{"description": "Instrument some kernel code to extract some entropy from both original and artificially created\nprogram state. This will help especially embedded systems where there is little 'natural' source\nof entropy normally.\n\nThis configuration is available from kernel 4.9, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_GCC_PLUGIN_LATENT_ENTROPY</tt>, run the following command:\n    <tt>grep CONFIG_GCC_PLUGIN_LATENT_ENTROPY /boot/config-*</tt>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "rationale": "This helps generate entropy during startup and is particularly relevant for devices with\ninappropriate entropy sources.", "severity": "medium", "references": {"anssi": ["R21"]}, "control_references": {"anssi": ["R21"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_GCC_PLUGIN_LATENT_ENTROPY /boot/config.*</pre>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}, {"general": "Note that entropy extracted this way is not cryptographically secure!"}, {"performance": "There is a performance cost during the boot process (about 0.5%) and fork and irq processing."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Generate some entropy during boot and runtime", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_latent_entropy/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_GCC_PLUGIN_LATENT_ENTROPY", "value": "y"}, "backends": {}}}