RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2124602 - [RHEL-8.8] update rng-tools to 6.15@6dcc9ec2 and jitterentropy to 3.4.1@4544e113
Summary: [RHEL-8.8] update rng-tools to 6.15@6dcc9ec2 and jitterentropy to 3.4.1@4544e113
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rng-tools
Version: 8.8
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.8
Assignee: Vladis Dronov
QA Contact: Vilém Maršík
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-09-06 15:14 UTC by Vladis Dronov
Modified: 2023-05-16 10:59 UTC (History)
2 users (show)

Fixed In Version: rng-tools-6.15-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 09:03:32 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-133319 0 None None None 2022-09-06 15:22:03 UTC
Red Hat Product Errata RHBA-2023:2959 0 None None None 2023-05-16 09:03:35 UTC

Description Vladis Dronov 2022-09-06 15:14:12 UTC
update rng-tools to 6.16 and jitterentropy lib to 3.4.1. the previous bugzilla is bz2075974.

rng-tools:
upstream: https://github.com/smuellerDD/jitterentropy-library/
fedora: https://src.fedoraproject.org/rpms/jitterentropy/

jitterentropy-lib:
upstream: https://github.com/nhorman/rng-tools/
fedora: https://src.fedoraproject.org/rpms/rng-tools/

Comment 2 Vladis Dronov 2022-10-06 15:50:48 UTC
a test plan:

0) ensure no previous installation and no config and 'rngd' user exists from previous installations

# rpm -e rng-tools
# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon package and a source package from brew via links above

2) install it. please, note this release requires selinux-policy >= 3.14.3-98, it is available in the latest 8.7 composes.

3) verify that a service file DO NOT contain "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service
<none>

4) verify qrypt is disabled in a config file:

# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"

5) this release does not create any new user/group. still, check that pwck is fine after installation.

# pwck

6) start a service and ensure a process is run as daemon user and a log contains "Process privileges have been dropped" line:
a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd

7) [ RUN THIS AFTER STARTING rngd SERVICE AS DESCRIBED IN (6) ABOVE ]
optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked,
then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of
"rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all
three should return 0:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?

8) clean up

# systemctl stop rngd
# dnf -y erase rng-tools
# rm -f rng-tools*rpm

Comment 3 Vilém Maršík 2022-10-06 16:08:01 UTC
Thanks for providing the test plan. What is your question?

Comment 4 Vladis Dronov 2022-10-06 16:29:01 UTC
No question. As we've agreed on a latest meeting we track bugzilla progress in a bugzilla itself.
So I set needinfo to you when my part is done and I handover a bugzilla to you for testing or verification or when any further actions are needed from your side.

Comment 5 Vilém Maršík 2022-10-06 16:30:48 UTC
Okay, will let you know when testing is finished.

Comment 6 Vladis Dronov 2022-10-06 17:43:01 UTC
Thanks, Vilem, most appreciated.

Comment 7 Vilém Maršík 2022-10-06 23:25:41 UTC
Looks okay on RHEL-8.8.0-20221006.0 :
# rpm -e rng-tools
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# rpm -i http://download.eng.bos.redhat.com/brewroot/vol/rhel-8/packages/rng-tools/6.15/2.el8/x86_64/rng-tools-6.15-2.el8.x86_64.rpm
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2022-10-06 19:18:33 EDT; 10s ago
(...)
Oct 06 19:18:34 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[19961]: Process privileges have been dropped to 2:2
(...)
daemon     19961       1 99 19:18 ?        00:00:18 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)

# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=3.725; avg=8.828; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=167.311; avg=194.926; max=202.909)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=52631578947.368; max=0.000)bits/s
rngtest: Program run time: 10163 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=1.433; avg=7.761; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=489.064; avg=1214.872; max=1467.191)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 1882 microseconds
0
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 60 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=346.791; avg=462.163; max=560.985)Mibits/s
rngtest: FIPS tests speed: (min=185.179; avg=195.185; max=200.774)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=55555555555.556; max=0.000)bits/s
rngtest: Program run time: 1563073 microseconds
killing
0

Comment 8 Vladis Dronov 2022-10-07 14:05:00 UTC
Thanks for a testing, Vilem!

Comment 14 Vilém Maršík 2022-12-05 22:15:26 UTC
rng-tools-6.15-2.el8.x86_64 passed tests on RHEL-8.8.0-20221204.2 kernel 4.18.0-441.el8.x86_64:
# rpm -e rng-tools
error: package rng-tools is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# dnf install rng-tools
(...)
Installed:
  rng-tools-6.15-2.el8.x86_64 
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-12-05 16:54:00 EST; 10s ago
 Main PID: 6969 (rngd)
    Tasks: 5 (limit: 3297041)
   Memory: 2.7M
   CGroup: /system.slice/rngd.service
           └─6969 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon

Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Disabling 9: Qrypt quantum entropy beacon (qrypt)
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Initializing available sources
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [hwrng ]: Initialization Failed
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [rdrand]: Enabling RDSEED rng support
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [rdrand]: Initialized
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: JITTER timeout set to 5 sec
Dec 05 16:54:00 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Initializing AES buffer
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Enabling JITTER rng support
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: [jitter]: Initialized
Dec 05 16:54:01 intel-eaglestream-spr-11.khw3.lab.eng.bos.redhat.com rngd[6969]: Process privileges have been dropped to 2:2
daemon      6969       1 99 16:53 ?        00:00:18 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
root        6982    6497  0 16:54 pts/0    00:00:00 grep --color=auto rngd

# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=11.642; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=165.856; avg=197.776; max=205.091)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=250000000000.000; max=0.000)bits/s
rngtest: Program run time: 10041 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=6.209; avg=17.247; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=489.064; avg=954.629; max=1467.191)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2204 microseconds
0
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 60 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=544.957; avg=870.538; max=9536.743)Mibits/s
rngtest: FIPS tests speed: (min=178.257; avg=195.185; max=198.682)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=95238095238.095; max=0.000)bits/s
rngtest: Program run time: 1559944 microseconds
killing
0

Just one question - why does the title want rng-tools-6.16, while we have rng-tools-6.15-2 ?
Otherwise verified.

Comment 16 Vladis Dronov 2022-12-27 13:36:38 UTC
(In reply to Vilém Maršík from comment #14)
> Just one question - why does the title want rng-tools-6.16, while we have rng-tools-6.15-2 ?

updated the bz title, thanks. unfortunately we would need another important update in 8.8/9.2 due to a crash: bz2140043, bz2141379.

Comment 17 Vilém Maršík 2023-01-05 14:34:42 UTC
Thanks, setting this one verified.

Comment 18 Vladis Dronov 2023-01-05 16:08:47 UTC
thanks, Vilem, your help is most appreciated. i'm sorry
for the another rngd update, unfortunately, we just cannot
release a version which crashes (even only on s390x).

Comment 20 errata-xmlrpc 2023-05-16 09:03:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2959


Note You need to log in before you can comment on or make changes to this bug.