Bug 2124605

| Summary: | [RHEL-9.2] update rng-tools to 6.15@6dcc9ec2 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Vladis Dronov <vdronov> |
| Component: | rng-tools | Assignee: | Vladis Dronov <vdronov> |
| Status: | CLOSED ERRATA | QA Contact: | Vilém Maršík <vmarsik> |
| Severity: | medium | Priority: | medium |
| Version: | 9.2 | CC: | core-kernel-mgr, vmarsik |
| Target Milestone: | rc | Keywords: | Rebase, Triaged |
| Target Release: | 9.2 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | OS: | Linux |
| Fixed In Version: | rng-tools-6.15-2.el9 | Type: | Bug |
| Last Closed: | 2023-05-09 08:15:43 UTC | | |

Description
Vladis Dronov
2022-09-06 15:19:35 UTC
[CI] [GATING] [DONE] rng-tools-6.15-2.el9 passed gating because all required tests passed

jitterlib 9.2 koji: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1491585
rng-tools 9.2 koji: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1491578
jitterlib 9.2 brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48143076
rng-tools 9.2 brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48143066
jitterlib 9.2 osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48143076
rng-tools 9.2 osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48143066

a test plan:

0) ensure no previous installation and no config and 'rngd' user exists from previous installations
# rpm -e rng-tools jitterentropy
# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon and jitterentropy lib packages and rngd daemon source rpms from brew via links above

2) install both. please, note this release requires selinux-policy >= 34.1.31-2, it is available in the latest 9.1 composes.

3) verify that a service file does NOT contain "udevadm" command:
# grep udevadm /usr/lib/systemd/system/rngd.service
<none>

4) verify qrypt is disabled in a config file:
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"

5) this release does not create any new user/group. still, check that pwck is fine after installation.
# pwck

6) start a service and ensure a process is run as daemon user and a log contains "Process privileges have been dropped" line:
a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.
# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd

7) [ RUN THIS AFTER STARTING rngd SERVICE AS DESCRIBED IN (6) ABOVE ]
optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked, then .tar.gz inside it should be unpacked.
go to tests/ in source dir. edit scripts - remove "../" in front of "rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all three should return 0:
# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?

8) clean up
# systemctl stop rngd
# dnf -y erase rng-tools jitterentropy
# rm -f rng-tools*rpm jitterentropy*rpm

Thanks for the test plan. What is your question?

No question. As we've agreed at the latest meeting, we track bugzilla progress in a bugzilla itself. So I set needinfo to you when my part is done and I hand over a bugzilla to you for testing or verification or when any further actions are needed from your side.

Looks okay on RHEL-9.2.0-20221006.d.0 with kernel 5.14.0-170.kpq1.el9.x86_64+debug :
# rpm -e rng-tools jitterentropy
Removed "/etc/systemd/system/multi-user.target.wants/rngd.service".
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# rpm -i http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/rng-tools/6.15/2.el9/x86_64/rng-tools-6.15-2.el9.x86_64.rpm http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/jitterentropy/3.4.1/1.el9/x86_64/jitterentropy-3.4.1-1.el9.x86_64.rpm
Created symlink /etc/systemd/system/multi-user.target.wants/rngd.service → /usr/lib/systemd/system/rngd.service.
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd
# systemctl status rngd
(...)
Active: active (running) since Thu 2022-10-06 15:55:59 EDT; 4s ago
(...)
└─10752 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)
Oct 06 15:56:00 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[10752]: Process privileges have been dropped to 2:2
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 5 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=250.967; avg=307.092; max=515.500)Mibits/s
rngtest: FIPS tests speed: (min=157.632; avg=198.352; max=202.909)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=52631578947.368; max=0.000)bits/s
rngtest: Program run time: 1592761 microseconds
killing
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=6.652; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=183.399; avg=198.434; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=74074074074.074; max=0.000)bits/s
rngtest: Program run time: 10766 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=4.657; avg=7.421; max=9.313)Gibits/s
rngtest: FIPS tests speed: (min=1003.868; avg=1467.191; max=1589.457)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2330 microseconds
0

Thanks for the testing, Vilem, most appreciated.

Looks good:
DISTRO=RHEL-9.2.0-20221013.0
kernel 5.14.0-175.el9.x86_64+debug
# rpm -q rng-tools
package rng-tools is not installed
# rpm -q jitterentropy
package jitterentropy is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# dnf install rng-tools jitterentropy
(...)
Installed:
jitterentropy-3.4.1-1.el9.x86_64 rng-tools-6.15-2.el9.x86_64
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd
# systemctl status rngd
(...)
Active: active (running) since Thu 2022-10-20 18:17:42 EDT; 4s ago
(...)
└─60094 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)
Oct 20 18:17:44 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[60094]: Process privileges have been dropped to 2:2
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 5 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=272.478; avg=322.460; max=381.470)Mibits/s
rngtest: FIPS tests speed: (min=178.257; avg=198.744; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=68965517241.379; max=0.000)bits/s
rngtest: Program run time: 1593021 microseconds
killing
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=7.276; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=188.846; avg=198.910; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=62500000000.000; max=0.000)bits/s
rngtest: Program run time: 10637 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=2.070; avg=7.164; max=9.313)Gibits/s
rngtest: FIPS tests speed: (min=1.242; avg=1.418; max=1.552)Gibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2527 microseconds
0
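
The checks from steps 3, 4 and 6 of the test plan, written as one shell function that takes file paths so it can run against copies of the unit file, the sysconfig file and a saved journal. This is an added example, not part of the original bug report or of rng-tools; the names `check_rngd` and `write_sample`, the sample unit-file contents, and the extra rule that the `-D` target and logged IDs must not be root are assumptions made here.

```sh
#!/bin/sh
# Added example (not from the bug report): steps 3, 4 and 6 of the test plan
# as one function taking file paths. Names and sample data are constructed.

check_rngd() {
    unit=$1 conf=$2 journal=$3 rc=0

    # Step 3: the unit file must not call udevadm.
    if grep -q udevadm "$unit"; then
        echo "FAIL: udevadm found in $unit"; rc=1
    fi

    # Step 4: RNGD_ARGS must exclude the qrypt entropy source.
    args=$(sed -n 's/^RNGD_ARGS="\(.*\)"$/\1/p' "$conf")
    case " $args " in
        *" -x qrypt "*) ;;
        *) echo "FAIL: qrypt not disabled in $conf"; rc=1 ;;
    esac

    # Step 6 (configured): -D must name a user:group, and (assumption) not root.
    drop=$(printf '%s\n' "$args" | sed -n 's/.*-D \([^ ]*\).*/\1/p')
    case "$drop" in
        ""|root:*|*:root|0:*|*:0) echo "FAIL: bad -D target '$drop'"; rc=1 ;;
    esac

    # Step 6 (observed): the log must report the drop, to non-zero uid:gid.
    ids=$(sed -n 's/.*Process privileges have been dropped to \([0-9]*:[0-9]*\).*/\1/p' "$journal" | tail -n 1)
    case "$ids" in
        ""|0:*|*:0) echo "FAIL: privilege drop not confirmed (got '$ids')"; rc=1 ;;
    esac

    return $rc
}

# Constructed sample files; values mirror the output quoted in this report.
write_sample() {
    printf '%s\n' '[Service]' 'ExecStart=/usr/sbin/rngd -f $RNGD_ARGS' > "$1/rngd.service"
    printf '%s\n' 'RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"' > "$1/rngd"
    printf '%s\n' 'Oct 06 15:56:00 host rngd[10752]: Process privileges have been dropped to 2:2' > "$1/journal.txt"
}

tmp=$(mktemp -d)
write_sample "$tmp"
check_rngd "$tmp/rngd.service" "$tmp/rngd" "$tmp/journal.txt" && echo "PASS"
rm -rf "$tmp"
```

On an installed host, pass /usr/lib/systemd/system/rngd.service, /etc/sysconfig/rngd and a file saved from `journalctl -u rngd`.
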

unfortunately we would need another important update in 8.8/9.2 due to a crash: bz2140043, bz2141379.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2473