The AWS-LC project is yet another TLS library that would have to be worked
into Fedora, while Firecracker only uses it for its randomness functions. The
reason stated for choosing AWS-LC is that Amazon might get it FIPS-certified
some day. This patch reverts 246a308ef6d1054f7551ebeee7f0191b8518d2ad to go
back to the original implementation with the rand crate instead.
--- a/resources/seccomp/aarch64-unknown-linux-musl.json
+++ b/resources/seccomp/aarch64-unknown-linux-musl.json
@@ -108,7 +108,7 @@
},
{
"syscall": "getrandom",
- "comment": "getrandom is used by aws-lc library which we consume in virtio-rng"
+ "comment": "getrandom is used by virtio-rng to initialize the rand crate"
},
{
"syscall": "accept4",
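Review bot: The new `getrandom` comment says the syscall is used "to initialize the rand crate", which understates when the rule is exercised. The device.rs hunk in this patch calls `OsRng.try_fill_bytes` per request, and `OsRng` keeps no seeded state in the process, so the syscall is reached on every guest entropy request rather than once at start-up. Someone auditing the filter could wrongly conclude the rule only matters during initialization. I would word it as `"comment": "getrandom is called by virtio-rng through rand's OsRng on every entropy request"`. The identical hunk in x86_64-unknown-linux-musl.json needs the same wording.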
@@ -210,7 +210,16 @@
},
{
"syscall": "madvise",
- "comment": "Used by the VirtIO balloon device and by musl for some customer workloads. It is also used by aws-lc during random number generation. They setup a memory page that mark with MADV_WIPEONFORK to be able to detect forks. They also call it with -1 to see if madvise is supported in certain platforms."
+ "comment": "Used by the VirtIO balloon device and by musl for some customer workloads",
+ "args": [
+ {
+ "index": 2,
+ "type": "dword",
+ "op": "eq",
+ "val": 4,
+ "comment": "libc::MADV_DONTNEED"
+ }
+ ]
},
{
"syscall": "mmap",
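Review bot: The rule-level comment on `madvise` does not mention that the call is now limited to a single advice value; only the nested argument comment names `libc::MADV_DONTNEED`. If a later dependency change issues any other advice, it will hit the filter's default action with nothing at the rule level explaining why. I would extend it to `"comment": "Used by the VirtIO balloon device and by musl for some customer workloads; only MADV_DONTNEED is allowed, any other advice value is rejected"`. The patch shows no test confirming that the remaining callers use only this advice value, so a run of the balloon and rng paths under the installed filter would be worth having if one does not already exist. The same applies to the matching hunk in x86_64-unknown-linux-musl.json.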
--- a/resources/seccomp/x86_64-unknown-linux-musl.json
+++ b/resources/seccomp/x86_64-unknown-linux-musl.json
@@ -108,7 +108,7 @@
},
{
"syscall": "getrandom",
- "comment": "getrandom is used by aws-lc library which we consume in virtio-rng"
+ "comment": "getrandom is used by virtio-rng to initialize the rand crate"
},
{
"syscall": "accept4",
@@ -210,7 +210,16 @@
},
{
"syscall": "madvise",
- "comment": "Used by the VirtIO balloon device and by musl for some customer workloads. It is also used by aws-lc during random number generation. They setup a memory page that mark with MADV_WIPEONFORK to be able to detect forks. They also call it with -1 to see if madvise is supported in certain platforms."
+ "comment": "Used by the VirtIO balloon device and by musl for some customer workloads",
+ "args": [
+ {
+ "index": 2,
+ "type": "dword",
+ "op": "eq",
+ "val": 4,
+ "comment": "libc::MADV_DONTNEED"
+ }
+ ]
},
{
"syscall": "mmap",
--- a/src/vmm/Cargo.toml
+++ b/src/vmm/Cargo.toml
@@ -9,7 +9,7 @@
bench = false
[dependencies]
-aws-lc-rs = "1.0.2"
+rand = "0.8.5"
bitflags = "2.0.2"
derive_more = { version = "0.99.17", default-features = false, features = ["from", "display"] }
event-manager = "0.3.0"
--- a/src/vmm/src/devices/virtio/rng/device.rs
+++ b/src/vmm/src/devices/virtio/rng/device.rs
@@ -5,7 +5,8 @@
use std::sync::atomic::AtomicU32;
use std::sync::Arc;
-use aws_lc_rs::rand;
+use rand::rngs::OsRng;
+use rand::RngCore;
use utils::eventfd::EventFd;
use vm_memory::GuestMemoryError;
@@ -30,7 +31,7 @@
/// Bad guest memory buffer: {0}
GuestMemory(#[from] GuestMemoryError),
/// Could not get random bytes: {0}
- Random(#[from] aws_lc_rs::error::Unspecified),
+ Random(#[from] rand::Error),
}
#[derive(Debug)]
@@ -113,7 +114,7 @@
}
let mut rand_bytes = vec![0; iovec.len()];
- rand::fill(&mut rand_bytes).map_err(|err| {
+ OsRng.try_fill_bytes(&mut rand_bytes).map_err(|err| {
METRICS.host_rng_fails.inc();
err
})?;
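Review bot: The `OsRng.try_fill_bytes` call has no comment recording why `OsRng` is the right source here, and that choice is what lets the seccomp hunks drop the fork-detection `madvise` allowance. I would add above it `// OsRng keeps no generator state in this process: each call reads from the kernel via getrandom(2),` and `// so there is nothing to wipe or reseed after a fork; do not swap in a seeded userspace RNG.` Separately, `vec![0; iovec.len()]` on the context line sizes a host allocation from the descriptor length. The function starts outside this hunk, so whether that length is capped earlier is not visible and should be confirmed.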