2124602 – [RHEL-8.8] update rng-tools to 6.15@6dcc9ec2 and jitterentropy to 3.4.1@4544e113

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2124602 - [RHEL-8.8] update rng-tools to 6.15@6dcc9ec2 and jitterentropy to 3.4.1@4544e113

Summary: [RHEL-8.8] update rng-tools to 6.15@6dcc9ec2 and jitterentropy to 3.4.1@4544e113

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	rng-tools
Sub Component:
Version:	8.8
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.8
Assignee:	Vladis Dronov
QA Contact:	Vilém Maršík
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-09-06 15:14 UTC by Vladis Dronov
Modified:	2023-05-16 10:59 UTC (History)
CC List:	2 users (show)
Fixed In Version:	rng-tools-6.15-2.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-16 09:03:32 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-133319	0	None	None	None	2022-09-06 15:22:03 UTC
Red Hat Product Errata	RHBA-2023:2959	0	None	None	None	2023-05-16 09:03:35 UTC

Description Vladis Dronov 2022-09-06 15:14:12 UTC

update rng-tools to 6.16 and jitterentropy lib to 3.4.1. the previous bugzilla is bz2075974.

rng-tools:
upstream: https://github.com/smuellerDD/jitterentropy-library/
fedora: https://src.fedoraproject.org/rpms/jitterentropy/

jitterentropy-lib:
upstream: https://github.com/nhorman/rng-tools/
fedora: https://src.fedoraproject.org/rpms/rng-tools/

Comment 1 Vladis Dronov 2022-10-06 15:39:09 UTC

[CI] [GATING] [DONE] rng-tools-6.15-2.el8 passed gating because all required tests passed

jit+rng 8.8 brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48143786
jit+rng 8.8 osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48143786

x86_64 rpm: http://download.eng.bos.redhat.com/brewroot/work/tasks/3547/48143547/rng-tools-6.15-2.el8.x86_64.rpm
src rpm: http://download.eng.bos.redhat.com/brewroot/work/tasks/3787/48143787/rng-tools-6.15-2.el8.src.rpm

Comment 2 Vladis Dronov 2022-10-06 15:50:48 UTC

a test plan:

0) ensure no previous installation and no config and 'rngd' user exists from previous installations

# rpm -e rng-tools
# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon package and a source package from brew via links above

2) install it. please, note this release requires selinux-policy >= 3.14.3-98, it is available in the latest 8.7 composes.

3) verify that a service file DO NOT contain "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service
<none>

4) verify qrypt is disabled in a config file:

# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"

5) this release does not create any new user/group. still, check that pwck is fine after installation.

# pwck

6) start a service and ensure a process is run as daemon user and a log contains "Process privileges have been dropped" line:
a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd

7) [ RUN THIS AFTER STARTING rngd SERVICE AS DESCRIBED IN (6) ABOVE ]
optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked,
then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of
"rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all
three should return 0:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?

8) clean up

# systemctl stop rngd
# dnf -y erase rng-tools
# rm -f rng-tools*rpm

Comment 3 Vilém Maršík 2022-10-06 16:08:01 UTC

Thanks for providing the test plan. What is your question?

Comment 4 Vladis Dronov 2022-10-06 16:29:01 UTC

No question. As we've agreed on a latest meeting we track bugzilla progress in a bugzilla itself.
So I set needinfo to you when my part is done and I handover a bugzilla to you for testing or verification or when any further actions are needed from your side.

Comment 5 Vilém Maršík 2022-10-06 16:30:48 UTC

Okay, will let you know when testing is finished.

Comment 6 Vladis Dronov 2022-10-06 17:43:01 UTC

Thanks, Vilem, most appreciated.

Comment 7 Vilém Maršík 2022-10-06 23:25:41 UTC

Looks okay on RHEL-8.8.0-20221006.0 :
# rpm -e rng-tools
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# rpm -i http://download.eng.bos.redhat.com/brewroot/vol/rhel-8/packages/rng-tools/6.15/2.el8/x86_64/rng-tools-6.15-2.el8.x86_64.rpm
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2022-10-06 19:18:33 EDT; 10s ago
(...)
Oct 06 19:18:34 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[19961]: Process privileges have been dropped to 2:2
(...)
daemon     19961       1 99 19:18 ?        00:00:18 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)

# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=3.725; avg=8.828; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=167.311; avg=194.926; max=202.909)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=52631578947.368; max=0.000)bits/s
rngtest: Program run time: 10163 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=1.433; avg=7.761; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=489.064; avg=1214.872; max=1467.191)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 1882 microseconds
0
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 60 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=346.791; avg=462.163; max=560.985)Mibits/s
rngtest: FIPS tests speed: (min=185.179; avg=195.185; max=200.774)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=55555555555.556; max=0.000)bits/s
rngtest: Program run time: 1563073 microseconds
killing
0

Comment 8 Vladis Dronov 2022-10-07 14:05:00 UTC

Thanks for a testing, Vilem!

Comment 14 Vilém Maršík 2022-12-05 22:15:26 UTC

rng-tools-6.15-2.el8.x86_64 passed tests on RHEL-8.8.0-20221204.2 kernel 4.18.0-441.el8.x86_64:
# rpm -e rng-tools
error: package rng-tools is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# dnf install rng-tools
(...)
Installed:
  rng-tools-6.15-2.el8.x86_64 
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-12-05 16:54:00 EST; 10s ago
 Main PID: 6969 (rngd)
    Tasks: 5 (limit: 3297041)
   Memory: 2.7M
   CGroup: /system.slice/rngd.service
           └─6969 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon

Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Disabling 9: Qrypt quantum entropy beacon (qrypt)
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Initializing available sources
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [hwrng ]: Initialization Failed
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [rdrand]: Enabling RDSEED rng support
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [rdrand]: Initialized
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: JITTER timeout set to 5 sec
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Initializing AES buffer
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Enabling JITTER rng support
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Initialized
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Process privileges have been dropped to 2:2
daemon      6969       1 99 16:53 ?        00:00:18 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
root        6982    6497  0 16:54 pts/0    00:00:00 grep --color=auto rngd

# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=11.642; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=165.856; avg=197.776; max=205.091)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=250000000000.000; max=0.000)bits/s
rngtest: Program run time: 10041 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=6.209; avg=17.247; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=489.064; avg=954.629; max=1467.191)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2204 microseconds
0
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 60 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=544.957; avg=870.538; max=9536.743)Mibits/s
rngtest: FIPS tests speed: (min=178.257; avg=195.185; max=198.682)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=95238095238.095; max=0.000)bits/s
rngtest: Program run time: 1559944 microseconds
killing
0

Just one question - why does the title want rng-tools-6.16, while we have rng-tools-6.15-2 ?
Otherwise verified.

Comment 16 Vladis Dronov 2022-12-27 13:36:38 UTC

(In reply to Vilém Maršík from comment #14)
> Just one question - why does the title want rng-tools-6.16, while we have rng-tools-6.15-2 ?

updated the bz title, thanks. unfortunately we would need another important update in 8.8/9.2 due to a crash: bz2140043, bz2141379.

Comment 17 Vilém Maršík 2023-01-05 14:34:42 UTC

Thanks, setting this one verified.

Comment 18 Vladis Dronov 2023-01-05 16:08:47 UTC

thanks, Vilem, your help is most appreciated. i'm sorry
for the another rngd update, unfortunately, we just cannot
release a version which crashes (even only on s390x).

Comment 20 errata-xmlrpc 2023-05-16 09:03:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2959

Note You need to log in before you can comment on or make changes to this bug.