Generate some entropy during boot and runtime

An XCCDF Rule

Description

Instrument some kernel code to extract some entropy from both original and artificially created program state. This will help especially embedded systems where there is little 'natural' source of entropy normally. This configuration is available from kernel 4.9, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_LATENT_ENTROPY, run the following command: grep CONFIG_GCC_PLUGIN_LATENT_ENTROPY /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

warning alert: Warning

Note that entropy extracted this way is not cryptographically secure!

warning alert: Performance Warning

There is a performance cost during the boot process (about 0.5%) and fork and irq processing.

Rationale

This helps generate entropy during startup and is particularly relevant for devices with inappropriate entropy sources.

ID: xccdf_org.ssgproject.content_rule_kernel_config_gcc_plugin_latent_entropy
Severity: Medium
References: BP28(R21)

CCE-87034-5
Updated: about 1 year ago