SCS Entropy: Implementation and Testing Notes
Implementation notes
With reasonably recent hardware (an x86 CPU with RDRAND/RDSEED, available on Intel from 2012 and on AMD from 2015, or an ARM CPU with FEAT_RNG or FEAT_RNG_TRAP) and a recent VM image (Linux kernel 5.18 or higher), there is (almost) nothing to be done.
Only the flavor and image attributes required by the standard have to be set:
- flavor extra_spec: `hw_rng:allowed=True`,
- image property: `hw_rng_model: virtio`.
Automated tests
Images sample
Some checks need to be performed on a live instance. For these checks, it is necessary to choose a sample of VM images to test on.
For the time being, the sample MUST contain at least one public image reported by OpenStack. This may be extended in the future.
Errors
For every image in the chosen sample, the following items MUST be detected and reported as an error:
- the service `rngd` is not running,
- the special file `/proc/sys/kernel/random/entropy_avail` does not contain the value 256 (pinned since kernel 5.18),
- the number of FIPS 140-2 failures exceeds 3 out of 1000 blocks tested, as determined by `cat /dev/random | rngtest -c 1000`.
Note: The latter two items act as surrogates for the following item, which cannot be detected directly:
- CPU instructions for accessing entropy are not available to the VMs.
Warnings
The following items MUST be detected and reported as a warning:
- any flavor missing the attribute `hw_rng:allowed=True`,
- any image missing the attribute `hw_rng_model: virtio`.
Note that the requirement regarding the kernel patch level will not be
checked, for two reasons: (a) we already check the file entropy_avail
(see subsection on Errors), and (b) users can always choose a recent image,
as ensured by the image metadata standard.
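The error and warning rules above, applied to output already collected from an instance and to flavor/image metadata. This is an added example, not the project's entropy-check.py. The function names, the use of `systemctl is-active rngd` to obtain the service state, the case-insensitive match on `True`, and the sample data are assumptions.

```python
import re

ENTROPY_AVAIL_EXPECTED = 256  # value pinned since kernel 5.18
FIPS_MAX_FAILURES = 3         # out of the 1000 blocks given to rngtest -c 1000

def fips_failures(rngtest_output):
    """Failure count from rngtest's summary line, or None if it is absent."""
    m = re.search(r"^rngtest: FIPS 140-2 failures: (\d+)\s*$", rngtest_output, re.M)
    return int(m.group(1)) if m else None

def instance_errors(rngd_state, entropy_avail, rngtest_output):
    """Error checks for one image, from output captured on a live instance.
    rngd_state is assumed to come from `systemctl is-active rngd`."""
    errors = []
    if rngd_state.strip() != "active":
        errors.append("rngd is not running")
    if entropy_avail.strip() != str(ENTROPY_AVAIL_EXPECTED):
        errors.append(f"entropy_avail is {entropy_avail.strip()!r}, not 256")
    failures = fips_failures(rngtest_output)
    if failures is None:  # no summary: the test did not complete, so fail closed
        errors.append("rngtest printed no FIPS 140-2 summary")
    elif failures > FIPS_MAX_FAILURES:
        errors.append(f"{failures} FIPS 140-2 failures in 1000 blocks")
    return errors

def metadata_warnings(flavors, images):
    """flavors: name -> extra_specs dict; images: name -> properties dict."""
    warnings = [f"flavor {name}: hw_rng:allowed=True not set"
                for name, specs in flavors.items()
                if str(specs.get("hw_rng:allowed", "")).lower() != "true"]
    warnings += [f"image {name}: hw_rng_model: virtio not set"
                 for name, props in images.items()
                 if props.get("hw_rng_model") != "virtio"]
    return warnings

# Constructed sample input (not taken from a real deployment).
GOOD_RNGTEST = """rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 999
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
"""
BAD_RNGTEST = GOOD_RNGTEST.replace("successes: 999", "successes: 990").replace(
    "failures: 1", "failures: 10")

if __name__ == "__main__":
    print(instance_errors("active\n", "256\n", GOOD_RNGTEST))
    print(instance_errors("inactive\n", "3012\n", BAD_RNGTEST))
    print(metadata_warnings({"flavor-a": {}}, {"image-a": {"hw_rng_model": "virtio"}}))
```

A missing rngtest summary is reported as an error rather than treated as zero failures, so an instance where the test could not run does not pass silently.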
Implementation
The script entropy-check.py connects to OpenStack and performs the checks described in this section.
Manual tests
None.