Seed entropy pool using the NSM device.

Amnesic-Systems · Oct 18, 2024 · dcdef70 · dcdef70
1 parent ed9b3bb
commit dcdef70
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 2 deletions.
diff --git a/internal/service/service.go b/internal/service/service.go
@@ -32,7 +32,7 @@ func Run(
 	if err := checkSystemSafety(config); err != nil {
 		log.Fatalf("Failed safety check: %v", err)
 	}
-	if err := setupSystem(); err != nil {
+	if err := setupSystem(config); err != nil {
 		log.Fatalf("Failed to set up system: %v", err)
 	}
 
@@ -83,9 +83,14 @@ func checkSystemSafety(config *config.Config) (err error) {
 	return nil
 }
 
-func setupSystem() (err error) {
+func setupSystem(config *config.Config) (err error) {
 	defer errs.Wrap(&err, "failed to set up system")
 
+	if !config.Testing {
+		if err := system.SeedRandomness(); err != nil {
+			return err
+		}
+	}
 	return system.SetupLo()
 }
 

diff --git a/internal/system/system_darwin.go b/internal/system/system_darwin.go
@@ -3,3 +3,4 @@ package system
 func HasSecureRNG() bool           { return true }
 func HasSecureKernelVersion() bool { return true }
 func SetupLo() error               { return nil }
+func SeedRandomness() (err error)  { return nil }
diff --git a/internal/system/system_linux.go b/internal/system/system_linux.go
@@ -1,12 +1,17 @@
 package system
 
 import (
+	"errors"
 	"log"
 	"net"
 	"os"
 	"syscall"
+	"unsafe"
 
+	"github.com/hf/nsm"
+	"github.com/hf/nsm/request"
 	"github.com/milosgajdos/tenus"
+	"golang.org/x/sys/unix"
 
 	"github.com/Amnesic-Systems/veil/internal/errs"
 )
@@ -16,6 +21,55 @@ const (
 	wantRNG   = "nsm-hwrng"
 )
 
+func SeedRandomness() (err error) {
+	defer errs.Wrap(&err, "failed to seed entropy pool")
+
+	s, err := nsm.OpenDefaultSession()
+	if err != nil {
+		return err
+	}
+	defer func() { err = s.Close() }()
+
+	fd, err := os.OpenFile("/dev/random", os.O_WRONLY, os.ModePerm)
+	if err != nil {
+		return err
+	}
+	defer func() { err = fd.Close() }()
+
+	const seedLen = 2048
+	var w int
+	for total := 0; total < seedLen; {
+		res, err := s.Send(&request.GetRandom{})
+		if err != nil {
+			return err
+		}
+		if res.GetRandom == nil {
+			return errors.New("attribute GetRandom in NSM response is nil")
+		}
+		if len(res.GetRandom.Random) == 0 {
+			return errors.New("got no random bytes from NSM")
+		}
+
+		// Write NSM-provided random bytes to the system's entropy pool to seed
+		// it.
+		if w, err = fd.Write(res.GetRandom.Random); err != nil {
+			return err
+		}
+		total += w
+
+		// Tell the system to update its entropy count.
+		if _, _, errno := unix.Syscall(
+			unix.SYS_IOCTL,
+			uintptr(fd.Fd()),
+			uintptr(unix.RNDADDTOENTCNT),
+			uintptr(unsafe.Pointer(&w)),
+		); errno != 0 {
+			return errno
+		}
+	}
+	return nil
+}
+
 // SetupLo sets up the loopback interface.
 func SetupLo() (err error) {
 	defer errs.Wrap(&err, "failed to configure loopback interface")