Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Low entropy after enclave boot (reading from /dev/random blocks) #41

Closed
ppmag opened this issue Mar 4, 2021 · 5 comments
Closed

Low entropy after enclave boot (reading from /dev/random blocks) #41

ppmag opened this issue Mar 4, 2021 · 5 comments

Comments

@ppmag
Copy link

ppmag commented Mar 4, 2021

Hi,

I just faced the problem, a brand new enclave has zero entropy:

cat /proc/sys/kernel/random/entropy_avail
0

which causing block when reading from /dev/random early after boot.

What about adding some entropy from NSM RNG at enclave boot stage ?

(in nitro-cli run-enclave? )
(or at lower level: I just submitted issue there - aws/aws-nitro-enclaves-sdk-bootstrap#5)

Another question: which preferred workaround to use right now?
@ppmag ppmag mentioned this issue Mar 4, 2021
Closed
@petreeftime
Copy link
Contributor

There a few possible solutions:

  1. Call aws_nitro_enclaves_library_seed_entropy explicitly during application start, and on a timer afterwards.
  2. Use RDSEED CPU instruction to seed entropy, rngd or similar can help with this.
  3. Set random.trust_cpu=on in the kernel commandline (only works on Linux kernels > 4.19).

It might be possible to integrate calls to generate entropy and seed entropy into the provided init process of the enclave, but might not be the best option.

@ppmag
Copy link
Author

ppmag commented Mar 9, 2021

Thank you very much,
first option (aws_nitro_enclaves_library_seed_entropy()) works like a charm!

@ppmag ppmag closed this as completed Mar 9, 2021
ppmag added a commit to ppmag/libsodium-doc that referenced this issue Mar 9, 2021
@ppmag
AWS Nitro Enclave hangs resolution
2e48077 
Based on AWS team comments any my own (1st solution) experience.

See: aws/aws-nitro-enclaves-sdk-c#41
@ppmag ppmag mentioned this issue Mar 9, 2021
Merged
jedisct1 pushed a commit to jedisct1/libsodium-doc that referenced this issue Mar 9, 2021
@ppmag
AWS Nitro Enclave hangs resolution (#129)
20b61f9 
Based on AWS team comments any my own (1st solution) experience.

See: aws/aws-nitro-enclaves-sdk-c#41
@andraprs andraprs mentioned this issue Apr 13, 2021
Closed
@andraprs andraprs mentioned this issue Jul 28, 2021
Closed
@texastony texastony mentioned this issue Aug 5, 2021
Closed
@Jonas-Metzger
Copy link

Hi @petreeftime , is there an easy way to call aws_nitro_enclaves_library_seed_entropy from the command line?

@NullHypothesis NullHypothesis mentioned this issue Sep 9, 2021
Closed
@jethrogb
Copy link

Why doesn't the NSM directly input entropy in the kernel entropy pool?

@petreeftime
Copy link
Contributor

Why doesn't the NSM directly input entropy in the kernel entropy pool?

This feature was added in aws/aws-nitro-enclaves-sdk-bootstrap#9. The next RPM release should also contain it.

@gbryant-arm gbryant-arm mentioned this issue Sep 23, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jethrogb @ppmag @petreeftime @Jonas-Metzger