From 8b2327b0e270c9c1ee734e04ca3a2ae9bb6911d3 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Fri, 4 Aug 2017 14:01:18 +0100 Subject: [PATCH 1/2] Support rngd on arm64 Although it does not do anything, as there is no CPU rng on arm64 at present. Signed-off-by: Justin Cormack --- pkg/rngd/Makefile | 1 - pkg/rngd/cmd/rngd/main.go | 25 +++++++++++++++++++++++++ pkg/rngd/cmd/rngd/rng_linux_amd64.go | 25 ------------------------- pkg/rngd/cmd/rngd/rng_linux_arm64.go | 21 +++++++++++++++++++++ pkg/rngd/cmd/rngd/rng_unsupported.go | 2 +- 5 files changed, 47 insertions(+), 27 deletions(-) create mode 100644 pkg/rngd/cmd/rngd/rng_linux_arm64.go diff --git a/pkg/rngd/Makefile b/pkg/rngd/Makefile index 7221dd5a6..0f5b8696a 100644 --- a/pkg/rngd/Makefile +++ b/pkg/rngd/Makefile @@ -1,5 +1,4 @@ IMAGE=rngd DEPS:=$(wildcard cmd/rngd/*.go) $(shell find cmd/rngd/vendor) -ARCHES=x86_64 include ../package.mk diff --git a/pkg/rngd/cmd/rngd/main.go b/pkg/rngd/cmd/rngd/main.go index ecea2c2d1..93136d233 100644 --- a/pkg/rngd/cmd/rngd/main.go +++ b/pkg/rngd/cmd/rngd/main.go @@ -2,10 +2,14 @@ package main +// int rndaddentropy; +import "C" + import ( "flag" "log" "os" + "unsafe" "golang.org/x/sys/unix" ) @@ -69,3 +73,24 @@ func main() { } } } + +type randInfo struct { + entropyCount int + size int + buf uint64 +} + +func writeEntropy(random *os.File) (int, error) { + r, err := rand() + if err != nil { + // assume can fail occasionally + return 0, nil + } + const entropy = 64 // they are good random numbers, Brent + info := randInfo{entropy, 8, r} + ret, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(random.Fd()), uintptr(C.rndaddentropy), uintptr(unsafe.Pointer(&info))) + if ret == 0 { + return 8, nil + } + return 0, err +} diff --git a/pkg/rngd/cmd/rngd/rng_linux_amd64.go b/pkg/rngd/cmd/rngd/rng_linux_amd64.go index ad3a5ffed..8db57dbf2 100644 --- a/pkg/rngd/cmd/rngd/rng_linux_amd64.go +++ b/pkg/rngd/cmd/rngd/rng_linux_amd64.go 
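Review bot: The cgo preamble line `// int rndaddentropy;` added to main.go is a tentative definition, not a declaration, so the binary only links because the C toolchain merges it as a common symbol with `int rndaddentropy = RNDADDENTROPY;` in rng_linux_arm64.go (and presumably the amd64 preamble, which is outside this diff); compilers that default to -fno-common, GCC 10 and later, reject that as a duplicate definition. Write it as `// extern int rndaddentropy;` so the per-architecture file is the single definition. A comment beside it, e.g. `// rndaddentropy is defined in the rng_linux_*.go preamble for the target GOARCH`, would make the cross-file coupling visible to anyone adding a new architecture. The import block continues outside this hunk.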
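Review bot: `randInfo` declares `entropyCount` and `size` as Go `int`, which is 64 bits on amd64 and arm64, whereas the kernel reads the RNDADDENTROPY argument as uapi `struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }` with 32-bit ints; on these little-endian targets the kernel therefore sees entropy_count=64, buf_size=0 (the upper half of `entropyCount`) and never touches `buf`, so the input pool is credited 64 bits of entropy while receiving no data — the one thing an entropy daemon must never do. Change the two fields to `entropyCount int32` and `size int32`, keeping `buf uint64` directly after them so the sample sits at offset 8 where the kernel expects it, and add `// layout must match the kernel's struct rand_pool_info (two C ints, then the data)` above the struct. Separately, the `rand()` failure path returns `(0, nil)`, which on arm64, where `rand()` always errors, makes every call report success with nothing written; if the contract is deliberately best-effort, say so on the function with `// writeEntropy feeds one 64-bit sample into the kernel pool; a sample that cannot be read is skipped, not reported as an error`. The main() loop that calls writeEntropy lies outside this hunk, so whether it copes with a permanent (0, nil) cannot be checked here.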
@@ -37,10 +37,6 @@ import "C" import ( "errors" "flag" - "os" - "unsafe" - - "golang.org/x/sys/unix" ) var disableRdrand = flag.Bool("disable-rdrand", false, "Disable use of RDRAND") @@ -48,12 +44,6 @@ var disableRdseed = flag.Bool("disable-rdseed", false, "Disable use of RDSEED") var hasRdrand, hasRdseed bool -type randInfo struct { - entropyCount int - size int - buf uint64 -} - func initRand() bool { hasRdrand = C.hasrdrand() == 1 && !*disableRdrand hasRdseed = C.hasrdseed() == 1 && !*disableRdseed @@ -72,18 +62,3 @@ func rand() (uint64, error) { } return 0, errors.New("No randomness available") } - -func writeEntropy(random *os.File) (int, error) { - r, err := rand() - if err != nil { - // assume can fail occasionally - return 0, nil - } - const entropy = 64 // they are good random numbers, Brent - info := randInfo{entropy, 8, r} - ret, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(random.Fd()), uintptr(C.rndaddentropy), uintptr(unsafe.Pointer(&info))) - if ret == 0 { - return 8, nil - } - return 0, err -} diff --git a/pkg/rngd/cmd/rngd/rng_linux_arm64.go b/pkg/rngd/cmd/rngd/rng_linux_arm64.go new file mode 100644 index 000000000..df9d0ff28 --- /dev/null +++ b/pkg/rngd/cmd/rngd/rng_linux_arm64.go @@ -0,0 +1,21 @@ +package main + +// #include +// +// int rndaddentropy = RNDADDENTROPY; +// +import "C" + +import ( + "errors" +) + +// No standard RNG on arm64 + +func initRand() bool { + return false +} + +func rand() (uint64, error) { + return 0, errors.New("No randomness available") +} diff --git a/pkg/rngd/cmd/rngd/rng_unsupported.go b/pkg/rngd/cmd/rngd/rng_unsupported.go index 9d3ca3735..423670bd7 100644 --- a/pkg/rngd/cmd/rngd/rng_unsupported.go +++ b/pkg/rngd/cmd/rngd/rng_unsupported.go @@ -1,4 +1,4 @@ -// +build !linux !amd64 +// +build !linux !amd64,!arm64 package main From d164bcf283c5bd4a46aeba8b26fe3aaf902dd8f2 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Fri, 4 Aug 2017 14:10:51 +0100 Subject: [PATCH 2/2] update hashes for rngd 
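Review bot: rng_linux_arm64.go exists to define `rndaddentropy` for main.go's cgo preamble and to report that no hardware source is available, but `// No standard RNG on arm64` explains neither; a header comment such as `// arm64 has no CPU entropy instruction this daemon can use: initRand reports false so the caller can stop, and rndaddentropy is defined here because main.go only declares it` would spare the next porter a search through main.go. Because `rand()` unconditionally fails here and writeEntropy in main.go turns that failure into `(0, nil)`, any caller that loops on writeEntropy without first honouring `initRand()` would busy-spin on this architecture — the main() loop is not in this diff, so this is worth confirming rather than assuming. The `#include` target is not visible in this rendering; `RNDADDENTROPY` is the only macro used, so it presumably names linux/random.h, which is worth stating in the comment. The commit message's "at present" is apt: later ARMv8.5 cores expose an RNDR instruction, so a short note that `rand()` is the hook to fill in when such a source is adopted would keep this stub from being mistaken for a final answer.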
Signed-off-by: Justin Cormack --- examples/aws.yml | 2 +- examples/azure.yml | 2 +- examples/docker.yml | 2 +- examples/gcp.yml | 2 +- examples/getty.yml | 2 +- examples/node_exporter.yml | 2 +- examples/packet.yml | 2 +- examples/sshd.yml | 4 ++-- examples/swap.yml | 2 +- examples/tpm.yml | 2 +- examples/vmware.yml | 2 +- examples/vultr.yml | 2 +- linuxkit.yml | 2 +- projects/compose/compose-dynamic.yml | 2 +- projects/compose/compose-static.yml | 2 +- projects/etcd/etcd.yml | 2 +- projects/ima-namespace/ima-namespace.yml | 2 +- projects/kubernetes/kube-master.yml | 2 +- projects/kubernetes/kube-node.yml | 2 +- projects/logging/examples/logging.yml | 2 +- projects/miragesdk/examples/fdd.yml | 2 +- projects/okernel/examples/okernel_simple.yaml | 2 +- projects/shiftfs/shiftfs.yml | 2 +- projects/swarmd/swarmd.yml | 2 +- .../cases/030_security/000_docker-bench/test-docker-bench.yml | 2 +- 25 files changed, 26 insertions(+), 26 deletions(-) diff --git a/examples/aws.yml b/examples/aws.yml index bee9ec715..004df6422 100644 --- a/examples/aws.yml +++ b/examples/aws.yml @@ -16,7 +16,7 @@ onboot: image: linuxkit/metadata:cec86f3e1c260c9eafefa80c262fceb40c182ddf services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: sshd image: linuxkit/sshd:505a985d7bd7a90f15eca9cb4dc6ec92789d51a0 binds: diff --git a/examples/azure.yml b/examples/azure.yml index 6add5b6c4..fd8b504c5 100644 --- a/examples/azure.yml +++ b/examples/azure.yml @@ -11,7 +11,7 @@ onboot: image: linuxkit/sysctl:184c914d23a017062d7b53d7fc1dfaf47764bef6 services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: sshd diff --git a/examples/docker.yml b/examples/docker.yml index ddbd3b1db..c6a5e3a4c 100644 --- a/examples/docker.yml 
+++ b/examples/docker.yml @@ -22,7 +22,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: ntpd diff --git a/examples/gcp.yml b/examples/gcp.yml index eae17ab6b..3b22ba61b 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml @@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: sshd image: linuxkit/sshd:505a985d7bd7a90f15eca9cb4dc6ec92789d51a0 binds: diff --git a/examples/getty.yml b/examples/getty.yml index f407e412c..a226c2f86 100644 --- a/examples/getty.yml +++ b/examples/getty.yml @@ -19,7 +19,7 @@ services: #env: # - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e files: - path: etc/getty.shadow # sample sets password for root to "abcdefgh" (without quotes) diff --git a/examples/node_exporter.yml b/examples/node_exporter.yml index 3d0f86965..a832ab6f1 100644 --- a/examples/node_exporter.yml +++ b/examples/node_exporter.yml @@ -11,7 +11,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: node_exporter diff --git a/examples/packet.yml b/examples/packet.yml index d027e3588..42ad91df9 100644 --- a/examples/packet.yml +++ b/examples/packet.yml 
@@ -11,7 +11,7 @@ onboot: image: linuxkit/sysctl:184c914d23a017062d7b53d7fc1dfaf47764bef6 services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: sshd diff --git a/examples/sshd.yml b/examples/sshd.yml index c8ebef263..7add0a0e3 100644 --- a/examples/sshd.yml +++ b/examples/sshd.yml @@ -10,7 +10,7 @@ onboot: - name: sysctl image: linuxkit/sysctl:184c914d23a017062d7b53d7fc1dfaf47764bef6 - name: rngd1 - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e command: ["/sbin/rngd", "-1"] services: - name: getty @@ -18,7 +18,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: sshd diff --git a/examples/swap.yml b/examples/swap.yml index 795ebc16b..1009cca23 100644 --- a/examples/swap.yml +++ b/examples/swap.yml @@ -28,7 +28,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/examples/tpm.yml b/examples/tpm.yml index 140caf917..361987c96 100644 --- a/examples/tpm.yml +++ b/examples/tpm.yml @@ -20,7 +20,7 @@ services: - name: tss image: linuxkit/tss:7f7d8d3d76d764e3130dd92f52c4944908c8bd80 - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e files: - path: etc/getty.shadow # sample sets password for root to "abcdefgh" (without quotes) diff --git a/examples/vmware.yml b/examples/vmware.yml index aecb5f5c6..3e034ba7c 100644 
--- a/examples/vmware.yml +++ b/examples/vmware.yml @@ -15,7 +15,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: nginx diff --git a/examples/vultr.yml b/examples/vultr.yml index ab2e4799b..16a9ebc57 100644 --- a/examples/vultr.yml +++ b/examples/vultr.yml @@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: sshd image: linuxkit/sshd:505a985d7bd7a90f15eca9cb4dc6ec92789d51a0 binds: diff --git a/linuxkit.yml b/linuxkit.yml index 1f691fbad..3473e6487 100644 --- a/linuxkit.yml +++ b/linuxkit.yml @@ -22,7 +22,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/projects/compose/compose-dynamic.yml b/projects/compose/compose-dynamic.yml index 97685621c..a43b1ae33 100644 --- a/projects/compose/compose-dynamic.yml +++ b/projects/compose/compose-dynamic.yml @@ -21,7 +21,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: docker diff --git a/projects/compose/compose-static.yml b/projects/compose/compose-static.yml index 23481cc67..63b84fe1d 100644 --- a/projects/compose/compose-static.yml +++ b/projects/compose/compose-static.yml 
@@ -21,7 +21,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: docker diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml index 85e6b94ee..633dbbe82 100644 --- a/projects/etcd/etcd.yml +++ b/projects/etcd/etcd.yml @@ -21,7 +21,7 @@ onboot: image: linuxkit/metadata:cec86f3e1c260c9eafefa80c262fceb40c182ddf services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: node_exporter diff --git a/projects/ima-namespace/ima-namespace.yml b/projects/ima-namespace/ima-namespace.yml index 4fb5d495f..8ab07c8f8 100644 --- a/projects/ima-namespace/ima-namespace.yml +++ b/projects/ima-namespace/ima-namespace.yml @@ -15,7 +15,7 @@ onboot: command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml index a75690a5f..21fc9a175 100644 --- a/projects/kubernetes/kube-master.yml +++ b/projects/kubernetes/kube-master.yml @@ -32,7 +32,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: sshd diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml index 1919c4d53..2f645bb0f 100644 --- a/projects/kubernetes/kube-node.yml 
+++ b/projects/kubernetes/kube-node.yml @@ -32,7 +32,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: sshd diff --git a/projects/logging/examples/logging.yml b/projects/logging/examples/logging.yml index 16a959776..b1f7db45c 100644 --- a/projects/logging/examples/logging.yml +++ b/projects/logging/examples/logging.yml @@ -15,7 +15,7 @@ onboot: command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/projects/miragesdk/examples/fdd.yml b/projects/miragesdk/examples/fdd.yml index 16143fb3d..e92e85928 100644 --- a/projects/miragesdk/examples/fdd.yml +++ b/projects/miragesdk/examples/fdd.yml @@ -16,7 +16,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 files: diff --git a/projects/okernel/examples/okernel_simple.yaml b/projects/okernel/examples/okernel_simple.yaml index 74a9abfc3..580ce922f 100644 --- a/projects/okernel/examples/okernel_simple.yaml +++ b/projects/okernel/examples/okernel_simple.yaml @@ -11,7 +11,7 @@ onboot: image: linuxkit/sysctl:184c914d23a017062d7b53d7fc1dfaf47764bef6 services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: sshd diff --git a/projects/shiftfs/shiftfs.yml b/projects/shiftfs/shiftfs.yml index 5b5549fe0..b74a192bf 100644 
--- a/projects/shiftfs/shiftfs.yml +++ b/projects/shiftfs/shiftfs.yml @@ -18,7 +18,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: nginx image: nginx:alpine capabilities: diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index f314b48a0..7274c1452 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml @@ -31,7 +31,7 @@ services: binds: - /dev/vport0p1:/dev/vport0p1 - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: ntpd image: linuxkit/openntpd:0d7befc79842849d0b88d6c3b64200e340d7cf67 - name: weave diff --git a/test/cases/030_security/000_docker-bench/test-docker-bench.yml b/test/cases/030_security/000_docker-bench/test-docker-bench.yml index 454ed997a..de496df0e 100644 --- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml +++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml @@ -18,7 +18,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:b2f4bdcb55aa88a25c86733e294628614504f383 + image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e - name: dhcpcd image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 - name: docker