kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
2cac3506fa
boringssl/crypto/rand/asm/rdrand-x86_64.pl
Adam Langley 2cac3506fa Handle RDRAND failures. 
I mistakenly believed that only RDSEED could fail. However, the Intel
manuals state that RDRAND can fail too.

I can't actually observe it failing, even with all cores running RDRAND in a
tight loop. In any case, the ChaCha20 masking means that it wouldn't be
a big deal anyway.

Still, this change tests the carry flag after RDRAND and the code falls
back to |CRYPTO_sysrand| if RDRAND has a hiccup. (The Intel manuals
suggest[1] calling RDRAND in a loop, ten times, before considering it to
have failed. But a single failure appears to be such a rare event that
the complexity in the asm code doesn't seem worth it.)

This change also adds an asm function to fill a buffer with random data.
Otherwise the overhead of calling |CRYPTO_rdrand|, and bouncing the data
in and out of memory starts to add up.

Thanks to W. Mark Kubacki, who may have reported this. (There's some
confusion in the bug report.)

Before:

Did 6148000 RNG (16 bytes) operations in 1000080us: 98.4 MB/s
Did 649000 RNG (256 bytes) operations in 1000281us: 166.1 MB/s
Did 22000 RNG (8192 bytes) operations in 1033538us: 174.4 MB/s

After:

Did 6573000 RNG (16 bytes) operations in 1000002us: 105.2 MB/s
Did 693000 RNG (256 bytes) operations in 1000127us: 177.4 MB/s
Did 24000 RNG (8192 bytes) operations in 1028466us: 191.2 MB/s

[1] Intel Reference Manual, section 7.3.17.1.

Change-Id: Iba7f82e844ebacef535472a31f2dd749aad1190a
Reviewed-on: https://boringssl-review.googlesource.com/5180
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 20:56:33 +00:00

76 lines
2.3 KiB
Raku
Raw Blame History

#!/usr/bin/env perl
# Copyright (c) 2015, Google Inc.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
$flavour = shift;
$output = shift;
if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
open OUT,"| \"$^X\" $xlate $flavour $output";
*STDOUT=*OUT;
print<<___;
.text
# CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to
# |out|. It returns one on success or zero on hardware failure.
# int CRYPTO_rdrand(uint8_t out[8]);
.globl CRYPTO_rdrand
.type CRYPTO_rdrand,\@function,1
.align 16
CRYPTO_rdrand:
xorq %rax, %rax
# This is rdrand %rcx. It sets rcx to a random value and sets the carry
# flag on success.
.byte 0x48, 0x0f, 0xc7, 0xf1
# An add-with-carry of zero effectively sets %rax to the carry flag.
adcq %rax, %rax
movq %rcx, 0(%rdi)
retq
# CRYPTO_rdrand_multiple8_buf fills |len| bytes at |buf| with random data from
# the hardware RNG. The |len| argument must be a multiple of eight. It returns
# one on success and zero on hardware failure.
# int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
.globl CRYPTO_rdrand_multiple8_buf
.type CRYPTO_rdrand_multiple8_buf\@function,1
.align 16
CRYPTO_rdrand_multiple8_buf:
test %rsi, %rsi
jz .Lout
movq \$8, %rdx
.Lloop:
# This is rdrand %rcx. It sets rcx to a random value and sets the carry
# flag on success.
.byte 0x48, 0x0f, 0xc7, 0xf1
jnc .Lerr
movq %rcx, 0(%rdi)
addq %rdx, %rdi
subq %rdx, %rsi
jnz .Lloop
.Lout:
movq \$1, %rax
retq
.Lerr:
xorq %rax, %rax
retq
___
close STDOUT; # flush
Reference in New Issue View Git Blame Copy Permalink