Update docs on entropy

raja-grewal 2025-11-05 00:03:19 +00:00 committed by GitHub
parent 4c88b91141
commit 019a0cf72c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 6 deletions


@ -250,7 +250,9 @@ Direct memory access:
Entropy: Entropy:
- Do not credit the CPU or bootloader as entropy sources at boot in order to - Do not credit the CPU or bootloader as entropy sources at boot in order to
maximize the absolute quantity of entropy in the combined pool. maximize the absolute quantity of entropy in the combined pool. This is desirable
for all cryptographic operations reliant proprietary on RDRAND and RDSEED CPU
instructions for random number generation that have long history of being defective.
- Obtain more entropy at boot from RAM as the runtime memory allocator is - Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialized. being initialized.
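Review bot: the added sentence in the first bullet has a word-order slip and a muddled rationale. "reliant proprietary on RDRAND and RDSEED CPU instructions ... that have long history" should read "reliant on the proprietary RDRAND and RDSEED CPU instructions ... that have a long history". More importantly, not crediting the CPU as an entropy source does not stop the kernel from mixing RDRAND/RDSEED output into the pool; it only stops that output from counting toward the CRNG being considered initialized. So "desirable for all cryptographic operations reliant on RDRAND and RDSEED" describes the wrong thing: after this change nothing should rely on those instructions alone. Suggest: "This prevents the CRNG from being declared initialized on the strength of the proprietary RDRAND and RDSEED instructions alone, which have a long history of defective implementations; their output is still mixed in, just not credited."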


@ -287,19 +287,17 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
## Do not credit the CPU or bootloader seeds as entropy sources at boot. ## Do not credit the CPU or bootloader seeds as entropy sources at boot.
## The RDRAND CPU (RNG) instructions are proprietary and closed-source. ## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source.
## Numerous implementations of RDRAND have a long history of being defective. ## Numerous implementations of RDRAND and RDSEED have a long history of being defective.
## The RNG seed passed by the bootloader could also potentially be tampered. ## The RNG seed passed by the bootloader could also potentially be tampered.
## Maximizing the entropy pool at boot is desirable for all cryptographic operations. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
## These settings ensure additional entropy is obtained from other sources to initialize the RNG. ## These settings ensure additional entropy is obtained from other sources to initialize the Linux CRNG.
## RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources.
## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
## ##
## https://en.wikipedia.org/wiki/RDRAND#Reception ## https://en.wikipedia.org/wiki/RDRAND#Reception
## https://systemd.io/RANDOM_SEEDS/ ## https://systemd.io/RANDOM_SEEDS/
## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND ## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND
## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ ## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
## https://x.com/pid_eins/status/1149649806056280069
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
## https://github.com/NixOS/nixpkgs/pull/165355 ## https://github.com/NixOS/nixpkgs/pull/165355
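Review bot: the new comment line "RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources" gets the relationship backwards. On Intel's DRNG it is RDRAND that is served by a DRBG which is periodically reseeded from the on-chip entropy source, while RDSEED returns conditioned output from that source directly and has no reseed step of its own. The point worth keeping is that both instructions sit on the same opaque hardware source, so distrusting one while trusting the other gains nothing; suggest "RDSEED draws directly from the same on-chip entropy source that periodically reseeds the DRBG behind RDRAND, so both carry the same trust assumptions." Also, since the comment block now says "These settings" and refers to the Linux CRNG, it is worth confirming that the kernel parameters the comments describe (the random.trust_cpu option named in the Whonix forum link, plus its bootloader counterpart) follow immediately below, as the hunk shows only the comments changing and not the GRUB_CMDLINE_LINUX line that carries them.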