Bug 1973157

Summary: update jitterentropy and add -devel to crb
Product: Red Hat Enterprise Linux 9
Reporter: Vladis Dronov <vdronov>
Component: jitterentropy
Assignee: Vladis Dronov <vdronov>
Status: CLOSED CURRENTRELEASE
QA Contact: Vilém Maršík <vmarsik>
Severity: medium
Priority: medium
Version: 9.0
CC: skozina, vmarsik
Target Milestone: beta
Keywords: Rebase, Triaged
Target Release: 9.0 Beta
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2021-12-07 21:20:54 UTC
Type: Bug
Target Upstream Version: jitterentropy-3.0.2

Description Vladis Dronov 2021-06-17 10:53:42 UTC
a v3.0.2 update is needed since it introduces important NIST SP 800-90B fixes which in turn is needed for the later fips certification.

also we need jitterentropy-devel in crb repo, the product listing is not correct as of now.

upstream: https://github.com/smuellerDD/jitterentropy-library
fedora: https://src.fedoraproject.org/rpms/jitterentropy/

Comment 1 Vladis Dronov 2021-06-18 13:51:48 UTC
c9s comps.xml update to add jitterentropy-devel to CRB:
https://gitlab.com/redhat/centos-stream/release-engineering/comps/-/merge_requests/56

Comment 3 Vilém Maršík 2021-06-23 00:04:33 UTC
Ack, expecting a package jitterentropy-devel to be included in 9.0

Comment 5 Vladis Dronov 2021-07-29 12:31:54 UTC
hello, Vilem,

could you please provide Verified:Tested for this bz, so i can proceed with its errata?
the test plan for both jitterentropy library and rngd daemon is the following:

1) grab the packages from brew:

# wget http://download.devel.redhat.com/brewroot/work/tasks/2274/38422274/jitterentropy-3.0.2-2.git.409828cf.el9.x86_64.rpm http://download.devel.redhat.com/brewroot/work/tasks/6815/38436815/rng-tools-6.13-5.git.d207e0b6.el9.x86_64.rpm

2) install and disable rngd service:

# dnf -y install jitterentropy*rpm rng-tools*rpm && systemctl stop rngd && systemctl disable rngd

3) gather random data more than 4 Mb. for this wait ~10 seconds after the "[jitter]: Initialized"
line and press Ctrl-C.

# /usr/sbin/rngd -f -o /dev/stdout > /tmp/rngfile
Initializing available sources
[hwrng ]: Initialized
[rdrand]: Enabling RDRAND rng support
[rdrand]: Initialized
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
< wait 5-10 seconds >
^C
[hwrng ]: Shutting down
[rdrand]: Shutting down
[jitter]: Shutting down

4) check that /tmp/rngfile is more than 4 Mb:

# ls -lh /tmp/rngfile
-rw-r--r-- 1 root root 51M Jul 29 14:16 /tmp/rngfile

5) run the FIPS test for the random data gathered:

# cat /tmp/rngfile | /usr/bin/rngtest -c 1000
rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 999
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 1
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=397.364; avg=7515.164; max=19073.486)Mibits/s
rngtest: FIPS tests speed: (min=37.919; avg=138.251; max=161.640)Mibits/s
rngtest: Program run time: 141251 microseconds

some "FIPS 140-2 failures" are fine here, they should not be more than "FIPS 140-2 successes".

6) clean up

# rm -f /tmp/rngfile
# dnf -y erase jitterentropy rng-tools

thank you.
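
The acceptance rule from step 5 of the test plan above (failures must not exceed successes), as an added shell example that is not part of the original comment or of rng-tools. The function names are hypothetical, the sample report reuses lines from the rngtest output shown in this bug, and treating a run with zero tested blocks as a failure is an assumption added here.

```shell
#!/bin/sh
# Added example: apply the test plan's pass rule to an rngtest report.
# rngtest_field / rngtest_verdict / sample_report are hypothetical names.

# Print the integer that follows "rngtest: <label>: " in a report on stdin.
rngtest_field() {
    # $1 = label text, e.g. "FIPS 140-2 successes"
    sed -n "s/^rngtest: $1: \([0-9][0-9]*\)\$/\1/p" | head -n 1
}

# Read a report on stdin, print one verdict line, and return
# 0 = pass, 1 = fail, 2 = the counters could not be found.
rngtest_verdict() {
    report=$(cat)
    ok=$(printf '%s\n' "$report" | rngtest_field 'FIPS 140-2 successes')
    bad=$(printf '%s\n' "$report" | rngtest_field 'FIPS 140-2 failures')
    if [ -z "$ok" ] || [ -z "$bad" ]; then
        echo "UNPARSED"
        return 2
    fi
    # Assumption added here: an empty run proves nothing, so it fails.
    if [ "$((ok + bad))" -eq 0 ]; then
        echo "FAIL no blocks tested"
        return 1
    fi
    # Rule from the test plan: failures should not be more than successes.
    if [ "$bad" -gt "$ok" ]; then
        echo "FAIL successes=$ok failures=$bad"
        return 1
    fi
    echo "PASS successes=$ok failures=$bad"
    return 0
}

# Sample report: lines taken from the rngtest output quoted in this bug.
sample_report() {
cat <<'EOF'
rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 999
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Runs: 1
EOF
}

sample_report | rngtest_verdict
```

For a real run, pipe the tool's report into the function with `/usr/bin/rngtest -c 1000 < /tmp/rngfile 2>&1 | rngtest_verdict`; merging stderr means the counters are seen whichever stream they are written to.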

Comment 8 Vilém Maršík 2021-08-05 23:58:30 UTC
Verified, thanks for the very detailed testing instructions.

-------------

# wget http://download.devel.redhat.com/brewroot/work/tasks/2274/38422274/jitterentropy-3.0.2-2.git.409828cf.el9.x86_64.rpm http://download.devel.redhat.com/brewroot/work/tasks/6815/38436815/rng-tools-6.13-5.git.d207e0b6.el9.x86_64.rpm
(...)
Downloaded: 2 files, 93K in 0.003s (32.8 MB/s)
# dnf -y install jitterentropy*rpm rng-tools*rpm && systemctl stop rngd && systemctl disable rngd
(...)
Installed:
  jitterentropy-3.0.2-2.git.409828cf.el9.x86_64                                        rng-tools-6.13-5.git.d207e0b6.el9.x86_64
Complete!
Removed /etc/systemd/system/multi-user.target.wants/rngd.service.
# /usr/sbin/rngd -f -o /dev/stdout > /tmp/rngfile
Initializing available sources
[hwrng ]: Initialization Failed
[rdrand]: Enabling RDRAND rng support
[rdrand]: Initialized
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
^C[rdrand]: Shutting down
[jitter]: Shutting down
# ls -lh /tmp/rngfile
-rw-r--r--. 1 root root 252M Aug  5 19:53 /tmp/rngfile
# cat /tmp/rngfile | /usr/bin/rngtest -c 1000
rngtest 6.13
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 999
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 1
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=6.209; avg=16.735; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=164.427; avg=211.514; max=214.309)Mibits/s
rngtest: Program run time: 91681 microseconds
# rm -f /tmp/rngfile
# dnf -y erase jitterentropy rng-tools