Bug 2075977
Summary: | [RHEL-9.1] update rng-tools to 6.15 + latest fixes
---|---
Product: | Red Hat Enterprise Linux 9
Component: | rng-tools
Status: | CLOSED ERRATA
Severity: | medium
Priority: | medium
Version: | 9.1
Target Milestone: | rc
Target Release: | 9.1
Hardware: | All
OS: | Linux
Reporter: | Vladis Dronov <vdronov>
Assignee: | Vladis Dronov <vdronov>
QA Contact: | Vilém Maršík <vmarsik>
CC: | core-kernel-mgr, dbohanno
Keywords: | Rebase, Triaged, ZStream
Fixed In Version: | rng-tools-6.15-1.el9
Doc Type: | If docs needed, set a value
Story Points: | ---
: | 2077036
Last Closed: | 2022-11-15 11:16:12 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
Category: | ---
oVirt Team: | ---
Cloudforms Team: | ---
Bug Depends On: | 2076642
Bug Blocks: | 2077036

Description
Vladis Dronov
2022-04-16 19:44:52 UTC

[CI] [GATING] [DONE] rng-tools-6.15-1.el9 passed gating because all required tests passed

koji: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1114004
brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=45148226
osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/45148226

a test plan:

0) ensure no config and 'rngd' user exists from previous installations

    # userdel -r rngd
    # rm -f /etc/sysconfig/rngd*

1) grab rngd daemon and jitterentropy lib packages from brew via links above and in bz2075978#c3.

2) install both. please, note this release requires selinux-policy >= 34.1.31-2, it is available in the latest 9.1 composes.

3) verify that both service files DO NOT contain "udevadm" command:

    # grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
    <none>

4) this release does not create any new user/group. still, check that pwck is fine after installation.

    # pwck

5) optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked, then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of "rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all three should return 0:

    # ./rngtestzero.sh ; echo $?
    # ./rngtesturandom.sh ; echo $?
    # ./rngtestjitter.sh ; echo $?

6) start a service and ensure a process is run as 'daemon' user and a log contains "dropping privileges" line:
a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

    systemctl start rngd ; sleep 5 ; systemctl status rngd ; ps -ef | grep rngd

7) clean up

    # dnf -y erase rng-tools jitterentropy
    # rm -f rng-tools*rpm

Looks good in RHEL-9.1.0-20220510.d.0:

    # userdel -r rngd
    userdel: user 'rngd' does not exist
    # rm -f /etc/sysconfig/rngd*
    # dnf install wget tar http://download.eng.bos.redhat.com/brewroot/work/tasks/4381/44874381/jitterentropy-3.4.0-1.el9.x86_64.rpm http://download.eng.bos.redhat.com/brewroot/work/tasks/8233/45148233/rng-tools-6.15-1.el9.x86_64.rpm
    (...)
    # rpm -q selinux-policy
    selinux-policy-34.1.31-2.el9.noarch
    # grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
    grep: /usr/lib/systemd/system/rngd-wake-threshold.service: No such file or directory
    # pwck
    # wget http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.15/1.el9/src/rng-tools-6.15-1.el9.src.rpm
    (...)
    # rpm2cpio rng-tools-6.15-1.el9.src.rpm | cpio --extract --make-directories --no-absolute-filenames
    158 blocks
    # tar xvfz rng-tools-6.15.tar.gz
    (...)
    # cd rng-tools-6.15/tests/
    # vim rngtestzero.sh
    # vim rngtestjitter.sh
    # vim rngtesturandom.sh
    # ./rngtestzero.sh ; echo $?
    rngtest: bits received from input: 2000064
    rngtest: bits sent to output: 0
    rngtest: FIPS 140-2 successes: 0
    rngtest: FIPS 140-2 failures: 100
    rngtest: FIPS 140-2(2001-10-10) Monobit: 100
    rngtest: FIPS 140-2(2001-10-10) Poker: 100
    rngtest: FIPS 140-2(2001-10-10) Runs: 100
    rngtest: FIPS 140-2(2001-10-10) Long run: 100
    rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
    rngtest: input channel speed: (min=1.330; avg=6.559; max=9.313)Gibits/s
    rngtest: FIPS tests speed: (min=340.598; avg=867.766; max=953.674)Mibits/s
    rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
    rngtest: Program run time: 2724 microseconds
    0
    # ./rngtestjitter.sh ; echo $?
    Disabling 0: Hardware RNG Device (hwrng)
    Disabling 2: Intel RDRAND Instruction RNG (rdrand)
    Disabling 1: TPM RNG Device (tpm)
    Initializing available sources
    [jitter]: Initializing AES buffer
    [jitter]: Enabling JITTER rng support
    [jitter]: Initialized
    rngtest: bits received from input: 2000064
    rngtest: bits sent to output: 2000000
    rngtest: FIPS 140-2 successes: 100
    rngtest: FIPS 140-2 failures: 0
    rngtest: FIPS 140-2(2001-10-10) Monobit: 0
    rngtest: FIPS 140-2(2001-10-10) Poker: 0
    rngtest: FIPS 140-2(2001-10-10) Runs: 0
    rngtest: FIPS 140-2(2001-10-10) Long run: 0
    rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
    rngtest: input channel speed: (min=140.246; avg=408.513; max=476.837)Mibits/s
    rngtest: FIPS tests speed: (min=164.427; avg=173.854; max=176.606)Mibits/s
    rngtest: output channel speed: (min=18.626; avg=30.043; max=18.626)Gibits/s
    rngtest: Program run time: 3502982 microseconds
    killing
    0
    # ./rngtesturandom.sh ; echo $?
    rngtest: bits received from input: 2000064
    rngtest: bits sent to output: 2000000
    rngtest: FIPS 140-2 successes: 100
    rngtest: FIPS 140-2 failures: 0
    rngtest: FIPS 140-2(2001-10-10) Monobit: 0
    rngtest: FIPS 140-2(2001-10-10) Poker: 0
    rngtest: FIPS 140-2(2001-10-10) Runs: 0
    rngtest: FIPS 140-2(2001-10-10) Long run: 0
    rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
    rngtest: input channel speed: (min=4.657; avg=7.481; max=18.626)Gibits/s
    rngtest: FIPS tests speed: (min=134.320; avg=187.898; max=205.091)Mibits/s
    rngtest: output channel speed: (min=18.626; avg=28.222; max=18.626)Gibits/s
    rngtest: Program run time: 11436 microseconds
    0
    # systemctl start rngd ; sleep 5 ; systemctl status rngd ; ps -ef | grep rngd
    ● rngd.service - Hardware RNG Entropy Gatherer Daemon
         Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
         Active: active (running) since Tue 2022-05-10 13:46:25 EDT; 5s ago
       Main PID: 19769 (rngd)
          Tasks: 5 (limit: 203004)
         Memory: 4.9M
            CPU: 19.922s
         CGroup: /system.slice/rngd.service
                 └─19769 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon

    May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: Disabling 7: PKCS11 Entropy generator (pkcs11)
    May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: Disabling 5: NIST Network Entropy Beacon (nist)
    May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: Initializing available sources
    May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [hwrng ]: Initialization Failed
    May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [rdrand]: Enabling RDRAND rng support
    May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [rdrand]: Initialized
    May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [jitter]: Initializing AES buffer
    May 10 13:46:28 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [jitter]: Enabling JITTER rng support
    May 10 13:46:28 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [jitter]: Initialized
    May 10 13:46:28 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: Process privileges have been dropped to 2:2
    daemon 19769 1 99 13:46 ? 00:00:20 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon
    root 19780 19003 0 13:46 pts/0 00:00:00 grep --color=auto rngd

Mostly working on RHEL-9.1.0-20220613.d.0 with kernel 5.14.0-105.kpq0.el9.x86_64 and rng-tools-6.15-1.el9.x86_64, but the entropy gets rather low when used, however it does reach zero. Is this still okay?

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   TEST PROTOCOL
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

        Package       : rng-tools
        Installed     : rng-tools-6.15-1.el9.x86_64
        beakerlib RPM : beakerlib-1.27-1.el9.noarch
        bl-redhat RPM : beakerlib-redhat-1-30.el9.noarch
        Test name     : /CoreOS/rng-tools/Sanity/hwrng
        Test version  : 1.0-12
        Test built    : 2020-06-02 10:01:33 EDT
        Test started  : 2022-06-13 16:37:30 EDT
        Test finished : 2022-06-13 16:43:01 EDT (still running)
        Test duration : 331 seconds
        Distro        : Red Hat Enterprise Linux release 9.1 Beta (Plow)
        Hostname      : intel-eaglestream-spr-04.khw1.lab.eng.bos.redhat.com
        Architecture  : x86_64
        CPUs          : 192 x Genuine Intel(R) CPU 0000%@
        RAM size      : 127596 MB
        HDD size      : 1783.61 GB

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   Test description
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    PURPOSE of /CoreOS/rng-tools/Sanity/hwrng
    Description: Check hardware random number generator
    Author: Jeff Bastian <jbastian>

    This test verifies the hardware random number generator is working
    with the rngtest tool, and that the kernel's entropy pool remains
    full with rngd running.

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   basic daemon tests
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: [ 16:37:31 ] :: [ PASS ] :: Checking if stopped (Expected 3, got 3)
    :: [ 16:37:31 ] :: [ PASS ] :: Starting rngd daemon (Expected 0, got 0)
    :: [ 16:37:31 ] :: [ PASS ] :: Checking if started (Expected 0, got 0)
    :: [ 16:37:36 ] :: [ PASS ] :: Still running after 15s (Expected 0, got 0)
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   Duration: 5s
    ::   Assertions: 4 good, 0 bad
    ::   RESULT: PASS (basic daemon tests)

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   options test
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: [ 16:37:38 ] :: [ PASS ] :: foreground run OK
    :: [ 16:37:38 ] :: [ PASS ] :: background run OK
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   Duration: 2s
    ::   Assertions: 2 good, 0 bad
    ::   RESULT: PASS (options test)

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   rngtest
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: [ 16:42:51 ] :: [ PASS ] :: Running rngtest (Expected 0,1, got 0)
    :: [ 16:42:51 ] :: [ INFO ] :: Sending /var/tmp/rlRun_LOG.ml3kEs69 as rngtest.out
    :: [ 16:42:51 ] :: [ LOG ] :: File '/tmp/tmp.wkQGeAaaFz/rngtest.out' stored here: /var/tmp/BEAKERLIB_STORED_rngtest.out
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   Duration: 313s
    ::   Assertions: 1 good, 0 bad
    ::   RESULT: PASS (rngtest)

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   entropy-pool
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: [ 16:42:51 ] :: [ PASS ] :: Starting rngd.service (Expected 0, got 0)
    :: [ 16:42:51 ] :: [ PASS ] :: rngd.service is active (Expected 0, got 0)
    :: [ 16:42:51 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "67" should be greater than "2047")
    :: [ 16:42:52 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "69" should be greater than "2047")
    :: [ 16:42:53 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "75" should be greater than "2047")
    :: [ 16:42:54 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
    :: [ 16:42:55 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
    :: [ 16:42:56 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
    :: [ 16:42:57 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
    :: [ 16:42:58 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
    :: [ 16:42:59 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
    :: [ 16:43:00 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   Duration: 10s
    ::   Assertions: 2 good, 10 bad
    ::   RESULT: FAIL (entropy-pool)

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   /CoreOS/rng-tools/Sanity/hwrng
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: [ 16:43:01 ] :: [ LOG ] :: JOURNAL XML: /var/tmp/beakerlib-zt8MTKy/journal.xml
    :: [ 16:43:01 ] :: [ LOG ] :: JOURNAL TXT: /var/tmp/beakerlib-zt8MTKy/journal.txt
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::   Duration: 331s
    ::   Phases: 3 good, 1 bad
    ::   OVERALL RESULT: FAIL (/CoreOS/rng-tools/Sanity/hwrng)

    [root@intel-eaglestream-spr-04 hwrng]# rngd -l
    Entropy sources that are available but disabled
    1: TPM RNG Device (tpm)
    5: NIST Network Entropy Beacon (nist)
    Available and enabled entropy sources:
    0: Hardware RNG Device (hwrng)
    2: Intel RDRAND Instruction RNG (rdrand)
    6: JITTER Entropy generator (jitter)
    Available entropy sources that failed initalization:

(In reply to Vilém Maršík from comment #8)
> Mostly working on RHEL-9.1.0-20220613.d.0 with kernel
> 5.14.0-105.kpq0.el9.x86_64 and rng-tools-6.15-1.el9.x86_64, but the entropy
> gets rather low when used, however it does reach zero. Is this still okay?
>
> :: [ 16:42:51 ] :: [ PASS ] :: rngd.service is active (Expected 0, got 0)
> :: [ 16:42:51 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "67" should be greater than "2047")
> :: [ 16:42:52 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "69" should be greater than "2047")
> :: [ 16:42:53 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "75" should be greater than "2047")
> :: [ 16:42:54 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
> :: [ 16:42:55 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
> :: [ 16:43:00 ] :: [ FAIL ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")

Hi, Vilem,

Thanks for testing. In short, the above is expected on RHEL9 and I guess, a test can be adjusted to conform to new RHEL9 behavior.

In long, there is a combination of factors.

1) jitter-entropy source takes several seconds to start. So rngd does not feed the entropy pool immediately at startup. This explains behavior at seconds 42:51-42:53.

2) RHEL9 has changed entropy pool size from 4096 to 256:

    (rhel9)# cat /proc/sys/kernel/random/poolsize
    256

in a commit 6e8ec2552c7d ("random: use computational hash for entropy extraction"), BLAKE2S_HASH_SIZE is exactly 32:

    - POOL_BITS = POOL_BYTES * 8,
    + POOL_BITS = BLAKE2S_HASH_SIZE * 8,

this was backported to C9S/RHEL9 via: https://bugzilla.redhat.com/2079030

So if rngd is run with --fill-watermark=0 / -W 0 as by default in RHEL8/9, /proc/sys/kernel/random/write_wakeup_threshold is not adjusted and remains equal to /proc/sys/kernel/random/poolsize, i.e. 256. This is exactly what our test log shows.

If rngd is run with --fill-watermark=N / -W N, then write_wakeup_threshold is set to N. If rngd is run without these, then write_wakeup_threshold is set to 3/4 of poolsize.

Thanks for commenting, have fixed the testsuite. Setting the bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8308
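
The threshold rules given in the reply to comment #8, applied to the entropy_avail samples from the failing entropy-pool phase. This is an added example, not code from the bug report, the test suite or rng-tools; the function names, the three-sample warm-up allowance and the use of the expected write_wakeup_threshold as the test floor are assumptions made here.

```shell
#!/bin/sh
# Added example; not part of the bug report or of rng-tools.

# expected_threshold POOLSIZE [WATERMARK]
# WATERMARK is the value passed to rngd -W / --fill-watermark; leave it
# out for an rngd started without that option.
expected_threshold() {
    pool=$1
    wm=${2-}
    if [ -z "$wm" ]; then
        echo $(( pool * 3 / 4 ))   # option absent: 3/4 of poolsize
    elif [ "$wm" -eq 0 ]; then
        echo "$pool"               # -W 0: threshold stays at poolsize
    else
        echo "$wm"                 # -W N: threshold set to N
    fi
}

# count_below FLOOR WARMUP SAMPLE...
# Prints how many entropy_avail samples are below FLOOR, ignoring the
# first WARMUP samples (jitter source still initializing).
count_below() {
    floor=$1
    warmup=$2
    shift 2
    seen=0
    bad=0
    for sample in "$@"; do
        seen=$(( seen + 1 ))
        if [ "$seen" -gt "$warmup" ] && [ "$sample" -lt "$floor" ]; then
            bad=$(( bad + 1 ))
        fi
    done
    echo "$bad"
}

# live_floor [DIR]: floor for this host, assuming rngd runs with -W 0.
live_floor() {
    expected_threshold "$(cat "${1:-/proc/sys/kernel/random}/poolsize")" 0
}

# entropy_avail values from the failing test log above, one per second.
SAMPLES="67 69 75 256 256 256 256 256 256 256"

# shellcheck disable=SC2086  # SAMPLES is split into words on purpose
echo "floor 2048: $(count_below 2048 0 $SAMPLES) of 10 samples below"
# shellcheck disable=SC2086
echo "floor $(expected_threshold 256 0), 3 s warm-up: $(count_below 256 3 $SAMPLES) below"
```
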
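
Step 6 of the test plan reads the user from `ps -ef`, which shows only the effective UID. The added example below (not from the bug report or rng-tools; function names and sample data are constructed here) also checks the real, saved and filesystem IDs in a /proc/<pid>/status file, together with the privilege-drop log message.

```shell
#!/bin/sh
# Added example; not part of the bug report or of rng-tools.

# ids_match STATUS_FILE UID GID
# Succeeds only if all four IDs (real, effective, saved, filesystem) on
# the Uid: and Gid: lines of a /proc/<pid>/status file equal UID and GID.
ids_match() {
    awk -v u="$2" -v g="$3" '
        $1 == "Uid:" { uid_ok = ($2 == u && $3 == u && $4 == u && $5 == u) }
        $1 == "Gid:" { gid_ok = ($2 == g && $3 == g && $4 == g && $5 == g) }
        END { exit !(uid_ok && gid_ok) }
    ' "$1"
}

# drop_logged LOG_FILE UID GID
# Succeeds if the log holds rngd's privilege-drop message for UID:GID.
drop_logged() {
    grep -q "Process privileges have been dropped to $2:$3\$" "$1"
}

# sample_check: runs both checks on constructed data, prints PASS or FAIL.
sample_check() {
    tmp=$(mktemp -d) || return 2
    # Constructed status excerpt: every ID is 2, matching "dropped to 2:2".
    printf 'Name:\trngd\nUid:\t2\t2\t2\t2\nGid:\t2\t2\t2\t2\n' > "$tmp/full"
    # Constructed counter-case: effective UID 2, real and saved UID still 0.
    # ps -ef would list this process as "daemon" too.
    printf 'Name:\trngd\nUid:\t0\t2\t0\t2\nGid:\t2\t2\t2\t2\n' > "$tmp/partial"
    # Message text as in the log above; the rest of the line is shortened.
    echo 'rngd[19769]: Process privileges have been dropped to 2:2' > "$tmp/log"
    if ids_match "$tmp/full" 2 2 && drop_logged "$tmp/log" 2 2 \
        && ! ids_match "$tmp/partial" 2 2; then
        result=PASS
    else
        result=FAIL
    fi
    rm -rf "$tmp"
    echo "$result"
}

sample_check
```

On a live host, `ids_match /proc/$(pidof rngd)/status 2 2` applies the first check to the running daemon.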