Bug#911043: rng-tools does not perform as expected on Beaglebone Black with OMAP hw rng

Jeffrey Walton-3
Package: rng-tools
Version: 2-unofficial-mt.14-1
X-Debbugs-CC: [hidden email],
[hidden email]

rng-tools does not perform as expected on a Beaglebone Black. The
dev-board has a built-in rng, and the kernel driver loads as expected.
/dev/hwrng is full, but /dev/random is suffering depletion. After
draining /dev/random, it takes 646 seconds to read 10 bytes in
blocking mode.

The problem seems to be the wrapper script of systemd around the old
sysinit script. Or maybe the wrapper is OK but systemd is the problem.
I don't know what the problem is at the moment.

Manually run '/etc/init.d/rng-tools start' and things work as
expected. /dev/random has a bountiful stream of bits.

A related question where I tried to troubleshoot it is at
https://unix.stackexchange.com/q/475489/56041. Unfortunately, I don't
know enough about the system components and the way they are supposed
to interact.

This report may be related:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776597 .

This may be CVE worthy. It is effectively a security related DoS due
to a configuration problem.

At this point I think it would be wise to provide a proper systemd
service file for rng-tools.

I am happy to manually install and test an updated *.deb package for
rng-tools. Just point me to a download.


Some hardware information.

$ cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 2 (v7l)
BogoMIPS        : 996.14
Features        : half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc08
CPU revision    : 2

Hardware        : Generic AM33XX (Flattened Device Tree)
Revision        : 0000
Serial          : 0000000000000000


$ apt-cache show rng-tools
Package: rng-tools
Version: 2-unofficial-mt.14-1
Installed-Size: 148
Maintainer: Henrique de Moraes Holschuh <[hidden email]>
Architecture: armhf
Replaces: intel-rng-tools
Provides: intel-rng-tools
Depends: libc6 (>= 2.4), udev (>= 0.053) | makedev (>= 2.3.1-77)
Conflicts: intel-rng-tools
Description: Daemon to use a Hardware TRNG
Description-md5: 6da2aca3dd07b55b609d9cf3d5d7cd57
Tag: interface::daemon, network::server, role::program
Section: utils
Priority: optional
Filename: pool/main/r/rng-tools/rng-tools_2-unofficial-mt.14-1_armhf.deb
Size: 47364
MD5sum: eb9bde7feaec413754e4b1f255865c8d
SHA1: 4ab63f0ec0f84499decbfe916c248580f51ab560
SHA256: a017aa416bda627a20cf5fdcf51f2a46471b800225a3b3abb5c6774b3cd94c6e


$ apt-cache show systemd
Package: systemd
Version: 230-7~bpo8+2
Architecture: armhf
Maintainer: Debian systemd Maintainers
<[hidden email]>
Installed-Size: 6490
Pre-Depends: libc6 (>= 2.8), libgcc1 (>= 1:4.4.0)
Depends: libacl1 (>= 2.2.51-8), libapparmor1 (>= 2.9.0-3+exp2),
libaudit1 (>= 1:2.2.1), libblkid1 (>= 2.19.1), libc6 (>= 2.17),
libcap2 (>= 1:2.10), libcryptsetup4 (>= 2:1.4.3), libgcrypt20 (>=
1.6.1), libgpg-error0 (>= 1.14), libidn11 (>=1.13), libkmod2 (>= 5~),
liblzma5 (>= 5.1.1alpha+20120614), libmount1 (>= 2.20.1), libpam0g (>=, libseccomp2 (>= 2.1.0), libselinux1 (>= 2.1.9), libsystemd0
(= 230-7~bpo8+2), util-linux (>= 2.25.2-6), mount (>= 2.25.2-6),
adduser, libcap2-bin
Recommends: libpam-systemd, dbus
Suggests: systemd-ui, systemd-container, policykit-1
Conflicts: klogd
Breaks: apparmor (<< 2.9.2-1), ifupdown (<< 0.8.5~), laptop-mode-tools
(<< 1.68~), lsb-base (<< 4.1+Debian4), lvm2 (<< 2.02.104-1),
systemd-shim (<< 8-2), udev(<< 228-5)
Replaces: udev (<< 228-5)
Multi-Arch: foreign
Homepage: http://www.freedesktop.org/wiki/Software/systemd
Priority: important
Section: admin
Filename: pool/main/s/systemd/systemd_230-7~bpo8+2_armhf.deb
Size: 2146126
SHA256: b8ad0cd78f01d14980fa728baa841a2a59d85c706e6a3843930a8d932d289d04
SHA1: cf280cd4acccc7564a50404b95c04967be9ba468
MD5sum: bb29e98702695017bc9241c6b81d600f
Description: system and service manager
 systemd is a system and service manager for Linux. It provides aggressive
 parallelization capabilities, uses socket and D-Bus activation for starting
 services, offers on-demand starting of daemons, keeps track of processes
 using Linux control groups, supports snapshotting and restoring of the system
 state, maintains mount and automount points and implements an elaborate
 transactional dependency-based service control logic.
 systemd is compatible with SysV and LSB init scripts and can work as a
 drop-in replacement for sysvinit.
 Installing the systemd package will not switch your init system unless you
 boot with init=/bin/systemd or install systemd-sysv in addition.
Description-md5: daa2c3e0044c2c2f5adc47475a3d6969

Package: systemd
Version: 215-17+deb8u7
Installed-Size: 7977
Maintainer: Debian systemd Maintainers
<[hidden email]>
Architecture: armhf
Depends: libacl1 (>= 2.2.51-8), libaudit1 (>= 1:2.2.1), libblkid1 (>=
2.19.1), libcap2 (>= 1:2.10), libcryptsetup4 (>= 2:1.4.3), libkmod2
(>= 5~), libpam0g (>=, libselinux1 (>= 2.1.9), libsystemd0 (=
215-17+deb8u7), util-linux (>= 2.19.1-2), mount (>= 2.21), initscripts
(>= 2.88dsf-53.2), sysv-rc, udev (>= 208-8), acl, adduser, libcap2-bin
Pre-Depends: libc6 (>= 2.17), libgcrypt20 (>= 1.6.1), liblzma5 (>=
5.1.1alpha+20120614), libselinux1 (>= 1.32)
Recommends: libpam-systemd, dbus
Suggests: systemd-ui
Conflicts: klogd
Breaks: lsb-base (<< 4.1+Debian4), lvm2 (<< 2.02.104-1), systemd-shim (<< 8-2)
Description: system and service manager
Description-md5: b7cab5335af47ff49cf666299f5ca607
Homepage: http://www.freedesktop.org/wiki/Software/systemd
Section: admin
Priority: important
Filename: pool/main/s/systemd/systemd_215-17+deb8u7_armhf.deb
Size: 2315660
MD5sum: fdd888dba6bca71c11df702e3943d49a
SHA1: 4df59c5ecbdb0202a8df1199e0dc0537c05945b3
SHA256: 16f38b4beb42020e28cd53f3e6be5bbb0af85605420389a46e6a6b94fc5de699

Jeffrey Walton-3
Here is the workaround.

I don't know what the fix is. I was never able to get systemd to
enable the service (or subsequently start the service). Nothing I
attempted would get the service out of the "generated" status.

$ cat /etc/rc.local
#!/bin/sh -e
# rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.
# By default this script does nothing.

if [ -e /usr/sbin/rngd ]; then
    /usr/sbin/rngd -r /dev/hwrng -f
fi

exit 0

Jeffrey Walton-3
Attached is a rng-tools.service that tested well on two BeagleBoards.
The service file avoids the logger dependencies, avoids udev rules,
and tries to recover from failure on startup.

The recovery part was important on the BeagleBoards. The service
failed during startup because the udev /dev/hwrng device was not
online when rng-tools started. By adding a small delay and retry count
we could side-step udev rules to support rng-tools.

The Conflicts was needed because the BeagleBoards were hanging on
shutdowns and reboots. It seems the Restart was restarting the service
during shutdown.

The unit file can be dropped in /etc/systemd/system without deleting
the old service. 'systemctl enable rng-tools.service' will actually
enable the unit file even though systemd reports something about the
old service file.

I have other ARM dev-boards without an RNG. I did not test rng-tools on
them because haveged runs on them.

Robert, you may want to grab this for the images you build for the
4.1.15-ti-rt-r40 kernel. It is an improvement over the old service
file. The old service actually fails to run but no one realized it.


Attachment: rng-tools.service (988 bytes)
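
A minimal unit of the kind the last post describes, as an added example: it is not the attached rng-tools.service, whose contents do not appear on this page. The delay and retry values are assumptions; the rngd path and options are the ones from the rc.local workaround.

```ini
# /etc/systemd/system/rng-tools.service
# Added sketch, not the attachment from the post. Timing values are assumptions.
[Unit]
Description=Feed the kernel entropy pool from /dev/hwrng (rngd)
# Stop the unit when shutdown begins so Restart= cannot bring it back
# while the system is going down.
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=simple
# Same invocation as the rc.local workaround: foreground, hardware RNG as source.
ExecStart=/usr/sbin/rngd -f -r /dev/hwrng
# If /dev/hwrng is not online yet and rngd fails to start, wait and try
# again instead of depending on a udev rule.
Restart=on-failure
RestartSec=5
# Give up after 10 failed starts within 2 minutes (assumed values). Newer
# systemd releases document these as StartLimitIntervalSec=/StartLimitBurst=
# in the [Unit] section.
StartLimitInterval=120
StartLimitBurst=10

[Install]
WantedBy=multi-user.target
```

After 'systemctl enable rng-tools.service' and a reboot, 'systemctl is-active rng-tools.service' and 'cat /proc/sys/kernel/random/entropy_avail' show whether rngd stayed up and the pool is being refilled.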