aws / aws-nitro-enclaves-sdk-c

This repo provides a C API for AWS Nitro Enclaves, including a KMS SDK that integrates it with attestation.
Apache License 2.0

Low entropy after enclave boot (reading from /dev/random blocks) #41

Closed ppmag closed 3 years ago

ppmag commented 3 years ago

Hi,

I just faced the problem, a brand new enclave has zero entropy:

cat /proc/sys/kernel/random/entropy_avail
0

which causes reads from /dev/random to block early after boot.

What about adding some entropy from the NSM RNG at the enclave boot stage?

(in nitro-cli run-enclave?) (or at a lower level: I just submitted an issue there - https://github.com/aws/aws-nitro-enclaves-sdk-bootstrap/issues/5)

Another question: which workaround is preferred right now?

petreeftime commented 3 years ago

There are a few possible solutions:

  1. Call aws_nitro_enclaves_library_seed_entropy explicitly during application start, and on a timer afterwards.
  2. Use RDSEED CPU instruction to seed entropy, rngd or similar can help with this.
  3. Set random.trust_cpu=on in the kernel commandline (only works on Linux kernels > 4.19).

It might be possible to integrate calls to generate entropy and seed entropy into the provided init process of the enclave, but that might not be the best option.
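The three options above, as an added example (not code from the SDK or from anyone in this thread): a small C program that polls entropy_avail and, whenever the estimate falls below a threshold, gathers bytes with RDSEED (option 2) and credits them to the kernel pool with the RNDADDENTROPY ioctl. My understanding is that aws_nitro_enclaves_library_seed_entropy uses that same ioctl with NSM-supplied bytes; that is an assumption here, and this program deliberately uses RDSEED instead of the NSM so it runs on any Linux host. All function names, the 256-bit threshold and the one-second interval are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/random.h>   /* RNDADDENTROPY, struct rand_pool_info */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#if defined(__x86_64__) && defined(__GNUC__)
#include <cpuid.h>
#endif

/* Parse the kernel's entropy estimate (bits), i.e. the text of
 * /proc/sys/kernel/random/entropy_avail. Returns -1 on malformed input. */
long parse_entropy_avail(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    return (end == text || errno != 0 || v < 0) ? -1 : v;
}

/* Read and parse the estimate from `path` (a parameter so a constructed file
 * can stand in for procfs). Returns -1 on any error. */
long read_entropy_avail(const char *path)
{
    char buf[32] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n <= 0 ? -1 : parse_entropy_avail(buf);
}

/* Fill `out` with up to `len` bytes from RDSEED (option 2 above). Returns the
 * byte count collected: 0 on non-x86 builds, when CPUID does not advertise
 * RDSEED, or if the CPU keeps reporting "no seed" (CF=0) after 64 retries. */
size_t rdseed_fill(unsigned char *out, size_t len)
{
    size_t got = 0;
#if defined(__x86_64__) && defined(__GNUC__)
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 7)
        return 0;
    __cpuid_count(7, 0, a, b, c, d);
    if (!((b >> 18) & 1))               /* CPUID.(EAX=7,ECX=0):EBX bit 18 = RDSEED */
        return 0;
    while (got < len) {
        uint64_t v = 0;
        unsigned char ok = 0;
        for (int tries = 0; tries < 64 && !ok; tries++)
            __asm__ __volatile__("rdseed %0\n\tsetc %1" : "=r"(v), "=q"(ok) : : "cc");
        if (!ok)
            break;
        size_t n = (len - got < sizeof v) ? len - got : sizeof v;
        memcpy(out + got, &v, n);
        got += n;
    }
#else
    (void)out; (void)len;
#endif
    return got;
}

/* Credit `len` bytes to the kernel pool via RNDADDENTROPY on /dev/random
 * (needs CAP_SYS_ADMIN). `credit_bits` is a trust decision about the source,
 * the same one random.trust_cpu=on (option 3) makes for the CPU.
 * Returns 0 on success, -errno otherwise. */
int add_kernel_entropy(const unsigned char *buf, size_t len, int credit_bits)
{
    struct rand_pool_info *info = malloc(sizeof *info + len);
    if (!info)
        return -ENOMEM;
    info->entropy_count = credit_bits;
    info->buf_size = (int)len;
    memcpy(info->buf, buf, len);
    int fd = open("/dev/random", O_WRONLY);
    int rc = (fd < 0 || ioctl(fd, RNDADDENTROPY, info) < 0) ? -errno : 0;
    if (fd >= 0)
        close(fd);
    free(info);
    return rc;
}

/* Option 1's pattern (seed at start, then on a timer) as a bounded loop: every
 * `interval_s` seconds, top up when the estimate is below `threshold` bits.
 * Returns the number of successful top-ups. */
int top_up_loop(const char *proc_path, long threshold, int rounds, unsigned interval_s)
{
    int ok = 0;
    unsigned char seed[32];
    for (int i = 0; i < rounds; i++) {
        long avail = read_entropy_avail(proc_path);
        if (avail >= 0 && avail < threshold) {
            size_t n = rdseed_fill(seed, sizeof seed);
            if (n == sizeof seed && add_kernel_entropy(seed, n, 8 * (int)n) == 0)
                ok++;
        }
        if (i + 1 < rounds)
            sleep(interval_s);
    }
    return ok;
}

int main(void)
{
    const char *path = "/proc/sys/kernel/random/entropy_avail";
    printf("entropy_avail before: %ld\n", read_entropy_avail(path));
    int n = top_up_loop(path, 256, 3, 1);   /* threshold and interval are assumptions */
    printf("successful top-ups: %d\n", n);
    printf("entropy_avail after:  %ld\n", read_entropy_avail(path));
    return 0;
}
```

Run it as root (or with CAP_SYS_ADMIN) to see the ioctl succeed; unprivileged, add_kernel_entropy returns -EPERM and the loop simply reports zero top-ups. Inside an enclave the RDSEED source would be swapped for the NSM output (or the SDK helper called directly, which is what option 1 does), and crediting the full 8 bits per byte is appropriate only for a source you trust as much as the kernel would with random.trust_cpu=on.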

ppmag commented 3 years ago

Thank you very much, the first option (aws_nitro_enclaves_library_seed_entropy()) works like a charm!

Jonas-Metzger commented 3 years ago

Hi @petreeftime, is there an easy way to call aws_nitro_enclaves_library_seed_entropy from the command line?

jethrogb commented 3 years ago

Why doesn't the NSM directly input entropy in the kernel entropy pool?

petreeftime commented 3 years ago

Why doesn't the NSM directly input entropy in the kernel entropy pool?

This feature was added in https://github.com/aws/aws-nitro-enclaves-sdk-bootstrap/pull/9. The next RPM release should also contain it.