Bug 2015560
| Summary: | [RHEL-9.0-GA] update jitterentropy to 3.3.1 + latest fixes | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Vladis Dronov <vdronov> |
| Component: | jitterentropy | Assignee: | Vladis Dronov <vdronov> |
| Status: | CLOSED ERRATA | QA Contact: | Vilém Maršík <vmarsik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.0 | Keywords: | Rebase, Triaged |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 9.0 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | jitterentropy-3.3.1-2.el9 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2022-05-17 15:58:59 UTC | Type: | Bug |
Description
Vladis Dronov
2021-10-19 13:59:32 UTC
[CI] [GATING] [DONE] jitterentropy-3.3.1-2.el9 passed gating because all required tests passed

Brew build: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1805076

CI Dashboard: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/41472626

could you please provide Verified:Tested for this bz, so i can proceed with its errata?

the test plan for both jitterentropy library (this bz) and rngd daemon (bz2015566) is the same as for the previous version: https://bugzilla.redhat.com/show_bug.cgi?id=1973157#c5 (just the download links are different, see them above)

As of RHEL-9.0.0-20211212.3, even on aarch64, the kernel seems to gather its own entropy with no rngd running. Not sure why, RHEL8 is not doing that. Is there a way to prove that rngd/jitterentropy is working, i.e. to switch off all other entropy sources?

```
# systemctl status rngd
○ rngd.service - Hardware RNG Entropy Gatherer Daemon
Loaded: loaded (/usr/lib/systemd/system/rngd.service; disabled; vendor preset: enabled)
Active: inactive (dead)
# cat /proc/sys/kernel/random/entropy_avail
471
# rngtest -c 1000 </dev/random
(...)
rngtest: input channel speed: (min=733.596; avg=1313.149; max=1362.392)Mibits/s
rngtest: FIPS tests speed: (min=102.546; avg=125.036; max=127.157)Mibits/s
rngtest: Program run time: 167345 microseconds
# cat /proc/sys/kernel/random/entropy_avail
486
# rngtest -c 1000 </dev/random
(...)
# cat /proc/sys/kernel/random/entropy_avail
489
# uname -m
aarch64
```

(In reply to Vilém Maršík from comment #6)
> As of RHEL-9.0.0-20211212.3, even on aarch64, the kernel seems to gather its
> own entropy with no rngd running. Not sure why, RHEL8 is not doing that. Is
> there a way to prove that rngd/jitterentropy is working, i.e. to switch off
> all other entropy sources?

please, follow the suggested test procedure. it does not involve /dev/random and so any other entropy sources.

Okay, you want to test rngd output directly, instead of kernel generator output. Makes sense. Works good on RHEL-9.0.0-20211217.d.1 aarch64:

```
# dnf install rng-tools
(...)
Installed:
jitterentropy-3.3.1-2.el9.aarch64 rng-tools-6.14-2.git.b2b7934e.el9.aarch64
Complete!
# rngd -l
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
5: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
0: Hardware RNG Device (hwrng)
6: JITTER Entropy generator (jitter)
Available entropy sources that failed initalization:
4: ARM v8.5 RNDR Instruction RNG (rndr)
# time rngd -x tpm -x nist -x hwrng -x rndr -n jitter -f -o /dev/stdout > /tmp/entropy
Disabling 1: TPM RNG Device (tpm)
Disabling 5: NIST Network Entropy Beacon (nist)
Disabling 0: Hardware RNG Device (hwrng)
Disabling 4: ARM v8.5 RNDR Instruction RNG (rndr)
Enabling 6: JITTER Entropy generator (jitter)
Initializing available sources
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
^C[jitter]: Shutting down
real 0m22.259s
user 1m25.605s
sys 0m3.168s
# ls -lh /tmp/entropy
-rw-r--r--. 1 root root 54M Dec 21 15:04 /tmp/entropy
# cat /tmp/entropy | rngtest
rngtest 6.14
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
rngtest: starting FIPS tests...
rngtest: entropy source drained
rngtest: bits received from input: 447781888
rngtest: FIPS 140-2 successes: 22382
rngtest: FIPS 140-2 failures: 7
rngtest: FIPS 140-2(2001-10-10) Monobit: 1
rngtest: FIPS 140-2(2001-10-10) Poker: 2
rngtest: FIPS 140-2(2001-10-10) Runs: 4
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=205.091; avg=1976.324; max=6357.829)Mibits/s
rngtest: FIPS tests speed: (min=37.620; avg=90.208; max=94.423)Mibits/s
rngtest: Program run time: 4957102 microseconds
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (new packages: jitterentropy), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3989
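
What the Monobit, Poker, Runs and Long run counters in the rngtest summary above measure, as an added example (not code from this bug report or from rng-tools): a Python version of those FIPS 140-2 (2001-10-10) checks applied to 20,000-bit blocks of a capture such as `/tmp/entropy`. The MSB-first bit order, the function names and the seeded sample data are assumptions of this example, and the continuous-run test is left out.

```python
import random
from itertools import groupby

BLOCK_BYTES = 2500  # one FIPS 140-2 block is 20,000 bits
# Allowed number of runs of length 1..5 and 6+ (FIPS 140-2, 2001-10-10 revision).
RUN_LIMITS = [(2315, 2685), (1114, 1386), (527, 723), (240, 384), (103, 209), (103, 209)]

def fips_block_failures(block):
    """Return the names of the FIPS 140-2 statistical tests that `block` fails."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("a FIPS 140-2 block is exactly 2500 bytes")
    # Assumption: bits are taken MSB first; the statistics do not depend on it.
    bits = [(byte >> shift) & 1 for byte in block for shift in range(7, -1, -1)]
    failed = []
    # Monobit: the number of one bits X must satisfy 9725 < X < 10275.
    if not 9725 < sum(bits) < 10275:
        failed.append("monobit")
    # Poker: spread of the 5000 4-bit nibbles over their 16 possible values.
    freq = [0] * 16
    for byte in block:
        freq[byte >> 4] += 1
        freq[byte & 0x0F] += 1
    x = 16 / 5000 * sum(f * f for f in freq) - 5000
    if not 2.16 < x < 46.17:
        failed.append("poker")
    # Runs / long run: maximal runs of equal bits, counted separately for 0 and 1.
    counts = {0: [0] * 6, 1: [0] * 6}
    longest = 0
    for bit, group in groupby(bits):
        n = sum(1 for _ in group)
        longest = max(longest, n)
        counts[bit][min(n, 6) - 1] += 1
    if any(not lo <= c[i] <= hi
           for c in counts.values() for i, (lo, hi) in enumerate(RUN_LIMITS)):
        failed.append("runs")
    if longest >= 26:  # a single run of 26 or more equal bits fails the block
        failed.append("long run")
    return failed

def scan(data):
    """Test every complete block in `data`; return (blocks, failures per test)."""
    tally = {"monobit": 0, "poker": 0, "runs": 0, "long run": 0}
    blocks = len(data) // BLOCK_BYTES
    for i in range(blocks):
        for name in fips_block_failures(data[i * BLOCK_BYTES:(i + 1) * BLOCK_BYTES]):
            tally[name] += 1
    return blocks, tally

if __name__ == "__main__":
    # Constructed sample: seeded PRNG bytes standing in for a real rngd capture.
    print(scan(random.Random(1).randbytes(40 * BLOCK_BYTES)))
```

The bounds are statistical, so a sound source still fails an occasional block over a long capture.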