Add linux_raw opt-in backend (#572)

This PR replaces the `linux_rustix` opt-in backend introduced in #520
with `linux_raw` opt-in backend based raw syscalls implemented using
`asm!`. It noticeably reduces dependency footprint of the crate (see
concerns raised in #433). Unfortunately, it means that we have to
implement the raw syscalls ourselves.

This PR implements `linux_raw` support only for target arches with
stable `asm!`. Nightly-only support for other targets can be added in
later PRs.

Author: newpavlov

.github/workflows/build.yml

@@ -132,6 +132,32 @@ jobs:
           RUSTFLAGS: -Dwarnings --cfg getrandom_backend="rdrand"
         run: cargo build --features=std
 
+  linux-raw:
+    name: Build Raw Linux
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        target: [
+          arm-unknown-linux-gnueabihf,
+          aarch64-unknown-linux-gnu,
+          loongarch64-unknown-linux-gnu,
+          riscv32gc-unknown-linux-gnu,
+          riscv64gc-unknown-linux-gnu,
+          s390x-unknown-linux-gnu,
+          i686-unknown-linux-gnu,
+          x86_64-unknown-linux-gnu,
+          x86_64-unknown-linux-gnux32,
+        ]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: nightly-2025-02-15
+          components: rust-src
+      - env:
+          RUSTFLAGS: -Dwarnings --cfg getrandom_backend="linux_raw"
+        run: cargo build -Zbuild-std=core --target=${{ matrix.target }}
+
   web:
     name: ${{ matrix.target.description }} ${{ matrix.feature.description }} ${{ matrix.atomic.description }}
     runs-on: ubuntu-24.04

.github/workflows/nopanic.yaml

@@ -49,6 +49,13 @@ jobs:
       - name: Check (getrandom.rs)
         run: (exit $( grep -c panic target/release/libgetrandom_wrapper.so ))
 
+      - name: Build (linux_raw.rs)
+        env:
+          RUSTFLAGS: -Dwarnings --cfg getrandom_backend="linux_raw"
+        run: cargo build --release
+      - name: Check (linux_raw.rs)
+        run: (exit $( grep -c panic target/release/libgetrandom_wrapper.so ))
+
       - name: Build (rdrand.rs)
         env:
           RUSTFLAGS: -Dwarnings --cfg getrandom_backend="rdrand"

.github/workflows/tests.yml

@@ -57,6 +57,10 @@ jobs:
           RUSTFLAGS: -Dwarnings --cfg getrandom_backend="linux_getrandom"
           RUSTDOCFLAGS: -Dwarnings --cfg getrandom_backend="linux_getrandom"
         run: cargo test --target=${{ matrix.target }} --features=std
+      - env:
+          RUSTFLAGS: -Dwarnings --cfg getrandom_backend="linux_raw"
+          RUSTDOCFLAGS: -Dwarnings --cfg getrandom_backend="linux_raw"
+        run: cargo test --target=${{ matrix.target }} --features=std
       - env:
           RUSTFLAGS: -Dwarnings --cfg getrandom_test_linux_fallback
           RUSTDOCFLAGS: -Dwarnings --cfg getrandom_test_linux_fallback

.github/workflows/workspace.yml

@@ -57,6 +57,10 @@ jobs:
       run: cargo clippy --target x86_64-unknown-linux-gnu
     - name: Linux (linux_android_with_fallback.rs)
       run: cargo clippy --target x86_64-unknown-linux-gnu
+    - name: Linux (linux_raw.rs)
+      env:
+        RUSTFLAGS: -Dwarnings --cfg getrandom_backend="linux_raw"
+      run: cargo clippy --target x86_64-unknown-linux-gnu
     - name: NetBSD (netbsd.rs)
       run: cargo clippy -Zbuild-std=core --target x86_64-unknown-netbsd
     - name: Fortranix SGX (rdrand.rs)

Cargo.toml

@@ -31,7 +31,7 @@ compiler_builtins = { version = "0.1", optional = true }
 core = { version = "1.0", optional = true, package = "rustc-std-workspace-core" }
 
 # getrandom / linux_android_with_fallback
-[target.'cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr"))))'.dependencies]
+[target.'cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "linux_raw", getrandom_backend = "rdrand", getrandom_backend = "rndr"))))'.dependencies]
 libc = { version = "0.2.154", default-features = false }
 
 # apple-other
@@ -81,7 +81,7 @@ wasm-bindgen-test = "0.3"
 [lints.rust.unexpected_cfgs]
 level = "warn"
 check-cfg = [
-  'cfg(getrandom_backend, values("custom", "rdrand", "rndr", "linux_getrandom", "wasm_js"))',
+  'cfg(getrandom_backend, values("custom", "rdrand", "rndr", "linux_getrandom", "linux_raw", "wasm_js"))',
   'cfg(getrandom_msan)',
   'cfg(getrandom_windows_legacy)',
   'cfg(getrandom_test_linux_fallback)',

README.md

@@ -80,6 +80,7 @@ of randomness based on their specific needs:
 | Backend name      | Target               | Target Triple            | Implementation
 | ----------------- | -------------------- | ------------------------ | --------------
 | `linux_getrandom` | Linux, Android       | `*‑linux‑*`              | [`getrandom`][1] system call (without `/dev/urandom` fallback). Bumps minimum supported Linux kernel version to 3.17 and Android API level to 23 (Marshmallow).
+| `linux_raw`       | Linux, Android       | `*‑linux‑*`              | Same as `linux_getrandom`, but uses raw `asm!`-based syscalls instead of `libc`.
 | `rdrand`          | x86, x86-64          | `x86_64-*`, `i686-*`     | [`RDRAND`] instruction
 | `rndr`            | AArch64              | `aarch64-*`              | [`RNDR`] register
 | `wasm_js`         | Web Browser, Node.js | `wasm32‑unknown‑unknown`, `wasm32v1-none` | [`Crypto.getRandomValues`]. Requires feature `wasm_js` ([see below](#webassembly-support)).
@@ -110,6 +111,15 @@ WILL NOT have any effect on its downstream users.
 
 [`.cargo/config.toml`]: https://doc.rust-lang.org/cargo/reference/config.html
 
+### Raw Linux syscall support
+
+Currently the `linux_raw` backend supports only targets with stabilized `asm!` macro,
+i.e. `arm`, `aarch64`, `loongarch64`, `riscv32`, `riscv64`, `s390x`, `x86`, and `x86_64`.
+
+Note that the raw syscall backend may be slower than backends based on `libc::getrandom`,
+e.g. it does not implement vDSO optimizations and on `x86` it uses the infamously slow
+`int 0x80` instruction to perform syscall.
+
 ### WebAssembly support
 
 This crate fully supports the [WASI] and [Emscripten] targets. However,

src/backends.rs

@@ -13,6 +13,9 @@ cfg_if! {
     } else if #[cfg(getrandom_backend = "linux_getrandom")] {
         mod getrandom;
         pub use getrandom::*;
+    } else if #[cfg(getrandom_backend = "linux_raw")] {
+        mod linux_raw;
+        pub use linux_raw::*;
     } else if #[cfg(getrandom_backend = "rdrand")] {
         mod rdrand;
         pub use rdrand::*;

src/backends/linux_raw.rs

@@ -0,0 +1,139 @@
+//! Implementation for Linux / Android using `asm!`-based syscalls.
+use crate::{Error, MaybeUninit};
+
+pub use crate::util::{inner_u32, inner_u64};
+
+#[cfg(not(any(target_os = "android", target_os = "linux")))]
+compile_error!("`linux_raw` backend can be enabled only for Linux/Android targets!");
+
+#[allow(non_upper_case_globals)]
+unsafe fn getrandom_syscall(buf: *mut u8, buflen: usize, flags: u32) -> isize {
+    let r0;
+
+    // Based on `rustix` and `linux-raw-sys` code.
+    cfg_if! {
+        if #[cfg(target_arch = "arm")] {
+            const __NR_getrandom: u32 = 384;
+            // In thumb-mode, r7 is the frame pointer and is not permitted to be used in
+            // an inline asm operand, so we have to use a different register and copy it
+            // into r7 inside the inline asm.
+            // Theoretically, we could detect thumb mode in the build script, but several
+            // register moves are cheap enough compared to the syscall cost, so we do not
+            // bother with it.
+            core::arch::asm!(
+                "mov {tmp}, r7",
+                "mov r7, {nr}",
+                "svc 0",
+                "mov r7, {tmp}",
+                nr = const __NR_getrandom,
+                tmp = out(reg) _,
+                inlateout("r0") buf => r0,
+                in("r1") buflen,
+                in("r2") flags,
+                options(nostack, preserves_flags)
+            );
+        } else if #[cfg(target_arch = "aarch64")] {
+            const __NR_getrandom: u32 = 278;
+            core::arch::asm!(
+                "svc 0",
+                in("x8") __NR_getrandom,
+                inlateout("x0") buf => r0,
+                in("x1") buflen,
+                in("x2") flags,
+                options(nostack, preserves_flags)
+            );
+        } else if #[cfg(target_arch = "loongarch64")] {
+            const __NR_getrandom: u32 = 278;
+            core::arch::asm!(
+                "syscall 0",
+                in("$a7") __NR_getrandom,
+                inlateout("$a0") buf => r0,
+                in("$a1") buflen,
+                in("$a2") flags,
+                options(nostack, preserves_flags)
+            );
+        } else if #[cfg(any(target_arch = "riscv32", target_arch = "riscv64"))] {
+            const __NR_getrandom: u32 = 278;
+            core::arch::asm!(
+                "ecall",
+                in("a7") __NR_getrandom,
+                inlateout("a0") buf => r0,
+                in("a1") buflen,
+                in("a2") flags,
+                options(nostack, preserves_flags)
+            );
+        } else if #[cfg(target_arch = "s390x")] {
+            const __NR_getrandom: u32 = 349;
+            core::arch::asm!(
+                "svc 0",
+                in("r1") __NR_getrandom,
+                inlateout("r2") buf => r0,
+                in("r3") buflen,
+                in("r4") flags,
+                options(nostack, preserves_flags)
+            );
+        } else if #[cfg(target_arch = "x86")] {
+            const __NR_getrandom: u32 = 355;
+            // `int 0x80` is famously slow, but implementing vDSO is too complex
+            // and `sysenter`/`syscall` have their own portability issues,
+            // so we use the simple "legacy" way of doing syscalls.
+            core::arch::asm!(
+                "int $$0x80",
+                in("eax") __NR_getrandom,
+                in("ebx") buf,
+                in("ecx") buflen,
+                in("edx") flags,
+                lateout("eax") r0,
+                options(nostack, preserves_flags)
+            );
+        } else if #[cfg(target_arch = "x86_64")] {
+            #[cfg(target_pointer_width = "64")]
+            const __NR_getrandom: u32 = 318;
+            #[cfg(target_pointer_width = "32")]
+            const __NR_getrandom: u32 = (1 << 30) + 318;
+
+            core::arch::asm!(
+                "syscall",
+                in("rax") __NR_getrandom,
+                in("rdi") buf,
+                in("rsi") buflen,
+                in("rdx") flags,
+                lateout("rax") r0,
+                lateout("rcx") _,
+                lateout("r11") _,
+                options(nostack, preserves_flags)
+            );
+        } else {
+            compile_error!("`linux_raw` backend does not support this target arch");
+        }
+    }
+
+    r0
+}
+
+#[inline]
+pub fn fill_inner(mut dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
+    // Value of this error code is stable across all target arches.
+    const EINTR: isize = -4;
+
+    loop {
+        let ret = unsafe { getrandom_syscall(dest.as_mut_ptr().cast(), dest.len(), 0) };
+        match usize::try_from(ret) {
+            Ok(0) => return Err(Error::UNEXPECTED),
+            Ok(len) => {
+                dest = dest.get_mut(len..).ok_or(Error::UNEXPECTED)?;
+                if dest.is_empty() {
+                    return Ok(());
+                }
+            }
+            Err(_) if ret == EINTR => continue,
+            Err(_) => {
+                let code: u32 = ret
+                    .wrapping_neg()
+                    .try_into()
+                    .map_err(|_| Error::UNEXPECTED)?;
+                return Err(Error::from_os_error(code));
+            }
+        }
+    }
+}