From 10c7e78034f8f2ea6d6fec5df476e559ae428b02 Mon Sep 17 00:00:00 2001
From: Philipp Winter
Date: Sat, 12 Oct 2024 07:40:35 -0500
Subject: [PATCH] Move Linux-specific test from general package.
---
 internal/system/system.go | 24 ------------------------
 internal/system/system_linux.go | 19 +++++++++++++++++++
 2 files changed, 19 insertions(+), 24 deletions(-)
 delete mode 100644 internal/system/system.go
diff --git a/internal/system/system.go b/internal/system/system.go
deleted file mode 100644
index bec51c3..0000000
--- a/internal/system/system.go
+++ /dev/null
@@ -1,24 +0,0 @@
-package system
-
-import (
- "log"
- "os"
-)
-
-const (
- pathToRNG = "/sys/devices/virtual/misc/hw_random/rng_current"
- wantRNG = "nsm-hwrng"
-)
-
-// HasSecureRNG checks if the enclave is configured to use the Nitro hardware
-// RNG. This was suggested in:
-// https://blog.trailofbits.com/2024/09/24/notes-on-aws-nitro-enclaves-attack-surface/
-func HasSecureRNG() bool {
- haveRNG, err := os.ReadFile(pathToRNG)
- if err != nil {
- log.Printf("Error reading %s: %v", pathToRNG, err)
- return false
- }
- log.Printf("Have RNG: %s", haveRNG)
- return string(haveRNG) == wantRNG
-}
diff --git a/internal/system/system_linux.go b/internal/system/system_linux.go
index f35c891..76bb9a1 100644
--- a/internal/system/system_linux.go
+++ b/internal/system/system_linux.go
@@ -2,9 +2,28 @@ package system import ( "log" + "os" "syscall" ) +const ( + pathToRNG = "/sys/devices/virtual/misc/hw_random/rng_current" + wantRNG = "nsm-hwrng" +) + +// HasSecureRNG checks if the enclave is configured to use the Nitro hardware +// RNG. This was suggested in: +// https://blog.trailofbits.com/2024/09/24/notes-on-aws-nitro-enclaves-attack-surface/ +func HasSecureRNG() bool { + haveRNG, err := os.ReadFile(pathToRNG) + if err != nil { + log.Printf("Error reading %s: %v", pathToRNG, err) + return false + } + log.Printf("Have RNG: %s", haveRNG) + return string(haveRNG) == wantRNG +} + func HasSecureKernelVersion() bool { var uname syscall.Utsname if err := syscall.Uname(&uname); err != nil {
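Review bot: The moved HasSecureRNG compares the raw file contents with wantRNG, but sysfs attributes such as rng_current are conventionally emitted with a trailing newline, so `string(haveRNG) == wantRNG` would most likely see "nsm-hwrng\n" and return false even on a correctly configured enclave; the "Have RNG" log line will show the stray newline if that is the case. The one-line fix is `return strings.TrimSpace(string(haveRNG)) == wantRNG` with `"strings"` added to the import block. Assuming callers treat false as fatal, the defect fails closed rather than open, but it would reject every host rather than only misconfigured ones, so it is worth confirming against the actual log output on an enclave. HasSecureKernelVersion's body continues past the end of the hunk.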