[PM-5693] CryptoService using memfd_secret on Linux #7
Conversation
Otherwise some Drop implementations can crash
|
No New Or Fixed Issues Found |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7 +/- ##
==========================================
+ Coverage 64.43% 65.55% +1.12%
==========================================
Files 188 195 +7
Lines 13832 15005 +1173
==========================================
+ Hits 8912 9836 +924
- Misses 4920 5169 +249 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
I've taken an initial look at this. I think the general concept is solid, there are some potential areas for improvements.
However the biggest pieces would be:
- Documentation, we need to ensure we write solid documentation on the difference areas and ensure we are clear about how it's intended to be used.
- Improve test coverage, since we're dealing with cryptography we want to be really sure nothing breaks in the future.
There was a problem hiding this comment.
Do we have any documentation for why we need to implement our own slice vs using built in?
There was a problem hiding this comment.
Added some doc comments here:
| use key_store::KeyStore; | ||
|
|
||
| #[derive(Clone)] | ||
| pub struct CryptoService<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef> { |
There was a problem hiding this comment.
question: We define a Keys struct which essentially acts as the KeyStore. Would it be a cleaner interface to define a KeyStore trait which both CryptoService and Keys implements, and CryptoService simply forwards calls to the inner store.
There was a problem hiding this comment.
Initially I think I've tried to do something like that, but it was hard to get a good API when using a trait here and then also trying to be generic over key type / Encryptable implementation.
# Conflicts: # crates/bitwarden-crypto/src/lib.rs
|
I've made a few changes while documenting this a bit, plus some of the review suggestions are included here as well:
The next steps for the crypto refactor after this are:
Some future API improvements:
|
| @@ -50,6 +50,9 @@ wasm-bindgen = { workspace = true, optional = true } | |||
| zeroize = { version = ">=1.7.0, <2.0", features = ["derive", "aarch64"] } | |||
| zeroizing-alloc = ">=0.1.0, <0.2" | |||
|
|
|||
| [target.'cfg(all(not(target_arch = "wasm32"), not(windows)))'.dependencies] | |||
| memsec = { version = "0.7.0", features = ["alloc_ext"] } | |||
There was a problem hiding this comment.
Did we explore the alternative crate (memfd) which has more downloads?
| @@ -50,6 +50,9 @@ wasm-bindgen = { workspace = true, optional = true } | |||
| zeroize = { version = ">=1.7.0, <2.0", features = ["derive", "aarch64"] } | |||
| zeroizing-alloc = ">=0.1.0, <0.2" | |||
|
|
|||
| [target.'cfg(all(not(target_arch = "wasm32"), not(windows)))'.dependencies] | |||
There was a problem hiding this comment.
Yeah, the mlock/munlock APIs work on any unix system, including Mac and BSDs. memfd_secret is Linux only
| @@ -23,6 +23,10 @@ pub enum CryptoError { | |||
| MissingKey(Uuid), | |||
| #[error("The item was missing a required field: {0}")] | |||
| MissingField(&'static str), | |||
| #[error("Missing Key for Ref. {0}")] | |||
| MissingKey2(String), | |||
There was a problem hiding this comment.
Can we rename this to MissingKeyRef? Put it under MissingKey and add a comment to rename this once we refactor the usage.
| @@ -80,6 +80,8 @@ mod util; | |||
| pub use util::{generate_random_alphanumeric, generate_random_bytes, pbkdf2}; | |||
| mod wordlist; | |||
| pub use wordlist::EFF_LONG_WORD_LIST; | |||
| pub mod store; | |||
There was a problem hiding this comment.
question: Do we want to use pub mod here?
| @@ -1,5 +1,9 @@ | |||
| mod key_encryptable; | |||
| pub use key_encryptable::{CryptoKey, KeyContainer, KeyDecryptable, KeyEncryptable, LocateKey}; | |||
| mod encryptable; | |||
| pub use encryptable::{Decryptable, Encryptable, UsesKey}; | |||
| pub mod key_ref; | |||
There was a problem hiding this comment.
question: keys isn't public so key_ref should probably not be public either?
| pub mod key_ref; | |
| pub key_ref; |
|
|
||
| // For Send+Sync to be safe, we need to ensure that the memory is only accessed mutably from one | ||
| // thread. To do this, we have to make sure that any funcion in `MemfdSecretImplKeyData` that | ||
| // accesses the pointer mutably is defined as &mut self, and that the pointer is never copied or |
There was a problem hiding this comment.
| // accesses the pointer mutably is defined as &mut self, and that the pointer is never copied or | |
| // accesses the pointer mutably is defined as `&mut self`, and that the pointer is never copied or |
| let ptr: NonNull<[u8]> = memsec::memfd_secret_sized(capacity * entry_size) | ||
| .expect("memfd_secret_sized failed"); |
There was a problem hiding this comment.
When would memfd fail? If we run out of memory?
There was a problem hiding this comment.
According to the docs (https://man7.org/linux/man-pages/man2/memfd_secret.2.html):
EINVAL flags included unknown bits.
EMFILE The per-process limit on the number of open file
descriptors has been reached.
EMFILE The system-wide limit on the total number of open files
has been reached.
ENOMEM There was insufficient memory to create a new anonymous
file.
ENOSYS memfd_secret() is not implemented on this architecture, or
has not been enabled on the kernel command-line with
secretmem_enable=1.
So when the system is out of memory or the process has reached the file descriptor limit, or if the feature is disabled and not supported (but we check for that the first time)
| // Initialize the array with Nones using MaybeUninit | ||
| let uninit_slice: &mut [MaybeUninit<_>] = std::slice::from_raw_parts_mut( | ||
| ptr.as_ptr() as *mut MaybeUninit<Option<(Key, Key::KeyValue)>>, | ||
| capacity, | ||
| ); | ||
| for elem in uninit_slice { | ||
| elem.write(None); | ||
| } |
There was a problem hiding this comment.
This is probably unsafe? https://doc.rust-lang.org/std/slice/fn.from_raw_parts_mut.html
| // SAFETY: The pointer is valid and points to a valid slice of the correct size. | ||
| // This function is &self so it only takes a immutable *const pointer. |
There was a problem hiding this comment.
Can you elaborate on how we know it's valid?
| return Box::new(key_store); | ||
| } | ||
|
|
||
| Box::new(rust::RustBackend::new().expect("RustKeyStore should always be available")) |
There was a problem hiding this comment.
| Box::new(rust::RustBackend::new().expect("RustKeyStore should always be available")) | |
| Box::new(rust::RustBackend::new().expect("RustKeyStore to always be available")) |
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-5693
📔 Objective
Migrated from bitwarden/sdk-sm#979
I've been looking into using
memfd_secretto protect keys in memory on Linux.The
memfd_secretAPI is similar to malloc in that we get some memory range allocated for us, but this memory is only visible to the process that has access to the file descriptor, which should protect us from any memory dumping from anything other than a kernel driver.https://man.archlinux.org/man/memfd_secret.2.en
Using this requires changing how we store keys, so this is the perfect moment to go through removing the raw keys from the API surface.
Changes
KeyReftrait andSymmetricKeyRef/AsymmetricKeyRefsubtraits to represent the key types. Also a small macro to quickly implement them.KeyRefimplementations are user defined types that implementsEq+Hash+Copy, and don't contain any key materialKeyEncryptable/KeyDecryptableare nowDecryptable/Encryptable, and instead of taking the key as parameter, they take aCryptoServiceContextand aKeyRef. This way keys are never exposed to the clients.KeyLocatortrait is replaced byUsesKey. This trait only returns theKeyRefof the key required to decrypt it, instead of fetching the key itself.KeyStoretrait, with some simple CRUD methods. We have two implementations, one based onmemfd_secretfor Linux, and another one based on a Rust boxed slice, that also appliesmlockif possible.mlockandmemfd_secretapply their protection over a specified memory area, we need a Rust data structure that is laid out linearly and also doesn't reallocate by itself. Also becausememfd_secretallocates the memory for us, we can't use a std type like Vec (reason is the Vec must be allocated by the Rust allocator [ref]). This basically only leaves us with a Rust slice, on top of which we'd need to implement insert/get/delete. To allow for reuse and easier testing I've createdSliceKeyStore, which implements the CRUD methods from theKeyStoretrait on top of a plain slice. Then the actualmlockandmemfd_secretimplementations just need to implement a trait casting their data to a slice. The data is stored as a slice ofOption<(KeyRef, KeyMaterial)>, and the keys are unique and sorted in the slice for easier lookups.CryptoService, which contains theKeyStores and some encrypt/decrypt utility functions. From aCryptoServiceyou can also initialize aCryptoServiceContextCryptoServiceContextcontains a read only view of the keys inside theCryptoService, plus a read-write ephemeral key store, for use byDecryptable/Encryptableimplementations when they need to temporarily store some keys (Cipher keys, attachment keys, send keys...).Migrated the codebase to use these changes in a separate PR: bitwarden/sdk-sm#1117
📸 Screenshots
⏰ Reminders before review
team
🦮 Reviewer guidelines
:+1:) or similar for great changes:memo:) or ℹ️ (:information_source:) for notes or general info:question:) for questions:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmedissue and could potentially benefit from discussion
:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes