Generate random MAC addresses for soft MACs

Author: davidchisnall

lib/firewall/firewall.cc

@@ -7,6 +7,7 @@
 #include <debug.hh>
 //#include <fail-simulator-on-error.h>
 #include <locks.hh>
+#include <platform-entropy.hh>
 #include <platform-ethernet.hh>
 #include <timeout.h>
 #include <timeout.hh>
@@ -93,6 +94,44 @@ namespace
 	 */
 	using MACAddress = std::array<uint8_t, 6>;
 
+	/**
+	 * Returns the MAC address for the network interface.
+	 */
+	MACAddress &mac_address()
+	{
+		static MACAddress macAddress = []() {
+			auto &ethernet = lazy_network_interface();
+			if constexpr (EthernetDevice::has_unique_mac_address())
+			{
+				return ethernet.mac_address_default();
+			}
+			else
+			{
+				std::array<uint8_t, 6> macAddress;
+				EntropySource          entropy;
+				for (auto &byte : macAddress)
+				{
+					byte = entropy();
+				}
+				// Set the local bit (second bit transmitted from first byte) to
+				// 1 to indicate a locally administered MAC
+				macAddress[0] |= 0b01;
+				// Make sure that the broadcast bit is 0
+				macAddress[0] &= ~0b1;
+				ConditionalDebug<true, "Firewall">::log(
+				  "MAC address: {}:{}:{}:{}:{}:{}",
+				  macAddress[0],
+				  macAddress[1],
+				  macAddress[2],
+				  macAddress[3],
+				  macAddress[4],
+				  macAddress[5]);
+				return macAddress;
+			}
+		}();
+		return macAddress;
+	}
+
 	/**
 	 * Ethernet header.
 	 */
@@ -506,6 +545,7 @@ namespace
 
 	bool packet_filter_ingress(const uint8_t *data, size_t length)
 	{
+		static constinit MACAddress broadcastMAC = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
 		// Not a valid Ethernet frame (64 bytes including four-byte FCS, which
 		// is stripped by this point).
 		if (length < 60)
@@ -515,6 +555,19 @@ namespace
 		}
 		EthernetHeader *ethernetHeader =
 		  reinterpret_cast<EthernetHeader *>(const_cast<uint8_t *>(data));
+		if ((ethernetHeader->destination != mac_address()) &&
+		    (ethernetHeader->destination != broadcastMAC))
+		{
+			ConditionalDebug<true, "Firewall">::log(
+			  "Dropping frame with destination MAC address {}:{}:{}:{}:{}:{}",
+			  ethernetHeader->destination[0],
+			  ethernetHeader->destination[1],
+			  ethernetHeader->destination[2],
+			  ethernetHeader->destination[3],
+			  ethernetHeader->destination[4],
+			  ethernetHeader->destination[5]);
+			return false;
+		}
 		switch (ethernetHeader->etherType)
 		{
 #ifdef ENABLE_IPV6
@@ -557,7 +610,9 @@ bool ethernet_driver_start()
 	}
 	Debug::log("Initialising network interface");
 	auto &ethernet = lazy_network_interface();
-	ethernet.mac_address_set();
+	// If the device has a unique MAC address, use it.  Otherwise, generate a
+	// random locally administered one.
+	ethernet.mac_address_set(mac_address());
 	// Poke the barrier and make the driver thread start.
 	barrier = 2;
 	barrier.notify_one();
@@ -768,3 +823,11 @@ void firewall_remove_udpipv6_remote_endpoint(uint8_t *remoteAddress,
 }
 
 #endif
+
+uint8_t *firewall_mac_address_get()
+{
+	CHERI::Capability ret{mac_address().data()};
+	ret.permissions() &= {CHERI::Permission::Load, CHERI::Permission::Global};
+	ret.bounds() = 6;
+	return ret;
+}

lib/firewall/firewall.h

@@ -151,3 +151,10 @@ void __cheri_compartment("Firewall")
   firewall_remove_udpipv6_remote_endpoint(uint8_t *remoteAddress,
                                           uint16_t localPort,
                                           uint16_t remotePort);
+
+/**
+ * Get the MAC address of the ethernet device.
+ *
+ * Returns a read-only capability to the MAC address.
+ */
+uint8_t *__cheri_compartment("Firewall") firewall_mac_address_get();

lib/tcpip/startup.cc

@@ -90,7 +90,7 @@ void __cheri_compartment("TCPIP") network_start()
 	                      NetMask,
 	                      GatewayAddress,
 	                      DNSServerAddress,
-	                      KunyanEthernet::mac_address_default().data());
+	                      firewall_mac_address_get());
 	// Enable DHCP
 	endpointIPv4.bits.bWantDHCP = pdTRUE;