Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 19:16:24 -05:00
Code Issues Projects Releases Packages Wiki Activity

Add docs on entropy

Browse source
This commit is contained in:
raja-grewal 2025-10-17 01:01:28 +00:00 committed by GitHub
parent 708e1358df
commit 11d9b94038
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 3 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
View file

@ -288,6 +288,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
## The RNG seed passed by the bootloader could also potentially be tampered.
## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
## These settings ensure additional entropy is obtained from other sources to initialize the RNG.
## RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources.
## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
##
## https://en.wikipedia.org/wiki/RDRAND#Reception
@ -299,6 +300,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
## https://github.com/NixOS/nixpkgs/pull/165355
## https://lkml.org/lkml/2022/6/5/271
## https://lwn.net/Articles/961121/
## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/
##
## KSPP=yes
## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y.