Add Entropy Source and DRNG Manager (ESDM) RNG support #4309
Conversation
|
cc @smuellerDD |
thillux
force-pushed
the
esdm-rng
branch
3 times, most recently
from
b031eb7 to
4151fd1
Compare
|
I tested the FFI-Bindings against https://github.com/thillux/botan-rs/tree/esdm-rng. e.g. the following worked as expected: let mut rng = RandomNumberGenerator::new_esdm_pr().unwrap();
for _ in 0..10 {
let bytes = rng.read(32);
println!("{bytes:x?}");
} |
|
@reneme I reformatted the code with clang-format, after looking at the CI results. |
Thanks! FYI: There are some Emacs, VS Code and .editorconfig config files in src/editors. In case you use any of this, you might want to symlink them into the repo's root dir and benefit from things like "format on save". |
thillux
force-pushed
the
esdm-rng
branch
2 times, most recently
from
756c117 to
df2d5fc
Compare
There was a problem hiding this comment.
This seems interesting and the code looks good already. Thanks for the contribution! I've left a few suggestions down below.
Is there a way to test this in CI? I'd hope that we could just install and configure the daemon in src/scripts/ci/setup_gh_actions.sh and run a few basic smoke tests against it in the unit tests.
|
So the change already looks pretty good, I think reneme already hit most of the points I would raise on it, but I am going to have to be a downer here and ask Can you expand more on where and how ESDM is used? It does not seem to be widely distributed, eg per https://repology.org/project/esdm/versions it is only included in AUR and nix (the Debian experimental listing is a name collision with another package). In general our integrations with other systems have been for very widely deployed (eg TPM, PKCS11, OS provided interfaces, or widely deployed libs like zlib or sqlite3) and I'm hesitant to accept something that is so niche. |
|
I'm pretty sure it doesn't work on Mac, for example. No idea if it runs on Windows. |
You're right with ESDM being niche from a major Linux distribution point of view. I cannot weaken/invalidate this argument. ESDM is currently mostly used under the public radar I would say. My company uses it to provide randomness in a regulated/certified market, on an installed base of >= 100k Linux-based notebooks and plans to use ESDM in more products in the future. For such a usage in a regulated market or for governmental customers, it offers the following key benefits from my point of view:
|
That's correct, it runs on Unix/Linux. |
|
I started working on your suggestions and will squash them together again, when finished. |
How can I test this by myself? I think I'll need some iterations to get this running. |
The repository policy doesn't let first-time contributors run the CI pipeline. You could iterate in a branch on your private fork, though. For a full end-to-end test, unfortunately the process is commit->push->fail->fix->commit 😢 You can, however, run the underlying CI script locally (that assumes that |
Does Botan aim to only run on Linux? And at that, on one (possibly major) distribution of Linux? |
The ESDM_RNG class is added as optional dependency. On Windows and/or MacOS it just can't be used. This PR does not limit Botan to only Linux. |
|
I'll probably try to add the test this weekend or start of next week. |
There was a problem hiding this comment.
One more suggestion for our little initialization-concurrency rabbit hole 🕳️, otherwise looks good to me now. Looking forward to a test.
Regarding the utility of this: I tend to agree that this is rather niche. Nevertheless, this has sparked some interest in our company as well, for similar reasons as pointed out by @thillux. FWIW.
thillux
force-pushed
the
esdm-rng
branch
3 times, most recently
from
9884c54 to
8343523
Compare
|
@reneme Smoke tests added and PR squashed again. |
thillux
force-pushed
the
esdm-rng
branch
2 times, most recently
from
5a91a9c to
26d69f8
Compare
|
I'm maybe too stupid to get esdm-server started for the coverage and sanitizer targets. I'll pushed a fix that hopefully works. |
|
All tests green in my repo now. |
|
I started rebasing, will push an updated version for 3.7 soon. |
|
@reneme @randombit CI was green on my testing branch yesterday. |
|
@reneme @randombit Is there something left in this PR which I have to adapt to and was not aware of? |
thillux
force-pushed
the
esdm-rng
branch
2 times, most recently
from
20c08cc to
f3d19f7
Compare
|
I applied your suggestions and squashed them together with my last commit as suggested. Thanks for your review @reneme! |
| */ | ||
| esdm_invoke(esdm_rpcc_write_data(in.data(), in.size())); | ||
| if(ret != 0) { | ||
| throw Botan::System_Error("Writing additional input to ESDM failed"); |
There was a problem hiding this comment.
This is pretty confusing on first read - is esdm_invoke a macro that sets ret? 😬 If so please add a block comment here calling out this.
There was a problem hiding this comment.
The comment mentioning this, was already at the initial declaration of ret in line 64. I added a short note above every check against ret nevertheless, as this behavior is probably not expected.
src/scripts/config_for_oss_fuzz.py
Outdated
| @@ -29,7 +29,7 @@ | |||
| "--build-fuzzers=libfuzzer", | |||
| "--build-targets=static", | |||
| "--without-os-features=getrandom,getentropy", | |||
| "--disable-modules=system_rng,processor_rng", | |||
| "--disable-modules=system_rng,processor_rng,esdm_rng", | |||
There was a problem hiding this comment.
This shouldn’t be necessary - this is only built if explicitly requested. (Right??)
There was a problem hiding this comment.
Done. I removed this, as you are right here.
src/scripts/test_python.py
Outdated
| @@ -179,6 +179,27 @@ def test_rng(self): | |||
|
|
|||
| user_rng.add_entropy('seed material...') | |||
|
|
|||
| if platform.system() != "Linux": | |||
There was a problem hiding this comment.
Don’t do this. This breaks anyone (such as distributions or end users) which want to run the Python tests but are not using ESDM. Instead try to call ESDM. If it succeeds, great. If not, verify that we throw something indicating not implemented / not available.
There was a problem hiding this comment.
Done, I moved this to a own unit test function, which checks for "not implemented" and gets skipped accordingly.
| } | ||
|
|
||
| private: | ||
| std::mutex m_mutex; |
There was a problem hiding this comment.
Couple of things here
- If using
std::mutexthen include<mutex>in the file - This then requires threads, which is ok BUT
2a) If we require threads here then addos_featuresblock listing threads
2b) If it’s ok to use this on a machine without threads then use the wrappers inutils/mutex.h
I think the context ESDM is used in it probably doesn’t make sense to support systems without threads. This is typically just for people doing very niche baremetal/RTOS/etc kind of things so probably the correct fix is 2a.
|
@randombit Thanks for your feedback! If you can live with the current state, I'll squash the WIP commit. I just left it for now, in order to make it easier to look at the changes related to your suggestions. |
ESDM is a Linux-based user-space PRNG daemon, with configurable entropy sources. See: https://github.com/smuellerDD/esdm It currently gets used, when a high level of control over entropy sources is desirable, e.g. for VPN appliance solutions. In order to use this source, the ESDM server daemon has to be running and botan must be configured --with-esdm. ESDM currently works only on Linux. Signed-off-by: Markus Theil <[email protected]>
Thanks for your review, squash is now pushed. |
ESDM is a Linux-based user-space PRNG daemon, with configurable entropy sources.
See: https://github.com/smuellerDD/esdm
It currently gets used, when a high level of control over entropy sources is desirable, e.g. for VPN appliance solutions.
In order to use this source, the ESDM server daemon has to be running and botan must be configured --with-esdm.
ESDM currently works only on Linux.