Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2124602

Summary: [RHEL-8.8] update rng-tools to 6.15@6dcc9ec2 and jitterentropy to 3.4.1@4544e113
Product: Red Hat Enterprise Linux 8 Reporter: Vladis Dronov <vdronov>
Component: rng-toolsAssignee: Vladis Dronov <vdronov>
Status: CLOSED ERRATA QA Contact: Vilém Maršík <vmarsik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.8CC: rparrazo, vmarsik
Target Milestone: rcKeywords: Rebase, Triaged
Target Release: 8.8Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rng-tools-6.15-2.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-16 09:03:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vladis Dronov 2022-09-06 15:14:12 UTC 
update rng-tools to 6.16 and jitterentropy lib to 3.4.1. the previous bugzilla is bz2075974.

rng-tools:
upstream: https://github.com/smuellerDD/jitterentropy-library/
fedora: https://src.fedoraproject.org/rpms/jitterentropy/

jitterentropy-lib:
upstream: https://github.com/nhorman/rng-tools/
fedora: https://src.fedoraproject.org/rpms/rng-tools/
Comment 1 Vladis Dronov 2022-10-06 15:39:09 UTC 
[CI] [GATING] [DONE] rng-tools-6.15-2.el8 passed gating because all required tests passed

jit+rng 8.8 brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48143786
jit+rng 8.8 osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48143786

x86_64 rpm: http://download.eng.bos.redhat.com/brewroot/work/tasks/3547/48143547/rng-tools-6.15-2.el8.x86_64.rpm
src rpm: http://download.eng.bos.redhat.com/brewroot/work/tasks/3787/48143787/rng-tools-6.15-2.el8.src.rpm
Comment 2 Vladis Dronov 2022-10-06 15:50:48 UTC 
a test plan:

0) ensure no previous installation and no config and 'rngd' user exists from previous installations

# rpm -e rng-tools
# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon package and a source package from brew via links above

2) install it. please, note this release requires selinux-policy >= 3.14.3-98, it is available in the latest 8.7 composes.

3) verify that a service file DO NOT contain "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service
<none>

4) verify qrypt is disabled in a config file:

# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"

5) this release does not create any new user/group. still, check that pwck is fine after installation.

# pwck

6) start a service and ensure a process is run as daemon user and a log contains "Process privileges have been dropped" line:
a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd

7) [ RUN THIS AFTER STARTING rngd SERVICE AS DESCRIBED IN (6) ABOVE ]
optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked,
then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of
"rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all
three should return 0:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?

8) clean up

# systemctl stop rngd
# dnf -y erase rng-tools
# rm -f rng-tools*rpm
Comment 3 Vilém Maršík 2022-10-06 16:08:01 UTC 
Thanks for providing the test plan. What is your question?
Comment 4 Vladis Dronov 2022-10-06 16:29:01 UTC 
No question. As we've agreed on a latest meeting we track bugzilla progress in a bugzilla itself.
So I set needinfo to you when my part is done and I handover a bugzilla to you for testing or verification or when any further actions are needed from your side.
Comment 5 Vilém Maršík 2022-10-06 16:30:48 UTC 
Okay, will let you know when testing is finished.
Comment 6 Vladis Dronov 2022-10-06 17:43:01 UTC 
Thanks, Vilem, most appreciated.
Comment 7 Vilém Maršík 2022-10-06 23:25:41 UTC 
Looks okay on RHEL-8.8.0-20221006.0 :
# rpm -e rng-tools
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# rpm -i http://download.eng.bos.redhat.com/brewroot/vol/rhel-8/packages/rng-tools/6.15/2.el8/x86_64/rng-tools-6.15-2.el8.x86_64.rpm
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2022-10-06 19:18:33 EDT; 10s ago
(...)
Oct 06 19:18:34 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[19961]: Process privileges have been dropped to 2:2
(...)
daemon     19961       1 99 19:18 ?        00:00:18 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)

# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=3.725; avg=8.828; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=167.311; avg=194.926; max=202.909)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=52631578947.368; max=0.000)bits/s
rngtest: Program run time: 10163 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=1.433; avg=7.761; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=489.064; avg=1214.872; max=1467.191)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 1882 microseconds
0
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 60 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=346.791; avg=462.163; max=560.985)Mibits/s
rngtest: FIPS tests speed: (min=185.179; avg=195.185; max=200.774)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=55555555555.556; max=0.000)bits/s
rngtest: Program run time: 1563073 microseconds
killing
0
Comment 8 Vladis Dronov 2022-10-07 14:05:00 UTC 
Thanks for a testing, Vilem!
Comment 14 Vilém Maršík 2022-12-05 22:15:26 UTC 
rng-tools-6.15-2.el8.x86_64 passed tests on RHEL-8.8.0-20221204.2 kernel 4.18.0-441.el8.x86_64:
# rpm -e rng-tools
error: package rng-tools is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# dnf install rng-tools
(...)
Installed:
  rng-tools-6.15-2.el8.x86_64 
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-12-05 16:54:00 EST; 10s ago
 Main PID: 6969 (rngd)
    Tasks: 5 (limit: 3297041)
   Memory: 2.7M
   CGroup: /system.slice/rngd.service
           └─6969 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon

Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Disabling 9: Qrypt quantum entropy beacon (qrypt)
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Initializing available sources
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [hwrng ]: Initialization Failed
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [rdrand]: Enabling RDSEED rng support
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [rdrand]: Initialized
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: JITTER timeout set to 5 sec
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Initializing AES buffer
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Enabling JITTER rng support
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Initialized
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Process privileges have been dropped to 2:2
daemon      6969       1 99 16:53 ?        00:00:18 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
root        6982    6497  0 16:54 pts/0    00:00:00 grep --color=auto rngd

# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=11.642; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=165.856; avg=197.776; max=205.091)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=250000000000.000; max=0.000)bits/s
rngtest: Program run time: 10041 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=6.209; avg=17.247; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=489.064; avg=954.629; max=1467.191)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2204 microseconds
0
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 60 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=544.957; avg=870.538; max=9536.743)Mibits/s
rngtest: FIPS tests speed: (min=178.257; avg=195.185; max=198.682)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=95238095238.095; max=0.000)bits/s
rngtest: Program run time: 1559944 microseconds
killing
0

Just one question - why does the title want rng-tools-6.16, while we have rng-tools-6.15-2 ?
Otherwise verified.
Comment 16 Vladis Dronov 2022-12-27 13:36:38 UTC 
(In reply to Vilém Maršík from comment #14)
> Just one question - why does the title want rng-tools-6.16, while we have rng-tools-6.15-2 ?

updated the bz title, thanks. unfortunately we would need another important update in 8.8/9.2 due to a crash: bz2140043, bz2141379.
Comment 17 Vilém Maršík 2023-01-05 14:34:42 UTC 
Thanks, setting this one verified.
Comment 18 Vladis Dronov 2023-01-05 16:08:47 UTC 
thanks, Vilem, your help is most appreciated. i'm sorry
for the another rngd update, unfortunately, we just cannot
release a version which crashes (even only on s390x).
Comment 20 errata-xmlrpc 2023-05-16 09:03:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2959