996913 – rng-tools does not detect DRNG (rdrand) on modern Intel CPUs

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 996913 - rng-tools does not detect DRNG (rdrand) on modern Intel CPUs

Summary: rng-tools does not detect DRNG (rdrand) on modern Intel CPUs

Keywords:
Status:	CLOSED DUPLICATE of bug 833620
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	rng-tools
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Neil Horman
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	994246
TreeView+	depends on / blocked

Reported:	2013-08-14 09:28 UTC by Robert Buchholz
Modified:	2019-08-15 03:40 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-09-04 10:20:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Robert Buchholz 2013-08-14 09:28:47 UTC

Description of problem:
Modern Intel CPUs (Ivy Bridge and later) come with a hardware random number generates, as seen by "rdrand" in /proc/cpuinfo's flags.
However, rngd from rng-tools 2 as packages in EL6 does not detect or use it.

Version-Release number of selected component (if applicable):
2.13.el6_2

How reproducible:
Always

Steps to Reproduce:
1. Install modern Intel CPU without TPM
2. Start rngd

Actual results:
$ rngd -f
can't open entropy source(tpm or intel/amd rng)
Maybe RNG device modules are not loaded


Expected results:
$ rngd -f -v
Unable to open file: /dev/tpm0
Available entropy sources:
        DRNG

(this is the output of version 4)

Comment 2 Christian Horn 2013-10-02 13:49:43 UTC

duplicate of bz833620 ?

Comment 3 RHEL Program Management 2013-10-13 23:16:01 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 7 Neil Horman 2014-08-07 12:18:13 UTC

Based on the reproducer you provided, it sounds like you don't have any of the tpm modules loaded.  Whats the output of your lsmod command on your ivy bridge system?

Comment 8 Robert Buchholz 2014-09-04 07:53:43 UTC

I'm not sure the system actually has a TPM. The rdrand instruction should work without that, should it not?

lsmod output:
Module                  Size  Used by
ip6table_filter         2889  0 
ip6_tables             18732  1 ip6table_filter
ebtable_nat             2009  0 
ebtables               18135  1 ebtable_nat
ipt_MASQUERADE          2466  3 
iptable_nat             6158  1 
nf_nat                 22759  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4       9506  4 iptable_nat,nf_nat
nf_defrag_ipv4          1483  1 nf_conntrack_ipv4
xt_state                1492  1 
nf_conntrack           79758  5 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state
ipt_REJECT              2351  2 
xt_CHECKSUM             1303  1 
iptable_mangle          3349  1 
iptable_filter          2793  1 
ip_tables              17831  3 iptable_nat,iptable_mangle,iptable_filter
bridge                 83369  0 
stp                     2218  1 bridge
llc                     5546  2 bridge,stp
ipv6                  318183  37 
ext3                  240028  1 
jbd                    80858  1 ext3
vhost_net              30849  4 
macvtap                10071  1 vhost_net
macvlan                 9969  1 macvtap
tun                    17095  14 vhost_net
kvm_intel              54317  22 
kvm                   333542  1 kvm_intel
cpufreq_ondemand       10544  8 
acpi_cpufreq            7763  0 
freq_table              4936  2 cpufreq_ondemand,acpi_cpufreq
mperf                   1557  1 acpi_cpufreq
ppdev                   8537  0 
iTCO_wdt                7115  0 
iTCO_vendor_support     3056  1 iTCO_wdt
parport_pc             22690  0 
parport                36209  2 ppdev,parport_pc
r8169                  59831  0 
mii                     5376  1 r8169
i2c_i801               11359  0 
i2c_core               31084  1 i2c_i801
sg                     29350  0 
lpc_ich                12803  0 
mfd_core                1895  1 lpc_ich
shpchp                 32778  0 
ext4                  374885  1 
jbd2                   93427  1 ext4
mbcache                 8193  2 ext3,ext4
raid1                  32045  3 
sd_mod                 39069  8 
crc_t10dif              1541  1 sd_mod
ahci                   42247  6 
xhci_hcd              148886  0 
video                  20674  0 
output                  2409  1 video
wmi                     6287  0 
dm_mirror              14384  0 
dm_region_hash         12085  1 dm_mirror
dm_log                  9930  2 dm_mirror,dm_region_hash
dm_mod                 84337  2 dm_mirror,dm_log

Comment 9 Neil Horman 2014-09-04 10:20:49 UTC

sorry, was paying too much attention to the tpm warnings in the description.  Yes it should work without a TPM, but the rng-tools version in RHEL6 just doesn't support DRNG yet.  It will when we update to the latest package, which I already have a bz for.

*** This bug has been marked as a duplicate of bug 833620 ***

Comment 10 richlv 2017-03-21 20:41:29 UTC

this has been marked as a duplicate of bug #833620, but that is not accessible :

"You are not authorized to access bug #833620.

Most likely the bug has been restricted for internal development processes and we cannot grant access."

can we please make that issue public or change the linkage and add the relevant detail here ?

Note You need to log in before you can comment on or make changes to this bug.