
    225+ * Must only be called when RNDRRS is supported.
    226+ */
    227+static uint64_t GetRNDRRS() noexcept
    228+{
    229+#ifdef __aarch64__
    


    laanwj commented at 8:38 am on April 27, 2023:
    same nit as above
  11. laanwj commented at 8:43 am on April 27, 2023: member

    It’s not possible to directly query for the capability in userspace, but the Linux kernel added support for querying the extension via getauxval in version 5.6 (in 2020), so this is limited to Linux-only for now.

    That’s the correct way to do it. We might actually want to define HWCAP2_RNG ourselves instead of checking for its existence, to reduce dependency on compiling with specific kernel version headers (especially relevant for the GUIX release binary).

    Code review ACK. I don’t have access to hardware supporting this at the moment so wasn’t able to test.

  12. kristapsk commented at 8:57 am on April 27, 2023: contributor
    Concept ACK
  13. achow101 commented at 4:34 pm on September 20, 2023: member
    Are you still working on this?
  14. achow101 added the label Up for grabs on Sep 20, 2023
  15. john-moffett commented at 4:41 pm on September 20, 2023: contributor
    Yes, I can update to address the nits.
  16. john-moffett force-pushed on Sep 20, 2023
  17. DrahtBot added the label CI failed on Sep 21, 2023
  18. maflcko removed the label Up for grabs on Sep 21, 2023
  19. DrahtBot removed the label CI failed on Sep 21, 2023
  20. in src/random.cpp:257 in 8f065fdf6b outdated
    251@@ -193,6 +252,14 @@ static void SeedHardwareFast(CSHA512& hasher) noexcept {
    252         hasher.Write((const unsigned char*)&out, sizeof(out));
    253         return;
    254     }
    255+#elif defined(__aarch64__) && defined(HWCAP2_RNG)
    256+    if (g_rndr_supported) {
    257+        for (int i = 0; i < 4; ++i) {
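
    Review bot: The defined(HWCAP2_RNG) guard on line 255 ties this branch to the kernel headers present at build time, so a binary built against older headers silently drops the RNDR path even on hardware that supports it. Consider defining the constant locally when the headers lack it, so that the decision rests only on the runtime g_rndr_supported check on line 256.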
    


    sipa commented at 3:27 pm on September 29, 2023:
    There is probably no need to feed in 4 values here; also the function comment only talks about adding 64 bits of entropy. In cases where we really need secure keys (e.g. wallet encryption, key generation, …), SeedHardwareSlow will be invoked anyway.

    john-moffett commented at 6:36 pm on September 29, 2023:
    Good call, thanks!
  21. Add support for RNDR/RNDRRS for aarch64 on Linux
    This checks whether the ARMv8.5 extensions RNDR and RNDRRS
    are available and uses them for random entropy purposes.
    
    They are functionally identical to the x86 RDRAND/RDSEED
    extensions and are used in a similar manner.
    aee5404e02
  22. john-moffett force-pushed on Sep 29, 2023
  23. laanwj approved
  24. laanwj commented at 3:38 pm on November 7, 2023: member
    Tested ACK aee5404e02e203a256c1a97b629b9b107cc8bb07

    I have verified this PR on the only available hardware (Amazon Graviton 3, m7g.medium instance). I was hoping for real hardware to become available but it looks like the recent crop of SoCs (such as RPI5) still doesn’t have support for this extension. In any case I’ve checked that the capability is detected correctly, and that RNDRRS is called four times at startup and RNDR frequently during runtime, and that the returned values look random. IMO this can be merged.
  25. DrahtBot requested review from sipa on Nov 7, 2023
  26. DrahtBot requested review from fanquake on Nov 7, 2023
  27. achow101 commented at 7:58 pm on November 7, 2023: member

    ACK aee5404e02e203a256c1a97b629b9b107cc8bb07

    The code looks correct to me, although I do not have hardware to test it.

  28. achow101 merged this on Nov 7, 2023
  29. achow101 closed this on Nov 7, 2023

  30. PastaPastaPasta referenced this in commit 91eac2a4c1 on Oct 24, 2024
  31. PastaPastaPasta referenced this in commit dfb35afaa8 on Oct 24, 2024
  32. PastaPastaPasta referenced this in commit 9711fc835f on Oct 24, 2024
  33. PastaPastaPasta referenced this in commit 11c441a082 on Oct 24, 2024
  34. PastaPastaPasta referenced this in commit d5e15dfc5a on Oct 24, 2024
  35. PastaPastaPasta referenced this in commit 0587790c01 on Oct 24, 2024
  36. bitcoin locked this on Nov 6, 2024
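
The capability check and retry loop discussed in this thread, as an added example that is not the PR's code: it defines HWCAP2_RNG locally when the build headers lack it (the suggestion in comment 11) and bounds the number of retries (the timeout question raised under item 9). The names RndrSupported, TryReadRndr and HAVE_RNDR_PATH and the default of 10 tries are assumptions of this example; the HWCAP2_RNG value is the one in the Linux arm64 uapi hwcap.h.

```cpp
#include <cstdint>
#include <cstdio>
#if defined(__linux__) && defined(__aarch64__)
#include <sys/auxv.h>
#ifndef HWCAP2_RNG
#define HWCAP2_RNG (1 << 16) // Linux arm64 uapi value; absent from pre-5.6 headers
#endif
#define HAVE_RNDR_PATH 1 // hypothetical macro name, used only in this example
#endif

// True only when the kernel advertises the RNG extension to userspace.
bool RndrSupported() noexcept
{
#ifdef HAVE_RNDR_PATH
    return (getauxval(AT_HWCAP2) & HWCAP2_RNG) != 0;
#else
    return false; // no userspace query available here: never execute RNDR
#endif
}

// Read one 64-bit value from RNDR, giving up after max_tries failures.
// Returns false and leaves `out` untouched when unsupported or exhausted.
bool TryReadRndr(uint64_t& out, int max_tries = 10) noexcept
{
#ifdef HAVE_RNDR_PATH
    if (!RndrSupported()) return false;
    for (int i = 0; i < max_tries; ++i) {
        uint64_t value;
        uint32_t ok;
        // s3_3_c2_c4_0 encodes RNDR; Z is set on failure, so "ne" means success.
        __asm__ volatile("mrs %0, s3_3_c2_c4_0; cset %w1, ne;"
                         : "=r"(value), "=r"(ok)::"cc");
        if (ok) {
            out = value;
            return true;
        }
    }
#else
    (void)out; (void)max_tries;
#endif
    return false;
}

int main()
{
    uint64_t v = 0;
    const bool ok = TryReadRndr(v);
    std::printf("supported=%d read_ok=%d\n", RndrSupported(), ok);
    return 0;
}
```

A caller that gets false should simply skip this source; as in the PR's log line, the hardware value is an additional input to the hasher, not a replacement for the other entropy sources.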

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-02-22 21:13 UTC
