Bug 1632786 - rngd lists no entropy sources, but still reads from TPM2
Summary: rngd lists no entropy sources, but still reads from TPM2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rng-tools
Version: 7.6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Neil Horman
QA Contact: Vilém Maršík
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-25 14:26 UTC by Vilém Maršík
Modified: 2019-08-06 13:18 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:18:44 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2338 0 None None None 2019-08-06 13:18:45 UTC

Description Vilém Maršík 2018-09-25 14:26:16 UTC
Description of problem:
rngd on a TPM2 machine lists no entropy sources, but secretly feeds TPM2 entropy into the system.
Found while testing Bug 1627822 - rngd: failed to init TPM2 RNG.

Version-Release number of selected component (if applicable):
rng-tools-6.3.1-3.el7.x86_64
kernel-3.10.0-952.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. log in to a machine with working TPM2
2. # rngd -f -d -x 1 -x 2 -x 5
3. read from /dev/random

Actual results:
rngd does not list any available source:
# rngd -f -d -x 1 -x 2 -x 5
Disabling 1: TPM RNG Device
Disabling 2: Intel RDRAND Instruction RNG
Disabling 5: JITTER Entropy generator
Initalizing available sources

rngd still feeds entropy: running "time cat /dev/random | rngtest -c 1" finishes in about 2.5s; without rngd it never finished for me and was killed after minutes.

Tracing shows that rngd reads from the TPM:
# echo *tpm* > /sys/kernel/debug/tracing/set_ftrace_filter
# echo *locality* >> /sys/kernel/debug/tracing/set_ftrace_filter
# echo function_graph > /sys/kernel/debug/tracing/current_tracer
# time cat /dev/random | rngtest -c 1
(...)
real    0m2.391s
(...)
# cat /sys/kernel/debug/tracing/trace
# tracer: function_graph
#
# CPU  DURATION                  FUNCTION CALLS
# |     |   |                     |   |   |   |
   6)               |  tpm_hwrng_read() {
   6)               |    tpm_get_random() {
   6)               |      tpm_chip_find_get() {
   6)   0.142 us    |        tpm_try_get_ops();
   6)   0.774 us    |      }
   6)               |      tpm2_get_random() {
   6)               |        tpm_transmit_cmd() {
   6)               |          tpm_transmit() {
   6)   0.077 us    |            tpm_tis_clkrun_enable();
   6)               |            request_locality() {
   6)               |              check_locality() {
   6)   1.445 us    |                tpm_tcg_read_bytes();
   6)   1.867 us    |              }
   6)   0.046 us    |              tpm_tcg_write_bytes();
   6)               |              check_locality() {
   6)   1.393 us    |                tpm_tcg_read_bytes();
   6)   1.808 us    |              }
   6)   4.838 us    |            }
(...)
   6)               |  tpm_hwrng_read() {
   6)               |    tpm_get_random() {
   6)               |      tpm_chip_find_get() {
   6)   0.045 us    |        tpm_try_get_ops();
   6)   0.363 us    |      }
   6)               |      tpm2_get_random() {
   6)               |        tpm_transmit_cmd() {
   6)               |          tpm_transmit() {
   6)   0.034 us    |            tpm_tis_clkrun_enable();
   6)               |            request_locality() {
   6)               |              check_locality() {
   6)   1.410 us    |                tpm_tcg_read_bytes();
   6)   1.744 us    |              }
   6)   0.034 us    |              tpm_tcg_write_bytes();
   6)               |              check_locality() {
   6)   1.479 us    |                tpm_tcg_read_bytes();
   6)   1.819 us    |              }
   6)   4.560 us    |            }
(...)

Expected results:
TPM2 listed in the available sources, when being used

Additional info:

Comment 3 Vilém Maršík 2018-09-25 14:43:28 UTC
And I wonder how to disable this TPM2 source with the '-x' option.

Comment 4 Neil Horman 2018-09-25 14:52:10 UTC
tpm2 exports its entropy as a hwrng (/dev/hwrng), and your command line doesn't disable the hwrng entropy source (-x 0)

Comment 5 Vilém Maršík 2018-09-25 15:22:15 UTC
(In reply to Neil Horman from comment #4)
> tpm2 exports its entropy as a hwrng (/dev/hwrng), and your command line
> doesn't disable the hwrng entropy source (-x 0)

Then why is that source not listed there?

Comment 6 Neil Horman 2018-09-25 15:57:52 UTC
That is an excellent question.  Can you post the console output of rngd here please?

Comment 7 Vilém Maršík 2018-09-26 14:38:47 UTC
See Description:
# rngd -f -d -x 1 -x 2 -x 5
Disabling 1: TPM RNG Device
Disabling 2: Intel RDRAND Instruction RNG
Disabling 5: JITTER Entropy generator
Initalizing available sources

^ i.e. TPM2/HWRNG not listed but used (and the '-x' flags make no difference in what was printed). Now I have found that the source gets listed by the '-l' flag:
# rngd -l
Entropy sources that are available but disabled
1: TPM RNG Device
4: NIST Network Entropy Beacon
Available and enabled entropy sources:
0: Hardware RNG Device
2: Intel RDRAND Instruction RNG
5: JITTER Entropy generator

This is what I had in mind while reporting this; think about reopening. Any ideas?

Comment 8 Neil Horman 2018-09-26 15:43:32 UTC
I'm not sure what you're driving at.  I'm sorry you didn't realize that rngd -l lists the entropy sources (though that is documented in the man page).  It seems pretty clear to me that source 0 (hwrng) is enabled and available, so that's where you're getting entropy from.

What is the ask here?  Are you looking for a message that expressly indicates that the hwrng is being enabled?  If so, sure, I can do that, though I'd like to be sure that's what you're after first.

Comment 9 Vilém Maršík 2018-09-27 09:18:55 UTC
Yes, I ask for a message that HWRNG is being used, when that is the case. Otherwise it's confusing:

I run rngd, it says it uses RDRAND + JITTER:
# rngd -f -d
Initalizing available sources
Enabling RDRAND rng support
Enabling JITTER rng support

Now I run it with these sources disabled, rngd runs with no sources listed and does not exit:
# rngd -f -d -x 2 -x 5
Disabling 2: Intel RDRAND Instruction RNG
Disabling 5: JITTER Entropy generator
Initalizing available sources

Strangely, entropy is still increasing, where did it come from?
# rngd -l
(...)
Available and enabled entropy sources:
0: Hardware RNG Device
2: Intel RDRAND Instruction RNG
5: JITTER Entropy generator

Ah, there is a secret source 0, that was hidden before.
Could it have been listed instead?
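As an added example, not part of this bug report or of rng-tools: a POSIX shell script that parses the `rngd -l` listing format shown above (a constructed copy is embedded so it runs offline; on a real host substitute the live `rngd -l` output) to find which sources are enabled, and derives the `-x` flags that disable every enabled source except the ones an operator wants, so source 0 (the TPM behind /dev/hwrng) is not overlooked the way this report describes. The `rng_current` sysfs path is the kernel's hw_random attribute, used here to show which driver backs source 0; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `rngd -l` output, copied in the format this thread shows.
# Embedded so the script runs offline; on a real host use: SAMPLE_RNGD_L="$(rngd -l)"
SAMPLE_RNGD_L='Entropy sources that are available but disabled
1: TPM RNG Device
4: NIST Network Entropy Beacon
Available and enabled entropy sources:
0: Hardware RNG Device
2: Intel RDRAND Instruction RNG
5: JITTER Entropy generator'

# Print the numeric indices listed under "Available and enabled", space separated.
enabled_sources() {
    printf '%s\n' "$1" | awk '
        /^Available and enabled/ { on = 1; next }
        /^Entropy sources that are available but disabled/ { on = 0; next }
        on && /^[0-9]+:/ { sub(":", "", $1); printf "%s ", $1 }
    ' | sed 's/ $//'
}

# Build the "-x N" flags that disable every enabled source except the indices
# given in $2 (space separated). With this, "rngd -f -d $(disable_flags_except ...)"
# leaves no source running that was not deliberately kept.
disable_flags_except() {
    keep=" $2 "
    flags=""
    for idx in $(enabled_sources "$1"); do
        case "$keep" in
            *" $idx "*) ;;                       # explicitly kept
            *) flags="$flags -x $idx" ;;         # everything else is disabled
        esac
    done
    printf '%s' "${flags# }"
}

# Report which kernel driver currently backs /dev/hwrng (rngd source 0),
# e.g. a TPM-backed hwrng; prints "unavailable" if the attribute is absent.
hwrng_backend() {
    f=/sys/class/misc/hw_random/rng_current
    if [ -r "$f" ]; then cat "$f"; else echo "unavailable"; fi
}

# Keep only JITTER (5): yields "-x 0 -x 2", which also silences the hidden hwrng.
disable_flags_except "$SAMPLE_RNGD_L" "5"
echo
echo "hwrng backend: $(hwrng_backend)"
```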

Comment 10 Neil Horman 2018-09-27 13:54:50 UTC
In fairness, it's not unlisted; the list command clearly shows it.

But I take your meaning: clearly calling out all sources as they are initialized is a good idea. I'll take care of that, though it may be too late for 7.6.  I'll try my best.

Comment 11 Vilém Maršík 2018-09-27 14:15:53 UTC
I know that the list command shows that, but I still got quite confused that '-d' did not, before trying '-l'. I would like to avoid such confusion for the users.

I don't insist on this going into 7.6, but will do my best if it does.

Thanks

Comment 12 Neil Horman 2018-09-27 15:10:43 UTC
Looks like we're not going to make it for 7.6 (I need to get blocker approval, and it's too late to get that for this as it's not function critical).  I've fixed it upstream though, and will backport for 7.7.

Comment 14 Vilém Maršík 2019-06-21 17:53:31 UTC
The messages now look correct in rng-tools-6.3.1-4.el7.x86_64:

# rngd -f -d -x 1 -x 2 -x 5
Disabling 1: TPM RNG Device
Disabling 2: Intel RDRAND Instruction RNG
Disabling 5: JITTER Entropy generator

Initalizing available sources

Initalizing entropy source Hardware RNG Device
^ here

Setting verified.

Comment 16 errata-xmlrpc 2019-08-06 13:18:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2338