Un-break system safety tests on Linux.

cmd/main_test.go

@@ -165,7 +165,7 @@ func TestPages(t *testing.T) {
 }
 
 func TestReadyHandler(t *testing.T) {
-	defer stopSvc(startSvc(t, []string{"-wait-for-app"}))
+	defer stopSvc(startSvc(t, []string{"-insecure", "-wait-for-app"}))
 
 	cases := []struct {
 		name     string
@@ -266,7 +266,7 @@ func TestAttestation(t *testing.T) {
 }
 
 func TestHashes(t *testing.T) {
-	defer stopSvc(startSvc(t, []string{}))
+	defer stopSvc(startSvc(t, []string{"-insecure"}))
 
 	var (
 		hashes = new(attestation.Hashes)
@@ -354,7 +354,7 @@ func TestReverseProxy(t *testing.T) {
 		},
 	))
 	defer srv.Close()
-	defer stopSvc(startSvc(t, []string{"-app-web-srv", srv.URL}))
+	defer stopSvc(startSvc(t, []string{"-insecure", "-app-web-srv", srv.URL}))
 
 	cases := []struct {
 		name     string

internal/service/service.go

@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"errors"
 	"log"
 	"net"
 	"net/http"
@@ -31,9 +32,9 @@ func Run(
 		appReady = make(chan struct{})
 	)
 
-	// Perform basic safety checks before starting.
-	if !system.HasSecureRNG() {
-		log.Fatal("Nitro hardware RNG is not in use.")
+	// Run basic safety checks before starting.
+	if err := checkSystemSafety(config); err != nil {
+		log.Fatalf("Failed safety check: %v", err)
 	}
 
 	// Initialize the enclave keys for enclave synchronization.
@@ -59,6 +60,20 @@ func Run(
 	log.Println("Exiting.")
 }
 
+func checkSystemSafety(config *config.Config) error {
+	if config.EnableTesting {
+		return nil
+	}
+
+	if !system.HasSecureRNG() {
+		return errors.New("system does not use desired RNG")
+	}
+	if !system.HasSecureKernelVersion() {
+		return errors.New("system does not have minimum desired kernel version")
+	}
+	return nil
+}
+
 func startAllWebSrvs(
 	ctx context.Context,
 	waitForApp bool,