Bug 2124605

Summary: [RHEL-9.2] update rng-tools to 6.15@6dcc9ec2
Product: Red Hat Enterprise Linux 9
Reporter: Vladis Dronov <vdronov>
Component: rng-tools
Assignee: Vladis Dronov <vdronov>
Status: CLOSED ERRATA
QA Contact: Vilém Maršík <vmarsik>
Severity: medium
Priority: medium
Version: 9.2
CC: core-kernel-mgr, vmarsik
Target Milestone: rc
Keywords: Rebase, Triaged
Target Release: 9.2
Hardware: All
OS: Linux
Fixed In Version: rng-tools-6.15-2.el9
Last Closed: 2023-05-09 08:15:43 UTC
Type: Bug

Description Vladis Dronov 2022-09-06 15:19:35 UTC
update rng-tools to 6.16. the previous bugzilla is bz2075977.

upstream: https://github.com/nhorman/rng-tools/
fedora: https://src.fedoraproject.org/rpms/rng-tools/

Comment 2 Vladis Dronov 2022-10-06 16:25:22 UTC
a test plan:

0) ensure no previous installation and no config and 'rngd' user exists from previous installations

# rpm -e rng-tools jitterentropy
# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon and jitterentropy lib packages and rngd daemon source rpms from brew via links above

2) install both. please, note this release requires selinux-policy >= 34.1.31-2, it is available in the latest 9.1 composes.

3) verify that a service file does NOT contain "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service
<none>

4) verify qrypt is disabled in a config file:

# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"

5) this release does not create any new user/group. still, check that pwck is fine after installation.

# pwck

6) start a service and ensure a process is run as daemon user and a log contains "Process privileges have been dropped" line:
a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd

7) [ RUN THIS AFTER STARTING rngd SERVICE AS DESCRIBED IN (6) ABOVE ]
optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked,
then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of
"rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all
three should return 0:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?

8) clean up

# systemctl stop rngd
# dnf -y erase rng-tools jitterentropy
# rm -f rng-tools*rpm jitterentropy*rpm
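
Checks (3), (4) and (6) of the test plan above, written as an added shell example that runs offline on text samples; it is not part of the original comment or of rng-tools. The function names, the unit-file lines and the BAD_* samples are constructed for illustration; the config and log lines are the ones quoted on this page.

```shell
#!/bin/sh
# Offline versions of test-plan checks (3), (4) and (6). Function names and
# the BAD_* samples are constructed for this example.

unit_has_no_udevadm() {            # (3) $1 = unit file text
    ! printf '%s\n' "$1" | grep -q 'udevadm'
}
rngd_args() {                      # $1 = /etc/sysconfig/rngd text
    printf '%s\n' "$1" | sed -n 's/^RNGD_ARGS="\(.*\)"$/\1/p'
}
excludes_source() {                # (4) $1 = args, $2 = entropy source name
    case " $1 " in *" -x $2 "*) return 0 ;; *) return 1 ;; esac
}
drop_target() {                    # print the user:group that follows -D
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "-D" ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    return 1
}
privileges_dropped() {             # (6) $1 = journal text; uid and gid must be non-zero
    ids=$(printf '%s\n' "$1" | sed -n \
        's/.*Process privileges have been dropped to \([0-9][0-9]*:[0-9][0-9]*\).*/\1/p')
    [ -n "$ids" ] && [ "${ids%%:*}" != 0 ] && [ "${ids##*:}" != 0 ]
}
verify_rngd() {                    # $1 unit text, $2 sysconfig text, $3 journal text
    rc=0
    args=$(rngd_args "$2")
    unit_has_no_udevadm "$1"      || { echo "FAIL: udevadm in unit file"; rc=1; }
    excludes_source "$args" qrypt || { echo "FAIL: qrypt not disabled"; rc=1; }
    if t=$(drop_target "$args"); then
        [ "${t%%:*}" != root ]    || { echo "FAIL: -D keeps root"; rc=1; }
    else
        echo "FAIL: no -D user:group in RNGD_ARGS"; rc=1
    fi
    privileges_dropped "$3"       || { echo "FAIL: no privilege-drop log line"; rc=1; }
    return "$rc"
}

# Config and log lines as quoted on this page; the unit line is constructed.
GOOD_UNIT='ExecStart=/usr/sbin/rngd -f $RNGD_ARGS'
GOOD_CONF='RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"'
GOOD_LOG='rngd[10752]: Process privileges have been dropped to 2:2'
# Constructed counter-examples.
BAD_UNIT='ExecStartPre=/usr/bin/udevadm settle'
BAD_CONF='RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist"'
BAD_LOG='rngd[1]: Initializing available sources'

if verify_rngd "$GOOD_UNIT" "$GOOD_CONF" "$GOOD_LOG"; then echo "good sample: pass"; fi
if ! verify_rngd "$BAD_UNIT" "$BAD_CONF" "$BAD_LOG"; then echo "bad sample: rejected"; fi
```

On an installed system the three arguments would come from the unit file, /etc/sysconfig/rngd and the service log named in the test plan.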

Comment 3 Vilém Maršík 2022-10-06 16:28:38 UTC
Thanks for the test plan. What is your question?

Comment 4 Vladis Dronov 2022-10-06 17:43:45 UTC
No question. As we agreed at the latest meeting, we track bugzilla progress in the bugzilla itself.
So I set needinfo to you when my part is done and I hand over the bugzilla to you for testing or verification, or when any further actions are needed from your side.

Comment 5 Vilém Maršík 2022-10-06 20:06:58 UTC
Looks okay on RHEL-9.2.0-20221006.d.0 with kernel 5.14.0-170.kpq1.el9.x86_64+debug :
# rpm -e rng-tools jitterentropy
Removed "/etc/systemd/system/multi-user.target.wants/rngd.service".
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# rpm -i http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/rng-tools/6.15/2.el9/x86_64/rng-tools-6.15-2.el9.x86_64.rpm http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/jitterentropy/3.4.1/1.el9/x86_64/jitterentropy-3.4.1-1.el9.x86_64.rpm
Created symlink /etc/systemd/system/multi-user.target.wants/rngd.service → /usr/lib/systemd/system/rngd.service.
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd
# systemctl status rngd
(...)
     Active: active (running) since Thu 2022-10-06 15:55:59 EDT; 4s ago
(...)
             └─10752 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)
Oct 06 15:56:00 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[10752]: Process privileges have been dropped to 2:2

# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 5 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=250.967; avg=307.092; max=515.500)Mibits/s
rngtest: FIPS tests speed: (min=157.632; avg=198.352; max=202.909)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=52631578947.368; max=0.000)bits/s
rngtest: Program run time: 1592761 microseconds
killing
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=6.652; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=183.399; avg=198.434; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=74074074074.074; max=0.000)bits/s
rngtest: Program run time: 10766 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=4.657; avg=7.421; max=9.313)Gibits/s
rngtest: FIPS tests speed: (min=1003.868; avg=1467.191; max=1589.457)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2330 microseconds
0

Comment 6 Vladis Dronov 2022-10-07 14:03:43 UTC
Thanks for the testing, Vilem, most appreciated.

Comment 9 Vilém Maršík 2022-10-20 22:51:47 UTC
Looks good:
DISTRO=RHEL-9.2.0-20221013.0
kernel 5.14.0-175.el9.x86_64+debug
# rpm -q rng-tools
package rng-tools is not installed
# rpm -q jitterentropy
package jitterentropy is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# dnf install rng-tools jitterentropy
(...)
Installed:
  jitterentropy-3.4.1-1.el9.x86_64                                          rng-tools-6.15-2.el9.x86_64
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd
# systemctl status rngd
(...)
     Active: active (running) since Thu 2022-10-20 18:17:42 EDT; 4s ago
(...)
             └─60094 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)
Oct 20 18:17:44 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[60094]: Process privileges have been dropped to 2:2
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 5 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=272.478; avg=322.460; max=381.470)Mibits/s
rngtest: FIPS tests speed: (min=178.257; avg=198.744; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=68965517241.379; max=0.000)bits/s
rngtest: Program run time: 1593021 microseconds
killing
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=7.276; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=188.846; avg=198.910; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=62500000000.000; max=0.000)bits/s
rngtest: Program run time: 10637 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=2.070; avg=7.164; max=9.313)Gibits/s
rngtest: FIPS tests speed: (min=1.242; avg=1.418; max=1.552)Gibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2527 microseconds
0

Comment 10 Vladis Dronov 2022-12-27 13:39:11 UTC
unfortunately we would need another important update in 8.8/9.2 due to a crash: bz2140043, bz2141379.

Comment 12 errata-xmlrpc 2023-05-09 08:15:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2473