Support FIPS build w/ CPU Jitter (#657)

justsmth · web-flow · commit bcf56a3137ce · 2025-01-15T19:43:43.000-05:00
* Support FIPS build w/ CPU Jitter Entropy

* Script verifying CPU Jitter Entropy
diff --git a/.github/workflows/fips.yml b/.github/workflows/fips.yml
@@ -86,3 +86,22 @@ jobs:
       - name: Run cargo test
         working-directory: ./aws-lc-rs
         run: cargo test ${{ matrix.args }}
+  cpu-jitter-entropy-test:
+    if: github.repository_owner == 'aws'
+    name: CPU Jitter Entropy Tests
+    runs-on: ubuntu-latest
+    env:
+      AWS_LC_FIPS_SYS_CPU_JITTER_ENTROPY: 1
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+      - uses: dtolnay/rust-toolchain@master
+        id: toolchain
+        with:
+          toolchain: nightly
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.18'
+      - name: Run assert script
+        run: ./scripts/tests/assert_cpu_jitter_entropy.rs
diff --git a/aws-lc-fips-sys/builder/cmake_builder.rs b/aws-lc-fips-sys/builder/cmake_builder.rs
@@ -3,9 +3,9 @@
 
 use crate::OutputLib::{Crypto, RustWrapper, Ssl};
 use crate::{
-    cargo_env, emit_warning, execute_command, is_no_asm, option_env, target, target_arch,
-    target_env, target_family, target_os, target_underscored, target_vendor, OutputLibType,
-    TestCommandResult,
+    cargo_env, emit_rustc_cfg, emit_warning, execute_command, is_cpu_jitter_entropy, is_no_asm,
+    option_env, target, target_arch, target_env, target_family, target_os, target_underscored,
+    target_vendor, OutputLibType, TestCommandResult,
 };
 use std::collections::HashMap;
 use std::env;
@@ -106,6 +106,11 @@ impl CmakeBuilder {
             cmake_cfg.define("BUILD_SHARED_LIBS", "0");
         }
 
+        if is_cpu_jitter_entropy() {
+            cmake_cfg.define("ENABLE_FIPS_ENTROPY_CPU_JITTER", "ON");
+            emit_rustc_cfg("cpu_jitter_entropy");
+        }
+
         let cc_build = cc::Build::new();
         let opt_level = cargo_env("OPT_LEVEL");
         if opt_level.ne("0") {
diff --git a/aws-lc-fips-sys/builder/main.rs b/aws-lc-fips-sys/builder/main.rs
@@ -364,6 +364,7 @@ static mut AWS_LC_FIPS_SYS_NO_PREFIX: bool = false;
 static mut AWS_LC_FIPS_SYS_PREGENERATING_BINDINGS: bool = false;
 static mut AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN: bool = false;
 static mut AWS_LC_FIPS_SYS_NO_ASM: bool = false;
+static mut AWS_LC_FIPS_SYS_CPU_JITTER_ENTROPY: bool = false;
 fn initialize() {
     unsafe {
         AWS_LC_FIPS_SYS_NO_PREFIX = env_var_to_bool("AWS_LC_FIPS_SYS_NO_PREFIX").unwrap_or(false);
@@ -372,6 +373,8 @@ fn initialize() {
         AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN =
             env_var_to_bool("AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN").unwrap_or(false);
         AWS_LC_FIPS_SYS_NO_ASM = env_var_to_bool("AWS_LC_FIPS_SYS_NO_ASM").unwrap_or(false);
+        AWS_LC_FIPS_SYS_CPU_JITTER_ENTROPY =
+            env_var_to_bool("AWS_LC_FIPS_SYS_CPU_JITTER_ENTROPY").unwrap_or(false);
     }
 
     // The conditions below should prevent use of pregenerated bindings in all cases where the
@@ -435,6 +438,10 @@ fn is_no_asm() -> bool {
     unsafe { AWS_LC_FIPS_SYS_NO_ASM }
 }
 
+fn is_cpu_jitter_entropy() -> bool {
+    unsafe { AWS_LC_FIPS_SYS_CPU_JITTER_ENTROPY }
+}
+
 fn has_bindgen_feature() -> bool {
     cfg!(feature = "bindgen")
 }
@@ -449,6 +456,7 @@ fn prepare_cargo_cfg() {
         println!("cargo:rustc-check-cfg=cfg(aarch64_apple_darwin)");
         println!("cargo:rustc-check-cfg=cfg(aarch64_unknown_linux_gnu)");
         println!("cargo:rustc-check-cfg=cfg(aarch64_unknown_linux_musl)");
+        println!("cargo:rustc-check-cfg=cfg(cpu_jitter_entropy)");
         println!("cargo:rustc-check-cfg=cfg(i686_unknown_linux_gnu)");
         println!("cargo:rustc-check-cfg=cfg(use_bindgen_generated)");
         println!("cargo:rustc-check-cfg=cfg(x86_64_apple_darwin)");
diff --git a/aws-lc-fips-sys/src/lib.rs b/aws-lc-fips-sys/src/lib.rs
@@ -84,6 +84,12 @@ pub fn ERR_GET_FUNC(packed_error: u32) -> i32 {
     unsafe { ERR_GET_FUNC_RUST(packed_error) }
 }
 
+#[allow(non_snake_case)]
+#[must_use]
+pub fn CFG_CPU_JITTER_ENTROPY() -> bool {
+    cfg!(cpu_jitter_entropy)
+}
+
 #[allow(non_snake_case, clippy::not_unsafe_ptr_arg_deref)]
 pub fn BIO_get_mem_data(b: *mut BIO, pp: *mut *mut c_char) -> c_long {
     unsafe { BIO_ctrl(b, BIO_CTRL_INFO, 0, pp.cast::<c_void>()) }
diff --git a/aws-lc-rs/src/lib.rs b/aws-lc-rs/src/lib.rs
@@ -233,14 +233,42 @@ pub fn fips_mode() {
 /// Indicates whether the underlying implementation is FIPS.
 ///
 /// # Errors
-/// Return an error if the underlying implementation is not FIPS, otherwise ok
+/// Return an error if the underlying implementation is not FIPS, otherwise Ok.
 pub fn try_fips_mode() -> Result<(), &'static str> {
     init();
-    unsafe {
-        match FIPS_mode() {
-            1 => Ok(()),
-            _ => Err("FIPS mode not enabled!"),
-        }
+    match unsafe { FIPS_mode() } {
+        1 => Ok(()),
+        _ => Err("FIPS mode not enabled!"),
+    }
+}
+
+#[cfg(feature = "fips")]
+/// Panics if the underlying implementation is not using CPU jitter entropy, otherwise it returns.
+///
+/// # Panics
+/// Panics if the underlying implementation is not using CPU jitter entropy.
+pub fn fips_cpu_jitter_entropy() {
+    try_fips_cpu_jitter_entropy().unwrap();
+}
+
+/// Indicates whether the underlying implementation is FIPS.
+///
+/// # Errors
+/// Return an error if the underlying implementation is not using CPU jitter entropy, otherwise Ok.
+pub fn try_fips_cpu_jitter_entropy() -> Result<(), &'static str> {
+    init();
+    // TODO: Delete once FIPS_is_entropy_cpu_jitter() available on FIPS branch
+    // https://github.com/aws/aws-lc/pull/2088
+    #[cfg(feature = "fips")]
+    if aws_lc::CFG_CPU_JITTER_ENTROPY() {
+        Ok(())
+    } else {
+        Err("FIPS CPU Jitter Entropy not enabled!")
+    }
+    #[cfg(not(feature = "fips"))]
+    match unsafe { aws_lc::FIPS_is_entropy_cpu_jitter() } {
+        1 => Ok(()),
+        _ => Err("FIPS CPU Jitter Entropy not enabled!"),
     }
 }
 
@@ -292,12 +320,17 @@ mod tests {
     #[test]
     fn test_fips() {
         assert!({ crate::try_fips_mode().is_err() });
+        assert!({ crate::try_fips_cpu_jitter_entropy().is_err() });
     }
 
     #[test]
     // FIPS mode is disabled for an ASAN build
-    #[cfg(all(feature = "fips", not(feature = "asan")))]
+    #[cfg(feature = "fips")]
     fn test_fips() {
+        #[cfg(not(feature = "asan"))]
         crate::fips_mode();
+        if aws_lc::CFG_CPU_JITTER_ENTROPY() {
+            crate::fips_cpu_jitter_entropy();
+        }
     }
 }
diff --git a/scripts/tests/assert_cpu_jitter_entropy.rs b/scripts/tests/assert_cpu_jitter_entropy.rs
@@ -0,0 +1,13 @@
+#!/usr/bin/env -S cargo +nightly -Zscript
+---cargo
+[dependencies]
+aws-lc-rs = { version = "1", path = "../../aws-lc-rs", default-features = false, features = ["fips"] }
+---
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+fn main()  {
+    println!("Checking for CPU Jitter Entropy");
+    aws_lc_rs::fips_cpu_jitter_entropy();
+    println!("CPU Jitter Entropy Success");
+}
