Botan 2.19.1
Crypto and TLS for C&
rdseed.cpp
Go to the documentation of this file.
1/*
2* Entropy Source Using Intel's rdseed instruction
3* (C) 2015 Daniel Neus
4* (C) 2015,2019 Jack Lloyd
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/rdseed.h>
10#include <botan/cpuid.h>
11
12#include <immintrin.h>
13
14namespace Botan {
15
16namespace {
17
18BOTAN_FUNC_ISA("rdseed")
19bool read_rdseed(secure_vector<uint32_t>& seed)
20 {
21 /*
22 * RDSEED is not guaranteed to generate an output within any specific number
23 * of attempts. However in testing on a Skylake system, with all hyperthreads
24 * occupied in tight RDSEED loops, RDSEED will still usually succeed in under
25 * 150 attempts. The maximum ever seen was 230 attempts until success. When
26 * idle, RDSEED usually succeeds in 1 or 2 attempts.
27 *
28 * We set an upper bound of 512 attempts, because it is possible that due
29 * to firmware issue RDSEED is simply broken and never succeeds. We do not
30 * want to loop forever in that case. If we exceed that limit, then we assume
31 * the hardware is actually just broken, and stop the poll.
32 */
33 const size_t RDSEED_RETRIES = 512;
34
35 for(size_t i = 0; i != RDSEED_RETRIES; ++i)
36 {
37 uint32_t r = 0;
38 int cf = 0;
39
40#if defined(BOTAN_USE_GCC_INLINE_ASM)
41 asm("rdseed %0; adcl $0,%1" :
42 "=r" (r), "=r" (cf) : "0" (r), "1" (cf) : "cc");
43#else
44 cf = _rdseed32_step(&r);
45#endif
46
47 if(1 == cf)
48 {
49 seed.push_back(r);
50 return true;
51 }
52
53 // Intel suggests pausing if RDSEED fails.
54 _mm_pause();
55 }
56
57 return false; // failed to produce an output after many attempts
58 }
59
60}
61
63 {
64 const size_t RDSEED_BYTES = 1024;
65 static_assert(RDSEED_BYTES % 4 == 0, "Bad RDSEED configuration");
66
67 if(CPUID::has_rdseed())
68 {
70 seed.reserve(RDSEED_BYTES / 4);
71
72 for(size_t p = 0; p != RDSEED_BYTES / 4; ++p)
73 {
74 /*
75 If at any point we exceed our retry count, we stop the entire seed
76 gathering process. This situation will only occur in situations of
77 extremely high RDSEED utilization. If RDSEED is currently so highly
78 contended, then the rest of the poll is likely to also face contention and
79 it is better to quit now rather than (presumably) face very high retry
80 times for the rest of the poll.
81 */
82 if(!read_rdseed(seed))
83 break;
84 }
85
86 if(seed.size() > 0)
87 {
88 rng.add_entropy(reinterpret_cast<const uint8_t*>(seed.data()),
89 seed.size() * sizeof(uint32_t));
90 }
91 }
92
93 // RDSEED is used but not trusted
94 return 0;
95 }
96
97}
size_t poll(RandomNumberGenerator &rng) override
Definition: rdseed.cpp:62
virtual void add_entropy(const uint8_t input[], size_t length)=0
#define BOTAN_FUNC_ISA(isa)
Definition: compiler.h:77
Definition: alg_id.cpp:13
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65