Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Rdrand/rdseed instruction in hyperlight_guest #202

Open
simongdavies opened this issue Jan 29, 2025 · 0 comments
Open

Support Rdrand/rdseed instruction in hyperlight_guest #202

simongdavies opened this issue Jan 29, 2025 · 0 comments
Labels
lifecycle/needs-review The issue has not yet been reviewed.
Milestone
Backlog

Comments

@simongdavies
Copy link
Contributor

The use of rdrand in hyperlight_guest for random number generation has been removed due to issues where the Host OS has prevented its use causing a KVM exit with a Internal Error.

Some hosts can choose to not support the user of RDRAND and RDSEED instructions in guests. Intel VMX provides the capability to turn usage of these instructions to VM Exits by setting bits in the MSR IA32_VMX_PROCBASED_CTLS2 (see here for details).

Linux/KVM will process these exits as invalid operations (see here).

The use of rdrand in WSL with Ubuntu/KVM (18.04/20.04/22.04) causes invalid operation errors as does a local non virtualised install of Ubuntu 22.04. It is not clear what causes Linux to disable support for rdrand in these scenarios, there is code in the kernel which checks to see if rdrand produces sufficiently random results and disables it in the host if not, this is not happening as if we check for support in the host it is enabled.

Regardless there are a couple of things that we can do:

In hyperlight_host we can ensure that rdrand is supported in the host and that it is allowed in the guest (by clearing the bit in IA32_VMX_PROCBASED_CTLS2 and ensuring that CPUID checks for RDRAND are successful). Brief attempts at setting this up in the KVM hypervisor module were not successful (failed to get/set the CPUID property and failed to get/set the MSR), but with more investigation this should be possible. It would need to be done in all hypervisor modules.

It may be that the issue seen with KVM was due to the way we were creating threads and using the KVM API in the past, we should re-test and see if this is still an issue

Alongside this the guest should be updated to test for rdrand support something like this:

let mut _eax: u32 = 1;
let _ebx: u32;
let mut ecx: u32;
let _edx: u32;

asm!(
  "mov {0:r}, rbx",
  "cpuid",
  "xchg {0:r}, rbx",
   out(reg) _ebx,
   inout("eax") _eax,
   out("ecx") ecx,
   out("edx") _edx,
   options(nostack, preserves_flags),
   );

if ecx & (1 << 30) != 0 {
   has_rdrand = true;
}
@simongdavies simongdavies added the kind/enhancement For PRs adding features, improving functionality, docs, tests, etc. label Jan 29, 2025
@github-actions github-actions bot added the lifecycle/needs-review The issue has not yet been reviewed. label Jan 29, 2025
@syntactically syntactically removed the kind/enhancement For PRs adding features, improving functionality, docs, tests, etc. label Feb 5, 2025
@danbugs danbugs added this to the Backlog milestone Mar 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
lifecycle/needs-review The issue has not yet been reviewed.
Projects
Hyperlight Milestones
Status: No status
Milestone
Backlog
Development

No branches or pull requests
3 participants
@simongdavies @danbugs @syntactically