2124605 – [RHEL-9.2] update rng-tools to 6.15@6dcc9ec2

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2124605 - [RHEL-9.2] update rng-tools to 6.15@6dcc9ec2

Summary: [RHEL-9.2] update rng-tools to 6.15@6dcc9ec2

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	rng-tools
Sub Component:
Version:	9.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	9.2
Assignee:	Vladis Dronov
QA Contact:	Vilém Maršík
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-09-06 15:19 UTC by Vladis Dronov
Modified:	2023-08-08 03:03 UTC (History)
CC List:	2 users (show)
Fixed In Version:	rng-tools-6.15-2.el9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-09 08:15:43 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-133324	0	None	None	None	2022-09-06 15:34:45 UTC
Red Hat Product Errata	RHBA-2023:2473	0	None	None	None	2023-05-09 08:15:45 UTC

Description Vladis Dronov 2022-09-06 15:19:35 UTC

update rng-tools to 6.16. the previous bugzilla is bz2075977.

upstream: https://github.com/nhorman/rng-tools/
fedora: https://src.fedoraproject.org/rpms/rng-tools/

Comment 1 Vladis Dronov 2022-10-06 16:05:11 UTC

[CI] [GATING] [DONE] rng-tools-6.15-2.el9 passed gating because all required tests passed

jitterlib 9.2 koji: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1491585
rng-tools 9.2 koji: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1491578
jitterlib 9.2 brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48143076
rng-tools 9.2 brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=48143066
jitterlib 9.2 osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48143076
rng-tools 9.2 osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48143066

Comment 2 Vladis Dronov 2022-10-06 16:25:22 UTC

a test plan:

0) ensure no previous installation and no config and 'rngd' user exists from previous installations

# rpm -e rng-tools jitterentropy
# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon and jitterentropy lib packages and rngd daemon source rpms from brew via links above

2) install both. please, note this release requires selinux-policy >= 34.1.31-2, it is available in the latest 9.1 composes.

3) verify that a service file DO NOT contain "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service
<none>

4) verify qrypt is disabled in a config file:

# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"

5) this release does not create any new user/group. still, check that pwck is fine after installation.

# pwck

6) start a service and ensure a process is run as daemon user and a log contains "Process privileges have been dropped" line:
a pause is needed for jitter to init, alternatively you can add "-x jitter" to /etc/sysconfig/rngd to disable jitter.

# systemctl start rngd ; sleep 10 ; systemctl status rngd ; ps -ef | grep rngd

7) [ RUN THIS AFTER STARTING rngd SERVICE AS DESCRIBED IN (6) ABOVE ]
optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked,
then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of
"rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code, all
three should return 0:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# RNGD_JITTER_TIMEOUT=60 ./rngtestjitter.sh ; echo $?

8) clean up

# systemctl stop rngd
# dnf -y erase rng-tools jitterentropy
# rm -f rng-tools*rpm jitterentropy*rpm

Comment 3 Vilém Maršík 2022-10-06 16:28:38 UTC

Thanks for the test plan. What is your question?

Comment 4 Vladis Dronov 2022-10-06 17:43:45 UTC

No question. As we've agreed on a latest meeting we track bugzilla progress in a bugzilla itself.
So I set needinfo to you when my part is done and I handover a bugzilla to you for testing or verification or when any further actions are needed from your side.

Comment 5 Vilém Maršík 2022-10-06 20:06:58 UTC

Looks okay on RHEL-9.2.0-20221006.d.0 with kernel 5.14.0-170.kpq1.el9.x86_64+debug :
# rpm -e rng-tools jitterentropy
Removed "/etc/systemd/system/multi-user.target.wants/rngd.service".
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# rpm -i http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/rng-tools/6.15/2.el9/x86_64/rng-tools-6.15-2.el9.x86_64.rpm http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/jitterentropy/3.4.1/1.el9/x86_64/jitterentropy-3.4.1-1.el9.x86_64.rpm
Created symlink /etc/systemd/system/multi-user.target.wants/rngd.service → /usr/lib/systemd/system/rngd.service.
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd
# systemctl status rngd
(...)
     Active: active (running) since Thu 2022-10-06 15:55:59 EDT; 4s ago
(...)
             └─10752 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)
Oct 06 15:56:00 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[10752]: Process privileges have been dropped to 2:2

# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 5 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=250.967; avg=307.092; max=515.500)Mibits/s
rngtest: FIPS tests speed: (min=157.632; avg=198.352; max=202.909)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=52631578947.368; max=0.000)bits/s
rngtest: Program run time: 1592761 microseconds
killing
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=6.652; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=183.399; avg=198.434; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=74074074074.074; max=0.000)bits/s
rngtest: Program run time: 10766 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=4.657; avg=7.421; max=9.313)Gibits/s
rngtest: FIPS tests speed: (min=1003.868; avg=1467.191; max=1589.457)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2330 microseconds
0

Comment 6 Vladis Dronov 2022-10-07 14:03:43 UTC

Thanks for a testing, Vilem, most appreciated.

Comment 9 Vilém Maršík 2022-10-20 22:51:47 UTC

Looks good:
DISTRO=RHEL-9.2.0-20221013.0
kernel 5.14.0-175.el9.x86_64+debug
# rpm -q rng-tools
package rng-tools is not installed
# rpm -q jitterentropy
package jitterentropy is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# dnf install rng-tools jitterentropy
(...)
Installed:
  jitterentropy-3.4.1-1.el9.x86_64                                          rng-tools-6.15-2.el9.x86_64
# grep udevadm /usr/lib/systemd/system/rngd.service
# grep -- '-x qrypt' /etc/sysconfig/rngd
RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon"
# pwck
# systemctl start rngd
# systemctl status rngd
(...)
     Active: active (running) since Thu 2022-10-20 18:17:42 EDT; 4s ago
(...)
             └─60094 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
(...)
Oct 20 18:17:44 intel-eaglestream-spr-07.khw1.lab.eng.bos.redhat.com rngd[60094]: Process privileges have been dropped to 2:2
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: JITTER timeout set to 5 sec
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=272.478; avg=322.460; max=381.470)Mibits/s
rngtest: FIPS tests speed: (min=178.257; avg=198.744; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=68965517241.379; max=0.000)bits/s
rngtest: Program run time: 1593021 microseconds
killing
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=4.657; avg=7.276; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=188.846; avg=198.910; max=202.909)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=62500000000.000; max=0.000)bits/s
rngtest: Program run time: 10637 microseconds
0
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=2.070; avg=7.164; max=9.313)Gibits/s
rngtest: FIPS tests speed: (min=1.242; avg=1.418; max=1.552)Gibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2527 microseconds
0

Comment 10 Vladis Dronov 2022-12-27 13:39:11 UTC

unfortunately we would need another important update in 8.8/9.2 due to a crash: bz2140043, bz2141379.

Comment 12 errata-xmlrpc 2023-05-09 08:15:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2473

Note You need to log in before you can comment on or make changes to this bug.