diff --git a/examples/aws.yml b/examples/aws.yml index a22e11237..232d0b1e1 100644 --- a/examples/aws.yml +++ b/examples/aws.yml @@ -16,7 +16,7 @@ onboot: image: linuxkit/metadata:cec86f3e1c260c9eafefa80c262fceb40c182ddf services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: sshd image: linuxkit/sshd:505a985d7bd7a90f15eca9cb4dc6ec92789d51a0 binds: diff --git a/examples/azure.yml b/examples/azure.yml index 983242a13..150359565 100644 --- a/examples/azure.yml +++ b/examples/azure.yml @@ -11,7 +11,7 @@ onboot: image: linuxkit/sysctl:154913b72c6f1f33eb408609fca9963628e8c051 services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: sshd diff --git a/examples/docker.yml b/examples/docker.yml index 0af4210b1..5e742c74a 100644 --- a/examples/docker.yml +++ b/examples/docker.yml @@ -22,7 +22,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: ntpd diff --git a/examples/gcp.yml b/examples/gcp.yml index a7a760654..efca66dda 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml @@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: sshd image: linuxkit/sshd:505a985d7bd7a90f15eca9cb4dc6ec92789d51a0 binds: diff --git a/examples/getty.yml b/examples/getty.yml index 7a9fbf2ec..42202ca84 100644 --- a/examples/getty.yml +++ b/examples/getty.yml 
@@ -19,7 +19,7 @@ services: #env: # - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e files: - path: etc/getty.shadow # sample sets password for root to "abcdefgh" (without quotes) diff --git a/examples/node_exporter.yml b/examples/node_exporter.yml index 3d0f86965..a832ab6f1 100644 --- a/examples/node_exporter.yml +++ b/examples/node_exporter.yml @@ -11,7 +11,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: node_exporter diff --git a/examples/packet.yml b/examples/packet.yml index c86010073..a2c362711 100644 --- a/examples/packet.yml +++ b/examples/packet.yml @@ -11,7 +11,7 @@ onboot: image: linuxkit/sysctl:154913b72c6f1f33eb408609fca9963628e8c051 services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: sshd diff --git a/examples/sshd.yml b/examples/sshd.yml index e824223c1..ac94573a2 100644 --- a/examples/sshd.yml +++ b/examples/sshd.yml @@ -10,7 +10,7 @@ onboot: - name: sysctl image: linuxkit/sysctl:154913b72c6f1f33eb408609fca9963628e8c051 - name: rngd1 - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e command: ["/sbin/rngd", "-1"] services: - name: getty @@ -18,7 +18,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: sshd 
diff --git a/examples/swap.yml b/examples/swap.yml index 8e9090e9e..973793d89 100644 --- a/examples/swap.yml +++ b/examples/swap.yml @@ -28,7 +28,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/examples/tpm.yml b/examples/tpm.yml index 3709ef55f..b7e871c60 100644 --- a/examples/tpm.yml +++ b/examples/tpm.yml @@ -20,7 +20,7 @@ services: - name: tss image: linuxkit/tss:7f7d8d3d76d764e3130dd92f52c4944908c8bd80 - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e files: - path: etc/getty.shadow # sample sets password for root to "abcdefgh" (without quotes) diff --git a/examples/vmware.yml b/examples/vmware.yml index d6751b511..e9885dfef 100644 --- a/examples/vmware.yml +++ b/examples/vmware.yml @@ -15,7 +15,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: nginx diff --git a/examples/vultr.yml b/examples/vultr.yml index 770acecd7..4b5e3603a 100644 --- a/examples/vultr.yml +++ b/examples/vultr.yml @@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: sshd image: linuxkit/sshd:505a985d7bd7a90f15eca9cb4dc6ec92789d51a0 binds: diff --git a/linuxkit.yml b/linuxkit.yml index 3b15cdf52..60ae3b40b 100644 --- a/linuxkit.yml +++ b/linuxkit.yml 
@@ -22,7 +22,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/pkg/rngd/Makefile b/pkg/rngd/Makefile index 7221dd5a6..0f5b8696a 100644 --- a/pkg/rngd/Makefile +++ b/pkg/rngd/Makefile @@ -1,5 +1,4 @@ IMAGE=rngd DEPS:=$(wildcard cmd/rngd/*.go) $(shell find cmd/rngd/vendor) -ARCHES=x86_64 include ../package.mk diff --git a/pkg/rngd/cmd/rngd/main.go b/pkg/rngd/cmd/rngd/main.go index ecea2c2d1..93136d233 100644 --- a/pkg/rngd/cmd/rngd/main.go +++ b/pkg/rngd/cmd/rngd/main.go @@ -2,10 +2,14 @@ package main +// int rndaddentropy; +import "C" + import ( "flag" "log" "os" + "unsafe" "golang.org/x/sys/unix" ) @@ -69,3 +73,24 @@ func main() { } } } + +type randInfo struct { + entropyCount int + size int + buf uint64 +} + +func writeEntropy(random *os.File) (int, error) { + r, err := rand() + if err != nil { + // assume can fail occasionally + return 0, nil + } + const entropy = 64 // they are good random numbers, Brent + info := randInfo{entropy, 8, r} + ret, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(random.Fd()), uintptr(C.rndaddentropy), uintptr(unsafe.Pointer(&info))) + if ret == 0 { + return 8, nil + } + return 0, err +} diff --git a/pkg/rngd/cmd/rngd/rng_linux_amd64.go b/pkg/rngd/cmd/rngd/rng_linux_amd64.go index ad3a5ffed..8db57dbf2 100644 --- a/pkg/rngd/cmd/rngd/rng_linux_amd64.go +++ b/pkg/rngd/cmd/rngd/rng_linux_amd64.go @@ -37,10 +37,6 @@ import "C" import ( "errors" "flag" - "os" - "unsafe" - - "golang.org/x/sys/unix" ) var disableRdrand = flag.Bool("disable-rdrand", false, "Disable use of RDRAND") 
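Review bot: randInfo declares entropyCount and size as Go int, which is 64 bits wide on linux/amd64 and linux/arm64, whereas the kernel structure that RNDADDENTROPY consumes (struct rand_pool_info, as I read it) has two 32-bit C ints followed by the buffer; with that layout the kernel would take buf_size from the upper half of entropyCount, i.e. 0, and mix in no data while still crediting the pool with 64 bits — the opposite of what an entropy daemon should do. The fields should be `entropyCount int32` and `size int32` so that buf lands at offset 8; this code is moved from rng_linux_amd64.go rather than introduced here, but it is now the shared path for both architectures. The `return 0, nil` when rand() fails also hides the failure from the caller, and on arm64 rand() fails on every call, so returning the error (or at least logging it) would keep a build with no usable RNG from looking healthy. A doc comment on writeEntropy would help, e.g. `// writeEntropy mixes one 64-bit value from rand() into the kernel pool via RNDADDENTROPY, crediting 64 bits; returns bytes written.` The main() whose closing braces open this hunk lies outside it.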
@@ -48,12 +44,6 @@ var disableRdseed = flag.Bool("disable-rdseed", false, "Disable use of RDSEED") var hasRdrand, hasRdseed bool -type randInfo struct { - entropyCount int - size int - buf uint64 -} - func initRand() bool { hasRdrand = C.hasrdrand() == 1 && !*disableRdrand hasRdseed = C.hasrdseed() == 1 && !*disableRdseed @@ -72,18 +62,3 @@ func rand() (uint64, error) { } return 0, errors.New("No randomness available") } - -func writeEntropy(random *os.File) (int, error) { - r, err := rand() - if err != nil { - // assume can fail occasionally - return 0, nil - } - const entropy = 64 // they are good random numbers, Brent - info := randInfo{entropy, 8, r} - ret, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(random.Fd()), uintptr(C.rndaddentropy), uintptr(unsafe.Pointer(&info))) - if ret == 0 { - return 8, nil - } - return 0, err -} diff --git a/pkg/rngd/cmd/rngd/rng_linux_arm64.go b/pkg/rngd/cmd/rngd/rng_linux_arm64.go new file mode 100644 index 000000000..df9d0ff28 --- /dev/null +++ b/pkg/rngd/cmd/rngd/rng_linux_arm64.go @@ -0,0 +1,21 @@ +package main + +// #include +// +// int rndaddentropy = RNDADDENTROPY; +// +import "C" + +import ( + "errors" +) + +// No standard RNG on arm64 + +func initRand() bool { + return false +} + +func rand() (uint64, error) { + return 0, errors.New("No randomness available") +} diff --git a/pkg/rngd/cmd/rngd/rng_unsupported.go b/pkg/rngd/cmd/rngd/rng_unsupported.go index 9d3ca3735..423670bd7 100644 --- a/pkg/rngd/cmd/rngd/rng_unsupported.go +++ b/pkg/rngd/cmd/rngd/rng_unsupported.go @@ -1,4 +1,4 @@ -// +build !linux !amd64 +// +build !linux !amd64,!arm64 package main diff --git a/projects/compose/compose-dynamic.yml b/projects/compose/compose-dynamic.yml index 2590028b4..58ae0bcc9 100644 --- a/projects/compose/compose-dynamic.yml +++ b/projects/compose/compose-dynamic.yml 
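Review bot: rng_linux_arm64.go makes initRand() return false and rand() always return an error, which together with writeEntropy's `return 0, nil` on a rand() error means the arm64 build runs as a service that never contributes entropy and never reports it; if main() (outside this diff) does not act on initRand() being false, that is a silent no-op daemon. A log message or non-zero exit when no RNG is available would make the condition visible to operators instead of leaving the kernel pool unfed without any signal. The `// #include` line in this hunk shows no header name as rendered — presumably `<linux/random.h>`, which defines RNDADDENTROPY — so it is worth confirming the committed file actually carries it. The comment `// No standard RNG on arm64` would be clearer as `// arm64 has no architectural RNG instruction comparable to RDRAND/RDSEED; no entropy is sourced on this platform.`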
@@ -21,7 +21,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: docker diff --git a/projects/compose/compose-static.yml b/projects/compose/compose-static.yml index d371a0e88..f6bfedf64 100644 --- a/projects/compose/compose-static.yml +++ b/projects/compose/compose-static.yml @@ -21,7 +21,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: docker diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml index c3fd8e5a0..248ce7eda 100644 --- a/projects/etcd/etcd.yml +++ b/projects/etcd/etcd.yml @@ -21,7 +21,7 @@ onboot: image: linuxkit/metadata:cec86f3e1c260c9eafefa80c262fceb40c182ddf services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: node_exporter diff --git a/projects/ima-namespace/ima-namespace.yml b/projects/ima-namespace/ima-namespace.yml index e114157b9..8ce5d9c11 100644 --- a/projects/ima-namespace/ima-namespace.yml +++ b/projects/ima-namespace/ima-namespace.yml @@ -15,7 +15,7 @@ onboot: command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml index 5e953b706..43f811dd7 100644 
--- a/projects/kubernetes/kube-master.yml +++ b/projects/kubernetes/kube-master.yml @@ -32,7 +32,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: sshd diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml index 63c4c5f18..0d234c311 100644 --- a/projects/kubernetes/kube-node.yml +++ b/projects/kubernetes/kube-node.yml @@ -32,7 +32,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: sshd diff --git a/projects/logging/examples/logging.yml b/projects/logging/examples/logging.yml index a1f5812ae..d402dad82 100644 --- a/projects/logging/examples/logging.yml +++ b/projects/logging/examples/logging.yml @@ -15,7 +15,7 @@ onboot: command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/projects/miragesdk/examples/fdd.yml b/projects/miragesdk/examples/fdd.yml index 6c8355fab..b2c81e078 100644 --- a/projects/miragesdk/examples/fdd.yml +++ b/projects/miragesdk/examples/fdd.yml @@ -16,7 +16,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 files: diff --git a/projects/okernel/examples/okernel_simple.yaml b/projects/okernel/examples/okernel_simple.yaml index fcf06bd37..467e8ab0d 100644 
--- a/projects/okernel/examples/okernel_simple.yaml +++ b/projects/okernel/examples/okernel_simple.yaml @@ -11,7 +11,7 @@ onboot: image: linuxkit/sysctl:154913b72c6f1f33eb408609fca9963628e8c051 services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: sshd diff --git a/projects/shiftfs/shiftfs.yml b/projects/shiftfs/shiftfs.yml index 8f2162261..f3dd2d581 100644 --- a/projects/shiftfs/shiftfs.yml +++ b/projects/shiftfs/shiftfs.yml @@ -18,7 +18,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index a78dc6c8c..c21e8cf05 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml @@ -31,7 +31,7 @@ services: binds: - /dev/vport0p1:/dev/vport0p1 - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: weave diff --git a/test/cases/030_security/000_docker-bench/test-docker-bench.yml b/test/cases/030_security/000_docker-bench/test-docker-bench.yml index f101348ab..190795c62 100644 --- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml +++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml @@ -18,7 +18,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: docker