[yocto] [meta-openssl102-fips][PATCH 12/15] rng-tools: fix rngd failed in fips mode

Hongxu Jia Sun, 22 Sep 2019 08:20:13 -0700

The FIPS test is something done on government or more secure organizations
for extra security check.
...
root@qemux86-64:~# systemctl status rngd
Unit rngd-tools.service could not be found.
root@qemux86-64:~# systemctl status rngd
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: 
enabled)
   Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
  Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, 
status=0/SUCCESS)
 Main PID: 317 (code=exited, status=0/SUCCESS)


Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not 
permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not 
permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy 
source
...

>From rngd manual, add `-i' to default
...
-i, --ignorefail
  Ignore repeated fips failures
...

After applying the fix
...
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: 
enabled)
   Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
 Main PID: 121 (rngd)
    Tasks: 2
   Memory: 1.8M
   CGroup: /system.slice/rngd.service
           /usr/sbin/rngd -f -r /dev/hwrng -i

Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not 
permitted
...

Refer:
https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html

Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
---
 recipes-support/rng-tools/rng-tools/default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-support/rng-tools/rng-tools/default 
b/recipes-support/rng-tools/rng-tools/default
index b9f8e03..1ae6b33 100644
--- a/recipes-support/rng-tools/rng-tools/default
+++ b/recipes-support/rng-tools/rng-tools/default
@@ -1 +1 @@
-EXTRA_ARGS="-r /dev/hwrng"
+EXTRA_ARGS="-r /dev/hwrng -i"
-- 
2.7.4

-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

[yocto] [meta-openssl102-fips][PATCH 12/15] rng-tools: fix rngd failed in fips mode

Reply via email to