Bug 2075974

Summary: [RHEL-8.7] update rng-tools to 6.15 and jitterentropy to 3.4.0
Product: Red Hat Enterprise Linux 8
Reporter: Vladis Dronov <vdronov>
Component: rng-tools
Assignee: Vladis Dronov <vdronov>
Status: CLOSED ERRATA
QA Contact: Vilém Maršík <vmarsik>
Severity: medium
Priority: medium
Docs Contact:
Version: 8.7
Keywords: Rebase, Triaged
Target Milestone: rc
Target Release: 8.7
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rng-tools-6.15-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-08 10:47:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2076641
Bug Blocks:

Description Vladis Dronov 2022-04-16 19:30:41 UTC
update rng-tools to 6.15 and jitterentropy lib to 3.4.0 + important upstream fixes.

rng-tools:
upstream: https://github.com/nhorman/rng-tools/
fedora: https://src.fedoraproject.org/rpms/rng-tools/

jitterentropy-lib:
upstream: https://github.com/smuellerDD/jitterentropy-library/
fedora: https://src.fedoraproject.org/rpms/jitterentropy/

Comment 2 Vladis Dronov 2022-05-08 11:33:36 UTC
[CI] [GATING] [DONE] rng-tools-6.15-1.el8 passed gating because all required tests passed
rng-tools-6.15-1.el8 successfully moved from rhel-8.7.0-gate into rhel-8.7.0-candidate
brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=45148424
osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/45148424

Comment 3 Vladis Dronov 2022-05-09 09:43:39 UTC
a test plan:

0) ensure that no config and no 'rngd' user exist from previous installations

# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab the rngd daemon package from brew via the links above

2) install it. Please note that this release requires selinux-policy >= 3.14.3-98; it is available in the latest 8.7 composes.

3) verify that both service files DO NOT contain the "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service 
<none>

4) this release does not create any new user/group. Still, check that pwck is fine after installation.

# pwck

5) optional: general functional tests. They reside in the source tarball, so rng-tools.src.rpm should be unpacked,
then the .tar.gz inside it should be unpacked. Go to tests/ in the source dir. Edit the scripts: remove "../" in front of
"rngd" and "rngtest" so the binaries installed from the package are used. Run the tests checking the return code; all
three should return 0:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# ./rngtestjitter.sh ; echo $?

6) start the service and ensure the process runs as the daemon user and the log contains a "dropping privileges" line.
A pause is needed for jitter to init; alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

# systemctl start rngd ; sleep 5 ; systemctl status rngd ; ps -ef | grep rngd

7) clean up

# dnf -y erase rng-tools
# rm -f rng-tools*rpm
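
Steps 3, 4 and 6 of the plan above as one script. This is an added example, not code from the bug or from the rng-tools project. It differs from the plan in one point a practitioner will want: instead of a fixed "sleep 5" it waits for the "Process privileges have been dropped" journal line before looking at the process owner, because rngd only drops to daemon:daemon after its sources (jitter included) have initialised, which can take longer than 5 seconds. Unit file paths, the ExecStart line and the journal wording are those shown in the bug; the "old.service" fixture, the ps snapshots and the journalctl/pwck invocations are this example's own assumptions for an offline run.

```shell
#!/bin/bash
# Added example, not part of bug 2075974 or rng-tools: scripted hardening checks
# for rngd 6.15 (no udevadm in unit files, pwck clean, runs as daemon after the
# privilege drop). Run with --live on a host with the package installed.
set -u

RNGD_UNITS="/usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service"

# 0 if none of the existing unit files mention udevadm. Missing files are skipped,
# as in the verification above (rngd-wake-threshold.service is absent in 6.15-1.el8).
units_free_of_udevadm() {
    local f
    for f in "$@"; do
        [ -e "$f" ] || continue
        grep -q 'udevadm' "$f" && return 1
    done
    return 0
}

# 0 if the journal text in file $1 records the privilege drop (wording from the bug).
journal_has_privdrop() { grep -q 'Process privileges have been dropped to' "$1"; }

# Given "ps -eo user=,comm=" output in file $1, 0 only if at least one rngd
# process exists and every rngd process runs as user $2 (default: daemon).
rngd_runs_as() {
    local psfile=$1 want=${2:-daemon}
    awk -v want="$want" '$2 == "rngd" { n++; if ($1 != want) bad++ }
                         END { exit (n == 0 || bad > 0) }' "$psfile"
}

# Poll journalctl for up to $1 seconds for entries since $2 ("YYYY-MM-DD HH:MM:SS").
# Restricting to --since avoids matching a drop line from an earlier start.
wait_for_privdrop() {
    local timeout=$1 since=$2 i=0 tmp
    tmp=$(mktemp)
    while [ "$i" -lt "$timeout" ]; do
        journalctl -u rngd.service --since "$since" --no-pager > "$tmp" 2>/dev/null
        if journal_has_privdrop "$tmp"; then rm -f "$tmp"; return 0; fi
        sleep 1; i=$((i + 1))
    done
    rm -f "$tmp"; return 1
}

# Constructed fixtures for an offline run. rngd.service carries the ExecStart seen
# in the ps output above; old.service is a made-up pre-6.15 style unit that still
# calls udevadm; the ps snapshots show rngd before and after the drop.
write_fixtures() {
    local d; d=$(mktemp -d)
    printf '[Service]\nExecStart=/usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon\n' > "$d/rngd.service"
    printf '[Service]\nExecStartPre=/usr/bin/udevadm settle\nExecStart=/usr/sbin/rngd -f\n' > "$d/old.service"
    printf 'May 10 12:26:20 host rngd[17885]: Process privileges have been dropped to 2:2\n' > "$d/journal.txt"
    printf 'root systemd\nroot rngd\n' > "$d/ps-before.txt"
    printf 'root systemd\ndaemon rngd\n' > "$d/ps-after.txt"
    echo "$d"
}

# The live procedure: steps 3, 4 and 6 of the test plan, with a readiness wait.
live_check() {
    local tmp since rc=0
    tmp=$(mktemp)
    # shellcheck disable=SC2086  # word splitting of RNGD_UNITS is intended
    units_free_of_udevadm $RNGD_UNITS || { echo "FAIL: a unit file still calls udevadm"; rc=1; }
    pwck -r >/dev/null 2>&1            || { echo "FAIL: pwck reports passwd/shadow problems"; rc=1; }
    since=$(date '+%Y-%m-%d %H:%M:%S')
    systemctl start rngd.service       || { echo "FAIL: rngd.service did not start"; rc=1; }
    if wait_for_privdrop 30 "$since"; then
        ps -eo user=,comm= > "$tmp"
        rngd_runs_as "$tmp" daemon     || { echo "FAIL: rngd is not running as daemon"; rc=1; }
    else
        echo "FAIL: no privilege drop logged within 30s"; rc=1
    fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo "PASS: rngd hardening checks"
    return "$rc"
}

case "${1:-}" in
    --live) live_check ;;
esac
```

pwck is run with -r (read-only) so it never prompts to edit /etc/passwd from a test script. The ps snapshot in the verification above was taken 5 seconds after start while rngd still ran as root and only logged the drop 7 seconds after start; waiting on the journal line rather than a fixed delay makes the ownership check deterministic.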

Comment 4 Vilém Maršík 2022-05-10 16:34:54 UTC
Looks good on RHEL-8.7.0-20220510.d.0:

#  userdel -r rngd
userdel: user 'rngd' does not exist
#  rm -f /etc/sysconfig/rngd*
# dnf install -y http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.15/1.el8/x86_64/rng-tools-6.15-1.el8.x86_64.rpm
(...)
# rpm -q selinux-policy
selinux-policy-3.14.3-98.el8.noarch
#  grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
grep: /usr/lib/systemd/system/rngd-wake-threshold.service: No such file or directory
# pwck
# dnf install -y wget
(...)
# wget http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.15/1.el8/src/rng-tools-6.15-1.el8.src.rpm
(...)
# rpm2cpio rng-tools-6.15-1.el8.src.rpm | cpio --extract --make-directories --no-absolute-filenames
329 blocks
# tar xvfz rng-tools-6.15.tar.gz
(...)
# cd rng-tools-6.15/tests
# vim rngtestzero.sh
# vim rngtestjitter.sh
# vim rngtesturandom.sh
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=6.209; avg=14.111; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=476.837; avg=538.343; max=544.957)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 3804 microseconds
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=6.209; avg=16.057; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=135.273; avg=158.589; max=165.856)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=35087719298.246; max=0.000)bits/s
rngtest: Program run time: 12856 microseconds
0
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=112.197; avg=575.543; max=733.596)Mibits/s
rngtest: FIPS tests speed: (min=113.533; avg=116.807; max=118.469)Mibits/s
rngtest: output channel speed: (min=9.313; avg=22.442; max=18.626)Gibits/s
rngtest: Program run time: 6358119 microseconds
killing
0
# systemctl start rngd ; sleep 5 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-05-10 12:26:13 EDT; 5s ago
 Main PID: 17885 (rngd)
    Tasks: 5 (limit: 49098)
   Memory: 4.1M
   CGroup: /system.slice/rngd.service
           └─17885 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon

May 10 12:26:13 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com systemd[1]: Started Hardware RNG Entropy Gatherer Daemon.
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: Disabling 7: PKCS11 Entropy generator (pkcs11)
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: Disabling 5: NIST Network Entropy Beacon (nist)
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: Initializing available sources
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: [hwrng ]: Initialized
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: [rdrand]: Enabling RDRAND rng support
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: [rdrand]: Initialized
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: [jitter]: Initializing AES buffer
root       17885       1 99 12:26 ?        00:00:19 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon
root       17896   16288  0 12:26 pts/0    00:00:00 grep --color=auto rngd
# journalctl | grep rngd | tail -n1
May 10 12:26:20 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: Process privileges have been dropped to 2:2

Comment 7 Vilém Maršík 2022-06-13 22:07:41 UTC
Similar results to https://bugzilla.redhat.com/show_bug.cgi?id=2075977#c8 on RHEL-8.7.0-20220613.d.0, waiting to clarify the low entropy under stress. Otherwise passed.

---


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    Package       : rng-tools
    Installed     : rng-tools-6.15-1.el8.x86_64
    beakerlib RPM : beakerlib-1.27-1.el8bkr.noarch
    bl-redhat RPM : beakerlib-redhat-1-33.el8bkr.noarch
    Test name     : /CoreOS/rng-tools/Sanity/hwrng
    Test version  : 1.0-12
    Test built    : 2020-06-02 10:01:33 EDT
    Test started  : 2022-06-13 17:39:16 EDT
    Test finished : 2022-06-13 17:44:49 EDT (still running)
    Test duration : 333 seconds
    Distro        : Red Hat Enterprise Linux release 8.7 Beta (Ootpa)
    Hostname      : intel-eaglestream-spr-04.khw1.lab.eng.bos.redhat.com
    Architecture  : x86_64
    CPUs          : 192 x Genuine Intel(R) CPU 0000%@
    RAM size      : 127858 MB
    HDD size      : 1783.61 GB

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test description
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

PURPOSE of /CoreOS/rng-tools/Sanity/hwrng
Description: Check hardware random number generator
Author: Jeff Bastian <jbastian>

This test verifies the hardware random number generator is working
with the rngtest tool, and that the kernel's entropy pool remains full
with rngd running.


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   basic daemon tests
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:39:16 ] :: [   PASS   ] :: Checking if stopped (Expected 3, got 3)
:: [ 17:39:16 ] :: [   PASS   ] :: Starting rngd daemon (Expected 0, got 0)
:: [ 17:39:16 ] :: [   PASS   ] :: Checking if started (Expected 0, got 0)
:: [ 17:39:21 ] :: [   PASS   ] :: Still running after 15s (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 5s
::   Assertions: 4 good, 0 bad
::   RESULT: PASS (basic daemon tests)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   options test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:39:23 ] :: [   PASS   ] :: foreground run OK
:: [ 17:39:23 ] :: [   PASS   ] :: background run OK
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 2s
::   Assertions: 2 good, 0 bad
::   RESULT: PASS (options test)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   rngtest
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:44:39 ] :: [   PASS   ] :: Running rngtest (Expected 0,1, got 0)
:: [ 17:44:39 ] :: [   INFO   ] :: Sending /var/tmp/rlRun_LOG.FZ4XpMUE as rngtest.out
:: [ 17:44:39 ] :: [   LOG    ] :: File '/tmp/tmp.d63V5Q1IjA/rngtest.out' stored here: /var/tmp/BEAKERLIB_STORED_rngtest.out
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 316s
::   Assertions: 1 good, 0 bad
::   RESULT: PASS (rngtest)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   entropy-pool
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:44:39 ] :: [   PASS   ] :: Starting rngd.service (Expected 0, got 0)
:: [ 17:44:39 ] :: [   PASS   ] :: rngd.service is active (Expected 0, got 0)
:: [ 17:44:39 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "2102" should be greater than "2047")
:: [ 17:44:40 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "1080" should be greater than "2047")
:: [ 17:44:41 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "61" should be greater than "2047")
:: [ 17:44:42 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3971" should be greater than "2047")
:: [ 17:44:43 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3330" should be greater than "2047")
:: [ 17:44:44 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3971" should be greater than "2047")
:: [ 17:44:45 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3899" should be greater than "2047")
:: [ 17:44:46 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3971" should be greater than "2047")
:: [ 17:44:47 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3971" should be greater than "2047")
:: [ 17:44:48 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3395" should be greater than "2047")
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 10s
::   Assertions: 10 good, 2 bad
::   RESULT: FAIL (entropy-pool)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   /CoreOS/rng-tools/Sanity/hwrng
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:44:49 ] :: [   LOG    ] :: JOURNAL XML: /var/tmp/beakerlib-lOjWxIB/journal.xml
:: [ 17:44:49 ] :: [   LOG    ] :: JOURNAL TXT: /var/tmp/beakerlib-lOjWxIB/journal.txt
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 333s
::   Phases: 3 good, 1 bad
::   OVERALL RESULT: FAIL (/CoreOS/rng-tools/Sanity/hwrng)

[root@intel-eaglestream-spr-04 rng-tools]# rngd -l
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
5: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
0: Hardware RNG Device (hwrng)
2: Intel RDRAND Instruction RNG (rdrand)
6: JITTER Entropy generator (jitter)
Available entropy sources that failed initalization:

[root@intel-eaglestream-spr-04 rng-tools]# time rngd -f -x tpm -x nist -x hwrng -x rdrand -n jitter -o /dev/stdout > /tmp/entropy
Disabling 1: TPM RNG Device (tpm)
Disabling 5: NIST Network Entropy Beacon (nist)
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Enabling 6: JITTER Entropy generator (jitter)
Initializing available sources
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
^C[jitter]: Shutting down

real    1m44.267s
user    8m25.563s
sys     0m13.200s
[root@intel-eaglestream-spr-04 rng-tools]# ls -lh /tmp/entropy
-rw-r--r--. 1 root root 1.8G Jun 13 17:59 /tmp/entropy
[root@intel-eaglestream-spr-04 rng-tools]# cat /tmp/entropy | rngtest
rngtest 6.15
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: entropy source drained
rngtest: bits received from input: 15345926656
rngtest: FIPS 140-2 successes: 766964
rngtest: FIPS 140-2 failures: 332
rngtest: FIPS 140-2(2001-10-10) Monobit: 65
rngtest: FIPS 140-2(2001-10-10) Poker: 71
rngtest: FIPS 140-2(2001-10-10) Runs: 196
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 1
rngtest: input channel speed: (min=3.104; avg=23.084; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=99.861; avg=171.186; max=178.257)Mibits/s
rngtest: Program run time: 86162305 microseconds
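
A re-run of the "entropy-pool" phase that separates start-up samples from steady-state ones, plus a parser for the rngtest summary. This is an added example, not code from the bug, the beakerlib test or rng-tools. It tags each entropy_avail sample with whether rngd had already logged its privilege drop (the last start-up line in the verification above), so the threshold is only asserted on samples taken after rngd is fully initialised. The 2048 threshold, the ten sample values and the rngtest counters are taken from the protocol above; the ready/not-ready marking of those samples is constructed and assumes the early samples were taken during start-up.

```shell
#!/bin/bash
# Added example, not part of bug 2075974 or the /CoreOS/rng-tools/Sanity/hwrng
# test: entropy_avail sampling with start-up samples marked separately, and a
# parser for rngtest's FIPS 140-2 counters. Run with --live on a RHEL 8 host.
set -u

ENTROPY_AVAIL=/proc/sys/kernel/random/entropy_avail

# Sample entropy_avail once a second for $1 seconds into file $2 as "<ready> <bits>".
# ready flips to 1 once rngd has logged the privilege drop since time $3.
sample_entropy() {
    local n=$1 out=$2 since=$3 i=0 ready=0
    : > "$out"
    while [ "$i" -lt "$n" ]; do
        if [ "$ready" -eq 0 ] && journalctl -u rngd.service --since "$since" --no-pager 2>/dev/null \
                | grep -q 'Process privileges have been dropped'; then
            ready=1
        fi
        printf '%d %s\n' "$ready" "$(cat "$ENTROPY_AVAIL")" >> "$out"
        sleep 1; i=$((i + 1))
    done
}

# Print how many samples in file $2 are below threshold $1.
# $3 = "ready" (default) counts only samples taken after rngd was ready; "all" counts every sample.
count_below() {
    awk -v thr="$1" -v mode="${3:-ready}" \
        '(mode == "all" || $1 == 1) && $2 < thr { n++ } END { print n + 0 }' "$2"
}

# Print "<failures> <blocks> <failure-percent>" from an rngtest summary in file $1.
rngtest_summary() {
    awk '/FIPS 140-2 successes:/ { s = $NF } /FIPS 140-2 failures:/ { f = $NF }
         END { t = s + f; printf "%d %d %.4f\n", f, t, (t ? 100 * f / t : 0) }' "$1"
}

# Constructed fixtures: the ten entropy_avail values from the protocol above
# (first three marked as start-up samples, an assumption of this example) and
# the rngtest counters from the 1.8G jitter run.
write_samples() {
    local d; d=$(mktemp -d)
    printf '0 2102\n0 1080\n0 61\n1 3971\n1 3330\n1 3971\n1 3899\n1 3971\n1 3971\n1 3395\n' > "$d/entropy.txt"
    cat > "$d/rngtest.txt" <<'EOF'
rngtest: bits received from input: 15345926656
rngtest: FIPS 140-2 successes: 766964
rngtest: FIPS 140-2 failures: 332
rngtest: FIPS 140-2(2001-10-10) Monobit: 65
EOF
    echo "$d"
}

live_check() {
    local tmp since bad
    tmp=$(mktemp)
    since=$(date '+%Y-%m-%d %H:%M:%S')
    systemctl start rngd.service || { rm -f "$tmp"; return 1; }
    sample_entropy 20 "$tmp" "$since"
    echo "samples taken before rngd was ready: $(awk '$1 == 0' "$tmp" | wc -l)"
    bad=$(count_below 2048 "$tmp" ready)
    echo "steady-state samples below 2048: $bad"
    rm -f "$tmp"
    [ "$bad" -eq 0 ]
}

case "${1:-}" in
    --live) live_check ;;
esac
```

The 2048-bit threshold only makes sense on the RHEL 8 kernel, whose /proc/sys/kernel/random/entropy_avail ranges up to 4096 as the values above show; on kernels from 5.18 onward that file tops out at 256, so the same assertion would fail unconditionally there. For the rngtest side, the summary for the run above comes out as 332 failing blocks out of 767296, i.e. about 0.043%; a small non-zero failure count is expected from the FIPS 140-2 statistical tests on any source, which is why rngtestjitter.sh checks the exit status rather than demanding zero failures.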

Comment 9 Vilém Maršík 2022-06-29 17:19:02 UTC
The only failure in the test was probably caused by slow rngd startup; considering it a success. Setting verified.

Comment 11 errata-xmlrpc 2022-11-08 10:47:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7710