Bug 2075974 - [RHEL-8.7] update rng-tools to 6.15 and jitterentropy to 3.4.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rng-tools
Version: 8.7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.7
Assignee: Vladis Dronov
QA Contact: Vilém Maršík
URL:
Whiteboard:
Depends On: 2076641
Blocks:
Reported: 2022-04-16 19:30 UTC by Vladis Dronov
Modified: 2022-11-08 12:28 UTC (History)
Fixed In Version: rng-tools-6.15-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-08 10:47:11 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-119081 0 None None None 2022-04-16 19:31:26 UTC
Red Hat Product Errata RHBA-2022:7710 0 None None None 2022-11-08 10:47:16 UTC

Description Vladis Dronov 2022-04-16 19:30:41 UTC
update rng-tools to 6.15 and jitterentropy lib to 3.4.0 + important upstream fixes.

rng-tools:
upstream: https://github.com/smuellerDD/jitterentropy-library/
fedora: https://src.fedoraproject.org/rpms/jitterentropy/

jitterentropy-lib:
upstream: https://github.com/nhorman/rng-tools/
fedora: https://src.fedoraproject.org/rpms/rng-tools/

Comment 2 Vladis Dronov 2022-05-08 11:33:36 UTC
[CI] [GATING] [DONE] rng-tools-6.15-1.el8 passed gating because all required tests passed
rng-tools-6.15-1.el8 successfully moved from rhel-8.7.0-gate into rhel-8.7.0-candidate
brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=45148424
osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/45148424

Comment 3 Vladis Dronov 2022-05-09 09:43:39 UTC
a test plan:

0) ensure no config and 'rngd' user exists from previous installations

# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon package from brew via links above

2) install it. please, note this release requires selinux-policy >= 3.14.3-98, it is available in the latest 8.7 composes.

3) verify that both service files DO NOT contain "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service 
<none>

4) this release does not create any new user/group. still, check that pwck is fine after installation.

# pwck

5) optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked,
then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of
"rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all
three should return 0:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# ./rngtestjitter.sh ; echo $?

6) start a service and ensure a process is run as daemon user and a log contains "dropping privileges" line:
a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

systemctl start rngd ; sleep 5 ; systemctl status rngd ; ps -ef | grep rngd

7) clean up

# dnf -y erase rng-tools
# rm -f rng-tools*rpm

Comment 4 Vilém Maršík 2022-05-10 16:34:54 UTC
Looks good on RHEL-8.7.0-20220510.d.0:

#  userdel -r rngd
userdel: user 'rngd' does not exist
#  rm -f /etc/sysconfig/rngd*
# dnf install -y http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.15/1.el8/x86_64/rng-tools-6.15-1.el8.x86_64.rpm
(...)
# rpm -q selinux-policy
selinux-policy-3.14.3-98.el8.noarch
#  grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
grep: /usr/lib/systemd/system/rngd-wake-threshold.service: No such file or directory
# pwck
# dnf install -y wget
(...)
# wget http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.15/1.el8/src/rng-tools-6.15-1.el8.src.rpm
(...)
# rpm2cpio rng-tools-6.15-1.el8.src.rpm | cpio --extract --make-directories --no-absolute-filenames
329 blocks
# tar xvfz rng-tools-6.15.tar.gz
(...)
# cd rng-tools-6.15/tests
# vim rngtestzero.sh
# vim rngtestjitter.sh
# vim rngtesturandom.sh
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=6.209; avg=14.111; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=476.837; avg=538.343; max=544.957)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 3804 microseconds
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=6.209; avg=16.057; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=135.273; avg=158.589; max=165.856)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=35087719298.246; max=0.000)bits/s
rngtest: Program run time: 12856 microseconds
0
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=112.197; avg=575.543; max=733.596)Mibits/s
rngtest: FIPS tests speed: (min=113.533; avg=116.807; max=118.469)Mibits/s
rngtest: output channel speed: (min=9.313; avg=22.442; max=18.626)Gibits/s
rngtest: Program run time: 6358119 microseconds
killing
0
# systemctl start rngd ; sleep 5 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-05-10 12:26:13 EDT; 5s ago
 Main PID: 17885 (rngd)
    Tasks: 5 (limit: 49098)
   Memory: 4.1M
   CGroup: /system.slice/rngd.service
           └─17885 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon

May 10 12:26:13 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com systemd[1]: Started Hardware RNG Entropy Gatherer Daemon.
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: Disabling 7: PKCS11 Entropy generator (pkcs11)
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: Disabling 5: NIST Network Entropy Beacon (nist)
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: Initializing available sources
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: [hwrng ]: Initialized
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: [rdrand]: Enabling RDRAND rng support
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: [rdrand]: Initialized
May 10 12:26:14 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: [jitter]: Initializing AES buffer
root       17885       1 99 12:26 ?        00:00:19 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon
root       17896   16288  0 12:26 pts/0    00:00:00 grep --color=auto rngd
# journalctl | grep rngd | tail -n1
May 10 12:26:20 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[17885]: Process privileges have been dropped to 2:2
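
Steps 3 and 6 of the test plan as re-runnable checks (an added example, not part of the original comments or of rng-tools). The function names are hypothetical and the journal line format is copied from the output above; reading `Uid:`/`Gid:` from `/proc/<pid>/status` is an added check, useful because the `ps` sample above, taken 5 seconds after start, still lists root while the journal records the drop at 12:26:20.

```shell
#!/bin/sh
# Added example: hypothetical helper functions, not shipped with rng-tools.

# Step 3: succeed only if none of the unit files that exist mention udevadm.
# Missing files are skipped (rngd-wake-threshold.service is absent in the run above).
units_free_of_udevadm() {
    for unit in "$@"; do
        [ -f "$unit" ] || continue
        if grep -q 'udevadm' "$unit"; then
            echo "udevadm found in $unit" >&2
            return 1
        fi
    done
    return 0
}

# Step 6a: read journal text on stdin and print the uid:gid from the last
# "privileges have been dropped" line; fail if there is no such line.
dropped_ids_from_journal() {
    ids=$(sed -n 's/.*Process privileges have been dropped to \([0-9][0-9]*:[0-9][0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$ids" ] || return 1
    printf '%s\n' "$ids"
}

# Step 6b: succeed only if every UID and GID (real, effective, saved, fs)
# in a /proc/<pid>/status-style file is non-zero.
status_is_unprivileged() {
    awk '($1 == "Uid:" || $1 == "Gid:") { seen++; for (i = 2; i <= NF; i++) if ($i == 0) bad = 1 }
         END { if (seen == 2 && !bad) exit 0; exit 1 }' "$1"
}

# Offline demo on a constructed journal excerpt (line format copied from the run above).
printf '%s\n' 'rngd[17885]: [jitter]: Initializing AES buffer' \
              'rngd[17885]: Process privileges have been dropped to 2:2' |
    dropped_ids_from_journal

# On a host running the service (commented out so the block runs offline):
# units_free_of_udevadm /usr/lib/systemd/system/rngd.service \
#                       /usr/lib/systemd/system/rngd-wake-threshold.service
# journalctl -u rngd | dropped_ids_from_journal
# status_is_unprivileged "/proc/$(pidof rngd)/status"
```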

Comment 7 Vilém Maršík 2022-06-13 22:07:41 UTC
Similar results to https://bugzilla.redhat.com/show_bug.cgi?id=2075977#c8 on RHEL-8.7.0-20220613.d.0, waiting to clarify the low entropy under stress. Otherwise passed.

---


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    Package       : rng-tools
    Installed     : rng-tools-6.15-1.el8.x86_64
    beakerlib RPM : beakerlib-1.27-1.el8bkr.noarch
    bl-redhat RPM : beakerlib-redhat-1-33.el8bkr.noarch
    Test name     : /CoreOS/rng-tools/Sanity/hwrng
    Test version  : 1.0-12
    Test built    : 2020-06-02 10:01:33 EDT
    Test started  : 2022-06-13 17:39:16 EDT
    Test finished : 2022-06-13 17:44:49 EDT (still running)
    Test duration : 333 seconds
    Distro        : Red Hat Enterprise Linux release 8.7 Beta (Ootpa)
    Hostname      : intel-eaglestream-spr-04.khw1.lab.eng.bos.redhat.com
    Architecture  : x86_64
    CPUs          : 192 x Genuine Intel(R) CPU 0000%@
    RAM size      : 127858 MB
    HDD size      : 1783.61 GB

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test description
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

PURPOSE of /CoreOS/rng-tools/Sanity/hwrng
Description: Check hardware random number generator
Author: Jeff Bastian <jbastian>

This test verifies the hardware random number generator is working
with the rngtest tool, and that the kernel's entropy pool remains full
with rngd running.


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   basic daemon tests
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:39:16 ] :: [   PASS   ] :: Checking if stopped (Expected 3, got 3)
:: [ 17:39:16 ] :: [   PASS   ] :: Starting rngd daemon (Expected 0, got 0)
:: [ 17:39:16 ] :: [   PASS   ] :: Checking if started (Expected 0, got 0)
:: [ 17:39:21 ] :: [   PASS   ] :: Still running after 15s (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 5s
::   Assertions: 4 good, 0 bad
::   RESULT: PASS (basic daemon tests)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   options test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:39:23 ] :: [   PASS   ] :: foreground run OK
:: [ 17:39:23 ] :: [   PASS   ] :: background run OK
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 2s
::   Assertions: 2 good, 0 bad
::   RESULT: PASS (options test)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   rngtest
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:44:39 ] :: [   PASS   ] :: Running rngtest (Expected 0,1, got 0)
:: [ 17:44:39 ] :: [   INFO   ] :: Sending /var/tmp/rlRun_LOG.FZ4XpMUE as rngtest.out
:: [ 17:44:39 ] :: [   LOG    ] :: File '/tmp/tmp.d63V5Q1IjA/rngtest.out' stored here: /var/tmp/BEAKERLIB_STORED_rngtest.out
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 316s
::   Assertions: 1 good, 0 bad
::   RESULT: PASS (rngtest)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   entropy-pool
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:44:39 ] :: [   PASS   ] :: Starting rngd.service (Expected 0, got 0)
:: [ 17:44:39 ] :: [   PASS   ] :: rngd.service is active (Expected 0, got 0)
:: [ 17:44:39 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "2102" should be greater than "2047")
:: [ 17:44:40 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "1080" should be greater than "2047")
:: [ 17:44:41 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "61" should be greater than "2047")
:: [ 17:44:42 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3971" should be greater than "2047")
:: [ 17:44:43 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3330" should be greater than "2047")
:: [ 17:44:44 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3971" should be greater than "2047")
:: [ 17:44:45 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3899" should be greater than "2047")
:: [ 17:44:46 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3971" should be greater than "2047")
:: [ 17:44:47 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3971" should be greater than "2047")
:: [ 17:44:48 ] :: [   PASS   ] :: Available entropy at least 2048 (Assert: "3395" should be greater than "2047")
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 10s
::   Assertions: 10 good, 2 bad
::   RESULT: FAIL (entropy-pool)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   /CoreOS/rng-tools/Sanity/hwrng
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:44:49 ] :: [   LOG    ] :: JOURNAL XML: /var/tmp/beakerlib-lOjWxIB/journal.xml
:: [ 17:44:49 ] :: [   LOG    ] :: JOURNAL TXT: /var/tmp/beakerlib-lOjWxIB/journal.txt
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 333s
::   Phases: 3 good, 1 bad
::   OVERALL RESULT: FAIL (/CoreOS/rng-tools/Sanity/hwrng)

[root@intel-eaglestream-spr-04 rng-tools]# rngd -l
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
5: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
0: Hardware RNG Device (hwrng)
2: Intel RDRAND Instruction RNG (rdrand)
6: JITTER Entropy generator (jitter)
Available entropy sources that failed initalization:

[root@intel-eaglestream-spr-04 rng-tools]# time rngd -f -x tpm -x nist -x hwrng -x rdrand -n jitter -o /dev/stdout > /tmp/entropy
Disabling 1: TPM RNG Device (tpm)
Disabling 5: NIST Network Entropy Beacon (nist)
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Enabling 6: JITTER Entropy generator (jitter)
Initializing available sources
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
^C[jitter]: Shutting down

real    1m44.267s
user    8m25.563s
sys     0m13.200s
[root@intel-eaglestream-spr-04 rng-tools]# ls -lh /tmp/entropy
-rw-r--r--. 1 root root 1.8G Jun 13 17:59 /tmp/entropy
[root@intel-eaglestream-spr-04 rng-tools]# cat /tmp/entropy | rngtest
rngtest 6.15
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: entropy source drained
rngtest: bits received from input: 15345926656
rngtest: FIPS 140-2 successes: 766964
rngtest: FIPS 140-2 failures: 332
rngtest: FIPS 140-2(2001-10-10) Monobit: 65
rngtest: FIPS 140-2(2001-10-10) Poker: 71
rngtest: FIPS 140-2(2001-10-10) Runs: 196
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 1
rngtest: input channel speed: (min=3.104; avg=23.084; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=99.861; avg=171.186; max=178.257)Mibits/s
rngtest: Program run time: 86162305 microseconds

Comment 9 Vilém Maršík 2022-06-29 17:19:02 UTC
The only failure in the test was probably caused by slow rngd startup; considering it a success. Setting verified.

Comment 11 errata-xmlrpc 2022-11-08 10:47:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7710

