openentropy-core 0.12.3

Core entropy harvesting library — hardware noise sources, raw or SHA-256 conditioned
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254

//! Apple APRR (Access Permission Restriction Register) JIT toggle timing.
//!
//! Apple Silicon implements a proprietary extension called APRR (Access Permission
//! Restriction Register) via a pair of undocumented system registers:
//! `S3_4_C15_C2_0` (UUIDT — User-level permission toggle) and `S3_4_C15_C3_0`.
//!
//! ## The Hardware
//!
//! APRR is used to implement JIT (Just-In-Time) compilation safely on Apple Silicon
//! without requiring `mmap(MAP_JIT)` pages to be simultaneously writable and
//! executable. The userspace API is `pthread_jit_write_protect_np(bool)`:
//!
//! - `pthread_jit_write_protect_np(0)` — switch to WRITE mode (not executable)
//! - `pthread_jit_write_protect_np(1)` — switch to EXEC mode (not writable)
//!
//! Under the hood, this writes to `S3_4_C15_C2_0` (confirmed by Apple open-source
//! libpthread). The register is accessible from EL0 — one of the very few
//! Apple-proprietary registers that user processes can directly write.
//!
//! ## Physics
//!
//! Writing to the APRR register triggers:
//!
//! 1. **Permission pipeline flush**: The CPU must drain in-flight memory accesses
//!    before the permission change takes effect. The flush latency depends on the
//!    depth of the memory operation pipeline.
//!
//! 2. **TLB coherency**: The permission change must be reflected in the TLB.
//!    If the JIT page is currently in the TLB, a TLB invalidation may be triggered.
//!
//! 3. **Instruction stream coupling**: The APRR write has a data dependency on
//!    the preceding memory operations. Pipeline hazards from concurrent loads/stores
//!    add variable latency.
//!
//! Empirically on M4 Mac mini (N=2000):
//! - **write_protect(0) [→write]: mean=20.89, CV=100.0%, range=[0,83]**
//! - **write_protect(1) [→exec]: mean=20.78, CV=100.4%, range=[0,83]**
//!
//! Both directions show CV≈100% with a **trimodal distribution** at 0, ~42, ~83 ticks:
//! - 0 ticks: APRR write completes without pipeline stall
//! - ~42 ticks: one pipeline flush cycle required
//! - ~83 ticks: two pipeline flush cycles (memory ordering conflict)
//!
//! ## Why This Is Entropy
//!
//! The APRR toggle timing captures:
//!
//! 1. **Memory operation pipeline depth** — how many in-flight operations need draining
//! 2. **TLB state** — whether the JIT page is currently TLB-resident
//! 3. **Memory ordering hazards** — concurrent loads/stores creating dependencies
//! 4. **Power state** — the APRR register path has variable latency based on pipeline
//!    power state
//!
//! ## Historical Context and Prior Art
//!
//! APRR (Access Permission Remapping Registers) was discovered and reverse-engineered
//! by security researcher Siguza in 2020 during iOS jailbreak research. SPRR (its M1+
//! successor, later referred to as Fast Permission Restrictions in Apple's Security
//! Guide) was reverse-engineered by Sven Peter in 2021 using bare-metal M1 code.
//! Neither paper characterizes APRR timing as a source of entropy.
//!
//! Google Scholar and web searches return **zero results** for any combination of
//! APRR, S3_4_c15, pthread_jit_write_protect, timing, entropy, and random number
//! generation. This appears to be the **first use of APRR register timing as an
//! entropy source**.
//!
//! Apple's APRR/SPRR became publicly known primarily through iOS jailbreak research;
//! its use as a covert timing channel was not previously characterized.
//!
//! ## References
//!
//! - Siguza, "APRR: iPhone's Memory Permission Trick",
//!   <https://siguza.github.io/APRR/>, 2020.
//! - Sven Peter, "Apple Silicon Hardware Secrets: SPRR and Guarded Exception
//!   Levels (GXF)", <https://blog.svenpeter.dev/posts/m1_sprr_gxf/>, 2021.
//! - Apple Platform Security Guide, "Fast Permission Restrictions",
//!   <https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/web>

use crate::source::{EntropySource, Platform, SourceCategory, SourceInfo};

#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
use crate::sources::helpers::{extract_timing_entropy_debiased, mach_time};

static APRR_JIT_TIMING_INFO: SourceInfo = SourceInfo {
    name: "aprr_jit_timing",
    description: "Apple APRR undocumented register JIT toggle — CV=100%, trimodal 0/42/83",
    physics: "Times pthread_jit_write_protect_np() which writes to Apple's proprietary \
              S3_4_C15_C2_0 register (UUIDT/APRR). The register toggle triggers: permission \
              pipeline flush (draining in-flight memory ops), TLB coherency for the JIT \
              page, instruction stream coupling hazards. Empirical: CV=100.0% both \
              directions, trimodal at 0/42/83 ticks — one or two pipeline flush cycles. \
              Apple APRR is undocumented in ARM specs, accessible only at EL0 on Apple \
              Silicon, reverse-engineered from iOS jailbreak research in 2020. First \
              entropy source exploiting Apple-proprietary hardware permission register.",
    category: SourceCategory::Microarch,
    platform: Platform::MacOS,
    requirements: &[],
    entropy_rate_estimate: 1.5,
    composite: false,
    is_fast: false,
};

/// Entropy source from Apple APRR JIT permission toggle timing.
pub struct APRRJitTimingSource;

#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
unsafe extern "C" {
    /// Apple-private API: toggle JIT page write protection.
    /// 0 = write mode (writable, not executable)
    /// 1 = exec mode (executable, not writable)
    fn pthread_jit_write_protect_np(enabled: i32);
}

#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
impl EntropySource for APRRJitTimingSource {
    fn info(&self) -> &SourceInfo {
        &APRR_JIT_TIMING_INFO
    }

    fn is_available(&self) -> bool {
        static APRR_AVAILABLE: std::sync::OnceLock<bool> = std::sync::OnceLock::new();
        *APRR_AVAILABLE.get_or_init(|| {
            // MAP_JIT + APRR available on all Apple Silicon
            // Verify by attempting a MAP_JIT allocation
            let page = unsafe {
                libc::mmap(
                    core::ptr::null_mut(),
                    4096,
                    libc::PROT_READ | libc::PROT_WRITE | libc::PROT_EXEC,
                    libc::MAP_PRIVATE | libc::MAP_ANONYMOUS | 0x0800, // MAP_JIT = 0x0800
                    -1,
                    0,
                )
            };
            if page == libc::MAP_FAILED {
                return false;
            }
            unsafe { libc::munmap(page, 4096) };
            true
        })
    }

    fn collect(&self, n_samples: usize) -> Vec<u8> {
        /// RAII guard for a JIT mmap page — ensures munmap on drop (including panic unwind).
        struct JitPage(*mut libc::c_void);
        impl Drop for JitPage {
            fn drop(&mut self) {
                unsafe {
                    libc::munmap(self.0, 4096);
                }
            }
        }

        // MAP_JIT is required to make APRR meaningful
        let jit_page = unsafe {
            libc::mmap(
                core::ptr::null_mut(),
                4096,
                libc::PROT_READ | libc::PROT_WRITE | libc::PROT_EXEC,
                libc::MAP_PRIVATE | libc::MAP_ANONYMOUS | 0x0800, // MAP_JIT
                -1,
                0,
            )
        };
        if jit_page == libc::MAP_FAILED {
            return Vec::new();
        }
        let _jit_guard = JitPage(jit_page);

        let raw = n_samples * 3 + 64;
        let mut timings = Vec::with_capacity(raw * 2);

        // Warm up APRR path
        for _ in 0..16 {
            unsafe {
                pthread_jit_write_protect_np(0);
                pthread_jit_write_protect_np(1);
            }
        }

        for _ in 0..raw {
            // Time the write→exec transition
            let t0 = mach_time();
            unsafe { pthread_jit_write_protect_np(0) }; // write mode
            let t_write = mach_time().wrapping_sub(t0);

            // Time the exec→write transition
            let t1 = mach_time();
            unsafe { pthread_jit_write_protect_np(1) }; // exec mode
            let t_exec = mach_time().wrapping_sub(t1);

            // Both under 1ms (reject suspend/resume)
            if t_write < 24_000 {
                timings.push(t_write);
            }
            if t_exec < 24_000 {
                timings.push(t_exec);
            }
        }

        // _jit_guard drops here, calling munmap automatically

        // Trimodal 0/42/83 — full range captures mode identity
        // XOR the write and exec timings to mix both APRR paths
        let mixed: Vec<u64> = timings
            .chunks(2)
            .filter(|c| c.len() == 2)
            .map(|c| c[0].wrapping_add(c[1].wrapping_shl(3)))
            .collect();

        extract_timing_entropy_debiased(&mixed, n_samples)
    }
}

#[cfg(not(all(target_os = "macos", target_arch = "aarch64")))]
impl EntropySource for APRRJitTimingSource {
    fn info(&self) -> &SourceInfo {
        &APRR_JIT_TIMING_INFO
    }
    fn is_available(&self) -> bool {
        false
    }
    fn collect(&self, _: usize) -> Vec<u8> {
        Vec::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn info() {
        let src = APRRJitTimingSource;
        assert_eq!(src.info().name, "aprr_jit_timing");
        assert!(matches!(src.info().category, SourceCategory::Microarch));
        assert_eq!(src.info().platform, Platform::MacOS);
        assert!(!src.info().composite);
    }

    #[test]
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    fn is_available_on_apple_silicon() {
        // MAP_JIT should work on all Apple Silicon with hardened runtime disabled
        let _ = APRRJitTimingSource.is_available(); // don't assert — depends on entitlements
    }

    #[test]
    #[ignore]
    fn collects_trimodal_aprr() {
        let data = APRRJitTimingSource.collect(32);
        assert!(!data.is_empty());
    }
}