feat(entropy): use aws-lc-rs for random bytes

bchalios · bchalios · commit b693669994c1 · 2023-05-19T14:23:39.000+02:00
aws-lc-rs is a cryptographic library based on the aws-lc native library.
Currently, we are using OsRng from rand crate for getting random bytes
to fulfill guest requests.

This commit switches from rand crate to aws-lc-rs. The latter is in the
process of getting FIPS certification which might be of use to use in
the future.

Signed-off-by: Babis Chalios &lt;bchalios@amazon.es&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/resources/seccomp/aarch64-unknown-linux-musl.json b/resources/seccomp/aarch64-unknown-linux-musl.json
@@ -104,7 +104,7 @@
             },
             {
               "syscall": "getrandom",
-              "comment": "getrandom is used by virtio-rng to initialize the rand crate"
+              "comment": "getrandom is used by aws-lc library which we consume in virtio-rng"
             },
             {
                 "syscall": "accept4",
@@ -206,16 +206,7 @@
             },
             {
                 "syscall": "madvise",
-                "comment": "Used by the VirtIO balloon device and by musl for some customer workloads",
-                "args": [
-                    {
-                        "index": 2,
-                        "type": "dword",
-                        "op": "eq",
-                        "val": 4,
-                        "comment": "libc::MADV_DONTNEED"
-                    }
-                ]
+                "comment": "Used by the VirtIO balloon device and by musl for some customer workloads. It is also used by aws-lc during random number generation. They setup a memory page that mark with MADV_WIPEONFORK to be able to detect forks. They also call it with -1 to see if madvise is supported in certain platforms." 
             },
             {
                 "syscall": "mmap",
diff --git a/resources/seccomp/x86_64-unknown-linux-musl.json b/resources/seccomp/x86_64-unknown-linux-musl.json
@@ -104,7 +104,7 @@
             },
             {
               "syscall": "getrandom",
-              "comment": "getrandom is used by virtio-rng to initialize the rand crate"
+              "comment": "getrandom is used by aws-lc library which we consume in virtio-rng" 
             },
             {
                 "syscall": "accept4",
@@ -206,16 +206,7 @@
             },
             {
                 "syscall": "madvise",
-                "comment": "Used by the VirtIO balloon device and by musl for some customer workloads",
-                "args": [
-                    {
-                        "index": 2,
-                        "type": "dword",
-                        "op": "eq",
-                        "val": 4,
-                        "comment": "libc::MADV_DONTNEED"
-                    }
-                ]
+                "comment": "Used by the VirtIO balloon device and by musl for some customer workloads. It is also used by aws-lc during random number generation. They setup a memory page that mark with MADV_WIPEONFORK to be able to detect forks. They also call it with -1 to see if madvise is supported in certain platforms." 
             },
             {
                 "syscall": "mmap",
diff --git a/src/vmm/Cargo.toml b/src/vmm/Cargo.toml
@@ -6,6 +6,7 @@ edition = "2021"
 license = "Apache-2.0"
 
 [dependencies]
+aws-lc-rs = "1.0.2"
 bitflags = "2.0.2"
 derive_more = { version = "0.99.17", default-features = false, features = ["from", "display"] }
 event-manager = "0.3.0"
@@ -15,7 +16,6 @@ lazy_static = "1.4.0"
 libc = "0.2.117"
 linux-loader = "0.8.1"
 log = "0.4.17"
-rand = "0.8.5"
 serde = { version = "1.0.136", features = ["derive"] }
 serde_json = "1.0.78"
 timerfd = "1.2.0"
diff --git a/src/vmm/src/devices/virtio/rng/device.rs b/src/vmm/src/devices/virtio/rng/device.rs
@@ -5,9 +5,8 @@ use std::io;
 use std::sync::atomic::AtomicUsize;
 use std::sync::Arc;
 
+use aws_lc_rs::rand;
 use logger::{debug, error, IncMetric, METRICS};
-use rand::rngs::OsRng;
-use rand::RngCore;
 use rate_limiter::{RateLimiter, TokenType};
 use utils::eventfd::EventFd;
 use utils::vm_memory::{GuestMemoryError, GuestMemoryMmap};
@@ -28,7 +27,7 @@ pub enum Error {
     #[error("Bad guest memory buffer: {0}")]
     GuestMemory(#[from] GuestMemoryError),
     #[error("Could not get random bytes: {0}")]
-    Random(#[from] rand::Error),
+    Random(#[from] aws_lc_rs::error::Unspecified),
 }
 
 type Result<T> = std::result::Result<T, Error>;
@@ -105,7 +104,7 @@ impl Entropy {
 
     fn handle_one(&self, iovec: &mut IoVecBufferMut) -> Result<u32> {
         let mut rand_bytes = vec![0; iovec.len()];
-        OsRng.try_fill_bytes(&mut rand_bytes).map_err(|err| {
+        rand::fill(&mut rand_bytes).map_err(|err| {
             METRICS.entropy.host_rng_fails.inc();
             err
         })?;
