Bug 2124602
Summary: | [RHEL-8.8] update rng-tools to 6.15@6dcc9ec2 and jitterentropy to 3.4.1@4544e113 | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Vladis Dronov <vdronov> |
Component: | rng-tools | Assignee: | Vladis Dronov <vdronov> |
Status: | CLOSED ERRATA | QA Contact: | Vilém Maršík <vmarsik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 8.8 | CC: | rparrazo, vmarsik |
Target Milestone: | rc | Keywords: | Rebase, Triaged |
Target Release: | 8.8 | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | rng-tools-6.15-2.el8 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2023-05-16 09:03:32 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Vladis Dronov
2022-09-06 15:14:12 UTC
[CI] [GATING] [DONE] rng-tools-6.15-2.el8 passed gating because all required tests passed

jit+rng 8.8 brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48143786
jit+rng 8.8 osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48143786
x86_64 rpm: http://download.eng.bos.redhat.com/brewroot/work/tasks/3547/48143547/rng-tools-6.15-2.el8.x86_64.rpm
src rpm: http://download.eng.bos.redhat.com/brewroot/work/tasks/3787/48143787/rng-tools-6.15-2.el8.src.rpm

a test plan:

0) ensure no previous installation and no config and 'rngd' user exists from previous installations

# rpm -e rng-tools
# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon package and a source package from brew via links above

2) install it. please, note this release requires selinux-policy >= 3.14.3-98, it is available in the latest 8.7 composes.

3) verify that a service file DOES NOT contain "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service
<none>

4) verify qrypt is disabled in a config file:

# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"

5) this release does not create any new user/group. still, check that pwck is fine after installation.

# pwck

6) start a service and ensure a process is run as daemon user and a log contains "Process privileges have been dropped" line: a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd

7) [ RUN THIS AFTER STARTING rngd SERVICE AS DESCRIBED IN (6) ABOVE ] optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked, then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of "rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all three should return 0:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?

8) clean up

# systemctl stop rngd
# dnf -y erase rng-tools
# rm -f rng-tools*rpm

Thanks for providing the test plan. What is your question?

No question. As we've agreed at the latest meeting we track bugzilla progress in a bugzilla itself. So I set needinfo to you when my part is done and I hand over a bugzilla to you for testing or verification or when any further actions are needed from your side.

Okay, will let you know when testing is finished.

Thanks, Vilem, most appreciated.

Looks okay on RHEL-8.8.0-20221006.0 :

# rpm -e rng-tools
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# rpm -i http://download.eng.bos.redhat.com/brewroot/vol/rhel-8/packages/rng-tools/6.15/2.el8/x86_64/rng-tools-6.15-2.el8.x86_64.rpm
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2022-10-06 19:18:33 EDT; 10s ago
(...)
Oct 06 19:18:34 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[19961]: Process privileges have been dropped to 2:2
(...)
daemon 19961 1 99 19:18 ? 00:00:18 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=3.725; avg=8.828; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=167.311; avg=194.926; max=202.909)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=52631578947.368; max=0.000)bits/s
rngtest: Program run time: 10163 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=1.433; avg=7.761; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=489.064; avg=1214.872; max=1467.191)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 1882 microseconds
0
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 60 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=346.791; avg=462.163; max=560.985)Mibits/s
rngtest: FIPS tests speed: (min=185.179; avg=195.185; max=200.774)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=55555555555.556; max=0.000)bits/s
rngtest: Program run time: 1563073 microseconds
killing
0

Thanks for the testing, Vilem!

rng-tools-6.15-2.el8.x86_64 passed tests on RHEL-8.8.0-20221204.2 kernel 4.18.0-441.el8.x86_64:

# rpm -e rng-tools
error: package rng-tools is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# dnf install rng-tools
(...)
Installed: rng-tools-6.15-2.el8.x86_64
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-12-05 16:54:00 EST; 10s ago
 Main PID: 6969 (rngd)
    Tasks: 5 (limit: 3297041)
   Memory: 2.7M
   CGroup: /system.slice/rngd.service
           └─6969 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Disabling 9: Qrypt quantum entropy beacon (qrypt)
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Initializing available sources
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [hwrng ]: Initialization Failed
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [rdrand]: Enabling RDSEED rng support
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [rdrand]: Initialized
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: JITTER timeout set to 5 sec
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Initializing AES buffer
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Enabling JITTER rng support
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Initialized
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Process privileges have been dropped to 2:2
daemon 6969 1 99 16:53 ? 00:00:18 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
root 6982 6497 0 16:54 pts/0 00:00:00 grep --color=auto rngd
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=11.642; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=165.856; avg=197.776; max=205.091)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=250000000000.000; max=0.000)bits/s
rngtest: Program run time: 10041 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=6.209; avg=17.247; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=489.064; avg=954.629; max=1467.191)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2204 microseconds
0
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 60 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=544.957; avg=870.538; max=9536.743)Mibits/s
rngtest: FIPS tests speed: (min=178.257; avg=195.185; max=198.682)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=95238095238.095; max=0.000)bits/s
rngtest: Program run time: 1559944 microseconds
killing
0

Just one question - why does the title want rng-tools-6.16, while we have rng-tools-6.15-2 ? Otherwise verified.

(In reply to Vilém Maršík from comment #14)
> Just one question - why does the title want rng-tools-6.16, while we have rng-tools-6.15-2 ?

updated the bz title, thanks. unfortunately we would need another important update in 8.8/9.2 due to a crash: bz2140043, bz2141379.

Thanks, setting this one verified.

thanks, Vilem, your help is most appreciated. i'm sorry for another rngd update, unfortunately, we just cannot release a version which crashes (even only on s390x).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2959
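
The file checks from steps 3, 4 and 6 of the test plan, collected into one script as an added example (not code from this report or from rng-tools). The function names, the directory layout passed to `run_checks` and the sample file contents are assumptions, constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: steps 3, 4 and 6 of the test plan as checks on saved files.

# Step 3: the unit file must exist and must not call udevadm.
check_no_udevadm() {
    [ -r "$1" ] && ! grep -q udevadm "$1"
}

# Step 4: RNGD_ARGS must carry "-x qrypt" and a "-D user:group" privilege drop.
check_rngd_args() {
    args=$(sed -n 's/^RNGD_ARGS="\(.*\)"$/\1/p' "$1")
    qrypt=no; drop=no; prev=
    for a in $args; do
        if [ "$prev" = "-x" ] && [ "$a" = "qrypt" ]; then qrypt=yes; fi
        case "$prev $a" in "-D "?*:?*) drop=yes ;; esac
        prev=$a
    done
    [ "$qrypt" = yes ] && [ "$drop" = yes ]
}

# Step 6: the log must record a privilege drop to a non-zero uid ...
check_drop_logged() {
    uid=$(sed -n 's/.*Process privileges have been dropped to \([0-9][0-9]*\):[0-9][0-9]*.*/\1/p' "$1" | tail -n 1)
    [ -n "$uid" ] && [ "$uid" != 0 ]
}

# ... and every rngd process in saved `ps -ef` output must be non-root.
check_rngd_not_root() {
    awk '$8 ~ /(^|\/)rngd$/ { n++; if ($1 == "root") bad++ }
         END { exit !(n > 0 && bad == 0) }' "$1"
}

# Constructed sample files, modelled on the output quoted in this report.
make_samples() {
    printf '[Service]\nExecStart=/usr/sbin/rngd -f $RNGD_ARGS\n' > "$1/rngd.service"
    printf 'RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"\n' > "$1/rngd"
    printf 'rngd[6969]: Process privileges have been dropped to 2:2\n' > "$1/log"
    printf '%s\n' 'daemon 6969 1 99 16:53 ? 00:00:18 /usr/sbin/rngd -f' 'root 6982 6497 0 16:54 pts/0 00:00:00 grep rngd' > "$1/ps"
}

# Run all four checks on a directory of saved files; non-zero on any FAIL.
run_checks() {
    rc=0
    for c in "check_no_udevadm $1/rngd.service" "check_rngd_args $1/rngd" \
             "check_drop_logged $1/log" "check_rngd_not_root $1/ps"; do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

tmp=$(mktemp -d); make_samples "$tmp"; run_checks "$tmp"; rm -rf "$tmp"
```

On a real host, point each function at `/usr/lib/systemd/system/rngd.service`, `/etc/sysconfig/rngd`, and files holding the saved `systemctl status rngd` and `ps -ef` output.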