Update rng-tools to 6.16. The previous bugzilla is bz2075977.
upstream: https://github.com/nhorman/rng-tools/
fedora: https://src.fedoraproject.org/rpms/rng-tools/
[CI] [GATING] [DONE] rng-tools-6.15-2.el9 passed gating because all required tests passed
jitterlib 9.2 koji: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1491585
rng-tools 9.2 koji: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1491578
jitterlib 9.2 brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48143076
rng-tools 9.2 brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48143066
jitterlib 9.2 osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48143076
rng-tools 9.2 osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48143066
A test plan:

0) Ensure there is no previous installation, no config, and no 'rngd' user left from previous installations:
   # rpm -e rng-tools jitterentropy
   # userdel -r rngd
   # rm -f /etc/sysconfig/rngd*
1) Grab the rngd daemon and jitterentropy lib packages and the rngd daemon source rpm from brew via the links above.
2) Install both. Please note this release requires selinux-policy >= 34.1.31-2; it is available in the latest 9.1 composes.
3) Verify that the service file does NOT contain the "udevadm" command:
   # grep udevadm /usr/lib/systemd/system/rngd.service
   <none>
4) Verify qrypt is disabled in the config file:
   # grep -- '-x qrypt' /etc/sysconfig/rngd
   RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
5) This release does not create any new user/group. Still, check that pwck is fine after installation:
   # pwck
6) Start the service and ensure the process runs as the daemon user and the log contains the "Process privileges have been dropped" line. A pause is needed for jitter to init; alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.
   # systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd
7) [ RUN THIS AFTER STARTING THE rngd SERVICE AS DESCRIBED IN (6) ABOVE ] Optional: general functional tests. They reside in the source tarball, so rng-tools.src.rpm should be unpacked, then the .tar.gz inside it should be unpacked. Go to tests/ in the source dir. Edit the scripts, removing "../" in front of "rngd" and "rngtest" so the binaries installed from the package are used. Run the tests checking the return code; all three should return 0:
   # ./rngtestzero.sh ; echo $?
   # ./rngtesturandom.sh ; echo $?
   # RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?
8) Clean up:
   # systemctl stop rngd
   # dnf -y erase rng-tools jitterentropy
   # rm -f rng-tools*rpm jitterentropy*rpm
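As an added example (not part of this bug's test plan and not code from rng-tools itself): a POSIX shell script that automates the checks behind steps 3, 4, 6 and 7 of the plan above. The function names are ours, and the sample unit file, config, journal line and rngtest summaries are constructed here from the outputs pasted in this bug so the script runs on any host. On a real system, point the functions at /usr/lib/systemd/system/rngd.service, /etc/sysconfig/rngd, the journal and the captured rngtest output instead of the samples.

```shell
#!/bin/sh
# Added example, not part of the test plan in this bug: shell checks that
# automate steps 3, 4, 6 and 7 above. They are exercised against constructed
# sample input (taken from the outputs pasted in this bug) so the script runs
# anywhere; on a host under test, pass the real files and captured output.

# Step 3: the unit file must not call udevadm. Returns 0 when it is clean.
unit_has_no_udevadm() {
    ! grep -q 'udevadm' "$1"
}

# Step 4: RNGD_ARGS must carry "-x qrypt" (qrypt disabled) and
# "-D daemon:daemon" (privilege drop). Returns 0 when both are present.
rngd_args_ok() {
    args=$(sed -n 's/^RNGD_ARGS="\(.*\)"$/\1/p' "$1")
    case " $args " in *" -x qrypt "*) ;; *) return 1 ;; esac
    case " $args " in *" -D daemon:daemon "*) return 0 ;; *) return 1 ;; esac
}

# Step 6: the journal must show the privilege drop to the expected uid:gid
# (2:2 is the daemon user/group, as in the status output pasted below).
priv_drop_logged() {
    grep -q "Process privileges have been dropped to $2\$" "$1"
}

# Step 7: judge an rngtest run from its summary lines. Mode "pass" is for the
# jitter and urandom scripts (no FIPS 140-2 failures allowed); mode "fail" is
# for rngtestzero.sh, where every all-zero block must be rejected.
rngtest_verdict() {
    succ=$(sed -n 's/^rngtest: FIPS 140-2 successes: \([0-9]*\)$/\1/p' "$1")
    fail=$(sed -n 's/^rngtest: FIPS 140-2 failures: \([0-9]*\)$/\1/p' "$1")
    [ -n "$succ" ] && [ -n "$fail" ] || return 1
    case "$2" in
        pass) [ "$fail" -eq 0 ] && [ "$succ" -gt 0 ] ;;
        fail) [ "$succ" -eq 0 ] && [ "$fail" -gt 0 ] ;;
        *) return 1 ;;
    esac
}

# ---- constructed sample input (stand-ins for the real files and outputs) ----
SAMPLE_DIR=$(mktemp -d)
GOOD_UNIT="$SAMPLE_DIR/rngd.service"; BAD_UNIT="$SAMPLE_DIR/rngd-old.service"
GOOD_CONF="$SAMPLE_DIR/rngd"; WEAK_CONF="$SAMPLE_DIR/rngd-weak"
JOURNAL="$SAMPLE_DIR/journal"
OUT_OK="$SAMPLE_DIR/urandom.out"; OUT_ZERO="$SAMPLE_DIR/zero.out"

printf '[Service]\nExecStart=/usr/sbin/rngd -f $RNGD_ARGS\n' > "$GOOD_UNIT"
# hypothetical "old" unit with the udevadm call the plan says must be gone
printf '[Service]\nExecStartPre=/usr/bin/udevadm settle\nExecStart=/usr/sbin/rngd -f $RNGD_ARGS\n' > "$BAD_UNIT"
printf 'RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"\n' > "$GOOD_CONF"
# weak config: qrypt still enabled and no privilege drop
printf 'RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist"\n' > "$WEAK_CONF"
printf 'rngd[10752]: Process privileges have been dropped to 2:2\n' > "$JOURNAL"
printf 'rngtest: bits received from input: 2000064\nrngtest: FIPS 140-2 successes: 100\nrngtest: FIPS 140-2 failures: 0\n' > "$OUT_OK"
printf 'rngtest: bits received from input: 2000064\nrngtest: FIPS 140-2 successes: 0\nrngtest: FIPS 140-2 failures: 100\n' > "$OUT_ZERO"

# Runs every check once against the samples; returns 0 only if all hold.
run_all_checks() {
    unit_has_no_udevadm "$GOOD_UNIT" && ! unit_has_no_udevadm "$BAD_UNIT" &&
    rngd_args_ok "$GOOD_CONF" && ! rngd_args_ok "$WEAK_CONF" &&
    priv_drop_logged "$JOURNAL" 2:2 &&
    rngtest_verdict "$OUT_OK" pass && rngtest_verdict "$OUT_ZERO" fail
}

run_all_checks && echo "all rngd checks passed"
```

The rngtestzero.sh case is the one worth keeping: the script feeds all-zero input and the expected result is 100 FIPS failures, so a naive "failures must be 0" check would report that run as broken even though the exit code (what the plan actually checks) is 0.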
Thanks for the test plan. What is your question?
No question. As we agreed at the latest meeting, we track bugzilla progress in the bugzilla itself. So I set needinfo to you when my part is done and I hand over the bugzilla to you for testing or verification, or when any further actions are needed from your side.
Looks okay on RHEL-9.2.0-20221006.d.0 with kernel 5.14.0-170.kpq1.el9.x86_64+debug:

# rpm -e rng-tools jitterentropy
Removed "/etc/systemd/system/multi-user.target.wants/rngd.service".
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# rpm -i http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/rng-tools/6.15/2.el9/x86_64/rng-tools-6.15-2.el9.x86_64.rpm http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/jitterentropy/3.4.1/1.el9/x86_64/jitterentropy-3.4.1-1.el9.x86_64.rpm
Created symlink /etc/systemd/system/multi-user.target.wants/rngd.service → /usr/lib/systemd/system/rngd.service.
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd
# systemctl status rngd
(...)
     Active: active (running) since Thu 2022-10-06 15:55:59 EDT; 4s ago
(...)
             └─10752 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)
Oct 06 15:56:00 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[10752]: Process privileges have been dropped to 2:2
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 5 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=250.967; avg=307.092; max=515.500)Mibits/s
rngtest: FIPS tests speed: (min=157.632; avg=198.352; max=202.909)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=52631578947.368; max=0.000)bits/s
rngtest: Program run time: 1592761 microseconds
killing
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=6.652; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=183.399; avg=198.434; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=74074074074.074; max=0.000)bits/s
rngtest: Program run time: 10766 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=4.657; avg=7.421; max=9.313)Gibits/s
rngtest: FIPS tests speed: (min=1003.868; avg=1467.191; max=1589.457)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2330 microseconds
0
Thanks for the testing, Vilem, most appreciated.
Looks good: DISTRO=RHEL-9.2.0-20221013.0, kernel 5.14.0-175.el9.x86_64+debug

# rpm -q rng-tools
package rng-tools is not installed
# rpm -q jitterentropy
package jitterentropy is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# dnf install rng-tools jitterentropy
(...)
Installed:
  jitterentropy-3.4.1-1.el9.x86_64
  rng-tools-6.15-2.el9.x86_64
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd
# systemctl status rngd
(...)
     Active: active (running) since Thu 2022-10-20 18:17:42 EDT; 4s ago
(...)
             └─60094 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)
Oct 20 18:17:44 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[60094]: Process privileges have been dropped to 2:2
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 5 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=272.478; avg=322.460; max=381.470)Mibits/s
rngtest: FIPS tests speed: (min=178.257; avg=198.744; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=68965517241.379; max=0.000)bits/s
rngtest: Program run time: 1593021 microseconds
killing
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=7.276; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=188.846; avg=198.910; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=62500000000.000; max=0.000)bits/s
rngtest: Program run time: 10637 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=2.070; avg=7.164; max=9.313)Gibits/s
rngtest: FIPS tests speed: (min=1.242; avg=1.418; max=1.552)Gibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2527 microseconds
0
Unfortunately we will need another important update in 8.8/9.2 due to a crash: bz2140043, bz2141379.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2473