[PM-5693] CryptoService using memfd_secret on Linux

[dani-garcia]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-5693

📔 Objective

Migrated from bitwarden/sdk-sm#979

I've been looking into using memfd_secret to protect keys in memory on Linux.

The memfd_secret API is similar to malloc in that we get some memory range allocated for us, but this memory is only visible to the process that has access to the file descriptor, which should protect us from any memory dumping from anything other than a kernel driver.

https://man.archlinux.org/man/memfd_secret.2.en

Using this requires changing how we store keys, so this is the perfect moment to go through removing the raw keys from the API surface.

Changes

• Added a KeyRef trait and SymmetricKeyRef/AsymmetricKeyRef subtraits to represent the key types. Also a small macro to quickly implement them. KeyRef implementations are user defined types that implements Eq+Hash+Copy, and don't contain any key material
• KeyEncryptable/KeyDecryptable are now Decryptable/Encryptable, and instead of taking the key as parameter, they take a CryptoServiceContext and a KeyRef. This way keys are never exposed to the clients.
• KeyLocator trait is replaced by UsesKey. This trait only returns the KeyRef of the key required to decrypt it, instead of fetching the key itself.
• Created a KeyStore trait, with some simple CRUD methods. We have two implementations, one based on memfd_secret for Linux, and another one based on a Rust boxed slice, that also applies mlock if possible.
• Because both mlock and memfd_secret apply their protection over a specified memory area, we need a Rust data structure that is laid out linearly and also doesn't reallocate by itself. Also because memfd_secret allocates the memory for us, we can't use a std type like Vec (reason is the Vec must be allocated by the Rust allocator [ref]). This basically only leaves us with a Rust slice, on top of which we'd need to implement insert/get/delete. To allow for reuse and easier testing I've created SliceKeyStore, which implements the CRUD methods from the KeyStore trait on top of a plain slice. Then the actual mlock and memfd_secret implementations just need to implement a trait casting their data to a slice. The data is stored as a slice of Option<(KeyRef, KeyMaterial)>, and the keys are unique and sorted in the slice for easier lookups.
• Created CryptoService, which contains the KeyStores and some encrypt/decrypt utility functions. From a CryptoService you can also initialize a CryptoServiceContext
• A CryptoServiceContext contains a read only view of the keys inside the CryptoService, plus a read-write ephemeral key store, for use by Decryptable/Encryptable implementations when they need to temporarily store some keys (Cipher keys, attachment keys, send keys...).

Migrated the codebase to use these changes in a separate PR: bitwarden/sdk-sm#1117

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
  team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
  issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[dani-garcia]

I've made a few changes while documenting this a bit, plus some of the review suggestions are included here as well:

• memsec is disabled on windows for now, and we're not using my fork
• There's been a few renames:
  • CryptoService -> KeyStore. to move away from the service name
  • Keys -> KeyStoreInner. This only exists to be wrapped with the RwLock, and everything in KeyStore is pretty much delegated to it, so it seems like a better name.
  • CryptoServiceContext -> KeyStoreContext. To match the service rename
  • KeyStore -> StoreBackend. To signify there are different backends per platform
  • LinuxMemfdSecretKeyStore -> LinuxMemfdSecretBackend and RustStore -> RustBackend, to match the trait above.
• Changed the generic params of the KeyStore to be a single KeyRefs, which makes the generic types everywhere much less verbose (Instead of having to do <SymmetricKeyRef, AsymmetricKeyRef> everywhere you can do <KeyRefs>.
• Removed the generic type over KeyStoreContext global keys, and moved it to an enum.

---

The next steps for the crypto refactor after this are:

• Move all the Encryptable implementations to the new trait: [PM-5693] Migrate SDK to CryptoService #8
• Migrate existing APIs that deal with SymmetricCryptoKey/AsymmetricCryptoKey directly to deal with references instead (init_crypto functions, MasterKey, UserKey, PinKey, Key fingerprint etc).
• Remove uses of KeyStoreContext::get_key|set_key from the non crypto crates, which shouldn't have any uses left after the previous step (maybe?).
• Once no other uses of SymmetricCryptoKey/AsymmetricCryptoKey are left, make them private to bitwarden-crypto
• Remove the now unnecessary boxing around SymmetricCryptoKey/AsymmetricCryptoKey

---

Some future API improvements:

• Improve the design around local keys, instead of accepting any user type, create an opaque token and return it in the functions, so the only way for a user to get a valid local key ref is to obtain it from a function.
• Currently the context implementation can be read-only or read-write over the global keys, depending on how it's initialized, and it's behavior changes slightly in both cases. I think it might be a better design to instead do something like SQL transactions. Contexts are always read-only, but they have a commit function that consumes them and applies the changes to the global KeyStore

[Hinton]

Still need to review the rust backend.

[Hinton]

Suggested change

	// accesses the pointer mutably is defined as &mut self, and that the pointer is never copied or
	// accesses the pointer mutably is defined as `&mut self`, and that the pointer is never copied or

[Hinton]

When would memfd fail? If we run out of memory?

[dani-garcia]

According to the docs (https://man7.org/linux/man-pages/man2/memfd_secret.2.html):

       EINVAL flags included unknown bits.

       EMFILE The per-process limit on the number of open file
              descriptors has been reached.

       EMFILE The system-wide limit on the total number of open files
              has been reached.

       ENOMEM There was insufficient memory to create a new anonymous
              file.

       ENOSYS memfd_secret() is not implemented on this architecture, or
              has not been enabled on the kernel command-line with
              secretmem_enable=1.

So when the system is out of memory or the process has reached the file descriptor limit, or if the feature is disabled and not supported (but we check for that the first time)

[Hinton]

Should we provide a better error message? This seems like an unrecoverable situation but it also sounds like we need to test what happens if we panic on desktop with napi?

[Hinton]

This is probably unsafe? https://doc.rust-lang.org/std/slice/fn.from_raw_parts_mut.html

[Hinton]

Can you elaborate on how we know it's valid?

[Hinton]

Suggested change

	Box::new(rust::RustBackend::new().expect("RustKeyStore should always be available"))
	Box::new(rust::RustBackend::new().expect("RustKeyStore to always be available"))

[Hinton]

Some more comments, still need to review slice_backend properly.

[Hinton]

question: Can we provide some examples of when it's alright to use these APIs?

[Hinton]

issue: Magic number, extract it as a constant with a good name?

[Hinton]

question: Just checking but we fulfill all safety criteria defined in https://doc.rust-lang.org/std/slice/fn.from_raw_parts_mut.html?

[Hinton]

question: Why is munlock zeroizing memory undefined state?

And do we have documentation that we're re-initializing it correctly.

[dani-garcia]

Because the items inside the store can implement Drop themselves, and if they try to access their values after they have been zeroed it would cause UB.

[Hinton]

issue: This sounds like an upsert. I think we should name it accurately if that is the expected behaviour.

[dani-garcia]

Yeah, I based it on the std HashMap API, where the insert does insert and replace. I'll rename it

[Hinton]

question: We seem to rely on this being an ordered list but it's not documented? Can we add this.

[dani-garcia]

The ordering is an implementation detail of the backend, I chose it because it allows us to do binary searches for lookup performance. It shouldn't be exposed outside its own API.

That said it would be good to document it yes.

[dani-garcia]

Split the secure storage implementations to #125 so this is easier to review and merge.

[Hinton]

Suggested change

	// Key::KeyValue already implements ZeroizeOnDrop,
	// [Key::KeyValue] already implements ZeroizeOnDrop,

[Hinton]

Suggested change

	/// The keys themselves implement ZeroizeOnDrop, so the store will only need to make sure
	/// The keys themselves implement [ZeroizeOnDrop], so the store will only need to make sure

[Hinton]

suggestion: New line between functions?

[Hinton]

Suggested change

	/// This context contains access to the user keys stored in the [super::KeyStore] (sometimes refered
	/// This context contains access to the user keys stored in the [super::KeyStore] (sometimes referred

[Hinton]

Suggested change

	// modify the global keys, but only allows one context at a time. This is controlled by a RWLock on
	// modify the global keys, but only allows one context at a time. This is controlled by a [RwLock] on

[Hinton]

Suggested change

	/// This trait is user-implemented, and our recommended implementation is using enums with variants
	/// This trait is user-implemented, and the recommended implementation is using enums with variants

[Hinton]

I believe we can generalize this code slightly.

Suggested change

	impl<Ids: KeyIds> Encryptable<Ids, Ids::Symmetric, EncString> for &str {
	fn encrypt(
	&self,
	ctx: &mut KeyStoreContext<Ids>,
	key: Ids::Symmetric,
	) -> Result<EncString, CryptoError> {
	self.as_bytes().encrypt(ctx, key)
	}
	}
	impl<Ids: KeyIds> Encryptable<Ids, Ids::Asymmetric, AsymmetricEncString> for &str {
	fn encrypt(
	&self,
	ctx: &mut KeyStoreContext<Ids>,
	key: Ids::Asymmetric,
	) -> Result<AsymmetricEncString, CryptoError> {
	self.as_bytes().encrypt(ctx, key)
	}
	}
	impl<Ids, K, E> Encryptable<Ids, K, E> for &str
	where
	Ids: KeyIds,
	K: KeyId,
	E: EncStringType,
	[u8]: Encryptable<Ids, K, E>,
	{
	fn encrypt(&self, ctx: &mut KeyStoreContext<Ids>, key: K) -> Result<E, CryptoError> {
	self.as_bytes().encrypt(ctx, key)
	}
	}

And define a common trait for EncString.

pub trait EncStringType {}
impl EncStringType for EncString {}
impl EncStringType for AsymmetricEncString {}

[Hinton]

Can we add some quick module docs? I.e. //!

[Hinton]

Suggested change

	impl<Ids: KeyIds> std::fmt::Debug for KeyStore<Ids> {
	// [KeyStore] contains sensitive data, provide a dummy [Debug] implementation.
	impl<Ids: KeyIds> std::fmt::Debug for KeyStore<Ids> {

[Hinton]

I wonder if the naming here is slightly misleading. We're not decrypting it we're adding it to the context?