Move Linux-specific test from general package.

Amnesic-Systems · Oct 12, 2024 · 10c7e78 · 10c7e78
1 parent b27bcb0
commit 10c7e78
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 24 deletions.
diff --git a/internal/system/system.go b/internal/system/system.go
diff --git a/internal/system/system_linux.go b/internal/system/system_linux.go
@@ -2,9 +2,28 @@ package system
 
 import (
 	"log"
+	"os"
 	"syscall"
 )
 
+const (
+	pathToRNG = "/sys/devices/virtual/misc/hw_random/rng_current"
+	wantRNG   = "nsm-hwrng"
+)
+
+// HasSecureRNG checks if the enclave is configured to use the Nitro hardware
+// RNG. This was suggested in:
+// https://blog.trailofbits.com/2024/09/24/notes-on-aws-nitro-enclaves-attack-surface/
+func HasSecureRNG() bool {
+	haveRNG, err := os.ReadFile(pathToRNG)
+	if err != nil {
+		log.Printf("Error reading %s: %v", pathToRNG, err)
+		return false
+	}
+	log.Printf("Have RNG: %s", haveRNG)
+	return string(haveRNG) == wantRNG
+}
+
 func HasSecureKernelVersion() bool {
 	var uname syscall.Utsname
 	if err := syscall.Uname(&uname); err != nil {