Description of problem:
Inspection of service rngd in the output of command journalctl reveals that a dependency on library /usr/lib64/opensc-pkcs11.so provided by package opensc is not fulfilled:

Jun 7 14:22:00 localhost rngd[1734]: [pkcs11]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory
Jun 7 14:22:00 localhost rngd[1734]: [pkcs11]: Initialization Failed

Version-Release number of selected component (if applicable):
rng-tools-6.9-3.fc32

How reproducible:
Always

Steps to Reproduce:
1. (Re)-start service rngd.
2. Inspect the output of command journalctl.

Actual results:
Initialization of source PKCS11 fails because of missing library /usr/lib64/opensc-pkcs11.so.

Expected results:
Initialization of source PKCS11 succeeds.

Additional info:
After executing 'dnf install /usr/lib64/opensc-pkcs11.so', package opensc gets installed along with required dependencies, effectively resolving this issue. It needs to be added to the dependencies of package rng-tools.
The error message only disappears after installing package opensc when restarting service rngd, but it persists when rngd is launched during the boot procedure.
This is by design. Access to opensc-pkcs11.so is done via dlopen, not by link time binding. Failure to find the DSO is not fatal to the operation of rngd; it only means that that entropy source is unusable to rngd at the current time. I don't want to create a package dependency between rng-tools and opensc, because doing so implies that the opensc package will have to be pulled into the initramfs, and access to that relatively low volume entropy source is less important than minimization of the initramfs. We can talk about changing the error message if you like, but as it currently stands, unless you have an explicit need for the smartcard entropy source in your initramfs, I'm inclined to close this as not a bug.
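The run-time loading described in the comment above, as an added example that is not part of this thread or of rng-tools' code. The struct, the function names and the /nonexistent path are hypothetical; the point is that a failed dlopen disables one source while the rest keep working.

```c
/* Added example: hypothetical names, not rngd's real structures or API. */
#include <dlfcn.h>
#include <stdio.h>

struct ent_source {
    const char *name;      /* label used in log lines */
    const char *dso_path;  /* NULL means built in, nothing to load */
    const char *hint;      /* what to install if the DSO is missing */
    void *handle;          /* dlopen handle, NULL until loaded */
    int usable;            /* 1 once the source can be polled */
};

/* Load the backing DSO at run time. A missing library disables only this
 * source; it is never treated as a fatal error for the daemon. */
static int source_init(struct ent_source *s)
{
    s->usable = 0;
    s->handle = NULL;
    if (s->dso_path != NULL) {
        s->handle = dlopen(s->dso_path, RTLD_NOW | RTLD_LOCAL);
        if (s->handle == NULL) {
            fprintf(stderr, "[%s]: cannot load %s, %s\n",
                    s->name, s->dso_path, s->hint);
            return 0;
        }
    }
    s->usable = 1;
    return 1;
}

/* Initialise every source; the caller gives up only when this returns 0. */
static int init_all(struct ent_source *srcs, int n)
{
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += source_init(&srcs[i]);
    return ok;
}

int main(void)
{
    struct ent_source srcs[] = {
        { "builtin", NULL, "", NULL, 0 },  /* constructed sample sources */
        { "pkcs11", "/nonexistent/opensc-pkcs11.so",
          "install opensc to gather smartcard entropy", NULL, 0 },
    };
    return init_all(srcs, 2) > 0 ? 0 : 1;
}
```

On glibc older than 2.34, link with -ldl.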
(In reply to Neil Horman from comment #2) I do not quite see the point of minimizing the size of the initramfs at "any cost" for recent hardware but leaving things as they are right now might still be better than disabling smart-card support in rng-tools builds altogether because interested users can then at least restart rngd once a system on which package opensc is installed has started up.
As per bug #1891025, it seems like this is still an issue on hardware which does not have any better source of randomness. How about using a weak dependency (`Recommends:`) instead?
Given that we do not install rngd by default anymore (after the kernel-early-entropy patch), it looks like we can indeed add a weak dependency for opensc. In parallel, we can also make an error message more detailed. "No pkcs11 endpoints found, install opensc if you would like to gather smartcard entropy" or some such sounds good. On the other hand, as smartcard entropy does not seem to be a frequent use case and as pkcs11 entropy source is disabled by default in Fedora, I would rather use a hint (Suggests: opensc).
...and, yeah, an upstream patch for rngd.8.in explaining the requirement for opensc (or a similar package in other distros).
packages containing opensc-pkcs11.so in other distros:
debian - opensc-pkcs11
ubuntu - opensc-pkcs11
FEDORA-2023-a2aeee9847 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2aeee9847
FEDORA-2023-2c0dd54342 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-2c0dd54342
FEDORA-2023-a2aeee9847 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a2aeee9847` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2aeee9847 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-2c0dd54342 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-2c0dd54342` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-2c0dd54342 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-2c0dd54342 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-a2aeee9847 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.