Bug 2075977 - [RHEL-9.1] update rng-tools to 6.15 + latest fixes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: rng-tools
Version: 9.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 9.1
Assignee: Vladis Dronov
QA Contact: Vilém Maršík
URL:
Whiteboard:
Depends On: 2076642
Blocks: 2077036
Reported: 2022-04-16 19:44 UTC by Vladis Dronov
Modified: 2023-08-08 03:02 UTC

Fixed In Version: rng-tools-6.15-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2077036 (view as bug list)
Environment:
Last Closed: 2022-11-15 11:16:12 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-119083 0 None None None 2022-04-16 19:46:18 UTC
Red Hat Product Errata RHBA-2022:8308 0 None None None 2022-11-15 11:16:15 UTC

Description Vladis Dronov 2022-04-16 19:44:52 UTC
update rng-tools to 6.15 + important upstream fixes (like "Build Power9 code separately").

upstream: https://github.com/nhorman/rng-tools/
fedora: https://src.fedoraproject.org/rpms/rng-tools/

Comment 3 Vladis Dronov 2022-05-08 11:30:56 UTC
[CI] [GATING] [DONE] rng-tools-6.15-1.el9 passed gating because all required tests passed
koji: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1114004
brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=45148226
osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/45148226

Comment 4 Vladis Dronov 2022-05-09 09:48:37 UTC
a test plan:

0) ensure no config and 'rngd' user exists from previous installations

# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon and jitterentropy lib packages from brew via links above and in bz2075978#c3.

2) install both. please, note this release requires selinux-policy >= 34.1.31-2, it is available in the latest 9.1 composes.

3) verify that both service files DO NOT contain "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service 
<none>

4) this release does not create any new user/group. still, check that pwck is fine after installation.

# pwck

5) optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked,
then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of
"rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all
three should return 0:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# ./rngtestjitter.sh ; echo $?

6) start a service and ensure a process is run as 'daemon' user and a log contains "dropping privileges" line:
a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

systemctl start rngd ; sleep 5 ; systemctl status rngd ; ps -ef | grep rngd

7) clean up

# dnf -y erase rng-tools jitterentropy
# rm -f rng-tools*rpm

Comment 5 Vilém Maršík 2022-05-10 18:28:34 UTC
Looks good in RHEL-9.1.0-20220510.d.0:

# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# dnf install wget tar http://download.eng.bos.redhat.com/brewroot/work/tasks/4381/44874381/jitterentropy-3.4.0-1.el9.x86_64.rpm http://download.eng.bos.redhat.com/brewroot/work/tasks/8233/45148233/rng-tools-6.15-1.el9.x86_64.rpm
(...)
# rpm -q selinux-policy
selinux-policy-34.1.31-2.el9.noarch
#  grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
grep: /usr/lib/systemd/system/rngd-wake-threshold.service: No such file or directory
# pwck
# wget http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.15/1.el9/src/rng-tools-6.15-1.el9.src.rpm
(...)
# rpm2cpio rng-tools-6.15-1.el9.src.rpm  | cpio --extract --make-directories --no-absolute-filenames
158 blocks
# tar xvfz rng-tools-6.15.tar.gz
(...)
# cd rng-tools-6.15/tests/
# vim rngtestzero.sh
# vim rngtestjitter.sh
# vim rngtesturandom.sh
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=1.330; avg=6.559; max=9.313)Gibits/s
rngtest: FIPS tests speed: (min=340.598; avg=867.766; max=953.674)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2724 microseconds
0
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=140.246; avg=408.513; max=476.837)Mibits/s
rngtest: FIPS tests speed: (min=164.427; avg=173.854; max=176.606)Mibits/s
rngtest: output channel speed: (min=18.626; avg=30.043; max=18.626)Gibits/s
rngtest: Program run time: 3502982 microseconds
killing
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=7.481; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=134.320; avg=187.898; max=205.091)Mibits/s
rngtest: output channel speed: (min=18.626; avg=28.222; max=18.626)Gibits/s
rngtest: Program run time: 11436 microseconds
0
# systemctl start rngd ; sleep 5 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
     Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-05-10 13:46:25 EDT; 5s ago
   Main PID: 19769 (rngd)
      Tasks: 5 (limit: 203004)
     Memory: 4.9M
        CPU: 19.922s
     CGroup: /system.slice/rngd.service
             └─19769 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon

May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: Disabling 7: PKCS11 Entropy generator (pkcs11)
May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: Disabling 5: NIST Network Entropy Beacon (nist)
May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: Initializing available sources
May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [hwrng ]: Initialization Failed
May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [rdrand]: Enabling RDRAND rng support
May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [rdrand]: Initialized
May 10 13:46:25 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [jitter]: Initializing AES buffer
May 10 13:46:28 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [jitter]: Enabling JITTER rng support
May 10 13:46:28 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: [jitter]: Initialized
May 10 13:46:28 intel-wildcatpass-01.lab.eng.rdu2.redhat.com rngd[19769]: Process privileges have been dropped to 2:2
daemon     19769       1 99 13:46 ?        00:00:20 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon
root       19780   19003  0 13:46 pts/0    00:00:00 grep --color=auto rngd

Comment 8 Vilém Maršík 2022-06-13 21:01:38 UTC
Mostly working on RHEL-9.1.0-20220613.d.0 with kernel 5.14.0-105.kpq0.el9.x86_64 and rng-tools-6.15-1.el9.x86_64, but the entropy gets rather low when used, however it does reach zero. Is this still okay?


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    Package       : rng-tools
    Installed     : rng-tools-6.15-1.el9.x86_64
    beakerlib RPM : beakerlib-1.27-1.el9.noarch
    bl-redhat RPM : beakerlib-redhat-1-30.el9.noarch
    Test name     : /CoreOS/rng-tools/Sanity/hwrng
    Test version  : 1.0-12
    Test built    : 2020-06-02 10:01:33 EDT
    Test started  : 2022-06-13 16:37:30 EDT
    Test finished : 2022-06-13 16:43:01 EDT (still running)
    Test duration : 331 seconds
    Distro        : Red Hat Enterprise Linux release 9.1 Beta (Plow)
    Hostname      : intel-eaglestream-spr-04.khw1.lab.eng.bos.redhat.com
    Architecture  : x86_64
    CPUs          : 192 x Genuine Intel(R) CPU 0000%@
    RAM size      : 127596 MB
    HDD size      : 1783.61 GB

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test description
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

PURPOSE of /CoreOS/rng-tools/Sanity/hwrng
Description: Check hardware random number generator
Author: Jeff Bastian <jbastian>

This test verifies the hardware random number generator is working
with the rngtest tool, and that the kernel's entropy pool remains full
with rngd running.


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   basic daemon tests
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:37:31 ] :: [   PASS   ] :: Checking if stopped (Expected 3, got 3)
:: [ 16:37:31 ] :: [   PASS   ] :: Starting rngd daemon (Expected 0, got 0)
:: [ 16:37:31 ] :: [   PASS   ] :: Checking if started (Expected 0, got 0)
:: [ 16:37:36 ] :: [   PASS   ] :: Still running after 15s (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 5s
::   Assertions: 4 good, 0 bad
::   RESULT: PASS (basic daemon tests)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   options test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:37:38 ] :: [   PASS   ] :: foreground run OK
:: [ 16:37:38 ] :: [   PASS   ] :: background run OK
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 2s
::   Assertions: 2 good, 0 bad
::   RESULT: PASS (options test)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   rngtest
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:42:51 ] :: [   PASS   ] :: Running rngtest (Expected 0,1, got 0)
:: [ 16:42:51 ] :: [   INFO   ] :: Sending /var/tmp/rlRun_LOG.ml3kEs69 as rngtest.out
:: [ 16:42:51 ] :: [   LOG    ] :: File '/tmp/tmp.wkQGeAaaFz/rngtest.out' stored here: /var/tmp/BEAKERLIB_STORED_rngtest.out
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 313s
::   Assertions: 1 good, 0 bad
::   RESULT: PASS (rngtest)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   entropy-pool
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:42:51 ] :: [   PASS   ] :: Starting rngd.service (Expected 0, got 0)
:: [ 16:42:51 ] :: [   PASS   ] :: rngd.service is active (Expected 0, got 0)
:: [ 16:42:51 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "67" should be greater than "2047")
:: [ 16:42:52 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "69" should be greater than "2047")
:: [ 16:42:53 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "75" should be greater than "2047")
:: [ 16:42:54 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
:: [ 16:42:55 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
:: [ 16:42:56 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
:: [ 16:42:57 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
:: [ 16:42:58 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
:: [ 16:42:59 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
:: [ 16:43:00 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 10s
::   Assertions: 2 good, 10 bad
::   RESULT: FAIL (entropy-pool)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   /CoreOS/rng-tools/Sanity/hwrng
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:43:01 ] :: [   LOG    ] :: JOURNAL XML: /var/tmp/beakerlib-zt8MTKy/journal.xml
:: [ 16:43:01 ] :: [   LOG    ] :: JOURNAL TXT: /var/tmp/beakerlib-zt8MTKy/journal.txt
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 331s
::   Phases: 3 good, 1 bad
::   OVERALL RESULT: FAIL (/CoreOS/rng-tools/Sanity/hwrng)

[root@intel-eaglestream-spr-04 hwrng]# rngd -l
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
5: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
0: Hardware RNG Device (hwrng)
2: Intel RDRAND Instruction RNG (rdrand)
6: JITTER Entropy generator (jitter)
Available entropy sources that failed initalization:

Comment 9 Vladis Dronov 2022-06-14 11:50:04 UTC
(In reply to Vilém Maršík from comment #8)
> Mostly working on RHEL-9.1.0-20220613.d.0 with kernel
> 5.14.0-105.kpq0.el9.x86_64 and rng-tools-6.15-1.el9.x86_64, but the entropy
> gets rather low when used, however it does reach zero. Is this still okay?
> 
> :: [ 16:42:51 ] :: [   PASS   ] :: rngd.service is active (Expected 0, got 0)
> :: [ 16:42:51 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "67" should be greater than "2047")
> :: [ 16:42:52 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "69" should be greater than "2047")
> :: [ 16:42:53 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "75" should be greater than "2047")
> :: [ 16:42:54 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
> :: [ 16:42:55 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")
> :: [ 16:43:00 ] :: [   FAIL   ] :: Available entropy at least 2048 (Assert: "256" should be greater than "2047")

Hi, Vilem,
Thanks for testing. In short, the above is expected on RHEL9 and I guess,
a test can be adjusted to conform to new RHEL9 behavior.

In long, there is a combination of factors.

1) jitter-entropy source takes several seconds to start. So rngd does not feed entropy
pool immediately at startup. This explains behavior at seconds 42:51-42:53.

2) RHEL9 has changed entropy pool size from 4096 to 256:

(rhel9)# cat /proc/sys/kernel/random/poolsize
256

in a commit 6e8ec2552c7d ("random: use computational hash for entropy extraction"),
BLAKE2S_HASH_SIZE is exactly 32:

-       POOL_BITS = POOL_BYTES * 8,
+       POOL_BITS = BLAKE2S_HASH_SIZE * 8,
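
Review bot: on the `+` line, POOL_BITS now follows BLAKE2S_HASH_SIZE, so a user-visible value (/proc/sys/kernel/random/poolsize, and with it the unadjusted write_wakeup_threshold) becomes a side effect of the hash choice: with BLAKE2S_HASH_SIZE at 32 it drops from 4096 to 256. A comment next to the definition saying the value is exported to userspace would help, along with a note for anything that compares entropy_avail against a fixed number above 256, such as the 2048 check in the test log above.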

this was backported to C9S/RHEL9 via: https://bugzilla.redhat.com/2079030

So if rngd is run with --fill-watermark=0 / -W 0 as by default in RHEL8/9,
/proc/sys/kernel/random/write_wakeup_threshold is not adjusted and remains
equal to /proc/sys/kernel/random/poolsize, i.e. 256. This is exactly what
our test log shows.

If rngd is run with --fill-watermark=N / -W N, then write_wakeup_threshold
is set to N. If rngd is run without these, then write_wakeup_threshold is
set to 3/4 of poolsize.
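
The threshold rules from comment 9, as an added shell example (not part of the bug report or of the rng-tools testsuite): it reads the fill-watermark option out of an rngd command line, computes the write_wakeup_threshold the comment describes, and caps the old test's 2048-bit assertion at poolsize. The function names, the RANDOM_DIR override and the capped floor are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and RANDOM_DIR are hypothetical.
RANDOM_DIR=${RANDOM_DIR:-/proc/sys/kernel/random}   # override for offline runs

# Print the value passed as --fill-watermark=N, --fill-watermark N, -W N or -WN
# in an rngd command line ($1); print nothing when the option is absent.
watermark_from_cmdline() (
    set -f                      # no globbing while splitting the command line
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            --fill-watermark=*) echo "${1#--fill-watermark=}"; break ;;
            --fill-watermark|-W) echo "$2"; break ;;
            -W*) echo "${1#-W}"; break ;;
        esac
        shift
    done
)

# write_wakeup_threshold as described in comment 9:
#   watermark 0 -> not adjusted, stays equal to poolsize
#   watermark N -> N
#   no option   -> 3/4 of poolsize
expected_wakeup_threshold() {   # $1 = poolsize, $2 = watermark ("" if absent)
    if [ -z "$2" ]; then
        echo $(( $1 * 3 / 4 ))
    elif [ "$2" -eq 0 ]; then
        echo "$1"
    else
        echo "$2"
    fi
}

# Floor for the entropy assertion: the old 2048 capped at poolsize (assumed
# fix, not the real testsuite change): 2048 on a 4096 pool, 256 on RHEL 9.
entropy_floor() {               # $1 = poolsize, $2 = wanted bits (default 2048)
    want=${2:-2048}
    if [ "$want" -gt "$1" ]; then echo "$1"; else echo "$want"; fi
}

# Compare the live (or constructed) entropy_avail with the capped floor.
check_entropy() {
    poolsize=$(cat "$RANDOM_DIR/poolsize")
    avail=$(cat "$RANDOM_DIR/entropy_avail")
    floor=$(entropy_floor "$poolsize" "${1:-2048}")
    echo "entropy_avail=$avail poolsize=$poolsize floor=$floor"
    [ "$avail" -ge "$floor" ]
}

# rngd command line from the ps output in comment 5, on a 256-bit pool.
cmd='/usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon'
wm=$(watermark_from_cmdline "$cmd")
echo "watermark=$wm threshold=$(expected_wakeup_threshold 256 "$wm")"
```

Run check_entropy in a retry loop after starting rngd, since the jitter source needs a few seconds before the pool is fed.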

Comment 11 Vilém Maršík 2022-06-29 17:08:09 UTC
Thanks for commenting, have fixed the testsuite. Setting the bug verified.

Comment 13 errata-xmlrpc 2022-11-15 11:16:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8308

