Entropy problem on Nitro

[gbryant-arm]

Describe the bug On some Nitro machines, requesting entropy by whether reading /dev/random or sending a getrandom syscall results in failure: the function call hangs and does not return. This might be due to entropy shortage. Passing GRND_RANDOM or GRND_NONBLOCK to getrandom() doesn't seem to make any difference. Reading from /dev/urandom works.

To Reproduce Call libc's (musl's) getrandom() or read /dev/random inside Nitro and wait for the return... forever (doesn't happen on every Nitro machine)

Expected behaviour getrandom() or /dev/random should whether return random bytes or return immediately.

Additional context / Solutions It is recommended to use AWS' NSM library for RNG, though in Veracruz, this approach is only available to WASM programs at present, not to the C code in the runtime. As a quick workaround we could read from /dev/urandom.

[dreemkiller]

What are the properties of the instances that are experiencing the failures? Have they been up a long time? Because originally, nsm was not plumbed into /dev/random. Is it possible that the failures are happening on instances launched before that change was made?

[dreemkiller]

Here are some thoughts about /dev/random vs /dev/urandom: https://www.2uo.de/myths-about-urandom/

TL/DR: /dev/urandom should be fine.

[gbryant-arm]

What are the properties of the instances that are experiencing the failures? Have they been up a long time? Because originally, nsm was not plumbed into /dev/random. Is it possible that the failures are happening on instances launched before that change was made?

I've only found one Nitro machine experiencing the failure so far. It was created at the same time as the ones that are fine, and has been rebooted many times since then. I don't know what is wrong with that machine.

[gbryant-arm]

Opened an issue upstream: https://github.com/aws/aws-nitro-enclaves-sdk-bootstrap/issues/15