
Configure the confidence in TPM for entropy

An XCCDF Rule

Description

The TPM security chip available in most modern systems has a hardware RNG. The kernel's hw_random framework (rng_core) feeds its output into the entropy pool, but by default that input is mixed in without being credited as entropy. Use rng_core.default_quality on the kernel command line to set the trust level of the hardware generators. The trust level defines how much of the data is credited as entropy; the kernel expresses it as bits of entropy per 1024 bits of input. A value of 0 tells the system not to trust the available hardware random number generators and credits no entropy to the pool. A value of 1000 assigns full confidence in the generators and credits essentially all of the entropy they provide. Note that rng_core.default_quality is global: it sets the trust in every hardware random number generator the kernel drives, not only the TPM. Select the appropriate confidence by adding rng_core.default_quality= to the default GRUB 2 command line for Linux. To ensure the argument is also applied to newly installed kernels, modify the GRUB_CMDLINE_LINUX line in /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... rng_core.default_quality= ..."
Run the following command to update the command line of the already installed kernels:
# grubby --update-kernel=ALL --args="rng_core.default_quality="
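As an added example (not part of the SSG rule or its generated remediations), the following POSIX shell helpers implement the check and the edit described above in a re-runnable way: reading the parameter off a kernel command line, validating the value against the 0..1000 range the rule uses, and setting it exactly once in a GRUB_CMDLINE_LINUX line instead of appending a duplicate on every run. The function names and the sample /proc/cmdline and /etc/default/grub lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the SSG rule or its remediations: helpers for the
# check and the edit the Description prescribes. They operate on strings so
# they can be exercised offline; function names and the sample lines below
# are this example's own.

# Print the value of a key=value kernel argument, or nothing if it is absent.
# The last occurrence wins, matching how the kernel treats a parameter that
# is given more than once.
cmdline_value() {
    # $1 = kernel command line text, $2 = parameter name
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -v k="$2" -F= '$1 == k { v = $2 } END { print v }'
}

# Accept only the integer range the rule uses:
# 0 (credit nothing) .. 1000 (full confidence).
valid_quality() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 1000 ]
}

# Return a GRUB_CMDLINE_LINUX line with key=value set exactly once: an existing
# occurrence is replaced, otherwise the argument is appended. Unlike a plain
# append, re-running this does not stack duplicates.
set_cmdline_arg() {
    # $1 = GRUB_CMDLINE_LINUX="..." line, $2 = parameter name, $3 = value
    inner=${1#GRUB_CMDLINE_LINUX=\"}
    inner=${inner%\"}
    out=''
    found=0
    for tok in $inner; do
        case $tok in
            "$2="*) tok="$2=$3"; found=1 ;;
        esac
        out="$out${out:+ }$tok"
    done
    [ "$found" -eq 1 ] || out="$out${out:+ }$2=$3"
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "$out"
}

# Check a command line against the expected quality (exit 0 = pass, 1 = fail).
check_quality() {
    # $1 = kernel command line text, $2 = expected value
    [ "$(cmdline_value "$1" rng_core.default_quality)" = "$2" ]
}

# Constructed sample inputs standing in for /proc/cmdline and /etc/default/grub.
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0 root=/dev/mapper/rhel-root ro crashkernel=auto rng_core.default_quality=1000'
SAMPLE_GRUB_LINE='GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rhel-swap rhgb quiet"'

set_cmdline_arg "$SAMPLE_GRUB_LINE" rng_core.default_quality 1000
check_quality "$SAMPLE_CMDLINE" 1000 && echo "sample cmdline: pass"

# On a live system, also report what the kernel actually booted with, the
# value rng_core currently applies (exposed through sysfs module parameters)
# and which hardware RNG is active.
if [ -r /proc/cmdline ]; then
    echo "running kernel: rng_core.default_quality=$(cmdline_value "$(cat /proc/cmdline)" rng_core.default_quality)"
fi
if [ -r /sys/module/rng_core/parameters/default_quality ]; then
    echo "effective default_quality: $(cat /sys/module/rng_core/parameters/default_quality)"
fi
if [ -r /sys/class/misc/hw_random/rng_current ]; then
    echo "current hwrng device: $(cat /sys/class/misc/hw_random/rng_current)"
fi
```

Comparing the value in /proc/cmdline with the one written to /etc/default/grub is the practical way to tell an edited-but-not-yet-rebooted host from a compliant one; the grubby command above changes the boot entries, but the running kernel keeps the quality it was booted with.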

Rationale

A system, in particular a freshly booted or headless one with few interrupt sources, may take a long time to initialize its entropy pool, leaving callers of getrandom() and /dev/random blocked until it does. Crediting the entropy supplied by the hardware random number generators present in the system fills the pool sooner.

ID
xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
Severity
Low

Remediation - OS Build Blueprint

[customizations.kernel]
append = "rng_core.default_quality=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_rng_core_default_quality" use="legacy"/>"

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# The placeholder below is substituted with the selected value when the
# content is built; the script is not meant to run with it unresolved.
var_rng_core_default_quality='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_rng_core_default_quality" use="legacy"/>'

# Persist the argument for newly installed kernels by appending it to
# GRUB_CMDLINE_LINUX in /etc/default/grub ("|" is used as the sed delimiter
# because the value may contain "/")
sed -i "s|^\(GRUB_CMDLINE_LINUX=\".*\)\"\$|\1 rng_core.default_quality=${var_rng_core_default_quality}\"|" /etc/default/grub

# Apply the argument to the already installed kernels
grubby --update-kernel=ALL --args="rng_core.default_quality=${var_rng_core_default_quality}"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi


Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_rng_core_default_quality_argument
  - low_disruption