Bug 921122
| Summary: | tcsd.service is not starting with default configuration | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Sklenar <psklenar> |
| Component: | trousers | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | azazelahh, bugproxy, hannsj_uhl, hugh, jscotka, ltcgcw, noloader, psklenar |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-18 12:36:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 744225 | ||
|
Description
Petr Sklenar
2013-03-13 14:03:19 UTC
This seems to be the relevant part of a run:
open("/etc/tcsd.conf", O_RDONLY) = 3
read(3, "\n#\n# This is the configuration f"..., 4096) = 4096
read(3, " TCS/TPM for its capabilities\n#\t"..., 4096) = 2315
read(3, "", 4096) = 0
close(3) = 0
open("/dev/tpm0", O_RDWR) = -1 EBUSY (Device or resource busy)
open("/udev/tpm0", O_RDWR) = -1 ENOENT (No such file or directory)
open("/dev/tpm", O_RDWR) = -1 ENOENT (No such file or directory)
write(2, "TCSD TDDL ERROR: Could not find "..., 50TCSD TDDL ERROR: Could not find a device to open!
) = 50
exit_group(4233)
My guess is that rngd is using the tpm.
I'll work on getting this bug reverse mirrored to IBM. I am curious if your system has rngd enabled? If rngd has run at all, it seems to leave the TPM in a state where tcsd cannot connect to it. I don't know if they can share the device or not. I can only start tcsd in the default config when rngd has been disabled or removed from the system. Yes, I see the same thing. And it appears to work vice versa as well. Richard Costa has been assigned this bug on our side and reports that this is also happening on Fedora. To clarify, "work" in the last comments means "the bug works." It looks like the TPM device access is mutually exclusive. The tcsd starts after rngd has shutdown. However, it always seems to report: Jul 15 12:17:00 dhcp-9-41-105-128 TCSD TDDL[13046]: TrouSerS ioctl: (25) Inappropriate ioctl for device Jul 15 12:17:00 dhcp-9-41-105-128 TCSD TDDL[13046]: TrouSerS Falling back to Read/Write device support. Jul 15 12:17:00 dhcp-9-41-105-128 TCSD[13047]: TrouSerS trousers 0.3.10: TCSD up and running. As mentioned here by Steve Grubb and George Wilson, this problem arises from the fact that rngd grabs the tpm device (usually in /dev/tpm0) before tcsd. Since the tpm driver only allows a single process to open the tpm device, the tcsd receives an error code when it executes the open call. Note that the TSS specification (used as a basis for the tcsd) assumes that only code belonging to the TSS stack (in this case, the tcsd), access the TPM device through its device driver, so the driver is doing what its suppose to do. The text that mentions it can be found at the latest TSS document, at page 7, last paragraph. After talking to George Wilson about it, I've found that there was a recent modification in the rngd code to allow it to increase the entropy of the number generator by accessing the random number generator inside the TPM chip. Based on the evidence above, from now on, I'm gonna work on the rngd to fix this issue. This appears to be an rngd issue. At some point, TPM support was added to rngd. The TPM device driver enforces exclusive access so rngd access conflicts with tcsd. Kent Yoder's change to the TPM device driver contributes entropy via a /dev/hwrng device. So recommended changes are: (1) rngd's default command line should be modified to add --no-tpm=1 (2) The tpm-rng device driver needs to be loaded if rngd is to harvest entropy from the TPM Unsure if you want (2) to happen by default (or on demand) or if loading it should be an explicit end user decision. Tested on RHEL7.0 Snapshot 6, following the procedure below and everything ran fine. However, when I tried to load in the reverse order (first tcsd, then rngd), I've got an access error from rngd. It couldn't access the TPM hardware on /dev/tpm0, because TrouSerS was already using it. My concern here is that rngd will try to access the /dev/tpm0 device on demand (open it when needed), but it will fail because the device is already in use, thus generating another bug. For this specific bug, though, I'll mark it as rejected, since another solution was applied (i.e. changed the rngd behavior). This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. Can someone help me out and tell me how to do this? "rngd's default command line should be modified to add --no-tpm=1" What command should I execute to perform that step or what file do I need to edit? Thanks. ------- Comment From gcwilson.com 2013-07-11 20:23 EDT------- ------- Comment From gcwilson.com 2013-07-15 17:14 EDT------- ------- Comment From gcwilson.com 2013-07-15 17:18 EDT------- ------- Comment From richardm.com 2013-07-18 00:35 EDT------- ------- Comment From gcwilson.com 2013-07-19 21:59 EDT------- ------- Comment From richardm.com 2014-03-04 18:52 EDT------- |